rpms/selinux-policy/devel booleans-targeted.conf, 1.52, 1.53 policy-F12.patch, 1.71, 1.72 selinux-policy.spec, 1.911, 1.912
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Sep 7 01:18:06 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13382
Modified Files:
booleans-targeted.conf policy-F12.patch selinux-policy.spec
Log Message:
* Fri Sep 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.30-4
- Allow xserver to use netlink_kobject_uevent_socket
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.52
retrieving revision 1.53
diff -u -p -r1.52 -r1.53
--- booleans-targeted.conf 18 Aug 2009 12:34:25 -0000 1.52
+++ booleans-targeted.conf 7 Sep 2009 01:18:05 -0000 1.53
@@ -8,7 +8,7 @@ allow_execmod = false
# Allow making the stack executable via mprotect.Also requires allow_execmem.
#
-allow_execstack = true
+allow_execstack = false
# Allow ftpd to read cifs directories.
#
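Review bot: The default for `allow_execstack` flips from true to false here, but the changelog entry this commit carries (3.6.30-4, "Allow xserver to use netlink_kobject_uevent_socket") does not record it. This is a user-visible hardening that will start denying mprotect(PROT_EXEC) on the stack for any application that still needs it, so it deserves its own changelog line, e.g. `- Turn off allow_execstack boolean by default`. The comment above the boolean already notes that it also requires allow_execmem; pointing users at `setsebool -P allow_execstack 1` in that same changelog line would make the fallout easier to diagnose.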
policy-F12.patch:
Makefile | 2
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/anaconda.te | 3
policy/modules/admin/certwatch.te | 1
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 7
policy/modules/admin/firstboot.te | 6
policy/modules/admin/logrotate.te | 13
policy/modules/admin/logwatch.te | 1
policy/modules/admin/mrtg.te | 7
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.if | 19
policy/modules/admin/prelink.te | 1
policy/modules/admin/readahead.te | 3
policy/modules/admin/rpm.fc | 17
policy/modules/admin/rpm.if | 177 +++
policy/modules/admin/rpm.te | 65 +
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 4
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 5
policy/modules/admin/usermanage.te | 30
policy/modules/admin/vbetool.te | 14
policy/modules/apps/awstats.te | 4
policy/modules/apps/calamaris.te | 7
policy/modules/apps/cdrecord.te | 4
policy/modules/apps/cpufreqselector.te | 5
policy/modules/apps/gitosis.fc | 4
policy/modules/apps/gitosis.if | 96 ++
policy/modules/apps/gitosis.te | 36
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 +++
policy/modules/apps/gnome.te | 93 +
policy/modules/apps/gpg.if | 2
policy/modules/apps/gpg.te | 16
policy/modules/apps/java.fc | 17
policy/modules/apps/java.if | 111 ++
policy/modules/apps/java.te | 12
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 66 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 50 +
policy/modules/apps/livecd.te | 26
policy/modules/apps/mono.if | 101 ++
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 13
policy/modules/apps/mozilla.te | 21
policy/modules/apps/nsplugin.fc | 12
policy/modules/apps/nsplugin.if | 313 ++++++
policy/modules/apps/nsplugin.te | 289 ++++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/pulseaudio.te | 6
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 190 ++++
policy/modules/apps/qemu.te | 82 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 56 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 167 +++
policy/modules/apps/sandbox.te | 304 ++++++
policy/modules/apps/screen.if | 31
policy/modules/apps/seunshare.fc | 2
policy/modules/apps/seunshare.if | 76 +
policy/modules/apps/seunshare.te | 37
policy/modules/apps/vmware.fc | 1
policy/modules/apps/vmware.te | 1
policy/modules/apps/webalizer.te | 2
policy/modules/apps/wine.fc | 23
policy/modules/apps/wine.if | 59 +
policy/modules/apps/wine.te | 24
policy/modules/kernel/corecommands.fc | 28
policy/modules/kernel/corecommands.if | 1
policy/modules/kernel/corenetwork.te.in | 29
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.if | 164 +++
policy/modules/kernel/devices.te | 19
policy/modules/kernel/domain.if | 132 ++
policy/modules/kernel/domain.te | 84 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 298 ++++++
policy/modules/kernel/files.te | 6
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 173 +++
policy/modules/kernel/filesystem.te | 8
policy/modules/kernel/kernel.if | 39
policy/modules/kernel/kernel.te | 29
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 40
policy/modules/kernel/terminal.te | 1
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 124 --
policy/modules/roles/sysadm.te | 124 --
policy/modules/roles/unconfineduser.fc | 36
policy/modules/roles/unconfineduser.if | 638 +++++++++++++
policy/modules/roles/unconfineduser.te | 393 ++++++++
policy/modules/roles/unprivuser.te | 131 --
policy/modules/roles/xguest.te | 18
policy/modules/services/abrt.fc | 13
policy/modules/services/abrt.if | 126 ++
policy/modules/services/abrt.te | 120 ++
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 1
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 37
policy/modules/services/apache.if | 371 +++++--
policy/modules/services/apache.te | 422 +++++++--
policy/modules/services/apm.te | 2
policy/modules/services/automount.te | 1
policy/modules/services/bind.if | 40
policy/modules/services/bluetooth.te | 8
policy/modules/services/certmaster.te | 2
policy/modules/services/clamav.te | 12
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 18
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 13
policy/modules/services/cron.if | 202 +++-
policy/modules/services/cron.te | 149 ++-
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 28
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 5
policy/modules/services/dbus.if | 49 -
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 50 -
policy/modules/services/dnsmasq.te | 8
policy/modules/services/dovecot.te | 7
policy/modules/services/exim.te | 4
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 4
policy/modules/services/ftp.te | 58 +
policy/modules/services/gnomeclock.fc | 3
policy/modules/services/gnomeclock.if | 69 +
policy/modules/services/gnomeclock.te | 50 +
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 47 -
policy/modules/services/hddtemp.fc | 4
policy/modules/services/hddtemp.if | 38
policy/modules/services/hddtemp.te | 40
policy/modules/services/kerberos.te | 13
policy/modules/services/kerneloops.te | 2
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.te | 11
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/modemmanager.fc | 2
policy/modules/services/modemmanager.if | 43
policy/modules/services/modemmanager.te | 46
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 5
policy/modules/services/mta.te | 52 -
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 7
policy/modules/services/nagios.fc | 11
policy/modules/services/nagios.if | 70 +
policy/modules/services/nagios.te | 55 -
policy/modules/services/networkmanager.fc | 13
policy/modules/services/networkmanager.if | 45
policy/modules/services/networkmanager.te | 114 ++
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 11
policy/modules/services/nslcd.fc | 4
policy/modules/services/nslcd.if | 142 +++
policy/modules/services/nslcd.te | 48 +
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 7
policy/modules/services/nx.fc | 1
policy/modules/services/nx.if | 18
policy/modules/services/nx.te | 6
policy/modules/services/oddjob.if | 1
policy/modules/services/openvpn.te | 13
policy/modules/services/pcscd.te | 3
policy/modules/services/pegasus.te | 28
policy/modules/services/policykit.fc | 10
policy/modules/services/policykit.if | 49 +
policy/modules/services/policykit.te | 61 +
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++-
policy/modules/services/postfix.te | 136 ++
policy/modules/services/postgresql.fc | 1
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 14
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47 +
policy/modules/services/pyzor.te | 37
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/ricci.te | 5
policy/modules/services/rpc.if | 6
policy/modules/services/rpc.te | 12
policy/modules/services/rpcbind.if | 20
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit_daemon.fc | 2
policy/modules/services/rtkit_daemon.if | 63 +
policy/modules/services/rtkit_daemon.te | 38
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 ++
policy/modules/services/samba.te | 87 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 84 +
policy/modules/services/setroubleshoot.te | 79 +
policy/modules/services/shorewall.fc | 12
policy/modules/services/shorewall.if | 166 +++
policy/modules/services/shorewall.te | 95 ++
policy/modules/services/smartmon.te | 15
policy/modules/services/spamassassin.fc | 14
policy/modules/services/spamassassin.if | 68 +
policy/modules/services/spamassassin.te | 129 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 183 +++
policy/modules/services/ssh.te | 70 -
policy/modules/services/sssd.fc | 2
policy/modules/services/sssd.if | 43
policy/modules/services/sysstat.te | 2
policy/modules/services/uucp.te | 7
policy/modules/services/virt.fc | 11
policy/modules/services/virt.if | 127 ++
policy/modules/services/virt.te | 271 +++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 30
policy/modules/services/xserver.if | 671 +++++++++++---
policy/modules/services/xserver.te | 310 +++++-
policy/modules/system/application.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 204 +++-
policy/modules/system/authlogin.te | 39
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 67 -
policy/modules/system/getty.te | 16
policy/modules/system/hostname.te | 22
policy/modules/system/init.fc | 6
policy/modules/system/init.if | 156 +++
policy/modules/system/init.te | 268 ++++-
policy/modules/system/ipsec.fc | 2
policy/modules/system/ipsec.if | 25
policy/modules/system/ipsec.te | 97 +-
policy/modules/system/iptables.fc | 11
policy/modules/system/iptables.te | 5
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 6
policy/modules/system/kdump.fc | 8
policy/modules/system/kdump.if | 111 ++
policy/modules/system/kdump.te | 38
policy/modules/system/libraries.fc | 158 ++-
policy/modules/system/libraries.if | 4
policy/modules/system/libraries.te | 16
policy/modules/system/locallogin.te | 74 -
policy/modules/system/logging.fc | 11
policy/modules/system/logging.if | 4
policy/modules/system/logging.te | 34
policy/modules/system/lvm.te | 53 -
policy/modules/system/miscfiles.if | 19
policy/modules/system/modutils.te | 168 ++-
policy/modules/system/mount.fc | 7
policy/modules/system/mount.te | 75 +
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 288 ++++++
policy/modules/system/selinuxutil.te | 228 +---
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 9
policy/modules/system/sysnetwork.if | 117 ++
policy/modules/system/sysnetwork.te | 107 +-
policy/modules/system/udev.fc | 3
policy/modules/system/udev.if | 21
policy/modules/system/udev.te | 38
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 446 ---------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 6
policy/modules/system/userdomain.if | 1396 ++++++++++++++++++++++--------
policy/modules/system/userdomain.te | 50 -
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 28
policy/modules/system/xen.te | 137 ++
policy/support/obj_perm_sets.spt | 14
policy/users | 13
314 files changed, 14626 insertions(+), 2940 deletions(-)
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -p -r1.71 -r1.72
--- policy-F12.patch 2 Sep 2009 13:33:14 -0000 1.71
+++ policy-F12.patch 7 Sep 2009 01:18:05 -0000 1.72
@@ -277,7 +277,7 @@ diff -b -B --ignore-all-space --exclude-
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-3.6.30/policy/modules/admin/prelink.if
--- nsaserefpolicy/policy/modules/admin/prelink.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/admin/prelink.if 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/admin/prelink.if 2009-09-04 10:32:08.000000000 -0400
@@ -140,3 +140,22 @@
files_search_var_lib($1)
manage_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
@@ -293,14 +293,25 @@ diff -b -B --ignore-all-space --exclude-
+## </summary>
+## </param>
+#
-+interface(`prelink_relabelfrom_var_lib',`
++interface(`prelink_relabel_var_lib',`
+ gen_require(`
+ type prelink_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
-+ relabelfrom_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
++ relabel_files_pattern($1, prelink_var_lib_t, prelink_var_lib_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.30/policy/modules/admin/prelink.te
+--- nsaserefpolicy/policy/modules/admin/prelink.te 2009-08-14 16:14:31.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/admin/prelink.te 2009-09-04 11:49:19.000000000 -0400
+@@ -89,6 +89,7 @@
+ miscfiles_read_localization(prelink_t)
+
+ userdom_use_user_terminals(prelink_t)
++userdom_manage_user_home_content(prelink_t)
+
+ optional_policy(`
+ amanda_manage_lib(prelink_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.30/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/admin/readahead.te 2009-08-31 13:40:47.000000000 -0400
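Review bot: `userdom_manage_user_home_content(prelink_t)`, added to prelink.te in this hunk, gives prelink create/write/rename/delete rights over every user home content type, which is much wider than the ELF objects prelink rewrites; a misbehaving or compromised prelink run could then modify arbitrary files under users' home directories. If the intent is prelinking of user-installed binaries, a narrower grant (files only, or gated by a tunable) would be preferable, and the reason should be recorded, e.g. `# prelink rewrites ELF objects found under users' home directories`. The same hunk also widens the renamed interface from `relabelfrom_files_pattern` to `relabel_files_pattern`, so its caller (system_cronjob_t, per the cron.te hunk further down) now gets relabelto prelink_var_lib_t as well. The interface's `<summary>` begins above this hunk and should be checked to say "relabel" rather than "relabel from" if it still does.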
@@ -964,6 +975,18 @@ diff -b -B --ignore-all-space --exclude-
kismet_manage_log(tmpreaper_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.30/policy/modules/admin/tzdata.te
+--- nsaserefpolicy/policy/modules/admin/tzdata.te 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/admin/tzdata.te 2009-09-04 11:18:45.000000000 -0400
+@@ -19,6 +19,8 @@
+ files_read_etc_files(tzdata_t)
+ files_search_spool(tzdata_t)
+
++fs_getattr_xattr_fs(tzdata_t)
++
+ term_dontaudit_list_ptys(tzdata_t)
+
+ locallogin_dontaudit_use_fds(tzdata_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.30/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if 2009-08-31 13:40:47.000000000 -0400
@@ -1125,7 +1148,7 @@ diff -b -B --ignore-all-space --exclude-
sysnet_dns_name_resolve(awstats_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.30/policy/modules/apps/calamaris.te
--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/apps/calamaris.te 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/apps/calamaris.te 2009-09-02 09:37:44.000000000 -0400
@@ -59,12 +59,12 @@
libs_read_lib_files(calamaris_t)
@@ -3726,8 +3749,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.30/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.30/policy/modules/apps/sandbox.te 2009-08-31 13:40:47.000000000 -0400
-@@ -0,0 +1,302 @@
++++ serefpolicy-3.6.30/policy/modules/apps/sandbox.te 2009-09-03 10:41:22.000000000 -0400
+@@ -0,0 +1,304 @@
+policy_module(sandbox,1.0.0)
+dbus_stub()
+attribute sandbox_domain;
@@ -3873,6 +3896,7 @@ diff -b -B --ignore-all-space --exclude-
+auth_use_nsswitch(sandbox_x_domain)
+
+init_read_utmp(sandbox_x_domain)
++init_dontaudit_write_utmp(sandbox_x_domain)
+
+miscfiles_read_localization(sandbox_x_domain)
+
@@ -3892,10 +3916,11 @@ diff -b -B --ignore-all-space --exclude-
+ cups_read_rw_config(sandbox_x_domain)
+')
+
-+#============= sandbox_x_t ==============
-+allow sandbox_x_t home_root_t:dir search;
-+allow sandbox_x_t user_devpts_t:chr_file { read write };
++userdom_dontaudit_use_user_terminals(sandbox_x_domain)
+
++#============= sandbox_x_t ==============
++files_search_home(sandbox_x_t)
++userdom_use_user_ptys(sandbox_x_t)
+
+########################################
+#
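Review bot: The hunk grants `userdom_use_user_ptys` to `sandbox_x_t` alone while the whole `sandbox_x_domain` attribute only gets `userdom_dontaudit_use_user_terminals`, and nothing records why the two are split. Since the rest of the file attaches rules to the attribute, a one-line comment above the type-specific block would stop a later edit from "tidying" the pty rule onto the attribute and handing every sandboxed X domain write access to the user's terminal, e.g. `# only the launching sandbox_x_t keeps its controlling pty; other X sandbox domains must not reach user terminals` (presumably that is the intent — confirm). The replaced raw rules were equivalent to the new interface calls, so no new access is introduced here.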
@@ -4370,8 +4395,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.30/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-08-31 13:40:47.000000000 -0400
-@@ -9,20 +9,35 @@
++++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-09-02 09:37:57.000000000 -0400
+@@ -9,20 +9,36 @@
type wine_t;
type wine_exec_t;
application_domain(wine_t, wine_exec_t)
@@ -4387,6 +4412,7 @@ diff -b -B --ignore-all-space --exclude-
-optional_policy(`
allow wine_t self:process { execstack execmem execheap };
- unconfined_domain_noaudit(wine_t)
++allow wine_t self:fifo_file manage_fifo_file_perms;
+
+domain_mmap_low_type(wine_t)
+tunable_policy(`mmap_low_allowed',`
@@ -4413,7 +4439,13 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.30/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.fc 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.fc 2009-09-03 10:35:24.000000000 -0400
+@@ -1,4 +1,4 @@
+-
++c
+ #
+ # /bin
+ #
@@ -54,6 +54,7 @@
/etc/cron.weekly/.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cron.monthly/.* -- gen_context(system_u:object_r:bin_t,s0)
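Review bot: The new inner hunk against corecommands.fc replaces the blank first line of the file with a line containing only `c`, which looks like a stray keystroke rather than an intended change. A bare `c` is not a valid file_contexts entry (a path regex with no type and no context), so it will either break the policy build or, at best, be silently ignored, and it should be dropped from the patch. The `+-`/`++c` pair also shows up in the diffstat as the otherwise unexplained change count for corecommands.fc.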
@@ -4440,15 +4472,24 @@ diff -b -B --ignore-all-space --exclude-
#
# /usr
#
-@@ -221,6 +226,7 @@
+@@ -221,6 +226,8 @@
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -315,3 +321,21 @@
+@@ -263,6 +270,7 @@
+ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/system-config-selinux/polgen\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
+@@ -315,3 +323,21 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
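Review bot: `/usr/share/smolt/client(/.*)?` is labeled as generic `bin_t`, while this same patch adds a dedicated smoltclient module (smoltclient.fc/.if/.te in the diffstat). If smoltclient.fc also labels files under that tree with its own exec type, the two specifications overlap and the more specific one silently wins, so the entry here should be checked against smoltclient.fc and one of them removed. Labeling the whole tree `bin_t` also makes any data or config files shipped alongside the scripts executable-typed; if only the scripts need it, a `-- gen_context(...)` file-only spec or an explicit list would be tighter.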
@@ -5642,7 +5683,7 @@ diff -b -B --ignore-all-space --exclude-
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.30/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-04 11:37:45.000000000 -0400
@@ -1537,6 +1537,24 @@
########################################
@@ -7390,8 +7431,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.30/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.30/policy/modules/roles/unconfineduser.te 2009-08-31 13:40:47.000000000 -0400
-@@ -0,0 +1,392 @@
++++ serefpolicy-3.6.30/policy/modules/roles/unconfineduser.te 2009-09-04 10:33:43.000000000 -0400
+@@ -0,0 +1,393 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -7670,6 +7711,7 @@ diff -b -B --ignore-all-space --exclude-
+
+optional_policy(`
+ rtkit_daemon_system_domain(unconfined_t)
++ rtkit_daemon_system_domain(unconfined_execmem_t)
+')
+
+optional_policy(`
@@ -8133,8 +8175,8 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.30/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.30/policy/modules/services/abrt.te 2009-08-31 13:40:47.000000000 -0400
-@@ -0,0 +1,124 @@
++++ serefpolicy-3.6.30/policy/modules/services/abrt.te 2009-09-06 15:27:50.000000000 -0400
+@@ -0,0 +1,120 @@
+
+policy_module(abrt,1.0.0)
+
@@ -8146,6 +8188,7 @@ diff -b -B --ignore-all-space --exclude-
+type abrt_t;
+type abrt_exec_t;
+init_daemon_domain(abrt_t,abrt_exec_t)
++dbus_system_domain(abrt_t,abrt_exec_t)
+
+type abrt_initrc_exec_t;
+init_script_file(abrt_initrc_exec_t)
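Review bot: `dbus_system_domain(abrt_t, abrt_exec_t)` is added unconditionally next to the type declarations, whereas the dbus rules it replaces (removed in the following hunk) were wrapped in `optional_policy()`; the abrt module now hard-depends on the dbus module being present at build time. If that is acceptable it should be deliberate; otherwise keep the call inside `optional_policy(\`` / `')` as before. Note also that, unlike the removed connect/client rules, `dbus_system_domain` appears to let the system bus activate abrt by transitioning into abrt_t, which is a broader grant than the old block — confirm that abrt actually ships a D-Bus service file requiring it.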
@@ -8237,11 +8280,6 @@ diff -b -B --ignore-all-space --exclude-
+miscfiles_read_certs(abrt_t)
+miscfiles_read_localization(abrt_t)
+
-+optional_policy(`
-+ dbus_connect_system_bus(abrt_t)
-+ dbus_system_bus_client(abrt_t)
-+')
-+
+# to run bugzilla plugin
+# read ~/.abrt/Bugzilla.conf
+userdom_read_user_home_content_files(abrt_t)
@@ -10383,7 +10421,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.30/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/cron.te 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/cron.te 2009-09-04 10:32:17.000000000 -0400
@@ -38,6 +38,10 @@
type cron_var_lib_t;
files_type(cron_var_lib_t)
@@ -10704,7 +10742,7 @@ diff -b -B --ignore-all-space --exclude-
+ prelink_manage_lib(system_cronjob_t)
+ prelink_manage_log(system_cronjob_t)
+ prelink_read_cache(system_cronjob_t)
-+ prelink_relabelfrom_var_lib(system_cronjob_t)
++ prelink_relabel_var_lib(system_cronjob_t)
')
optional_policy(`
@@ -14023,7 +14061,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.30/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-08-18 11:41:14.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/policykit.te 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/policykit.te 2009-09-04 11:37:59.000000000 -0400
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -14091,7 +14129,7 @@ diff -b -B --ignore-all-space --exclude-
rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
-@@ -92,12 +112,13 @@
+@@ -92,12 +112,14 @@
manage_files_pattern(policykit_auth_t, policykit_var_run_t, policykit_var_run_t)
files_pid_filetrans(policykit_auth_t, policykit_var_run_t, { file dir })
@@ -14101,13 +14139,14 @@ diff -b -B --ignore-all-space --exclude-
files_read_usr_files(policykit_auth_t)
+fs_getattr_all_fs(polkit_auth_t)
++fs_search_tmpfs(polkit_auth_t)
+
auth_use_nsswitch(policykit_auth_t)
+auth_domtrans_chk_passwd(policykit_auth_t)
logging_send_syslog_msg(policykit_auth_t)
-@@ -106,7 +127,7 @@
+@@ -106,7 +128,7 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
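Review bot: The new `fs_search_tmpfs(polkit_auth_t)` uses `polkit_auth_t` while every neighboring rule in this block (`files_read_usr_files`, `auth_use_nsswitch`, `auth_domtrans_chk_passwd`) targets `policykit_auth_t`. If `polkit_auth_t` is only an alias declared elsewhere in policykit.te the build will pass, but the block should still use the canonical name for consistency: `fs_search_tmpfs(policykit_auth_t)`. If no such alias exists this line will fail the build with an undeclared type, so the declaration should be checked either way; the same mixed naming already appears in the context line `fs_getattr_all_fs(polkit_auth_t)` just above.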
@@ -14116,7 +14155,7 @@ diff -b -B --ignore-all-space --exclude-
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -119,6 +140,14 @@
+@@ -119,6 +141,14 @@
hal_read_state(policykit_auth_t)
')
@@ -14131,7 +14170,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# polkit_grant local policy
-@@ -126,7 +155,8 @@
+@@ -126,7 +156,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
@@ -14141,7 +14180,7 @@ diff -b -B --ignore-all-space --exclude-
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -156,9 +186,12 @@
+@@ -156,9 +187,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -14155,7 +14194,7 @@ diff -b -B --ignore-all-space --exclude-
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -170,7 +203,8 @@
+@@ -170,7 +204,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -14942,7 +14981,16 @@ diff -b -B --ignore-all-space --exclude-
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.30/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/ppp.te 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/ppp.te 2009-09-04 10:22:17.000000000 -0400
+@@ -38,7 +38,7 @@
+ files_type(pppd_etc_rw_t)
+
+ type pppd_initrc_exec_t alias pppd_script_exec_t;
+-files_type(pppd_initrc_exec_t)
++init_script_file(pppd_initrc_exec_t)
+
+ # pppd_secret_t is the type of the pap and chap password files
+ type pppd_secret_t;
@@ -193,6 +193,8 @@
optional_policy(`
@@ -15473,7 +15521,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/libexec/rtkit-daemon -- gen_context(system_u:object_r:rtkit_daemon_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rtkit_daemon.if serefpolicy-3.6.30/policy/modules/services/rtkit_daemon.if
--- nsaserefpolicy/policy/modules/services/rtkit_daemon.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.30/policy/modules/services/rtkit_daemon.if 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/rtkit_daemon.if 2009-09-04 10:33:29.000000000 -0400
@@ -0,0 +1,63 @@
+
+## <summary>policy for rtkit_daemon</summary>
@@ -16520,7 +16568,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te 2009-08-31 17:31:34.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/setroubleshoot.te 2009-09-06 15:49:01.000000000 -0400
@@ -22,13 +22,19 @@
type setroubleshoot_var_run_t;
files_pid_file(setroubleshoot_var_run_t)
@@ -16582,7 +16630,7 @@ diff -b -B --ignore-all-space --exclude-
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,70 @@
+@@ -94,23 +113,73 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -16647,7 +16695,10 @@ diff -b -B --ignore-all-space --exclude-
+userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)
+
+optional_policy(`
-+ rpm_read_db(setroubleshoot_fixit_t)
++ rpm_signull(setroubleshootd_fixit_t)
++ rpm_read_db(setroubleshootd_fixit_t)
++ rpm_dontaudit_manage_db(setroubleshootd_fixit_t)
++ rpm_use_script_fds(setroubleshootd_fixit_t)
+')
+
+optional_policy(`
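Review bot: The four new rpm rules target `setroubleshootd_fixit_t`, but the line they replace and the surrounding context (`userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t)`) use `setroubleshoot_fixit_t`. Unless a `setroubleshootd_fixit_t` type or alias is declared outside this hunk, these lines will not compile, and even if they do the fixit domain silently loses the `rpm_read_db` access it had before; the likely intent is `rpm_signull(setroubleshoot_fixit_t)` and the same substitution on the three following lines. Separately, `rpm_dontaudit_manage_db` hides any attempt by the fixit helper to write the RPM database, which is the kind of denial a forensic reviewer would want to see; a short comment on why writes are expected and harmless would justify the dontaudit.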
@@ -19635,7 +19686,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.30/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/services/xserver.te 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/services/xserver.te 2009-09-04 09:41:10.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -19793,7 +19844,7 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
files_read_etc_files(xauth_t)
-@@ -300,20 +325,29 @@
+@@ -300,20 +325,31 @@
# XDM Local policy
#
@@ -19815,6 +19866,8 @@ diff -b -B --ignore-all-space --exclude-
allow xdm_t self:appletalk_socket create_socket_perms;
allow xdm_t self:key { search link write };
++allow xdm_t xauth_home_t:file rw_file_perms;
++
allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+manage_dirs_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
+manage_files_pattern(xdm_t, xkb_var_lib_t, xkb_var_lib_t)
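Review bot: `allow xdm_t xauth_home_t:file rw_file_perms;` lets the display manager write to the files that hold users' X authority cookies (presumably `~/.Xauthority`, per the type name — confirm against xserver.fc), which is security-sensitive because whoever can write that file controls access to the display. The rule is plausible for gdm, which installs the session cookie for the user, but it carries no rationale; add `# gdm writes the session MIT-MAGIC-COOKIE into the user's ~/.Xauthority` above it. Since `rw_file_perms` does not include create, check that a matching file type transition exists so a freshly created cookie file is labeled xauth_home_t rather than the generic home type, or this rule will not cover first login.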
@@ -19826,7 +19879,7 @@ diff -b -B --ignore-all-space --exclude-
# Allow gdm to run gdm-binary
can_exec(xdm_t, xdm_exec_t)
-@@ -329,22 +363,39 @@
+@@ -329,22 +365,39 @@
manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -19869,7 +19922,7 @@ diff -b -B --ignore-all-space --exclude-
allow xdm_t xserver_t:process signal;
allow xdm_t xserver_t:unix_stream_socket connectto;
-@@ -358,6 +409,7 @@
+@@ -358,6 +411,7 @@
allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
allow xdm_t xserver_t:shm rw_shm_perms;
@@ -19877,7 +19930,7 @@ diff -b -B --ignore-all-space --exclude-
# connect to xdm xserver over stream socket
stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t)
-@@ -366,10 +418,14 @@
+@@ -366,10 +420,14 @@
delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t)
@@ -19893,7 +19946,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
-@@ -389,11 +445,13 @@
+@@ -389,11 +447,13 @@
corenet_udp_sendrecv_all_ports(xdm_t)
corenet_tcp_bind_generic_node(xdm_t)
corenet_udp_bind_generic_node(xdm_t)
@@ -19907,7 +19960,7 @@ diff -b -B --ignore-all-space --exclude-
dev_read_rand(xdm_t)
dev_read_sysfs(xdm_t)
dev_getattr_framebuffer_dev(xdm_t)
-@@ -401,6 +459,7 @@
+@@ -401,6 +461,7 @@
dev_getattr_mouse_dev(xdm_t)
dev_setattr_mouse_dev(xdm_t)
dev_rw_apm_bios(xdm_t)
@@ -19915,7 +19968,7 @@ diff -b -B --ignore-all-space --exclude-
dev_setattr_apm_bios_dev(xdm_t)
dev_rw_dri(xdm_t)
dev_rw_agp(xdm_t)
-@@ -413,14 +472,17 @@
+@@ -413,14 +474,17 @@
dev_setattr_video_dev(xdm_t)
dev_getattr_scanner_dev(xdm_t)
dev_setattr_scanner_dev(xdm_t)
@@ -19935,7 +19988,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(xdm_t)
files_read_var_files(xdm_t)
-@@ -431,9 +493,13 @@
+@@ -431,9 +495,13 @@
files_read_usr_files(xdm_t)
# Poweroff wants to create the /poweroff file when run from xdm
files_create_boot_flag(xdm_t)
@@ -19949,7 +20002,7 @@ diff -b -B --ignore-all-space --exclude-
storage_dontaudit_read_fixed_disk(xdm_t)
storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -442,6 +508,7 @@
+@@ -442,6 +510,7 @@
storage_dontaudit_raw_write_removable_device(xdm_t)
storage_dontaudit_setattr_removable_dev(xdm_t)
storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -19957,7 +20010,7 @@ diff -b -B --ignore-all-space --exclude-
term_setattr_console(xdm_t)
term_use_unallocated_ttys(xdm_t)
-@@ -450,6 +517,7 @@
+@@ -450,6 +519,7 @@
auth_domtrans_pam_console(xdm_t)
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -19965,7 +20018,7 @@ diff -b -B --ignore-all-space --exclude-
auth_rw_faillog(xdm_t)
auth_write_login_records(xdm_t)
-@@ -460,10 +528,11 @@
+@@ -460,10 +530,11 @@
logging_read_generic_logs(xdm_t)
@@ -19979,7 +20032,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_dontaudit_use_unpriv_user_fds(xdm_t)
userdom_create_all_users_keys(xdm_t)
-@@ -472,6 +541,9 @@
+@@ -472,6 +543,9 @@
# Search /proc for any user domain processes.
userdom_read_all_users_state(xdm_t)
userdom_signal_all_users(xdm_t)
@@ -19989,7 +20042,7 @@ diff -b -B --ignore-all-space --exclude-
xserver_rw_session(xdm_t, xdm_tmpfs_t)
xserver_unconfined(xdm_t)
-@@ -504,10 +576,12 @@
+@@ -504,10 +578,12 @@
optional_policy(`
alsa_domtrans(xdm_t)
@@ -20002,7 +20055,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -515,12 +589,46 @@
+@@ -515,12 +591,46 @@
')
optional_policy(`
@@ -20049,7 +20102,7 @@ diff -b -B --ignore-all-space --exclude-
hostname_exec(xdm_t)
')
-@@ -542,6 +650,30 @@
+@@ -542,6 +652,30 @@
')
optional_policy(`
@@ -20080,7 +20133,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +682,9 @@
+@@ -550,8 +684,9 @@
')
optional_policy(`
@@ -20092,7 +20145,7 @@ diff -b -B --ignore-all-space --exclude-
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +693,6 @@
+@@ -560,7 +695,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -20100,7 +20153,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +703,10 @@
+@@ -571,6 +705,10 @@
')
optional_policy(`
@@ -20111,7 +20164,7 @@ diff -b -B --ignore-all-space --exclude-
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +723,9 @@
+@@ -587,10 +725,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -20123,11 +20176,12 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +737,11 @@
+@@ -602,9 +739,12 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
+allow xserver_t self:netlink_selinux_socket create_socket_perms;
++allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;
# Device rules
allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
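Review bot: The added `allow xserver_t self:netlink_kobject_uevent_socket create_socket_perms;` carries no explanation of what the X server does with a uevent socket, and the changelog line only restates the rule; a brief why-comment would make the grant auditable, e.g. `# receive kernel uevents for device hotplug — presumably the udev input backend, confirm`. As written it is a self-socket rule and grants nothing on other domains' sockets, which is the right shape. The xserver_t self-rules continue outside the hunk.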
@@ -20135,7 +20189,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +753,14 @@
+@@ -616,13 +756,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -20151,7 +20205,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +773,19 @@
+@@ -635,9 +776,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -20171,7 +20225,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -671,7 +819,6 @@
+@@ -671,7 +822,6 @@
dev_rw_agp(xserver_t)
dev_rw_framebuffer(xserver_t)
dev_manage_dri_dev(xserver_t)
@@ -20179,7 +20233,7 @@ diff -b -B --ignore-all-space --exclude-
dev_create_generic_dirs(xserver_t)
dev_setattr_generic_dirs(xserver_t)
# raw memory access is needed if not using the frame buffer
-@@ -681,9 +828,12 @@
+@@ -681,9 +831,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -20193,7 +20247,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -698,8 +848,12 @@
+@@ -698,8 +851,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -20206,7 +20260,7 @@ diff -b -B --ignore-all-space --exclude-
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -721,6 +875,7 @@
+@@ -721,6 +878,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -20214,7 +20268,7 @@ diff -b -B --ignore-all-space --exclude-
modutils_domtrans_insmod(xserver_t)
-@@ -743,7 +898,7 @@
+@@ -743,7 +901,7 @@
')
ifdef(`enable_mls',`
@@ -20223,7 +20277,7 @@ diff -b -B --ignore-all-space --exclude-
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -775,12 +930,20 @@
+@@ -775,12 +933,20 @@
')
optional_policy(`
@@ -20245,7 +20299,7 @@ diff -b -B --ignore-all-space --exclude-
unconfined_domtrans(xserver_t)
')
-@@ -807,7 +970,7 @@
+@@ -807,7 +973,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -20254,7 +20308,7 @@ diff -b -B --ignore-all-space --exclude-
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -828,9 +991,14 @@
+@@ -828,9 +994,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -20269,7 +20323,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -845,11 +1013,14 @@
+@@ -845,11 +1016,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -20285,7 +20339,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -882,6 +1053,8 @@
+@@ -882,6 +1056,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -20294,7 +20348,7 @@ diff -b -B --ignore-all-space --exclude-
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -906,6 +1079,8 @@
+@@ -906,6 +1082,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -20303,7 +20357,7 @@ diff -b -B --ignore-all-space --exclude-
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -973,17 +1148,49 @@
+@@ -973,17 +1151,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -21121,7 +21175,7 @@ diff -b -B --ignore-all-space --exclude-
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.30/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/system/init.if 2009-08-31 13:40:47.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/system/init.if 2009-09-03 10:39:12.000000000 -0400
@@ -174,6 +174,7 @@
role system_r types $1;
@@ -22492,7 +22546,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.30/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/system/libraries.fc 2009-09-01 08:55:51.000000000 -0400
++++ serefpolicy-3.6.30/policy/modules/system/libraries.fc 2009-09-04 11:35:21.000000000 -0400
@@ -60,12 +60,15 @@
#
# /opt
@@ -22542,7 +22596,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
-@@ -115,27 +120,31 @@
+@@ -115,27 +120,30 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22550,13 +22604,12 @@ diff -b -B --ignore-all-space --exclude-
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
+/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+
+
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22582,7 +22635,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0)
/usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -143,11 +152,8 @@
+@@ -143,11 +151,8 @@
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22594,7 +22647,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -168,12 +174,12 @@
+@@ -168,12 +173,12 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
@@ -22609,7 +22662,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -185,15 +191,10 @@
+@@ -185,15 +190,10 @@
/usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22626,7 +22679,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -228,31 +229,17 @@
+@@ -228,31 +228,17 @@
/usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22662,7 +22715,7 @@ diff -b -B --ignore-all-space --exclude-
# Jai, Sun Microsystems (Jpackage SPRM)
/usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -268,8 +255,8 @@
+@@ -268,8 +254,8 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22673,7 +22726,7 @@ diff -b -B --ignore-all-space --exclude-
# Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -295,6 +282,8 @@
+@@ -295,6 +281,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -22682,7 +22735,7 @@ diff -b -B --ignore-all-space --exclude-
') dnl end distro_redhat
#
-@@ -307,10 +296,94 @@
+@@ -307,10 +295,96 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -22739,6 +22792,8 @@ diff -b -B --ignore-all-space --exclude-
+
+/usr/lib(64)?/xine/plugins/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ifdef(`fixed',`
+/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
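Review bot: In `+/usr/lib(64)?/yafaray/libDarkSky.so` the dot before `so` is unescaped, so as a file_contexts regex it matches any single character there, unlike every neighbouring entry which writes `\.so`; change it to `/usr/lib(64)?/yafaray/libDarkSky\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. If the library ships versioned sonames, the `(\..*)?` suffix used by nearby entries may also be wanted, but that needs checking against the package contents.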
@@ -23787,8 +23842,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.6.30/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.30/policy/modules/system/raid.te 2009-08-31 13:40:47.000000000 -0400
-@@ -44,6 +44,7 @@
++++ serefpolicy-3.6.30/policy/modules/system/raid.te 2009-09-06 15:32:46.000000000 -0400
+@@ -44,11 +44,13 @@
dev_dontaudit_getattr_generic_chr_files(mdadm_t)
dev_dontaudit_getattr_generic_blk_files(mdadm_t)
dev_read_realtime_clock(mdadm_t)
@@ -23796,6 +23851,12 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(mdadm_t)
+ files_read_etc_files(mdadm_t)
+ files_read_etc_runtime_files(mdadm_t)
++files_dontaudit_getattr_tmpfs_files(mdadm_t)
+
+ fs_search_auto_mountpoints(mdadm_t)
+ fs_dontaudit_list_tmpfs(mdadm_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.6.30/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/selinuxutil.fc 2009-08-31 13:40:47.000000000 -0400
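Review bot: `files_dontaudit_getattr_tmpfs_files(mdadm_t)` is placed between the files_read_etc* calls and the fs_ block, while the related `fs_dontaudit_list_tmpfs(mdadm_t)` sits three lines lower; keeping the two tmpfs dontaudit rules adjacent would make it easier to see what is being silenced for mdadm. A dontaudit hides a denial rather than resolving it, so a short comment naming the tmpfs object mdadm stats would help later audits. The mdadm_t rule block begins before this hunk.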
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.911
retrieving revision 1.912
diff -u -p -r1.911 -r1.912
--- selinux-policy.spec 2 Sep 2009 13:33:15 -0000 1.911
+++ selinux-policy.spec 7 Sep 2009 01:18:06 -0000 1.912
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.30
-Release: 2%{?dist}
+Release: 4%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -165,7 +165,7 @@ if [ -s /etc/selinux/config ]; then \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
if [ "${SELINUXTYPE}" = %1 -a -f ${FILE_CONTEXT} ]; then \
- cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
+ [ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre; \
fi \
fi
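Review bot: `[ -f ${FILE_CONTEXT}.pre ] || cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.pre;` means the snapshot is now taken only when no `.pre` exists, so its correctness depends on the `.pre` file being removed once the post-install relabel has consumed it; that cleanup is outside this hunk, and if any path leaves the file behind (a failed relabel, a manual copy), every later upgrade compares against a stale snapshot and the relabel diff drifts. A comment on the guard would record the intent, e.g. `# keep a .pre left by an interrupted upgrade so its changes are still relabeled`. The macro containing this line begins before the hunk.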
@@ -443,6 +443,12 @@ exit 0
%endif
%changelog
+* Fri Sep 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.30-4
+- Allow xserver to use netlink_kobject_uevent_socket
+
+* Thu Sep 3 2009 Dan Walsh <dwalsh at redhat.com> 3.6.30-3
+- Fixes for sandbox
+
* Mon Aug 31 2009 Dan Walsh <dwalsh at redhat.com> 3.6.30-2
- Dontaudit setroubleshootfix looking at /root directory