rpms/selinux-policy/devel policy-F12.patch, 1.91, 1.92 selinux-policy.spec, 1.928, 1.929

Daniel J Walsh dwalsh at fedoraproject.org
Thu Sep 24 23:30:17 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27767

Modified Files:
	policy-F12.patch selinux-policy.spec 
Log Message:
* Tue Sep 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-10
- Allow sendmail to request kernel modules load


policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/brctl.te             |    2 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |    7 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/logrotate.te         |   13 
 policy/modules/admin/logwatch.te          |    1 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    1 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.if           |    4 
 policy/modules/admin/prelink.te           |    1 
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   18 
 policy/modules/admin/rpm.if               |  242 +++++
 policy/modules/admin/rpm.te               |   75 +
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    2 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   67 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |    4 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |    5 
 policy/modules/admin/usermanage.te        |   31 
 policy/modules/admin/vbetool.te           |   16 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |    3 
 policy/modules/apps/firewallgui.te        |   63 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  170 +++
 policy/modules/apps/gnome.te              |   99 ++
 policy/modules/apps/gpg.te                |   20 
 policy/modules/apps/java.fc               |   17 
 policy/modules/apps/java.if               |  111 ++
 policy/modules/apps/java.te               |   14 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   65 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   50 +
 policy/modules/apps/livecd.te             |   26 
 policy/modules/apps/mono.if               |  101 ++
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   32 
 policy/modules/apps/mozilla.te            |   21 
 policy/modules/apps/nsplugin.fc           |   12 
 policy/modules/apps/nsplugin.if           |  320 ++++++
 policy/modules/apps/nsplugin.te           |  294 ++++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/pulseaudio.te         |    6 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  190 ++++
 policy/modules/apps/qemu.te               |   82 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   56 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  182 +++
 policy/modules/apps/sandbox.te            |  328 +++++++
 policy/modules/apps/screen.if             |    5 
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   81 +
 policy/modules/apps/seunshare.te          |   45 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |   59 +
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   28 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   31 
 policy/modules/kernel/devices.fc          |    7 
 policy/modules/kernel/devices.if          |  164 +++
 policy/modules/kernel/devices.te          |   19 
 policy/modules/kernel/domain.if           |  151 ++-
 policy/modules/kernel/domain.te           |   84 +
 policy/modules/kernel/files.fc            |    3 
 policy/modules/kernel/files.if            |  298 ++++++
 policy/modules/kernel/files.te            |    6 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  211 ++++
 policy/modules/kernel/filesystem.te       |    8 
 policy/modules/kernel/kernel.if           |   58 +
 policy/modules/kernel/kernel.te           |   29 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |    3 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   40 
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  123 --
 policy/modules/roles/sysadm.te            |  124 --
 policy/modules/roles/unconfineduser.fc    |   36 
 policy/modules/roles/unconfineduser.if    |  638 +++++++++++++
 policy/modules/roles/unconfineduser.te    |  402 ++++++++
 policy/modules/roles/unprivuser.te        |  131 --
 policy/modules/roles/xguest.te            |   18 
 policy/modules/services/abrt.fc           |    2 
 policy/modules/services/abrt.if           |   21 
 policy/modules/services/abrt.te           |   12 
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    1 
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   37 
 policy/modules/services/apache.if         |  391 +++++---
 policy/modules/services/apache.te         |  438 +++++++--
 policy/modules/services/apm.te            |    2 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bluetooth.te      |    9 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 ++
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   16 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   18 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 ++
 policy/modules/services/corosync.te       |  109 ++
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    4 
 policy/modules/services/cron.if           |   72 +
 policy/modules/services/cron.te           |   82 +
 policy/modules/services/cups.fc           |   13 
 policy/modules/services/cups.te           |   29 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    1 
 policy/modules/services/dbus.if           |   49 -
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   54 +
 policy/modules/services/dnsmasq.te        |    8 
 policy/modules/services/dovecot.te        |    7 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.te       |    1 
 policy/modules/services/fetchmail.te      |    2 
 policy/modules/services/fprintd.te        |    4 
 policy/modules/services/ftp.te            |   58 +
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   48 -
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.te          |    2 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.te       |   13 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/lircd.te          |   11 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    2 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |    5 
 policy/modules/services/mta.te            |   35 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    3 
 policy/modules/services/mysql.te          |    7 
 policy/modules/services/nagios.fc         |   11 
 policy/modules/services/nagios.if         |   70 +
 policy/modules/services/nagios.te         |   55 -
 policy/modules/services/networkmanager.fc |   13 
 policy/modules/services/networkmanager.if |   45 
 policy/modules/services/networkmanager.te |  114 ++
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.te           |   10 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nx.fc             |    1 
 policy/modules/services/nx.if             |   19 
 policy/modules/services/nx.te             |    6 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/openvpn.te        |    2 
 policy/modules/services/pcscd.te          |    3 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   48 +
 policy/modules/services/policykit.te      |   63 +
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++-
 policy/modules/services/postfix.te        |  136 ++
 policy/modules/services/postgresql.fc     |    1 
 policy/modules/services/postgresql.if     |   43 
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   16 
 policy/modules/services/prelude.te        |    1 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 +
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/radvd.te          |    1 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |    6 
 policy/modules/services/rgmanager.if      |   40 
 policy/modules/services/rgmanager.te      |   54 +
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  214 ++++
 policy/modules/services/rhcs.te           |  336 +++++++
 policy/modules/services/ricci.te          |    5 
 policy/modules/services/rpc.if            |    6 
 policy/modules/services/rpc.te            |   14 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    2 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  104 ++
 policy/modules/services/samba.te          |   89 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   87 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  102 ++
 policy/modules/services/setroubleshoot.te |   78 +
 policy/modules/services/smartmon.te       |   15 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    2 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  137 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  183 +++
 policy/modules/services/ssh.te            |   77 +
 policy/modules/services/sssd.fc           |    2 
 policy/modules/services/sssd.if           |   43 
 policy/modules/services/sssd.te           |    6 
 policy/modules/services/sysstat.te        |    2 
 policy/modules/services/uucp.te           |    7 
 policy/modules/services/virt.fc           |   12 
 policy/modules/services/virt.if           |  127 ++
 policy/modules/services/virt.te           |  281 +++++-
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   30 
 policy/modules/services/xserver.if        |  534 ++++++++++-
 policy/modules/services/xserver.te        |  310 +++++-
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   11 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  204 +++-
 policy/modules/system/authlogin.te        |    9 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  158 +++
 policy/modules/system/init.te             |  277 ++++-
 policy/modules/system/ipsec.fc            |    3 
 policy/modules/system/ipsec.if            |   25 
 policy/modules/system/ipsec.te            |   55 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 ++
 policy/modules/system/iptables.te         |   15 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    6 
 policy/modules/system/libraries.fc        |  158 ++-
 policy/modules/system/libraries.if        |    4 
 policy/modules/system/libraries.te        |   17 
 policy/modules/system/locallogin.te       |   28 
 policy/modules/system/logging.fc          |   11 
 policy/modules/system/logging.if          |    4 
 policy/modules/system/logging.te          |   34 
 policy/modules/system/lvm.te              |   17 
 policy/modules/system/miscfiles.if        |   19 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   46 
 policy/modules/system/modutils.te         |   46 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |    2 
 policy/modules/system/mount.te            |   76 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  288 ++++++
 policy/modules/system/selinuxutil.te      |  226 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |    9 
 policy/modules/system/sysnetwork.if       |  117 ++
 policy/modules/system/sysnetwork.te       |   74 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   21 
 policy/modules/system/udev.te             |   38 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 ---------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |    6 
 policy/modules/system/userdomain.if       | 1402 ++++++++++++++++++++++--------
 policy/modules/system/userdomain.te       |   50 -
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   28 
 policy/modules/system/xen.te              |  137 ++
 policy/support/obj_perm_sets.spt          |   14 
 policy/users                              |   13 
 319 files changed, 14655 insertions(+), 2585 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.91
retrieving revision 1.92
diff -u -p -r1.91 -r1.92
--- policy-F12.patch	22 Sep 2009 12:49:52 -0000	1.91
+++ policy-F12.patch	24 Sep 2009 23:30:15 -0000	1.92
@@ -338,12 +338,12 @@ diff -b -B --ignore-all-space --exclude-
  files_dontaudit_getattr_all_sockets(readahead_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.32/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc	2009-09-16 07:03:08.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.fc	2009-09-24 08:56:43.000000000 -0700
 @@ -1,17 +1,17 @@
  
  /bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 +/usr/bin/rpm 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/bin/debuginfo-install      --      gen_context(system_u:object_r:rpm_exec_t,s0)
++/usr/bin/debuginfo-install      --      gen_context(system_u:object_r:debuginfo_exec_t,s0)
  /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
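Review bot: The new `/usr/bin/debuginfo-install` entry separates its fields with runs of spaces while every neighbouring rpm.fc line uses tabs, which stands out in the file and in every later diff; use tabs to match, `/usr/bin/debuginfo-install	--	gen_context(system_u:object_r:debuginfo_exec_t,s0)`. Relabelling the binary from `rpm_exec_t` to `debuginfo_exec_t` only takes effect once rpm.te declares the type and rpm.if transitions on it, so this hunk only makes sense applied together with the rpm.if and rpm.te hunks further down.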
@@ -362,7 +362,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  ifdef(`distro_redhat', `
-@@ -21,15 +21,22 @@
+@@ -21,15 +21,23 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -375,6 +375,7 @@ diff -b -B --ignore-all-space --exclude-
  
  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 +/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
++/var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
  
  /var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
  /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
@@ -387,8 +388,43 @@ diff -b -B --ignore-all-space --exclude-
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-09-16 07:03:08.000000000 -0700
-@@ -66,6 +66,11 @@
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-09-24 08:54:37.000000000 -0700
+@@ -13,11 +13,34 @@
+ interface(`rpm_domtrans',`
+ 	gen_require(`
+ 		type rpm_t, rpm_exec_t;
++		type debuginfo_exec_t;
+ 	')
+ 
+ 	files_search_usr($1)
+ 	corecmd_search_bin($1)
+ 	domtrans_pattern($1, rpm_exec_t, rpm_t)
++	domtrans_pattern($1, debuginfo_exec_t, rpm_t)
++')
++
++########################################
++## <summary>
++##	Execute debuginfo_install programs in the rpm domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpm_domtrans_debuginfo',`
++	gen_require(`
++		type rpm_t;
++		type debuginfo_exec_t;
++	')
++
++	files_search_usr($1)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, debuginfo_exec_t, rpm_t)
+ ')
+ 
+ ########################################
+@@ -66,6 +89,11 @@
  	rpm_domtrans($1)
  	role $2 types rpm_t;
  	role $2 types rpm_script_t;
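Review bot: `rpm_domtrans` now emits `domtrans_pattern($1, debuginfo_exec_t, rpm_t)` itself, so the new `rpm_domtrans_debuginfo` interface grants nothing a caller of `rpm_domtrans` does not already get, and neither summary says which one a module should use. If some callers are meant to transition through rpm but not through debuginfo-install, drop the added line from `rpm_domtrans`; otherwise drop the new interface or mark it as a subset, e.g. `##	Subset of rpm_domtrans: transition only via the debuginfo_exec_t entry point.`. The `rpm_run` interface whose context starts at `+89` is cut off by the hunk, so which of the two it ends up calling cannot be checked here.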
@@ -400,7 +436,7 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_run_loadpolicy(rpm_script_t, $2)
  	seutil_run_semanage(rpm_script_t, $2)
  	seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +151,35 @@
+@@ -146,6 +174,35 @@
  
  ########################################
  ## <summary>
@@ -436,7 +472,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -167,6 +201,48 @@
+@@ -167,6 +224,48 @@
  
  ########################################
  ## <summary>
@@ -485,7 +521,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -186,6 +262,24 @@
+@@ -186,6 +285,24 @@
  
  ########################################
  ## <summary>
@@ -510,7 +546,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
-@@ -219,7 +313,51 @@
+@@ -219,7 +336,51 @@
  	')
  
  	files_search_tmp($1)
@@ -562,7 +598,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -245,6 +383,24 @@
+@@ -245,6 +406,24 @@
  
  ########################################
  ## <summary>
@@ -587,7 +623,34 @@ diff -b -B --ignore-all-space --exclude-
  ##	Create, read, write, and delete the RPM package database.
  ## </summary>
  ## <param name="domain">
-@@ -283,3 +439,46 @@
+@@ -265,6 +444,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Create, read, write, and delete the RPM package database.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`rpm_manage_cache',`
++	gen_require(`
++		type rpm_var_cache_t;
++	')
++
++	files_search_var_lib($1)
++	manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
++	manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
++')
++
++########################################
++## <summary>
+ ##	Do not audit attempts to create, read, 
+ ##	write, and delete the RPM package database.
+ ## </summary>
+@@ -283,3 +482,46 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
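Review bot: The summary of the new `rpm_manage_cache` interface is copied from the package-database interface and describes the wrong object, and the body searches the wrong parent directory: rpm.fc assigns `rpm_var_cache_t` to `/var/cache/yum(/.*)?`, so `files_search_var_lib($1)` does not give the caller the lookup it needs to reach the cache. Change the summary to `##	Create, read, write, and delete the yum/RPM package cache.` and the search call to `files_search_var($1)`. rpm.te also grants `manage_dirs_pattern` on this type while the interface covers only files and symlinks, so a caller of this interface cannot create or remove cache directories; add `manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)` if callers are expected to manage the whole cache tree.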
@@ -636,11 +699,24 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te	2009-09-16 07:03:08.000000000 -0700
-@@ -31,11 +31,15 @@
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te	2009-09-24 08:56:31.000000000 -0700
+@@ -15,6 +15,9 @@
+ domain_interactive_fd(rpm_t)
+ role system_r types rpm_t;
+ 
++type debuginfo_exec_t;
++domain_entry_file(rpm_t, debuginfo_exec_t)
++
+ type rpm_file_t;
+ files_type(rpm_file_t)
+ 
+@@ -31,11 +34,18 @@
  files_type(rpm_var_lib_t)
  typealias rpm_var_lib_t alias var_lib_rpm_t;
  
++type rpm_var_cache_t;
++files_type(rpm_var_cache_t)
++
 +type rpm_var_run_t;
 +files_pid_file(rpm_var_run_t)
 +
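Review bot: `debuginfo_exec_t` is declared with nothing but `domain_entry_file(rpm_t, debuginfo_exec_t)` and no comment, and the rpm.if hunk above transitions it into the same `rpm_t` domain as `rpm_exec_t`, so a reader cannot tell why a second entry-point type exists. Add a one-line reason above the declaration, e.g. `# Distinct entry type for debuginfo-install so callers can grant it separately from rpm_exec_t`, or whatever the actual motivation is. If no caller needs to tell the two apart, keeping the binary labelled `rpm_exec_t` as before is simpler and leaves one fewer type to maintain.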
@@ -653,7 +729,7 @@ diff -b -B --ignore-all-space --exclude-
  domain_type(rpm_script_t)
  domain_entry_file(rpm_t, rpm_script_exec_t)
  domain_interactive_fd(rpm_script_t)
-@@ -52,8 +56,9 @@
+@@ -52,8 +62,9 @@
  # rpm Local policy
  #
  
@@ -665,7 +741,7 @@ diff -b -B --ignore-all-space --exclude-
  allow rpm_t self:process { getattr setexec setfscreate setrlimit };
  allow rpm_t self:fd use;
  allow rpm_t self:fifo_file rw_fifo_file_perms;
-@@ -68,6 +73,8 @@
+@@ -68,6 +79,8 @@
  allow rpm_t self:sem create_sem_perms;
  allow rpm_t self:msgq create_msgq_perms;
  allow rpm_t self:msg { send receive };
@@ -674,7 +750,15 @@ diff -b -B --ignore-all-space --exclude-
  
  allow rpm_t rpm_log_t:file manage_file_perms;
  logging_log_filetrans(rpm_t, rpm_log_t, file)
-@@ -87,8 +94,13 @@
+@@ -83,12 +96,21 @@
+ manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
+ fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ 
++manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
++manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
++files_var_filetrans(rpm_t, rpm_var_cache_t, dir)
++
+ # Access /var/lib/rpm files
  manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
  files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)
  
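Review bot: `files_var_filetrans(rpm_t, rpm_var_cache_t, dir)` is not limited to `/var/cache`: it labels every directory that rpm_t creates directly inside a var_t directory as `rpm_var_cache_t`, while rpm.fc assigns that type only to `/var/cache/yum(/.*)?`. rpm_t also creates package-owned directories under /var during installs; it holds `setfscreate` so those are presumably created with an explicit context, but any that are not will carry the cache label until the next relabel — hard to confirm from this hunk alone. At minimum state the intent next to the rule, e.g. `# yum creates /var/cache/yum on first run; other dirs rpm creates under /var rely on setfscreate`, so the breadth of the transition is a documented choice rather than an accident.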
@@ -688,7 +772,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_all_executables(rpm_t)
  
-@@ -108,12 +120,14 @@
+@@ -108,12 +130,14 @@
  dev_list_sysfs(rpm_t)
  dev_list_usbfs(rpm_t)
  dev_read_urand(rpm_t)
@@ -703,7 +787,7 @@ diff -b -B --ignore-all-space --exclude-
  fs_search_auto_mountpoints(rpm_t)
  
  mls_file_read_all_levels(rpm_t)
-@@ -132,6 +146,8 @@
+@@ -132,6 +156,8 @@
  # for installing kernel packages
  storage_raw_read_fixed_disk(rpm_t)
  
@@ -712,7 +796,7 @@ diff -b -B --ignore-all-space --exclude-
  auth_relabel_all_files_except_shadow(rpm_t)
  auth_manage_all_files_except_shadow(rpm_t)
  auth_dontaudit_read_shadow(rpm_t)
-@@ -155,6 +171,7 @@
+@@ -155,6 +181,7 @@
  files_exec_etc_files(rpm_t)
  
  init_domtrans_script(rpm_t)
@@ -720,7 +804,7 @@ diff -b -B --ignore-all-space --exclude-
  
  libs_exec_ld_so(rpm_t)
  libs_exec_lib_files(rpm_t)
-@@ -174,17 +191,28 @@
+@@ -174,17 +201,28 @@
  ')
  
  optional_policy(`
@@ -750,7 +834,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ifdef(`TODO',`
-@@ -210,8 +238,8 @@
+@@ -210,8 +248,8 @@
  # rpm-script Local policy
  #
  
@@ -761,7 +845,7 @@ diff -b -B --ignore-all-space --exclude-
  allow rpm_script_t self:fd use;
  allow rpm_script_t self:fifo_file rw_fifo_file_perms;
  allow rpm_script_t self:unix_dgram_socket create_socket_perms;
-@@ -222,12 +250,15 @@
+@@ -222,12 +260,15 @@
  allow rpm_script_t self:sem create_sem_perms;
  allow rpm_script_t self:msgq create_msgq_perms;
  allow rpm_script_t self:msg { send receive };
@@ -777,7 +861,7 @@ diff -b -B --ignore-all-space --exclude-
  files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
  
  manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
-@@ -239,6 +270,9 @@
+@@ -239,6 +280,9 @@
  
  kernel_read_kernel_sysctls(rpm_script_t)
  kernel_read_system_state(rpm_script_t)
@@ -787,7 +871,7 @@ diff -b -B --ignore-all-space --exclude-
  
  dev_list_sysfs(rpm_script_t)
  
-@@ -255,6 +289,7 @@
+@@ -255,6 +299,7 @@
  fs_mount_xattr_fs(rpm_script_t)
  fs_unmount_xattr_fs(rpm_script_t)
  fs_search_auto_mountpoints(rpm_script_t)
@@ -795,7 +879,7 @@ diff -b -B --ignore-all-space --exclude-
  
  mcs_killall(rpm_script_t)
  mcs_ptrace_all(rpm_script_t)
-@@ -272,14 +307,19 @@
+@@ -272,14 +317,19 @@
  storage_raw_read_fixed_disk(rpm_script_t)
  storage_raw_write_fixed_disk(rpm_script_t)
  
@@ -815,7 +899,7 @@ diff -b -B --ignore-all-space --exclude-
  
  domain_read_all_domains_state(rpm_script_t)
  domain_getattr_all_domains(rpm_script_t)
-@@ -291,6 +331,7 @@
+@@ -291,6 +341,7 @@
  files_exec_etc_files(rpm_script_t)
  files_read_etc_runtime_files(rpm_script_t)
  files_exec_usr_files(rpm_script_t)
@@ -823,7 +907,7 @@ diff -b -B --ignore-all-space --exclude-
  
  init_domtrans_script(rpm_script_t)
  
-@@ -308,12 +349,15 @@
+@@ -308,12 +359,15 @@
  seutil_domtrans_loadpolicy(rpm_script_t)
  seutil_domtrans_setfiles(rpm_script_t)
  seutil_domtrans_semanage(rpm_script_t)
@@ -839,7 +923,7 @@ diff -b -B --ignore-all-space --exclude-
  	')
  ')
  
-@@ -326,13 +370,22 @@
+@@ -326,13 +380,22 @@
  ')
  
  optional_policy(`
@@ -2338,7 +2422,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2009-07-28 10:28:33.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if	2009-09-18 07:42:05.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if	2009-09-23 16:27:38.000000000 -0700
 @@ -45,6 +45,18 @@
  	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
  	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
@@ -2366,7 +2450,7 @@ diff -b -B --ignore-all-space --exclude-
  	userdom_search_user_home_dirs($1)
  ')
  
-@@ -88,6 +101,24 @@
+@@ -88,6 +101,25 @@
  
  ########################################
  ## <summary>
@@ -2378,12 +2462,13 @@ diff -b -B --ignore-all-space --exclude-
 +##	</summary>
 +## </param>
 +#
-+interface(`mozilla_dontaudit_write_user_home_files',`
++interface(`mozilla_dontaudit_manage_user_home_files',`
 +	gen_require(`
 +		type mozilla_home_t;
 +	')
 +
-+	dontaudit $1 mozilla_home_t:file write;
++	dontaudit $1 mozilla_home_t:dir manage_dir_perms;
++	dontaudit $1 mozilla_home_t:file manage_file_perms;
 +')
 +
 +########################################
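Review bot: Renaming `mozilla_dontaudit_write_user_home_files` to `mozilla_dontaudit_manage_user_home_files` removes the old interface name, so any module that still calls it fails to build; the callers are outside this hunk and cannot be checked here. refpolicy's convention is to keep the old name as a deprecated wrapper that forwards to the new interface, as below. The body also widens what is silenced from `file write` to `manage_dir_perms` and `manage_file_perms`, so create, unlink and rename denials against a user's Mozilla profile will no longer show up in the audit log; the summary text just above the hunk should say that explicitly so the trade-off is visible to whoever calls it.
```m4
# … unchanged: mozilla_dontaudit_manage_user_home_files …

########################################
## <summary>
##	Deprecated: use mozilla_dontaudit_manage_user_home_files().
## </summary>
#
interface(`mozilla_dontaudit_write_user_home_files',`
	refpolicywarn(`$0($*) has been deprecated, use mozilla_dontaudit_manage_user_home_files() instead.')
	mozilla_dontaudit_manage_user_home_files($1)
')
```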
@@ -2486,8 +2571,8 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)?			gen_context(system_u:object_r:nsplugin_rw_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.6.32/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 16:00:00.000000000 -0800
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if	2009-09-18 18:30:00.000000000 -0700
-@@ -0,0 +1,319 @@
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.if	2009-09-23 07:34:03.000000000 -0700
+@@ -0,0 +1,320 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -2600,6 +2685,7 @@ diff -b -B --ignore-all-space --exclude-
 +	dontaudit nsplugin_t $2:process ptrace;
 +	allow nsplugin_t $2:sem rw_sem_perms;
 +	allow nsplugin_t $2:shm rw_shm_perms;
++	dontaudit nsplugin_t $2:shm destroy;
 +
 +	allow $2 nsplugin_t:process { getattr ptrace signal_perms };
 +	allow $2 nsplugin_t:unix_stream_socket connectto;
@@ -2809,8 +2895,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.32/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 16:00:00.000000000 -0800
-+++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te	2009-09-16 07:03:08.000000000 -0700
-@@ -0,0 +1,292 @@
++++ serefpolicy-3.6.32/policy/modules/apps/nsplugin.te	2009-09-24 08:43:03.000000000 -0700
+@@ -0,0 +1,294 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@@ -3025,6 +3111,8 @@ diff -b -B --ignore-all-space --exclude-
 +allow nsplugin_config_t self:fifo_file rw_file_perms;
 +allow nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
++dev_dontaudit_read_rand(nsplugin_config_t)
++
 +fs_search_auto_mountpoints(nsplugin_config_t)
 +fs_list_inotifyfs(nsplugin_config_t)
 +
@@ -3650,8 +3738,8 @@ diff -b -B --ignore-all-space --exclude-
 +# No types are sandbox_exec_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 16:00:00.000000000 -0800
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2009-09-21 06:08:50.000000000 -0700
-@@ -0,0 +1,181 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2009-09-23 16:34:36.000000000 -0700
+@@ -0,0 +1,182 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -3696,6 +3784,7 @@ diff -b -B --ignore-all-space --exclude-
 +	# Dontaudit leaked file descriptors
 +	dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
 +	dontaudit sandbox_x_domain $1:tcp_socket rw_socket_perms;
++	dontaudit sandbox_x_domain $1:udp_socket rw_socket_perms;
 +	
 +	manage_files_pattern($1, sandbox_file_type, sandbox_file_type);
 +	manage_dirs_pattern($1, sandbox_file_type, sandbox_file_type);
@@ -3835,8 +3924,8 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 16:00:00.000000000 -0800
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2009-09-21 05:40:55.000000000 -0700
-@@ -0,0 +1,326 @@
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te	2009-09-24 11:21:41.000000000 -0700
+@@ -0,0 +1,328 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -3971,6 +4060,8 @@ diff -b -B --ignore-all-space --exclude-
 +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto;
 +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +
++domain_dontaudit_read_all_domains_state(sandbox_x_domain)
++
 +files_search_home(sandbox_x_domain)
 +files_dontaudit_list_tmp(sandbox_x_domain)
 +
@@ -4025,7 +4116,7 @@ diff -b -B --ignore-all-space --exclude-
 +userdom_use_user_ptys(sandbox_x_t)
 +
 +optional_policy(`
-+	mozilla_dontaudit_write_user_home_files(sandbox_x_t)
++	mozilla_dontaudit_manage_user_home_files(sandbox_x_t)
 +')
 +
 +
@@ -4186,8 +4277,8 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/sbin/seunshare	--	gen_context(system_u:object_r:seunshare_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.if serefpolicy-3.6.32/policy/modules/apps/seunshare.if
 --- nsaserefpolicy/policy/modules/apps/seunshare.if	1969-12-31 16:00:00.000000000 -0800
-+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.if	2009-09-18 18:59:52.000000000 -0700
-@@ -0,0 +1,80 @@
++++ serefpolicy-3.6.32/policy/modules/apps/seunshare.if	2009-09-23 16:34:12.000000000 -0700
+@@ -0,0 +1,81 @@
 +
 +## <summary>policy for seunshare</summary>
 +
@@ -4239,6 +4330,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 +	# leaks from firefox
 +	dontaudit seunshare_t $1:tcp_socket rw_socket_perms;
++	dontaudit seunshare_t $1:udp_socket rw_socket_perms;
 +')
 +
 +########################################
@@ -4270,7 +4362,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.6.32/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	1969-12-31 16:00:00.000000000 -0800
-+++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te	2009-09-18 07:46:57.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/apps/seunshare.te	2009-09-23 16:28:08.000000000 -0700
 @@ -0,0 +1,45 @@
 +policy_module(seunshare,1.0.0)
 +
@@ -4315,7 +4407,7 @@ diff -b -B --ignore-all-space --exclude-
 +userdom_use_user_terminals(seunshare_t)
 +
 +optional_policy(`
-+	mozilla_dontaudit_write_user_home_files(seunshare_t)
++	mozilla_dontaudit_manage_user_home_files(seunshare_t)
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.6.32/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2009-09-09 06:23:16.000000000 -0700
@@ -6293,8 +6385,16 @@ diff -b -B --ignore-all-space --exclude-
  /dev/p[fg][0-3]		-b	gen_context(system_u:object_r:removable_device_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.6.32/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/kernel/storage.if	2009-09-16 07:03:09.000000000 -0700
-@@ -529,7 +529,7 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/storage.if	2009-09-23 07:29:31.000000000 -0700
+@@ -266,6 +266,7 @@
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 fixed_disk_device_t:blk_file relabel_blk_file_perms;
++	dontaudit $1 fixed_disk_device_t:lnk_file relabelto_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -529,7 +530,7 @@
  
  	')
  
@@ -8253,7 +8353,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 06:09:20.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-09-24 08:54:43.000000000 -0700
 @@ -75,6 +75,7 @@
  
  corecmd_exec_bin(abrt_t)
@@ -8262,10 +8362,20 @@ diff -b -B --ignore-all-space --exclude-
  
  corenet_tcp_connect_http_port(abrt_t)
  
-@@ -109,9 +110,13 @@
+@@ -105,13 +106,20 @@
+ 	dbus_system_bus_client(abrt_t)
+ ')
+ 
++optional_policy(`
++	nsplugin_read_rw_files(abrt_t)
++')
++
+ # to install debuginfo packages 
  optional_policy(`
- 	rpm_manage_db(abrt_t)
- 	rpm_domtrans(abrt_t)
+-	rpm_manage_db(abrt_t)
+-	rpm_domtrans(abrt_t)
++	rpm_manage_cache(abrt_t)
++	rpm_domtrans_debuginfo(abrt_t)
 +	rpm_signull(abrt_t)
  ')
  
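Review bot: The narrower rpm rules here (`rpm_manage_cache`/`rpm_domtrans_debuginfo` replacing `rpm_manage_db`/`rpm_domtrans`) change what gets logged but not what abrt can do, because `permissive abrt_t;` is still declared a few lines below in the same file; if the reduced set is believed complete, the permissive declaration should be dropped in the same change, as this commit already does for setroubleshoot_fixit_t. The new `nsplugin_read_rw_files(abrt_t)` also carries no why-comment, and nsplugin_rw_t covers writable browser-plugin data, so it deserves one: `# abrt reads nsplugin rw files when collecting plugin crash data -- confirm which files`. The enclosing optional_policy blocks are complete within the hunk, but the abrt_t domain definition is not.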
@@ -8275,7 +8385,6 @@ diff -b -B --ignore-all-space --exclude-
  ')
 +
 +permissive abrt_t;
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.32/policy/modules/services/afs.fc
 --- nsaserefpolicy/policy/modules/services/afs.fc	2009-07-23 11:11:04.000000000 -0700
 +++ serefpolicy-3.6.32/policy/modules/services/afs.fc	2009-09-16 07:03:09.000000000 -0700
@@ -9874,7 +9983,7 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te	2009-09-21 05:20:47.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te	2009-09-22 17:55:58.000000000 -0700
 @@ -56,7 +56,7 @@
  
  allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
@@ -11964,7 +12073,7 @@ diff -b -B --ignore-all-space --exclude-
  /var/lib/cache/hald(/.*)?			gen_context(system_u:object_r:hald_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.32/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2009-07-28 10:28:33.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/hal.if	2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/hal.if	2009-09-24 11:39:22.000000000 -0700
 @@ -413,3 +413,21 @@
  	files_search_pids($1)
  	manage_files_pattern($1, hald_var_run_t, hald_var_run_t)
@@ -11989,7 +12098,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.32/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/hal.te	2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/hal.te	2009-09-23 07:21:23.000000000 -0700
 @@ -55,6 +55,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -12000,15 +12109,17 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Local policy
-@@ -100,6 +103,7 @@
+@@ -100,7 +103,9 @@
  kernel_rw_irq_sysctls(hald_t)
  kernel_rw_vm_sysctls(hald_t)
  kernel_write_proc_files(hald_t)
 +kernel_search_network_sysctl(hald_t)
  kernel_setsched(hald_t)
++kernel_request_load_module(hald_t)
  
  auth_read_pam_console_data(hald_t)
-@@ -156,6 +160,11 @@
+ 
+@@ -156,6 +161,11 @@
  fs_search_all(hald_t)
  fs_list_inotifyfs(hald_t)
  fs_list_auto_mountpoints(hald_t)
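Review bot: `kernel_request_load_module(hald_t)` is not recorded in the 3.6.32-10 changelog at the bottom of this page, which mentions only the sendmail grant; since `system:module_request` lets a domain make the kernel autoload modules by name, undocumented grants of it are exactly what makes later policy audits hard. hald_t is already a broad domain, so the practical widening is probably small, but the line should still say what triggers it, e.g. `# hal triggers module autoload while probing devices -- confirm against the AVC`. The rest of the hunk only renumbers context.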
@@ -12020,7 +12131,7 @@ diff -b -B --ignore-all-space --exclude-
  files_getattr_all_mountpoints(hald_t)
  
  mls_file_read_all_levels(hald_t)
-@@ -202,8 +211,10 @@
+@@ -202,8 +212,10 @@
  seutil_read_default_contexts(hald_t)
  seutil_read_file_contexts(hald_t)
  
@@ -12032,7 +12143,7 @@ diff -b -B --ignore-all-space --exclude-
  
  userdom_dontaudit_use_unpriv_user_fds(hald_t)
  userdom_dontaudit_search_user_home_dirs(hald_t)
-@@ -290,6 +301,7 @@
+@@ -290,6 +302,7 @@
  ')
  
  optional_policy(`
@@ -12040,7 +12151,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(hald_t)
  	policykit_domtrans_resolve(hald_t)
  	policykit_read_lib(hald_t)
-@@ -321,6 +333,10 @@
+@@ -321,6 +334,10 @@
  	virt_manage_images(hald_t)
  ')
  
@@ -12051,7 +12162,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
  #
  # Hal acl local policy
-@@ -341,6 +357,7 @@
+@@ -341,6 +358,7 @@
  manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
  files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
@@ -12059,7 +12170,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corecmd_exec_bin(hald_acl_t)
  
-@@ -357,6 +374,8 @@
+@@ -357,6 +375,8 @@
  files_read_usr_files(hald_acl_t)
  files_read_etc_files(hald_acl_t)
  
@@ -12068,7 +12179,7 @@ diff -b -B --ignore-all-space --exclude-
  storage_getattr_removable_dev(hald_acl_t)
  storage_setattr_removable_dev(hald_acl_t)
  storage_getattr_fixed_disk_dev(hald_acl_t)
-@@ -369,6 +388,7 @@
+@@ -369,6 +389,7 @@
  miscfiles_read_localization(hald_acl_t)
  
  optional_policy(`
@@ -12076,7 +12187,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(hald_acl_t)
  	policykit_read_lib(hald_acl_t)
  	policykit_read_reload(hald_acl_t)
-@@ -450,12 +470,16 @@
+@@ -450,12 +471,16 @@
  
  miscfiles_read_localization(hald_keymap_t)
  
@@ -12095,7 +12206,7 @@ diff -b -B --ignore-all-space --exclude-
  allow hald_dccm_t self:process getsched;
  allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
  allow hald_dccm_t self:udp_socket create_socket_perms;
-@@ -469,10 +493,22 @@
+@@ -469,10 +494,22 @@
  manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
  files_search_var_lib(hald_dccm_t)
  
@@ -12118,7 +12229,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_all_recvfrom_unlabeled(hald_dccm_t)
  corenet_all_recvfrom_netlabel(hald_dccm_t)
  corenet_tcp_sendrecv_generic_if(hald_dccm_t)
-@@ -484,6 +520,7 @@
+@@ -484,6 +521,7 @@
  corenet_tcp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_generic_node(hald_dccm_t)
  corenet_udp_bind_dhcpc_port(hald_dccm_t)
@@ -12126,7 +12237,7 @@ diff -b -B --ignore-all-space --exclude-
  corenet_tcp_bind_dccm_port(hald_dccm_t)
  
  logging_send_syslog_msg(hald_dccm_t)
-@@ -491,3 +528,7 @@
+@@ -491,3 +529,7 @@
  files_read_usr_files(hald_dccm_t)
  
  miscfiles_read_localization(hald_dccm_t)
@@ -12335,7 +12446,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/mta.te	2009-09-16 10:43:44.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/mta.te	2009-09-22 17:56:19.000000000 -0700
 @@ -27,6 +27,9 @@
  type mail_spool_t;
  files_mountpoint(mail_spool_t)
@@ -12346,7 +12457,7 @@ diff -b -B --ignore-all-space --exclude-
  type sendmail_exec_t;
  mta_agent_executable(sendmail_exec_t)
  
-@@ -57,6 +60,8 @@
+@@ -57,8 +60,11 @@
  
  can_exec(system_mail_t, mta_exec_type)
  
@@ -12354,8 +12465,11 @@ diff -b -B --ignore-all-space --exclude-
 +
  kernel_read_system_state(system_mail_t)
  kernel_read_network_state(system_mail_t)
++kernel_request_load_module(system_mail_t)
  
-@@ -72,16 +77,21 @@
+ dev_read_sysfs(system_mail_t)
+ dev_read_rand(system_mail_t)
+@@ -72,16 +78,21 @@
  
  userdom_use_user_terminals(system_mail_t)
  userdom_dontaudit_search_user_home_dirs(system_mail_t)
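Review bot: `kernel_request_load_module(system_mail_t)` is broader than the changelog wording "allow sendmail" suggests: system_mail_t is the shared domain for any MTA client agent run from system domains, not a sendmail-specific one, and `system:module_request` lets every process in it make the kernel autoload a module by name (for example whatever protocol family a socket() call names). That is kernel attack surface reachable from a mail client, so the grant should carry a why-comment naming the operation that produced the denial, e.g. `# sendmail triggers module autoload on socket()/protocol lookup -- confirm from AVC`. If only the sendmail binary needs it, consider whether sendmail_t rather than system_mail_t is the right domain; the system_mail_t definition itself starts outside this hunk.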
@@ -12377,7 +12491,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -100,6 +110,7 @@
+@@ -100,6 +111,7 @@
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
  	cron_dontaudit_write_pipes(system_mail_t)
@@ -12385,7 +12499,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -178,6 +189,10 @@
+@@ -178,6 +190,10 @@
  ')
  
  optional_policy(`
@@ -12396,7 +12510,7 @@ diff -b -B --ignore-all-space --exclude-
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
-@@ -197,6 +212,25 @@
+@@ -197,6 +213,25 @@
  	')
  ')
  
@@ -16761,7 +16875,7 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/share/setroubleshoot/SetroubleshootFixit\.py* 	--	gen_context(system_u:object_r:setroubleshoot_fixit_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.if	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if	2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.if	2009-09-24 11:40:15.000000000 -0700
 @@ -16,8 +16,8 @@
  	')
  
@@ -16773,7 +16887,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -36,6 +36,84 @@
+@@ -36,6 +36,102 @@
  		type setroubleshootd_t, setroubleshoot_var_run_t;
  	')
  
@@ -16826,6 +16940,24 @@ diff -b -B --ignore-all-space --exclude-
 +
 +########################################
 +## <summary>
++##	Dontaudit read/write to a setroubleshoot unix datagram socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`setroubleshoot_dontaudit_rw_dgram_sockets',`
++	gen_require(`
++		type setroubleshoot_fixit_t;
++	')
++
++	dontaudit $1 setroubleshoot_fixit_t:unix_dgram_socket { read write };
++')
++
++########################################
++## <summary>
 +##	All of the rules required to administrate 
 +##	an setroubleshoot environment
 +## </summary>
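Review bot: The `<summary>` of `setroubleshoot_dontaudit_rw_dgram_sockets` says "a setroubleshoot unix datagram socket", but the rule targets `setroubleshoot_fixit_t`, not setroubleshootd_t, so a caller cannot tell from the documentation which process's descriptor is being silenced. Suggest `##	Dontaudit read/write on a unix datagram socket inherited from setroubleshoot_fixit_t (leaked fd).` A dontaudit hides the evidence of the leak rather than closing it; the helper should presumably set close-on-exec on that socket before spawning children, which would let this interface be removed later.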
@@ -16861,7 +16993,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te	2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te	2009-09-24 11:38:01.000000000 -0700
 @@ -22,13 +22,19 @@
  type setroubleshoot_var_run_t;
  files_pid_file(setroubleshoot_var_run_t)
@@ -16923,7 +17055,7 @@ diff -b -B --ignore-all-space --exclude-
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -94,23 +113,74 @@
+@@ -94,23 +113,72 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -16998,8 +17130,6 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
 +        policykit_dbus_chat(setroubleshoot_fixit_t)
 +')
-+
-+permissive setroubleshoot_fixit_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.32/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2009-08-14 13:14:31.000000000 -0700
 +++ serefpolicy-3.6.32/policy/modules/services/smartmon.te	2009-09-16 07:03:09.000000000 -0700
@@ -17132,8 +17262,8 @@ diff -b -B --ignore-all-space --exclude-
  dev_read_sysfs(snmpd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.32/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2009-07-14 11:19:57.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc	2009-09-16 07:03:09.000000000 -0700
-@@ -1,15 +1,25 @@
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.fc	2009-09-24 10:21:09.000000000 -0700
+@@ -1,15 +1,26 @@
 -HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamassassin_home_t,s0)
 +HOME_DIR/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
 +/root/\.spamassassin(/.*)?	gen_context(system_u:object_r:spamc_home_t,s0)
@@ -17151,10 +17281,11 @@ diff -b -B --ignore-all-space --exclude-
 +/usr/bin/mimedefang-multiplexor --	gen_context(system_u:object_r:spamd_exec_t,s0)
  
  /var/lib/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_lib_t,s0)
- 
++/var/lib/spamassassin/compiled(/.*)?	gen_context(system_u:object_r:spamd_compiled_t,s0)
++
 +/var/log/spamd\.log	--	gen_context(system_u:object_r:spamd_log_t,s0)
 +/var/log/mimedefang	--	gen_context(system_u:object_r:spamd_log_t,s0)
-+
+ 
  /var/run/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_var_run_t,s0)
  
  /var/spool/spamassassin(/.*)?	gen_context(system_u:object_r:spamd_spool_t,s0)
@@ -17274,7 +17405,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te	2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te	2009-09-24 10:20:36.000000000 -0700
 @@ -20,6 +20,35 @@
  ## </desc>
  gen_tunable(spamd_enable_home_dirs, true)
@@ -17311,7 +17442,7 @@ diff -b -B --ignore-all-space --exclude-
  type spamassassin_t;
  type spamassassin_exec_t;
  typealias spamassassin_t alias { user_spamassassin_t staff_spamassassin_t sysadm_spamassassin_t };
-@@ -51,10 +80,18 @@
+@@ -51,10 +80,21 @@
  typealias spamc_tmp_t alias { auditadm_spamc_tmp_t secadm_spamc_tmp_t };
  files_tmp_file(spamc_tmp_t)
  ubac_constrained(spamc_tmp_t)
@@ -17322,6 +17453,9 @@ diff -b -B --ignore-all-space --exclude-
  init_daemon_domain(spamd_t, spamd_exec_t)
 +can_exec(spamd_t, spamd_exec_t)
 +
++type spamd_compiled_t;
++files_type(spamd_compiled_t)
++
 +type spamd_initrc_exec_t;
 +init_script_file(spamd_initrc_exec_t)
 +
@@ -17330,7 +17464,7 @@ diff -b -B --ignore-all-space --exclude-
  
  type spamd_spool_t;
  files_type(spamd_spool_t)
-@@ -110,6 +147,7 @@
+@@ -110,6 +150,7 @@
  dev_read_urand(spamassassin_t)
  
  fs_search_auto_mountpoints(spamassassin_t)
@@ -17338,7 +17472,7 @@ diff -b -B --ignore-all-space --exclude-
  
  # this should probably be removed
  corecmd_list_bin(spamassassin_t)
-@@ -150,6 +188,7 @@
+@@ -150,6 +191,7 @@
  	corenet_udp_sendrecv_all_ports(spamassassin_t)
  	corenet_tcp_connect_all_ports(spamassassin_t)
  	corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -17346,7 +17480,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	sysnet_read_config(spamassassin_t)
  ')
-@@ -186,6 +225,8 @@
+@@ -186,6 +228,8 @@
  optional_policy(`
  	mta_read_config(spamassassin_t)
  	sendmail_stub(spamassassin_t)
@@ -17355,7 +17489,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -207,16 +248,33 @@
+@@ -207,16 +251,33 @@
  allow spamc_t self:unix_stream_socket connectto;
  allow spamc_t self:tcp_socket create_stream_socket_perms;
  allow spamc_t self:udp_socket create_socket_perms;
@@ -17389,7 +17523,7 @@ diff -b -B --ignore-all-space --exclude-
  
  corenet_all_recvfrom_unlabeled(spamc_t)
  corenet_all_recvfrom_netlabel(spamc_t)
-@@ -246,9 +304,15 @@
+@@ -246,9 +307,15 @@
  files_dontaudit_search_var(spamc_t)
  # cjp: this may be removable:
  files_list_home(spamc_t)
@@ -17405,7 +17539,7 @@ diff -b -B --ignore-all-space --exclude-
  miscfiles_read_localization(spamc_t)
  
  # cjp: this should probably be removed:
-@@ -256,27 +320,40 @@
+@@ -256,27 +323,40 @@
  
  sysnet_read_config(spamc_t)
  
@@ -17452,7 +17586,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -288,7 +365,7 @@
+@@ -288,7 +368,7 @@
  # setuids to the user running spamc.  Comment this if you are not
  # using this ability.
  
@@ -17461,12 +17595,16 @@ diff -b -B --ignore-all-space --exclude-
  dontaudit spamd_t self:capability sys_tty_config;
  allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow spamd_t self:fd use;
-@@ -304,10 +381,13 @@
+@@ -304,10 +384,17 @@
  allow spamd_t self:unix_stream_socket connectto;
  allow spamd_t self:tcp_socket create_stream_socket_perms;
  allow spamd_t self:udp_socket create_socket_perms;
 -allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
 +
++can_exec(spamd_t, spamd_compiled_t)
++manage_dirs_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
++manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)
++
 +manage_files_pattern(spamd_t, spamd_log_t, spamd_log_t)
 +logging_log_filetrans(spamd_t, spamd_log_t, file)
  
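Review bot: `can_exec(spamd_t, spamd_compiled_t)` together with `manage_files_pattern(spamd_t, spamd_compiled_t, spamd_compiled_t)` gives spamd_t both write and execute on the same type, so a compromised spamd (a network-facing daemon that, per the comment above, setuids to the calling user) can drop native code under /var/lib/spamassassin/compiled and run it in its own domain — the file-level write-xor-execute that type enforcement normally provides is switched off for this label. If sa-compile is run from sa-update/cron rather than by spamd itself, spamd_t only needs `list_dirs_pattern`/`read_files_pattern` plus `can_exec` on spamd_compiled_t, with the writer given manage rights in its own domain. If spamd really does compile rules itself, say so next to the rules, e.g. `# spamd_t writes and executes compiled rule sets (sa-compile): write+exec on one type, accepted`.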
@@ -17476,7 +17614,7 @@ diff -b -B --ignore-all-space --exclude-
  files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
  
  manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -316,10 +396,12 @@
+@@ -316,10 +403,12 @@
  
  # var/lib files for spamd
  allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -17490,7 +17628,7 @@ diff -b -B --ignore-all-space --exclude-
  files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
  
  kernel_read_all_sysctls(spamd_t)
-@@ -369,22 +451,27 @@
+@@ -369,22 +458,27 @@
  
  init_dontaudit_rw_utmp(spamd_t)
  
@@ -17522,7 +17660,7 @@ diff -b -B --ignore-all-space --exclude-
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -402,23 +489,16 @@
+@@ -402,23 +496,16 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -17547,7 +17685,7 @@ diff -b -B --ignore-all-space --exclude-
  	postfix_read_config(spamd_t)
  ')
  
-@@ -433,6 +513,10 @@
+@@ -433,6 +520,10 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
@@ -17558,7 +17696,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -445,5 +529,9 @@
+@@ -445,5 +536,9 @@
  ')
  
  optional_policy(`
@@ -23738,7 +23876,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2009-08-14 13:14:31.000000000 -0700
-+++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te	2009-09-16 07:03:09.000000000 -0700
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te	2009-09-24 11:41:09.000000000 -0700
 @@ -23,6 +23,9 @@
  type selinux_config_t;
  files_type(selinux_config_t)
@@ -23881,17 +24019,17 @@ diff -b -B --ignore-all-space --exclude-
 -allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 -allow semanage_t self:unix_dgram_socket create_socket_perms;
 -allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
--
--allow semanage_t policy_config_t:file rw_file_perms;
 +seutil_semanage_policy(semanage_t)
 +allow semanage_t self:fifo_file rw_fifo_file_perms;
  
--allow semanage_t semanage_tmp_t:dir manage_dir_perms;
--allow semanage_t semanage_tmp_t:file manage_file_perms;
--files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-allow semanage_t policy_config_t:file rw_file_perms;
 +manage_dirs_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
 +manage_files_pattern(semanage_t, selinux_var_lib_t,  selinux_var_lib_t)
  
+-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
+-allow semanage_t semanage_tmp_t:file manage_file_perms;
+-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+-
 -kernel_read_system_state(semanage_t)
 -kernel_read_kernel_sysctls(semanage_t)
 -
@@ -23917,14 +24055,14 @@ diff -b -B --ignore-all-space --exclude-
 +can_exec(semanage_t, semanage_exec_t)
  
 -term_use_all_terms(semanage_t)
-+# Admins are creating pp files in random locations
-+auth_read_all_files_except_shadow(semanage_t)
- 
+-
 -# Running genhomedircon requires this for finding all users
 -auth_use_nsswitch(semanage_t)
 -
 -locallogin_use_fds(semanage_t)
--
++# Admins are creating pp files in random locations
++auth_read_all_files_except_shadow(semanage_t)
+ 
 -logging_send_syslog_msg(semanage_t)
 -
 -miscfiles_read_localization(semanage_t)
@@ -23967,7 +24105,7 @@ diff -b -B --ignore-all-space --exclude-
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -499,111 +482,36 @@
+@@ -499,111 +482,40 @@
  	userdom_read_user_tmp_files(semanage_t)
  ')
  
@@ -24049,55 +24187,56 @@ diff -b -B --ignore-all-space --exclude-
 -userdom_use_all_users_fds(setfiles_t)
 -# for config files in a home directory
 -userdom_read_user_home_content_files(setfiles_t)
--
++init_dontaudit_use_fds(setsebool_t)
+ 
 -ifdef(`distro_debian',`
 -	# udev tmpfs is populated with static device nodes
 -	# and then relabeled afterwards; thus
 -	# /dev/console has the tmpfs type
 -	fs_rw_tmpfs_chr_files(setfiles_t)
 -')
-+init_dontaudit_use_fds(setsebool_t)
- 
--ifdef(`distro_redhat', `
--	fs_rw_tmpfs_chr_files(setfiles_t)
--	fs_rw_tmpfs_blk_files(setfiles_t)
--	fs_relabel_tmpfs_blk_file(setfiles_t)
--	fs_relabel_tmpfs_chr_file(setfiles_t)
--')
 +# Bug in semanage
 +seutil_domtrans_setfiles(setsebool_t)
 +seutil_manage_file_contexts(setsebool_t)
 +seutil_manage_default_contexts(setsebool_t)
 +seutil_manage_config(setsebool_t)
  
--ifdef(`distro_ubuntu',`
--	optional_policy(`
--		unconfined_domain(setfiles_t)
--	')
+-ifdef(`distro_redhat', `
+-	fs_rw_tmpfs_chr_files(setfiles_t)
+-	fs_rw_tmpfs_blk_files(setfiles_t)
+-	fs_relabel_tmpfs_blk_file(setfiles_t)
+-	fs_relabel_tmpfs_chr_file(setfiles_t)
 -')
 +########################################
 +#
 +# Setfiles local policy
 +#
  
--ifdef(`hide_broken_symptoms',`
+-ifdef(`distro_ubuntu',`
 -	optional_policy(`
--		udev_dontaudit_rw_dgram_sockets(setfiles_t)
+-		unconfined_domain(setfiles_t)
 -	')
+-')
 +seutil_setfiles(setfiles_t)
 +# During boot in Rawhide
 +term_use_generic_ptys(setfiles_t)
  
--	# cjp: cover up stray file descriptors.
+-ifdef(`hide_broken_symptoms',`
 -	optional_policy(`
--		unconfined_dontaudit_read_pipes(setfiles_t)
--		unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+-		udev_dontaudit_rw_dgram_sockets(setfiles_t)
 -	')
--')
 +seutil_setfiles(setfiles_mac_t)
 +allow setfiles_mac_t self:capability2 mac_admin;
 +kernel_relabelto_unlabeled(setfiles_mac_t)
  
+-	# cjp: cover up stray file descriptors.
+ 	optional_policy(`
+-		unconfined_dontaudit_read_pipes(setfiles_t)
+-		unconfined_dontaudit_rw_tcp_sockets(setfiles_t)
+-	')
++	setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t)
+ ')
+ 
  optional_policy(`
 -	hotplug_use_fds(setfiles_t)
 +	unconfined_domain(setfiles_mac_t)
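Review bot: `setroubleshoot_dontaudit_rw_dgram_sockets(setfiles_t)` silences a descriptor that the fixit helper leaks into setfiles instead of closing it, and it lands in the same commit that drops `permissive setroubleshoot_fixit_t;`, so the helper becomes enforcing while its leaked socket is made invisible — the combination that hides a real misconfiguration later. The new optional_policy block should say why it exists, e.g. `# setroubleshoot_fixit_t runs setfiles with its dgram socket still open; TODO set FD_CLOEXEC there and drop this`. The remainder of the hunk only reorders existing setsebool_t and setfiles_t rules; `unconfined_domain(setfiles_mac_t)` on the last line is pre-existing context, and that optional_policy block continues past the hunk.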


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.928
retrieving revision 1.929
diff -u -p -r1.928 -r1.929
--- selinux-policy.spec	22 Sep 2009 12:49:53 -0000	1.928
+++ selinux-policy.spec	24 Sep 2009 23:30:16 -0000	1.929
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -80,6 +80,7 @@ SELinux Base package
 Summary: SELinux policy documentation
 Group: System Environment/Base
 Requires(pre): selinux-policy = %{version}-%{release}
+Requires: /usr/bin/xdg-open
 
 %description doc
 SELinux policy documentation package
@@ -447,6 +448,9 @@ exit 0
 %endif
 
 %changelog
+* Tue Sep 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-10
+- Allow sendmail to request kernel modules load
+
 * Mon Sep 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-9
 - Fix all kernel_request_load_module domains
 



