rpms/selinux-policy/F-12 policy-20100106.patch, 1.1, 1.2 selinux-policy.spec, 1.991, 1.992

Miroslav Grepl mgrepl at fedoraproject.org
Fri Jan 8 20:06:52 UTC 2010


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv17844

Modified Files:
	policy-20100106.patch selinux-policy.spec 
Log Message:
- Fixes for xenconsoled
- Allow xauth to connectto xserver_t unix_stream_socket
- Add textrel_shlib_t fixes
- Add labeling for LXDM
- Allow cupsd_lpd_t to setattr fontconfig directory
- Allow abrt to getattr on all character file device nodes.
- Add labeling for the rest of the nagios plugins



policy-20100106.patch:
 modules/services/abrt.te         |    1 +
 modules/services/apache.if       |    3 +++
 modules/services/apcupsd.te      |    2 +-
 modules/services/cups.te         |    1 +
 modules/services/dovecot.te      |    6 ++++++
 modules/services/fail2ban.if     |   18 ++++++++++++++++++
 modules/services/nagios.fc       |   37 +++++++++++++++++++++++++++++++++++--
 modules/services/nagios.te       |    4 ++++
 modules/services/postfix.te      |    5 ++++-
 modules/services/samba.te        |    5 +++++
 modules/services/sendmail.te     |    2 ++
 modules/services/snmp.te         |    2 +-
 modules/services/spamassassin.if |   18 ++++++++++++++++++
 modules/services/virt.te         |    2 ++
 modules/services/xserver.fc      |    4 ++++
 modules/services/xserver.te      |    2 ++
 modules/system/libraries.fc      |    6 ++++++
 modules/system/miscfiles.if      |   19 +++++++++++++++++++
 modules/system/unconfined.if     |    2 ++
 modules/system/userdomain.fc     |    1 +
 modules/system/xen.te            |    8 +++++++-
 support/obj_perm_sets.spt        |    2 +-
 22 files changed, 143 insertions(+), 7 deletions(-)

Index: policy-20100106.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- policy-20100106.patch	6 Jan 2010 16:14:55 -0000	1.1
+++ policy-20100106.patch	8 Jan 2010 20:06:51 -0000	1.2
@@ -1,3 +1,14 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
+--- nsaserefpolicy/policy/modules/services/abrt.te	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2010-01-08 14:42:10.000000000 +0100
+@@ -96,6 +96,7 @@
+ corenet_tcp_connect_ftp_port(abrt_t)
+ corenet_tcp_connect_all_ports(abrt_t)
+ 
++dev_getattr_all_chr_files(abrt_t)
+ dev_read_urand(abrt_t)
+ dev_rw_sysfs(abrt_t)
+ dev_dontaudit_read_memory_dev(abrt_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-01-06 11:05:50.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/apache.if	2010-01-06 15:16:37.000000000 +0100
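Review bot: The new `dev_getattr_all_chr_files(abrt_t)` in the abrt.te hunk carries no comment saying which device node abrt actually stats, so whoever later tightens this policy cannot tell whether a single-type interface would have done. Refpolicy .te files normally record the trigger above a broad `*_all_*` rule; something like `# abrt stats device nodes while collecting crash data (AVC/bug reference here)` would do. If the original denial named one known device type, the matching narrow `dev_getattr_*` interface is preferable to granting getattr on every character device. The abrt_t block continues outside this hunk.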
@@ -30,9 +41,151 @@ diff -b -B --ignore-all-space --exclude-
  allow apcupsd_t self:fifo_file rw_file_perms;
  allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
  allow apcupsd_t self:tcp_socket create_stream_socket_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/cups.te	2010-01-08 20:32:23.000000000 +0100
+@@ -555,6 +555,7 @@
+ logging_send_syslog_msg(cupsd_lpd_t)
+ 
+ miscfiles_read_localization(cupsd_lpd_t)
++miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t)
+ 
+ cups_stream_connect(cupsd_lpd_t)
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
+--- nsaserefpolicy/policy/modules/services/dovecot.te	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2010-01-08 14:24:25.000000000 +0100
+@@ -276,7 +276,11 @@
+ 	mta_manage_spool(dovecot_deliver_t)
+ ')
+ 
++
++
+ tunable_policy(`use_nfs_home_dirs',`
++    fs_manage_nfs_dirs(dovecot_deliver_t)
++    fs_manage_nfs_dirs(dovecot_t)
+ 	fs_manage_nfs_files(dovecot_deliver_t)
+ 	fs_manage_nfs_symlinks(dovecot_deliver_t)
+ 	fs_manage_nfs_files(dovecot_t)
+@@ -284,6 +288,8 @@
+ ')
+ 
+ tunable_policy(`use_samba_home_dirs',`
++    fs_manage_cifs_dirs(dovecot_deliver_t)
++    fs_manage_cifs_dirs(dovecot_t)
+ 	fs_manage_cifs_files(dovecot_deliver_t)
+ 	fs_manage_cifs_symlinks(dovecot_deliver_t)
+ 	fs_manage_cifs_files(dovecot_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.6.32/policy/modules/services/fail2ban.if
+--- nsaserefpolicy/policy/modules/services/fail2ban.if	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/fail2ban.if	2010-01-08 16:30:32.000000000 +0100
+@@ -138,6 +138,24 @@
+ 	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+ ')
+ 
++#######################################
++## <summary>
++## Read and write to an fail2ban unix stream socket.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`fail2ban_rw_stream_sockets',`
++    gen_require(`
++        type fail2ban_t;
++    ')
++
++    allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl };
++')
++     
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
+--- nsaserefpolicy/policy/modules/services/nagios.fc	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.fc	2010-01-08 15:00:18.000000000 +0100
+@@ -27,26 +27,59 @@
+ 
+ # check disk plugins
+ /usr/lib(64)?/nagios/plugins/check_disk  	--  	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_disk_smb     --      gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_ide_smart 	--  	gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_linux_raid   --      gen_context(system_u:object_r:nagios_checkdisk_plugin_exec_t,s0)
+ 
+ # system plugins
+-/usr/lib(64)?/nagios/plugins/check_users	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_breeze       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dummy        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_file_age  	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_flexlm       --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifoperstatus --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ifstatus     --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_load         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_log		--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mailq        --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtg         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mrtgtraf     --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_nagios    	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nwstat       --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_overcr       --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_procs  	--      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_sensors	--	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_swap         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_users	    --  	gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_wave         --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)
+ 
+ # services plugins
+ /usr/lib(64)?/nagios/plugins/check_cluster   	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_dhcp		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_dig        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_dns		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_game       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_fping      --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_hpjd       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_http      	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_icmp       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ircd       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ldap       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_mysql     	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_mysql_query --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nrpe       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_nt         --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_ntp.*     	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_oracle     --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_pgsql      --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_ping      	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_radius     --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_real		--	gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_rpc       	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+-/usr/lib(64)?/nagios/plugins/check_ssh       	--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_tcp		--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+ /usr/lib(64)?/nagios/plugins/check_time		--      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_sip        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_smtp       --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_snmp.*     --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ssh        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++/usr/lib(64)?/nagios/plugins/check_ups        --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-3.6.32/policy/modules/services/nagios.te
+--- nsaserefpolicy/policy/modules/services/nagios.te	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/nagios.te	2010-01-08 15:01:28.000000000 +0100
+@@ -118,6 +118,10 @@
+ corenet_udp_sendrecv_all_ports(nagios_t)
+ corenet_tcp_connect_all_ports(nagios_t)
+ 
++# neede by rpcinfo
++corenet_dontaudit_tcp_bind_all_ports(nagios_t)
++corenet_dontaudit_udp_bind_all_ports(nagios_t)
++
+ dev_read_sysfs(nagios_t)
+ dev_read_urand(nagios_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/postfix.te	2010-01-06 15:41:16.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/postfix.te	2010-01-08 20:27:51.000000000 +0100
 @@ -443,6 +443,7 @@
  
  optional_policy(`
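Review bot: In the nagios.fc hunk, `check_breeze` and `check_dummy` are inserted under the `# system plugins` heading but labeled `nagios_services_plugin_exec_t`, so the comment and the label disagree; move those two lines under `# services plugins`, where the rest of that type lives, or change the label. `check_fping` and `check_icmp` also receive the services label, and both are commonly installed setuid root because they need raw sockets, so confirm that nagios_services_plugin_t is allowed `rawip_socket` and `net_raw` (not visible here) or the new label will break them rather than merely confine them. Minor: the nagios.te comment `# neede by rpcinfo` should read `# needed by rpcinfo`, and the dovecot.te and fail2ban.if additions are indented with spaces where the surrounding lines use tabs.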
@@ -41,6 +194,15 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
+@@ -486,7 +487,7 @@
+ ')
+ 
+ optional_policy(`
+-	sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)
++	sendmail_rw_unix_stream_sockets(postfix_postdrop_t)
+ ')
+ 
+ optional_policy(`
 @@ -573,6 +574,8 @@
  # Postfix smtp delivery local policy
  #
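Review bot: Replacing `sendmail_dontaudit_rw_unix_stream_sockets(postfix_postdrop_t)` with `sendmail_rw_unix_stream_sockets(postfix_postdrop_t)` turns a silenced denial into a real grant, and the hunk gives no reason for it. If the socket is only a descriptor postdrop inherits from the sendmail wrapper and never uses, the dontaudit was the least-privilege choice and the allow widens postfix_postdrop_t's reach into sendmail_t's sockets for no gain; if postdrop does need to use it, a one-line comment above the call, e.g. `# postdrop uses the stream socket inherited from the sendmail wrapper`, should say so. Also confirm that `sendmail_rw_unix_stream_sockets` is defined in sendmail.if, since that interface is not visible in this patch.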
@@ -79,6 +241,18 @@ diff -b -B --ignore-all-space --exclude-
  allow swat_t nmbd_t:process { signal signull };
  
  allow swat_t nmbd_exec_t:file mmap_file_perms;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.32/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/sendmail.te	2010-01-08 16:31:13.000000000 +0100
+@@ -136,6 +136,8 @@
+ 
+ optional_policy(`
+ 	fail2ban_read_lib_files(sendmail_t)
++    fail2ban_rw_stream_sockets(sendmail_t)
++
+ ')
+ 
+ optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.6.32/policy/modules/services/snmp.te
 --- nsaserefpolicy/policy/modules/services/snmp.te	2010-01-06 11:05:50.000000000 +0100
 +++ serefpolicy-3.6.32/policy/modules/services/snmp.te	2010-01-06 15:41:37.000000000 +0100
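Review bot: `fail2ban_rw_stream_sockets(sendmail_t)` in the sendmail.te hunk lets a mailer read, write and ioctl fail2ban_t's unix stream sockets without saying why; the probable trigger is sendmail being spawned as a fail2ban action with the daemon's socket fd still open, in which case a dontaudit, like the existing `dontaudit $1 fail2ban_t:unix_stream_socket { read write }` rule in fail2ban.if, silences the noise without letting sendmail_t drive fail2ban's socket. If the access really is required, record it: `# fail2ban actions invoke sendmail with the daemon's socket inherited`. The added line is indented with spaces where the line above uses a tab, and the stray blank line before `')` should go.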
@@ -131,9 +305,49 @@ diff -b -B --ignore-all-space --exclude-
  dev_write_sound(virt_domain)
  dev_rw_ksm(virt_domain)
  dev_rw_kvm(virt_domain)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.6.32/policy/modules/services/xserver.fc
+--- nsaserefpolicy/policy/modules/services/xserver.fc	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.fc	2010-01-08 14:49:31.000000000 +0100
+@@ -65,6 +65,8 @@
+ /usr/(s)?bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
++/usr/bin/lxdm       --  gen_context(system_u:object_r:xdm_exec_t,s0)
++/usr/bin/lxdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/slim		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+ /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+ /usr/bin/Xephyr		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+@@ -105,6 +107,7 @@
+ /var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0)
+ /var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
+ 
+ /var/spool/gdm(/.*)?	 	gen_context(system_u:object_r:xdm_spool_t,s0)
+@@ -116,6 +119,7 @@
+ /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+ /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/lxdm\.pid   -- gen_context(system_u:object_r:xdm_var_run_t,s0)  
+ /var/run/slim\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
+ 
+ /var/run/video.rom	--	gen_context(system_u:object_r:xserver_var_run_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te
+--- nsaserefpolicy/policy/modules/services/xserver.te	2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/xserver.te	2010-01-08 14:07:19.000000000 +0100
+@@ -301,6 +301,8 @@
+ manage_files_pattern(xauth_t, xauth_tmp_t, xauth_tmp_t)
+ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
+ 
++allow xauth_t xserver_t:unix_stream_socket connectto;  
++
+ domain_use_interactive_fds(xauth_t)
+ 
+ dev_rw_xserver_misc(xauth_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-01-06 15:08:52.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc	2010-01-08 20:06:50.000000000 +0100
 @@ -245,6 +245,7 @@
  # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
  /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
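Review bot: `allow xauth_t xserver_t:unix_stream_socket connectto;` in xserver.te is a bare allow with no comment, and xauth ordinarily only edits authority files, so the hunk does not show which code path makes it connect to the X server. If the connection is genuinely needed, the `xserver_stream_connect` interface (if present in this tree's xserver.if) is the established way and also covers the socket file, which `connectto` alone does not; if this is a stray denial from a display manager's xauth invocation, a dontaudit is the safer choice. Either way a comment naming the trigger should accompany the rule, and the trailing whitespace on that line should be dropped. In xserver.fc, `lxdm\.log` is given `xdm_log_t` while the neighboring `[kw]dm\.log` lines use `xserver_log_t`; confirm that is intentional.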
@@ -142,3 +356,111 @@ diff -b -B --ignore-all-space --exclude-
  /usr/lib(64)?/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  HOME_DIR/.*/plugins/nppdf\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -433,8 +434,13 @@
+ /usr/lib(64)?/octagaplayer/libapplication\.so		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /opt/AutoScan/usr/lib/libvte\.so.*			     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/lampp/lib/libsybdb\.so.*                    -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/Unify/SQLBase/libgptsblmsui11.so.*          -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/bin/bsnes		     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ /usr/lib/firefox/plugins/libractrl\.so	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGLcore\.so.*	     --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib(64)?/libkmplayercommon\.so.*      --   gen_context(system_u:object_r:textrel_shlib_t,s0)  
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if	2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if	2010-01-08 20:32:11.000000000 +0100
+@@ -618,3 +618,22 @@
+ 	manage_lnk_files_pattern($1, locale_t, locale_t)
+ ')
+ 
++#######################################
++## <summary>
++## Set the attributes on a fonts cache directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_setattr_fonts_cache_dirs',`
++    gen_require(`
++        type fonts_cache_t;
++    ')
++
++    allow $1 fonts_cache_t:dir setattr;    
++')
++     
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/unconfined.if	2010-01-08 16:35:49.000000000 +0100
+@@ -21,6 +21,8 @@
+ 	allow $1 self:capability all_capabilities;
+ 	allow $1 self:fifo_file manage_fifo_file_perms;
+ 
++    allow $1 self:socket_class_set create_socket_perms;
++
+ 	# Transition to myself, to make get_ordered_context_list happy.
+ 	allow $1 self:process transition;
+ 
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc
+--- nsaserefpolicy/policy/modules/system/userdomain.fc	2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc	2010-01-07 16:46:35.000000000 +0100
+@@ -6,4 +6,5 @@
+ /dev/shm/pulse-shm.*	gen_context(system_u:object_r:user_tmpfs_t,s0)
+ /dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
+ HOME_DIR/\.cert(/.*)?	gen_context(system_u:object_r:home_cert_t,s0)
++HOME_DIR/\.pki(/.*)?    gen_context(system_u:object_r:home_cert_t,s0)
+ HOME_DIR/\.gvfs(/.*)?	<<none>>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.32/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te	2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/xen.te	2010-01-08 14:14:45.000000000 +0100
+@@ -248,10 +248,11 @@
+ #
+ 
+ allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
++allow xenconsoled_t self:process setrlimit;
+ allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+ allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+ 
+-allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
++allow xenconsoled_t xen_devpts_t:chr_file manage_term_perms;
+ 
+ # pid file
+ manage_files_pattern(xenconsoled_t, xenconsoled_var_run_t, xenconsoled_var_run_t)
+@@ -268,6 +269,7 @@
+ 
+ domain_dontaudit_ptrace_all_domains(xenconsoled_t)
+ 
++files_read_etc_files(xenconsoled_t)
+ files_read_usr_files(xenconsoled_t)
+ 
+ fs_list_tmpfs(xenconsoled_t)
+@@ -286,6 +288,10 @@
+ xen_manage_log(xenconsoled_t)
+ xen_stream_connect_xenstore(xenconsoled_t)
+ 
++optional_policy(`
++   ptchown_domtrans(xenconsoled_t)
++')
++
+ ########################################
+ #
+ # Xen store local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt	2010-01-08 20:35:13.000000000 +0100
+@@ -310,7 +310,7 @@
+ #
+ define(`rw_inherited_term_perms', `{ getattr open read write ioctl append }')
+ define(`rw_term_perms', `{ open rw_inherited_term_perms }')
+-
++define(`manage_term_perms',`{ create open setattr rename link unlink rw_inherited_term_perms }')
+ #
+ # Sockets
+ #
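Review bot: The new `manage_term_perms` set in obj_perm_sets.spt, applied to `xen_devpts_t:chr_file` in xen.te, hands xenconsoled `create rename link unlink` on pty device nodes, which a console daemon on a devpts node has no evident use for; if the denial behind this change was the `setattr` from grantpt/chown, `allow xenconsoled_t xen_devpts_t:chr_file { rw_term_perms setattr };` is the least-privilege fix and avoids adding a perm set no other module uses. If the set is kept, its definition should be followed by a blank line instead of replacing the one before the `# Sockets` header. In libraries.fc, `/opt/Unify/SQLBase/libgptsblmsui11.so.*` leaves the dot before `so` unescaped, unlike every neighboring pattern; it should be `libgptsblmsui11\.so.*`. The `miscfiles_setattr_fonts_cache_dirs` interface carries a `<rolecap/>` tag, which marks interfaces meant to be exposed as role capabilities; a single setattr on a cache directory is not one, so the tag should be dropped.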


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.991
retrieving revision 1.992
diff -u -p -r1.991 -r1.992
--- selinux-policy.spec	6 Jan 2010 16:14:55 -0000	1.991
+++ selinux-policy.spec	8 Jan 2010 20:06:51 -0000	1.992
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 67%{?dist}
+Release: 68%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -451,6 +451,15 @@ exit 0
 %endif
 
 %changelog
+* Fri Jan 8 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-68
+- Fixes for xenconsoled
+- Allow xauth to connectto xserver_t unix_stream_socket
+- Add textrel_shlib_t fixes
+- Add labeling for LXDM
+- Allow cupsd_lpd_t to setattr fontconfig directory
+- Allow abrt to getattr on all character file device nodes.
+- Add labeling for the rest nagios plugins
+
 * Wed Jan 6 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-67
 - Allow snmbd to send itself signal
 - Allow virt_domain to read /dev/random



