|
|
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv14077
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Fri Sep 14 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-94
- Fixup clmvd to allow creation of fixed devices
Resolves: #
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/default_contexts | 6
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
man/man8/kerberos_selinux.8 | 2
policy/flask/access_vectors | 21
policy/flask/security_classes | 8
policy/global_tunables | 94 +++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/alsa.fc | 3
policy/modules/admin/alsa.te | 15
policy/modules/admin/amanda.if | 37 +
policy/modules/admin/amanda.te | 29 -
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 57 ++
policy/modules/admin/amtu.te | 56 ++
policy/modules/admin/backup.te | 5
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 15
policy/modules/admin/consoletype.te | 21
policy/modules/admin/ddcprobe.te | 10
policy/modules/admin/dmesg.te | 7
policy/modules/admin/dmidecode.te | 6
policy/modules/admin/firstboot.if | 24 -
policy/modules/admin/kudzu.te | 14
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 22
policy/modules/admin/netutils.te | 19
policy/modules/admin/portage.te | 5
policy/modules/admin/prelink.te | 25 -
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 24 -
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 104 ++++
policy/modules/admin/rpm.te | 49 --
policy/modules/admin/su.if | 38 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 13
policy/modules/admin/tripwire.te | 11
policy/modules/admin/usbmodules.te | 5
policy/modules/admin/usermanage.if | 2
policy/modules/admin/usermanage.te | 58 ++
policy/modules/admin/vbetool.te | 1
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.te | 5
policy/modules/apps/evolution.if | 107 ++++
policy/modules/apps/evolution.te | 1
policy/modules/apps/games.fc | 1
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 ++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 70 +++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 39 -
policy/modules/apps/mozilla.if | 208 +++++++--
policy/modules/apps/mplayer.if | 84 +++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 7
policy/modules/apps/thunderbird.if | 81 +++
policy/modules/apps/userhelper.if | 20
policy/modules/apps/webalizer.te | 6
policy/modules/apps/wine.fc | 1
policy/modules/apps/yam.te | 5
policy/modules/kernel/corecommands.fc | 32 +
policy/modules/kernel/corecommands.if | 77 +++
policy/modules/kernel/corenetwork.if.in | 177 +++++++
policy/modules/kernel/corenetwork.te.in | 18
policy/modules/kernel/devices.fc | 11
policy/modules/kernel/devices.if | 56 ++
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 80 +++
policy/modules/kernel/domain.te | 26 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 298 ++++++++++++
policy/modules/kernel/filesystem.if | 62 ++
policy/modules/kernel/filesystem.te | 30 +
policy/modules/kernel/kernel.if | 84 +++
policy/modules/kernel/kernel.te | 22
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/storage.fc | 4
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 2
policy/modules/kernel/terminal.if | 21
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.te | 11
policy/modules/services/amavis.if | 19
policy/modules/services/amavis.te | 4
policy/modules/services/apache.fc | 18
policy/modules/services/apache.if | 157 ++++++
policy/modules/services/apache.te | 66 ++
policy/modules/services/apm.te | 3
policy/modules/services/arpwatch.te | 5
policy/modules/services/audioentropy.te | 4
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 15
policy/modules/services/avahi.if | 40 +
policy/modules/services/avahi.te | 10
policy/modules/services/bind.fc | 1
policy/modules/services/bind.te | 12
policy/modules/services/bluetooth.te | 10
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 25 -
policy/modules/services/clamav.te | 3
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 105 ++--
policy/modules/services/cron.te | 62 ++
policy/modules/services/cups.fc | 5
policy/modules/services/cups.te | 19
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 6
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 66 ++
policy/modules/services/dbus.te | 4
policy/modules/services/dcc.te | 9
policy/modules/services/dhcp.te | 3
policy/modules/services/dovecot.fc | 2
policy/modules/services/dovecot.if | 44 +
policy/modules/services/dovecot.te | 73 ++-
policy/modules/services/fail2ban.fc | 3
policy/modules/services/fail2ban.if | 80 +++
policy/modules/services/fail2ban.te | 74 +++
policy/modules/services/ftp.te | 24 -
policy/modules/services/hal.fc | 16
policy/modules/services/hal.if | 160 ++++++
policy/modules/services/hal.te | 186 +++++++-
policy/modules/services/inetd.te | 34 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.fc | 1
policy/modules/services/kerberos.if | 55 ++
policy/modules/services/kerberos.te | 48 +-
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 13
policy/modules/services/lpd.if | 75 ++-
policy/modules/services/lpd.te | 5
policy/modules/services/mailman.if | 20
policy/modules/services/mailman.te | 1
policy/modules/services/mta.fc | 1
policy/modules/services/mta.if | 20
policy/modules/services/mta.te | 3
policy/modules/services/munin.te | 5
policy/modules/services/nagios.fc | 8
policy/modules/services/nagios.if | 22
policy/modules/services/nagios.te | 70 +--
policy/modules/services/networkmanager.fc | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 7
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 39 +
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 31 -
policy/modules/services/ntp.te | 10
policy/modules/services/oav.te | 5
policy/modules/services/oddjob.te | 5
policy/modules/services/openca.if | 4
policy/modules/services/openca.te | 2
policy/modules/services/openct.te | 2
policy/modules/services/openvpn.te | 20
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 ++
policy/modules/services/pcscd.te | 79 +++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 13
policy/modules/services/portmap.te | 5
policy/modules/services/portslave.te | 1
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 46 +
policy/modules/services/postfix.te | 98 ++++
policy/modules/services/ppp.te | 2
policy/modules/services/procmail.te | 32 +
policy/modules/services/pyzor.if | 18
policy/modules/services/pyzor.te | 13
policy/modules/services/radius.te | 3
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 +++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 66 +-
policy/modules/services/rlogin.te | 18
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.if | 3
policy/modules/services/rpc.te | 28 -
policy/modules/services/rshd.te | 22
policy/modules/services/rsync.te | 1
policy/modules/services/samba.fc | 6
policy/modules/services/samba.if | 151 ++++++
policy/modules/services/samba.te | 209 ++++++---
policy/modules/services/sasl.te | 14
policy/modules/services/sendmail.if | 41 +
policy/modules/services/sendmail.te | 22
policy/modules/services/setroubleshoot.if | 20
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 20
policy/modules/services/soundserver.te | 4
policy/modules/services/spamassassin.fc | 5
policy/modules/services/spamassassin.if | 42 +
policy/modules/services/spamassassin.te | 26 -
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 21
policy/modules/services/squid.te | 17
policy/modules/services/ssh.if | 84 +++
policy/modules/services/ssh.te | 14
policy/modules/services/telnet.te | 24 -
policy/modules/services/tftp.te | 3
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++
policy/modules/services/uucp.te | 44 +
policy/modules/services/uwimap.te | 1
policy/modules/services/xfs.te | 8
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 211 +++++++++
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.fc | 1
policy/modules/system/authlogin.if | 180 +++++++
policy/modules/system/authlogin.te | 45 +
policy/modules/system/clock.te | 18
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.if | 19
policy/modules/system/fstools.te | 20
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 19
policy/modules/system/init.if | 75 +++
policy/modules/system/init.te | 51 ++
policy/modules/system/ipsec.fc | 5
policy/modules/system/ipsec.if | 99 ++++
policy/modules/system/ipsec.te | 121 +++++
policy/modules/system/iptables.te | 28 -
policy/modules/system/libraries.fc | 44 +
policy/modules/system/libraries.te | 11
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 11
policy/modules/system/logging.fc | 5
policy/modules/system/logging.if | 61 ++
policy/modules/system/logging.te | 36 +
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 26 -
policy/modules/system/lvm.te | 117 +++--
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 79 +++
policy/modules/system/modutils.te | 38 +
policy/modules/system/mount.te | 37 +
policy/modules/system/netlabel.te | 10
policy/modules/system/pcmcia.te | 5
policy/modules/system/raid.te | 16
policy/modules/system/selinuxutil.fc | 10
policy/modules/system/selinuxutil.if | 153 ++++++
policy/modules/system/selinuxutil.te | 153 ++----
policy/modules/system/sysnetwork.if | 2
policy/modules/system/sysnetwork.te | 14
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23
policy/modules/system/tzdata.te | 51 ++
policy/modules/system/udev.te | 22
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 22
policy/modules/system/unconfined.te | 24 +
policy/modules/system/userdomain.if | 622 +++++++++++++++++++++++----
policy/modules/system/userdomain.te | 117 ++---
policy/modules/system/xen.fc | 2
policy/modules/system/xen.if | 64 ++
policy/modules/system/xen.te | 74 ++-
policy/support/*Warnings* | 189 ++++++++
policy/support/file_patterns.spt | 534 +++++++++++++++++++++++
policy/support/misc_macros.spt | 8
policy/support/obj_perm_sets.spt | 144 ++++++
273 files changed, 8709 insertions(+), 1072 deletions(-)
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.56 -r 1.57 policy-20061106.patch
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- policy-20061106.patch 5 Sep 2007 03:14:49 -0000 1.56
+++ policy-20061106.patch 21 Sep 2007 19:13:41 -0000 1.57
@@ -421,8 +421,35 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/amanda.if
serefpolicy-2.4.6/policy/modules/admin/amanda.if
--- nsaserefpolicy/policy/modules/admin/amanda.if 2006-11-29
12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2007-05-22
12:40:26.000000000 -0400
-@@ -127,4 +127,21 @@
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.if 2007-09-11
08:55:14.000000000 -0400
+@@ -76,6 +76,26 @@
+
+ ########################################
+ ## <summary>
++## Search amanda var library directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`amanda_search_var_lib',`
++ gen_require(`
++ type amanda_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 amanda_var_lib_t:dir search_dir_perms;
++
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to read /etc/dumpdates.
+ ## </summary>
+ ## <param name="domain">
+@@ -127,4 +147,21 @@
allow $1 amanda_log_t:file ra_file_perms;
')
@@ -446,16 +473,8 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/amanda.te
serefpolicy-2.4.6/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-29
12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2007-05-23
11:17:26.000000000 -0400
-@@ -75,6 +75,7 @@
- allow amanda_t self:unix_dgram_socket create_socket_perms;
- allow amanda_t self:tcp_socket create_stream_socket_perms;
- allow amanda_t self:udp_socket create_socket_perms;
-+allow amanda_t self:netlink_route_socket r_netlink_socket_perms;
-
- # access to amanda_amandates_t
- allow amanda_t amanda_amandates_t:file { getattr lock read write };
-@@ -84,7 +85,7 @@
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2007-09-11
08:54:01.000000000 -0400
+@@ -84,18 +84,22 @@
# access to amandas data structure
allow amanda_t amanda_data_t:dir { read search write };
@@ -464,7 +483,12 @@
# access to amanda_dumpdates_t
allow amanda_t amanda_dumpdates_t:file { getattr lock read write };
-@@ -96,6 +97,9 @@
+
+ can_exec(amanda_t,amanda_exec_t)
++can_exec(amanda_t,amanda_inetd_exec_t)
+
+ # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+ allow amanda_t amanda_gnutarlists_t:dir rw_dir_perms;
allow amanda_t amanda_gnutarlists_t:file manage_file_perms;
allow amanda_t amanda_gnutarlists_t:lnk_file manage_file_perms;
@@ -474,15 +498,65 @@
allow amanda_t amanda_log_t:file create_file_perms;
allow amanda_t amanda_log_t:dir manage_dir_perms;
logging_log_filetrans(amanda_t,amanda_log_t,{ file dir })
-@@ -244,3 +248,8 @@
+@@ -104,6 +108,8 @@
+ allow amanda_t amanda_tmp_t:file create_file_perms;
+ files_tmp_filetrans(amanda_t, amanda_tmp_t, { file dir })
+
++auth_use_nsswitch(amanda_t)
++
+ kernel_read_system_state(amanda_t)
+ kernel_read_kernel_sysctls(amanda_t)
+ kernel_dontaudit_getattr_unlabeled_files(amanda_t)
+@@ -150,8 +156,6 @@
+ libs_use_ld_so(amanda_t)
+ libs_use_shared_libs(amanda_t)
+
+-sysnet_read_config(amanda_t)
+-
optional_policy(`
- nscd_socket_use(amanda_recover_t)
+ auth_read_shadow(amanda_t)
')
+@@ -160,14 +164,6 @@
+ logging_send_syslog_msg(amanda_t)
+ ')
+
+-optional_policy(`
+- nis_use_ypbind(amanda_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(amanda_t)
+-')
+-
+ ########################################
+ #
+ # Amanda recover local policy
+@@ -198,6 +194,8 @@
+ allow amanda_recover_t amanda_tmp_t:fifo_file create_file_perms;
+ files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file
sock_file fifo_file })
+
++auth_use_nsswitch(amanda_recover_t)
+
-+optional_policy(`
+ kernel_read_system_state(amanda_recover_t)
+ kernel_read_kernel_sysctls(amanda_recover_t)
+
+@@ -233,14 +231,9 @@
+
+ miscfiles_read_localization(amanda_recover_t)
+
+-sysnet_read_config(amanda_recover_t)
+-
+ userdom_search_sysadm_home_content_dirs(amanda_recover_t)
+
+ optional_policy(`
+- nis_use_ypbind(amanda_recover_t)
+-')
+-
+-optional_policy(`
+- nscd_socket_use(amanda_recover_t)
+ ssh_sigchld(amanda_recover_t)
+ ssh_rw_stream_sockets(amanda_recover_t)
-+')
+ ')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/amtu.fc
serefpolicy-2.4.6/policy/modules/admin/amtu.fc
--- nsaserefpolicy/policy/modules/admin/amtu.fc 1969-12-31
19:00:00.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/admin/amtu.fc 2007-05-22
12:40:26.000000000 -0400
@@ -771,12 +845,12 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/admin/dmidecode.te
serefpolicy-2.4.6/policy/modules/admin/dmidecode.te
--- nsaserefpolicy/policy/modules/admin/dmidecode.te 2006-11-29
12:04:48.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/dmidecode.te 2007-08-30
10:26:48.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/admin/dmidecode.te 2007-09-07
17:06:27.000000000 -0400
@@ -22,6 +22,7 @@
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
-+dev_search_sysfs(dmidecode_t)
++dev_read_sysfs(dmidecode_t)
mls_file_read_up(dmidecode_t)
@@ -3301,8 +3375,52 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/kernel/corenetwork.if.in
serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2007-06-11
09:27:14.000000000 -0400
-@@ -1292,6 +1292,25 @@
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2007-09-11
15:56:46.000000000 -0400
+@@ -987,6 +987,43 @@
+
+ ########################################
+ ## <summary>
++## Connect TCP sockets to rpc ports.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`corenet_tcp_connect_all_rpc_ports',`
++ gen_require(`
++ attribute rpc_port_type;
++ ')
++
++ allow $1 rpc_port_type:tcp_socket name_connect;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to connect TCP sockets
++## all rpc ports.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
[...2515 lines suppressed...]
+@@ -362,6 +375,7 @@
fs_getattr_xattr_fs(restorecon_t)
fs_search_auto_mountpoints(restorecon_t)
@@ -14215,7 +15034,7 @@
mls_file_read_up(restorecon_t)
mls_file_write_down(restorecon_t)
-@@ -407,10 +428,22 @@
+@@ -407,10 +421,22 @@
fs_rw_tmpfs_blk_files(restorecon_t)
fs_relabel_tmpfs_blk_file(restorecon_t)
fs_relabel_tmpfs_chr_file(restorecon_t)
@@ -14238,7 +15057,7 @@
udev_dontaudit_rw_dgram_sockets(restorecon_t)
')
')
-@@ -419,6 +452,10 @@
+@@ -419,6 +445,10 @@
hotplug_use_fds(restorecon_t)
')
@@ -14249,15 +15068,30 @@
########################################
#
# Restorecond local policy
-@@ -449,6 +486,7 @@
+@@ -447,8 +477,10 @@
+ selinux_compute_relabel_context(restorecond_t)
+ selinux_compute_user_contexts(restorecond_t)
++auth_use_nsswitch(restorecond_t)
auth_relabel_all_files_except_shadow(restorecond_t )
auth_read_all_files_except_shadow(restorecond_t)
+auth_use_nsswitch(restorecond_t)
init_use_fds(restorecond_t)
init_dontaudit_use_script_ptys(restorecond_t)
-@@ -485,7 +523,7 @@
+@@ -471,11 +503,6 @@
+ rpm_use_script_fds(restorecond_t)
+ ')
+
+-optional_policy(`
+- # restorecond watches for users logging in,
+- # so it getspwnam when a user logs in to find his homedir
+- nis_use_ypbind(restorecond_t)
+-')
+
+ #################################
+ #
+@@ -485,7 +512,7 @@
allow run_init_t self:process setexec;
allow run_init_t self:capability setuid;
allow run_init_t self:fifo_file rw_file_perms;
@@ -14266,7 +15100,7 @@
# often the administrator runs such programs from a directory that is owned
# by a different user or has restrictive SE permissions, do not want to audit
-@@ -499,6 +537,7 @@
+@@ -499,6 +526,7 @@
term_dontaudit_list_ptys(run_init_t)
auth_domtrans_chk_passwd(run_init_t)
@@ -14274,7 +15108,7 @@
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
-@@ -549,81 +588,14 @@
+@@ -549,81 +577,14 @@
########################################
#
@@ -14362,7 +15196,7 @@
')
########################################
-@@ -672,6 +644,7 @@
+@@ -672,6 +633,7 @@
init_use_fds(setfiles_t)
init_use_script_fds(setfiles_t)
init_use_script_ptys(setfiles_t)
@@ -14370,7 +15204,7 @@
domain_use_interactive_fds(setfiles_t)
-@@ -691,3 +664,16 @@
+@@ -691,3 +653,16 @@
userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
userdom_read_all_users_home_content_files(setfiles_t)
@@ -14660,7 +15494,7 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/unconfined.te
serefpolicy-2.4.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2007-08-29
06:26:03.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/unconfined.te 2007-09-18
10:19:10.000000000 -0400
@@ -48,6 +48,10 @@
userdom_priveleged_home_dir_manager(unconfined_t)
@@ -14682,7 +15516,7 @@
')
optional_policy(`
-@@ -138,6 +145,8 @@
+@@ -138,11 +145,14 @@
optional_policy(`
rpm_domtrans(unconfined_t)
@@ -14691,7 +15525,13 @@
')
optional_policy(`
-@@ -173,6 +182,12 @@
+ samba_domtrans_net(unconfined_t)
+ samba_domtrans_winbind_helper(unconfined_t)
++ samba_domtrans_smbcontrol(unconfined_t)
+ ')
+
+ optional_policy(`
+@@ -173,6 +183,12 @@
optional_policy(`
xserver_domtrans_xdm_xserver(unconfined_t)
')
@@ -14704,7 +15544,7 @@
')
########################################
-@@ -181,10 +196,18 @@
+@@ -181,10 +197,18 @@
#
ifdef(`targeted_policy',`
@@ -15945,7 +16785,7 @@
+')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/xen.te
serefpolicy-2.4.6/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-29
12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-08-10
16:23:05.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/xen.te 2007-09-07
12:00:31.000000000 -0400
@@ -20,12 +20,15 @@
type xenctl_t;
files_type(xenctl_t)
@@ -16044,6 +16884,15 @@
netutils_domtrans(xend_t)
optional_policy(`
+@@ -218,7 +237,7 @@
+
+ allow xenconsoled_t self:capability { dac_override fsetid ipc_lock };
+ allow xenconsoled_t self:unix_stream_socket create_stream_socket_perms;
+-allow xenconsoled_t self:fifo_file { read write };
++allow xenconsoled_t self:fifo_file rw_fifo_file_perms;
+
+ allow xenconsoled_t xen_devpts_t:chr_file rw_term_perms;
+
@@ -236,19 +255,24 @@
files_read_usr_files(xenconsoled_t)
@@ -16083,10 +16932,18 @@
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
-@@ -312,11 +342,17 @@
+@@ -306,17 +336,23 @@
+ allow xm_t self:capability { dac_override ipc_lock sys_tty_config };
+
+ # internal communication is often done using fifo and unix sockets.
+-allow xm_t self:fifo_file { read write };
++allow xm_t self:fifo_file rw_fifo_file_perms;
+ allow xm_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow xm_t self:tcp_socket create_stream_socket_perms;
allow xm_t xend_var_lib_t:dir rw_dir_perms;
- allow xm_t xend_var_lib_t:fifo_file create_file_perms;
+-allow xm_t xend_var_lib_t:fifo_file create_file_perms;
++allow xm_t xend_var_lib_t:fifo_file manage_fifo_file_perms;
+allow xm_t xend_var_lib_t:sock_file create_file_perms;
allow xm_t xend_var_lib_t:file create_file_perms;
files_search_var_lib(xm_t)
@@ -16112,7 +16969,19 @@
corenet_tcp_sendrecv_generic_if(xm_t)
corenet_tcp_sendrecv_all_nodes(xm_t)
corenet_tcp_connect_soundd_port(xm_t)
-@@ -353,3 +392,17 @@
+@@ -338,8 +377,11 @@
+ # Some common macros (you might be able to remove some)
+ files_read_etc_files(xm_t)
+
++fs_getattr_all_fs(xend_t)
++
+ term_use_all_terms(xm_t)
+
++init_stream_connect_script(xm_t)
+ init_rw_script_stream_sockets(xm_t)
+ init_use_fds(xm_t)
+
+@@ -353,3 +395,17 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.374
retrieving revision 1.375
diff -u -r1.374 -r1.375
--- selinux-policy.spec 4 Sep 2007 14:00:30 -0000 1.374
+++ selinux-policy.spec 21 Sep 2007 19:13:41 -0000 1.375
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 88%{?dist}
+Release: 92%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -358,6 +358,34 @@
%endif
%changelog
+* Fri Sep 14 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-94
+- Fixup clmvd to allow creation of fixed devices
+Resolves: #
+
+* Thu Sep 13 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-93
+- Allow hal to write to pm-tools directories
+Resolves: #282421
+#Resolves: #280271
+
+* Wed Sep 11 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-92
+- Many fixes for Kerberos Replay Cache.
+Resolves: #282421
+
+* Tue Sep 11 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-91
+- Many fixes for Kerberos Replay Cache.
+- Allow xfs to listen on port 7100
+Resolves: #282421
+
+* Fri Sep 7 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-90
+- Additional perms for xen
+Resolves: #249895
+
+* Tue Sep 5 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-89
+- Allow postfix to read master proc info
+- Allow unix_update to talk to nsswitch
+- Allow dmidecode to search sysfs_t
+Resolves: #263141
+
* Sat Sep 1 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.4.6-88
- Cleanup of fusermount/mount-ntfs and apcupsd to match rawhide
- Allow cimserver to create pegasus_data directories
--
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits
|
|