rpms/selinux-policy/devel policy-20060608.patch, 1.43, 1.44 selinux-policy.spec, 1.239, 1.240
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/selinux-policy/devel policy-20060608.patch, 1.43, 1.44 selinux-policy.spec, 1.239, 1.240
- Date: Mon, 31 Jul 2006 17:25:11 -0400
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv24051
Modified Files:
policy-20060608.patch selinux-policy.spec
Log Message:
* Mon Jul 31 2006 Dan Walsh <dwalsh redhat com> 2.3.3-16
- Fixes for Samba
policy-20060608.patch:
global_booleans | 2
global_tunables | 89 ++++++++------
mcs | 3
mls | 9 -
modules/admin/bootloader.te | 6 -
modules/admin/consoletype.te | 11 +
modules/admin/firstboot.te | 5
modules/admin/netutils.te | 10 -
modules/admin/prelink.te | 1
modules/admin/rpm.fc | 2
modules/admin/rpm.if | 4
modules/admin/usermanage.te | 2
modules/kernel/corenetwork.te.in | 5
modules/kernel/devices.fc | 3
modules/kernel/files.fc | 1
modules/kernel/filesystem.if | 21 +++
modules/kernel/filesystem.te | 2
modules/kernel/kernel.if | 38 ++++++
modules/kernel/selinux.if | 18 ++-
modules/kernel/selinux.te | 4
modules/kernel/storage.fc | 1
modules/services/amavis.te | 7 +
modules/services/apache.te | 1
modules/services/automount.te | 8 +
modules/services/avahi.te | 1
modules/services/bind.fc | 3
modules/services/bluetooth.if | 23 +++
modules/services/bluetooth.te | 7 +
modules/services/clamav.fc | 3
modules/services/clamav.if | 22 +++
modules/services/clamav.te | 20 ---
modules/services/cron.if | 16 ++
modules/services/cups.te | 6 -
modules/services/cyrus.te | 5
modules/services/dovecot.fc | 1
modules/services/dovecot.te | 10 +
modules/services/ftp.te | 2
modules/services/hal.te | 10 +
modules/services/inetd.te | 12 +-
modules/services/ldap.fc | 1
modules/services/ldap.if | 21 +++
modules/services/ldap.te | 2
modules/services/lpd.if | 20 +--
modules/services/mailman.te | 15 ++
modules/services/nis.te | 1
modules/services/nscd.if | 20 +++
modules/services/ntp.te | 2
modules/services/openvpn.te | 8 +
modules/services/pegasus.if | 31 +++++
modules/services/pegasus.te | 5
modules/services/postfix.te | 13 ++
modules/services/postgrey.fc | 2
modules/services/postgrey.if | 19 +++
modules/services/postgrey.te | 20 +++
modules/services/procmail.te | 5
modules/services/radius.fc | 1
modules/services/radius.te | 8 +
modules/services/remotelogin.te | 1
modules/services/samba.te | 6 -
modules/services/setroubleshoot.fc | 11 +
modules/services/setroubleshoot.if | 24 ++++
modules/services/setroubleshoot.te | 146 ++++++++++++++++++++++++
modules/services/spamassassin.te | 4
modules/services/squid.te | 9 -
modules/services/ssh.if | 1
modules/services/tftp.te | 1
modules/services/xfs.te | 2
modules/services/xserver.if | 22 +++
modules/services/xserver.te | 3
modules/services/zebra.te | 7 +
modules/system/authlogin.if | 3
modules/system/authlogin.te | 1
modules/system/fstools.fc | 1
modules/system/getty.fc | 1
modules/system/getty.te | 3
modules/system/hostname.te | 10 +
modules/system/hotplug.te | 2
modules/system/init.if | 7 -
modules/system/libraries.fc | 4
modules/system/locallogin.te | 1
modules/system/logging.fc | 3
modules/system/logging.if | 6 -
modules/system/logging.te | 9 +
modules/system/lvm.te | 3
modules/system/mount.te | 2
modules/system/selinuxutil.te | 29 ++++
modules/system/setrans.te | 5
modules/system/sysnetwork.te | 1
modules/system/udev.te | 4
modules/system/unconfined.fc | 1
modules/system/unconfined.if | 8 -
modules/system/unconfined.te | 13 +-
modules/system/userdomain.if | 221 ++++++++++++++++++++++++-------------
modules/system/userdomain.te | 50 +++-----
modules/system/xen.if | 38 ++++++
modules/system/xen.te | 14 +-
96 files changed, 1000 insertions(+), 265 deletions(-)
Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- policy-20060608.patch 29 Jul 2006 08:32:43 -0000 1.43
+++ policy-20060608.patch 31 Jul 2006 21:25:08 -0000 1.44
@@ -187,6 +187,30 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.3.3/policy/mls
+--- nsaserefpolicy/policy/mls 2006-07-14 17:04:46.000000000 -0400
++++ serefpolicy-2.3.3/policy/mls 2006-07-31 17:12:14.000000000 -0400
+@@ -184,19 +184,12 @@
+ ( t2 == mlstrustedobject ));
+
+ # the "single level" file "write" ops
+-mlsconstrain { file lnk_file fifo_file } { write create setattr relabelfrom append unlink link rename mounton }
++mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+ (( l1 eq l2 ) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ ( t1 == mlsfilewrite ) or
+ ( t2 == mlstrustedobject ));
+
+-# the "ranged" file "write" ops
+-mlsconstrain { dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
+- ((( l1 dom l2 ) and ( l1 domby h2 )) or
+- (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+- ( t1 == mlsfilewrite ) or
+- ( t2 == mlstrustedobject ));
+-
+ mlsconstrain dir { add_name remove_name reparent rmdir }
+ ((( l1 dom l2 ) and ( l1 domby h2 )) or
+ (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.3/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/admin/bootloader.te 2006-07-26 13:52:04.000000000 -0400
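Review bot: Folding `dir chr_file blk_file sock_file` into the constraint headed `# the "single level" file "write" ops` leaves that comment describing only some of the classes the rule now covers. It also makes `write` on a directory require `l1 eq l2`, while the following `mlsconstrain dir { add_name remove_name reparent rmdir }` still accepts the ranged form `( l1 dom l2 ) and ( l1 domby h2 )`. Adding or removing a directory entry needs `write` on the directory as well, so for subjects without `mlsfilewritetoclr` or `mlsfilewrite` the ranged check no longer appears to decide anything on its own. If dropping ranged directories and devices is intended, the comment should say so, e.g. `# "write" ops: every file class is treated as single level`; otherwise the two constraints should be brought back into agreement.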
@@ -592,7 +616,7 @@
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.3.3/policy/modules/services/amavis.te
--- nsaserefpolicy/policy/modules/services/amavis.te 2006-07-14 17:04:40.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/services/amavis.te 2006-07-17 12:03:46.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/amavis.te 2006-07-31 09:31:51.000000000 -0400
@@ -62,10 +62,12 @@
allow amavis_t amavis_quarantine_t:dir create_dir_perms;
@@ -606,6 +630,22 @@
# tmp files
allow amavis_t amavis_tmp_t:file create_file_perms;
+@@ -116,6 +118,7 @@
+ # bind to incoming port
+ corenet_tcp_bind_amavisd_recv_port(amavis_t)
+ corenet_udp_bind_generic_port(amavis_t)
++corenet_tcp_connect_razor_port(amavis_t)
+
+ dev_read_rand(amavis_t)
+ dev_read_urand(amavis_t)
+@@ -180,3 +183,7 @@
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
+ ')
++
++optional_policy(`
++ postfix_read_config(amavis_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.3/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/services/apache.te 2006-07-27 12:31:07.000000000 -0400
@@ -855,6 +895,51 @@
allow clamscan_t clamd_var_lib_t:dir r_dir_perms;
kernel_read_kernel_sysctls(clamscan_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.3.3/policy/modules/services/cron.if
+--- nsaserefpolicy/policy/modules/services/cron.if 2006-07-14 17:04:41.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/cron.if 2006-07-31 17:09:13.000000000 -0400
+@@ -181,6 +181,7 @@
+ allow $1_crontab_t $2:fd use;
+ allow $1_crontab_t $2:fifo_file rw_file_perms;
+ allow $1_crontab_t $2:process sigchld;
++ allow $2 $1_crontab_t:process sigchld;
+
+ # crontab shows up in user ps
+ allow $2 $1_crontab_t:dir { search getattr read };
+@@ -194,14 +195,19 @@
+ # Allow crond to read those crontabs in cron spool.
+ allow crond_t $1_cron_spool_t:file create_file_perms;
+
++ allow $1_crontab_t tmp_t:dir rw_dir_perms;
++ allow $1_crontab_t $1_tmp_t:file create_file_perms;
++ type_transition $1_crontab_t tmp_t:file $1_tmp_t;
++
+ # dac_override is to create the file in the directory under /tmp
+- allow $1_crontab_t self:capability { setuid setgid chown dac_override };
++ allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
+ allow $1_crontab_t self:process signal_perms;
+
+ # create files in /var/spool/cron
+- allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
++ files_search_spool($1_crontab_t)
+ allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
+- type_transition $1_crontab_t $1_cron_spool_t:file $1_cron_spool_t;
++ allow $1_crontab_t $1_cron_spool_t:file create_file_perms;
++ type_transition $1_crontab_t cron_spool_t:file $1_cron_spool_t;
+
+ # crontab signals crond by updating the mtime on the spooldir
+ allow $1_crontab_t cron_spool_t:dir setattr;
+@@ -239,6 +245,10 @@
+ # Read user crontabs
+ userdom_read_user_home_content_files($1,$1_crontab_t)
+
++ optional_policy(`
++ nscd_socket_use($1_crontab_t)
++ ')
++
+ tunable_policy(`fcron_crond', `
+ # fcron wants an instant update of a crontab change for the administrator
+ # also crontab does a security check for crontab -u
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.3/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/services/cups.te 2006-07-19 16:27:33.000000000 -0400
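Review bot: The new `fowner` in `allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };` has no stated reason, and the comment directly above it still explains only `dac_override`. crontab is a privileged helper run on behalf of users, so each capability should carry its justification, e.g. `# fowner: needed for <operation to be named by the author>`. The added `/tmp` rules also name `tmp_t` and `$1_tmp_t` directly from the cron module; `files_tmp_filetrans($1_crontab_t,$1_tmp_t,file)` would express the directory access and transition through the files interface. The enclosing template starts and ends outside this hunk, so any existing requires for these types are not visible here.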
@@ -1321,7 +1406,7 @@
hostname_exec(pegasus_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.3.3/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/services/postfix.te 2006-07-17 12:13:57.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/postfix.te 2006-07-31 09:41:05.000000000 -0400
@@ -160,7 +160,7 @@
init_use_script_ptys(postfix_master_t)
@@ -1331,7 +1416,39 @@
seutil_sigchld_newrole(postfix_master_t)
# postfix does a "find" on startup for some reason - keep it quiet
-@@ -593,3 +593,7 @@
+@@ -250,6 +250,7 @@
+ allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms;
+
+ allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms;
++corecmd_exec_bin(postfix_cleanup_t)
+
+ ########################################
+ #
+@@ -293,6 +294,10 @@
+ procmail_domtrans(postfix_local_t)
+ ')
+
++optional_policy(`
++ clamav_search_lib(postfix_local_t)
++')
++
+ ########################################
+ #
+ # Postfix map local policy
+@@ -519,6 +524,7 @@
+ allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
+ allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
+ allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
++corecmd_exec_bin(postfix_qmgr_t)
+
+ ########################################
+ #
+@@ -589,7 +595,12 @@
+ # for OpenSSL certificates
+ files_read_usr_files(postfix_smtpd_t)
+ mta_read_aliases(postfix_smtpd_t)
++corecmd_exec_bin(postfix_smtpd_t)
+
optional_policy(`
sasl_connect(postfix_smtpd_t)
')
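Review bot: `corecmd_exec_bin(...)` is added for `postfix_cleanup_t`, `postfix_qmgr_t` and `postfix_smtpd_t` with no comment saying which program each daemon needs to run. The interface name suggests it allows executing generic bin-labelled programs inside the caller's own domain, which is a broad grant for the domain that handles incoming SMTP (`postfix_smtpd_t`). Each call should name what triggered it, e.g. `# smtpd runs <helper to be named by the author> from /usr/bin`. If only one helper is involved, a dedicated type with a domain transition would keep these domains narrower than blanket bin execution.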
@@ -1477,7 +1594,7 @@
allow remote_login_t remote_login_tmp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.3.3/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/services/samba.te 2006-07-17 12:16:42.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/samba.te 2006-07-31 10:38:02.000000000 -0400
@@ -186,11 +186,12 @@
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -1488,7 +1605,7 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
-allow smbd_t samba_log_t:dir ra_dir_perms;
-+allow smbd_t samba_log_t:dir { ra_dir_perms setattr };
++allow smbd_t samba_log_t:dir { create ra_dir_perms setattr };
dontaudit smbd_t samba_log_t:dir remove_name;
allow smbd_t samba_log_t:file { create ra_file_perms };
@@ -1505,7 +1622,7 @@
allow nmbd_t samba_etc_t:file { getattr read };
-allow nmbd_t samba_log_t:dir ra_dir_perms;
-+allow nmbd_t samba_log_t:dir { ra_dir_perms setattr };
++allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr };
allow nmbd_t samba_log_t:file { create ra_file_perms };
allow nmbd_t samba_var_t:dir rw_dir_perms;
@@ -1702,6 +1819,17 @@
+ rpm_read_db(setroubleshoot_t)
+ rpm_dontaudit_manage_db(setroubleshoot_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.3.3/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-07-14 17:04:41.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/spamassassin.te 2006-07-31 09:36:35.000000000 -0400
+@@ -194,3 +194,7 @@
+ optional_policy(`
+ udev_read_db(spamd_t)
+ ')
++
++optional_policy(`
++ postfix_read_config(spamd_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.3.3/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/services/squid.te 2006-07-28 09:12:30.000000000 -0400
@@ -1971,16 +2099,19 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.3.3/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2006-07-14 17:04:43.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/libraries.fc 2006-07-17 11:43:02.000000000 -0400
-@@ -198,7 +198,7 @@
++++ serefpolicy-2.3.3/policy/modules/system/libraries.fc 2006-07-30 18:14:44.000000000 -0400
+@@ -198,9 +198,9 @@
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
/usr/lib(64)?.*/libmpg123\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr/lib(64)?/libavformat-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libavformat.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libavcodec-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr/lib(64)?/libavutil-.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/libavutil.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libxvidcore\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xine/plugins/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libgsm\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.3.3/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/system/locallogin.te 2006-07-17 11:43:02.000000000 -0400
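Review bot: The widened pattern `/usr/lib(64)?/libavutil.*\.so(\.[^/]*)*` (and the matching `libavformat.*` line already in the patch) uses `.*`, which also matches `/`, so a `.so` in any subdirectory whose path starts with `libavutil` would be labelled `textrel_shlib_t`. That type exists to permit text relocations, so its file-context patterns should be as narrow as the library names allow. `/usr/lib(64)?/libavutil[^/]*\.so(\.[^/]*)*` keeps the new unversioned and versioned names while staying inside one directory. `libavcodec-.*\.so` is left in the older form, so the three ffmpeg entries are no longer consistent with each other.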
@@ -1992,6 +2123,16 @@
allow local_login_t local_login_lock_t:file create_file_perms;
files_lock_filetrans(local_login_t,local_login_lock_t,file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.3.3/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc 2006-07-14 17:04:44.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/logging.fc 2006-07-31 14:51:30.000000000 -0400
+@@ -38,3 +38,6 @@
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+
+ /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
++
++/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
++/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.3.3/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/system/logging.if 2006-07-26 13:00:20.000000000 -0400
@@ -2031,8 +2172,20 @@
#######################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.3/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-07-14 17:04:43.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/logging.te 2006-07-17 11:43:02.000000000 -0400
-@@ -140,7 +140,7 @@
++++ serefpolicy-2.3.3/policy/modules/system/logging.te 2006-07-31 14:50:13.000000000 -0400
+@@ -120,9 +120,10 @@
+ allow auditd_t auditd_log_t:lnk_file create_lnk_perms;
+ allow auditd_t var_log_t:dir search;
+
++allow auditd_t auditd_var_run_t:sock_file create_file_perms;
+ allow auditd_t auditd_var_run_t:file create_file_perms;
+ allow auditd_t auditd_var_run_t:dir rw_dir_perms;
+-files_pid_filetrans(auditd_t,auditd_var_run_t,file)
++files_pid_filetrans(auditd_t,auditd_var_run_t,{ file sock_file })
+
+ kernel_read_kernel_sysctls(auditd_t)
+ # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+@@ -140,7 +141,7 @@
# Probably want a transition, and a new auditd_helper app
corecmd_exec_sbin(auditd_t)
corecmd_exec_bin(auditd_t)
@@ -2041,7 +2194,7 @@
domain_use_interactive_fds(auditd_t)
-@@ -176,6 +176,10 @@
+@@ -176,6 +177,10 @@
')
optional_policy(`
@@ -2072,6 +2225,18 @@
fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.3.3/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te 2006-07-14 17:04:44.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/mount.te 2006-07-31 09:50:35.000000000 -0400
+@@ -97,6 +97,8 @@
+
+ sysnet_use_portmap(mount_t)
+
++selinux_get_enforce_mode(mount_t)
++
+ userdom_use_all_users_fds(mount_t)
+
+ ifdef(`distro_redhat',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.3/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-07-14 17:04:44.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/system/selinuxutil.te 2006-07-26 15:14:33.000000000 -0400
@@ -2219,7 +2384,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.3.3/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/unconfined.if 2006-07-20 14:48:42.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/unconfined.if 2006-07-31 07:15:29.000000000 -0400
@@ -20,6 +20,7 @@
# Use any Linux capability.
allow $1 self:capability *;
@@ -2244,7 +2409,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.3.3/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/unconfined.te 2006-07-17 11:43:02.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/unconfined.te 2006-07-31 07:16:25.000000000 -0400
@@ -56,10 +56,6 @@
')
@@ -2267,6 +2432,16 @@
dmidecode_domtrans(unconfined_t)
')
+@@ -195,4 +195,9 @@
+ ifdef(`targeted_policy',`
+ allow unconfined_execmem_t self:process { execstack execmem };
+ unconfined_domain_noaudit(unconfined_execmem_t)
++ optional_policy(`
++ init_dbus_chat_script(unconfined_execmem_t)
++ dbus_stub(unconfined_execmem_t)
++ unconfined_dbus_chat(unconfined_execmem_t)
++ ')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.3/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/system/userdomain.if 2006-07-18 09:32:58.000000000 -0400
@@ -2645,7 +2820,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.3/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-07-14 17:04:43.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/userdomain.te 2006-07-20 16:21:02.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/userdomain.te 2006-07-31 17:24:25.000000000 -0400
@@ -56,14 +56,6 @@
# Local policy
#
@@ -2737,6 +2912,23 @@
', `
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
+@@ -443,11 +439,11 @@
+ selinux_set_parameters(secadm_t)
+
+ seutil_manage_bin_policy(secadm_t)
+- seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
+- seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
+- seutil_run_semanage(secadm_t,secadm_r,admin_terminal)
+- seutil_run_setfiles(secadm_t,secadm_r,admin_terminal)
+- seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
++ seutil_run_checkpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
++ seutil_run_loadpolicy(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
++ seutil_run_semanage(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
++ seutil_run_setfiles(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
++ seutil_run_restorecon(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })
+ ', `
+ selinux_set_enforce_mode(sysadm_t)
+ selinux_set_boolean(sysadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.3.3/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2006-07-14 17:04:43.000000000 -0400
+++ serefpolicy-2.3.3/policy/modules/system/xen.if 2006-07-28 13:26:47.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.239
retrieving revision 1.240
diff -u -r1.239 -r1.240
--- selinux-policy.spec 29 Jul 2006 08:32:43 -0000 1.239
+++ selinux-policy.spec 31 Jul 2006 21:25:08 -0000 1.240
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.3.3
-Release: 15
+Release: 16
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -348,6 +348,9 @@
%endif
%changelog
+* Mon Jul 31 2006 Dan Walsh <dwalsh redhat com> 2.3.3-16
+- Fixes for Samba
+
* Sat Jul 29 2006 Dan Walsh <dwalsh redhat com> 2.3.3-15
- Fixes for xen