
rpms/selinux-policy/devel policy-20060323.patch, 1.5, 1.6 selinux-policy.spec, 1.164, 1.165



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31716

Modified Files:
	policy-20060323.patch selinux-policy.spec 
Log Message:
* Fri Mar 30 2006 Dan Walsh <dwalsh redhat com> 2.2.29-1
- Update to upstream


policy-20060323.patch:
 kernel/devices.fc     |    1 +
 kernel/devices.if     |   20 ++++++++++++++++++++
 kernel/files.if       |   15 +++++++++++++++
 services/automount.te |    1 +
 services/dbus.te      |    1 +
 services/hal.te       |    1 +
 services/xserver.if   |   20 ++++++++++++++++++++
 system/fstools.te     |    1 +
 system/init.te        |    1 +
 system/libraries.fc   |    9 +++++++--
 system/logging.if     |   32 ++++++++++++++++++++++++++++++++
 system/mount.te       |    4 +++-
 system/unconfined.if  |    8 --------
 system/userdomain.te  |    4 ++--
 14 files changed, 105 insertions(+), 13 deletions(-)

Index: policy-20060323.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060323.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20060323.patch	30 Mar 2006 22:27:52 -0000	1.5
+++ policy-20060323.patch	31 Mar 2006 20:17:33 -0000	1.6
@@ -1,126 +1,18 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-2.2.28/man/man8/samba_selinux.8
---- nsaserefpolicy/man/man8/samba_selinux.8	2006-01-06 17:55:17.000000000 -0500
-+++ serefpolicy-2.2.28/man/man8/samba_selinux.8	2006-03-29 14:44:17.000000000 -0500
-@@ -23,7 +23,7 @@
- .SH SHARING FILES
- If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
- 
--setsebool -P allow_smb_anon_write=1
-+setsebool -P allow_smbd_anon_write=1
- 
- .SH BOOLEANS
- .br 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.28/policy/modules/admin/logwatch.te
---- nsaserefpolicy/policy/modules/admin/logwatch.te	2006-03-24 11:54:26.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/admin/logwatch.te	2006-03-29 14:44:17.000000000 -0500
-@@ -52,6 +52,7 @@
- files_read_etc_runtime_files(logwatch_t)
- files_read_usr_files(logwatch_t)
- files_search_spool(logwatch_t)
-+files_search_mnt(logwatch_t)
- files_dontaudit_search_home(logwatch_t)
- 
- fs_getattr_all_fs(logwatch_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.2.28/policy/modules/admin/rpm.fc
---- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-03-23 16:02:02.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/admin/rpm.fc	2006-03-29 14:44:17.000000000 -0500
-@@ -3,6 +3,7 @@
- /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
- /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
-+/usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
- /usr/lib(64)?/rpm/rpmd		-- 	gen_context(system_u:object_r:bin_t,s0)
- /usr/lib(64)?/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.2.28/policy/modules/admin/usermanage.te
---- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-03-24 11:54:26.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/admin/usermanage.te	2006-03-29 14:44:17.000000000 -0500
-@@ -225,6 +225,7 @@
- 
- files_manage_etc_files(groupadd_t)
- files_relabel_etc_files(groupadd_t)
-+files_read_etc_runtime_files(groupadd_t)
- 
- libs_use_ld_so(groupadd_t)
- libs_use_shared_libs(groupadd_t)
-@@ -492,6 +493,7 @@
- files_manage_etc_files(useradd_t)
- files_search_var_lib(useradd_t)
- files_relabel_etc_files(useradd_t)
-+files_read_etc_runtime_files(useradd_t)
- 
- init_use_fds(useradd_t)
- init_rw_utmp(useradd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.28/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2006-03-23 16:02:03.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/kernel/corenetwork.te.in	2006-03-29 14:44:17.000000000 -0500
-@@ -68,7 +68,7 @@
- network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
- network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0)
- network_port(howl, tcp,5335,s0, udp,5353,s0)
--network_port(hplip, tcp,50000,s0, tcp,50002,s0)
-+network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,9100,s0)
- network_port(i18n_input, tcp,9010,s0)
- network_port(imaze, tcp,5323,s0, udp,5323,s0)
- network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -127,7 +127,7 @@
- network_port(uucpd, tcp,540,s0)
- network_port(vnc, tcp,5900,s0)
- network_port(xen, tcp,8002,s0)
--network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
-+network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
- network_port(zebra, tcp,2601,s0)
- network_port(zope, tcp,8021,s0)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.28/policy/modules/kernel/devices.if
---- nsaserefpolicy/policy/modules/kernel/devices.if	2006-03-28 23:09:36.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/kernel/devices.if	2006-03-29 14:44:17.000000000 -0500
-@@ -2383,6 +2383,44 @@
- 
- ########################################
- ## <summary>
-+##	Getattr generic the USB devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_getattr_generic_usb_dev',`
-+	gen_require(`
-+		type usb_device_t;
-+	')
-+
-+	allow $1 device_t:dir r_dir_perms;
-+	allow $1 usb_device_t:chr_file getattr;
-+')
-+
-+########################################
-+## <summary>
-+##	Setattr generic the USB devices.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`dev_setattr_generic_usb_dev',`
-+	gen_require(`
-+		type usb_device_t;
-+	')
-+
-+	allow $1 device_t:dir r_dir_perms;
-+	allow $1 usb_device_t:chr_file setattr;
-+')
-+
-+########################################
-+## <summary>
- ##	Mount a usbfs filesystem.
- ## </summary>
- ## <param name="domain">
-@@ -2822,3 +2860,23 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.29/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-03-23 16:45:31.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/kernel/devices.fc	2006-03-31 11:49:27.000000000 -0500
+@@ -59,6 +59,7 @@
+ ')
+ /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vttuner		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/vtx.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.29/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if	2006-03-30 10:03:20.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/kernel/devices.if	2006-03-31 11:21:52.000000000 -0500
+@@ -2860,3 +2860,23 @@
  	allow $1 self:capability sys_rawio;
  	typeattribute $1 memory_raw_write, memory_raw_read;
  ')
@@ -144,9 +36,9 @@
 +	dontaudit $1 device_node:dir_file_class_set getattr;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.28/policy/modules/kernel/files.if
---- nsaserefpolicy/policy/modules/kernel/files.if	2006-03-28 23:09:36.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/kernel/files.if	2006-03-30 16:57:12.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.2.29/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if	2006-03-30 10:04:15.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/kernel/files.if	2006-03-31 11:21:52.000000000 -0500
 @@ -1643,6 +1643,21 @@
  ')
  
@@ -169,63 +61,9 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
-@@ -2152,6 +2167,18 @@
- 
- ########################################
- #
-+# files_dontaudit_search_mnt(domain)
-+#
-+interface(`files_dontaudit_search_mnt',`
-+	gen_require(`
-+		type mnt_t;
-+	')
-+
-+	dontaudit $1 mnt_t:dir search_dir_perms;
-+')
-+
-+########################################
-+#
- # files_list_mnt(domain)
- #
- interface(`files_list_mnt',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.2.28/policy/modules/kernel/kernel.if
---- nsaserefpolicy/policy/modules/kernel/kernel.if	2006-03-23 16:02:03.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/kernel/kernel.if	2006-03-29 14:44:17.000000000 -0500
-@@ -1148,7 +1148,7 @@
- 
- 	allow $1 proc_t:dir search;
- 	allow $1 sysctl_t:dir r_dir_perms;
--	allow $1 sysctl_vm_t:dir list_dir_perms;
-+	allow $1 sysctl_vm_t:dir rw_dir_perms;
- 	allow $1 sysctl_vm_t:file rw_file_perms;
- ')
- 
-@@ -1433,7 +1433,7 @@
- 
- 	allow $1 proc_t:dir search;
- 	allow $1 sysctl_t:dir r_dir_perms;
--	allow $1 sysctl_kernel_t:dir r_dir_perms;
-+	allow $1 sysctl_kernel_t:dir rw_dir_perms;
- 	allow $1 sysctl_kernel_t:file rw_file_perms;
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-2.2.28/policy/modules/services/apm.te
---- nsaserefpolicy/policy/modules/services/apm.te	2006-03-24 11:54:27.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/apm.te	2006-03-29 14:44:17.000000000 -0500
-@@ -226,6 +226,10 @@
- ')
- 
- optional_policy(`
-+	xserver_domtrans_xdm_xserver(apmd_t)
-+')
-+
-+optional_policy(`
- 	seutil_sigchld_newrole(apmd_t)
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.28/policy/modules/services/automount.te
---- nsaserefpolicy/policy/modules/services/automount.te	2006-03-24 11:54:27.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/automount.te	2006-03-30 17:24:29.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.29/policy/modules/services/automount.te
+--- nsaserefpolicy/policy/modules/services/automount.te	2006-03-24 11:09:13.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/automount.te	2006-03-31 11:21:52.000000000 -0500
 @@ -123,6 +123,7 @@
  logging_search_logs(automount_t)
  
@@ -234,42 +72,9 @@
  
  # Run mount in the mount_t domain.
  mount_domtrans(automount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.28/policy/modules/services/bluetooth.te
---- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-03-29 14:26:02.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/bluetooth.te	2006-03-29 14:44:17.000000000 -0500
-@@ -220,6 +220,8 @@
- 	')
- ')
- 
-+sysnet_read_config(bluetooth_helper_t)
-+
- optional_policy(`
- 	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
- 	dbus_connect_system_bus(bluetooth_helper_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.2.28/policy/modules/services/cups.te
---- nsaserefpolicy/policy/modules/services/cups.te	2006-03-24 11:54:27.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/cups.te	2006-03-29 14:44:17.000000000 -0500
-@@ -375,7 +375,9 @@
- # HPLIP local policy
- #
- 
-+allow hplip_t self:capability net_raw;
- dontaudit hplip_t self:capability sys_tty_config;
-+allow hplip_t self:fifo_file rw_file_perms;
- allow hplip_t self:process signal_perms;
- allow hplip_t self:unix_dgram_socket create_socket_perms;
- allow hplip_t self:unix_stream_socket create_socket_perms;
-@@ -418,6 +420,7 @@
- dev_read_sysfs(hplip_t)
- dev_rw_printer(hplip_t)
- dev_read_urand(hplip_t)
-+dev_rw_generic_usb_dev(hplip_t)
- 
- fs_getattr_all_fs(hplip_t)
- fs_search_auto_mountpoints(hplip_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.28/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te	2006-03-24 11:54:27.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/dbus.te	2006-03-30 17:24:01.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.29/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te	2006-03-24 11:09:14.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/dbus.te	2006-03-31 11:21:52.000000000 -0500
 @@ -102,6 +102,7 @@
  logging_send_syslog_msg(system_dbusd_t)
  
@@ -278,47 +83,9 @@
  
  seutil_read_config(system_dbusd_t)
  seutil_read_default_contexts(system_dbusd_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.2.28/policy/modules/services/dovecot.te
---- nsaserefpolicy/policy/modules/services/dovecot.te	2006-03-24 11:54:28.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/dovecot.te	2006-03-29 14:44:17.000000000 -0500
-@@ -79,12 +79,14 @@
- corenet_tcp_bind_all_nodes(dovecot_t)
- corenet_tcp_bind_pop_port(dovecot_t)
- corenet_tcp_connect_all_ports(dovecot_t)
-+corenet_tcp_connect_postgresql_port(dovecot_t)
- 
- dev_read_sysfs(dovecot_t)
- dev_read_urand(dovecot_t)
- 
- fs_getattr_all_fs(dovecot_t)
- fs_search_auto_mountpoints(dovecot_t)
-+fs_list_inotifyfs(dovecot_t)
- 
- term_dontaudit_use_console(dovecot_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.28/policy/modules/services/ftp.te
---- nsaserefpolicy/policy/modules/services/ftp.te	2006-03-24 11:54:28.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/ftp.te	2006-03-30 10:32:47.000000000 -0500
-@@ -134,16 +134,6 @@
- 
- 	term_dontaudit_use_generic_ptys(ftpd_t)
- 	term_dontaudit_use_unallocated_ttys(ftpd_t)
--
--	optional_policy(`
--		tunable_policy(`ftpd_is_daemon',`
--			userdom_manage_generic_user_home_content_files(ftpd_t)
--			userdom_manage_generic_user_home_content_symlinks(ftpd_t)
--			userdom_manage_generic_user_home_content_sockets(ftpd_t)
--			userdom_manage_generic_user_home_content_pipes(ftpd_t)
--			userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
--		')
--	')
- ')
- 
- tunable_policy(`allow_ftpd_anon_write',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.28/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te	2006-03-24 11:54:28.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/hal.te	2006-03-30 15:04:04.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te	2006-03-30 10:59:02.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/hal.te	2006-03-31 11:21:52.000000000 -0500
 @@ -52,6 +52,7 @@
  kernel_write_proc_files(hald_t)
  
@@ -327,64 +94,9 @@
  
  corecmd_exec_bin(hald_t)
  corecmd_exec_sbin(hald_t)
-@@ -211,6 +212,10 @@
- ')
- 
- optional_policy(`
-+        ntp_domtrans(hald_t)
-+')
-+
-+optional_policy(`
- 	nscd_socket_use(hald_t)
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.2.28/policy/modules/services/pegasus.te
---- nsaserefpolicy/policy/modules/services/pegasus.te	2006-03-24 11:54:28.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/pegasus.te	2006-03-29 14:44:17.000000000 -0500
-@@ -77,6 +77,7 @@
- corenet_tcp_bind_pegasus_https_port(pegasus_t)
- corenet_tcp_connect_pegasus_http_port(pegasus_t)
- corenet_tcp_connect_pegasus_https_port(pegasus_t)
-+corenet_tcp_connect_generic_port(pegasus_t)
- 
- dev_read_sysfs(pegasus_t)
- dev_read_urand(pegasus_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-2.2.28/policy/modules/services/privoxy.te
---- nsaserefpolicy/policy/modules/services/privoxy.te	2006-03-24 11:54:28.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/privoxy.te	2006-03-29 14:44:17.000000000 -0500
-@@ -51,6 +51,7 @@
- corenet_tcp_bind_http_cache_port(privoxy_t)
- corenet_tcp_connect_http_port(privoxy_t)
- corenet_tcp_connect_ftp_port(privoxy_t)
-+corenet_tcp_connect_tor_port(privoxy_t)
- 
- dev_read_sysfs(privoxy_t)
- 
-@@ -95,6 +96,10 @@
- ')
- 
- optional_policy(`
-+       nscd_socket_use(privoxy_t)
-+')
-+
-+optional_policy(`
- 	seutil_sigchld_newrole(privoxy_t)
- ')
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.2.28/policy/modules/services/xfs.te
---- nsaserefpolicy/policy/modules/services/xfs.te	2006-03-24 11:54:29.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/xfs.te	2006-03-29 14:44:17.000000000 -0500
-@@ -53,6 +53,7 @@
- 
- files_read_etc_files(xfs_t)
- files_read_etc_runtime_files(xfs_t)
-+files_read_usr_files(xfs_t)
- 
- init_use_fds(xfs_t)
- init_use_script_ptys(xfs_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.28/policy/modules/services/xserver.if
---- nsaserefpolicy/policy/modules/services/xserver.if	2006-03-28 23:09:36.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/services/xserver.if	2006-03-29 14:44:17.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.29/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if	2006-03-30 10:16:43.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/xserver.if	2006-03-31 11:21:52.000000000 -0500
 @@ -1015,3 +1015,23 @@
  
  	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
@@ -409,33 +121,10 @@
 +	allow $1 xdm_xserver_tmp_t:dir search;
 +	allow $1 xdm_xserver_tmp_t:sock_file { read write };
 +')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.28/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te	2006-03-24 11:54:29.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/authlogin.te	2006-03-29 14:44:17.000000000 -0500
-@@ -171,6 +171,8 @@
- dev_setattr_video_dev(pam_console_t)
- dev_getattr_xserver_misc_dev(pam_console_t)
- dev_setattr_xserver_misc_dev(pam_console_t)
-+dev_getattr_generic_usb_dev(pam_console_t)
-+dev_setattr_generic_usb_dev(pam_console_t)
- 
- fs_search_auto_mountpoints(pam_console_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.28/policy/modules/system/fstools.te
---- nsaserefpolicy/policy/modules/system/fstools.te	2006-03-24 11:54:29.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/fstools.te	2006-03-29 14:44:17.000000000 -0500
-@@ -67,6 +67,10 @@
- dev_read_urand(fsadm_t)
- # Recreate /dev/cdrom.
- dev_manage_generic_symlinks(fsadm_t)
-+
-+# fdisk needs this for early boot
-+dev_manage_generic_blk_files(fsadm_t)
-+
- # Access to /initrd devices
- dev_search_usbfs(fsadm_t)
- # for swapon
-@@ -75,6 +79,7 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.29/policy/modules/system/fstools.te
+--- nsaserefpolicy/policy/modules/system/fstools.te	2006-03-30 10:59:03.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/fstools.te	2006-03-31 11:21:52.000000000 -0500
+@@ -77,6 +77,7 @@
  dev_getattr_usbfs_dirs(fsadm_t)
  # Access to /dev/mapper/control
  dev_rw_lvm_control(fsadm_t)
@@ -443,9 +132,9 @@
  
  fs_search_auto_mountpoints(fsadm_t)
  fs_getattr_xattr_fs(fsadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.28/policy/modules/system/init.te
---- nsaserefpolicy/policy/modules/system/init.te	2006-03-29 14:26:03.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/init.te	2006-03-29 14:44:17.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.29/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2006-03-30 10:13:28.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/init.te	2006-03-31 11:21:52.000000000 -0500
 @@ -353,6 +353,7 @@
  files_mounton_isid_type_dirs(initrc_t)
  files_list_default(initrc_t)
@@ -454,9 +143,9 @@
  
  libs_rw_ld_so_cache(initrc_t)
  libs_use_ld_so(initrc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.28/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc	2006-03-23 16:02:04.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/libraries.fc	2006-03-30 13:22:43.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
+--- nsaserefpolicy/policy/modules/system/libraries.fc	2006-03-30 10:18:07.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-03-31 15:15:11.000000000 -0500
 @@ -55,6 +55,8 @@
  
  /usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -466,18 +155,25 @@
  /usr/lib(64)?/pgsql/test/regress/.*\.so 	--	gen_context(system_u:object_r:shlib_t,s0)
  
  /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
-@@ -148,7 +150,7 @@
- /usr/lib(64)?/php/modules/.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- 
- # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
--/usr/lib(64)?/xmms/Input/libmpg123\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?.*/libmpg123\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libpostproc\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libavformat-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libavcodec-.*\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.28/policy/modules/system/logging.if
---- nsaserefpolicy/policy/modules/system/logging.if	2006-03-21 14:33:36.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/logging.if	2006-03-30 14:26:04.000000000 -0500
+@@ -70,10 +72,13 @@
+ /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
+-
++/usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+-
++/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)*	--		gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.29/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if	2006-03-23 16:46:11.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/logging.if	2006-03-31 11:21:52.000000000 -0500
 @@ -368,3 +368,35 @@
  	allow $1 var_log_t:dir rw_dir_perms;
  	allow $1 var_log_t:file create_file_perms;
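Review bot: In the three new `nvidia-graphics` entries for libraries.fc the optional group is written `(-[^/]*/)?`, with the path separator inside it. When the directory has no `-suffix`, the expression has no `/` between `nvidia-graphics` and the library name, so those files would not match and would keep whatever label an earlier, more general entry gives them. The fourth new entry, `nvidia(-[^/]*)?/libglx\.so(\.[^/]*)*`, puts the slash outside the group. If an unsuffixed directory is meant to be covered, the first entry would read `/usr/lib(64)?/nvidia-graphics(-[^/]*)?/libGL(core)?\.so(\.[^/]*)*`, and likewise for the `libnvidia.*` and `libXvMCNVIDIA` lines. Separately, `libnvidia.*\.so(\.[^/]*)*` assigns `textrel_shlib_t` to every library with that prefix, so a comment naming the libraries that actually need text relocation would make the exemption easier to audit.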
@@ -514,117 +210,30 @@
 +	allow auditctl_t $3:chr_file rw_term_perms;
 +')
 +
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.28/policy/modules/system/mount.te
---- nsaserefpolicy/policy/modules/system/mount.te	2006-03-24 11:54:29.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/mount.te	2006-03-29 14:44:17.000000000 -0500
-@@ -72,6 +72,8 @@
- # for when /etc/mtab loses its type
- # cjp: this seems wrong, the type should probably be etc
- files_read_isid_type_files(mount_t)
-+# For reading cert files
-+files_read_usr_files(mount_t)
- 
- init_use_fds(mount_t)
- init_use_script_ptys(mount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.28/policy/modules/system/selinuxutil.fc
---- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2006-03-23 16:02:04.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/selinuxutil.fc	2006-03-29 14:44:17.000000000 -0500
-@@ -33,6 +33,7 @@
- /usr/lib(64)?/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
- 
- /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
-+/usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
- /usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
- /usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
- /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
-@@ -40,3 +41,8 @@
- ifdef(`distro_debian', `
- /usr/share/selinux(/.*)?		gen_context(system_u:object_r:policy_src_t,s0)
- ')
-+
-+#
-+# /var/run
-+#
-+/var/run/restorecond.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.28/policy/modules/system/selinuxutil.te
---- nsaserefpolicy/policy/modules/system/selinuxutil.te	2006-03-29 14:26:03.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/selinuxutil.te	2006-03-29 14:44:24.000000000 -0500
-@@ -83,6 +83,15 @@
- init_system_domain(restorecon_t,restorecon_exec_t)
- role system_r types restorecon_t;
- 
-+type restorecond_t;
-+type restorecond_exec_t;
-+init_daemon_domain(restorecond_t,restorecond_exec_t)
-+domain_obj_id_change_exemption(restorecond_t)
-+role system_r types restorecond_t;
-+
-+type restorecond_var_run_t;
-+files_pid_file(restorecond_var_run_t)
-+
- type run_init_t;
- type run_init_exec_t;
- domain_type(run_init_t)
-@@ -415,6 +424,48 @@
- 
- allow restorecon_t kernel_t:unix_dgram_socket { read write };
- 
-+########################################
-+#
-+# Restorecond local policy
-+#
-+
-+allow restorecond_t self:capability { dac_override dac_read_search fowner };
-+allow restorecond_t self:fifo_file rw_file_perms;
-+
-+auth_relabel_all_files_except_shadow(restorecond_t )
-+auth_read_all_files_except_shadow(restorecond_t)
-+
-+allow restorecond_t restorecond_var_run_t:file create_file_perms;
-+files_pid_filetrans(restorecond_t,restorecond_var_run_t, file)
-+
-+kernel_use_fds(restorecond_t)
-+kernel_rw_pipes(restorecond_t)
-+kernel_read_system_state(restorecond_t)
-+
-+fs_getattr_xattr_fs(restorecond_t)
-+fs_list_inotifyfs(restorecond_t)
-+
-+selinux_get_fs_mount(restorecond_t)
-+selinux_validate_context(restorecond_t)
-+selinux_compute_access_vector(restorecond_t)
-+selinux_compute_create_context(restorecond_t)
-+selinux_compute_relabel_context(restorecond_t)
-+selinux_compute_user_contexts(restorecond_t)
-+
-+term_dontaudit_use_generic_ptys(restorecond_t)
-+
-+sysnet_dns_name_resolve(restorecond_t)
-+
-+init_use_fds(restorecond_t)
-+
-+libs_use_ld_so(restorecond_t)
-+libs_use_shared_libs(restorecond_t)
-+
-+logging_send_syslog_msg(restorecond_t)
-+
-+miscfiles_read_localization(run_init_t)
-+
-+
- #################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.29/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te	2006-03-30 10:59:03.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/mount.te	2006-03-31 15:12:44.000000000 -0500
+@@ -19,7 +19,8 @@
+ # mount local policy
  #
- # Run_init local policy
-@@ -595,6 +646,7 @@
- miscfiles_read_localization(setfiles_t)
- 
- seutil_get_semanage_read_lock(setfiles_t)
-+seutil_get_semanage_trans_lock(setfiles_t)
- 
- userdom_use_all_users_fds(setfiles_t)
- # for config files in a home directory
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.28/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if	2006-03-29 14:26:03.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/unconfined.if	2006-03-30 13:28:32.000000000 -0500
+ 
+-allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config };
++# setuid/setgid needed to mount cifs 
++allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+ 
+ allow mount_t mount_tmp_t:file create_file_perms;
+ allow mount_t mount_tmp_t:dir create_dir_perms;
+@@ -44,6 +45,7 @@
+ storage_raw_write_removable_device(mount_t)
+ 
+ fs_getattr_xattr_fs(mount_t)
++fs_getattr_cifs(mount_t)
+ fs_mount_all_fs(mount_t)
+ fs_unmount_all_fs(mount_t)
+ fs_remount_all_fs(mount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.29/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if	2006-03-29 09:34:53.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/unconfined.if	2006-03-31 11:21:52.000000000 -0500
 @@ -89,14 +89,6 @@
  		storage_unconfined($1)
  	')
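Review bot: The `setuid setgid` added to `allow mount_t self:capability { ... }` in mount.te applies to every program that runs in `mount_t`, but the comment above it ties the need to cifs only. That domain already holds `sys_admin` and `dac_override` and can mount any filesystem, so the extra capabilities widen what a misbehaving mount helper could do. The comment should record which helper or denial prompted the grant, for example `# setuid/setgid: requested by the cifs mount helper (see AVC in <bug reference>); revisit if that helper gets its own domain`, so the grant can be narrowed later. The comment line as committed also ends in a trailing space. Only excerpts of mount.te are visible in this hunk, so whether a narrower domain already exists cannot be checked from here.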
@@ -640,9 +249,9 @@
  ')
  
  ########################################
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.28/policy/modules/system/userdomain.te
---- nsaserefpolicy/policy/modules/system/userdomain.te	2006-03-28 23:09:37.000000000 -0500
-+++ serefpolicy-2.2.28/policy/modules/system/userdomain.te	2006-03-30 15:11:51.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.29/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te	2006-03-28 12:58:49.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/userdomain.te	2006-03-31 11:21:52.000000000 -0500
 @@ -179,10 +179,10 @@
  		mls_file_downgrade(secadm_t)
  		init_exec(secadm_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.164
retrieving revision 1.165
diff -u -r1.164 -r1.165
--- selinux-policy.spec	30 Mar 2006 22:27:52 -0000	1.164
+++ selinux-policy.spec	31 Mar 2006 20:17:33 -0000	1.165
@@ -15,8 +15,8 @@
 %define CHECKPOLICYVER 1.30.1-2
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.2.28
-Release: 3
+Version: 2.2.29
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -320,10 +320,13 @@
 %endif
 
 %changelog
-* Fri Mar 30 2006 Dan Walsh <dwalsh redhat com> 2.2.28-3
+* Fri Mar 30 2006 Dan Walsh <dwalsh redhat com> 2.2.29-1
+- Update to upstream
+
+* Thu Mar 30 2006 Dan Walsh <dwalsh redhat com> 2.2.28-3
 - Allow automount and dbus to read cert files
 
-* Fri Mar 30 2006 Dan Walsh <dwalsh redhat com> 2.2.28-2
+* Thu Mar 30 2006 Dan Walsh <dwalsh redhat com> 2.2.28-2
 - Fix ftp policy
 - Fix secadm running of auditctl
 

