rpms/selinux-policy/devel policy-20060323.patch, 1.7, 1.8 selinux-policy.spec, 1.165, 1.166

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Apr 3 17:17:17 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8627

Modified Files:
	policy-20060323.patch selinux-policy.spec 
Log Message:
* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2
- Add mono dbus support
- Lots of file_context fixes for textrel_shlib_t in FC5
- Turn off execmem auditallow since they are filling log files


policy-20060323.patch:
 apps/mono.if               |   23 +++++++++++++++++++++++
 apps/mono.te               |    1 +
 kernel/devices.fc          |    1 +
 kernel/devices.if          |   40 ++++++++++++++++++++++++++++++++++++++++
 kernel/files.if            |   15 +++++++++++++++
 services/apache.if         |   20 ++++++++++++++++++++
 services/automount.te      |    1 +
 services/avahi.te          |    4 ++++
 services/bluetooth.te      |    7 +++++--
 services/dbus.te           |    1 +
 services/hal.te            |   12 +++++++++++-
 services/networkmanager.te |    1 +
 services/nscd.if           |   20 ++++++++++++++++++++
 services/xserver.if        |   21 +++++++++++++++++++++
 system/fstools.te          |    1 +
 system/getty.fc            |    1 +
 system/getty.te            |    2 ++
 system/init.te             |    1 +
 system/libraries.fc        |   20 +++++++++++++++-----
 system/logging.if          |   32 ++++++++++++++++++++++++++++++++
 system/mount.te            |    4 +++-
 system/unconfined.if       |   17 +++++------------
 system/unconfined.te       |    4 ----
 system/userdomain.te       |    4 ++--
 24 files changed, 226 insertions(+), 27 deletions(-)

Index: policy-20060323.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060323.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20060323.patch	31 Mar 2006 20:46:37 -0000	1.7
+++ policy-20060323.patch	3 Apr 2006 17:17:13 -0000	1.8
@@ -1,3 +1,41 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.29/policy/modules/apps/mono.if
+--- nsaserefpolicy/policy/modules/apps/mono.if	2006-03-23 16:46:10.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/mono.if	2006-04-03 10:03:24.000000000 -0400
+@@ -23,3 +23,26 @@
+ 	allow mono_t $1:fifo_file rw_file_perms;
+ 	allow mono_t $1:process sigchld;
+ ')
++
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	mono over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mono_dbus_chat',`
++	gen_require(`
++		type mono_t;
++		class dbus send_msg;
++	')
++
++	allow $1 mono_t:dbus send_msg;
++	allow mono_t $1:dbus send_msg;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.29/policy/modules/apps/mono.te
+--- nsaserefpolicy/policy/modules/apps/mono.te	2006-03-23 16:46:10.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/apps/mono.te	2006-04-03 12:28:33.000000000 -0400
+@@ -22,3 +22,4 @@
+ 	unconfined_domain_noaudit(mono_t)
+ 	role system_r types mono_t;
+ ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.2.29/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2006-03-23 16:45:31.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/kernel/devices.fc	2006-03-31 11:49:27.000000000 -0500
@@ -11,8 +49,35 @@
  /dev/winradio.		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.29/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2006-03-30 10:03:20.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/kernel/devices.if	2006-03-31 11:21:52.000000000 -0500
-@@ -2860,3 +2860,23 @@
++++ serefpolicy-2.2.29/policy/modules/kernel/devices.if	2006-04-03 11:31:23.000000000 -0400
+@@ -2439,6 +2439,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Set the attributes of usbfs filesystem.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_setattr_usbfs',`
++	gen_require(`
++		type device_t, usbfs_t;
++	')
++
++	allow $1 device_t:dir r_dir_perms;
++	allow $1 usbfs_t:file setattr;
++')
++
++
++########################################
++## <summary>
+ ##	Associate a file to a usbfs filesystem.
+ ## </summary>
+ ## <param name="file_type">
+@@ -2860,3 +2880,23 @@
  	allow $1 self:capability sys_rawio;
  	typeattribute $1 memory_raw_write, memory_raw_read;
  ')
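Review bot: The new `dev_setattr_usbfs` interface at the top of this hunk grants `usbfs_t:file setattr` but no directory permission on `usbfs_t` itself; the `device_t:dir r_dir_perms` it adds covers /dev, not the usbfs mount, so a caller that does not already hold `usbfs_t:dir search` from some other interface would presumably still be denied before it reaches the file. Consider adding `allow $1 usbfs_t:dir search;` next to the setattr rule. The `<summary>` says "Set the attributes of usbfs filesystem" while the rule is scoped to files on it; `##	Set the attributes of files on a usbfs filesystem.` describes the rule more precisely.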
@@ -61,6 +126,36 @@
  ## <summary>
  ##	Read files in /etc that are dynamically
  ##	created on boot, such as mtab.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.2.29/policy/modules/services/apache.if
+--- nsaserefpolicy/policy/modules/services/apache.if	2006-03-24 11:09:14.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/apache.if	2006-04-03 13:02:08.000000000 -0400
+@@ -197,6 +197,26 @@
+ 		allow httpd_$1_script_t self:lnk_file read;
+ 	')
+ 
++	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
++		corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
++		corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
++		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
++		allow httpd_$1_script_t self:udp_socket create_socket_perms;
++
++		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
++		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
++		corenet_raw_sendrecv_all_if(httpd_$1_script_t)
++		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
++		corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
++		corenet_raw_sendrecv_all_nodes(httpd_$1_script_t)
++		corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
++		corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
++		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
++		corenet_tcp_bind_all_nodes(httpd_$1_script_t)
++		corenet_udp_bind_all_nodes(httpd_$1_script_t)
++		sysnet_read_config(httpd_$1_script_t)
++	')
++
+ 	tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
+ 		allow httpd_$1_script_t self:udp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.29/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-03-24 11:09:13.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/services/automount.te	2006-03-31 11:21:52.000000000 -0500
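Review bot: The new `httpd_can_network_connect_db` block grants considerably more than database connectivity: besides the postgresql and mysqld connect interfaces it adds raw and udp send/receive on all interfaces, nodes and ports plus bind on all nodes, which is essentially the breadth of the general `httpd_can_network_connect` block that follows it. No `self:rawip_socket` rule appears in the block, so the three `corenet_raw_*` lines look copied over rather than needed, and a DB-only tunable would be easier to reason about with just the two connect interfaces, the socket create rules, the tcp sendrecv/bind lines and `sysnet_read_config`. The diffstat lists only apache.if, so unless `httpd_can_network_connect_db` is already declared with `gen_tunable` in apache.te the module will not build; that declaration's `## <desc>` is also where the tunable's scope should be documented. The enclosing template body starts and ends outside the hunk.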
@@ -72,6 +167,58 @@
  
  # Run mount in the mount_t domain.
  mount_domtrans(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.2.29/policy/modules/services/avahi.te
+--- nsaserefpolicy/policy/modules/services/avahi.te	2006-03-24 11:09:13.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/avahi.te	2006-04-03 10:04:43.000000000 -0400
+@@ -92,6 +92,10 @@
+ 	dbus_system_bus_client_template(avahi,avahi_t)
+ 	dbus_connect_system_bus(avahi_t)
+ 	dbus_send_system_bus(avahi_t)
++	optional_policy(`
++		mono_dbus_chat(avahi_t)
++	')
++
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.2.29/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te	2006-03-30 10:59:02.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/bluetooth.te	2006-04-03 10:50:10.000000000 -0400
+@@ -41,7 +41,7 @@
+ # Bluetooth services local policy
+ #
+ 
+-allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
++allow bluetooth_t self:capability { net_admin net_raw sys_tty_config ipc_lock };
+ dontaudit bluetooth_t self:capability sys_tty_config;
+ allow bluetooth_t self:process { getsched signal_perms };
+ allow bluetooth_t self:fifo_file rw_file_perms;
+@@ -178,7 +178,7 @@
+ 
+ allow bluetooth_helper_t bluetooth_helper_tmp_t:dir create_dir_perms;
+ allow bluetooth_helper_t bluetooth_helper_tmp_t:file create_file_perms;
+-files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir })
++files_tmp_filetrans(bluetooth_helper_t, bluetooth_helper_tmp_t, { file dir sock_file })
+ 
+ kernel_read_system_state(bluetooth_helper_t)
+ kernel_read_kernel_sysctls(bluetooth_helper_t)
+@@ -217,6 +217,8 @@
+ 
+ 	userdom_read_all_users_home_content_files(bluetooth_helper_t)
+ 
++	term_dontaudit_use_generic_ptys(bluetooth_helper_t)
++
+ 	optional_policy(`
+ 		xserver_stream_connect_xdm(bluetooth_helper_t)
+ 	')
+@@ -226,6 +228,7 @@
+ 	dbus_system_bus_client_template(bluetooth_helper,bluetooth_helper_t)
+ 	dbus_connect_system_bus(bluetooth_helper_t)
+ 	dbus_send_system_bus(bluetooth_helper_t)
++	bluetooth_dbus_chat(bluetooth_helper_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.2.29/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2006-03-24 11:09:14.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/services/dbus.te	2006-03-31 11:21:52.000000000 -0500
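Review bot: bluetooth_t gains `ipc_lock` in the first bluetooth.te hunk with no comment on why, and hald_t gains `chown` the same way in the hal.te `@@ -22,7 +22,7 @@` hunk of the next outer hunk; both capabilities widen what the daemon may do beyond the objects it is already allowed to write, so the operation that triggered them should be recorded the way hal.te already does with `# execute openvt which needs setuid`. A one-line comment above each allow rule is enough, e.g. `# <operation seen in the AVC denial> needs ipc_lock` (placeholder, fill in from the denial). Without it, the next person auditing these capability sets cannot tell a needed grant from a leftover.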
@@ -85,19 +232,89 @@
  seutil_read_default_contexts(system_dbusd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2006-03-30 10:59:02.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/services/hal.te	2006-03-31 11:21:52.000000000 -0500
-@@ -52,6 +52,7 @@
++++ serefpolicy-2.2.29/policy/modules/services/hal.te	2006-04-03 11:31:34.000000000 -0400
+@@ -22,7 +22,7 @@
+ #
+ 
+ # execute openvt which needs setuid
+-allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
++allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability sys_tty_config;
+ allow hald_t self:process signal_perms;
+ allow hald_t self:fifo_file rw_file_perms;
+@@ -52,6 +52,9 @@
  kernel_write_proc_files(hald_t)
  
  files_search_boot(hald_t)
 +files_getattr_home_dir(hald_t)
++
++auth_read_pam_console_data(hald_t)
  
  corecmd_exec_bin(hald_t)
  corecmd_exec_sbin(hald_t)
+@@ -77,6 +80,8 @@
+ dev_getattr_all_chr_files(hald_t)
+ dev_manage_generic_chr_files(hald_t)
+ dev_rw_generic_usb_dev(hald_t)
++dev_setattr_generic_usb_dev(hald_t)
++dev_setattr_usbfs(hald_t)
+ 
+ # hal is now execing pm-suspend
+ dev_rw_sysfs(hald_t)
+@@ -187,6 +192,11 @@
+ 	optional_policy(`
+ 		networkmanager_dbus_chat(hald_t)
+ 	')
++
++	optional_policy(`
++		mono_dbus_chat(hald_t)
++	')
++
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.29/policy/modules/services/networkmanager.te
+--- nsaserefpolicy/policy/modules/services/networkmanager.te	2006-03-24 11:09:15.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/networkmanager.te	2006-04-03 12:24:37.000000000 -0400
+@@ -155,6 +155,7 @@
+ 
+ optional_policy(`
+ 	nscd_socket_use(NetworkManager_t)
++	nscd_signal(NetworkManager_t)
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-2.2.29/policy/modules/services/nscd.if
+--- nsaserefpolicy/policy/modules/services/nscd.if	2006-03-23 16:46:11.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/nscd.if	2006-04-03 12:24:28.000000000 -0400
+@@ -126,3 +126,23 @@
+ 
+ 	allow $1 nscd_t:nscd *;
+ ')
++
++
++########################################
++## <summary>
++##	signal NSCD 
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`nscd_signal',`
++	gen_require(`
++		type nscd_t;
++	')
++
++	allow $1 nscd_t:process signal;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.29/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2006-03-30 10:16:43.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/services/xserver.if	2006-03-31 11:21:52.000000000 -0500
-@@ -1015,3 +1015,23 @@
++++ serefpolicy-2.2.29/policy/modules/services/xserver.if	2006-04-03 10:43:12.000000000 -0400
+@@ -1015,3 +1015,24 @@
  
  	dontaudit $1 xdm_xserver_t:tcp_socket { read write };
  ')
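Review bot: The `<summary>` of the new `nscd_signal` interface reads `signal NSCD ` with a trailing space and does not follow the sentence form used by the other interfaces on this page (compare `Send and receive messages from mono over dbus.`); `##	Send generic signals to NSCD.` would match the convention. The rule itself, `allow $1 nscd_t:process signal;`, is limited to the single `signal` permission, which the interface name reflects correctly, so only the documentation needs the change.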
@@ -121,6 +338,7 @@
 +	allow $1 xdm_xserver_tmp_t:dir search;
 +	allow $1 xdm_xserver_tmp_t:sock_file { read write };
 +')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.29/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2006-03-30 10:59:03.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/system/fstools.te	2006-03-31 11:21:52.000000000 -0500
@@ -132,6 +350,26 @@
  
  fs_search_auto_mountpoints(fsadm_t)
  fs_getattr_xattr_fs(fsadm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-2.2.29/policy/modules/system/getty.fc
+--- nsaserefpolicy/policy/modules/system/getty.fc	2006-03-23 16:46:11.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/getty.fc	2006-04-03 12:51:51.000000000 -0400
+@@ -6,3 +6,4 @@
+ /var/log/mgetty\.log.*	--	gen_context(system_u:object_r:getty_log_t,s0)
+ 
+ /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
++/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.2.29/policy/modules/system/getty.te
+--- nsaserefpolicy/policy/modules/system/getty.te	2006-03-29 10:50:04.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/getty.te	2006-04-03 12:52:46.000000000 -0400
+@@ -104,6 +104,8 @@
+ 
+ miscfiles_read_localization(getty_t)
+ 
++mta_send_mail(getty_t)
++
+ ifdef(`targeted_policy',`
+ 	term_dontaudit_use_unallocated_ttys(getty_t)
+ 	term_dontaudit_use_generic_ptys(getty_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.2.29/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2006-03-30 10:13:28.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/system/init.te	2006-03-31 11:21:52.000000000 -0500
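Review bot: The new getty.fc entry `/var/spool/fax		--	gen_context(system_u:object_r:getty_var_run_t,s0)` carries the `--` qualifier, so it applies only to a regular file; if /var/spool/fax is a spool directory, as the name suggests, neither it nor anything beneath it is relabeled by this line. If a directory is meant, drop the qualifier and cover its contents: `/var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)`. Labeling spool content with the pid-file type `getty_var_run_t` from the line above also deserves a short comment on why no dedicated spool type is used, since every domain allowed to write getty's pid file then gets the spool as well.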
@@ -145,8 +383,16 @@
  libs_use_ld_so(initrc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.29/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2006-03-30 10:18:07.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-03-31 15:45:19.000000000 -0500
-@@ -55,6 +55,8 @@
++++ serefpolicy-2.2.29/policy/modules/system/libraries.fc	2006-04-03 12:44:37.000000000 -0400
+@@ -33,6 +33,7 @@
+ #
+ /opt(/.*)?/lib(64)?(/.*)?			gen_context(system_u:object_r:lib_t,s0)
+ /opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:shlib_t,s0)
++/opt/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ #
+ # /sbin
+@@ -55,6 +56,8 @@
  
  /usr(/.*)?/nvidia/.*\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -155,7 +401,16 @@
  /usr/lib(64)?/pgsql/test/regress/.*\.so 	--	gen_context(system_u:object_r:shlib_t,s0)
  
  /usr/lib/win32/.*			--	gen_context(system_u:object_r:shlib_t,s0)
-@@ -70,10 +72,13 @@
+@@ -62,6 +65,8 @@
+ /usr/lib(64)?/im/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
+ /usr/lib(64)?/iiim/.*\.so.*		--	gen_context(system_u:object_r:shlib_t,s0)
+ 
++/usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:texrel_shlib_t,s0)
++
+ /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -70,10 +75,15 @@
  /usr/(local/)?lib/wine/.*\.so  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/(local/)?lib/libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:shlib_t,s0)
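Review bot: `texrel_shlib_t` in the new libsipphoneapi line is a misspelling of `textrel_shlib_t`, the type every neighbouring line uses; no type of that name is declared on this page, so I would expect the entry to be rejected when the file_contexts is validated against the policy, or, if validation is skipped, to leave that library unlabeled by this rule rather than silently mislabeled. The same misspelling appears on all three new `/usr(/.*)?/intellinux/...` lines in the `@@ -170,10 +181,9 @@` hunk further down. Fix: `/usr/lib(64)?/libsipphoneapi\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`.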
@@ -163,7 +418,8 @@
 +/usr/lib(64)?/libjs\.so.*     		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--
++/usr/lib(64)?/vmware(.*/)?/VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
 +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)*             --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)*              --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.*            --      	gen_context(system_u:object_r:textrel_shlib_t,s0)
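Review bot: In the new `/usr/lib(64)?/vmware(.*/)?/VmPerl\.so` entry the optional group `(.*/)?` ends in a slash and is immediately followed by another literal `/`, so whenever the group participates the pattern demands `//` before `VmPerl.so`, which no real path contains; only the direct `vmware/VmPerl.so` case can ever match. `/usr/lib(64)?/vmware(/.*)?/VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)` is the form the other entries on this page use (compare `/opt(/.*)?/lib(64)?`).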
@@ -171,7 +427,7 @@
  /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -92,6 +97,7 @@
+@@ -92,6 +102,7 @@
  /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libglide3\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -179,6 +435,20 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/oggfformat\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/theorarend\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -170,10 +181,9 @@
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/.*/jre.*/lib/i386/libdeploy.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+-/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
+-/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr(/.*)?/intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
++/usr(/.*)?/intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
++/usr(/.*)?/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+ ') dnl end distro_redhat
+ 
+ ifdef(`distro_suse',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.2.29/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2006-03-23 16:46:11.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/system/logging.if	2006-03-31 11:21:52.000000000 -0500
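Review bot: The new `/usr(/.*)?/intellinux/lib/\.so` entry matches only a file literally named `.so` inside `lib/`, which is almost certainly not what was meant; if it is supposed to cover the shared objects in that directory it needs a wildcard before the suffix, `/usr(/.*)?/intellinux/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The replacement lines also drop the `Reader` path component that the removed entries had, so they now apply to any `intellinux` directory under /usr; presumably that is intended to cover different install prefixes, but a comment above the block saying so would save the next reader the question.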
@@ -241,7 +511,16 @@
  fs_remount_all_fs(mount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.29/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2006-03-29 09:34:53.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/unconfined.if	2006-03-31 11:21:52.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/unconfined.if	2006-04-03 11:09:45.000000000 -0400
+@@ -55,7 +55,7 @@
+ 	tunable_policy(`allow_execmem && allow_execstack',`
+ 		# Allow making the stack executable via mprotect.
+ 		allow $1 self:process execstack;
+-		auditallow $1 self:process execstack;
++#		auditallow $1 self:process execstack;
+ 	', `
+ 		# These are fairly common but seem to be harmless
+ 		# caused by using shared libraries built with old tool chains
 @@ -89,14 +89,6 @@
  		storage_unconfined($1)
  	')
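Review bot: The `auditallow $1 self:process execstack;` line in the unconfined.if hunk is commented out rather than removed and, unlike the execmem block in the next outer hunk (`# Turn off this audit for FC5`), carries no note of why, so a later reader cannot tell it from an accident. Either delete the line or give the reason above it, `# Turn off this audit for FC5, the messages fill the audit log`, as the changelog entry says. The enclosing tunable_policy block starts before the hunk.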
@@ -257,6 +536,34 @@
  ')
  
  ########################################
+@@ -118,9 +110,10 @@
+ 		auditallow $1 self:process execheap;
+ 	')
+ 
+-	tunable_policy(`allow_execmem',`
+-		auditallow $1 self:process execmem;
+-	')
++# Turn off this audit for FC5
++#	tunable_policy(`allow_execmem',`
++#		auditallow $1 self:process execmem;
++#	')
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.29/policy/modules/system/unconfined.te
+--- nsaserefpolicy/policy/modules/system/unconfined.te	2006-03-29 09:34:53.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/system/unconfined.te	2006-04-03 12:27:56.000000000 -0400
+@@ -106,10 +106,6 @@
+ 	')
+ 
+ 	optional_policy(`
+-		netutils_domtrans_ping(unconfined_t)
+-	')
+-
+-	optional_policy(`
+ 		portmap_domtrans_helper(unconfined_t)
+ 	')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.29/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2006-03-28 12:58:49.000000000 -0500
 +++ serefpolicy-2.2.29/policy/modules/system/userdomain.te	2006-03-31 11:21:52.000000000 -0500
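Review bot: The removal of `netutils_domtrans_ping(unconfined_t)` from unconfined.te is not mentioned in the log message, which lists only the mono dbus support, the file-context fixes and the execmem auditallow; after this change ping started from unconfined_t presumably stays in unconfined_t instead of transitioning, which is a behaviour change worth one changelog line such as `- Remove ping domain transition for unconfined_t`. If the transition is now provided elsewhere, a comment at the removal site pointing to it would answer the question directly.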


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.165
retrieving revision 1.166
diff -u -r1.165 -r1.166
--- selinux-policy.spec	31 Mar 2006 20:17:33 -0000	1.165
+++ selinux-policy.spec	3 Apr 2006 17:17:13 -0000	1.166
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.2.29
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -320,6 +320,11 @@
 %endif
 
 %changelog
+* Mon Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-2
+- Add mono dbus support
+- Lots of file_context fixes for textrel_shlib_t in FC5
+- Turn off execmem auditallow since they are filling log files
+
 * Fri Mar 30 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-1
 - Update to upstream
 



