rpms/selinux-policy/devel policy-20061106.patch, 1.39, 1.40 selinux-policy.spec, 1.366, 1.367
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Dec 15 21:42:21 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv28819
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-14
- Allow cron to polyinstatiate
- Fix creation of boot flags
Resolves: #207433
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 48 ++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 7
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 46 +-
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 5
policy/modules/admin/usermanage.te | 4
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 4
policy/modules/kernel/corecommands.if | 36 ++
policy/modules/kernel/corenetwork.if.in | 49 +++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 160 +++++++++-
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 8
policy/modules/kernel/mls.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 -
policy/modules/services/apm.te | 1
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 7
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 91 ++---
policy/modules/services/cron.te | 30 +
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 12
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 +
policy/modules/services/pcscd.te | 69 ++++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16 +
policy/modules/services/radvd.te | 2
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 5
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 69 ++++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.if | 3
policy/modules/system/init.te | 27 +
policy/modules/system/iptables.te | 7
policy/modules/system/libraries.fc | 28 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 9
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++-
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 79 ++++
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 110 ++++++
policy/modules/system/selinuxutil.te | 107 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 28 +
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 19 +
policy/modules/system/userdomain.if | 506 ++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 60 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 ++
138 files changed, 2180 insertions(+), 457 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- policy-20061106.patch 14 Dec 2006 20:06:00 -0000 1.39
+++ policy-20061106.patch 15 Dec 2006 21:42:14 -0000 1.40
@@ -1108,7 +1108,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.6/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2006-12-14 10:20:50.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/files.if 2006-12-14 17:00:22.000000000 -0500
@@ -353,8 +353,7 @@
########################################
@@ -1374,7 +1374,7 @@
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-2.4.6/policy/modules/kernel/mls.if
--- nsaserefpolicy/policy/modules/kernel/mls.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/mls.if 2006-12-12 16:39:31.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/mls.if 2006-12-15 14:10:04.000000000 -0500
@@ -100,16 +100,16 @@
## </summary>
## <param name="domain">
@@ -1675,7 +1675,7 @@
/usr/sbin/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.4.6/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.if 2006-12-15 14:58:50.000000000 -0500
@@ -54,9 +54,6 @@
domain_entry_file($1_crontab_t,crontab_exec_t)
role $3 types $1_crontab_t;
@@ -1686,7 +1686,65 @@
##############################
#
# $1_crond_t local policy
-@@ -138,6 +135,7 @@
+@@ -67,6 +64,7 @@
+ allow $1_crond_t self:fifo_file rw_file_perms;
+ allow $1_crond_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_crond_t self:unix_dgram_socket create_socket_perms;
++ allow $1_crond_t self:context contains;
+
+ # The entrypoint interface is not used as this is not
+ # a regular entrypoint. Since crontab files are
+@@ -114,8 +112,43 @@
+ domain_dontaudit_read_all_domains_state($1_crond_t)
+ domain_dontaudit_getattr_all_domains($1_crond_t)
+
++ files_read_etc_files($1_crond_t)
++ files_read_etc_runtime_files($1_crond_t)
+ files_read_usr_files($1_crond_t)
++ # Read directories and files with the readable_t type.
++ # This type is a general type for "world"-readable files.
++ files_list_world_readable($1_crond_t)
++ files_read_world_readable_files($1_crond_t)
++ files_read_world_readable_symlinks($1_crond_t)
++ files_read_world_readable_pipes($1_crond_t)
++ files_read_world_readable_sockets($1_crond_t)
++ # old broswer_domain():
++ files_dontaudit_list_non_security($1_crond_t)
++ files_dontaudit_getattr_non_security_files($1_crond_t)
++ files_dontaudit_getattr_non_security_symlinks($1_crond_t)
++ files_dontaudit_getattr_non_security_pipes($1_crond_t)
++ files_dontaudit_getattr_non_security_sockets($1_crond_t)
++ files_dontaudit_getattr_non_security_blk_files($1_crond_t)
++ files_dontaudit_getattr_non_security_chr_files($1_crond_t)
++
+ files_exec_etc_files($1_crond_t)
++ files_search_locks($1_crond_t)
++ # Check to see if cdrom is mounted
++ files_search_mnt($1_crond_t)
++ # cjp: perhaps should cut back on file reads:
++ files_read_var_files($1_crond_t)
++ files_read_var_symlinks($1_crond_t)
++ files_read_generic_spool($1_crond_t)
++ files_read_var_lib_files($1_crond_t)
++ # Stat lost+found.
++ files_getattr_lost_found_dirs($1_crond_t)
++
++ fs_get_all_fs_quotas($1_crond_t)
++ fs_getattr_all_fs($1_crond_t)
++ fs_getattr_all_dirs($1_crond_t)
++ fs_search_auto_mountpoints($1_crond_t)
++ fs_list_inotifyfs($1_crond_t)
++
+ # for nscd:
+ files_dontaudit_search_pids($1_crond_t)
+
+@@ -134,19 +167,22 @@
+
+ miscfiles_read_localization($1_crond_t)
+
++ mls_rangetrans_target($1_crond_t)
++
+ userdom_manage_user_tmp_files($1,$1_crond_t)
userdom_manage_user_tmp_symlinks($1,$1_crond_t)
userdom_manage_user_tmp_pipes($1,$1_crond_t)
userdom_manage_user_tmp_sockets($1,$1_crond_t)
@@ -1694,7 +1752,18 @@
# Run scripts in user home directory and access shared libs.
userdom_exec_user_home_content_files($1,$1_crond_t)
# Access user files and dirs.
-@@ -156,22 +154,13 @@
+-# userdom_manage_user_home_subdir_dirs($1,$1_crond_t)
++ userdom_manage_user_home_content_dirs($1,$1_crond_t)
+ userdom_manage_user_home_content_files($1,$1_crond_t)
+ userdom_manage_user_home_content_symlinks($1,$1_crond_t)
+ userdom_manage_user_home_content_pipes($1,$1_crond_t)
+ userdom_manage_user_home_content_sockets($1,$1_crond_t)
+-# userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
++ userdom_user_home_dir_filetrans_user_home_content($1,$1_crond_t,notdevfile_class_set)
+
+ tunable_policy(`fcron_crond', `
+ allow crond_t $1_cron_spool_t:file create_file_perms;
+@@ -156,22 +192,13 @@
nis_use_ypbind($1_crond_t)
')
@@ -1720,7 +1789,7 @@
##############################
#
-@@ -195,14 +184,11 @@
+@@ -195,14 +222,11 @@
allow $2 $1_crontab_t:process getattr;
# for ^Z
@@ -1736,7 +1805,7 @@
# create files in /var/spool/cron
allow $1_crontab_t cron_spool_t:dir rw_dir_perms;
allow $1_crontab_t $1_cron_spool_t:file manage_file_perms;
-@@ -240,10 +226,12 @@
+@@ -240,10 +264,12 @@
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
userdom_manage_user_tmp_files($1,$1_crontab_t)
@@ -1749,7 +1818,7 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -472,29 +460,6 @@
+@@ -472,29 +498,6 @@
########################################
## <summary>
@@ -1781,7 +1850,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.6/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.te 2006-12-15 16:24:30.000000000 -0500
@@ -11,9 +11,6 @@
#
attribute cron_spool_type;
@@ -1792,7 +1861,15 @@
type cron_spool_t;
files_type(cron_spool_t)
-@@ -47,8 +44,8 @@
+@@ -33,6 +30,7 @@
+
+ type crond_tmp_t;
+ files_tmp_file(crond_tmp_t)
++files_poly_parent(crond_tmp_t)
+
+ type crond_var_run_t;
+ files_pid_file(crond_var_run_t)
+@@ -47,8 +45,8 @@
typealias crond_t alias system_crond_t;
',`
type system_crond_t;
@@ -1802,7 +1879,7 @@
corecmd_shell_entry_type(system_crond_t)
role system_r types system_crond_t;
-@@ -86,7 +83,7 @@
+@@ -86,7 +84,7 @@
allow crond_t self:sem create_sem_perms;
allow crond_t self:msgq create_msgq_perms;
allow crond_t self:msg { send receive };
@@ -1811,7 +1888,7 @@
allow crond_t crond_var_run_t:file create_file_perms;
files_pid_filetrans(crond_t,crond_var_run_t,file)
-@@ -98,6 +95,7 @@
+@@ -98,6 +96,7 @@
kernel_read_kernel_sysctls(crond_t)
kernel_search_key(crond_t)
@@ -1819,7 +1896,37 @@
dev_read_sysfs(crond_t)
selinux_get_fs_mount(crond_t)
-@@ -166,6 +164,11 @@
+@@ -121,6 +120,16 @@
+ corecmd_list_sbin(crond_t)
+ corecmd_read_sbin_symlinks(crond_t)
+
++mls_rangetrans_source(crond_t)
++mls_file_read_up(crond_t)
++mls_file_write_down(crond_t)
++mls_file_upgrade(crond_t)
++mls_file_downgrade(crond_t)
++mls_process_set_level(crond_t)
++mls_fd_share_all_levels(crond_t)
++mls_fd_share_all_levels(crond_t)
++mls_trusted_object(crond_t)
++
+ domain_use_interactive_fds(crond_t)
+
+ files_read_etc_files(crond_t)
+@@ -151,6 +160,12 @@
+
+ mta_send_mail(crond_t)
+
++tunable_policy(`allow_polyinstantiation',`
++ allow crond_t self:capability fowner;
++ files_search_tmp(crond_t)
++ files_polyinstantiate_all(crond_t)
++')
++
+ ifdef(`distro_debian',`
+ optional_policy(`
+ # Debian logcheck has the home dir set to its cache
+@@ -166,6 +181,11 @@
')
')
@@ -2021,6 +2128,27 @@
allow hald_t hald_var_run_t:file create_file_perms;
allow hald_t hald_var_run_t:dir rw_dir_perms;
files_pid_filetrans(hald_t,hald_var_run_t,file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-2.4.6/policy/modules/services/irqbalance.te
+--- nsaserefpolicy/policy/modules/services/irqbalance.te 2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/irqbalance.te 2006-12-14 15:55:18.000000000 -0500
+@@ -18,6 +18,9 @@
+ # Local policy
+ #
+
++allow irqbalance_t self:capability net_admin;
++allow irqbalance_t self:udp_socket create_socket_perms;
++
+ dontaudit irqbalance_t self:capability sys_tty_config;
+ allow irqbalance_t self:process signal_perms;
+
+@@ -25,6 +28,7 @@
+ allow irqbalance_t irqbalance_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(irqbalance_t,irqbalance_var_run_t,file)
+
++kernel_read_network_state(irqbalance_t)
+ kernel_read_system_state(irqbalance_t)
+ kernel_read_kernel_sysctls(irqbalance_t)
+ kernel_rw_irq_sysctls(irqbalance_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.4.6/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/kerberos.if 2006-12-12 15:19:22.000000000 -0500
@@ -2556,6 +2684,18 @@
# Do not audit attempts to access /root.
userdom_dontaudit_search_sysadm_home_dirs(procmail_t)
userdom_dontaudit_search_staff_home_dirs(procmail_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-2.4.6/policy/modules/services/radvd.te
+--- nsaserefpolicy/policy/modules/services/radvd.te 2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/radvd.te 2006-12-14 15:15:51.000000000 -0500
+@@ -28,7 +28,7 @@
+ allow radvd_t self:tcp_socket create_stream_socket_perms;
+ allow radvd_t self:udp_socket create_socket_perms;
+
+-allow radvd_t radvd_etc_t:file { getattr read };
++allow radvd_t radvd_etc_t:file r_file_perms;
+
+ allow radvd_t radvd_var_run_t:file create_file_perms;
+ allow radvd_t radvd_var_run_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-2.4.6/policy/modules/services/rlogin.te
--- nsaserefpolicy/policy/modules/services/rlogin.te 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/rlogin.te 2006-12-12 15:19:22.000000000 -0500
@@ -3009,7 +3149,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-14 16:45:52.000000000 -0500
@@ -190,6 +190,9 @@
## </param>
#
@@ -3267,8 +3407,16 @@
domain_auto_trans(initrc_t,$2,$1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.4.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-12-12 15:19:22.000000000 -0500
-@@ -189,7 +189,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/init.te 2006-12-14 16:51:41.000000000 -0500
+@@ -125,6 +125,7 @@
+ # file descriptors inherited from the rootfs:
+ files_dontaudit_rw_root_files(init_t)
+ files_dontaudit_rw_root_chr_files(init_t)
++files_create_boot_flag(init_t)
+
+ # cjp: this may be related to /dev/log
+ fs_write_ramfs_sockets(init_t)
+@@ -189,7 +190,7 @@
# Init script local policy
#
@@ -3277,7 +3425,7 @@
allow initrc_t self:capability ~{ sys_admin sys_module };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
-@@ -205,6 +205,9 @@
+@@ -205,6 +206,9 @@
allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
term_create_pty(initrc_t,initrc_devpts_t)
@@ -3287,7 +3435,7 @@
can_exec(initrc_t,initrc_exec_t)
allow initrc_t initrc_state_t:dir manage_dir_perms;
-@@ -335,6 +338,8 @@
+@@ -335,6 +339,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@@ -3296,7 +3444,7 @@
libs_rw_ld_so_cache(initrc_t)
libs_use_ld_so(initrc_t)
-@@ -347,7 +352,11 @@
+@@ -347,7 +353,11 @@
logging_append_all_logs(initrc_t)
logging_read_audit_config(initrc_t)
@@ -3309,7 +3457,7 @@
# slapd needs to read cert files from its initscript
miscfiles_read_certs(initrc_t)
-@@ -499,7 +508,17 @@
+@@ -499,7 +509,17 @@
tunable_policy(`allow_daemons_use_tty',`
term_use_unallocated_ttys(daemon)
term_use_generic_ptys(daemon)
@@ -3327,7 +3475,7 @@
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
-@@ -710,6 +729,9 @@
+@@ -710,6 +730,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -4404,14 +4552,15 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-15 15:34:32.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
template(`userdom_base_user_template',`
-
gen_require(`
- class context contains;
+- class context contains;
++ class context;
+ attribute userdomain;
')
@@ -4427,7 +4576,15 @@
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
-@@ -220,6 +224,10 @@
+@@ -149,6 +153,7 @@
+ files_mountpoint($1_home_dir_t)
+ files_associate_tmp($1_home_dir_t)
+ fs_associate_tmpfs($1_home_dir_t)
++ files_poly_member($1_home_dir_t)
+
+ ##############################
+ #
+@@ -220,6 +225,10 @@
## <rolebase/>
#
template(`userdom_manage_home_template',`
@@ -4438,7 +4595,7 @@
# type for contents of home directory
type $1_home_t, $1_file_type, home_type;
files_type($1_home_t)
-@@ -319,12 +327,11 @@
+@@ -319,12 +328,11 @@
## <rolebase/>
#
template(`userdom_poly_home_template',`
@@ -4456,7 +4613,7 @@
')
#######################################
-@@ -347,6 +354,10 @@
+@@ -347,6 +355,10 @@
## <rolebase/>
#
template(`userdom_manage_tmp_template',`
@@ -4467,7 +4624,7 @@
type $1_tmp_t, $1_file_type;
files_tmp_file($1_tmp_t)
-@@ -387,9 +398,7 @@
+@@ -387,9 +399,7 @@
## <rolebase/>
#
template(`userdom_poly_tmp_template',`
@@ -4478,7 +4635,7 @@
')
#######################################
-@@ -415,6 +424,9 @@
+@@ -415,6 +425,9 @@
## <rolebase/>
#
template(`userdom_manage_tmpfs_template',`
@@ -4488,7 +4645,7 @@
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
-@@ -673,6 +685,8 @@
+@@ -673,6 +686,8 @@
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:process { ptrace setfscreate };
@@ -4497,7 +4654,7 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-@@ -734,6 +748,7 @@
+@@ -734,6 +749,7 @@
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -4505,7 +4662,7 @@
init_read_utmp($1_t)
# The library functions always try to open read-write first,
-@@ -1188,7 +1203,7 @@
+@@ -1188,7 +1204,7 @@
ifdef(`xserver.te', `
tunable_policy(`xdm_sysadm_login',`
allow xdm_t $1_home_t:lnk_file read;
@@ -4514,7 +4671,7 @@
')
')
') dnl endif TODO
-@@ -1859,7 +1874,7 @@
+@@ -1859,7 +1875,7 @@
')
files_search_home($2)
@@ -4523,7 +4680,7 @@
allow $2 $1_home_t:dir search_dir_perms;
allow $2 $1_home_t:file r_file_perms;
')
-@@ -1962,8 +1977,8 @@
+@@ -1962,8 +1978,8 @@
')
files_search_home($2)
@@ -4534,7 +4691,7 @@
allow $2 $1_home_t:lnk_file r_file_perms;
')
-@@ -1998,8 +2013,8 @@
+@@ -1998,8 +2014,8 @@
')
files_search_home($2)
@@ -4545,7 +4702,7 @@
can_exec($2,$1_home_t)
')
-@@ -2069,7 +2084,7 @@
+@@ -2069,7 +2085,7 @@
')
files_search_home($2)
@@ -4554,7 +4711,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:file create_file_perms;
')
-@@ -2142,7 +2157,7 @@
+@@ -2142,7 +2158,7 @@
')
files_search_home($2)
@@ -4563,7 +4720,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:lnk_file create_lnk_perms;
')
-@@ -2180,7 +2195,7 @@
+@@ -2180,7 +2196,7 @@
')
files_search_home($2)
@@ -4572,7 +4729,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:fifo_file create_file_perms;
')
-@@ -2218,7 +2233,7 @@
+@@ -2218,7 +2234,7 @@
')
files_search_home($2)
@@ -4581,7 +4738,7 @@
allow $2 $1_home_t:dir rw_dir_perms;
allow $2 $1_home_t:sock_file create_file_perms;
')
-@@ -3977,7 +3992,7 @@
+@@ -3977,7 +3993,7 @@
')
files_search_home($1)
@@ -4590,7 +4747,7 @@
')
########################################
-@@ -3996,7 +4011,7 @@
+@@ -3996,7 +4012,7 @@
type staff_home_dir_t;
')
@@ -4599,7 +4756,7 @@
')
########################################
-@@ -4343,7 +4358,7 @@
+@@ -4343,7 +4359,7 @@
type sysadm_home_dir_t;
')
@@ -4608,7 +4765,7 @@
')
########################################
-@@ -4501,41 +4516,13 @@
+@@ -4501,41 +4517,13 @@
## </param>
#
interface(`userdom_read_sysadm_home_content_files',`
@@ -4655,7 +4812,7 @@
')
########################################
-@@ -4858,7 +4845,7 @@
+@@ -4858,7 +4846,7 @@
type user_home_t;
')
@@ -4664,7 +4821,7 @@
')
########################################
-@@ -4905,6 +4892,28 @@
+@@ -4905,6 +4893,28 @@
########################################
## <summary>
@@ -4693,7 +4850,7 @@
## Read files in generic user home directories.
## </summary>
## <param name="domain">
-@@ -5497,3 +5506,383 @@
+@@ -5497,3 +5507,383 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.366
retrieving revision 1.367
diff -u -r1.366 -r1.367
--- selinux-policy.spec 14 Dec 2006 20:06:00 -0000 1.366
+++ selinux-policy.spec 15 Dec 2006 21:42:14 -0000 1.367
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 12%{?dist}
+Release: 14%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,7 +351,18 @@
%endif
%changelog
-* Wed Dec 13 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-12
+* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-14
+- Allow cron to polyinstatiate
+- Fix creation of boot flags
+Resolves: #207433
+
+* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-13
+- Fixes for irqbalance
+Resolves: #219606
+
+* Thu Dec 14 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-12
+- Fix vixie-cron to work on mls
+Resolves: #207433
* Wed Dec 13 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-11
Resolves: #218978
More information about the fedora-cvs-commits
mailing list