rpms/selinux-policy/devel policy-20061106.patch, 1.44, 1.45 selinux-policy.spec, 1.368, 1.369
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Dec 20 20:40:33 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv24636
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Tue Dec 19 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-16
- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t
Resolves: #219421
- Allow sysadm_lpr_t to manage other print spool jobs
Resolves: #220080
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 48 ++-
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 7
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 2
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 46 +-
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 5
policy/modules/admin/usermanage.te | 11
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 4
policy/modules/kernel/corecommands.if | 36 ++
policy/modules/kernel/corenetwork.if.in | 78 ++++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 160 +++++++++-
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.if | 61 +++
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 -
policy/modules/services/apm.te | 1
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 92 +++--
policy/modules/services/cron.te | 30 +
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 13
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/inetd.te | 9
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 55 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 +
policy/modules/services/pcscd.te | 69 ++++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16 +
policy/modules/services/radvd.te | 2
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 8
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 69 ++++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.if | 3
policy/modules/system/init.te | 27 +
policy/modules/system/iptables.te | 7
policy/modules/system/libraries.fc | 28 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 9
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++-
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 79 +++++
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 111 ++++++-
policy/modules/system/selinuxutil.te | 107 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 32 ++
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 19 +
policy/modules/system/userdomain.if | 504 ++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 60 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 ++
140 files changed, 2320 insertions(+), 458 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- policy-20061106.patch 18 Dec 2006 21:50:13 -0000 1.44
+++ policy-20061106.patch 20 Dec 2006 20:40:30 -0000 1.45
@@ -225,7 +225,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.6/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/amanda.te 2006-12-19 16:04:18.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
@@ -342,8 +342,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.6/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te 2006-12-12 15:19:22.000000000 -0500
-@@ -53,6 +53,7 @@
++++ serefpolicy-2.4.6/policy/modules/admin/logwatch.te 2006-12-20 09:54:52.000000000 -0500
+@@ -53,10 +53,12 @@
corecmd_exec_ls(logwatch_t)
dev_read_urand(logwatch_t)
@@ -351,9 +351,14 @@
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
+
++files_list_var(logwatch_t)
+ files_read_etc_files(logwatch_t)
+ files_read_etc_runtime_files(logwatch_t)
+ files_read_usr_files(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.6/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/netutils.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/netutils.te 2006-12-19 16:04:18.000000000 -0500
@@ -18,10 +18,12 @@
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
@@ -503,7 +508,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.4.6/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/rpm.te 2006-12-13 11:09:03.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/rpm.te 2006-12-19 16:04:18.000000000 -0500
@@ -9,6 +9,8 @@
type rpm_t;
type rpm_exec_t;
@@ -671,7 +676,7 @@
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.6/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-19 13:57:11.000000000 -0500
@@ -112,6 +112,7 @@
files_manage_etc_files(chfn_t)
files_read_etc_runtime_files(chfn_t)
@@ -697,9 +702,30 @@
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
+@@ -517,6 +519,9 @@
+ seutil_read_config(useradd_t)
+ seutil_read_file_contexts(useradd_t)
+ seutil_read_default_contexts(useradd_t)
++seutil_domtrans_semanage(useradd_t)
++seutil_domtrans_restorecon(useradd_t)
++seutil_domtrans_setfiles(useradd_t)
+
+ userdom_use_unpriv_users_fds(useradd_t)
+ # for when /root is the cwd
+@@ -532,6 +537,10 @@
+ mta_manage_spool(useradd_t)
+
+ optional_policy(`
++ apache_manage_all_content(useradd_t)
++')
++
++optional_policy(`
+ dpkg_use_fds(useradd_t)
+ dpkg_rw_pipes(useradd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-2.4.6/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2006-11-16 17:15:07.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/apps/gpg.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/gpg.if 2006-12-19 16:04:18.000000000 -0500
@@ -87,6 +87,7 @@
allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
@@ -855,7 +881,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2006-12-14 10:49:28.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in 2006-12-19 16:04:18.000000000 -0500
@@ -998,9 +998,11 @@
interface(`corenet_tcp_sendrecv_reserved_port',`
gen_require(`
@@ -954,7 +980,43 @@
## Read and write the TUN/TAP virtual network device.
## </summary>
## <param name="domain">
-@@ -1875,3 +1906,21 @@
+@@ -1494,6 +1525,35 @@
+
+ ########################################
+ ## <summary>
++## Receive Raw IP packets from a NetLabel connection.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_raw_recv_netlabel',`
++ kernel_raw_recvfrom_unlabeled($1)
++')
++
++########################################
++## <summary>
++## Do not audit attempts to receive Raw IP packets from a NetLabel
++## connection.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`corenet_dontaudit_raw_recv_netlabel',`
++ kernel_dontaudit_raw_recvfrom_unlabeled($1)
++')
++
++########################################
++## <summary>
+ ## Send generic client packets.
+ ## </summary>
+ ## <param name="domain">
+@@ -1875,3 +1935,21 @@
typeattribute $1 corenet_unconfined_type;
')
@@ -1360,6 +1422,77 @@
+
+# Allow me to mv from one noxattrfs to another nfs_t to dosfs_t for example
+fs_associate_noxattr(noxattrfs)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.4.6/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-11-16 17:15:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/kernel.if 2006-12-19 16:04:18.000000000 -0500
+@@ -2327,6 +2327,67 @@
+
+ ########################################
+ ## <summary>
++## Receive Raw IP packets from a NetLabel connection.
++## </summary>
++## <desc>
++## <p>
++## Receive Raw IP packets from a NetLabel connection, NetLabel is an
++## explicit packet labeling framework which implements CIPSO and
++## similar protocols.
++## </p>
++## <p>
++## The corenetwork interface
++## corenet_raw_recv_netlabel() should
++## be used instead of this one.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`kernel_raw_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ allow $1 unlabeled_t:rawip_socket recvfrom;
++')
++
++########################################
++## <summary>
++## Do not audit attempts to receive Raw IP packets from a NetLabel
++## connection.
++## </summary>
++## <desc>
++## <p>
++## Do not audit attempts to receive Raw IP packets from a NetLabel
++## connection. NetLabel is an explicit packet labeling framework
++## which implements CIPSO and similar protocols.
++## </p>
++## <p>
++## The corenetwork interface
++## corenet_dontaudit_raw_recv_netlabel() should
++## be used instead of this one.
++## </p>
++## </desc>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`kernel_dontaudit_raw_recvfrom_unlabeled',`
++ gen_require(`
++ type unlabeled_t;
++ ')
++
++ dontaudit $1 unlabeled_t:rawip_socket recvfrom;
++')
++
++########################################
++## <summary>
+ ## Send and receive unlabeled packets.
+ ## </summary>
+ ## <desc>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.4.6/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/kernel.te 2006-12-12 15:19:22.000000000 -0500
@@ -1374,7 +1507,7 @@
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.if serefpolicy-2.4.6/policy/modules/kernel/mls.if
--- nsaserefpolicy/policy/modules/kernel/mls.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/mls.if 2006-12-15 14:10:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/mls.if 2006-12-19 14:43:51.000000000 -0500
@@ -100,16 +100,16 @@
## </summary>
## <param name="domain">
@@ -1396,6 +1529,33 @@
')
########################################
+@@ -154,6 +154,26 @@
+ ########################################
+ ## <summary>
+ ## Make specified domain MLS trusted
++## for writing to sockets at any level
++## that is dominated by the process clearance.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`mls_socket_write_to_clearance',`
++ gen_require(`
++ attribute mlsnetwritetoclr;
++ ')
++
++ typeattribute $1 mlsnetwritetoclr;
++')
++
++########################################
++## <summary>
++## Make specified domain MLS trusted
+ ## for writing to sockets at any level.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.4.6/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/kernel/mls.te 2006-12-12 16:40:02.000000000 -0500
@@ -1969,7 +2129,7 @@
/usr/sbin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.4.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cups.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cups.te 2006-12-19 16:04:18.000000000 -0500
@@ -118,6 +118,8 @@
allow cupsd_t cupsd_tmp_t:file create_file_perms;
allow cupsd_t cupsd_tmp_t:fifo_file create_file_perms;
@@ -2149,6 +2309,29 @@
allow hald_t hald_var_run_t:file create_file_perms;
allow hald_t hald_var_run_t:dir rw_dir_perms;
files_pid_filetrans(hald_t,hald_var_run_t,file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-2.4.6/policy/modules/services/inetd.te
+--- nsaserefpolicy/policy/modules/services/inetd.te 2006-11-16 17:15:20.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/inetd.te 2006-12-19 14:46:09.000000000 -0500
+@@ -218,6 +218,13 @@
+ ')
+ ')
+
++ifdef(`enable_mls',`
++ corenet_tcp_recv_netlabel(inetd_t)
++ corenet_udp_recv_netlabel(inetd_t)
++ mls_socket_read_to_clearance(inetd_t)
++ mls_socket_write_to_clearance(inetd_t)
++')
++
+ optional_policy(`
+ tunable_policy(`ftpd_is_daemon',`
+ # Allows it to check exec privs on daemon
+@@ -236,3 +243,5 @@
+ optional_policy(`
+ nscd_socket_use(inetd_child_t)
+ ')
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/irqbalance.te serefpolicy-2.4.6/policy/modules/services/irqbalance.te
--- nsaserefpolicy/policy/modules/services/irqbalance.te 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/irqbalance.te 2006-12-14 15:55:18.000000000 -0500
@@ -2210,7 +2393,7 @@
allow krb5kdc_t krb5kdc_conf_t:dir search;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.6/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/lpd.if 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/lpd.if 2006-12-20 13:53:08.000000000 -0500
@@ -64,33 +64,35 @@
allow $1_lpr_t self:udp_socket create_socket_perms;
allow $1_lpr_t self:netlink_route_socket r_netlink_socket_perms;
@@ -2272,6 +2455,16 @@
dontaudit $1_lpr_t $2:unix_stream_socket { read write };
# Transition from the user domain to the derived domain.
+@@ -225,6 +227,9 @@
+
+ userdom_read_all_users_home_content_files($1_lpr_t)
+
++ # Read and write shared files in the spool directory.
++ allow $1_lpr_t print_spool_t:file rw_file_perms;
++
+ # Allow per user lpr domain read acces for specific user.
+ tunable_policy(`read_untrusted_content',`
+ userdom_read_all_untrusted_content($1_lpr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.6/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/mta.if 2006-12-12 15:19:22.000000000 -0500
@@ -2707,7 +2900,7 @@
userdom_dontaudit_search_staff_home_dirs(procmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-2.4.6/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/radvd.te 2006-12-14 15:15:51.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/radvd.te 2006-12-19 16:04:18.000000000 -0500
@@ -28,7 +28,7 @@
allow radvd_t self:tcp_socket create_stream_socket_perms;
allow radvd_t self:udp_socket create_socket_perms;
@@ -2790,7 +2983,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.6/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/samba.te 2006-12-19 16:04:18.000000000 -0500
@@ -349,7 +349,7 @@
allow nmbd_t samba_etc_t:file { getattr read };
@@ -3719,7 +3912,7 @@
+/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.6/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2006-12-19 16:04:18.000000000 -0500
@@ -13,6 +13,9 @@
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
@@ -3976,7 +4169,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.4.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/mount.te 2006-12-12 15:19:22.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/mount.te 2006-12-19 16:04:18.000000000 -0500
@@ -9,6 +9,7 @@
type mount_t;
type mount_exec_t;
@@ -4064,10 +4257,12 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc 2006-12-12 15:19:22.000000000 -0500
-@@ -41,6 +41,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.fc 2006-12-19 12:36:13.000000000 -0500
+@@ -40,7 +40,9 @@
+ /usr/sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0)
/usr/sbin/setsebool -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
++/usr/sbin/genhomedircon -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/share/system-config-selinux/system-config-selinux.py -- gen_context(system_u:object_r:semanage_gui_exec_t,s0)
@@ -4075,7 +4270,7 @@
# /var/run
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.6/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if 2006-12-13 16:33:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if 2006-12-19 12:39:25.000000000 -0500
@@ -713,7 +713,7 @@
')
@@ -4094,7 +4289,7 @@
allow $1 default_context_t:file manage_file_perms;
')
-@@ -1121,3 +1121,109 @@
+@@ -1121,3 +1121,110 @@
allow $1 selinux_config_t:dir search_dir_perms;
allow $1 semanage_trans_lock_t:file rw_file_perms;
')
@@ -4111,7 +4306,7 @@
+#
+interface(`seutil_semanage_domain',`
+ gen_require(`
-+ type policy_config_t, semanage_tmp_t;
++ type policy_config_t, semanage_tmp_t, semanage_exec_t;
+ ')
+
+ allow $1 self:capability { dac_override audit_write };
@@ -4128,6 +4323,7 @@
+ allow $1 semanage_tmp_t:file create_file_perms;
+ files_tmp_filetrans($1, semanage_tmp_t, { file dir })
+
++ can_exec($1,semanage_exec_t)
+ kernel_read_system_state($1)
+ kernel_read_kernel_sysctls($1)
+
@@ -4448,8 +4644,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/tzdata.te serefpolicy-2.4.6/policy/modules/system/tzdata.te
--- nsaserefpolicy/policy/modules/system/tzdata.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/tzdata.te 2006-12-12 15:19:22.000000000 -0500
-@@ -0,0 +1,28 @@
++++ serefpolicy-2.4.6/policy/modules/system/tzdata.te 2006-12-20 13:32:30.000000000 -0500
+@@ -0,0 +1,32 @@
+policy_module(tzdata,1.0.0)
+
+########################################
@@ -4477,6 +4673,10 @@
+miscfiles_manage_localization(tzdata_t)
+miscfiles_etc_filetrans_localization(tzdata_t)
+
++ifdef(`targeted_policy',`
++ term_dontaudit_use_unallocated_ttys(tzdata_t)
++ term_dontaudit_use_generic_ptys(tzdata_t)
++')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.4.6/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-11-16 17:15:24.000000000 -0500
@@ -4583,7 +4783,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-15 17:09:16.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-20 09:58:02.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.368
retrieving revision 1.369
diff -u -r1.368 -r1.369
--- selinux-policy.spec 18 Dec 2006 21:50:13 -0000 1.368
+++ selinux-policy.spec 20 Dec 2006 20:40:30 -0000 1.369
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,12 @@
%endif
%changelog
+* Tue Dec 19 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-16
+- Allow semanage to exec it self. Label genhomedircon as semanage_exec_t
+Resolves: #219421
+- Allow sysadm_lpr_t to manage other print spool jobs
+Resolves: #220080
+
* Mon Dec 18 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-15
- allow automount to setgid
Resolves: #219999
More information about the fedora-cvs-commits
mailing list