rpms/selinux-policy/FC-5 policy-20060822.patch, 1.3, 1.4 selinux-policy.spec, 1.184, 1.185 sources, 1.66, 1.67
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Nov 22 14:25:22 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv10388
Modified Files:
policy-20060822.patch selinux-policy.spec sources
Log Message:
* Mon Nov 21 2006 Dan Walsh <dwalsh at redhat.com> 2.4.5-4.fc5
- Bump to fc6 policy
policy-20060822.patch:
mls | 9 -
modules/admin/amanda.fc | 51 -------
modules/admin/anaconda.te | 20 ++
modules/admin/bootloader.te | 4
modules/admin/consoletype.te | 11 +
modules/admin/firstboot.te | 2
modules/admin/logrotate.fc | 6
modules/admin/logrotate.if | 1
modules/admin/logrotate.te | 2
modules/admin/logwatch.fc | 7
modules/admin/logwatch.if | 18 ++
modules/admin/logwatch.te | 17 ++
modules/admin/prelink.if | 1
modules/admin/prelink.te | 11 +
modules/admin/rpm.fc | 2
modules/admin/rpm.if | 13 -
modules/admin/usermanage.te | 27 +--
modules/apps/java.fc | 9 +
modules/apps/mozilla.if | 2
modules/apps/wine.te | 2
modules/kernel/corecommands.fc | 7
modules/kernel/corecommands.if | 21 ++
modules/kernel/corecommands.te | 2
modules/kernel/corenetwork.te.in | 11 +
modules/kernel/devices.fc | 19 ++
modules/kernel/devices.if | 260 ++++++++++++++++++++++++++++++++++++-
modules/kernel/devices.te | 10 +
modules/kernel/domain.if | 13 +
modules/kernel/domain.te | 9 +
modules/kernel/files.fc | 2
modules/kernel/files.if | 188 ++++++++++++++++++++++++--
modules/kernel/files.te | 4
modules/kernel/filesystem.if | 121 +++++++++++++++++
modules/kernel/filesystem.te | 9 -
modules/kernel/kernel.if | 75 ++++++++++
modules/kernel/terminal.fc | 14 +
modules/kernel/terminal.if | 180 +++++++++++++++++++++++--
modules/kernel/terminal.te | 2
modules/services/afs.te | 14 -
modules/services/amavis.te | 12 +
modules/services/apache.if | 2
modules/services/apache.te | 14 +
modules/services/automount.te | 5
modules/services/avahi.te | 2
modules/services/bind.te | 2
modules/services/bluetooth.fc | 1
modules/services/bluetooth.te | 16 ++
modules/services/clamav.if | 1
modules/services/clamav.te | 1
modules/services/cpucontrol.te | 2
modules/services/cron.fc | 1
modules/services/cron.if | 18 ++
modules/services/cron.te | 9 -
modules/services/cups.te | 40 +++--
modules/services/cyrus.te | 7
modules/services/dbus.if | 6
modules/services/dhcp.te | 6
modules/services/dovecot.te | 4
modules/services/gatekeeper.te | 15 --
modules/services/hal.te | 11 -
modules/services/inn.te | 1
modules/services/kerberos.if | 2
modules/services/ldap.te | 5
modules/services/lpd.fc | 17 +-
modules/services/mta.fc | 2
modules/services/networkmanager.te | 10 +
modules/services/ntp.te | 7
modules/services/openvpn.te | 4
modules/services/pegasus.if | 31 ++++
modules/services/pegasus.te | 5
modules/services/postfix.fc | 1
modules/services/postfix.te | 15 ++
modules/services/postgresql.te | 1
modules/services/postgrey.te | 2
modules/services/ppp.fc | 7
modules/services/ppp.if | 18 ++
modules/services/ppp.te | 19 +-
modules/services/procmail.te | 3
modules/services/pyzor.te | 9 -
modules/services/radius.te | 2
modules/services/rpc.if | 4
modules/services/rpc.te | 17 +-
modules/services/samba.te | 15 +-
modules/services/sendmail.te | 15 +-
modules/services/setroubleshoot.fc | 9 +
modules/services/setroubleshoot.if | 3
modules/services/setroubleshoot.te | 112 +++++++++++++++
modules/services/smartmon.te | 1
modules/services/snmp.if | 19 ++
modules/services/spamassassin.te | 6
modules/services/squid.te | 10 -
modules/services/ssh.if | 24 +++
modules/services/ssh.te | 85 +++++-------
modules/services/stunnel.te | 11 +
modules/services/sysstat.te | 3
modules/services/xfs.te | 3
modules/services/xserver.if | 68 +++++++++
modules/services/xserver.te | 19 ++
modules/system/authlogin.if | 21 --
modules/system/authlogin.te | 1
modules/system/fstools.te | 1
modules/system/hostname.te | 10 -
modules/system/init.if | 7
modules/system/init.te | 2
modules/system/libraries.fc | 19 ++
modules/system/locallogin.te | 4
modules/system/logging.fc | 3
modules/system/logging.if | 21 ++
modules/system/logging.te | 11 -
modules/system/lvm.fc | 2
modules/system/lvm.te | 6
modules/system/miscfiles.fc | 1
modules/system/miscfiles.if | 18 ++
modules/system/modutils.te | 1
modules/system/mount.te | 7
modules/system/selinuxutil.te | 15 ++
modules/system/udev.fc | 1
modules/system/udev.te | 1
modules/system/unconfined.fc | 1
modules/system/unconfined.if | 2
modules/system/unconfined.te | 9 -
modules/system/userdomain.if | 246 +++++++++++++++++++++++------------
modules/system/userdomain.te | 48 +++---
modules/system/xen.if | 38 +++++
modules/system/xen.te | 26 ++-
125 files changed, 1997 insertions(+), 461 deletions(-)
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.3 -r 1.4 policy-20060822.patch
Index: policy-20060822.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/policy-20060822.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20060822.patch 29 Aug 2006 22:59:55 -0000 1.3
+++ policy-20060822.patch 22 Nov 2006 14:25:20 -0000 1.4
@@ -186,20 +186,199 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.fc serefpolicy-2.3.7/policy/modules/admin/logrotate.fc
+--- nsaserefpolicy/policy/modules/admin/logrotate.fc 2006-08-12 06:57:19.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/admin/logrotate.fc 2006-10-16 10:28:10.000000000 -0400
+@@ -1,13 +1,7 @@
+ /etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+-/usr/sbin/logcheck -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+ /usr/sbin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+
+-/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+-
+-# using a hard-coded name under /var/tmp is a bug - new version fixes it
+-/var/tmp/logcheck -d gen_context(system_u:object_r:logrotate_tmp_t,s0)
+-
+ ifdef(`distro_debian', `
+ /usr/bin/savelog -- gen_context(system_u:object_r:logrotate_exec_t,s0)
+ /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.if serefpolicy-2.3.7/policy/modules/admin/logrotate.if
+--- nsaserefpolicy/policy/modules/admin/logrotate.if 2006-08-12 06:57:19.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/admin/logrotate.if 2006-10-16 10:28:10.000000000 -0400
+@@ -43,6 +43,7 @@
+ ## The type of the terminal allow the logrotate domain to use.
+ ## </summary>
+ ## </param>
++## <rolecap/>
+ #
+ interface(`logrotate_run',`
+ gen_require(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-2.3.7/policy/modules/admin/logrotate.te
+--- nsaserefpolicy/policy/modules/admin/logrotate.te 2006-08-12 06:57:19.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/admin/logrotate.te 2006-10-16 10:28:11.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(logrotate,1.2.1)
++policy_module(logrotate,1.2.2)
+
+ ########################################
+ #
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.fc serefpolicy-2.3.7/policy/modules/admin/logwatch.fc
+--- nsaserefpolicy/policy/modules/admin/logwatch.fc 2006-08-12 06:57:19.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/admin/logwatch.fc 2006-10-16 10:29:21.000000000 -0400
+@@ -1,4 +1,7 @@
++/usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0)
+
+-/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
++/usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0)
+
+-/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
++/var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0)
++/var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0)
++/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.if serefpolicy-2.3.7/policy/modules/admin/logwatch.if
+--- nsaserefpolicy/policy/modules/admin/logwatch.if 2006-08-12 06:57:19.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/admin/logwatch.if 2006-10-16 10:29:21.000000000 -0400
+@@ -18,3 +18,21 @@
+ files_search_tmp($1)
+ allow $1 logwatch_tmp_t:file r_file_perms;
+ ')
++
++########################################
++## <summary>
++## Search logwatch cache directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`logwatch_search_cache_dir',`
++ gen_require(`
++ type logwatch_cache_t;
++ ')
++
++ allow $1 logwatch_cache_t:dir search;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.3.7/policy/modules/admin/logwatch.te
+--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-08-12 06:57:16.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/admin/logwatch.te 2006-10-16 10:29:22.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(logwatch,1.1.2)
++policy_module(logwatch,1.1.4)
+
+ #################################
+ #
+@@ -15,6 +15,9 @@
+ type logwatch_cache_t;
+ files_type(logwatch_cache_t)
+
++type logwatch_lock_t;
++files_lock_file(logwatch_lock_t)
++
+ type logwatch_tmp_t;
+ files_tmp_file(logwatch_tmp_t)
+
+@@ -24,12 +27,16 @@
+ #
+
+ allow logwatch_t self:capability { dac_override dac_read_search setgid };
++allow logwatch_t self:process signal;
+ allow logwatch_t self:fifo_file rw_file_perms;
+ allow logwatch_t self:unix_stream_socket create_stream_socket_perms;
+
+ allow logwatch_t logwatch_cache_t:dir create_dir_perms;
+ allow logwatch_t logwatch_cache_t:file create_file_perms;
+
++allow logwatch_t logwatch_lock_t:file manage_file_perms;
++files_lock_filetrans(logwatch_t,logwatch_lock_t,file)
++
+ allow logwatch_t logwatch_tmp_t:dir create_dir_perms;
+ allow logwatch_t logwatch_tmp_t:file create_file_perms;
+ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+@@ -41,7 +48,9 @@
+ corecmd_read_sbin_symlinks(logwatch_t)
+ corecmd_read_sbin_files(logwatch_t)
+ corecmd_exec_bin(logwatch_t)
++corecmd_exec_sbin(logwatch_t)
+ corecmd_exec_shell(logwatch_t)
++corecmd_exec_ls(logwatch_t)
+
+ dev_read_urand(logwatch_t)
+
+@@ -54,8 +63,10 @@
+ files_search_spool(logwatch_t)
+ files_search_mnt(logwatch_t)
+ files_dontaudit_search_home(logwatch_t)
++files_dontaudit_search_boot(logwatch_t)
+
+ fs_getattr_all_fs(logwatch_t)
++fs_dontaudit_list_auto_mountpoints(logwatch_t)
+
+ term_dontaudit_getattr_pty_dirs(logwatch_t)
+ term_dontaudit_list_ptys(logwatch_t)
+@@ -93,6 +104,10 @@
+ ')
+
+ optional_policy(`
++ hostname_exec(logwatch_t)
++')
++
++optional_policy(`
+ mta_getattr_spool(logwatch_t)
+ ')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-2.3.7/policy/modules/admin/prelink.if
+--- nsaserefpolicy/policy/modules/admin/prelink.if 2006-08-12 06:57:16.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/admin/prelink.if 2006-10-16 10:25:25.000000000 -0400
+@@ -78,6 +78,7 @@
+ ')
+
+ allow $1 prelink_cache_t:file unlink;
++ files_rw_etc_dirs($1)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.3.7/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-08-12 06:57:19.000000000 -0400
-+++ serefpolicy-2.3.7/policy/modules/admin/prelink.te 2006-08-28 14:20:46.000000000 -0400
-@@ -1,4 +1,3 @@
--
- policy_module(prelink,1.1.5)
++++ serefpolicy-2.3.7/policy/modules/admin/prelink.te 2006-10-16 10:25:06.000000000 -0400
+@@ -1,5 +1,5 @@
+
+-policy_module(prelink,1.1.5)
++policy_module(prelink,1.1.7)
########################################
-@@ -74,6 +73,8 @@
+ #
+@@ -24,7 +24,7 @@
+ #
- miscfiles_read_localization(prelink_t)
+ allow prelink_t self:capability { chown dac_override fowner fsetid };
+-allow prelink_t self:process { execheap execmem execstack };
++allow prelink_t self:process { execheap execmem execstack signal };
+ allow prelink_t self:fifo_file rw_file_perms;
+
+ allow prelink_t prelink_cache_t:file manage_file_perms;
+@@ -60,6 +60,8 @@
+
+ fs_getattr_xattr_fs(prelink_t)
+selinux_get_enforce_mode(prelink_t)
+
+ libs_use_ld_so(prelink_t)
[...3522 lines suppressed...]
++## </summary>
++## </param>
++#
++interface(`snmp_dontaudit_read_snmp_var_lib_files',`
++ gen_require(`
++ type snmpd_var_lib_t;
++ ')
++ dontaudit $1 snmpd_var_lib_t:dir r_dir_perms;
++ dontaudit $1 snmpd_var_lib_t:file r_file_perms;
++ dontaudit $1 snmpd_var_lib_t:lnk_file { getattr read };
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.3.7/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-08-12 06:57:20.000000000 -0400
-+++ serefpolicy-2.3.7/policy/modules/services/spamassassin.te 2006-08-29 18:51:34.000000000 -0400
-@@ -135,6 +135,7 @@
++++ serefpolicy-2.3.7/policy/modules/services/spamassassin.te 2006-10-19 15:03:51.000000000 -0400
+@@ -51,6 +51,7 @@
+ allow spamd_t self:unix_stream_socket connectto;
+ allow spamd_t self:tcp_socket create_stream_socket_perms;
+ allow spamd_t self:udp_socket create_socket_perms;
++allow spamd_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow spamd_t spamd_spool_t:file create_file_perms;
+ allow spamd_t spamd_spool_t:dir create_dir_perms;
+@@ -135,6 +136,7 @@
term_dontaudit_use_generic_ptys(spamd_t)
files_dontaudit_read_root_files(spamd_t)
tunable_policy(`spamd_enable_home_dirs',`
@@ -1509,7 +4249,7 @@
userdom_manage_generic_user_home_content_dirs(spamd_t)
userdom_manage_generic_user_home_content_files(spamd_t)
userdom_manage_generic_user_home_content_symlinks(spamd_t)
-@@ -194,3 +195,7 @@
+@@ -194,3 +196,7 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -1519,7 +4259,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.3.7/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2006-08-12 06:57:28.000000000 -0400
-+++ serefpolicy-2.3.7/policy/modules/services/squid.te 2006-08-28 14:20:46.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/services/squid.te 2006-10-16 13:48:58.000000000 -0400
@@ -28,9 +28,9 @@
# Local policy
#
@@ -1532,6 +4272,23 @@
allow squid_t self:fifo_file rw_file_perms;
allow squid_t self:sock_file r_file_perms;
allow squid_t self:fd use;
+@@ -99,6 +99,8 @@
+
+ fs_getattr_all_fs(squid_t)
+ fs_search_auto_mountpoints(squid_t)
++#squid requires the following when run in diskd mode, the recommended setting
++fs_rw_tmpfs_files(squid_t)
+
+ selinux_dontaudit_getattr_dir(squid_t)
+
+@@ -177,7 +179,3 @@
+ udev_read_db(squid_t)
+ ')
+
+-ifdef(`TODO',`
+-#squid requires the following when run in diskd mode, the recommended setting
+-allow squid_t tmpfs_t:file { read write };
+-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.3.7/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2006-08-12 06:57:28.000000000 -0400
+++ serefpolicy-2.3.7/policy/modules/services/ssh.if 2006-08-28 14:20:46.000000000 -0400
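Review bot: The new inner line `++fs_rw_tmpfs_files(squid_t)` grants squid read/write on every file of the generic tmpfs type, which is broader than the diskd shared-memory objects the accompanying comment justifies; a squid-private tmpfs type with a type transition would confine the grant to files squid itself creates. The TODO block this replaces (`allow squid_t tmpfs_t:file { read write };`) had the same scope, so nothing gets wider here, but the interface name now states the breadth plainly and the comment could say why the generic type is acceptable, e.g. `# diskd shares its queues via generic tmpfs files, so a private type does not apply`, if that is the case. The squid.te local policy section continues outside this hunk.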
@@ -1692,7 +4449,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-2.3.7/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te 2006-08-12 06:57:28.000000000 -0400
-+++ serefpolicy-2.3.7/policy/modules/services/stunnel.te 2006-08-28 14:20:46.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/services/stunnel.te 2006-10-19 15:05:52.000000000 -0400
@@ -38,6 +38,7 @@
allow stunnel_t self:fifo_file rw_file_perms;
allow stunnel_t self:tcp_socket create_stream_socket_perms;
@@ -1701,21 +4458,26 @@
allow stunnel_t stunnel_etc_t:dir { getattr read search };
allow stunnel_t stunnel_etc_t:file { read getattr };
-@@ -64,6 +65,7 @@
+@@ -63,7 +64,7 @@
+ corenet_tcp_sendrecv_all_ports(stunnel_t)
corenet_udp_sendrecv_all_ports(stunnel_t)
corenet_tcp_bind_all_nodes(stunnel_t)
- #corenet_tcp_bind_stunnel_port(stunnel_t)
-+corenet_tcp_connect_smtp_port(stunnel_t)
+-#corenet_tcp_bind_stunnel_port(stunnel_t)
++corenet_tcp_connect_all_port(stunnel_t)
fs_getattr_all_fs(stunnel_t)
-@@ -105,6 +107,10 @@
+@@ -105,6 +106,14 @@
')
optional_policy(`
+ mount_send_nfs_client_request(stunnel_t)
+ ')
+
++ optional_policy(`
++ mount_send_nfs_client_request(stunnel_t)
++ ')
++
+ optional_policy(`
seutil_sigchld_newrole(stunnel_t)
')
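Review bot: The new inner line `++corenet_tcp_connect_all_port(stunnel_t)` both widens and possibly misnames the grant: it replaces the SMTP-only connect the previous patch revision carried (`corenet_tcp_connect_smtp_port(stunnel_t)`) with connect to every TCP port, and its singular `_port` differs from the plural spelling used two lines earlier in the same hunk, `corenet_tcp_sendrecv_all_ports(stunnel_t)`; if the generated interface is the plural `corenet_tcp_connect_all_ports`, the module will not build. stunnel does forward to whatever backend its configuration names, so a broad grant may be intended, but a one-line comment such as `# stunnel connects to arbitrary configured backends` would record that decision. The four added `++ optional_policy(` ... `++ ')` lines also appear to duplicate the `mount_send_nfs_client_request(stunnel_t)` block directly above them; the second copy is redundant and should be dropped. The stunnel.te sections touched here continue outside this hunk.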
@@ -1740,6 +4502,19 @@
init_use_fds(sysstat_t)
init_use_script_ptys(sysstat_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-2.3.7/policy/modules/services/xfs.te
+--- nsaserefpolicy/policy/modules/services/xfs.te 2006-08-12 06:57:20.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/services/xfs.te 2006-10-23 08:57:13.000000000 -0400
+@@ -21,7 +21,8 @@
+ # Local policy
+ #
+
+-allow xfs_t self:capability { setgid setuid };
++allow xfs_t self:capability { dac_override setgid setuid };
++
+ dontaudit xfs_t self:capability sys_tty_config;
+ allow xfs_t self:process { signal_perms setpgid };
+ allow xfs_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.7/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-08-12 06:57:28.000000000 -0400
+++ serefpolicy-2.3.7/policy/modules/services/xserver.if 2006-08-28 14:20:46.000000000 -0400
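Review bot: The new inner line `++allow xfs_t self:capability { dac_override setgid setuid };` adds `dac_override` to the X font server domain, which lets the process bypass discretionary permission checks on every file its SELinux rules already let it reach, not on one specific path. If this was added for a single unreadable font or config file, an allow on that file's type, or fixing the file's ownership and mode, would be the narrower fix; if the capability really is required, a short comment such as `# dac_override: needed for <which files - TODO>` would let a later reviewer re-check it. The extra blank line added after it (`++`) is cosmetic. xfs.te's local policy section continues outside this hunk.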
@@ -1841,15 +4616,14 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-2.3.7/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2006-08-12 06:57:28.000000000 -0400
-+++ serefpolicy-2.3.7/policy/modules/services/xserver.te 2006-08-28 14:20:46.000000000 -0400
-@@ -81,15 +81,19 @@
++++ serefpolicy-2.3.7/policy/modules/services/xserver.te 2006-10-19 15:08:10.000000000 -0400
+@@ -81,21 +81,29 @@
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
allow xdm_t self:fifo_file rw_file_perms;
-+allow xdm_t self:key link;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
allow xdm_t self:unix_stream_socket { connectto create_stream_socket_perms };
@@ -1860,11 +4634,22 @@
-allow xdm_t self:key write;
+allow xdm_t self:socket create_socket_perms;
+allow xdm_t self:appletalk_socket create_socket_perms;
-+allow xdm_t self:key { search write };
++allow xdm_t self:key { search link write };
# Supress permission check on .ICE-unix
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
-@@ -106,6 +110,8 @@
+
+ allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+
++allow xdm_t xdm_tmp_t:dir manage_dir_perms;
++allow xdm_t xdm_tmp_t:file manage_file_perms;
++allow xdm_t xdm_tmp_t:sock_file manage_file_perms;
++files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
++
+ # Allow gdm to run gdm-binary
+ can_exec(xdm_t, xdm_exec_t)
+
+@@ -106,6 +114,8 @@
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
@@ -1873,7 +4658,7 @@
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-@@ -154,6 +160,7 @@
+@@ -154,6 +164,7 @@
domain_dontaudit_read_all_domains_state(xdm_t)
files_read_etc_files(xdm_t)
@@ -1881,7 +4666,7 @@
files_read_etc_runtime_files(xdm_t)
files_exec_etc_files(xdm_t)
files_list_mnt(xdm_t)
-@@ -180,6 +187,8 @@
+@@ -180,6 +191,8 @@
auth_manage_pam_pid(xdm_t)
auth_manage_pam_console_data(xdm_t)
@@ -1890,7 +4675,7 @@
init_use_script_ptys(xdm_t)
# Run telinit->init to shutdown.
-@@ -257,7 +266,7 @@
+@@ -257,7 +270,7 @@
allow xdm_t xdm_xserver_tmp_t:sock_file unlink;
allow xdm_t xdm_xserver_tmp_t:file unlink;
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/selinux-policy.spec,v
retrieving revision 1.184
retrieving revision 1.185
diff -u -r1.184 -r1.185
--- selinux-policy.spec 28 Aug 2006 19:31:07 -0000 1.184
+++ selinux-policy.spec 22 Nov 2006 14:25:20 -0000 1.185
@@ -15,8 +15,8 @@
%define CHECKPOLICYVER 1.30.3-1
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.3.7
-Release: 3.fc5
+Version: 2.4.5
+Release: 4.fc5
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -73,8 +73,8 @@
%dir %{_usr}/share/selinux/mls
%define setupCmds() \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 bare \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 conf \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 bare \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f ${RPM_SOURCE_DIR}/modules-%1.conf ./policy/modules.conf \
cp -f ${RPM_SOURCE_DIR}/booleans-%1.conf ./policy/booleans.conf \
@@ -82,18 +82,18 @@
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
%define installCmds() \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 modules \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%3 install \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%3 install-appconfig \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 base.pp \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 modules \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 install \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 conf install-appconfig \
#%{__cp} *.pp %{buildroot}/%{_usr}/share/selinux/%1/ \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/modules/active \
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/selinux/%1/contexts/files \
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
touch %{buildroot}/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
-make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 enableaudit \
-make -W base.conf NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 base.pp \
+make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 enableaudit \
+make -W base.conf NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 base.pp \
install -m0644 base.pp %{buildroot}%{_usr}/share/selinux/%1/enableaudit.pp \
rm -rf %{buildroot}%{_sysconfdir}/selinux/%1/booleans \
touch %{buildroot}%{_sysconfdir}/selinux/%1/seusers \
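Review bot: The rewritten `install-appconfig` line (`... POLY=%3 MLS_CATS=1024 MCS_CATS=1024 conf install-appconfig`) gains an extra `conf` make target that none of its sibling lines in this hunk or in the `@@ -73,8 +73,8 @@` hunk receive; if that was not intended it re-runs the conf target in the middle of the install sequence, and the line should read `... MLS_CATS=1024 MCS_CATS=1024 install-appconfig` like the others. Separately, `MLS_CATS=1024 MCS_CATS=1024` is now repeated verbatim on ten `make` invocations across this hunk, the `@@ -73`, `@@ -179` and `@@ -198` hunks; hoisting it into one spec macro, e.g. `%define catCmds MLS_CATS=1024 MCS_CATS=1024` (constructed name), would keep the category count in a single place. The `%define installCmds()` body continues outside this hunk.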
@@ -179,7 +179,7 @@
# Install devel
make clean
-make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 install-headers install-docs
+make NAME=targeted TYPE=targeted-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=%3 MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs
mkdir %{buildroot}%{_usr}/share/selinux/devel/
mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include
install -m 755 ${RPM_SOURCE_DIR}/policygentool %{buildroot}%{_usr}/share/selinux/devel/
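Review bot: The rewritten `install-headers install-docs` line keeps `POLY=%3`, but `%3` is a macro-argument reference and this line appears to sit outside any `%define ...()` body (its surrounding context is plain `make clean` and `mkdir` steps), so the value it passes is unclear. Since the line is being touched anyway, replacing `%3` with the explicit `POLY=` value the devel headers should be built with would remove the ambiguity. The enclosing spec section continues outside this hunk.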
@@ -198,8 +198,8 @@
%if %{BUILD_STRICT}
# Build strict policy
# Commented out because only targeted ref policy currently builds
-make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} POLY=n bare
-make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} POLY=n conf
+make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} POLY=n MLS_CATS=1024 MCS_CATS=1024 bare
+make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} POLY=n MLS_CATS=1024 MCS_CATS=1024 conf
cp -f ${RPM_SOURCE_DIR}/modules-strict.conf ./policy/modules.conf
%installCmds strict strict-mcs y n
ln -sf ../devel/include %{buildroot}%{_usr}/share/selinux/strict
@@ -347,6 +347,12 @@
%endif
%changelog
+* Mon Nov 21 2006 Dan Walsh <dwalsh at redhat.com> 2.4.5-4.fc5
+- Bump to fc6 policy
+
+* Mon Oct 16 2006 Dan Walsh <dwalsh at redhat.com> 2.3.7-4.fc5
+- Backport some fixes for FC5 from FC6
+
* Mon Aug 28 2006 Dan Walsh <dwalsh at redhat.com> 2.3.7-3.fc5
- Backport some fixes for FC5 from rawhide
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/sources,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -r1.66 -r1.67
--- sources 22 Aug 2006 13:47:01 -0000 1.66
+++ sources 22 Nov 2006 14:25:20 -0000 1.67
@@ -1 +1 @@
-db77e32295f642a88c7e89673361b15d serefpolicy-2.3.7.tgz
+c6d88e7a588fb11c9844027801bbb0f0 serefpolicy-2.4.5.tgz