rpms/selinux-policy/devel policy-20070219.patch, 1.39, 1.40 selinux-policy.spec, 1.426, 1.427
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Sat Apr 7 11:35:22 UTC 2007
- Previous message (by thread): rpms/openoffice.org/devel openoffice.org.spec,1.1160,1.1161
- Next message (by thread): rpms/ppc64-utils/devel ps3.dts, NONE, 1.1 .cvsignore, 1.5, 1.6 ppc64-utils.spec, 1.23, 1.24 sources, 1.10, 1.11
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2924
Modified Files:
policy-20070219.patch selinux-policy.spec
Log Message:
* Thu Apr 5 2007 Dan Walsh <dwalsh at redhat.com> 2.5.11-5
- Allow bluetooth to read inotifyfs
policy-20070219.patch:
Rules.modular | 12 +
policy/flask/access_vectors | 4
policy/global_booleans | 2
policy/global_tunables | 39 +++-
policy/mls | 31 ++-
policy/modules/admin/acct.te | 1
policy/modules/admin/acct.xml | 43 +++++
policy/modules/admin/alsa.xml | 43 +++++
policy/modules/admin/amanda.xml | 85 ++++++++++
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 53 ++++++
policy/modules/admin/amtu.te | 56 ++++++
policy/modules/admin/amtu.xml | 36 ++++
policy/modules/admin/anaconda.xml | 3
policy/modules/admin/apt.xml | 95 +++++++++++
policy/modules/admin/backup.xml | 35 ++++
policy/modules/admin/bootloader.te | 2
policy/modules/admin/bootloader.xml | 79 +++++++++
policy/modules/admin/certwatch.xml | 37 ++++
policy/modules/admin/consoletype.te | 8
policy/modules/admin/consoletype.xml | 47 +++++
policy/modules/admin/ddcprobe.xml | 35 ++++
policy/modules/admin/dmesg.te | 1
policy/modules/admin/dmesg.xml | 24 ++
policy/modules/admin/dmidecode.xml | 35 ++++
policy/modules/admin/dpkg.xml | 125 +++++++++++++++
policy/modules/admin/firstboot.if | 18 ++
policy/modules/admin/firstboot.xml | 88 ++++++++++
policy/modules/admin/kudzu.te | 2
policy/modules/admin/kudzu.xml | 45 +++++
policy/modules/admin/logrotate.xml | 75 +++++++++
policy/modules/admin/logwatch.te | 2
policy/modules/admin/logwatch.xml | 23 ++
policy/modules/admin/netutils.te | 4
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 65 +++++++
policy/modules/admin/rpm.te | 2
policy/modules/admin/su.if | 6
policy/modules/admin/usermanage.te | 42 +++--
policy/modules/apps/games.fc | 1
policy/modules/apps/gnome.if | 26 +++
policy/modules/apps/gpg.fc | 2
policy/modules/apps/loadkeys.if | 44 +----
policy/modules/apps/mozilla.if | 1
policy/modules/apps/slocate.te | 4
policy/modules/apps/usernetctl.te | 10 -
policy/modules/kernel/corecommands.fc | 7
policy/modules/kernel/corecommands.if | 20 ++
policy/modules/kernel/corenetwork.if.in | 54 ++++++
policy/modules/kernel/corenetwork.te.in | 18 +-
policy/modules/kernel/devices.if | 36 ++++
policy/modules/kernel/domain.if | 18 ++
policy/modules/kernel/domain.te | 46 +++++
policy/modules/kernel/files.fc | 1
policy/modules/kernel/files.if | 81 ++++++++-
policy/modules/kernel/filesystem.if | 39 ++++
policy/modules/kernel/filesystem.te | 11 +
policy/modules/kernel/kernel.if | 23 ++
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 20 ++
policy/modules/kernel/mls.te | 3
policy/modules/kernel/selinux.if | 38 ++++
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 14 -
policy/modules/services/apache.if | 169 +++++++++++++++++++-
policy/modules/services/apache.te | 70 ++++++++
policy/modules/services/apcupsd.fc | 9 +
policy/modules/services/apcupsd.if | 108 +++++++++++++
policy/modules/services/apcupsd.te | 81 +++++++++
policy/modules/services/automount.te | 2
policy/modules/services/bluetooth.te | 2
policy/modules/services/ccs.te | 12 +
policy/modules/services/consolekit.fc | 1
policy/modules/services/consolekit.te | 28 ++-
policy/modules/services/cron.fc | 1
policy/modules/services/cron.if | 33 +---
policy/modules/services/cron.te | 51 ++++--
policy/modules/services/cups.te | 2
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 5
policy/modules/services/dbus.if | 63 +++++++
policy/modules/services/dhcp.te | 2
policy/modules/services/djbdns.te | 5
policy/modules/services/dovecot.te | 5
policy/modules/services/ftp.te | 5
policy/modules/services/hal.fc | 8
policy/modules/services/hal.if | 19 ++
policy/modules/services/hal.te | 139 ++++++++++++++++
policy/modules/services/inetd.te | 5
policy/modules/services/kerberos.if | 58 ++-----
policy/modules/services/kerberos.te | 36 ++++
policy/modules/services/mta.if | 19 ++
policy/modules/services/mta.te | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.if | 4
policy/modules/services/nis.te | 4
policy/modules/services/nscd.te | 10 +
policy/modules/services/ntp.te | 5
policy/modules/services/pegasus.if | 18 ++
policy/modules/services/pegasus.te | 6
policy/modules/services/postfix.if | 1
policy/modules/services/postfix.te | 8
policy/modules/services/ppp.te | 9 -
policy/modules/services/procmail.te | 1
policy/modules/services/pyzor.te | 1
policy/modules/services/radius.te | 4
policy/modules/services/rpc.if | 5
policy/modules/services/rsync.te | 1
policy/modules/services/samba.fc | 3
policy/modules/services/samba.if | 64 +++++++
policy/modules/services/samba.te | 79 +++++++++
policy/modules/services/sasl.te | 11 +
policy/modules/services/sendmail.if | 20 ++
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 10 +
policy/modules/services/spamassassin.te | 7
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 22 ++
policy/modules/services/squid.te | 12 +
policy/modules/services/ssh.if | 39 ++++
policy/modules/services/ssh.te | 5
policy/modules/services/xserver.te | 10 -
policy/modules/services/zabbix.fc | 4
policy/modules/services/zabbix.if | 87 ++++++++++
policy/modules/services/zabbix.te | 64 +++++++
policy/modules/system/application.fc | 1
policy/modules/system/application.if | 104 ++++++++++++
policy/modules/system/application.te | 14 +
policy/modules/system/authlogin.if | 83 ++++++++--
policy/modules/system/authlogin.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 1
policy/modules/system/fusermount.fc | 6
policy/modules/system/fusermount.if | 41 +++++
policy/modules/system/fusermount.te | 45 +++++
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 14 +
policy/modules/system/init.if | 3
policy/modules/system/init.te | 35 +++-
policy/modules/system/ipsec.if | 20 ++
policy/modules/system/iptables.te | 4
policy/modules/system/libraries.fc | 8
policy/modules/system/libraries.te | 20 ++
policy/modules/system/locallogin.te | 7
policy/modules/system/logging.if | 21 ++
policy/modules/system/logging.te | 2
policy/modules/system/lvm.te | 5
policy/modules/system/modutils.te | 11 +
policy/modules/system/mount.fc | 3
policy/modules/system/mount.if | 37 ++++
policy/modules/system/mount.te | 64 +++++++
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 5
policy/modules/system/selinuxutil.te | 68 +++-----
policy/modules/system/udev.fc | 2
policy/modules/system/udev.te | 11 +
policy/modules/system/unconfined.fc | 1
policy/modules/system/unconfined.if | 10 -
policy/modules/system/unconfined.te | 24 ++
policy/modules/system/userdomain.if | 246 ++++++++++++++++--------------
policy/modules/system/userdomain.te | 46 ++++-
policy/modules/system/xen.te | 35 ++++
policy/support/obj_perm_sets.spt | 12 +
166 files changed, 3877 insertions(+), 435 deletions(-)
Index: policy-20070219.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070219.patch,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- policy-20070219.patch 4 Apr 2007 20:46:07 -0000 1.39
+++ policy-20070219.patch 7 Apr 2007 11:35:20 -0000 1.40
@@ -1459,7 +1459,7 @@
+</module>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.5.11/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-03-26 16:24:13.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/admin/netutils.te 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/admin/netutils.te 2007-04-05 08:55:43.000000000 -0400
@@ -31,6 +31,7 @@
type traceroute_t;
type traceroute_exec_t;
@@ -1468,6 +1468,23 @@
role system_r types traceroute_t;
########################################
+@@ -40,6 +41,7 @@
+
+ # Perform network administration operations and have raw access to the network.
+ allow netutils_t self:capability { net_admin net_raw setuid setgid };
++dontaudit netutils_t self:capability sys_tty_config;
+ allow netutils_t self:process { sigkill sigstop signull signal };
+ allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
+ allow netutils_t self:packet_socket create_socket_perms;
+@@ -50,6 +52,8 @@
+ manage_files_pattern(netutils_t,netutils_tmp_t,netutils_tmp_t)
+ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
+
++dev_read_sysfs(netutils_t)
++
+ kernel_search_proc(netutils_t)
+
+ corenet_non_ipsec_sendrecv(netutils_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.5.11/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.5.11/policy/modules/admin/rpm.fc 2007-04-04 13:46:37.000000000 -0400
@@ -2493,7 +2510,7 @@
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.5.11/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.11/policy/modules/kernel/kernel.if 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/kernel/kernel.if 2007-04-04 16:41:08.000000000 -0400
@@ -1830,6 +1830,26 @@
########################################
@@ -2719,8 +2736,30 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.5.11/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-04-02 10:58:34.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/apache.if 2007-04-04 13:46:37.000000000 -0400
-@@ -268,8 +268,11 @@
++++ serefpolicy-2.5.11/policy/modules/services/apache.if 2007-04-06 15:34:02.000000000 -0400
+@@ -18,10 +18,6 @@
+ attribute httpd_script_exec_type;
+ type httpd_t, httpd_suexec_t, httpd_log_t;
+ ')
+- # allow write access to public file transfer
+- # services files.
+- gen_tunable(allow_httpd_$1_script_anon_write,false)
+-
+ #This type is for webpages
+ type httpd_$1_content_t, httpdcontent; # customizable
+ files_type(httpd_$1_content_t)
+@@ -120,10 +116,6 @@
+ can_exec(httpd_$1_script_t, httpdcontent)
+ ')
+
+- tunable_policy(`allow_httpd_$1_script_anon_write',`
+- miscfiles_manage_public_files(httpd_$1_script_t)
+- ')
+-
+ # Allow the web server to run scripts and serve pages
+ tunable_policy(`httpd_builtin_scripting',`
+ manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
+@@ -268,8 +260,11 @@
')
apache_content_template($1)
@@ -2733,7 +2772,7 @@
userdom_user_home_content($1,httpd_$1_content_t)
role $3 types httpd_$1_script_t;
-@@ -434,6 +437,24 @@
+@@ -434,6 +429,24 @@
########################################
## <summary>
@@ -2758,7 +2797,7 @@
## Inherit and use file descriptors from Apache.
## </summary>
## <param name="domain">
-@@ -752,6 +773,7 @@
+@@ -752,6 +765,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -2766,7 +2805,7 @@
')
########################################
-@@ -1000,3 +1022,140 @@
+@@ -1000,3 +1014,140 @@
allow $1 httpd_sys_script_t:dir search_dir_perms;
')
@@ -2909,8 +2948,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.5.11/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-04-02 10:58:34.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/apache.te 2007-04-04 13:46:37.000000000 -0400
-@@ -106,6 +106,20 @@
++++ serefpolicy-2.5.11/policy/modules/services/apache.te 2007-04-06 15:38:22.000000000 -0400
+@@ -106,6 +106,27 @@
## </desc>
gen_tunable(httpd_unified,false)
@@ -2928,10 +2967,17 @@
+## </desc>
+gen_tunable(httpd_use_cifs,false)
+
++## <desc>
++## <p>
++## Allow apache scripts to write to public content
++## </p>
++## </desc>
++gen_tunable(allow_httpd_sys_script_anon_write,false)
++
attribute httpdcontent;
# domains that can exec all users scripts
-@@ -257,6 +271,7 @@
+@@ -257,6 +278,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -2939,7 +2985,7 @@
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -297,6 +312,7 @@
+@@ -297,6 +319,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -2947,7 +2993,18 @@
corenet_non_ipsec_sendrecv(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
-@@ -433,11 +449,21 @@
+@@ -416,6 +439,10 @@
+ allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
+ ')
+
++tunable_policy(`allow_httpd_sys_script_anon_write',`
++ miscfiles_manage_public_files(httpd_sys_script_t)
++')
++
+ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
+
+@@ -433,11 +460,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -2969,7 +3026,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -468,6 +494,7 @@
+@@ -468,6 +505,7 @@
optional_policy(`
kerberos_use(httpd_t)
@@ -2977,7 +3034,7 @@
')
optional_policy(`
-@@ -667,6 +694,12 @@
+@@ -667,6 +705,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -2990,7 +3047,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -729,11 +762,21 @@
+@@ -729,11 +773,21 @@
')
')
@@ -3012,7 +3069,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -787,3 +830,19 @@
+@@ -787,3 +841,19 @@
term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
')
@@ -3261,6 +3318,18 @@
dev_read_urand(automount_t)
domain_use_interactive_fds(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.5.11/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-03-20 23:38:04.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/bluetooth.te 2007-04-05 08:38:17.000000000 -0400
+@@ -98,7 +98,7 @@
+
+ fs_getattr_all_fs(bluetooth_t)
+ fs_search_auto_mountpoints(bluetooth_t)
+-fs_search_inotifyfs(bluetooth_t)
++fs_list_inotifyfs(bluetooth_t)
+
+ #Handle bluetooth serial devices
+ term_use_unallocated_ttys(bluetooth_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ccs.te serefpolicy-2.5.11/policy/modules/services/ccs.te
--- nsaserefpolicy/policy/modules/services/ccs.te 2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-2.5.11/policy/modules/services/ccs.te 2007-04-04 13:46:37.000000000 -0400
@@ -3831,8 +3900,8 @@
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.5.11/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.11/policy/modules/services/hal.fc 2007-04-04 13:46:37.000000000 -0400
-@@ -8,4 +8,10 @@
++++ serefpolicy-2.5.11/policy/modules/services/hal.fc 2007-04-04 16:39:58.000000000 -0400
+@@ -8,4 +8,12 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
@@ -3843,10 +3912,38 @@
+/usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
+
+/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
++
++/var/log/pm-suspend.log gen_context(system_u:object_r:hald_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.5.11/policy/modules/services/hal.if
+--- nsaserefpolicy/policy/modules/services/hal.if 2007-02-19 11:32:53.000000000 -0500
++++ serefpolicy-2.5.11/policy/modules/services/hal.if 2007-04-07 07:33:28.000000000 -0400
+@@ -208,3 +208,22 @@
+ files_search_pids($1)
+ allow $1 hald_var_run_t:file rw_file_perms;
+ ')
++
++########################################
++## <summary>
++## Do not audit attempts to write the hal
++## log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit
++## </summary>
++## </param>
++#
++interface(`hal_dontaudit_write_log',`
++ gen_require(`
++ type hald_log_t;
++ ')
++
++ dontaudit $1 hald_log_t:file { append write };
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.5.11/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-03-20 23:38:00.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/hal.te 2007-04-04 13:46:37.000000000 -0400
-@@ -16,9 +16,30 @@
++++ serefpolicy-2.5.11/policy/modules/services/hal.te 2007-04-06 15:40:37.000000000 -0400
+@@ -16,9 +16,33 @@
type hald_var_run_t;
files_pid_file(hald_var_run_t)
@@ -3856,6 +3953,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
++type hald_log_t;
++files_type(hald_log_t)
++
+type hald_acl_t;
+type hald_acl_exec_t;
+domain_type(hald_acl_t)
@@ -3877,7 +3977,7 @@
########################################
#
# Local policy
-@@ -26,7 +47,7 @@
+@@ -26,7 +50,7 @@
# execute openvt which needs setuid
allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
@@ -3886,7 +3986,14 @@
allow hald_t self:process signal_perms;
allow hald_t self:fifo_file rw_fifo_file_perms;
allow hald_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -51,11 +72,13 @@
+@@ -48,14 +72,20 @@
+ manage_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+ manage_sock_files_pattern(hald_t,hald_var_lib_t,hald_var_lib_t)
+
++# var/log files for hald
++allow hald_t hald_log_t:file manage_file_perms;
++logging_log_filetrans(hald_t,hald_log_t,file)
++
manage_files_pattern(hald_t,hald_var_run_t,hald_var_run_t)
files_pid_filetrans(hald_t,hald_var_run_t,file)
@@ -3894,14 +4001,15 @@
+
kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
- kernel_read_kernel_sysctls(hald_t)
+-kernel_read_kernel_sysctls(hald_t)
++kernel_rw_kernel_sysctl(hald_t)
kernel_read_fs_sysctls(hald_t)
-kernel_read_irq_sysctls(hald_t)
+kernel_rw_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
-@@ -85,9 +108,13 @@
+@@ -85,9 +115,13 @@
dev_rw_power_management(hald_t)
# hal is now execing pm-suspend
dev_rw_sysfs(hald_t)
@@ -3915,7 +4023,7 @@
files_exec_etc_files(hald_t)
files_read_etc_files(hald_t)
-@@ -101,9 +128,11 @@
+@@ -101,9 +135,11 @@
files_create_boot_flag(hald_t)
files_getattr_all_dirs(hald_t)
files_read_kernel_img(hald_t)
@@ -3927,7 +4035,7 @@
fs_list_auto_mountpoints(hald_t)
files_getattr_all_mountpoints(hald_t)
-@@ -128,10 +157,10 @@
+@@ -128,10 +164,10 @@
auth_use_nsswitch(hald_t)
init_domtrans_script(hald_t)
@@ -3939,7 +4047,7 @@
libs_use_ld_so(hald_t)
libs_use_shared_libs(hald_t)
-@@ -245,3 +274,98 @@
+@@ -245,3 +281,98 @@
optional_policy(`
vbetool_domtrans(hald_t)
')
@@ -4269,9 +4377,30 @@
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.5.11/policy/modules/services/nis.te
+--- nsaserefpolicy/policy/modules/services/nis.te 2007-03-26 10:39:04.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/nis.te 2007-04-05 09:25:36.000000000 -0400
+@@ -258,6 +258,8 @@
+ corenet_udp_bind_all_nodes(ypserv_t)
+ corenet_tcp_bind_reserved_port(ypserv_t)
+ corenet_udp_bind_reserved_port(ypserv_t)
++corenet_tcp_bind_all_rpc_ports(ypserv_t)
++corenet_udp_bind_all_rpc_ports(ypserv_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
+ corenet_sendrecv_generic_server_packets(ypserv_t)
+@@ -332,6 +334,8 @@
+ corenet_udp_bind_all_nodes(ypxfr_t)
+ corenet_tcp_bind_reserved_port(ypxfr_t)
+ corenet_udp_bind_reserved_port(ypxfr_t)
++corenet_tcp_bind_all_rpc_ports(ypxfr_t)
++corenet_udp_bind_all_rpc_ports(ypxfr_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t)
+ corenet_tcp_connect_all_ports(ypxfr_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.5.11/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-03-20 23:37:51.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/nscd.te 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/nscd.te 2007-04-05 09:14:24.000000000 -0400
@@ -30,7 +30,7 @@
allow nscd_t self:capability { kill setgid setuid audit_write };
@@ -4295,7 +4424,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.5.11/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2007-03-26 10:39:04.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/ntp.te 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/ntp.te 2007-04-07 07:33:52.000000000 -0400
@@ -129,6 +129,7 @@
optional_policy(`
@@ -4304,6 +4433,17 @@
')
optional_policy(`
+@@ -136,6 +137,10 @@
+ ')
+
+ optional_policy(`
++ hal_dontaudit_write_log(ntpd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(ntpd_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.5.11/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-11-16 17:15:21.000000000 -0500
+++ serefpolicy-2.5.11/policy/modules/services/pegasus.if 2007-04-04 13:46:37.000000000 -0400
@@ -4478,23 +4618,20 @@
type rsync_data_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-2.5.11/policy/modules/services/samba.fc
--- nsaserefpolicy/policy/modules/services/samba.fc 2007-02-23 16:50:01.000000000 -0500
-+++ serefpolicy-2.5.11/policy/modules/services/samba.fc 2007-04-04 13:46:37.000000000 -0400
-@@ -25,9 +25,12 @@
- #
- /var/cache/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
++++ serefpolicy-2.5.11/policy/modules/services/samba.fc 2007-04-05 09:14:13.000000000 -0400
+@@ -27,6 +27,9 @@
/var/cache/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
-+/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
/var/lib/samba(/.*)? gen_context(system_u:object_r:samba_var_t,s0)
-
-+/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
++/var/lib/samba/winbindd_privileged(/.*)? gen_context(system_u:object_r:winbind_var_run_t,s0)
+
++/var/lib/samba/scripts(/.*)? gen_context(system_u:object_r:samba_unconfined_script_exec_t,s0)
+
/var/log/samba(/.*)? gen_context(system_u:object_r:samba_log_t,s0)
- /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.5.11/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.11/policy/modules/services/samba.if 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/samba.if 2007-04-05 09:15:08.000000000 -0400
@@ -177,6 +177,27 @@
########################################
@@ -4565,7 +4702,7 @@
## Allow the specified domain to write to smbmount tcp sockets.
## </summary>
## <param name="domain">
-@@ -377,3 +421,22 @@
+@@ -377,3 +421,23 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@@ -4588,9 +4725,10 @@
+ dontaudit $1 smbd_t:fd use;
+')
+
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.5.11/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-03-26 16:24:12.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/samba.te 2007-04-04 14:46:39.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/samba.te 2007-04-05 09:09:57.000000000 -0400
@@ -28,10 +28,39 @@
## </desc>
gen_tunable(samba_share_nfs,false)
@@ -4654,7 +4792,29 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -362,9 +400,12 @@
+@@ -339,6 +377,21 @@
+ udev_read_db(smbd_t)
+ ')
+
++tunable_policy(`samba_export_all_rw',`
++ fs_read_noxattr_fs_files(smbd_t)
++ auth_manage_all_files_except_shadow(smbd_t)
++ fs_read_noxattr_fs_files(nmbd_t)
++ auth_manage_all_files_except_shadow(nmbd_t)
++')
++
++tunable_policy(`samba_export_all_ro',`
++ fs_read_noxattr_fs_files(smbd_t)
++ auth_read_all_files_except_shadow(smbd_t)
++ fs_read_noxattr_fs_files(nmbd_t)
++ auth_read_all_files_except_shadow(nmbd_t)
++')
++
++
+ ########################################
+ #
+ # nmbd Local policy
+@@ -362,9 +415,12 @@
files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
@@ -4668,7 +4828,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:dir setattr;
-@@ -457,6 +498,7 @@
+@@ -457,6 +513,7 @@
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -4676,20 +4836,35 @@
allow smbmount_t samba_var_t:dir rw_dir_perms;
manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
-@@ -625,6 +667,12 @@
+@@ -514,7 +571,7 @@
+ userdom_use_sysadm_ttys(smbmount_t)
+
+ optional_policy(`
+- cups_read_rw_config(smbd_t)
++ cups_read_rw_config(smbmount_t)
+ ')
+
+ optional_policy(`
+@@ -625,6 +682,8 @@
# Winbind local policy
#
+
+allow winbind_t self:capability setuid;
-+
-+allow winbind_t nmbd_t:process { signal signull };
-+allow winbind_t nmbd_var_run_t:file read_file_perms;
-+
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process signal_perms;
allow winbind_t self:fifo_file { read write };
-@@ -645,6 +693,7 @@
+@@ -634,6 +693,9 @@
+ allow winbind_t self:tcp_socket create_stream_socket_perms;
+ allow winbind_t self:udp_socket create_socket_perms;
+
++allow winbind_t nmbd_t:process { signal signull };
++allow winbind_t nmbd_var_run_t:file read_file_perms;
++
+ allow winbind_t samba_etc_t:dir list_dir_perms;
+ read_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
+ read_lnk_files_pattern(winbind_t,samba_etc_t,samba_etc_t)
+@@ -645,6 +707,7 @@
manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
@@ -4697,7 +4872,7 @@
manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
-@@ -736,6 +785,7 @@
+@@ -736,6 +799,7 @@
read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
@@ -4705,25 +4880,11 @@
allow winbind_helper_t samba_var_t:dir search;
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -764,3 +814,28 @@
+@@ -764,3 +828,14 @@
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
')
+
-+tunable_policy(`samba_export_all_rw',`
-+ fs_read_noxattr_fs_files(smbd_t)
-+ auth_manage_all_files_except_shadow(smbd_t)
-+ fs_read_noxattr_fs_files(nmbd_t)
-+ auth_manage_all_files_except_shadow(nmbd_t)
-+')
-+
-+tunable_policy(`samba_export_all_ro',`
-+ fs_read_noxattr_fs_files(smbd_t)
-+ auth_read_all_files_except_shadow(smbd_t)
-+ fs_read_noxattr_fs_files(nmbd_t)
-+ auth_read_all_files_except_shadow(nmbd_t)
-+')
-+
+########################################
+#
+# samba_unconfined_script_t local policy
@@ -5661,7 +5822,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.5.11/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/system/init.if 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/system/init.if 2007-04-05 10:18:25.000000000 -0400
@@ -194,11 +194,14 @@
gen_require(`
type initrc_t;
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.426
retrieving revision 1.427
diff -u -r1.426 -r1.427
--- selinux-policy.spec 4 Apr 2007 20:46:07 -0000 1.426
+++ selinux-policy.spec 7 Apr 2007 11:35:20 -0000 1.427
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.5.11
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -358,6 +358,9 @@
%endif
%changelog
+* Thu Apr 5 2007 Dan Walsh <dwalsh at redhat.com> 2.5.11-5
+- Allow bluetooth to read inotifyfs
+
* Wed Apr 4 2007 Dan Walsh <dwalsh at redhat.com> 2.5.11-4
- Fixes for samba domain controller.
- Allow ConsoleKit to look at ttys
- Previous message (by thread): rpms/openoffice.org/devel openoffice.org.spec,1.1160,1.1161
- Next message (by thread): rpms/ppc64-utils/devel ps3.dts, NONE, 1.1 .cvsignore, 1.5, 1.6 ppc64-utils.spec, 1.23, 1.24 sources, 1.10, 1.11
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list