rpms/selinux-policy/devel policy-20070219.patch, 1.41, 1.42 selinux-policy.spec, 1.428, 1.429
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Apr 9 20:47:58 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14116
Modified Files:
policy-20070219.patch selinux-policy.spec
Log Message:
* Mon Apr 9 2007 Dan Walsh <dwalsh at redhat.com> 2.5.11-7
- Fixes for pyzor, cyrus, consoletype on everything installs
policy-20070219.patch:
Rules.modular | 12 +
policy/flask/access_vectors | 4
policy/global_booleans | 2
policy/global_tunables | 39 +++-
policy/mls | 31 ++-
policy/modules/admin/acct.te | 1
policy/modules/admin/acct.xml | 43 ++++
policy/modules/admin/alsa.xml | 43 ++++
policy/modules/admin/amanda.xml | 85 +++++++++
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 53 +++++
policy/modules/admin/amtu.te | 56 ++++++
policy/modules/admin/amtu.xml | 36 ++++
policy/modules/admin/anaconda.xml | 3
policy/modules/admin/apt.xml | 95 ++++++++++
policy/modules/admin/backup.xml | 35 +++
policy/modules/admin/bootloader.te | 2
policy/modules/admin/bootloader.xml | 79 ++++++++
policy/modules/admin/certwatch.xml | 37 ++++
policy/modules/admin/consoletype.te | 10 -
policy/modules/admin/consoletype.xml | 47 +++++
policy/modules/admin/ddcprobe.xml | 35 +++
policy/modules/admin/dmesg.te | 1
policy/modules/admin/dmesg.xml | 24 ++
policy/modules/admin/dmidecode.xml | 35 +++
policy/modules/admin/dpkg.xml | 125 +++++++++++++
policy/modules/admin/firstboot.if | 18 ++
policy/modules/admin/firstboot.xml | 88 +++++++++
policy/modules/admin/kudzu.te | 2
policy/modules/admin/kudzu.xml | 45 +++++
policy/modules/admin/logrotate.xml | 75 ++++++++
policy/modules/admin/logwatch.te | 2
policy/modules/admin/logwatch.xml | 23 ++
policy/modules/admin/netutils.te | 4
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 65 +++++++
policy/modules/admin/rpm.te | 2
policy/modules/admin/su.if | 6
policy/modules/admin/usermanage.te | 42 +++-
policy/modules/apps/games.fc | 1
policy/modules/apps/gnome.if | 26 ++
policy/modules/apps/gpg.fc | 2
policy/modules/apps/loadkeys.if | 44 +---
policy/modules/apps/mozilla.if | 1
policy/modules/apps/slocate.te | 4
policy/modules/apps/uml.if | 27 ---
policy/modules/apps/usernetctl.te | 10 -
policy/modules/kernel/corecommands.fc | 7
policy/modules/kernel/corecommands.if | 20 ++
policy/modules/kernel/corenetwork.if.in | 54 ++++++
policy/modules/kernel/corenetwork.te.in | 18 +-
policy/modules/kernel/devices.if | 36 ++++
policy/modules/kernel/domain.if | 18 ++
policy/modules/kernel/domain.te | 46 +++++
policy/modules/kernel/files.fc | 1
policy/modules/kernel/files.if | 81 ++++++++-
policy/modules/kernel/filesystem.if | 39 ++++
policy/modules/kernel/filesystem.te | 12 +
policy/modules/kernel/kernel.if | 23 ++
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 20 ++
policy/modules/kernel/mls.te | 3
policy/modules/kernel/selinux.if | 38 ++++
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/amavis.te | 3
policy/modules/services/apache.fc | 14 -
policy/modules/services/apache.if | 169 +++++++++++++++++-
policy/modules/services/apache.te | 70 +++++++
policy/modules/services/apcupsd.fc | 9 +
policy/modules/services/apcupsd.if | 108 ++++++++++++
policy/modules/services/apcupsd.te | 81 +++++++++
policy/modules/services/automount.te | 2
policy/modules/services/bluetooth.te | 2
policy/modules/services/ccs.te | 12 +
policy/modules/services/consolekit.fc | 1
policy/modules/services/consolekit.te | 28 ++-
policy/modules/services/cron.fc | 1
policy/modules/services/cron.if | 33 +--
policy/modules/services/cron.te | 51 ++++-
policy/modules/services/cups.te | 2
policy/modules/services/cvs.te | 2
policy/modules/services/cyrus.te | 6
policy/modules/services/dbus.if | 63 +++++++
policy/modules/services/dhcp.te | 2
policy/modules/services/djbdns.te | 5
policy/modules/services/dovecot.te | 5
policy/modules/services/ftp.te | 5
policy/modules/services/hal.fc | 8
policy/modules/services/hal.if | 19 ++
policy/modules/services/hal.te | 142 +++++++++++++++
policy/modules/services/inetd.te | 5
policy/modules/services/kerberos.if | 58 ++----
policy/modules/services/kerberos.te | 36 +++-
policy/modules/services/mta.if | 19 ++
policy/modules/services/mta.te | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.if | 4
policy/modules/services/nis.te | 4
policy/modules/services/nscd.te | 10 +
policy/modules/services/ntp.te | 5
policy/modules/services/pegasus.if | 18 ++
policy/modules/services/pegasus.te | 6
policy/modules/services/postfix.if | 1
policy/modules/services/postfix.te | 8
policy/modules/services/ppp.te | 9 -
policy/modules/services/procmail.te | 1
policy/modules/services/pyzor.te | 7
policy/modules/services/radius.te | 4
policy/modules/services/rpc.if | 5
policy/modules/services/rsync.te | 1
policy/modules/services/samba.fc | 3
policy/modules/services/samba.if | 64 +++++++
policy/modules/services/samba.te | 79 ++++++++
policy/modules/services/sasl.te | 11 +
policy/modules/services/sendmail.if | 22 ++
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 10 +
policy/modules/services/spamassassin.te | 7
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 22 ++
policy/modules/services/squid.te | 12 +
policy/modules/services/ssh.if | 39 ++++
policy/modules/services/ssh.te | 5
policy/modules/services/xserver.te | 10 -
policy/modules/services/zabbix.fc | 4
policy/modules/services/zabbix.if | 87 +++++++++
policy/modules/services/zabbix.te | 64 +++++++
policy/modules/system/application.fc | 1
policy/modules/system/application.if | 104 +++++++++++
policy/modules/system/application.te | 14 +
policy/modules/system/authlogin.if | 83 +++++++--
policy/modules/system/authlogin.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 1
policy/modules/system/fusermount.fc | 6
policy/modules/system/fusermount.if | 41 ++++
policy/modules/system/fusermount.te | 45 +++++
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 14 +
policy/modules/system/init.if | 3
policy/modules/system/init.te | 35 +++
policy/modules/system/ipsec.if | 20 ++
policy/modules/system/iptables.te | 4
policy/modules/system/libraries.fc | 8
policy/modules/system/libraries.te | 20 ++
policy/modules/system/locallogin.te | 7
policy/modules/system/logging.if | 21 ++
policy/modules/system/logging.te | 2
policy/modules/system/lvm.te | 5
policy/modules/system/modutils.te | 11 +
policy/modules/system/mount.fc | 3
policy/modules/system/mount.if | 37 ++++
policy/modules/system/mount.te | 64 ++++++-
policy/modules/system/raid.te | 1
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 5
policy/modules/system/selinuxutil.te | 73 +++-----
policy/modules/system/sysnetwork.te | 1
policy/modules/system/udev.fc | 2
policy/modules/system/udev.te | 11 +
policy/modules/system/unconfined.fc | 1
policy/modules/system/unconfined.if | 10 -
policy/modules/system/unconfined.te | 24 ++
policy/modules/system/userdomain.if | 269 +++++++++++++++++-------------
policy/modules/system/userdomain.te | 46 +++--
policy/modules/system/xen.te | 35 +++
policy/support/obj_perm_sets.spt | 12 +
169 files changed, 3920 insertions(+), 466 deletions(-)
Index: policy-20070219.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070219.patch,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- policy-20070219.patch 9 Apr 2007 18:27:25 -0000 1.41
+++ policy-20070219.patch 9 Apr 2007 20:47:56 -0000 1.42
@@ -834,7 +834,7 @@
+</module>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.5.11/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-02-19 11:32:54.000000000 -0500
-+++ serefpolicy-2.5.11/policy/modules/admin/consoletype.te 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/admin/consoletype.te 2007-04-09 15:58:47.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -857,6 +857,15 @@
########################################
#
+@@ -49,7 +55,7 @@
+ init_use_fds(consoletype_t)
+ init_use_script_ptys(consoletype_t)
+ init_use_script_fds(consoletype_t)
+-init_write_script_pipes(consoletype_t)
++init_rw_script_pipes(consoletype_t)
+
+ domain_use_interactive_fds(consoletype_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.xml serefpolicy-2.5.11/policy/modules/admin/consoletype.xml
--- nsaserefpolicy/policy/modules/admin/consoletype.xml 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-2.5.11/policy/modules/admin/consoletype.xml 2007-04-04 13:46:38.000000000 -0400
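Review bot: `init_rw_script_pipes(consoletype_t)` replaces the write-only interface, so consoletype_t now gets read as well as write access on init script pipes, and nothing in the hunk records which denial motivated the read side. Presumably consoletype is invoked from an initrc script with its stdio on such a pipe, but that is inferred, not shown here; a one-line comment above the call, e.g. `# run from initrc scripts with stdin/stdout on a script pipe`, would keep the widening from being carried forward unexamined. The rest of consoletype.te, including the rules before `init_use_fds`, lies outside this hunk.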
@@ -1894,6 +1903,43 @@
libs_use_shared_libs(locate_t)
libs_use_ld_so(locate_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.if serefpolicy-2.5.11/policy/modules/apps/uml.if
+--- nsaserefpolicy/policy/modules/apps/uml.if 2007-03-26 10:38:58.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/apps/uml.if 2007-04-09 15:17:52.000000000 -0400
+@@ -193,33 +193,6 @@
+ nis_use_ypbind($1_uml_t)
+ ')
+
+- ifdef(`TODO',`
+- # for X
+- optional_policy(`
+- ifelse($1, sysadm,`
+- ',`
+- optional_policy(`
+- allow $1_uml_t xdm_xserver_tmp_t:dir search;
+- ')
+- allow $1_uml_t $1_xserver_tmp_t:sock_file write;
+- allow $1_uml_t $1_xserver_t:unix_stream_socket connectto;
+- ')
+- ')
+-
+- optional_policy(`
+- # for uml_net
+- domain_auto_trans($1_uml_t, uml_net_exec_t, uml_net_t)
+- allow uml_net_t $1_uml_t:unix_stream_socket { read write };
+- allow uml_net_t $1_uml_t:unix_dgram_socket { read write };
+- dontaudit uml_net_t privfd:fd use;
+- can_access_pty(uml_net_t, $1_uml)
+- dontaudit uml_net_t $1_uml_rw_t:dir { getattr search };
+- ')
+- #TODO
+- optional_policy(`
+- allow $1_uml_t $1_xauth_home_t:file { getattr read };
+- ')
+- ')
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/usernetctl.te serefpolicy-2.5.11/policy/modules/apps/usernetctl.te
--- nsaserefpolicy/policy/modules/apps/usernetctl.te 2007-03-26 16:24:10.000000000 -0400
+++ serefpolicy-2.5.11/policy/modules/apps/usernetctl.te 2007-04-04 13:46:37.000000000 -0400
@@ -2484,8 +2530,15 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.5.11/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-03-26 16:24:09.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/kernel/filesystem.te 2007-04-04 13:46:37.000000000 -0400
-@@ -60,11 +60,22 @@
++++ serefpolicy-2.5.11/policy/modules/kernel/filesystem.te 2007-04-09 16:04:53.000000000 -0400
+@@ -54,17 +54,29 @@
+
+ type capifs_t;
+ fs_type(capifs_t)
++files_mountpoint(capifs_t)
+ genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+ type configfs_t;
fs_type(configfs_t)
genfscon configfs / gen_context(system_u:object_r:configfs_t,s0)
@@ -2700,6 +2753,31 @@
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.5.11/policy/modules/services/amavis.te
+--- nsaserefpolicy/policy/modules/services/amavis.te 2007-03-26 10:39:04.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/amavis.te 2007-04-09 15:52:56.000000000 -0400
+@@ -50,6 +50,7 @@
+ allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
+ allow amavis_t self:tcp_socket { listen accept };
++allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # configuration files
+ allow amavis_t amavis_etc_t:dir list_dir_perms;
+@@ -74,6 +75,7 @@
+ files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
+
+ # var/lib files for amavis
++files_search_var_lib(amavis_t)
+ manage_dirs_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t)
+ manage_files_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t)
+ manage_sock_files_pattern(amavis_t,amavis_var_lib_t,amavis_var_lib_t)
+@@ -177,4 +179,5 @@
+ optional_policy(`
+ spamassassin_exec(amavis_t)
+ spamassassin_exec_client(amavis_t)
++ spamassassin_read_lib_files(amavis_t)
+ ')
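Review bot: The new `allow amavis_t self:netlink_route_socket r_netlink_socket_perms;` is the one rule in this block without a why-comment, while the neighbouring rules sit under headings such as `# configuration files`. A route netlink socket is typically opened for interface/address enumeration (the resolver does this), but the hunk does not say which amavis operation needs it, so add `# netlink route socket: interface/address lookup, presumably via the resolver -- confirm` above the rule. `files_search_var_lib(amavis_t)` and `spamassassin_read_lib_files(amavis_t)` are placed next to the rules they enable and need no further note.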
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.5.11/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-02-23 16:50:01.000000000 -0500
+++ serefpolicy-2.5.11/policy/modules/services/apache.fc 2007-04-04 13:46:37.000000000 -0400
@@ -2948,7 +3026,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.5.11/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-04-02 10:58:34.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/apache.te 2007-04-06 15:38:22.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/apache.te 2007-04-09 15:02:54.000000000 -0400
@@ -106,6 +106,27 @@
## </desc>
gen_tunable(httpd_unified,false)
@@ -3320,7 +3398,7 @@
domain_use_interactive_fds(automount_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.5.11/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-03-20 23:38:04.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/bluetooth.te 2007-04-05 08:38:17.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/bluetooth.te 2007-04-09 14:53:07.000000000 -0400
@@ -98,7 +98,7 @@
fs_getattr_all_fs(bluetooth_t)
@@ -3715,7 +3793,7 @@
type cvs_data_t; # customizable
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.5.11/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2007-03-20 23:38:13.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/services/cyrus.te 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/cyrus.te 2007-04-09 14:53:56.000000000 -0400
@@ -111,6 +111,7 @@
userdom_use_sysadm_ptys(cyrus_t)
@@ -3735,6 +3813,14 @@
ldap_stream_connect(cyrus_t)
')
+@@ -140,6 +145,7 @@
+
+ optional_policy(`
+ snmp_read_snmp_var_lib_files(cyrus_t)
++ snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)
+ ')
+
+ optional_policy(`
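Review bot: `snmp_dontaudit_write_snmp_var_lib_files(cyrus_t)` silences the audit record for write attempts on the snmp var/lib files while the line above only grants read; that is appropriate for a known spurious read-write open, but the hunk gives no reason, and a suppressed denial is also a lost signal if cyrus is ever changed to write there. Add a comment above it such as `# cyrus presumably opens the snmp var/lib files O_RDWR but only reads them; hide the write denial -- confirm`, so the next reader can tell a deliberate dontaudit from a missing allow. The enclosing optional_policy block is complete within the hunk.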
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.5.11/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2007-03-26 10:39:04.000000000 -0400
+++ serefpolicy-2.5.11/policy/modules/services/dbus.if 2007-04-04 13:46:37.000000000 -0400
@@ -4572,8 +4658,28 @@
type procmail_tmp_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-2.5.11/policy/modules/services/pyzor.te
--- nsaserefpolicy/policy/modules/services/pyzor.te 2007-03-08 13:52:43.000000000 -0500
-+++ serefpolicy-2.5.11/policy/modules/services/pyzor.te 2007-04-04 13:46:37.000000000 -0400
-@@ -77,6 +77,7 @@
++++ serefpolicy-2.5.11/policy/modules/services/pyzor.te 2007-04-09 16:02:48.000000000 -0400
+@@ -54,6 +54,11 @@
+ corenet_udp_sendrecv_all_nodes(pyzor_t)
+ corenet_udp_sendrecv_all_ports(pyzor_t)
+
++corenet_tcp_sendrecv_all_if(pyzor_t)
++corenet_tcp_sendrecv_all_nodes(pyzor_t)
++corenet_tcp_sendrecv_all_ports(pyzor_t)
++corenet_tcp_connect_http_port(pyzor_t)
++
+ dev_read_urand(pyzor_t)
+
+ files_read_etc_files(pyzor_t)
+@@ -68,6 +73,7 @@
+ userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
+
+ ifdef(`targeted_policy',`
++ userdom_dontaudit_write_sysadm_home_dirs(pyzor_t)
+ userdom_read_generic_user_home_content_files(pyzor_t)
+ ')
+
+@@ -77,6 +83,7 @@
')
optional_policy(`
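Review bot: `corenet_tcp_sendrecv_all_ports(pyzor_t)` is wider than its companion `corenet_tcp_connect_http_port(pyzor_t)`: connect is restricted to http_port_t but TCP send/receive is allowed on every port type. If the only outbound TCP need is the HTTP connection, `corenet_tcp_sendrecv_http_port(pyzor_t)` keeps the two lines consistent; the all-ports form does mirror the UDP lines above, so this may be the file's convention rather than an oversight. `userdom_dontaudit_write_sysadm_home_dirs(pyzor_t)` hides, rather than prevents, write attempts on home directories, and a comment naming the spurious write it covers (presumably pyzor trying to create its config directory under $HOME) would stop it being read as an allow later. The `targeted_policy` block is complete in the hunk; the optional_policy block that follows is cut off.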
@@ -4935,7 +5041,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-2.5.11/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-2.5.11/policy/modules/services/sendmail.if 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/services/sendmail.if 2007-04-09 15:08:40.000000000 -0400
@@ -76,6 +76,26 @@
########################################
@@ -4955,7 +5061,7 @@
+ ')
+
+ logging_search_logs($1)
-+ allow $1 sendmail_log_t:file read_file_perms;
++ read_files_pattern($1, sendmail_log_t, sendmail_log_t)
+')
+
+########################################
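Review bot: `read_files_pattern($1, sendmail_log_t, sendmail_log_t)` grants search_dir_perms on directories labelled sendmail_log_t in addition to the file read the old `allow` gave, and the `manage_files_pattern` change in the following hunk likewise adds rw_dir_perms on that type. If sendmail_log_t is applied only to files (directory search already comes from `logging_search_logs($1)` above), the extra directory permissions are inert and the change is stylistic; if it is also applied to a directory, the second interface now lets callers create and delete entries in it, which the summary `Create, read, write, and delete sendmail logs.` does cover but is worth confirming against sendmail.fc. The interface's `gen_require` block starts outside this hunk.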
@@ -4963,6 +5069,15 @@
## Create, read, write, and delete sendmail logs.
## </summary>
## <param name="domain">
+@@ -91,7 +111,7 @@
+ ')
+
+ logging_search_logs($1)
+- allow $1 sendmail_log_t:file manage_file_perms;
++ manage_files_pattern($1, sendmail_log_t, sendmail_log_t)
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.5.11/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2007-03-20 23:38:13.000000000 -0400
+++ serefpolicy-2.5.11/policy/modules/services/smartmon.te 2007-04-04 13:46:37.000000000 -0400
@@ -5825,7 +5940,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.5.11/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/system/init.if 2007-04-05 10:18:25.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/system/init.if 2007-04-09 15:56:23.000000000 -0400
@@ -194,11 +194,14 @@
gen_require(`
type initrc_t;
@@ -6409,7 +6524,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.5.11/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-03-26 10:39:07.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/system/selinuxutil.te 2007-04-09 13:43:58.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/system/selinuxutil.te 2007-04-09 14:54:48.000000000 -0400
@@ -1,10 +1,8 @@
policy_module(selinuxutil,1.4.2)
@@ -6464,7 +6579,7 @@
#
# policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
-@@ -83,31 +76,33 @@
+@@ -83,31 +76,34 @@
type restorecon_exec_t;
domain_obj_id_change_exemption(restorecon_t)
init_system_domain(restorecon_t,restorecon_exec_t)
@@ -6499,13 +6614,14 @@
role system_r types semanage_t;
+ifdef(`targeted_policy',`
++init_use_fds(semanage_t)
+init_system_domain(semanage_t, semanage_exec_t)
+')
+
type semanage_store_t;
files_type(semanage_store_t)
-@@ -121,12 +116,10 @@
+@@ -121,12 +117,10 @@
files_type(semanage_trans_lock_t)
type setfiles_t, can_relabelto_binary_policy;
@@ -6521,7 +6637,7 @@
ifdef(`distro_redhat',`
init_system_domain(setfiles_t,setfiles_exec_t)
-@@ -195,6 +188,7 @@
+@@ -195,6 +189,7 @@
fs_getattr_xattr_fs(load_policy_t)
mls_file_read_up(load_policy_t)
@@ -6529,7 +6645,7 @@
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
-@@ -217,7 +211,7 @@
+@@ -217,7 +212,7 @@
# cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
@@ -6538,7 +6654,7 @@
')
')
-@@ -310,15 +304,13 @@
+@@ -310,15 +305,13 @@
userdom_dontaudit_search_all_users_home_content(newrole_t)
userdom_search_all_users_home_dirs(newrole_t)
@@ -6561,7 +6677,7 @@
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all(newrole_t)
-@@ -571,6 +563,8 @@
+@@ -571,6 +564,8 @@
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
@@ -6570,6 +6686,25 @@
corecmd_exec_bin(semanage_t)
dev_read_urand(semanage_t)
+@@ -700,6 +695,6 @@
+ ifdef(`hide_broken_symptoms',`
+ # cjp: cover up stray file descriptors.
+ optional_policy(`
+- unconfined_dontaudit_read_pipes(setfiles_t)
++ unconfined_dontaudit_rw_pipes(setfiles_t)
+ ')
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.5.11/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2007-03-26 10:39:07.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/system/sysnetwork.te 2007-04-09 16:43:32.000000000 -0400
+@@ -221,6 +221,7 @@
+ optional_policy(`
+ seutil_sigchld_newrole(dhcpc_t)
+ seutil_dontaudit_search_config(dhcpc_t)
++ seutil_domtrans_restorecon(dhcpc_t)
+ ')
+
+ optional_policy(`
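Review bot: `seutil_domtrans_restorecon(dhcpc_t)` lets dhclient and its helper scripts run restorecon in restorecon_t, a domain whose purpose is relabeling files, which is a noticeably larger grant than the sigchld and config-search lines next to it; dhcpc_t processes untrusted network input, so the reach of a compromised client grows accordingly. The hunk does not say why the transition is needed — presumably dhclient-script restoring the label of a rewritten resolver configuration file — so record that in a comment above the call, e.g. `# dhclient-script runs restorecon on the files it rewrites -- confirm`, and consider whether a file type transition on the rewritten file would cover the case without giving dhcpc_t a path into restorecon_t. The `unconfined_dontaudit_rw_pipes(setfiles_t)` change earlier in the same hunk is independent and sits under `hide_broken_symptoms`, which is the right place for it.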
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-2.5.11/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.5.11/policy/modules/system/udev.fc 2007-04-04 13:46:37.000000000 -0400
@@ -6724,7 +6859,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.5.11/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-03-26 16:24:13.000000000 -0400
-+++ serefpolicy-2.5.11/policy/modules/system/userdomain.if 2007-04-04 13:46:37.000000000 -0400
++++ serefpolicy-2.5.11/policy/modules/system/userdomain.if 2007-04-09 16:02:32.000000000 -0400
@@ -114,6 +114,10 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
@@ -7065,7 +7200,7 @@
')
########################################
-@@ -5737,3 +5701,69 @@
+@@ -5737,3 +5701,92 @@
allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -7132,9 +7267,32 @@
+ dontaudit $2 $1_file_type:file getattr;
+')
+
++########################################
++## <summary>
++## Do not audit attempts to write to homedirs of sysadm users
++## home directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`userdom_dontaudit_write_sysadm_home_dirs',`
++ ifdef(`targeted_policy',`
++ gen_require(`
++ type user_home_dir_t;
++ ')
++
++ dontaudit $1 user_home_dir_t:dir write;
++ ', `
++ gen_require(`
++ type sysadm_home_dir_t;
++ ')
+
-+
-+
++ dontaudit $1 sysadm_home_dir_t:dir write;
++ ')
++')
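Review bot: The summary of the new `userdom_dontaudit_write_sysadm_home_dirs` interface, `Do not audit attempts to write to homedirs of sysadm users home directory.`, is garbled and does not mention that the targeted branch acts on `user_home_dir_t`, which as far as I recall is every user's home directory on targeted policy rather than the sysadm's; callers such as pyzor_t elsewhere in this patch therefore get their home-directory write denials hidden for all users there. Reword it to `Do not audit attempts to write to the sysadm home directory (all user home directories in targeted policy).`. Since a dontaudit removes the only record of the attempt, the `#` line above the interface is also the place to say which spurious write from daemons this is meant for, so that callers are not added to it to quiet a real denial.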
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.5.11/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-03-26 16:24:13.000000000 -0400
+++ serefpolicy-2.5.11/policy/modules/system/userdomain.te 2007-04-04 13:46:37.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.428
retrieving revision 1.429
diff -u -r1.428 -r1.429
--- selinux-policy.spec 9 Apr 2007 18:36:06 -0000 1.428
+++ selinux-policy.spec 9 Apr 2007 20:47:56 -0000 1.429
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.5.11
-Release: 6%{?dist}
+Release: 7%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -358,6 +358,9 @@
%endif
%changelog
+* Mon Apr 9 2007 Dan Walsh <dwalsh at redhat.com> 2.5.11-7
+- Fixes for pyzor, cyrus, consoletype on everything installs
+
* Mon Apr 9 2007 Dan Walsh <dwalsh at redhat.com> 2.5.11-6
- Fix hald_acl_t to be able to getattr/setattr on usb devices
- Dontaudit write to unconfined_pipes for load_policy