rpms/selinux-policy/FC-6 policy-20061106.patch, 1.13, 1.14 selinux-policy.spec, 1.339, 1.340
Thu Feb 1 21:36:03 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv32717
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Fri Jan 26 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-35
- Fixes to make setrans work properly on MLS
Resolves: #224441
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 66 +++
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 6
policy/modules/admin/backup.te | 5
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 14
policy/modules/admin/consoletype.te | 21 -
policy/modules/admin/ddcprobe.te | 10
policy/modules/admin/dmesg.te | 7
policy/modules/admin/dmidecode.te | 5
policy/modules/admin/firstboot.if | 6
policy/modules/admin/kudzu.te | 5
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 6
policy/modules/admin/netutils.te | 10
policy/modules/admin/portage.te | 5
policy/modules/admin/prelink.te | 17
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 24 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 49 +-
policy/modules/admin/su.if | 28 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 10
policy/modules/admin/tripwire.te | 11
policy/modules/admin/usbmodules.te | 5
policy/modules/admin/usermanage.te | 34 +
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.te | 5
policy/modules/apps/evolution.if | 106 +++++
policy/modules/apps/evolution.te | 1
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 +++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 38 ++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17
policy/modules/apps/mozilla.if | 209 +++++++++--
policy/modules/apps/mplayer.if | 84 ++++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 3
policy/modules/apps/thunderbird.if | 80 +++-
policy/modules/apps/userhelper.if | 19 -
policy/modules/apps/webalizer.te | 6
policy/modules/apps/yam.te | 5
policy/modules/kernel/corecommands.fc | 11
policy/modules/kernel/corecommands.if | 77 ++++
policy/modules/kernel/corenetwork.if.in | 99 +++++
policy/modules/kernel/corenetwork.te.in | 17
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 7
policy/modules/kernel/devices.if | 18
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 58 +++
policy/modules/kernel/domain.te | 22 +
policy/modules/kernel/files.fc | 2
policy/modules/kernel/files.if | 222 +++++++++++
policy/modules/kernel/filesystem.if | 23 +
policy/modules/kernel/filesystem.te | 13
policy/modules/kernel/kernel.if | 64 +++
policy/modules/kernel/kernel.te | 12
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 11
policy/modules/services/apache.te | 24 +
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/bind.te | 5
policy/modules/services/bluetooth.te | 7
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 11
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 92 ++--
policy/modules/services/cron.te | 52 ++
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 62 +++
policy/modules/services/dcc.te | 9
policy/modules/services/dhcp.te | 2
policy/modules/services/ftp.te | 14
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 57 +++
policy/modules/services/hal.te | 9
policy/modules/services/inetd.te | 28 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 3
policy/modules/services/kerberos.te | 13
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 56 +-
policy/modules/services/lpd.te | 5
policy/modules/services/mta.fc | 1
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 2
policy/modules/services/munin.te | 5
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 3
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 15
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oav.te | 5
policy/modules/services/oddjob.te | 3
policy/modules/services/openvpn.te | 4
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 +++
policy/modules/services/pcscd.te | 78 ++++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/portmap.te | 5
policy/modules/services/postfix.fc | 1
policy/modules/services/postfix.if | 2
policy/modules/services/postfix.te | 17
policy/modules/services/procmail.te | 19 -
policy/modules/services/pyzor.te | 4
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 ++++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 13
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.te | 23 +
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 17
policy/modules/services/sasl.te | 2
policy/modules/services/sendmail.te | 8
policy/modules/services/setroubleshoot.if | 20 +
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 2
policy/modules/services/spamassassin.if | 22 +
policy/modules/services/spamassassin.te | 16
policy/modules/services/squid.fc | 1
policy/modules/services/squid.if | 1
policy/modules/services/squid.te | 11
policy/modules/services/ssh.if | 65 +++
policy/modules/services/ssh.te | 10
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 +++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 190 +++++++++-
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.if | 74 +++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 13
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 11
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 19 -
policy/modules/system/init.if | 23 +
policy/modules/system/init.te | 47 ++
policy/modules/system/ipsec.fc | 5
policy/modules/system/ipsec.if | 99 +++++
policy/modules/system/ipsec.te | 107 +++++
policy/modules/system/iptables.te | 16
policy/modules/system/libraries.fc | 37 +
policy/modules/system/libraries.te | 11
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 14
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.if | 44 ++
policy/modules/system/lvm.te | 75 +++
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 79 ++++
policy/modules/system/modutils.te | 25 +
policy/modules/system/mount.te | 27 -
policy/modules/system/pcmcia.te | 5
policy/modules/system/raid.te | 13
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 119 ++++++
policy/modules/system/selinuxutil.te | 118 ++----
policy/modules/system/sysnetwork.te | 10
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 51 ++
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 23 +
policy/modules/system/userdomain.if | 569 ++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 63 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 +
209 files changed, 4612 insertions(+), 582 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- policy-20061106.patch 1 Feb 2007 18:45:58 -0000 1.13
+++ policy-20061106.patch 1 Feb 2007 21:35:56 -0000 1.14
@@ -2261,7 +2261,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc 2007-02-01 14:53:42.000000000 -0500
@@ -1,4 +1,3 @@
-
#
@@ -2275,7 +2275,15 @@
')
#
-@@ -188,7 +188,12 @@
+@@ -128,6 +128,7 @@
+ /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/bluetooth/bluetoothd-service-input -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
+@@ -188,7 +189,12 @@
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -2288,7 +2296,7 @@
/usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pwlib/make/ptlib-config -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/pydict/pydict\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -247,3 +252,6 @@
+@@ -247,3 +253,6 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -3166,7 +3174,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.4.6/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.if 2007-01-24 10:35:36.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.if 2007-02-01 16:29:45.000000000 -0500
@@ -1122,7 +1122,7 @@
type dosfs_t;
')
@@ -3578,7 +3586,7 @@
+/opt/fortitude/run(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.4.6/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/apache.te 2007-01-24 11:06:28.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/apache.te 2007-02-01 14:10:48.000000000 -0500
@@ -143,6 +143,8 @@
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
@@ -3588,7 +3596,7 @@
# Allow httpd_t to put files in /var/cache/httpd etc
allow httpd_t httpd_cache_t:dir create_dir_perms;
-@@ -204,6 +206,8 @@
+@@ -204,9 +206,12 @@
allow httpd_t squirrelmail_spool_t:file create_file_perms;
allow httpd_t squirrelmail_spool_t:lnk_file create_lnk_perms;
@@ -3597,7 +3605,11 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
-@@ -235,7 +239,7 @@
++kernel_search_network_sysctl(httpd_t)
+
+ corenet_non_ipsec_sendrecv(httpd_t)
+ corenet_tcp_sendrecv_all_if(httpd_t)
+@@ -235,7 +240,7 @@
# execute perl
corecmd_exec_bin(httpd_t)
corecmd_exec_sbin(httpd_t)
@@ -3606,7 +3618,7 @@
domain_use_interactive_fds(httpd_t)
-@@ -348,14 +352,20 @@
+@@ -348,14 +353,20 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -3627,7 +3639,7 @@
')
tunable_policy(`httpd_ssi_exec',`
-@@ -453,6 +463,11 @@
+@@ -453,6 +464,11 @@
logging_send_syslog_msg(httpd_helper_t)
@@ -3639,7 +3651,7 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
-@@ -695,6 +710,7 @@
+@@ -695,6 +711,7 @@
optional_policy(`
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
@@ -3647,7 +3659,7 @@
')
########################################
-@@ -704,6 +720,8 @@
+@@ -704,6 +721,8 @@
allow httpd_rotatelogs_t httpd_log_t:dir rw_dir_perms;
allow httpd_rotatelogs_t httpd_log_t:file manage_file_perms;
@@ -3656,7 +3668,7 @@
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
kernel_dontaudit_list_proc(httpd_rotatelogs_t)
-@@ -714,9 +732,12 @@
+@@ -714,9 +733,12 @@
libs_use_ld_so(httpd_rotatelogs_t)
libs_use_shared_libs(httpd_rotatelogs_t)
@@ -4093,7 +4105,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.4.6/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/cron.te 2007-01-16 15:01:32.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/cron.te 2007-02-01 15:59:24.000000000 -0500
@@ -11,9 +11,6 @@
#
attribute cron_spool_type;
@@ -4207,7 +4219,18 @@
# This is to handle creation of files in /var/log directory.
# Used currently by rpm script log files
allow system_crond_t cron_log_t:file manage_file_perms;
-@@ -289,6 +316,9 @@
+@@ -250,6 +277,10 @@
+ files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
+
+ optional_policy(`
++ spamassassin_manage_lib_files(system_crond_t)
++')
++
++optional_policy(`
+ # cjp: why?
+ squid_domtrans(system_crond_t)
+ ')
+@@ -289,6 +320,9 @@
allow system_crond_t system_crond_lock_t:file create_file_perms;
files_lock_filetrans(system_crond_t,system_crond_lock_t,file)
@@ -4217,7 +4240,7 @@
# write temporary files
allow system_crond_t system_crond_tmp_t:file manage_file_perms;
allow system_crond_t system_crond_tmp_t:lnk_file create_lnk_perms;
-@@ -309,6 +339,7 @@
+@@ -309,6 +343,7 @@
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot(system_crond_t)
@@ -4225,7 +4248,7 @@
corecmd_exec_all_executables(system_crond_t)
corenet_non_ipsec_sendrecv(system_crond_t)
-@@ -356,6 +387,7 @@
+@@ -356,6 +391,7 @@
init_dontaudit_rw_utmp(system_crond_t)
# prelink tells init to restart it self, we either need to allow or dontaudit
init_write_initctl(system_crond_t)
@@ -4233,7 +4256,7 @@
libs_use_ld_so(system_crond_t)
libs_use_shared_libs(system_crond_t)
-@@ -414,6 +446,10 @@
+@@ -414,6 +450,10 @@
')
optional_policy(`
@@ -4726,21 +4749,22 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.4.6/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/kerberos.te 2007-01-16 11:11:26.000000000 -0500
-@@ -156,14 +156,21 @@
++++ serefpolicy-2.4.6/policy/modules/services/kerberos.te 2007-02-01 14:22:50.000000000 -0500
+@@ -156,14 +156,22 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
-allow krb5kdc_t self:process signal_perms;
-+allow krb5kdc_t self:process { getsched signal_perms };
++allow krb5kdc_t self:process { setsched getsched signal_perms };
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
-allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
+allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
-
++allow krb5kdc_t self:fifo_file rw_file_perms;
++
+files_read_usr_symlinks(krb5kdc_t)
+files_read_var_files(krb5kdc_t)
-+
+
allow krb5kdc_t krb5_conf_t:file r_file_perms;
dontaudit krb5kdc_t krb5_conf_t:file write;
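Review bot: The two new rules in the replacement line `allow krb5kdc_t self:process { setsched getsched signal_perms };` and the added `allow krb5kdc_t self:fifo_file rw_file_perms;` carry no why-comment, unlike the capability line just above them which explains its surplus. `setsched` lets the KDC change its own scheduling policy, which is unusual for a daemon and presumably answers a specific AVC; a one-line comment such as `# kdc adjusts its own scheduling priority (confirm against the AVC that motivated this)` would keep the next reader from widening it further. The fifo_file rule is self-only and harmless, but the same comment could name what the pipe is used for.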
@@ -4751,6 +4775,14 @@
can_exec(krb5kdc_t, krb5kdc_exec_t)
allow krb5kdc_t krb5kdc_conf_t:dir search;
+@@ -189,6 +197,7 @@
+ kernel_list_proc(krb5kdc_t)
+ kernel_read_proc_symlinks(krb5kdc_t)
+ kernel_read_network_state(krb5kdc_t)
++kernel_search_network_sysctl(krb5kdc_t)
+
+ corenet_non_ipsec_sendrecv(krb5kdc_t)
+ corenet_tcp_sendrecv_all_if(krb5kdc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.fc serefpolicy-2.4.6/policy/modules/services/ktalk.fc
--- nsaserefpolicy/policy/modules/services/ktalk.fc 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/ktalk.fc 2007-01-16 11:11:26.000000000 -0500
@@ -4864,6 +4896,14 @@
+ ssh_sigchld(checkpc_t)
+ ssh_rw_stream_sockets(checkpc_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-2.4.6/policy/modules/services/mta.fc
+--- nsaserefpolicy/policy/modules/services/mta.fc 2006-11-29 12:04:49.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/mta.fc 2007-02-01 14:46:35.000000000 -0500
+@@ -25,3 +25,4 @@
+ #ifdef(`postfix.te', `', `
+ #/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+ #')
++/usr/sbin/exim -- gen_context(system_u:object_r:sendmail_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.6/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/mta.if 2007-01-16 11:11:26.000000000 -0500
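Review bot: The added `/usr/sbin/exim -- gen_context(system_u:object_r:sendmail_exec_t,s0)` reuses the sendmail entry-point type for a different MTA, so exim will presumably run with whatever the sendmail domain is allowed; nothing in this commit adjusts that domain or labels exim's own spool and config paths. Confirm that the sendmail rules actually cover exim's file and network pattern rather than silently leaving it in permissive-looking denials, and that they are not broader than exim needs. A comment on the line, `# exim is run under the sendmail domain; its spool is not labelled here`, would record the decision. The entry is also appended after a commented-out `#')` block, so placing it above that block would keep the commented section self-contained.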
@@ -5628,7 +5668,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.6/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ricci.te 2007-01-26 10:10:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ricci.te 2007-02-01 15:34:13.000000000 -0500
@@ -387,6 +387,8 @@
files_search_usr(ricci_modrpm_t)
files_read_etc_files(ricci_modrpm_t)
@@ -5656,7 +5696,7 @@
storage_raw_read_fixed_disk(ricci_modstorage_t)
-@@ -475,13 +481,17 @@
+@@ -475,13 +481,18 @@
logging_send_syslog_msg(ricci_modstorage_t)
lvm_domtrans(ricci_modstorage_t)
@@ -5672,6 +5712,7 @@
+')
+
+optional_policy(`
++ ccs_stream_connect(ricci_modstorage_t)
ccs_read_config(ricci_modstorage_t)
')
@@ -5998,9 +6039,50 @@
fs_search_auto_mountpoints(snmpd_t)
storage_dontaudit_read_fixed_disk(snmpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-2.4.6/policy/modules/services/spamassassin.fc
+--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2006-11-29 12:04:49.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.fc 2007-02-01 15:50:24.000000000 -0500
+@@ -8,6 +8,8 @@
+
+ /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+
++/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
++
+ ifdef(`strict_policy',`
+ HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:ROLE_spamassassin_home_t,s0)
+ ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-2.4.6/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if 2006-11-29 12:04:49.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.if 2007-02-01 15:53:44.000000000 -0500
+@@ -506,3 +506,25 @@
+
+ dontaudit $1 spamd_tmp_t:sock_file getattr;
+ ')
++
++########################################
++## <summary>
++## Create, read, write, and delete
++## spamd lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`spamassassin_manage_lib_files',`
++ gen_require(`
++ type spamd_var_lib_t;
++ ')
++
++ files_search_var_lib($1)
++ allow $1 spamd_var_lib_t:dir create_dir_perms;
++ allow $1 spamd_var_lib_t:file create_file_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.4.6/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2007-01-16 11:11:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/spamassassin.te 2007-02-01 15:52:08.000000000 -0500
@@ -8,7 +8,7 @@
# spamassassin client executable
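Review bot: The new `spamassassin_manage_lib_files` interface grants create/write/unlink on `spamd_var_lib_t` but adds no file transition, so objects a caller creates only receive that label when the parent directory already carries it through the new `/var/lib/spamassassin(/.*)?` fc entry; if the directory is created by the caller itself it inherits the caller's `/var/lib` labelling and spamd_t, which this commit gives only read access elsewhere, would be unable to read the result. Its sole caller in this commit is `spamassassin_manage_lib_files(system_crond_t)` in the cron.te hunk, i.e. every system cron job rather than only the updater, which is worth stating in the interface header. A precondition line in the summary would make this explicit: `## The target directory must already be labelled spamd_var_lib_t (see spamassassin.fc); no file transition is added.` As a point of style, the rest of this patch writes manage-style rules with `manage_dir_perms`/`manage_file_perms` (e.g. the httpd_rotatelogs hunk) whereas this interface uses `create_dir_perms`/`create_file_perms`.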
@@ -6010,7 +6092,18 @@
type spamd_t;
type spamd_exec_t;
-@@ -24,7 +24,7 @@
+@@ -17,6 +17,10 @@
+ type spamd_spool_t;
+ files_type(spamd_spool_t)
+
++# var/lib files
++type spamd_var_lib_t;
++files_type(spamd_var_lib_t)
++
+ type spamd_tmp_t;
+ files_tmp_file(spamd_tmp_t)
+
+@@ -24,7 +28,7 @@
files_pid_file(spamd_var_run_t)
type spamassassin_exec_t;
@@ -6019,7 +6112,17 @@
########################################
#
-@@ -85,6 +85,7 @@
+@@ -57,6 +61,9 @@
+ allow spamd_t spamd_spool_t:dir create_dir_perms;
+ files_spool_filetrans(spamd_t,spamd_spool_t, { file dir })
+
++allow spamd_t spamd_var_lib_t:dir r_dir_perms;
++allow spamd_t spamd_var_lib_t:file r_file_perms;
++
+ allow spamd_t spamd_tmp_t:dir create_dir_perms;
+ allow spamd_t spamd_tmp_t:file create_file_perms;
+ files_tmp_filetrans(spamd_t, spamd_tmp_t, { file dir })
+@@ -85,6 +92,7 @@
# random ports >= 1024.
corenet_udp_bind_all_nodes(spamd_t)
corenet_udp_bind_generic_port(spamd_t)
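Review bot: The added `allow spamd_t spamd_var_lib_t:dir r_dir_perms;` and `allow spamd_t spamd_var_lib_t:file r_file_perms;` are not accompanied by a `files_search_var_lib(spamd_t)` call in this hunk, and the surrounding context shows `files_read_usr_files`/`files_read_etc_files` but nothing for `/var/lib`; if spamd_t does not already get search on var_lib_t elsewhere in the module, these read rules cannot be reached. Read-only access for spamd_t while the writer is the cron-side interface is the right split, so a short comment above the pair, `# rules/updates written by the updater job; spamd only reads them`, would document the intended ownership.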
@@ -6027,7 +6130,7 @@
corenet_udp_bind_imaze_port(spamd_t)
corenet_sendrecv_imaze_server_packets(spamd_t)
corenet_sendrecv_generic_server_packets(spamd_t)
-@@ -107,7 +108,8 @@
+@@ -107,7 +115,8 @@
files_read_usr_files(spamd_t)
files_read_etc_files(spamd_t)
files_read_etc_runtime_files(spamd_t)
@@ -6037,7 +6140,7 @@
init_use_fds(spamd_t)
init_use_script_ptys(spamd_t)
-@@ -138,6 +140,7 @@
+@@ -138,6 +147,7 @@
tunable_policy(`spamd_enable_home_dirs',`
userdom_home_filetrans_generic_user_home_dir(spamd_t)
@@ -7829,7 +7932,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.6/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2007-01-26 10:04:04.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/lvm.te 2007-02-01 16:30:49.000000000 -0500
@@ -13,6 +13,9 @@
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
@@ -7876,7 +7979,7 @@
corenet_non_ipsec_sendrecv(clvmd_t)
corenet_tcp_sendrecv_all_if(clvmd_t)
-@@ -71,19 +86,28 @@
+@@ -71,19 +86,29 @@
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
corenet_sendrecv_generic_server_packets(clvmd_t)
@@ -7891,6 +7994,7 @@
fs_getattr_all_fs(clvmd_t)
fs_search_auto_mountpoints(clvmd_t)
+fs_dontaudit_list_tmpfs(clvmd_t)
++fs_dontaudit_read_removable_files(clvmd_t)
term_dontaudit_use_console(clvmd_t)
@@ -7905,7 +8009,7 @@
libs_use_ld_so(clvmd_t)
libs_use_shared_libs(clvmd_t)
-@@ -100,6 +124,11 @@
+@@ -100,6 +125,11 @@
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
@@ -7917,7 +8021,7 @@
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(clvmd_t)
term_dontaudit_use_generic_ptys(clvmd_t)
-@@ -111,6 +140,15 @@
+@@ -111,6 +141,15 @@
')
optional_policy(`
@@ -7933,7 +8037,7 @@
udev_read_db(clvmd_t)
')
-@@ -121,7 +159,9 @@
+@@ -121,7 +160,9 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@@ -7944,7 +8048,7 @@
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
-@@ -130,6 +170,7 @@
+@@ -130,6 +171,7 @@
allow lvm_t self:fifo_file rw_file_perms;
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -7952,7 +8056,7 @@
allow lvm_t lvm_tmp_t:dir create_dir_perms;
allow lvm_t lvm_tmp_t:file create_file_perms;
-@@ -147,6 +188,10 @@
+@@ -147,6 +189,10 @@
allow lvm_t lvm_lock_t:file create_file_perms;
files_lock_filetrans(lvm_t,lvm_lock_t,file)
@@ -7963,7 +8067,7 @@
allow lvm_t lvm_var_run_t:file manage_file_perms;
allow lvm_t lvm_var_run_t:sock_file manage_file_perms;
allow lvm_t lvm_var_run_t:dir manage_dir_perms;
-@@ -176,6 +221,7 @@
+@@ -176,6 +222,7 @@
selinux_compute_user_contexts(lvm_t)
dev_create_generic_chr_files(lvm_t)
@@ -7971,7 +8075,7 @@
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
-@@ -201,6 +247,7 @@
+@@ -201,6 +248,7 @@
fs_list_tmpfs(lvm_t)
fs_read_tmpfs_symlinks(lvm_t)
fs_dontaudit_read_removable_files(lvm_t)
@@ -7979,7 +8083,7 @@
storage_relabel_fixed_disk(lvm_t)
storage_dontaudit_read_removable_device(lvm_t)
-@@ -213,11 +260,10 @@
+@@ -213,11 +261,10 @@
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -7994,7 +8098,7 @@
domain_use_interactive_fds(lvm_t)
-@@ -248,8 +294,8 @@
+@@ -248,8 +295,8 @@
')
ifdef(`targeted_policy', `
@@ -8005,7 +8109,7 @@
files_dontaudit_read_root_files(lvm_t)
')
-@@ -259,6 +305,16 @@
+@@ -259,6 +306,16 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.339
retrieving revision 1.340
diff -u -r1.339 -r1.340
--- selinux-policy.spec 1 Feb 2007 18:45:58 -0000 1.339
+++ selinux-policy.spec 1 Feb 2007 21:35:56 -0000 1.340
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 34%{?dist}
+Release: 35%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -356,9 +356,12 @@
%endif
%changelog
+* Fri Jan 26 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-35
+- Fixes to make setrans work properly on MLS
+Resolves: #224441
+
* Fri Jan 26 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-34
- Fixes to make setrans work properly on MLS
-- Fixes to allow procmail to exec ls
Resolves: #224441
* Fri Jan 26 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-33