rpms/selinux-policy/devel policy-20070102.patch,1.2,1.3
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Jan 11 22:31:30 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3851
Modified Files:
policy-20070102.patch
Log Message:
* Wed Jan 10 2007 Dan Walsh <dwalsh at redhat.com> 2.5.1-2
- Fixes for prelink, ktalkd, netlabel
policy-20070102.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
policy/flask/access_vectors | 2
policy/global_tunables | 47 +++
policy/mls | 31 +-
policy/modules/admin/acct.te | 1
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 5
policy/modules/admin/consoletype.te | 13
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 1
policy/modules/admin/prelink.te | 7
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 18 +
policy/modules/admin/su.if | 28 +
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 10
policy/modules/admin/usermanage.te | 23 +
policy/modules/admin/vpn.te | 1
policy/modules/apps/evolution.if | 135 ++++++++-
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 98 ++++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 33 ++
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/loadkeys.te | 13
policy/modules/apps/mozilla.if | 252 +++++++++++++++--
policy/modules/apps/mplayer.if | 79 +++++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.if | 20 +
policy/modules/apps/slocate.te | 3
policy/modules/apps/thunderbird.if | 112 ++++++-
policy/modules/apps/userhelper.if | 19 +
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/corecommands.fc | 10
policy/modules/kernel/corecommands.if | 57 +++-
policy/modules/kernel/corenetwork.if.in | 81 +++++
policy/modules/kernel/corenetwork.te.in | 16 -
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.te | 1
policy/modules/kernel/domain.if | 21 +
policy/modules/kernel/domain.te | 19 +
policy/modules/kernel/files.if | 180 ++++++++++++
policy/modules/kernel/filesystem.if | 19 +
policy/modules/kernel/filesystem.te | 2
policy/modules/kernel/kernel.if | 64 ++++
policy/modules/kernel/kernel.te | 6
policy/modules/kernel/mls.if | 20 +
policy/modules/kernel/mls.te | 3
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 9
policy/modules/services/apache.te | 1
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 86 +++---
policy/modules/services/cron.te | 39 ++
policy/modules/services/cups.te | 5
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 44 +++
policy/modules/services/ftp.te | 12
policy/modules/services/hal.if | 38 ++
policy/modules/services/hal.te | 1
policy/modules/services/inetd.te | 17 -
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 1
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 52 ++-
policy/modules/services/mta.te | 1
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 2
policy/modules/services/nis.if | 5
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15 -
policy/modules/services/openvpn.te | 4
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 58 ++++
policy/modules/services/pcscd.te | 77 +++++
policy/modules/services/pegasus.if | 27 +
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 1
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 +++++
policy/modules/services/rhgb.te | 3
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.fc | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 2
policy/modules/services/sendmail.te | 4
policy/modules/services/setroubleshoot.if | 20 +
policy/modules/services/setroubleshoot.te | 1
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17 +
policy/modules/services/spamassassin.te | 8
policy/modules/services/ssh.if | 63 ++++
policy/modules/services/ssh.te | 4
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 153 ++++++++++
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.if | 72 +++++
policy/modules/system/authlogin.te | 2
policy/modules/system/clock.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 4
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 14
policy/modules/system/init.if | 3
policy/modules/system/init.te | 35 ++
policy/modules/system/iptables.te | 9
policy/modules/system/libraries.fc | 4
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 8
policy/modules/system/lvm.te | 6
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 79 +++++
policy/modules/system/modutils.te | 14
policy/modules/system/mount.te | 8
policy/modules/system/raid.te | 4
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 115 ++++++++
policy/modules/system/selinuxutil.te | 96 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 19 +
policy/modules/system/tzdata.te | 38 ++
policy/modules/system/unconfined.fc | 2
policy/modules/system/unconfined.if | 1
policy/modules/system/unconfined.te | 16 +
policy/modules/system/userdomain.if | 423 ++++++++++++++++++++++++++++--
policy/modules/system/userdomain.te | 42 +-
policy/modules/system/xen.te | 20 +
policy/support/obj_perm_sets.spt | 2
146 files changed, 3174 insertions(+), 415 deletions(-)
Index: policy-20070102.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070102.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20070102.patch 10 Jan 2007 22:01:29 -0000 1.2
+++ policy-20070102.patch 11 Jan 2007 22:31:24 -0000 1.3
@@ -2748,6 +2748,35 @@
+ allow $1 tmpfile:file r_file_perms;
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.5.1/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-01-02 12:57:13.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/kernel/filesystem.if 2007-01-11 17:01:46.000000000 -0500
+@@ -2740,6 +2740,25 @@
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to getattr
++## generic tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`fs_dontaudit_getattr_tmpfs_files',`
++ gen_require(`
++ type tmpfs_t;
++ ')
++
++ dontaudit $1 tmpfs_t:file getattr;
++')
++
++########################################
++## <summary>
+ ## Create, read, write, and delete
+ ## auto moutpoints.
+ ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.5.1/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-01-02 12:57:13.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/kernel/filesystem.te 2007-01-08 12:19:13.000000000 -0500
@@ -2850,7 +2879,7 @@
## <desc>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.5.1/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2007-01-02 12:57:13.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/kernel/kernel.te 2007-01-05 12:59:57.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/kernel/kernel.te 2007-01-11 16:49:31.000000000 -0500
@@ -138,6 +138,8 @@
type unlabeled_t;
sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
@@ -2860,7 +2889,16 @@
# These initial sids are no longer used, and can be removed:
sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid file_labels gen_context(system_u:object_r:unlabeled_t,s0)
-@@ -345,7 +347,7 @@
+@@ -288,6 +290,8 @@
+ corenet_sendrecv_generic_server_packets(kernel_t)
+
+ fs_getattr_xattr_fs(kernel_t)
++ # Bugzilla 222337
++ fs_rw_tmpfs_chr_files(kernel_t)
+
+ auth_dontaudit_getattr_shadow(kernel_t)
+
+@@ -345,7 +349,7 @@
# Rules for unconfined acccess to this module
#
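Review bot: The added `fs_rw_tmpfs_chr_files(kernel_t)` is justified only by a bug number (`# Bugzilla 222337`), while the rule itself gives the kernel domain read and write access to every character device node that lives on a tmpfs filesystem. A reader of kernel.te should not need the bug tracker to judge whether that is still needed, so state the trigger next to the number, e.g. `# Bugzilla 222337: <one line on what kernel_t does with tmpfs chr files>`. If the bug concerns a single device node, a narrower interface, or a dedicated type for that node, would be preferable to the whole chr_file class on tmpfs. The kernel_t block this sits in continues outside the hunk.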
@@ -3625,22 +3663,35 @@
libs_use_shared_libs(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-2.5.1/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/services/inetd.te 2007-01-10 15:48:24.000000000 -0500
-@@ -215,6 +215,13 @@
- ')
++++ serefpolicy-2.5.1/policy/modules/services/inetd.te 2007-01-11 17:26:52.000000000 -0500
+@@ -149,6 +149,10 @@
')
+ optional_policy(`
++ ssh_domtrans(inetd_t)
++')
++
++optional_policy(`
+ udev_read_db(inetd_t)
+ ')
+
+@@ -209,10 +213,11 @@
+
+ sysnet_read_config(inetd_child_t)
+
+-ifdef(`strict_policy',`
+- tunable_policy(`run_ssh_inetd',`
+- corenet_tcp_bind_ssh_port(inetd_t)
+- ')
+ifdef(`enable_mls',`
+ corenet_tcp_recv_netlabel(inetd_t)
+ corenet_udp_recv_netlabel(inetd_t)
+ mls_socket_read_to_clearance(inetd_t)
+ mls_socket_write_to_clearance(inetd_t)
-+')
-+
+ ')
+
optional_policy(`
- tunable_policy(`ftpd_is_daemon',`
- # Allows it to check exec privs on daemon
-@@ -233,3 +240,7 @@
+@@ -233,3 +238,7 @@
optional_policy(`
nscd_socket_use(inetd_child_t)
')
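Review bot: `ssh_domtrans(inetd_t)` is added unconditionally (guarded only by `optional_policy`), while the block the new patch removes was the only place in this hunk that granted `corenet_tcp_bind_ssh_port(inetd_t)`, and it did so behind the `run_ssh_inetd` tunable. Unless inetd_t is allowed the ssh port elsewhere in inetd.te (outside this hunk), inetd can now transition to sshd_t but cannot listen on the ssh port, and the opt-in that used to control whether inetd may spawn sshd at all is gone. If the `run_ssh_inetd` tunable is still declared in global_tunables, keeping it around both rules preserves the opt-in and keeps the bind and the transition together.
```m4
optional_policy(`
	tunable_policy(`run_ssh_inetd',`
		corenet_tcp_bind_ssh_port(inetd_t)
		ssh_domtrans(inetd_t)
	')
')
```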
@@ -4488,7 +4539,7 @@
userdom_manage_generic_user_home_content_symlinks(spamd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.5.1/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/services/ssh.if 2007-01-05 13:14:09.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/services/ssh.if 2007-01-11 17:26:28.000000000 -0500
@@ -226,6 +226,7 @@
domain_type($1_ssh_agent_t)
domain_entry_file($1_ssh_agent_t,ssh_agent_exec_t)
@@ -4507,7 +4558,7 @@
userdom_use_unpriv_users_fds($1_ssh_t)
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
-@@ -713,3 +717,44 @@
+@@ -713,3 +717,62 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -4550,8 +4601,26 @@
+ dontaudit $2 $1_ssh_agent_t:fd use;
+')
+
++########################################
++## <summary>
++## Execute the ssh daemon sshd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ssh_domtrans',`
++ gen_require(`
++ type sshd_t, sshd_exec_t;
++ ')
+
-+
++ domain_auto_trans($1,sshd_exec_t,sshd_t)
++ allow sshd_t $1:fd use;
++ allow sshd_t $1:fifo_file rw_file_perms;
++ allow sshd_t $1:process sigchld;
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.5.1/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/services/ssh.te 2007-01-05 12:59:57.000000000 -0500
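Review bot: The body of the new `ssh_domtrans` interface spells out `domain_auto_trans` plus the `fd use`, `fifo_file rw_file_perms` and `process sigchld` back-rules by hand; refpolicy's `domtrans_pattern($1,sshd_exec_t,sshd_t)` from policy/support/misc_patterns.spt expands to exactly that set and is the form the other `*_domtrans` interfaces use, if this tree has it. The summary `Execute the ssh daemon sshd domain.` reads oddly; `Execute sshd in the sshd domain.` matches the phrasing of neighbouring interfaces. The `gen_require` listing `sshd_t, sshd_exec_t` is correct for either form.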
@@ -5336,7 +5405,7 @@
corenet_sendrecv_syslogd_server_packets(syslogd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.5.1/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/system/lvm.te 2007-01-05 12:59:57.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/system/lvm.te 2007-01-11 17:02:09.000000000 -0500
@@ -44,6 +44,7 @@
# Cluster LVM daemon local policy
#
@@ -5356,6 +5425,23 @@
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
+@@ -228,6 +231,7 @@
+ fs_list_tmpfs(lvm_t)
+ fs_read_tmpfs_symlinks(lvm_t)
+ fs_dontaudit_read_removable_files(lvm_t)
++fs_dontaudit_getattr_tmpfs_files(lvm_t)
+
+ storage_relabel_fixed_disk(lvm_t)
+ storage_dontaudit_read_removable_device(lvm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-2.5.1/policy/modules/system/miscfiles.fc
+--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-01-02 12:57:49.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/system/miscfiles.fc 2007-01-11 15:23:26.000000000 -0500
+@@ -74,3 +74,5 @@
+ /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+ /var/lib/usbutils(/.*)? gen_context(system_u:object_r:hwdata_t,s0)
+ ')
++/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
++/var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-2.5.1/policy/modules/system/miscfiles.if
--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/system/miscfiles.if 2007-01-05 12:59:57.000000000 -0500
@@ -5880,8 +5966,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/tzdata.te serefpolicy-2.5.1/policy/modules/system/tzdata.te
--- nsaserefpolicy/policy/modules/system/tzdata.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/system/tzdata.te 2007-01-05 12:59:57.000000000 -0500
-@@ -0,0 +1,34 @@
++++ serefpolicy-2.5.1/policy/modules/system/tzdata.te 2007-01-11 08:08:34.000000000 -0500
+@@ -0,0 +1,38 @@
+policy_module(tzdata,1.0.0)
+
+########################################
@@ -5916,6 +6002,10 @@
+ term_dontaudit_use_generic_ptys(tzdata_t)
+')
+
++# tzdata looks for /var/spool/postfix/etc/localtime.
++optional_policy(`
++ postfix_search_spool(tzdata_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.5.1/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.1/policy/modules/system/unconfined.fc 2007-01-05 12:59:57.000000000 -0500
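Review bot: The comment `# tzdata looks for /var/spool/postfix/etc/localtime.` names the path but not the limit of the rule: `postfix_search_spool(tzdata_t)` only permits traversing postfix's spool directory, and whatever tzdata_t may do to the file itself depends on that path being labelled locale_t (the miscfiles.fc hunk of this commit adds that entry) and on the locale_t access tzdata_t is given earlier in the file, which is not visible here. Tying the two together in the comment keeps the next reader from looking for a missing write rule, e.g. `# tzdata looks for /var/spool/postfix/etc/localtime (labelled locale_t in miscfiles.fc); search on the postfix spool dir is needed to reach it.` The tzdata_t policy this belongs to starts before the hunk.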
@@ -5983,7 +6073,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.5.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-01-02 12:57:49.000000000 -0500
-+++ serefpolicy-2.5.1/policy/modules/system/userdomain.if 2007-01-07 09:01:00.000000000 -0500
++++ serefpolicy-2.5.1/policy/modules/system/userdomain.if 2007-01-11 16:28:07.000000000 -0500
@@ -102,6 +102,9 @@
libs_exec_ld_so($1_t)
@@ -5994,7 +6084,18 @@
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
-@@ -154,6 +157,7 @@
+@@ -112,6 +115,10 @@
+ # Allow making the stack executable via mprotect.
+ allow $1_t self:process execstack;
+ ')
++
++ optional_policy(`
++ ssh_rw_stream_sockets($1_t)
++ ')
+ ')
+
+ #######################################
+@@ -154,6 +161,7 @@
files_mountpoint($1_home_dir_t)
files_associate_tmp($1_home_dir_t)
fs_associate_tmpfs($1_home_dir_t)
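Review bot: `ssh_rw_stream_sockets($1_t)` is added to every domain built from this template with no comment saying which program needs it or why; the interface is defined in ssh.if rather than in this hunk, so a reader of userdomain.if sees only that, going by the name, all user domains may now read and write sshd's stream sockets. A one-line reason above the `optional_policy` block would help, e.g. `# commands run through sshd without a pty inherit sshd's socketpair as stdio` — if that is indeed the trigger; confirm it against the denial that motivated the change. The template this sits in starts before the hunk.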
@@ -6002,7 +6103,7 @@
##############################
#
-@@ -337,12 +341,11 @@
+@@ -337,12 +345,11 @@
## <rolebase/>
#
template(`userdom_poly_home_template',`
@@ -6020,7 +6121,7 @@
')
#######################################
-@@ -409,9 +412,7 @@
+@@ -409,9 +416,7 @@
## <rolebase/>
#
template(`userdom_poly_tmp_template',`
@@ -6031,7 +6132,7 @@
')
#######################################
-@@ -593,6 +594,8 @@
+@@ -593,6 +598,8 @@
xserver_read_xdm_pid($1_t)
# gnome-session creates socket under /tmp/.ICE-unix/
xserver_create_xdm_tmp_sockets($1_t)
@@ -6040,7 +6141,7 @@
')
')
-@@ -701,6 +704,8 @@
+@@ -701,6 +708,8 @@
allow $1_t self:context contains;
@@ -6049,7 +6150,7 @@
# evolution and gnome-session try to create a netlink socket
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
-@@ -727,6 +732,8 @@
+@@ -727,6 +736,8 @@
dev_write_sound_mixer($1_t)
domain_use_interactive_fds($1_t)
@@ -6058,7 +6159,7 @@
files_exec_etc_files($1_t)
files_search_locks($1_t)
-@@ -762,6 +769,7 @@
+@@ -762,6 +773,7 @@
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
@@ -6066,7 +6167,7 @@
init_read_utmp($1_t)
# The library functions always try to open read-write first,
-@@ -784,6 +792,8 @@
+@@ -784,6 +796,8 @@
seutil_read_default_contexts($1_t)
seutil_read_config($1_t)
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
@@ -6075,7 +6176,7 @@
# for when the network connection is killed
# this is needed when a login role can change
# to this one.
-@@ -809,6 +819,10 @@
+@@ -809,6 +823,10 @@
')
optional_policy(`
@@ -6086,23 +6187,23 @@
# Allow graphical boot to check battery lifespan
apm_stream_connect($1_t)
')
-@@ -819,9 +833,15 @@
+@@ -819,9 +837,15 @@
optional_policy(`
cups_stream_connect_ptal($1_t)
+ cups_stream_connect($1_t)
- ')
-
- optional_policy(`
-+ locate_read_lib_files($1_t)
+ ')
+
+ optional_policy(`
++ locate_read_lib_files($1_t)
+ ')
+
+ optional_policy(`
+ allow $1_t self:dbus send_msg;
dbus_system_bus_client_template($1,$1_t)
optional_policy(`
-@@ -829,6 +849,11 @@
+@@ -829,6 +853,11 @@
')
optional_policy(`
@@ -6114,7 +6215,7 @@
cups_dbus_chat_config($1_t)
')
-@@ -881,6 +906,11 @@
+@@ -881,6 +910,11 @@
')
optional_policy(`
@@ -6126,7 +6227,7 @@
quota_dontaudit_getattr_db($1_t)
')
-@@ -1012,6 +1042,10 @@
+@@ -1012,6 +1046,10 @@
')
optional_policy(`
@@ -6137,7 +6238,7 @@
loadkeys_run($1_t,$1_r,$1_tty_device_t)
')
-@@ -1148,6 +1182,7 @@
+@@ -1148,6 +1186,7 @@
domain_read_all_domains_state($1_t)
domain_getattr_all_domains($1_t)
domain_dontaudit_ptrace_all_domains($1_t)
@@ -6145,7 +6246,7 @@
# signal all domains:
domain_kill_all_domains($1_t)
domain_signal_all_domains($1_t)
-@@ -1197,6 +1232,10 @@
+@@ -1197,6 +1236,10 @@
')
optional_policy(`
@@ -6156,7 +6257,7 @@
cron_admin_template($1,$1_t,$1_r)
')
-@@ -1212,14 +1251,6 @@
+@@ -1212,14 +1255,6 @@
mta_admin_template($1,$1_t,$1_r)
')
@@ -6171,7 +6272,7 @@
')
########################################
-@@ -2293,6 +2324,55 @@
+@@ -2293,6 +2328,55 @@
## <summary>
## Create objects in a user home directory
## with an automatic type transition to
@@ -6227,7 +6328,7 @@
## the user home file type.
## </summary>
## <desc>
-@@ -3128,6 +3208,39 @@
+@@ -3128,6 +3212,39 @@
########################################
## <summary>
@@ -6267,7 +6368,7 @@
## Do not audit attempts to read users
## untrusted files.
## </summary>
-@@ -5549,3 +5662,271 @@
+@@ -5549,3 +5666,275 @@
allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -6470,6 +6571,9 @@
+
+ files_create_boot_flag($1)
+
++ # Necessary for managing /boot/efi
++ fs_manage_dos_files($1)
++
+ mls_process_read_up($1)
+ mls_file_read_up($1)
+ mls_file_upgrade($1)
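Review bot: `fs_manage_dos_files($1)` is wider than its comment `# Necessary for managing /boot/efi` suggests: it covers every file on a DOS/FAT filesystem (the `dosfs_t` type), including any removable media mounted with that type, not only the EFI system partition. That is probably acceptable for the admin template this hunk belongs to (its head is outside the hunk), but the comment should say the scope is deliberate, e.g. `# /boot/efi is vfat; this grants manage on all dosfs_t files, not only the ESP`, so a later reader does not mistake it for a narrower grant.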
@@ -6496,6 +6600,7 @@
+ optional_policy(`
+ aide_run($1,$2, $3)
+ ')
++
+')
+
+########################################