rpms/selinux-policy/FC-6 policy-20061106.patch,1.55,1.56

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Sep 5 03:14:52 UTC 2007


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv19037

Modified Files:
	policy-20061106.patch 
Log Message:
* Sat Sep 1 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-88
- Cleanup of fusermount/mount-ntfs and apcupsd to match rawhide
- Allow cimserver to create pegasus_data directories
Resolves: #213809
- Allow dmidecode to search sysfs_t
Resolves: #263141


policy-20061106.patch:
 Rules.modular                                |   10 
 config/appconfig-strict-mcs/seusers          |    1 
 config/appconfig-strict-mls/default_contexts |    6 
 config/appconfig-strict-mls/seusers          |    1 
 config/appconfig-strict/seusers              |    1 
 man/man8/kerberos_selinux.8                  |    2 
 policy/flask/access_vectors                  |   21 
 policy/flask/security_classes                |    8 
 policy/global_tunables                       |   94 +++-
 policy/mls                                   |   31 +
 policy/modules/admin/acct.te                 |    1 
 policy/modules/admin/alsa.fc                 |    3 
 policy/modules/admin/alsa.te                 |   15 
 policy/modules/admin/amanda.if               |   17 
 policy/modules/admin/amanda.te               |   11 
 policy/modules/admin/amtu.fc                 |    3 
 policy/modules/admin/amtu.if                 |   57 ++
 policy/modules/admin/amtu.te                 |   56 ++
 policy/modules/admin/backup.te               |    5 
 policy/modules/admin/bootloader.fc           |    5 
 policy/modules/admin/bootloader.te           |   15 
 policy/modules/admin/consoletype.te          |   21 
 policy/modules/admin/ddcprobe.te             |   10 
 policy/modules/admin/dmesg.te                |    7 
 policy/modules/admin/dmidecode.te            |    6 
 policy/modules/admin/firstboot.if            |   24 -
 policy/modules/admin/kudzu.te                |   14 
 policy/modules/admin/logrotate.te            |    5 
 policy/modules/admin/logwatch.te             |   22 
 policy/modules/admin/netutils.te             |   19 
 policy/modules/admin/portage.te              |    5 
 policy/modules/admin/prelink.te              |   25 -
 policy/modules/admin/quota.fc                |    7 
 policy/modules/admin/quota.te                |   24 -
 policy/modules/admin/readahead.te            |    2 
 policy/modules/admin/rpm.fc                  |    3 
 policy/modules/admin/rpm.if                  |  104 ++++
 policy/modules/admin/rpm.te                  |   49 --
 policy/modules/admin/su.if                   |   38 +
 policy/modules/admin/su.te                   |    2 
 policy/modules/admin/sudo.if                 |   13 
 policy/modules/admin/tripwire.te             |   11 
 policy/modules/admin/usbmodules.te           |    5 
 policy/modules/admin/usermanage.if           |    2 
 policy/modules/admin/usermanage.te           |   58 ++
 policy/modules/admin/vbetool.te              |    1 
 policy/modules/admin/vpn.te                  |    1 
 policy/modules/apps/ethereal.te              |    5 
 policy/modules/apps/evolution.if             |  107 ++++
 policy/modules/apps/evolution.te             |    1 
 policy/modules/apps/games.fc                 |    1 
 policy/modules/apps/gnome.fc                 |    2 
 policy/modules/apps/gnome.if                 |  108 ++++
 policy/modules/apps/gnome.te                 |    5 
 policy/modules/apps/gpg.if                   |    1 
 policy/modules/apps/java.fc                  |    2 
 policy/modules/apps/java.if                  |   70 +++
 policy/modules/apps/java.te                  |    2 
 policy/modules/apps/loadkeys.if              |   39 -
 policy/modules/apps/mozilla.if               |  208 +++++++--
 policy/modules/apps/mplayer.if               |   84 +++
 policy/modules/apps/mplayer.te               |    1 
 policy/modules/apps/slocate.te               |    7 
 policy/modules/apps/thunderbird.if           |   81 +++
 policy/modules/apps/userhelper.if            |   20 
 policy/modules/apps/webalizer.te             |    6 
 policy/modules/apps/wine.fc                  |    1 
 policy/modules/apps/yam.te                   |    5 
 policy/modules/kernel/corecommands.fc        |   32 +
 policy/modules/kernel/corecommands.if        |   77 +++
 policy/modules/kernel/corenetwork.if.in      |  140 ++++++
 policy/modules/kernel/corenetwork.te.in      |   17 
 policy/modules/kernel/devices.fc             |   11 
 policy/modules/kernel/devices.if             |   56 ++
 policy/modules/kernel/devices.te             |    8 
 policy/modules/kernel/domain.if              |   80 +++
 policy/modules/kernel/domain.te              |   26 +
 policy/modules/kernel/files.fc               |    3 
 policy/modules/kernel/files.if               |  279 +++++++++++-
 policy/modules/kernel/filesystem.if          |   62 ++
 policy/modules/kernel/filesystem.te          |   30 +
 policy/modules/kernel/kernel.if              |   84 +++
 policy/modules/kernel/kernel.te              |   22 
 policy/modules/kernel/mls.if                 |   28 +
 policy/modules/kernel/mls.te                 |    6 
 policy/modules/kernel/storage.fc             |    4 
 policy/modules/kernel/storage.if             |    2 
 policy/modules/kernel/terminal.fc            |    2 
 policy/modules/kernel/terminal.if            |   21 
 policy/modules/kernel/terminal.te            |    1 
 policy/modules/services/aide.fc              |    3 
 policy/modules/services/aide.te              |   11 
 policy/modules/services/amavis.if            |   19 
 policy/modules/services/amavis.te            |    4 
 policy/modules/services/apache.fc            |   18 
 policy/modules/services/apache.if            |  157 ++++++
 policy/modules/services/apache.te            |   61 ++
 policy/modules/services/apm.te               |    3 
 policy/modules/services/arpwatch.te          |    5 
 policy/modules/services/audioentropy.te      |    4 
 policy/modules/services/automount.fc         |    1 
 policy/modules/services/automount.te         |   15 
 policy/modules/services/avahi.if             |   40 +
 policy/modules/services/avahi.te             |   10 
 policy/modules/services/bind.fc              |    1 
 policy/modules/services/bind.te              |   12 
 policy/modules/services/bluetooth.te         |   10 
 policy/modules/services/ccs.fc               |    1 
 policy/modules/services/ccs.te               |   25 -
 policy/modules/services/clamav.te            |    3 
 policy/modules/services/courier.te           |    1 
 policy/modules/services/cron.fc              |    6 
 policy/modules/services/cron.if              |  105 ++--
 policy/modules/services/cron.te              |   58 ++
 policy/modules/services/cups.fc              |    5 
 policy/modules/services/cups.te              |   19 
 policy/modules/services/cvs.te               |    2 
 policy/modules/services/cyrus.te             |    6 
 policy/modules/services/dbus.fc              |    1 
 policy/modules/services/dbus.if              |   66 ++
 policy/modules/services/dbus.te              |    4 
 policy/modules/services/dcc.te               |    9 
 policy/modules/services/dhcp.te              |    3 
 policy/modules/services/dovecot.fc           |    2 
 policy/modules/services/dovecot.if           |   44 +
 policy/modules/services/dovecot.te           |   73 ++-
 policy/modules/services/fail2ban.fc          |    3 
 policy/modules/services/fail2ban.if          |   80 +++
 policy/modules/services/fail2ban.te          |   74 +++
 policy/modules/services/ftp.te               |   21 
 policy/modules/services/hal.fc               |   14 
 policy/modules/services/hal.if               |  160 ++++++
 policy/modules/services/hal.te               |  177 +++++++
 policy/modules/services/inetd.te             |   34 +
 policy/modules/services/irqbalance.te        |    4 
 policy/modules/services/kerberos.if          |   29 +
 policy/modules/services/kerberos.te          |   44 +
 policy/modules/services/ktalk.fc             |    3 
 policy/modules/services/ktalk.te             |   13 
 policy/modules/services/lpd.if               |   75 ++-
 policy/modules/services/lpd.te               |    5 
 policy/modules/services/mailman.if           |   20 
 policy/modules/services/mailman.te           |    1 
 policy/modules/services/mta.fc               |    1 
 policy/modules/services/mta.if               |   20 
 policy/modules/services/mta.te               |    3 
 policy/modules/services/munin.te             |    5 
 policy/modules/services/nagios.fc            |    6 
 policy/modules/services/nagios.te            |   14 
 policy/modules/services/networkmanager.fc    |    2 
 policy/modules/services/networkmanager.te    |    2 
 policy/modules/services/nis.fc               |    7 
 policy/modules/services/nis.if               |    8 
 policy/modules/services/nis.te               |   39 +
 policy/modules/services/nscd.if              |   20 
 policy/modules/services/nscd.te              |   31 -
 policy/modules/services/ntp.te               |   10 
 policy/modules/services/oav.te               |    5 
 policy/modules/services/oddjob.te            |    5 
 policy/modules/services/openca.if            |    4 
 policy/modules/services/openca.te            |    2 
 policy/modules/services/openct.te            |    2 
 policy/modules/services/openvpn.te           |   20 
 policy/modules/services/pcscd.fc             |    9 
 policy/modules/services/pcscd.if             |   62 ++
 policy/modules/services/pcscd.te             |   79 +++
 policy/modules/services/pegasus.if           |   31 +
 policy/modules/services/pegasus.te           |   13 
 policy/modules/services/portmap.te           |    5 
 policy/modules/services/portslave.te         |    1 
 policy/modules/services/postfix.fc           |    2 
 policy/modules/services/postfix.if           |   46 +
 policy/modules/services/postfix.te           |   98 ++++
 policy/modules/services/ppp.te               |    2 
 policy/modules/services/procmail.te          |   32 +
 policy/modules/services/pyzor.if             |   18 
 policy/modules/services/pyzor.te             |   13 
 policy/modules/services/radius.te            |    3 
 policy/modules/services/radvd.te             |    2 
 policy/modules/services/rhgb.if              |   76 +++
 policy/modules/services/rhgb.te              |    3 
 policy/modules/services/ricci.te             |   26 +
 policy/modules/services/rlogin.te            |   11 
 policy/modules/services/rpc.fc               |    1 
 policy/modules/services/rpc.if               |    3 
 policy/modules/services/rpc.te               |   27 -
 policy/modules/services/rshd.te              |    1 
 policy/modules/services/rsync.te             |    1 
 policy/modules/services/samba.fc             |    6 
 policy/modules/services/samba.if             |  101 ++++
 policy/modules/services/samba.te             |  100 +++-
 policy/modules/services/sasl.te              |   14 
 policy/modules/services/sendmail.if          |   41 +
 policy/modules/services/sendmail.te          |   22 
 policy/modules/services/setroubleshoot.if    |   20 
 policy/modules/services/setroubleshoot.te    |    2 
 policy/modules/services/smartmon.te          |    1 
 policy/modules/services/snmp.if              |   17 
 policy/modules/services/snmp.te              |   20 
 policy/modules/services/soundserver.te       |    4 
 policy/modules/services/spamassassin.fc      |    5 
 policy/modules/services/spamassassin.if      |   42 +
 policy/modules/services/spamassassin.te      |   26 -
 policy/modules/services/squid.fc             |    2 
 policy/modules/services/squid.if             |   21 
 policy/modules/services/squid.te             |   17 
 policy/modules/services/ssh.if               |   83 +++
 policy/modules/services/ssh.te               |   14 
 policy/modules/services/telnet.te            |    3 
 policy/modules/services/tftp.te              |    3 
 policy/modules/services/uucp.fc              |    1 
 policy/modules/services/uucp.if              |   67 ++
 policy/modules/services/uucp.te              |   44 +
 policy/modules/services/uwimap.te            |    1 
 policy/modules/services/xserver.fc           |    2 
 policy/modules/services/xserver.if           |  211 +++++++++
 policy/modules/services/xserver.te           |   12 
 policy/modules/system/authlogin.fc           |    1 
 policy/modules/system/authlogin.if           |  180 +++++++
 policy/modules/system/authlogin.te           |   47 +-
 policy/modules/system/clock.te               |   18 
 policy/modules/system/fstools.fc             |    1 
 policy/modules/system/fstools.if             |   19 
 policy/modules/system/fstools.te             |   20 
 policy/modules/system/getty.te               |   14 
 policy/modules/system/hostname.te            |   19 
 policy/modules/system/init.if                |   75 +++
 policy/modules/system/init.te                |   51 ++
 policy/modules/system/ipsec.fc               |    5 
 policy/modules/system/ipsec.if               |   99 ++++
 policy/modules/system/ipsec.te               |  121 +++++
 policy/modules/system/iptables.te            |   28 -
 policy/modules/system/libraries.fc           |   44 +
 policy/modules/system/libraries.te           |   11 
 policy/modules/system/locallogin.if          |   37 +
 policy/modules/system/locallogin.te          |   11 
 policy/modules/system/logging.fc             |    5 
 policy/modules/system/logging.if             |   61 ++
 policy/modules/system/logging.te             |   36 +
 policy/modules/system/lvm.fc                 |    2 
 policy/modules/system/lvm.if                 |   44 +
 policy/modules/system/lvm.te                 |   95 +++-
 policy/modules/system/miscfiles.fc           |    3 
 policy/modules/system/miscfiles.if           |   79 +++
 policy/modules/system/modutils.te            |   38 +
 policy/modules/system/mount.te               |   37 +
 policy/modules/system/netlabel.te            |   10 
 policy/modules/system/pcmcia.te              |    5 
 policy/modules/system/raid.te                |   16 
 policy/modules/system/selinuxutil.fc         |   10 
 policy/modules/system/selinuxutil.if         |  146 ++++++
 policy/modules/system/selinuxutil.te         |  138 ++---
 policy/modules/system/sysnetwork.if          |    2 
 policy/modules/system/sysnetwork.te          |   14 
 policy/modules/system/tzdata.fc              |    3 
 policy/modules/system/tzdata.if              |   23 
 policy/modules/system/tzdata.te              |   51 ++
 policy/modules/system/udev.te                |   22 
 policy/modules/system/unconfined.fc          |    4 
 policy/modules/system/unconfined.if          |   22 
 policy/modules/system/unconfined.te          |   23 
 policy/modules/system/userdomain.if          |  622 +++++++++++++++++++++++----
 policy/modules/system/userdomain.te          |  117 ++---
 policy/modules/system/xen.fc                 |    2 
 policy/modules/system/xen.if                 |   64 ++
 policy/modules/system/xen.te                 |   65 ++
 policy/support/*Warnings*                    |  189 ++++++++
 policy/support/file_patterns.spt             |  534 +++++++++++++++++++++++
 policy/support/misc_macros.spt               |    8 
 policy/support/obj_perm_sets.spt             |  144 ++++++
 270 files changed, 8397 insertions(+), 863 deletions(-)

Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.55
retrieving revision 1.56
diff -u -r1.55 -r1.56
--- policy-20061106.patch	4 Sep 2007 19:47:59 -0000	1.55
+++ policy-20061106.patch	5 Sep 2007 03:14:49 -0000	1.56
@@ -3102,7 +3102,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc	2007-05-29 11:39:16.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.fc	2007-09-04 15:56:01.000000000 -0400
 @@ -1,4 +1,3 @@
 -
  #
@@ -3139,7 +3139,16 @@
  /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/filter/.*	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -188,7 +197,12 @@
+@@ -163,6 +172,8 @@
+ /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:sbin_t,s0)
++/usr/local/Brother/lpd(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/Printer/[^/]*/cupswrapper(/.*)?      gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+@@ -188,7 +199,12 @@
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
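Review bot: The two `/usr/local/Brother/...` entries added under `@@ -163,6 +172,8 @@` end in `(/.*)?` with no file-type specifier, so directories and data files under those trees are labelled `bin_t` along with the filter executables. The cups entries just above restrict themselves to regular files with `--`; a narrower pattern here, if the driver layout permits it, would keep non-executable content out of an executable type. The second entry also separates the path from `gen_context` with spaces where the surrounding lines use tabs. A short comment such as `# Brother printer driver filters installed under /usr/local` would record why a vendor path appears in the base file contexts.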
@@ -3152,7 +3161,7 @@
  /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pwlib/make/ptlib-config --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/pydict/pydict\.py	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -239,6 +253,7 @@
+@@ -239,6 +255,7 @@
  /var/ftp/bin/ls			--	gen_context(system_u:object_r:ls_exec_t,s0)
  
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
@@ -3160,7 +3169,7 @@
  
  /var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
-@@ -247,3 +262,16 @@
+@@ -247,3 +264,16 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -8834,13 +8843,16 @@
  init_rw_utmp(portslave_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.4.6/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/postfix.fc	2007-06-14 09:48:37.000000000 -0400
-@@ -9,10 +9,12 @@
- /usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
- /usr/libexec/postfix/showq --	gen_context(system_u:object_r:postfix_showq_exec_t,s0)
- /usr/libexec/postfix/smtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
++++ serefpolicy-2.4.6/policy/modules/services/postfix.fc	2007-09-04 17:48:34.000000000 -0400
+@@ -3,6 +3,7 @@
+ ifdef(`distro_redhat', `
+ /usr/libexec/postfix/.*	--	gen_context(system_u:object_r:postfix_exec_t,s0)
+ /usr/libexec/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 +/usr/libexec/postfix/lmtp --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
- /usr/libexec/postfix/scache --	gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+ /usr/libexec/postfix/local --	gen_context(system_u:object_r:postfix_local_exec_t,s0)
+ /usr/libexec/postfix/master --	gen_context(system_u:object_r:postfix_master_exec_t,s0)
+ /usr/libexec/postfix/pickup --	gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+@@ -13,6 +14,7 @@
  /usr/libexec/postfix/smtpd --	gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
  /usr/libexec/postfix/bounce --	gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
  /usr/libexec/postfix/pipe --	gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
@@ -8850,8 +8862,8 @@
  /usr/lib/postfix/cleanup --	gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.4.6/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/postfix.if	2007-06-04 13:46:25.000000000 -0400
-@@ -48,8 +48,6 @@
++++ serefpolicy-2.4.6/policy/modules/services/postfix.if	2007-09-04 17:39:35.000000000 -0400
+@@ -48,10 +48,9 @@
  	can_exec(postfix_$1_t, postfix_$1_exec_t)
  
  	allow postfix_$1_t postfix_exec_t:file rx_file_perms;
@@ -8859,8 +8871,11 @@
 -	allow postfix_$1_t postfix_exec_t:dir r_dir_perms;
  
  	allow postfix_$1_t postfix_master_t:process sigchld;
++	allow postfix_$1_t postfix_master_t:file read;
+ 
+ 	allow postfix_$1_t postfix_spool_t:dir r_dir_perms;
  
-@@ -147,10 +145,8 @@
+@@ -147,10 +146,8 @@
  	corenet_tcp_connect_all_ports(postfix_$1_t)
  	corenet_sendrecv_all_client_packets(postfix_$1_t)
  
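Review bot: The added `allow postfix_$1_t postfix_master_t:file read;` uses a domain type as the target of a `file` permission, which for a process type normally means the master's /proc/PID entries, and nothing in the hunk states that this is the intent. The rule sits in the per-server template, whose start and end are outside the hunk, so every `postfix_$1_t` domain receives it. If an AVC denial on the master's /proc files motivated the rule, a comment such as `# postfix servers read the master's /proc entries` would make that reviewable. If the access is not actually needed, a `dontaudit` would be the narrower choice.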
@@ -8872,7 +8887,7 @@
  	')
  ')
  
-@@ -468,6 +464,26 @@
+@@ -468,6 +465,26 @@
  
  ########################################
  ## <summary>
@@ -8899,7 +8914,7 @@
  ##	Execute postfix user mail programs
  ##	in their respective domains.
  ## </summary>
-@@ -484,3 +500,22 @@
+@@ -484,3 +501,22 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -8924,7 +8939,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.4.6/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2006-11-29 12:04:49.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/postfix.te	2007-06-14 09:55:45.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/services/postfix.te	2007-09-04 17:42:57.000000000 -0400
 @@ -84,6 +84,12 @@
  type postfix_var_run_t;
  files_pid_file(postfix_var_run_t)
@@ -8967,7 +8982,7 @@
  	cyrus_stream_connect(postfix_master_t)
  ')
  
-@@ -186,6 +200,10 @@
+@@ -186,9 +200,17 @@
  ')
  
  optional_policy(`
@@ -8978,7 +8993,14 @@
  	nis_use_ypbind(postfix_master_t)
  ')
  
-@@ -222,6 +240,7 @@
++optional_policy(`
++	sendmail_signal(postfix_master_t)
++')
++
+ ###########################################################
+ #
+ # Partially converted rules.  THESE ARE ONLY TEMPORARY
+@@ -222,6 +244,7 @@
  
  allow postfix_bounce_t self:capability dac_read_search;
  allow postfix_bounce_t self:tcp_socket create_socket_perms;
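Review bot: The new `optional_policy` block calling `sendmail_signal(postfix_master_t)` has no comment saying why the postfix master needs to send signals to `sendmail_t`. Presumably a sendmail-compatible front end started by postfix runs in that domain, but this should be confirmed and recorded, for example `# master signals the sendmail-compatible front end running in sendmail_t`. Without that, a later audit cannot tell whether this cross-domain signal permission is still required.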
@@ -8986,7 +9008,7 @@
  
  allow postfix_bounce_t postfix_public_t:sock_file write;
  allow postfix_bounce_t postfix_public_t:dir search;
-@@ -240,6 +259,7 @@
+@@ -240,6 +263,7 @@
  #
  
  allow postfix_cleanup_t self:process setrlimit;
@@ -8994,7 +9016,7 @@
  
  # connect to master process
  allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto;
-@@ -265,6 +285,7 @@
+@@ -265,6 +289,7 @@
  
  allow postfix_local_t self:fifo_file rw_file_perms;
  allow postfix_local_t self:process { setsched setrlimit };
@@ -9002,7 +9024,7 @@
  
  allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms;
  allow postfix_local_t postfix_local_tmp_t:file create_file_perms;
-@@ -298,6 +319,7 @@
+@@ -298,6 +323,7 @@
  optional_policy(`
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
@@ -9010,7 +9032,7 @@
  ')
  
  optional_policy(`
-@@ -382,6 +404,10 @@
+@@ -382,6 +408,10 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -9021,7 +9043,7 @@
  # a "run" interface needs to be
  # added, and have sysadm_t use it
  # in a optional_policy block.
-@@ -394,6 +420,7 @@
+@@ -394,6 +424,7 @@
  allow postfix_pickup_t self:tcp_socket create_socket_perms;
  
  allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
@@ -9029,7 +9051,7 @@
  
  allow postfix_pickup_t postfix_private_t:dir search;
  allow postfix_pickup_t postfix_private_t:sock_file write;
-@@ -412,7 +439,7 @@
+@@ -412,7 +443,7 @@
  # Postfix pipe local policy
  #
  
@@ -9038,7 +9060,7 @@
  
  allow postfix_pipe_t postfix_private_t:dir search;
  allow postfix_pipe_t postfix_private_t:sock_file write;
-@@ -423,6 +450,12 @@
+@@ -423,6 +454,12 @@
  allow postfix_pipe_t postfix_spool_t:dir search;
  allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
  
@@ -9051,7 +9073,7 @@
  optional_policy(`
  	procmail_domtrans(postfix_pipe_t)
  ')
-@@ -431,6 +464,14 @@
+@@ -431,6 +468,14 @@
  	mailman_domtrans_queue(postfix_pipe_t)
  ')
  
@@ -9066,7 +9088,7 @@
  ########################################
  #
  # Postfix postdrop local policy
-@@ -468,6 +509,10 @@
+@@ -468,6 +513,10 @@
  ')
  
  optional_policy(`
@@ -9077,7 +9099,7 @@
  	ppp_use_fds(postfix_postqueue_t)
  	ppp_sigchld(postfix_postqueue_t)
  ')
-@@ -515,6 +560,7 @@
+@@ -515,6 +564,7 @@
  #
  
  allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
@@ -9085,7 +9107,7 @@
  
  allow postfix_qmgr_t postfix_private_t:dir search;
  allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
-@@ -574,9 +620,14 @@
+@@ -574,9 +624,14 @@
  allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
  allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
  allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
@@ -9100,7 +9122,7 @@
  ########################################
  #
  # Postfix smtpd local policy
-@@ -594,9 +645,19 @@
+@@ -594,9 +649,19 @@
  
  corecmd_exec_bin(postfix_smtpd_t)
  
@@ -9120,7 +9142,7 @@
  
  optional_policy(`
  	postgrey_stream_connect(postfix_smtpd_t)
-@@ -605,3 +666,34 @@
+@@ -605,3 +670,34 @@
  optional_policy(`
  	sasl_connect(postfix_smtpd_t)
  ')
@@ -10238,8 +10260,34 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-2.4.6/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/sendmail.if	2007-05-22 12:40:26.000000000 -0400
-@@ -76,6 +76,27 @@
++++ serefpolicy-2.4.6/policy/modules/services/sendmail.if	2007-09-04 17:43:33.000000000 -0400
+@@ -56,6 +56,25 @@
+ 
+ 	allow $1 sendmail_t:tcp_socket { read write };
+ ')
++
++########################################
++## <summary>
++##f	allow domain to signal sendmail
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`sendmail_signal',`
++	gen_require(`
++		type sendmail_t;
++	')
++	allow $1 sendmail_t:process signal;
++')
++
++
+ ########################################
+ ## <summary>
+ ##	Read and write sendmail unix_stream_sockets.
+@@ -76,6 +95,27 @@
  
  ########################################
  ## <summary>
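Review bot: The documentation block of the new `sendmail_signal` interface does not match what the interface grants. The summary line reads `##f	allow domain to signal sendmail` with a stray `f`, and the parameter is described as `Domain to not audit.` although the body is an `allow` rule. Suggested text is `##	Send generic signals to sendmail.` for the summary and `##	Domain allowed access.` for the parameter. The two blank lines after the closing `')` also differ from the single blank line between the other interfaces shown here.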
@@ -10267,7 +10315,7 @@
  ##	Create, read, write, and delete sendmail logs.
  ## </summary>
  ## <param name="domain">
-@@ -91,6 +112,7 @@
+@@ -91,6 +131,7 @@
  	')
  
  	logging_search_logs($1)
@@ -13889,7 +13937,7 @@
  # /var/run
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.4.6/policy/modules/system/selinuxutil.if
 --- nsaserefpolicy/policy/modules/system/selinuxutil.if	2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if	2007-05-23 10:43:52.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.if	2007-09-04 16:32:49.000000000 -0400
 @@ -471,6 +471,7 @@
  	role $2 types run_init_t;
  	allow run_init_t $3:chr_file rw_term_perms;
@@ -13916,15 +13964,37 @@
  	allow $1 default_context_t:file manage_file_perms;
  ')
  
-@@ -821,7 +822,6 @@
+@@ -821,7 +822,28 @@
  	allow $1 selinux_config_t:dir search;
  	allow $1 file_context_t:dir r_dir_perms;
  	allow $1 file_context_t:file r_file_perms;
 -	allow $1 file_context_t:lnk_file { getattr read };
++')
++
++########################################
++## <summary>
++##	dontaudit Read the file_contexts files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`seutil_dontaudit_read_file_contexts',`
++	gen_require(`
++		type selinux_config_t, default_context_t, file_context_t;
++	')
++
++	files_search_etc($1)
++	dontaudit $1 { selinux_config_t default_context_t }:dir search_dir_perms;
++	dontaudit $1 file_context_t:dir search_dir_perms;
++	dontaudit $1 file_context_t:file r_file_perms;
  ')
  
  ########################################
-@@ -1014,6 +1014,7 @@
+@@ -1014,6 +1036,7 @@
  	gen_require(`
  		type semanage_t, semanage_exec_t;
  	')
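Review bot: `seutil_dontaudit_read_file_contexts` calls `files_search_etc($1)`, which grants access, so a caller that only wants to silence audit messages also gains search permission on the etc directories. A dontaudit interface should contain only `dontaudit` rules. Dropping that line, or replacing it with a dontaudit counterpart if files.if provides one, keeps the interface from widening access. The parameter summary `Domain allowed access.` and the `## <rolecap/>` tag look copied from the allow variant; `Domain to not audit.` fits better, and the summary could read `Do not audit attempts to read the file_contexts files.`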
@@ -13932,7 +14002,7 @@
  
  	files_search_usr($1)
  	corecmd_search_bin($1)
-@@ -1121,3 +1122,120 @@
+@@ -1121,3 +1144,120 @@
  	allow $1 selinux_config_t:dir search_dir_perms;
  	allow $1 semanage_trans_lock_t:file rw_file_perms;
  ')



