rpms/selinux-policy/devel .cvsignore, 1.122, 1.123 modules-targeted.conf, 1.64, 1.65 policy-20070703.patch, 1.43, 1.44 selinux-policy.spec, 1.510, 1.511 sources, 1.133, 1.134

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Aug 27 21:43:39 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20116

Modified Files:
	.cvsignore modules-targeted.conf policy-20070703.patch 
	selinux-policy.spec sources 
Log Message:
* Mon Aug 27 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-1
- Update and re-add modules



Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -r1.122 -r1.123
--- .cvsignore	22 Aug 2007 14:46:21 -0000	1.122
+++ .cvsignore	27 Aug 2007 21:43:05 -0000	1.123
@@ -124,3 +124,4 @@
 serefpolicy-3.0.4.tgz
 serefpolicy-3.0.5.tgz
 serefpolicy-3.0.6.tgz
+serefpolicy-3.0.7.tgz


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.64
retrieving revision 1.65
diff -u -r1.64 -r1.65
--- modules-targeted.conf	23 Aug 2007 13:31:59 -0000	1.64
+++ modules-targeted.conf	27 Aug 2007 21:43:05 -0000	1.65
@@ -1298,11 +1298,18 @@
 # Layer: system
 # Module: xen
 #
-# TCP/IP encryption
+# virtualization software
 # 
 xen = base
 
 # Layer: system
+# Module: virt
+#
+# Virtualization libraries
+# 
+virt = base
+
+# Layer: system
 # Module: brctl
 #
 # Utilities for configuring the linux ethernet bridge

policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- policy-20070703.patch	24 Aug 2007 14:20:35 -0000	1.43
+++ policy-20070703.patch	27 Aug 2007 21:43:05 -0000	1.44
@@ -313,7 +313,7 @@
 +/sbin/alsactl 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.0.6/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/admin/alsa.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/admin/alsa.te	2007-08-24 16:06:03.000000000 -0400
 @@ -19,20 +19,24 @@
  # Local policy
  #
@@ -342,7 +342,7 @@
  
  libs_use_ld_so(alsa_t)
  libs_use_shared_libs(alsa_t)
-@@ -43,7 +47,14 @@
+@@ -43,7 +47,13 @@
  
  userdom_manage_unpriv_user_semaphores(alsa_t)
  userdom_manage_unpriv_user_shared_mem(alsa_t)
@@ -356,7 +356,6 @@
 +	hal_use_fds(alsa_t)
 +	hal_write_log(alsa_t)
 +')
-+
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/anaconda.te serefpolicy-3.0.6/policy/modules/admin/anaconda.te
 --- nsaserefpolicy/policy/modules/admin/anaconda.te	2007-05-29 14:10:59.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/admin/anaconda.te	2007-08-22 08:03:53.000000000 -0400
@@ -389,6 +388,18 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/certwatch.if serefpolicy-3.0.6/policy/modules/admin/certwatch.if
+--- nsaserefpolicy/policy/modules/admin/certwatch.if	2007-05-29 14:10:59.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/admin/certwatch.if	2007-08-25 06:42:08.000000000 -0400
+@@ -44,7 +44,7 @@
+ ## </param>
+ ## <rolecap/>
+ #
+-interface(`certwatach_run',`
++interface(`certwatch_run',`
+ 	gen_require(`
+ 		type certwatch_t;
+ 	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.6/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2007-08-22 07:14:14.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/admin/consoletype.te	2007-08-22 08:03:53.000000000 -0400
@@ -1213,7 +1224,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.6/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/admin/vbetool.te	2007-08-24 16:33:17.000000000 -0400
 @@ -32,4 +32,5 @@
  
  optional_policy(`
@@ -1500,6 +1511,17 @@
 -
  type gconfd_exec_t;
  application_executable_file(gconfd_exec_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.6/policy/modules/apps/java.fc
+--- nsaserefpolicy/policy/modules/apps/java.fc	2007-05-29 14:10:48.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/apps/java.fc	2007-08-27 09:51:03.000000000 -0400
+@@ -11,6 +11,7 @@
+ #
+ /usr/(.*/)?bin/java.* 	--	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/lib(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/lib/eclipse/eclipse --	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/frysk		--	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gappletviewer  --	gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gcj-dbtool	--	gen_context(system_u:object_r:java_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.0.6/policy/modules/apps/java.if
 --- nsaserefpolicy/policy/modules/apps/java.if	2007-08-02 08:17:26.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/apps/java.if	2007-08-22 08:03:53.000000000 -0400
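Review bot: The added `/usr/lib/eclipse/eclipse` entry matches only the 32-bit library path, so a launcher installed under `/usr/lib64` would keep its default label instead of `java_exec_t`. Other file-context entries in this patch use the `lib(64)?` form, so if the 64-bit package ships the same launcher the path could be written `/usr/lib(64)?/eclipse/eclipse`. The same applies to the `/usr/lib/libtheora\.so.*` entry added to libraries.fc later in this patch, which gets `textrel_shlib_t` only under `/usr/lib`. Whether either package installs a lib64 copy is not visible here, so check the package file lists before changing the patterns.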
@@ -2567,7 +2589,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.6/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/kernel/files.if	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/kernel/files.if	2007-08-27 09:57:19.000000000 -0400
 @@ -343,8 +343,7 @@
  
  ########################################
@@ -2652,10 +2674,28 @@
  ##	List the contents of the root directory.
  ## </summary>
  ## <param name="domain">
-@@ -3323,6 +3359,24 @@
+@@ -3323,6 +3359,42 @@
  
  ########################################
  ## <summary>
++##	dontaudit Add and remove entries from /usr directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_dontaudit_rw_usr_dirs',`
++	gen_require(`
++		type usr_t;
++	')
++
++	dontaudit $1 usr_t:dir rw_dir_perms;
++')
++
++########################################
++## <summary>
 +##	Create, read, write, and delete files in the /usr directory.
 +## </summary>
 +## <param name="domain">
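Review bot: The documentation block for the new `files_dontaudit_rw_usr_dirs` interface reads as if it granted access, while the body only suppresses audit records for `usr_t:dir rw_dir_perms`. The summary would be clearer as `##	Do not audit attempts to add and remove entries from /usr directories.` and the parameter text as `##	Domain to not audit.`, so nobody reading the generated interface docs takes it for an allow rule. Since the rule hides denied writes to /usr directories, each caller should also record why the denial is expected.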
@@ -2677,7 +2717,7 @@
  ##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -3381,7 +3435,7 @@
+@@ -3381,7 +3453,7 @@
  
  ########################################
  ## <summary>
@@ -2686,7 +2726,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3389,17 +3443,17 @@
+@@ -3389,17 +3461,17 @@
  ##	</summary>
  ## </param>
  #
@@ -2707,7 +2747,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3407,12 +3461,12 @@
+@@ -3407,12 +3479,12 @@
  ##	</summary>
  ## </param>
  #
@@ -2722,7 +2762,7 @@
  ')
  
  ########################################
-@@ -4043,7 +4097,7 @@
+@@ -4043,7 +4115,7 @@
  		type var_t, var_lock_t;
  	')
  
@@ -2731,7 +2771,7 @@
  ')
  
  ########################################
-@@ -4560,6 +4614,8 @@
+@@ -4560,6 +4632,8 @@
  	# Need to give access to /selinux/member
  	selinux_compute_member($1)
  
@@ -2740,7 +2780,7 @@
  	# Need sys_admin capability for mounting
  	allow $1 self:capability { chown fsetid sys_admin };
  
-@@ -4582,6 +4638,11 @@
+@@ -4582,6 +4656,11 @@
  	# Default type for mountpoints
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
@@ -2752,7 +2792,7 @@
  ')
  
  ########################################
-@@ -4619,3 +4680,28 @@
+@@ -4619,3 +4698,28 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -2903,6 +2943,17 @@
 +	rw_files_pattern($1,anon_inodefs_t,anon_inodefs_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.6/policy/modules/kernel/filesystem.te
+--- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-08-22 07:14:06.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/kernel/filesystem.te	2007-08-27 09:16:03.000000000 -0400
+@@ -80,6 +80,7 @@
+ type fusefs_t;
+ fs_noxattr_type(fusefs_t)
+ allow fusefs_t self:filesystem associate;
++allow fusefs_t fs_t:filesystem associate;
+ genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
+ genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.6/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-08-22 07:14:06.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/kernel/kernel.if	2007-08-22 08:03:53.000000000 -0400
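Review bot: The added `allow fusefs_t fs_t:filesystem associate;` has no comment explaining why objects labelled `fusefs_t` need to associate with a filesystem labelled `fs_t`, alongside the existing self-association on the line above it. A one-line why-comment naming the mount case that produced the denial would let a later reviewer judge whether the rule is still needed. The filesystem.te block continues outside the hunk.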
@@ -3385,7 +3436,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.6/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/apache.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/apache.te	2007-08-27 17:32:31.000000000 -0400
 @@ -30,6 +30,13 @@
  
  ## <desc>
@@ -3466,7 +3517,7 @@
  # for apache2 memory mapped files
  type httpd_var_lib_t;
  files_type(httpd_var_lib_t)
-@@ -202,7 +245,7 @@
+@@ -202,9 +245,11 @@
  # Apache server local policy
  #
  
@@ -3474,8 +3525,12 @@
 +allow httpd_t self:capability { chown dac_override kill setgid setuid sys_nice sys_tty_config };
  dontaudit httpd_t self:capability { net_admin sys_tty_config };
  allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++dontaudit httpd_t self:process setfscreate;
++
  allow httpd_t self:fd use;
-@@ -244,6 +287,7 @@
+ allow httpd_t self:sock_file read_sock_file_perms;
+ allow httpd_t self:fifo_file rw_fifo_file_perms;
+@@ -244,6 +289,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
  read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
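Review bot: The new `dontaudit httpd_t self:process setfscreate;` silences the denial without saying which component in httpd requests setfscreate, so a later reader cannot tell an expected probe from a misbehaving module. A why-comment above the rule would cover it, for example `# MODULE-NAME (placeholder) requests setfscreate; the denial is harmless`, with the real component filled in. Separately, the `allow httpd_t self:capability` line at the top of this hunk grants `sys_tty_config` while the `dontaudit` on the next line still lists it, which looks redundant. The surrounding apache.te section continues outside the hunk.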
@@ -3483,7 +3538,7 @@
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -284,6 +328,7 @@
+@@ -284,6 +330,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -3491,7 +3546,7 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -330,6 +375,9 @@
+@@ -330,6 +377,9 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -3501,7 +3556,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -348,7 +396,9 @@
+@@ -348,7 +398,9 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -3512,7 +3567,7 @@
  
  tunable_policy(`allow_httpd_anon_write',`
  	miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +410,7 @@
+@@ -360,6 +412,7 @@
  #
  tunable_policy(`allow_httpd_mod_auth_pam',`
  	auth_domtrans_chk_passwd(httpd_t)
@@ -3520,7 +3575,7 @@
  ')
  ')
  
-@@ -367,6 +418,16 @@
+@@ -367,6 +420,16 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -3537,7 +3592,7 @@
  tunable_policy(`httpd_can_network_connect_db',`
  	# allow httpd to connect to mysql/posgresql
  	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +448,17 @@
+@@ -387,6 +450,17 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
@@ -3555,7 +3610,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -404,11 +476,21 @@
+@@ -404,11 +478,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -3577,7 +3632,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +512,12 @@
+@@ -430,6 +514,12 @@
  ')
  
  optional_policy(`
@@ -3590,7 +3645,21 @@
  	calamaris_read_www_files(httpd_t)
  ')
  
-@@ -461,7 +549,6 @@
+@@ -442,6 +532,13 @@
+ ')
+ 
+ optional_policy(`
++	dbus_system_bus_client_template(httpd,httpd_t)
++	dbus_send_system_bus(httpd_t)
++	tunable_policy(`allow_httpd_dbus_avahi',`
++		avahi_dbus_chat(httpd_t)
++	')
++')
++optional_policy(`
+ 	kerberos_use(httpd_t)
+ 	kerberos_read_kdc_config(httpd_t)
+ ')
+@@ -461,7 +558,6 @@
  
  optional_policy(`
  	nagios_read_config(httpd_t)
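Review bot: `dbus_send_system_bus(httpd_t)` sits outside the `allow_httpd_dbus_avahi` tunable in the relocated block, so httpd gets system-bus send access whenever the dbus module is present and the boolean only switches the avahi chat. If the bus access exists only for avahi, place `dbus_send_system_bus(httpd_t)` on the line before `avahi_dbus_chat(httpd_t)` inside the tunable. The `dbus_system_bus_client_template(httpd,httpd_t)` call presumably has to stay unconditional if it declares types; confirm against dbus.if. The block's `optional_policy` opener also follows the previous block's closing line with no blank line between them, unlike the neighbouring blocks.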
@@ -3598,7 +3667,15 @@
  ')
  
  optional_policy(`
-@@ -512,10 +599,16 @@
+@@ -481,6 +577,7 @@
+ ')
+ 
+ optional_policy(`
++	files_dontaudit_rw_usr_dirs(httpd_t)
+ 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
+ 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
+ ')
+@@ -512,10 +609,16 @@
  tunable_policy(`httpd_tty_comm',`
  	# cjp: this is redundant:
  	term_use_controlling_term(httpd_helper_t)
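Review bot: `files_dontaudit_rw_usr_dirs(httpd_t)` is added inside the optional block that otherwise holds only snmp interfaces, so the rule presumably applies only when the snmp module is present. If the denial comes from snmp code loaded into httpd, a comment saying so would justify the placement. Otherwise the call belongs with the other unconditional `files_` calls for `httpd_t`. Suppressing audit of write attempts on /usr directories by the web server also removes a record that is useful when investigating a compromised httpd, so the reason deserves a line such as `# COMPONENT (placeholder) opens /usr directories read-write; the denial is harmless`.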
@@ -3616,7 +3693,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -567,7 +660,6 @@
+@@ -567,7 +670,6 @@
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -3624,7 +3701,7 @@
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
  
-@@ -581,6 +673,10 @@
+@@ -581,6 +683,10 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -3635,7 +3712,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -606,6 +702,10 @@
+@@ -606,6 +712,10 @@
  
  miscfiles_read_localization(httpd_suexec_t)
  
@@ -3646,7 +3723,7 @@
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +720,13 @@
+@@ -620,10 +730,13 @@
  	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
  	corenet_tcp_connect_all_ports(httpd_suexec_t)
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -3661,7 +3738,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -634,6 +737,12 @@
+@@ -634,6 +747,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -3674,7 +3751,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +760,6 @@
+@@ -651,18 +770,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -3693,7 +3770,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -672,7 +769,8 @@
+@@ -672,7 +779,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -3703,7 +3780,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +784,66 @@
+@@ -686,15 +794,66 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -3719,15 +3796,15 @@
 +')
 +
 +tunable_policy(`httpd_use_nfs', `
- 	fs_read_nfs_files(httpd_sys_script_t)
- 	fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
- 
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
 +	fs_read_nfs_files(httpd_sys_script_t)
 +	fs_read_nfs_symlinks(httpd_sys_script_t)
 +')
 +
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ 	fs_read_nfs_files(httpd_sys_script_t)
+ 	fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+ 
 +tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -3771,7 +3848,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -711,6 +860,19 @@
+@@ -711,6 +870,19 @@
  
  ########################################
  #
@@ -3791,7 +3868,7 @@
  # httpd_rotatelogs local policy
  #
  
-@@ -728,3 +890,27 @@
+@@ -728,3 +900,20 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -3802,6 +3879,8 @@
 +
 +files_search_var_lib(httpd_bugzilla_script_t)
 +
++mta_send_mail(httpd_bugzilla_script_t)
++
 +optional_policy(`
 +	mysql_search_db(httpd_bugzilla_script_t)
 +	mysql_stream_connect(httpd_bugzilla_script_t)
@@ -3810,15 +3889,6 @@
 +optional_policy(`
 +	postgresql_stream_connect(httpd_bugzilla_script_t)
 +')
-+
-+
-+optional_policy(`
-+	dbus_system_bus_client_template(httpd,httpd_t)
-+	dbus_send_system_bus(httpd_t)
-+	tunable_policy(`allow_httpd_dbus_avahi',`
-+		avahi_dbus_chat(httpd_t)
-+	')
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.6/policy/modules/services/apcupsd.fc
 --- nsaserefpolicy/policy/modules/services/apcupsd.fc	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/services/apcupsd.fc	2007-08-22 08:03:53.000000000 -0400
@@ -5028,6 +5098,18 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.6/policy/modules/services/dnsmasq.te
+--- nsaserefpolicy/policy/modules/services/dnsmasq.te	2007-07-25 10:37:42.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/dnsmasq.te	2007-08-27 10:56:52.000000000 -0400
+@@ -94,3 +94,8 @@
+ optional_policy(`
+ 	udev_read_db(dnsmasq_t)
+ ')
++
++optional_policy(`
++	virt_read_lib_files(dnsmasq_t)
++	virt_append_lib_files(dnsmasq_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.6/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/services/dovecot.fc	2007-08-22 08:03:53.000000000 -0400
@@ -6255,7 +6337,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.6/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/ntp.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/ntp.te	2007-08-24 16:30:03.000000000 -0400
 @@ -25,6 +25,12 @@
  type ntpdate_exec_t;
  init_system_domain(ntpd_t,ntpdate_exec_t)
@@ -6304,7 +6386,7 @@
  userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
  userdom_list_sysadm_home_dirs(ntpd_t)
  userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-@@ -126,9 +139,14 @@
+@@ -122,6 +135,10 @@
  ')
  
  optional_policy(`
@@ -6312,9 +6394,10 @@
 +')
 +
 +optional_policy(`
- 	seutil_sigchld_newrole(ntpd_t)
+ 	logrotate_exec(ntpd_t)
  ')
  
+@@ -132,3 +149,4 @@
  optional_policy(`
  	udev_read_db(ntpd_t)
  ')
@@ -7822,7 +7905,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soundserver.te serefpolicy-3.0.6/policy/modules/services/soundserver.te
 --- nsaserefpolicy/policy/modules/services/soundserver.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/services/soundserver.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/services/soundserver.te	2007-08-24 16:10:39.000000000 -0400
 @@ -10,9 +10,6 @@
  type soundd_exec_t;
  init_daemon_domain(soundd_t,soundd_exec_t)
@@ -7833,7 +7916,7 @@
  type soundd_state_t;
  files_type(soundd_state_t)
  
-@@ -28,20 +25,28 @@
+@@ -28,20 +25,24 @@
  
  ########################################
  #
@@ -7853,10 +7936,6 @@
 +
 +fs_getattr_all_fs(soundd_t)
 +
-+optional_policy(`
-+	alsa_domtrans(soundd_t)
-+')
-+
  # for yiff
  allow soundd_t self:shm create_shm_perms;
  
@@ -7867,7 +7946,7 @@
  manage_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
  manage_lnk_files_pattern(soundd_t,soundd_state_t,soundd_state_t)
  
-@@ -55,8 +60,10 @@
+@@ -55,8 +56,10 @@
  manage_sock_files_pattern(soundd_t,soundd_tmpfs_t,soundd_tmpfs_t)
  fs_tmpfs_filetrans(soundd_t,soundd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
  
@@ -7879,6 +7958,17 @@
  
  kernel_read_kernel_sysctls(soundd_t)
  kernel_list_proc(soundd_t)
+@@ -99,6 +102,10 @@
+ userdom_dontaudit_search_sysadm_home_dirs(soundd_t)
+ 
+ optional_policy(`
++	alsa_domtrans(soundd_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(soundd_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.6/policy/modules/services/spamassassin.fc
 --- nsaserefpolicy/policy/modules/services/spamassassin.fc	2007-06-11 16:05:30.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/services/spamassassin.fc	2007-08-22 08:03:53.000000000 -0400
@@ -9189,8 +9279,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.6/policy/modules/system/brctl.te
 --- nsaserefpolicy/policy/modules/system/brctl.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.6/policy/modules/system/brctl.te	2007-08-22 08:03:53.000000000 -0400
-@@ -0,0 +1,50 @@
++++ serefpolicy-3.0.6/policy/modules/system/brctl.te	2007-08-27 10:44:36.000000000 -0400
+@@ -0,0 +1,51 @@
 +policy_module(brctl,1.0.0)
 +
 +########################################
@@ -9213,6 +9303,7 @@
 +allow brctl_t self:tcp_socket create_socket_perms;
 +allow brctl_t self:unix_dgram_socket create_socket_perms;
 +
++dev_write_sysfs_dirs(brctl_t)
 +dev_rw_sysfs(brctl_t)
 +
 +# Init script handling
@@ -9409,7 +9500,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.0.6/policy/modules/system/getty.te
 --- nsaserefpolicy/policy/modules/system/getty.te	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/getty.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/getty.te	2007-08-27 10:45:03.000000000 -0400
 @@ -33,7 +33,8 @@
  #
  
@@ -9803,7 +9894,7 @@
  manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.0.6/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/iptables.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/iptables.te	2007-08-27 10:45:25.000000000 -0400
 @@ -44,6 +44,8 @@
  
  corenet_relabelto_all_packets(iptables_t)
@@ -9821,20 +9912,23 @@
  
  libs_use_ld_so(iptables_t)
  libs_use_shared_libs(iptables_t)
-@@ -96,10 +99,6 @@
+@@ -96,11 +99,11 @@
  ')
  
  optional_policy(`
 -	nscd_socket_use(iptables_t)
--')
--
--optional_policy(`
- 	ppp_dontaudit_use_fds(iptables_t)
++	ppp_dontaudit_use_fds(iptables_t)
+ ')
+ 
+ optional_policy(`
+-	ppp_dontaudit_use_fds(iptables_t)
++	rhgb_dontaudit_use_ptys(iptables_t)
  ')
  
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.6/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/libraries.fc	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/libraries.fc	2007-08-27 10:58:43.000000000 -0400
 @@ -65,11 +65,12 @@
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -9867,7 +9961,7 @@
  /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # vmware 
-@@ -284,3 +289,7 @@
+@@ -284,3 +289,8 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -9875,6 +9969,7 @@
 +/usr/lib64/mozilla/plugins/libvlcplugin.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/var/cache/ldconfig(/.*)?		    	gen_context(system_u:object_r:ldconfig_cache_t,s0)
++/usr/lib/libtheora\.so.*  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.6/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-08-02 08:17:28.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/system/libraries.te	2007-08-22 08:03:53.000000000 -0400
@@ -10437,7 +10532,7 @@
  /var/spool/texmf(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.6/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-08-22 07:14:12.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/modutils.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/modutils.te	2007-08-24 16:32:27.000000000 -0400
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -10544,7 +10639,7 @@
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.6/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/mount.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/mount.te	2007-08-24 16:33:07.000000000 -0400
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -11695,7 +11790,7 @@
 +
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.6/policy/modules/system/userdomain.if
---- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-22 07:14:12.000000000 -0400
+--- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/system/userdomain.if	2007-08-22 08:03:53.000000000 -0400
 @@ -62,6 +62,10 @@
  
@@ -11719,22 +11814,7 @@
  ')
  
  #######################################
-@@ -183,14 +191,6 @@
- 	read_sock_files_pattern($1_t,{ $1_home_t $1_home_dir_t },$1_home_t)
- 	files_list_home($1_t)
- 
--	# privileged home directory writers
--	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
--	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
--	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
--
- 	tunable_policy(`use_nfs_home_dirs',`
- 		fs_list_nfs_dirs($1_t)
- 		fs_read_nfs_files($1_t)
-@@ -323,13 +323,19 @@
+@@ -315,13 +323,19 @@
  ## <rolebase/>
  #
  template(`userdom_exec_home_template',`
@@ -11757,7 +11837,7 @@
  		fs_exec_cifs_files($1_t)
  	')
  ')
-@@ -403,7 +409,9 @@
+@@ -395,7 +409,9 @@
  ## <rolebase/>
  #
  template(`userdom_exec_tmp_template',`
@@ -11768,7 +11848,7 @@
  ')
  
  #######################################
-@@ -517,10 +525,6 @@
+@@ -509,10 +525,6 @@
  ## <rolebase/>
  #
  template(`userdom_exec_generic_pgms_template',`
@@ -11779,7 +11859,7 @@
  	corecmd_exec_bin($1_t)
  ')
  
-@@ -538,9 +542,6 @@
+@@ -530,9 +542,6 @@
  ## <rolebase/>
  #
  template(`userdom_basic_networking_template',`
@@ -11789,7 +11869,7 @@
  
  	allow $1_t self:tcp_socket create_stream_socket_perms;
  	allow $1_t self:udp_socket create_socket_perms;
-@@ -571,32 +572,29 @@
+@@ -563,32 +572,29 @@
  #
  template(`userdom_xwindows_client_template',`
  	gen_require(`
@@ -11843,7 +11923,7 @@
  ')
  
  #######################################
-@@ -672,67 +670,39 @@
+@@ -664,67 +670,39 @@
  		attribute unpriv_userdomain;
  	')
  
@@ -11914,7 +11994,7 @@
  	files_exec_etc_files($1_t)
  	files_search_locks($1_t)
  	# Check to see if cdrom is mounted
-@@ -745,12 +715,6 @@
+@@ -737,12 +715,6 @@
  	# Stat lost+found.
  	files_getattr_lost_found_dirs($1_t)
  
@@ -11927,7 +12007,7 @@
  	# cjp: some of this probably can be removed
  	selinux_get_fs_mount($1_t)
  	selinux_validate_context($1_t)
-@@ -763,31 +727,16 @@
+@@ -755,31 +727,16 @@
  	storage_getattr_fixed_disk_dev($1_t)
  
  	auth_read_login_records($1_t)
@@ -11961,7 +12041,7 @@
  	seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
  	seutil_exec_checkpolicy($1_t)
  	seutil_exec_setfiles($1_t)
-@@ -802,19 +751,12 @@
+@@ -794,19 +751,12 @@
  		files_read_default_symlinks($1_t)
  		files_read_default_sockets($1_t)
  		files_read_default_pipes($1_t)
@@ -11981,7 +12061,7 @@
  	optional_policy(`
  		alsa_read_rw_config($1_t)
  	')
-@@ -829,11 +771,6 @@
+@@ -821,11 +771,6 @@
  	')
  
  	optional_policy(`
@@ -11993,7 +12073,7 @@
  		allow $1_t self:dbus send_msg;
  		dbus_system_bus_client_template($1,$1_t)
  
-@@ -842,21 +779,18 @@
+@@ -834,21 +779,18 @@
  		')
  
  		optional_policy(`
@@ -12019,7 +12099,7 @@
  	')
  
  	optional_policy(`
-@@ -884,17 +818,17 @@
+@@ -876,17 +818,17 @@
  	')
  
  	optional_policy(`
@@ -12045,7 +12125,7 @@
  	')
  
  	optional_policy(`
-@@ -908,16 +842,6 @@
+@@ -900,16 +842,6 @@
  	')
  
  	optional_policy(`
@@ -12062,7 +12142,7 @@
  		resmgr_stream_connect($1_t)
  	')
  
-@@ -927,11 +851,6 @@
+@@ -919,11 +851,6 @@
  	')
  
  	optional_policy(`
@@ -12074,7 +12154,7 @@
  		samba_stream_connect_winbind($1_t)
  	')
  
-@@ -962,21 +881,162 @@
+@@ -954,21 +881,162 @@
  ##	</summary>
  ## </param>
  #
@@ -12243,7 +12323,7 @@
  	domain_interactive_fd($1_t)
  
  	typeattribute $1_devpts_t user_ptynode;
-@@ -985,15 +1045,51 @@
+@@ -977,23 +1045,51 @@
  	typeattribute $1_tmp_t user_tmpfile;
  	typeattribute $1_tty_device_t user_ttynode;
  
@@ -12288,10 +12368,17 @@
 +	# Declarations
  	#
  
--	corecmd_exec_all_executables($1_t)
+-	# privileged home directory writers
+-	manage_dirs_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_lnk_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_sock_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	manage_fifo_files_pattern(privhome,{ $1_home_dir_t $1_home_t },$1_home_t)
+-	filetrans_pattern(privhome,$1_home_dir_t,$1_home_t,{ dir file lnk_file sock_file fifo_file })
 +	# Inherit rules for ordinary users.
 +	userdom_common_user_template($1)
-+
+ 
+-	corecmd_exec_all_executables($1_t)
 +	##############################
 +	#
 +	# Local policy
@@ -12718,7 +12805,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.0.6/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-08-22 07:14:11.000000000 -0400
-+++ serefpolicy-3.0.6/policy/modules/system/userdomain.te	2007-08-22 08:03:53.000000000 -0400
++++ serefpolicy-3.0.6/policy/modules/system/userdomain.te	2007-08-27 17:33:50.000000000 -0400
 @@ -74,6 +74,9 @@
  # users home directory contents
  attribute home_type;
@@ -12766,6 +12853,15 @@
  	apache_run_helper(sysadm_t,sysadm_r,admin_terminal)
  	#apache_run_all_scripts(sysadm_t,sysadm_r)
  	#apache_domtrans_sys_script(sysadm_t)
+@@ -278,7 +283,7 @@
+ ')
+ 
+ optional_policy(`
+-	certwatach_run(sysadm_t,sysadm_r,admin_terminal)
++	certwatch_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+ 
+ optional_policy(`
 @@ -286,14 +291,6 @@
  ')
  
@@ -12816,6 +12912,80 @@
 +tunable_policy(`allow_console_login', `
 +	term_use_console(userdomain)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.fc serefpolicy-3.0.6/policy/modules/system/virt.fc
+--- nsaserefpolicy/policy/modules/system/virt.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.6/policy/modules/system/virt.fc	2007-08-27 10:52:37.000000000 -0400
+@@ -0,0 +1 @@
++/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.6/policy/modules/system/virt.if
+--- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.6/policy/modules/system/virt.if	2007-08-27 10:53:48.000000000 -0400
+@@ -0,0 +1,58 @@
++## <summary>Virtualization </summary>
++
++########################################
++## <summary>
++##	Read virt library files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++#
++interface(`virt_read_lib_files',`
++	gen_require(`
++		type virt_var_lib_t;
++	')
++
++	files_list_var_lib($1)
++	read_files_pattern($1, virt_var_lib_t,virt_var_lib_t)
++')
++
++########################################
++## <summary>
++##	append virt library files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed access.
++## 	</summary>
++## </param>
++#
++interface(`virt_append_lib_files',`
++	gen_require(`
++		type virt_var_lib_t;
++	')
++
++	allow $1 virt_var_lib_t:file append;
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to read/write
++##	virt library files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed to transition.
++## 	</summary>
++## </param>
++#
++interface(`virt_rw_lib_files',`
++	gen_require(`
++		type virt_var_lib_t;
++	')
++
++	files_list_var_lib($1)
++	rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.6/policy/modules/system/virt.te
+--- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.0.6/policy/modules/system/virt.te	2007-08-27 10:52:32.000000000 -0400
+@@ -0,0 +1,3 @@
++# var/lib files
++type virt_var_lib_t;
++files_type(virt_var_lib_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.0.6/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2007-07-03 07:06:32.000000000 -0400
 +++ serefpolicy-3.0.6/policy/modules/system/xen.if	2007-08-22 08:03:53.000000000 -0400
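Review bot: `virt_append_lib_files` in the new virt.if grants only `allow $1 virt_var_lib_t:file append;`, with no `files_list_var_lib($1)` and no search permission on `virt_var_lib_t` directories, so unlike its two siblings it does not by itself let a caller reach files under /var/lib/libvirt. Callers that hit the resulting denial are likely to be moved to `virt_rw_lib_files`, which defeats the purpose of an append-only interface. Adding `files_list_var_lib($1)` and using `append_files_pattern($1,virt_var_lib_t,virt_var_lib_t)` would keep the three interfaces consistent, assuming that pattern macro is available in this refpolicy snapshot. The parameter summary of `virt_rw_lib_files` reads `Domain allowed to transition.` although the interface grants file access, so it should read `Domain allowed access.`. The three-line virt.te also has no `policy_module(virt,…)` header, which is presumably tolerated while `virt = base` but is worth confirming.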


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.510
retrieving revision 1.511
diff -u -r1.510 -r1.511
--- selinux-policy.spec	24 Aug 2007 21:38:11 -0000	1.510
+++ selinux-policy.spec	27 Aug 2007 21:43:05 -0000	1.511
@@ -16,8 +16,8 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.0.6
-Release: 3%{?dist}
+Version: 3.0.7
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -82,8 +82,8 @@
 cp -f $RPM_SOURCE_DIR/modules-%1.conf  ./policy/modules.conf \
 cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
 
-%define moduleList() %([ -f $RPM_SOURCE_DIR/modules-%{1}.conf ] && \
-awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' $RPM_SOURCE_DIR/modules-%{1}.conf )
+%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
+awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "-i %%s.pp ", $1 }' %{_sourcedir}/modules-%{1}.conf )
 
 %define installCmds() \
 make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 base.pp \
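Review bot: The comment filter in `moduleList` is carried over unchanged onto the new `%{_sourcedir}` line and does not filter anything. In `$1 !~ "/^#/"` the quoted string is used as the regular expression, slashes included, so a first field such as `#foo` is never rejected. Only the `$2 == "="` test keeps `# foo = module` lines out, while a line written `#foo = module` would still emit `-i #foo.pp`. Writing the test as `$1 !~ /^#/` would keep a commented-out module entry disabled regardless of spacing.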
@@ -289,6 +289,7 @@
 %loadpolicy targeted
 %relabel targeted
 if [ $1 = 0 ]; then
+semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 
 semanage user -a -P guest -R guest_r guest_u
 semanage user -a -P xguest -R xguest_r xguest_u 
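Review bot: The added `semanage login -m -s "system_u" __default__ 2> /dev/null` changes the SELinux user given to every Linux account without an explicit login mapping, yet it has no comment explaining why and it discards all error output. If the command fails, the previous default mapping silently stays in place and nothing in the package transaction output shows it. I would put a comment above it, for example `# remap __default__ logins to system_u (reason: TODO confirm with author)`, and drop the `2> /dev/null` or at least report a non-zero exit. The enclosing scriptlet starts and ends outside the hunk, so which scriptlet this `$1 = 0` branch belongs to cannot be checked from here.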
@@ -361,6 +362,9 @@
 %endif
 
 %changelog
+* Mon Aug 27 2007 Dan Walsh <dwalsh at redhat.com> 3.0.7-1
+- Update an readd modules
+
 * Fri Aug 24 2007 Dan Walsh <dwalsh at redhat.com> 3.0.6-3
 - Cleanup  spec file
 


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/sources,v
retrieving revision 1.133
retrieving revision 1.134
diff -u -r1.133 -r1.134
--- sources	22 Aug 2007 14:46:21 -0000	1.133
+++ sources	27 Aug 2007 21:43:05 -0000	1.134
@@ -1 +1 @@
-a5d797f1b43fd89f8f815f5cd2664999  serefpolicy-3.0.6.tgz
+cf3ad58b7f285398e7b19a9f2d097f8e  serefpolicy-3.0.7.tgz



