rpms/selinux-policy/F-8 policy-20070703.patch, 1.160, 1.161 selinux-policy.spec, 1.599, 1.600

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Dec 31 21:06:19 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31794

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-73
- Fix specification for clamav and clamd log files


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.160
retrieving revision 1.161
diff -u -r1.160 -r1.161
--- policy-20070703.patch	22 Dec 2007 12:15:41 -0000	1.160
+++ policy-20070703.patch	31 Dec 2007 21:06:12 -0000	1.161
@@ -3259,7 +3259,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if	2007-12-22 07:11:43.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if	2007-12-24 06:40:46.000000000 -0500
 @@ -36,6 +36,8 @@
  	gen_require(`
  		type mozilla_conf_t, mozilla_exec_t;
@@ -3353,11 +3353,12 @@
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
  
-@@ -113,10 +154,12 @@
+@@ -112,11 +153,13 @@
+ 	ps_process_pattern($2,$1_mozilla_t)
  	allow $2 $1_mozilla_t:process signal_perms;
  	
- 	kernel_read_kernel_sysctls($1_mozilla_t)
 +	kernel_read_fs_sysctls($1_mozilla_t)
+ 	kernel_read_kernel_sysctls($1_mozilla_t)
  	kernel_read_network_state($1_mozilla_t)
  	# Access /proc, sysctl
 -	kernel_read_system_state($1_mozilla_t)
@@ -3392,7 +3393,7 @@
  
  	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
  	
-@@ -184,16 +240,13 @@
+@@ -184,12 +240,8 @@
  	sysnet_dns_name_resolve($1_mozilla_t)
  	sysnet_read_config($1_mozilla_t)
  	
@@ -3407,12 +3408,7 @@
  	
  	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
  	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
- 	xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
-+	xserver_xdm_sigchld($1_mozilla_t)
- 
- 	tunable_policy(`allow_execmem',`
- 		allow $1_mozilla_t self:process { execmem execstack };
-@@ -211,131 +264,8 @@
+@@ -211,131 +263,8 @@
  		fs_manage_cifs_symlinks($1_mozilla_t)
  	')
  
@@ -3546,7 +3542,7 @@
  	')
  
  	optional_policy(`
-@@ -350,21 +280,27 @@
+@@ -350,21 +279,27 @@
  	optional_policy(`
  		cups_read_rw_config($1_mozilla_t)
  		cups_dbus_chat($1_mozilla_t)
@@ -3578,7 +3574,7 @@
  	')
  
  	optional_policy(`
-@@ -384,25 +320,6 @@
+@@ -384,25 +319,6 @@
  		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
  	')
  
@@ -3604,7 +3600,7 @@
  ')
  
  ########################################
-@@ -575,3 +492,27 @@
+@@ -575,3 +491,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -3910,8 +3906,16 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-12-21 13:30:42.000000000 -0500
-@@ -36,6 +36,11 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc	2007-12-31 06:44:32.000000000 -0500
+@@ -7,6 +7,7 @@
+ /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -36,6 +37,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
  
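Review bot: The new `/usr/bin/git-shell` entry is dropped between the `/bin/bash2` and `/bin/ksh.*` lines, so it breaks the path ordering of that block and is easy to miss later, while the file already has a `/usr` section where `/usr/sbin/sesh` carries the same `shell_exec_t` label. The label choice is the part worth recording: `shell_exec_t` is presumably needed so that a login over sshd with git-shell as the account shell transitions the way bash does, and nothing on the line says so. I would move the entry next to `/usr/sbin/sesh` with a comment such as `# git-shell is a restricted login shell; must be shell_exec_t so login domains transition on it like bash`.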
@@ -3923,7 +3927,7 @@
  /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
-@@ -108,7 +113,6 @@
+@@ -108,7 +114,6 @@
  /opt/RealPlayer/postint(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -3931,7 +3935,7 @@
  #
  # /usr
  #
-@@ -126,10 +130,10 @@
+@@ -126,10 +131,10 @@
  /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
@@ -3944,7 +3948,7 @@
  
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
-@@ -163,8 +167,13 @@
+@@ -163,8 +168,13 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
@@ -3959,7 +3963,7 @@
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
  /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
-@@ -180,6 +189,7 @@
+@@ -180,6 +190,7 @@
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/X11R6/lib(64)?/X11/xkb/xkbcomp --	gen_context(system_u:object_r:bin_t,s0)
@@ -3967,7 +3971,7 @@
  
  ifdef(`distro_gentoo', `
  /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -259,3 +269,23 @@
+@@ -259,3 +270,23 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4052,7 +4056,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2007-12-13 16:59:06.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2007-12-31 07:13:11.000000000 -0500
 @@ -55,6 +55,11 @@
  type reserved_port_t, port_type, reserved_port_type;
  
@@ -4087,7 +4091,7 @@
  network_port(innd, tcp,119,s0)
  network_port(ipp, tcp,631,s0, udp,631,s0)
  network_port(ircd, tcp,6667,s0)
-@@ -108,12 +115,15 @@
+@@ -108,12 +115,16 @@
  network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -4100,12 +4104,13 @@
  network_port(monopd, tcp,1234,s0)
 -network_port(mysqld, tcp,3306,s0)
 +network_port(msnp, tcp,1863,s0, udp,1863,s0)
++network_port(mythtv, tcp,6543,s0, udp,6543,s0)
 +network_port(mysqld, tcp,3306,s0, tcp,1186,s0)
 +portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
  network_port(netsupport, tcp,5405,s0, udp,5405,s0)
  network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -122,6 +132,7 @@
+@@ -122,6 +133,7 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
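Review bot: The added `network_port(mythtv, tcp,6543,s0, udp,6543,s0)` is placed before the `mysqld` entries, out of the alphabetical order the surrounding lines keep, and should sit after the `portcon tcp 63132-63163` line. Beyond ordering, labeling 6543 pulls it out of the generic unreserved range, so any domain that reaches that port today through an unreserved-port interface will start being denied, while no domain in this commit is granted the new `mythtv_port_t`. If the consumer rule lives in another part of the patch that is fine, but it is worth confirming it exists and covers both the tcp and udp entries being defined here.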
@@ -4113,7 +4118,7 @@
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -141,12 +152,12 @@
+@@ -141,12 +153,12 @@
  network_port(rsh, tcp,514,s0)
  network_port(rsync, tcp,873,s0, udp,873,s0)
  network_port(rwho, udp,513,s0)
@@ -4128,7 +4133,7 @@
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
  network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +171,19 @@
+@@ -160,13 +172,19 @@
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
  network_port(vnc, tcp,5900,s0)
@@ -4151,7 +4156,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-12-31 08:18:10.000000000 -0500
 @@ -4,6 +4,7 @@
  
  /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4160,7 +4165,7 @@
  /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
  /dev/aload.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/amidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -14,22 +15,31 @@
+@@ -14,22 +15,33 @@
  /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -4181,6 +4186,8 @@
  /dev/hw_random		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/hwrng		-c	gen_context(system_u:object_r:random_device_t,s0)
  /dev/i915		-c	gen_context(system_u:object_r:dri_device_t,s0)
++/dev/ipmi[0-9]+		-c	gen_context(system_u:object_r:ipmi_device_t,s0)
++/dev/ipmi/[0-9]+	-c	gen_context(system_u:object_r:ipmi_device_t,s0)
  /dev/irlpt[0-9]+	-c	gen_context(system_u:object_r:printer_device_t,s0)
 +/dev/elographics/e2201	-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
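Review bot: The two `ipmi_device_t` entries tighten access, since `/dev/ipmi*` presumably fell under the generic device label before, but nothing in this commit grants the new type to any domain and the devices.if hunk only updates a timestamp, so whatever currently talks to the BMC (ipmitool, sensor daemons) will begin to see denials once the nodes are relabeled. Given that `/dev/ipmi[0-9]+` exposes raw BMC commands (power control, event log and, on many boards, firmware access), the grant should be a deliberate interface rather than something sites add in a local module. I would pair these fc lines with a `dev_rw_ipmi_dev` interface in devices.if built from `rw_chr_files_pattern($1, device_t, ipmi_device_t)` and call it out in the changelog, which currently only mentions clamav.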
@@ -4192,7 +4199,7 @@
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -41,6 +51,11 @@
+@@ -41,6 +53,11 @@
  /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
@@ -4204,7 +4211,7 @@
  /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
  /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -49,6 +64,9 @@
+@@ -49,6 +66,9 @@
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
  /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4214,7 +4221,7 @@
  /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
  /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -65,9 +83,11 @@
+@@ -65,9 +85,11 @@
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
@@ -4226,7 +4233,7 @@
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -95,11 +115,21 @@
+@@ -95,11 +117,21 @@
  /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  
  /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4250,7 +4257,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.0.8/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.if	2007-12-18 10:37:23.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.if	2007-12-27 11:35:15.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -4427,8 +4434,20 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.0.8/policy/modules/kernel/devices.te
 --- nsaserefpolicy/policy/modules/kernel/devices.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.te	2007-12-02 21:15:34.000000000 -0500
-@@ -72,6 +72,13 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.te	2007-12-31 08:18:33.000000000 -0500
+@@ -66,12 +66,25 @@
+ dev_node(framebuf_device_t)
+ 
+ #
++# Type for /dev/ipmi/0
++#
++type ipmi_device_t;
++dev_node(ipmi_device_t)
++
++#
+ # Type for /dev/kmsg
+ #
+ type kmsg_device_t;
  dev_node(kmsg_device_t)
  
  #
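Review bot: The comment on the new type reads `# Type for /dev/ipmi/0`, but the matching devices.fc entries in this commit label `/dev/ipmi[0-9]+` and `/dev/ipmi/[0-9]+`, so the comment understates what the type covers and says nothing about what the device is. I would change it to `# Type for IPMI/BMC device nodes: /dev/ipmi[0-9]+ and /dev/ipmi/[0-9]+` so a reader knows this is the baseboard management interface rather than a single node. The `type X; dev_node(X)` shape matches the neighbouring entries, which is fine.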
@@ -5753,7 +5772,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-12-04 08:45:26.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-12-31 07:17:25.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -5782,7 +5801,15 @@
  
  	kernel_dontaudit_search_sysctl(httpd_$1_script_t)
  	kernel_dontaudit_search_kernel_sysctl(httpd_$1_script_t)
-@@ -120,10 +115,6 @@
+@@ -96,6 +91,7 @@
+ 	dev_read_urand(httpd_$1_script_t)
+ 
+ 	corecmd_exec_all_executables(httpd_$1_script_t)
++	application_exec_all(httpd_$1_script_t)
+ 
+ 	files_exec_etc_files(httpd_$1_script_t)
+ 	files_read_etc_files(httpd_$1_script_t)
+@@ -120,10 +116,6 @@
  		can_exec(httpd_$1_script_t, httpdcontent)
  	')
  
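Review bot: Adding `application_exec_all(httpd_$1_script_t)` directly under `corecmd_exec_all_executables(httpd_$1_script_t)` widens what user CGI scripts may execute, and the 3.0.8-73 changelog (clamav log contexts) does not mention it. If `application_exec_all` is the refpolicy wrapper that layers `application_exec` on top of `corecmd_exec_all_executables`, the existing line becomes redundant and the pair should collapse to the single call with a why-comment, e.g. `# CGI may exec user applications (application_exec_type), not only bin_t/shell_exec_t`; if only bin/shell access was intended, the new line should be dropped. The template body starts before and continues after this hunk.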
@@ -5793,7 +5820,7 @@
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
  		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-@@ -177,48 +168,6 @@
+@@ -177,48 +169,6 @@
  		miscfiles_read_localization(httpd_$1_script_t)
  	')
  
@@ -5842,7 +5869,7 @@
  	optional_policy(`
  		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
  			nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -265,12 +214,19 @@
+@@ -265,12 +215,19 @@
  template(`apache_per_role_template', `
  	gen_require(`
  		attribute httpdcontent, httpd_script_domains;
@@ -5864,7 +5891,7 @@
  	typeattribute httpd_$1_script_t httpd_script_domains;
  	userdom_user_home_content($1,httpd_$1_content_t)
  
-@@ -324,6 +280,7 @@
+@@ -324,6 +281,7 @@
  		userdom_search_user_home_dirs($1,httpd_t)
  		userdom_search_user_home_dirs($1,httpd_suexec_t)
  		userdom_search_user_home_dirs($1,httpd_$1_script_t)
@@ -5872,7 +5899,7 @@
  	')
  ')
  
-@@ -345,12 +302,11 @@
+@@ -345,12 +303,11 @@
  #
  template(`apache_read_user_scripts',`
  	gen_require(`
@@ -5889,7 +5916,7 @@
  ')
  
  ########################################
-@@ -371,12 +327,12 @@
+@@ -371,12 +328,12 @@
  #
  template(`apache_read_user_content',`
  	gen_require(`
@@ -5906,7 +5933,7 @@
  ')
  
  ########################################
-@@ -754,6 +710,7 @@
+@@ -754,6 +711,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -5914,7 +5941,7 @@
  ')
  
  ########################################
-@@ -838,6 +795,10 @@
+@@ -838,6 +796,10 @@
  		type httpd_sys_script_t;
  	')
  
@@ -5925,7 +5952,7 @@
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
  		domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
  	')
-@@ -925,7 +886,7 @@
+@@ -925,7 +887,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -5934,7 +5961,7 @@
  ')
  
  ########################################
-@@ -1005,6 +966,31 @@
+@@ -1005,6 +967,31 @@
  
  ########################################
  ## <summary>
@@ -5966,7 +5993,7 @@
  ##	Search system script state directory.
  ## </summary>
  ## <param name="domain">
-@@ -1056,3 +1042,138 @@
+@@ -1056,3 +1043,138 @@
  
  	allow httpd_t $1:process signal;
  ')
@@ -6107,7 +6134,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.te	2007-12-31 07:21:15.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(apache,1.7.1)
@@ -6258,7 +6285,18 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -330,6 +367,10 @@
+@@ -310,9 +347,7 @@
+ 
+ auth_use_nsswitch(httpd_t)
+ 
+-# execute perl
+-corecmd_exec_bin(httpd_t)
+-corecmd_exec_shell(httpd_t)
++application_exec_all(httpd_t)
+ 
+ domain_use_interactive_fds(httpd_t)
+ 
+@@ -330,6 +365,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
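Review bot: Replacing `corecmd_exec_bin(httpd_t)`/`corecmd_exec_shell(httpd_t)` with `application_exec_all(httpd_t)` is a broadening of the web server's execute rights, not an equivalent rewrite, and the removed `# execute perl` comment was the only explanation of why httpd_t needed exec at all. Keep a why-comment on the new line, e.g. `# execute perl and other application executables (application_exec_type)`, and since this sits outside every `httpd_enable_cgi`/`httpd_ssi_exec` tunable, confirm that httpd_t really needs application_exec_type rather than just bin_t/shell_exec_t. The changelog only mentions clamav, so this looks like it came along with a merge and deserves its own line there.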
@@ -6269,7 +6307,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -344,12 +385,8 @@
+@@ -344,12 +383,8 @@
  
  seutil_dontaudit_search_config(httpd_t)
  
@@ -6282,7 +6320,7 @@
  tunable_policy(`allow_httpd_anon_write',`
  	miscfiles_manage_public_files(httpd_t)
  ') 
-@@ -358,8 +395,16 @@
+@@ -358,8 +393,16 @@
  #
  # We need optionals to be able to be within booleans to make this work
  #
@@ -6299,7 +6337,7 @@
  ')
  ')
  
-@@ -367,6 +412,16 @@
+@@ -367,6 +410,16 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -6316,7 +6354,7 @@
  tunable_policy(`httpd_can_network_connect_db',`
  	# allow httpd to connect to mysql/posgresql
  	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +442,10 @@
+@@ -387,6 +440,10 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
@@ -6327,7 +6365,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -404,11 +463,21 @@
+@@ -404,11 +461,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -6349,7 +6387,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +499,12 @@
+@@ -430,6 +497,12 @@
  ')
  
  optional_policy(`
@@ -6362,7 +6400,7 @@
  	calamaris_read_www_files(httpd_t)
  ')
  
-@@ -442,8 +517,14 @@
+@@ -442,8 +515,14 @@
  ')
  
  optional_policy(`
@@ -6378,7 +6416,7 @@
  ')
  
  optional_policy(`
-@@ -457,11 +538,11 @@
+@@ -457,11 +536,11 @@
  optional_policy(`
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
@@ -6391,7 +6429,7 @@
  ')
  
  optional_policy(`
-@@ -481,6 +562,7 @@
+@@ -481,6 +560,7 @@
  ')
  
  optional_policy(`
@@ -6399,7 +6437,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -516,6 +598,13 @@
+@@ -516,6 +596,13 @@
  	userdom_use_sysadm_terms(httpd_helper_t)
  ')
  
@@ -6413,7 +6451,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -553,6 +642,7 @@
+@@ -553,6 +640,7 @@
  
  optional_policy(`
  	mysql_stream_connect(httpd_php_t)
@@ -6421,7 +6459,7 @@
  ')
  
  optional_policy(`
-@@ -567,7 +657,6 @@
+@@ -567,7 +655,6 @@
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -6429,7 +6467,7 @@
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
  
-@@ -581,6 +670,10 @@
+@@ -581,6 +668,10 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -6440,7 +6478,17 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -620,8 +713,6 @@
+@@ -590,8 +681,7 @@
+ fs_search_auto_mountpoints(httpd_suexec_t)
+ 
+ # for shell scripts
+-corecmd_exec_bin(httpd_suexec_t)
+-corecmd_exec_shell(httpd_suexec_t)
++application_exec_all(httpd_suexec_t)
+ 
+ files_read_etc_files(httpd_suexec_t)
+ files_read_usr_files(httpd_suexec_t)
+@@ -620,8 +710,6 @@
  	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
  	corenet_tcp_connect_all_ports(httpd_suexec_t)
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
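Review bot: `application_exec_all(httpd_suexec_t)` keeps the old `# for shell scripts` comment while granting considerably more than shell scripts, and suexec is the helper that holds `setuid setgid` (visible further down in this patch), so its execute set is the one that should stay narrow. Either restore `corecmd_exec_bin`/`corecmd_exec_shell` here or update the comment to say what the wider grant is for, e.g. `# suexec runs CGI as the target user; a CGI may be any application executable`. The httpd_suexec_t policy block begins before this hunk.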
@@ -6449,7 +6497,7 @@
  ')
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -634,6 +725,12 @@
+@@ -634,6 +722,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -6462,7 +6510,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +748,6 @@
+@@ -651,18 +745,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -6481,7 +6529,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -672,7 +757,8 @@
+@@ -672,7 +754,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -6491,7 +6539,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +772,62 @@
+@@ -686,15 +769,62 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -6555,7 +6603,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -707,6 +840,7 @@
+@@ -707,6 +837,7 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -6563,7 +6611,7 @@
  ')
  
  ########################################
-@@ -728,3 +862,46 @@
+@@ -728,3 +859,46 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -7013,7 +7061,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-3.0.8/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.fc	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/clamav.fc	2007-12-31 09:05:48.000000000 -0500
 @@ -5,16 +5,18 @@
  /usr/bin/freshclam		--	gen_context(system_u:object_r:freshclam_exec_t,s0)
  
@@ -7030,9 +7078,9 @@
  
 -/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 -/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
-+/var/log/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamav.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
  /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
-+/var/log/clamav.milter		--	gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
  
  /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
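Review bot: The new `/var/log/clamav.*` and `/var/log/clamd.*` specs drop both the `(/.*)?` anchoring and the `--` type qualifier, so they now match any path under `/var/log` that merely begins with `clamav` or `clamd` — directories, sockets and names like `clamav-milter*` included. That is presumably what the `clamav.milter` case needed, but the untouched `/var/log/clamav/freshclam.*` entry only keeps precedence because its literal stem is longer, which is easy to break on the next edit. I would add a comment above the block, `# clamav.*/clamd.* are deliberately broad (log dir, clamav.milter, clamd.log); freshclam.* must stay more specific`, or escape the dot (`/var/log/clamav\..*`) if only the dotted names were intended.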
@@ -7407,7 +7455,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.0.8/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cron.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cron.te	2007-12-27 07:19:45.000000000 -0500
 @@ -50,6 +50,7 @@
  
  type crond_tmp_t;
@@ -7472,7 +7520,12 @@
  
  corecmd_exec_shell(crond_t)
  corecmd_list_bin(crond_t)
-@@ -146,7 +157,9 @@
+@@ -142,11 +153,14 @@
+ files_search_default(crond_t)
+ 
+ init_rw_utmp(crond_t)
++init_spec_domtrans_script(crond_t)
+ 
  libs_use_ld_so(crond_t)
  libs_use_shared_libs(crond_t)
  
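Review bot: `init_spec_domtrans_script(crond_t)` lets the cron daemon itself, not its job domains, request a transition into the init-script domain, and nothing around it says which job or wrapper needs that hop. A why-comment would save the next reader a bisect, e.g. `# crond may setexeccon into the init script domain for jobs whose crontab context is initrc — confirm which job needs this`, and as a transition into a system domain it should appear in the changelog, which currently lists only the clamav fix. The crond_t policy block starts before this hunk.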
@@ -7482,7 +7535,7 @@
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -160,6 +173,16 @@
+@@ -160,6 +174,16 @@
  
  mta_send_mail(crond_t)
  
@@ -7499,7 +7552,7 @@
  ifdef(`distro_debian',`
  	optional_policy(`
  		# Debian logcheck has the home dir set to its cache
-@@ -180,29 +203,34 @@
+@@ -180,29 +204,34 @@
  	locallogin_link_keys(crond_t)
  ')
  
@@ -7542,7 +7595,7 @@
  ')
  
  optional_policy(`
-@@ -239,7 +267,6 @@
+@@ -239,7 +268,6 @@
  allow system_crond_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
  
@@ -7550,7 +7603,7 @@
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
  # not directly executed, crond must ensure that
-@@ -249,6 +276,8 @@
+@@ -249,6 +277,8 @@
  # for this purpose.
  allow system_crond_t system_cron_spool_t:file entrypoint;
  
@@ -7559,7 +7612,7 @@
  # Permit a transition from the crond_t domain to this domain.
  # The transition is requested explicitly by the modified crond 
  # via setexeccon.  There is no way to set up an automatic
-@@ -270,9 +299,16 @@
+@@ -270,9 +300,16 @@
  filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
  files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
  
@@ -7577,7 +7630,7 @@
  
  kernel_read_kernel_sysctls(system_crond_t)
  kernel_read_system_state(system_crond_t)
-@@ -326,7 +362,7 @@
+@@ -326,7 +363,7 @@
  init_read_utmp(system_crond_t)
  init_dontaudit_rw_utmp(system_crond_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -7586,7 +7639,7 @@
  
  libs_use_ld_so(system_crond_t)
  libs_use_shared_libs(system_crond_t)
-@@ -334,6 +370,7 @@
+@@ -334,6 +371,7 @@
  libs_exec_ld_so(system_crond_t)
  
  logging_read_generic_logs(system_crond_t)
@@ -7594,7 +7647,7 @@
  logging_send_syslog_msg(system_crond_t)
  
  miscfiles_read_localization(system_crond_t)
-@@ -384,6 +421,14 @@
+@@ -384,6 +422,14 @@
  ')
  
  optional_policy(`
@@ -7609,7 +7662,7 @@
  	mrtg_append_create_logs(system_crond_t)
  ')
  
-@@ -424,8 +469,7 @@
+@@ -424,8 +470,7 @@
  ')
  
  optional_policy(`
@@ -7619,7 +7672,7 @@
  ')
  
  optional_policy(`
-@@ -433,15 +477,12 @@
+@@ -433,15 +478,12 @@
  ')
  
  optional_policy(`
@@ -8102,7 +8155,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2007-12-21 16:31:32.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dbus.if	2007-12-24 06:13:08.000000000 -0500
 @@ -50,6 +50,12 @@
  ## </param>
  #
@@ -9688,7 +9741,7 @@
 +/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.0.8/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/lpd.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/lpd.if	2007-12-31 06:38:31.000000000 -0500
 @@ -303,6 +303,25 @@
  
  ########################################
@@ -9715,7 +9768,19 @@
  ##	Create, read, write, and delete printer spool files.
  ## </summary>
  ## <param name="domain">
-@@ -394,3 +413,22 @@
+@@ -317,10 +336,8 @@
+ 	')
+ 
+ 	files_search_spool($1)
++	manage_dirs_pattern($1,print_spool_t,print_spool_t)
+ 	manage_files_pattern($1,print_spool_t,print_spool_t)
+-
+-	# cjp: cups wants setattr
+-	allow $1 print_spool_t:dir setattr;
+ ')
+ 
+ ########################################
+@@ -394,3 +411,22 @@
  
  	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
  ')
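Review bot: `manage_dirs_pattern($1,print_spool_t,print_spool_t)` replaces the narrow `dir setattr` that the `# cjp: cups wants setattr` comment justified, so every caller of this interface can now create and delete spool directories, yet the summary above the hunk still says 'Create, read, write, and delete printer spool files'. Update it to `Create, read, write, and delete printer spool files and directories.` so the documentation matches the grant, and note the widening in the changelog since it applies to all existing callers, not just cups. The interface begins before this hunk.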
@@ -9738,6 +9803,35 @@
 +
 +	can_exec($1,lpr_exec_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.0.8/policy/modules/services/mailman.if
+--- nsaserefpolicy/policy/modules/services/mailman.if	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mailman.if	2007-12-31 14:17:27.000000000 -0500
+@@ -256,6 +256,25 @@
+ 
+ #######################################
+ ## <summary>
++##	read
++##	mailman logs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mailman_read_log',`
++	gen_require(`
++		type mailman_log_t;
++	')
++
++	read_files_pattern($1,mailman_log_t,mailman_log_t)
++')
++
++#######################################
++## <summary>
+ ##	Append to mailman logs.
+ ## </summary>
+ ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/mailman.te	2007-12-02 21:15:34.000000000 -0500
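Review bot: The new `mailman_read_log` grants `read_files_pattern` on `mailman_log_t` but, unlike `mta_read_queue` added elsewhere in this commit which pairs its pattern with `files_search_spool`, it gives the caller no search permission on the parent directory, so if the logs live under `/var/log` as the type name suggests most callers will still be denied at traversal. Add `logging_search_logs($1)` before the `read_files_pattern` line. The summary `read` / `mailman logs.` is also split across two lines; `Read mailman logs.` would match the `Append to mailman logs.` entry just below.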
@@ -9853,7 +9947,7 @@
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-12-06 16:44:16.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-12-27 11:44:18.000000000 -0500
 @@ -87,6 +87,8 @@
  	# It wants to check for nscd
  	files_dontaudit_search_pids($1_mail_t)
@@ -9967,7 +10061,15 @@
  	')
  
  	optional_policy(`
-@@ -447,20 +491,18 @@
+@@ -431,6 +475,7 @@
+ 		# apache should set close-on-exec
+ 		apache_dontaudit_rw_stream_sockets($1)
+ 		apache_dontaudit_rw_sys_script_stream_sockets($1)
++		apache_append_log($1)
+ 	')
+ ')
+ 
+@@ -447,20 +492,18 @@
  interface(`mta_send_mail',`
  	gen_require(`
  		attribute mta_user_agent;
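Review bot: `apache_append_log($1)` is an allow placed among `dontaudit` rules for descriptors inherited from apache (`# apache should set close-on-exec`), so every mail-agent domain that goes through this interface gains genuine append access to httpd logs instead of having a leaked-fd denial silenced. That lets anything sending mail from a CGI write arbitrary lines into the web server logs, which is log injection rather than a noise fix. If the goal is only to quiet the inherited-fd denial, a dontaudit equivalent (`apache_dontaudit_append_log`, if this policy tree has it) keeps the existing pattern; otherwise a comment should state why append is actually required. The interface body continues outside the hunk.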
@@ -9994,7 +10096,7 @@
  ')
  
  ########################################
-@@ -595,6 +637,25 @@
+@@ -595,6 +638,25 @@
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file { rw_file_perms setattr };
  ')
@@ -10020,6 +10122,30 @@
  
  #######################################
  ## <summary>
+@@ -901,3 +963,23 @@
+ 
+ 	allow $1 user_mail_domain:unix_stream_socket rw_socket_perms;
+ ')
++
++########################################
++## <summary>
++##	read mail queue files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mta_read_queue',`
++	gen_require(`
++		type mqueue_spool_t;
++	')
++
++	files_search_spool($1)
++	read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/mta.te	2007-12-02 21:15:34.000000000 -0500
@@ -10116,6 +10242,17 @@
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.0.8/policy/modules/services/munin.fc
+--- nsaserefpolicy/policy/modules/services/munin.fc	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/munin.fc	2007-12-26 20:33:19.000000000 -0500
+@@ -6,6 +6,6 @@
+ /usr/share/munin/plugins/.*	--	gen_context(system_u:object_r:munin_exec_t,s0)
+ 
+ /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
+-/var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
++/var/log/munin.*			gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+ /var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if
 --- nsaserefpolicy/policy/modules/services/munin.if	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/munin.if	2007-12-02 21:15:34.000000000 -0500
@@ -10235,7 +10372,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.0.8/policy/modules/services/mysql.te
 --- nsaserefpolicy/policy/modules/services/mysql.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mysql.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mysql.te	2007-12-31 06:59:24.000000000 -0500
 @@ -25,6 +25,9 @@
  type mysqld_tmp_t;
  files_tmp_file(mysqld_tmp_t)
@@ -10246,6 +10383,16 @@
  ########################################
  #
  # Local policy
+@@ -33,7 +36,8 @@
+ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
+ dontaudit mysqld_t self:capability sys_tty_config;
+ allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+-allow mysqld_t self:fifo_file { read write };
++allow mysqld_t self:fifo_file rw_fifo_file_perms;
++allow mysqld_t self:shm create_shm_file_perms;
+ allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+ allow mysqld_t self:tcp_socket create_stream_socket_perms;
+ allow mysqld_t self:udp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.0.8/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/nagios.fc	2007-12-02 21:15:34.000000000 -0500
@@ -10405,16 +10552,21 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc	2007-12-02 21:15:34.000000000 -0500
-@@ -5,3 +5,4 @@
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc	2007-12-31 08:48:19.000000000 -0500
+@@ -1,7 +1,9 @@
+ /usr/s?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ /usr/s?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
+ 
+ /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/log/wpa_supplicant.log	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2007-12-02 21:15:34.000000000 -0500
-@@ -97,3 +97,24 @@
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if	2007-12-31 08:56:04.000000000 -0500
+@@ -97,3 +97,42 @@
  	allow $1 NetworkManager_t:dbus send_msg;
  	allow NetworkManager_t $1:dbus send_msg;
  ')
@@ -10439,15 +10591,33 @@
 +	dontaudit $1 NetworkManager_t:dbus send_msg;
 +	dontaudit NetworkManager_t $1:dbus send_msg;
 +')
++
++########################################
++## <summary>
++##	Send a generic signal to NetworkManager
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_signal',`
++	gen_require(`
++		type NetworkManager_t;
++	')
++
++	allow $1 NetworkManager_t:process signal;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te	2007-12-26 20:31:56.000000000 -0500
 @@ -13,6 +13,9 @@
  type NetworkManager_var_run_t;
  files_pid_file(NetworkManager_var_run_t)
  
 +type NetworkManager_log_t;
-+files_pid_file(NetworkManager_log_t)
++logging_log_file(NetworkManager_log_t)
 +
  ########################################
  #
@@ -11217,7 +11387,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/postfix.te	2007-12-31 14:17:40.000000000 -0500
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -11309,15 +11479,16 @@
  mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
-@@ -275,6 +302,7 @@
+@@ -275,6 +302,8 @@
  optional_policy(`
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
 +	mailman_append_log(postfix_local_t)
++	mailman_read_log(postfix_local_t)
  ')
  
  optional_policy(`
-@@ -327,6 +355,8 @@
+@@ -327,6 +356,8 @@
  files_read_etc_runtime_files(postfix_map_t)
  files_dontaudit_search_var(postfix_map_t)
  
@@ -11326,7 +11497,7 @@
  libs_use_ld_so(postfix_map_t)
  libs_use_shared_libs(postfix_map_t)
  
-@@ -334,10 +364,6 @@
+@@ -334,10 +365,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -11337,7 +11508,7 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -350,10 +376,6 @@
+@@ -350,10 +377,6 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -11348,7 +11519,7 @@
  ########################################
  #
  # Postfix pickup local policy
-@@ -377,7 +399,7 @@
+@@ -377,7 +400,7 @@
  # Postfix pipe local policy
  #
  
@@ -11357,7 +11528,7 @@
  
  write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
  
-@@ -386,6 +408,10 @@
+@@ -386,6 +409,10 @@
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
  optional_policy(`
@@ -11368,7 +11539,7 @@
  	procmail_domtrans(postfix_pipe_t)
  ')
  
-@@ -394,6 +420,10 @@
+@@ -394,6 +421,10 @@
  ')
  
  optional_policy(`
@@ -11379,7 +11550,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -418,14 +448,17 @@
+@@ -418,14 +449,17 @@
  term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
  term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
  
@@ -11399,7 +11570,7 @@
  optional_policy(`
  	ppp_use_fds(postfix_postqueue_t)
  	ppp_sigchld(postfix_postqueue_t)
-@@ -454,8 +487,6 @@
+@@ -454,8 +488,6 @@
  init_sigchld_script(postfix_postqueue_t)
  init_use_script_fds(postfix_postqueue_t)
  
@@ -11408,7 +11579,7 @@
  ########################################
  #
  # Postfix qmgr local policy
-@@ -498,15 +529,11 @@
+@@ -498,15 +530,11 @@
  term_use_all_user_ptys(postfix_showq_t)
  term_use_all_user_ttys(postfix_showq_t)
  
@@ -11424,7 +11595,7 @@
  # connect to master process
  stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
-@@ -514,6 +541,8 @@
+@@ -514,6 +542,8 @@
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -11433,7 +11604,7 @@
  optional_policy(`
  	cyrus_stream_connect(postfix_smtp_t)
  ')
-@@ -538,9 +567,45 @@
+@@ -538,9 +568,45 @@
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
@@ -11688,9 +11859,51 @@
  ##	Read PPP-writable configuration files.
  ## </summary>
  ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.0.8/policy/modules/services/ppp.te
+--- nsaserefpolicy/policy/modules/services/ppp.te	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ppp.te	2007-12-31 08:55:01.000000000 -0500
+@@ -197,11 +197,7 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(pppd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(pppd_t)
++	NetworkManager_signal(pppd_t)
+ ')
+ 
+ optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.if serefpolicy-3.0.8/policy/modules/services/procmail.if
+--- nsaserefpolicy/policy/modules/services/procmail.if	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/procmail.if	2007-12-31 15:18:54.000000000 -0500
+@@ -39,3 +39,22 @@
+ 	corecmd_search_bin($1)
+ 	can_exec($1,procmail_exec_t)
+ ')
++
++########################################
++## <summary>
++##	Read procmail tmp files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`procmail_read_tmp_files',`
++	gen_require(`
++		type procmail_tmp_t;
++	')
++
++	files_search_tmp($1)
++	allow $1 procmail_tmp_t:file read_file_perms;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/procmail.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/procmail.te	2007-12-26 18:17:07.000000000 -0500
 @@ -30,6 +30,8 @@
  allow procmail_t procmail_tmp_t:file manage_file_perms;
  files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
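Review bot: Removing the `nis_use_ypbind(pppd_t)` and `nscd_socket_use(pppd_t)` optional blocks in ppp.te looks unrelated to the NetworkManager signal being added in their place, and the hunk header (`-197,11 +197,7`) confirms a net loss of four lines; if this was not intended, pppd loses NIS/nscd name-service access as a silent regression. If the removal is deliberate, a one-line comment explaining why would help the next reader. In `procmail_read_tmp_files`, the direct `allow $1 procmail_tmp_t:file read_file_perms;` is inconsistent with the `read_files_pattern($1,mqueue_spool_t,mqueue_spool_t)` style used by the new `mta_read_queue` in this same patch; `read_files_pattern($1,procmail_tmp_t,procmail_tmp_t)` would match and also cover the directory search permission. The enclosing procmail.te hunk continues outside this unit.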
@@ -11739,7 +11952,12 @@
  ')
  
  optional_policy(`
-@@ -129,3 +133,7 @@
+@@ -125,7 +129,12 @@
+ 	corenet_udp_bind_generic_port(procmail_t)
+ 	corenet_dontaudit_udp_bind_all_ports(procmail_t)
+ 
++	spamassassin_read_user_home_files(procmail_t)
+ 	spamassassin_exec(procmail_t)
  	spamassassin_exec_client(procmail_t)
  	spamassassin_read_lib_files(procmail_t)
  ')
@@ -11772,6 +11990,32 @@
  ')
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.0.8/policy/modules/services/pyzor.te
+--- nsaserefpolicy/policy/modules/services/pyzor.te	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/pyzor.te	2007-12-31 15:18:29.000000000 -0500
+@@ -68,6 +68,8 @@
+ 
+ miscfiles_read_localization(pyzor_t)
+ 
++mta_read_queue(pyzor_t)
++
+ userdom_dontaudit_search_sysadm_home_dirs(pyzor_t)
+ 
+ optional_policy(`
+@@ -76,8 +78,13 @@
+ ')
+ 
+ optional_policy(`
++	procmail_read_tmp_files(pyzor_t)
++')
++
++optional_policy(`
+ 	spamassassin_signal_spamd(pyzor_t)
+ 	spamassassin_read_spamd_tmp_files(pyzor_t)
++	userdom_read_user_home_content_files(unconfined,pyzor_t)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.fc serefpolicy-3.0.8/policy/modules/services/radius.fc
 --- nsaserefpolicy/policy/modules/services/radius.fc	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/radius.fc	2007-12-02 21:15:34.000000000 -0500
@@ -13093,7 +13337,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te	2007-12-17 13:48:38.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te	2007-12-31 15:41:55.000000000 -0500
 @@ -20,19 +20,22 @@
  mta_mailserver_delivery(sendmail_t)
  mta_mailserver_sender(sendmail_t)
@@ -13108,8 +13352,9 @@
  #
  
 -allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
+-allow sendmail_t self:process signal;
 +allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
- allow sendmail_t self:process signal;
++allow sendmail_t self:process { signal signull };
  allow sendmail_t self:fifo_file rw_fifo_file_perms;
  allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
  allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -13454,7 +13699,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if	2007-12-18 13:43:52.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if	2007-12-26 18:17:32.000000000 -0500
 @@ -286,6 +286,12 @@
  		userdom_manage_user_home_content_symlinks($1,spamd_t)
  	')
@@ -13468,7 +13713,15 @@
  	tunable_policy(`use_nfs_home_dirs',`
  		fs_manage_nfs_dirs($1_spamassassin_t)
  		fs_manage_nfs_files($1_spamassassin_t)
-@@ -531,3 +537,21 @@
+@@ -472,6 +478,7 @@
+ 	')
+ 
+ 	files_search_var_lib($1)
++	read_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+ 	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+ ')
+ 
+@@ -531,3 +538,56 @@
  
  	dontaudit $1 spamd_tmp_t:sock_file getattr;
  ')
@@ -13490,9 +13743,44 @@
 +
 +	stream_connect_pattern($1,spamd_var_run_t,spamd_var_run_t,spamd_t)
 +')
++
++########################################
++## <summary>
++##	Read spamassassin per user homedir
++## </summary>
++## <desc>
++##	<p>
++##	Read spamassassin per user homedir
++##	</p>
++##	<p>
++##	This is a templated interface, and should only
++##	be called from a per-userdomain template.
++##	</p>
++## </desc>
++## <param name="userdomain_prefix">
++##	<summary>
++##	The prefix of the user domain (e.g., user
++##	is the prefix for user_t).
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++template(`spamassassin_read_user_home_files',`
++	gen_require(`
++		type user_spamassassin_home_t;
++	')
++
++	allow $1 user_spamassassin_home_t:dir list_dir_perms;
++	allow $1 user_spamassassin_home_t:file read_file_perms;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te	2007-12-18 13:54:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te	2007-12-27 11:47:32.000000000 -0500
 @@ -81,11 +81,12 @@
  
  # var/lib files for spamd
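Review bot: The documentation on `spamassassin_read_user_home_files` does not match its body: the header declares a `userdomain_prefix` parameter and says `$1` is the prefix with the domain as the second argument, yet the body uses `$1` as the domain and hard-codes `user_spamassassin_home_t`, and the procmail.te hunk calls it with a single argument, `spamassassin_read_user_home_files(procmail_t)`. Either the `<param name="userdomain_prefix">` block and the "templated interface" paragraph should be dropped and the definition changed to `interface(`spamassassin_read_user_home_files',`, or the body should use `$1_spamassassin_home_t` and `$2` so the template works for other user prefixes as advertised. As written, a caller following the doc would pass two arguments and get the wrong type.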
@@ -14279,8 +14567,8 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-12-04 15:52:53.000000000 -0500
-@@ -116,8 +116,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-12-31 07:34:12.000000000 -0500
+@@ -116,16 +116,19 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
  	dev_manage_dri_dev($1_xserver_t)
@@ -14290,7 +14578,10 @@
  	# raw memory access is needed if not using the frame buffer
  	dev_read_raw_memory($1_xserver_t)
  	dev_wx_raw_memory($1_xserver_t)
-@@ -126,6 +125,8 @@
+ 	# for other device nodes such as the NVidia binary-only driver
+ 	dev_rw_xserver_misc($1_xserver_t)
++	dev_setattr_xserver_misc_dev($1_xserver_t)
++
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
  	dev_rwx_zero($1_xserver_t)
@@ -14299,7 +14590,7 @@
  
  	domain_mmap_low($1_xserver_t)
  
-@@ -141,10 +142,12 @@
+@@ -141,10 +144,12 @@
  	fs_getattr_xattr_fs($1_xserver_t)
  	fs_search_nfs($1_xserver_t)
  	fs_search_auto_mountpoints($1_xserver_t)
@@ -14313,7 +14604,7 @@
  	term_setattr_unallocated_ttys($1_xserver_t)
  	term_use_unallocated_ttys($1_xserver_t)
  
-@@ -178,13 +181,7 @@
+@@ -178,13 +183,7 @@
  		auth_search_pam_console_data($1_xserver_t)
  	')
  
@@ -14328,7 +14619,7 @@
  
  	optional_policy(`
  		rhgb_getpgid($1_xserver_t)
-@@ -251,7 +248,7 @@
+@@ -251,7 +250,7 @@
  	userdom_user_home_content($1,$1_fonts_cache_t)
  
  	type $1_fonts_config_t, fonts_config_type;
@@ -14337,7 +14628,7 @@
  
  	type $1_iceauth_t;
  	domain_type($1_iceauth_t)
-@@ -282,11 +279,15 @@
+@@ -282,11 +281,15 @@
  	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
  
  	allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -14353,7 +14644,7 @@
  
  	manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
  	manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -316,6 +317,7 @@
+@@ -316,6 +319,7 @@
  	userdom_use_user_ttys($1,$1_xserver_t)
  	userdom_setattr_user_ttys($1,$1_xserver_t)
  	userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -14361,7 +14652,7 @@
  
  	xserver_use_user_fonts($1,$1_xserver_t)
  	xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -324,13 +326,6 @@
+@@ -324,13 +328,6 @@
  		userhelper_search_config($1_xserver_t)
  	')
  
@@ -14375,7 +14666,7 @@
  	##############################
  	#
  	# $1_xauth_t Local policy
-@@ -353,12 +348,6 @@
+@@ -353,12 +350,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
  
@@ -14388,7 +14679,7 @@
  	domain_use_interactive_fds($1_xauth_t)
  
  	files_read_etc_files($1_xauth_t)
-@@ -387,6 +376,14 @@
+@@ -387,6 +378,14 @@
  	')
  
  	optional_policy(`
@@ -14403,7 +14694,7 @@
  		nis_use_ypbind($1_xauth_t)
  	')
  
-@@ -536,17 +533,16 @@
+@@ -536,17 +535,16 @@
  template(`xserver_user_client_template',`
  
  	gen_require(`
@@ -14428,7 +14719,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +551,55 @@
+@@ -555,25 +553,55 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -14492,7 +14783,7 @@
  	')
  ')
  
-@@ -626,6 +652,24 @@
+@@ -626,6 +654,24 @@
  
  ########################################
  ## <summary>
@@ -14517,7 +14808,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +703,73 @@
+@@ -659,6 +705,73 @@
  
  ########################################
  ## <summary>
@@ -14591,7 +14882,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -927,6 +1038,7 @@
+@@ -927,6 +1040,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -14599,7 +14890,7 @@
  ')
  
  ########################################
-@@ -987,6 +1099,37 @@
+@@ -987,6 +1101,37 @@
  
  ########################################
  ## <summary>
@@ -14637,7 +14928,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1136,7 +1279,7 @@
+@@ -1136,7 +1281,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -14646,31 +14937,13 @@
  ')
  
  ########################################
-@@ -1325,3 +1468,82 @@
+@@ -1325,3 +1470,64 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
 +
 +########################################
 +## <summary>
-+##	Sigchld XDM 
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain to not audit
-+##	</summary>
-+## </param>
-+#
-+interface(`xserver_xdm_sigchld',`
-+	gen_require(`
-+		type xdm_t;
-+	')
-+
-+	allow $1 xdm_t:process sigchld;
-+')
-+
-+########################################
-+## <summary>
 +##	Connect to apmd over an unix stream socket.
 +## </summary>
 +## <param name="domain">
@@ -15836,7 +16109,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/init.if	2007-12-27 07:18:07.000000000 -0500
 @@ -211,6 +211,21 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -16074,7 +16347,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-12-13 14:24:45.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/init.te	2007-12-31 09:16:41.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -16138,7 +16411,7 @@
  	userdom_shell_domtrans_sysadm(init_t)
 +',`
 +	optional_policy(`
-+		unconfined_shell_domtrans(init_t)
++		unconfined_shel_domtrans(init_t)
 +		unconfined_domain(init_t)
 +	')
  ')
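Review bot: `unconfined_shel_domtrans(init_t)` replaces the previously spelled `unconfined_shell_domtrans(init_t)`; unless unconfined.if in this patch actually defines an interface with the `shel` spelling, this is a typo that leaves an unexpanded macro in init.te and will break the policy build of the unconfined-init branch. It should read `unconfined_shell_domtrans(init_t)`. The enclosing `ifdef`/`optional_policy` block begins outside this hunk.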
@@ -16457,7 +16730,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2007-12-17 11:22:51.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc	2007-12-27 11:39:05.000000000 -0500
 @@ -65,11 +65,15 @@
  /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -16523,7 +16796,7 @@
  /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  # vmware 
-@@ -284,3 +296,11 @@
+@@ -284,3 +296,14 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -16535,6 +16808,9 @@
 +/usr/lib/maxima/[^/]+/binary-gcl/maxima  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/opt/Adobe/Reader8/Reader/intellinux/plug_ins/.*\.api	 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
++/usr/lib/libswscale\.so.*				 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib64/libswscale\.so.*				 --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.8/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-10-22 13:21:39.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/libraries.te	2007-12-10 16:27:26.000000000 -0500
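Review bot: The two new libswscale entries spell out `/usr/lib/` and `/usr/lib64/` separately, whereas the rest of libraries.fc (see the M2Crypto line in the preceding hunk) uses the single `/usr/lib(64)?/` form; `/usr/lib(64)?/libswscale\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)` would be consistent and halve the maintenance. Since `textrel_shlib_t` permits text relocations (execmod) on the library, a brief comment recording why libswscale needs it would help a future reviewer decide whether the exemption can be dropped once the library is fixed upstream.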
@@ -16986,7 +17262,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/logging.te	2007-12-25 07:00:48.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(logging,1.7.3)
@@ -17083,7 +17359,18 @@
  logging_send_syslog_msg(auditd_t)
  
  libs_use_ld_so(auditd_t)
-@@ -194,6 +208,7 @@
+@@ -157,6 +171,10 @@
+ userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
+ 
+ optional_policy(`
++	mta_send_mail(auditd_t)
++')
++
++optional_policy(`
+ 	seutil_sigchld_newrole(auditd_t)
+ ')
+ 
+@@ -194,6 +212,7 @@
  
  fs_getattr_all_fs(klogd_t)
  fs_search_auto_mountpoints(klogd_t)
@@ -17091,7 +17378,7 @@
  
  domain_use_interactive_fds(klogd_t)
  
-@@ -241,12 +256,16 @@
+@@ -241,12 +260,16 @@
  allow syslogd_t self:udp_socket create_socket_perms;
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
@@ -17108,7 +17395,7 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
-@@ -255,6 +274,9 @@
+@@ -255,6 +278,9 @@
  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
  
@@ -17118,7 +17405,7 @@
  allow syslogd_t syslogd_var_run_t:file manage_file_perms;
  files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
  
-@@ -312,6 +334,7 @@
+@@ -312,6 +338,7 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -17501,7 +17788,7 @@
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/mount.te	2007-12-21 02:36:44.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/mount.te	2007-12-31 11:02:48.000000000 -0500
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -19148,7 +19435,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-12-22 07:12:33.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-12-31 09:17:49.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -20217,7 +20504,19 @@
  ')
  
  ########################################
-@@ -4574,6 +4757,7 @@
+@@ -4444,9 +4627,11 @@
+ interface(`userdom_dontaudit_search_sysadm_home_dirs',`
+ 	gen_require(`
+ 		type sysadm_home_dir_t;
++		type user_home_dir_t;
+ 	')
+ 
+ 	dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
++	dontaudit $1 user_home_dir_t:dir search_dir_perms;
+ ')
+ 
+ ########################################
+@@ -4574,6 +4759,7 @@
  	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
  	read_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
  	read_lnk_files_pattern($1,{ sysadm_home_dir_t sysadm_home_t },sysadm_home_t)
@@ -20225,7 +20524,7 @@
  ')
  
  ########################################
-@@ -4609,11 +4793,29 @@
+@@ -4609,11 +4795,29 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -20256,7 +20555,7 @@
  ')
  
  ########################################
-@@ -4633,6 +4835,14 @@
+@@ -4633,6 +4837,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -20271,7 +20570,7 @@
  ')
  
  ########################################
-@@ -5323,7 +5533,7 @@
+@@ -5323,7 +5535,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -20280,7 +20579,7 @@
  ')
  
  ########################################
-@@ -5346,6 +5556,25 @@
+@@ -5346,6 +5558,25 @@
  
  ########################################
  ## <summary>
@@ -20306,7 +20605,7 @@
  ##	Write all unprivileged users files in /tmp
  ## </summary>
  ## <param name="domain">
-@@ -5529,6 +5758,24 @@
+@@ -5529,6 +5760,24 @@
  
  ########################################
  ## <summary>
@@ -20331,7 +20630,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5806,419 @@
+@@ -5559,3 +5808,419 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -21199,7 +21498,7 @@
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.0.8/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/guest.te	2007-12-21 16:23:42.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/users/guest.te	2007-12-22 07:19:20.000000000 -0500
 @@ -0,0 +1,12 @@
 +policy_module(guest,1.0.1)
 +userdom_restricted_user_template(guest)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.599
retrieving revision 1.600
diff -u -r1.599 -r1.600
--- selinux-policy.spec	22 Dec 2007 12:18:57 -0000	1.599
+++ selinux-policy.spec	31 Dec 2007 21:06:12 -0000	1.600
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 72%{?dist}
+Release: 73%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -382,8 +382,12 @@
 %endif
 
 %changelog
+* Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-73
+- Fix specification for clamav and clamd log files
+
 * Sat Dec 22 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-72
 - Fixes to make confined mozilla work better
+- Allow procmail to transition to spamd
 
 * Fri Dec 21 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-71
 - add file context for nspluginwrapper