rpms/selinux-policy/F-7 policy-20070501.patch, 1.85, 1.86 selinux-policy.spec, 1.514, 1.515

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Dec 31 21:06:32 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31838

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-67
- Allow ppp to signal networkmanager
- Allow mount to transition to lvm


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.85
retrieving revision 1.86
diff -u -r1.85 -r1.86
--- policy-20070501.patch	27 Dec 2007 01:16:34 -0000	1.85
+++ policy-20070501.patch	31 Dec 2007 21:06:21 -0000	1.86
@@ -1827,8 +1827,16 @@
  /opt/vmware/workstation/bin/vmnet-bridge --	gen_context(system_u:object_r:vmware_host_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-11-14 10:47:47.000000000 -0500
-@@ -36,6 +36,11 @@
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-12-31 06:44:11.000000000 -0500
+@@ -7,6 +7,7 @@
+ /bin/d?ash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/bash2			--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/bin/git-shell		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/ksh.*			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/sash			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /bin/tcsh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -36,6 +37,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
  
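Review bot: The new `/usr/bin/git-shell` entry is placed inside the `/bin/*` group although the file lists `/usr/…` shell binaries such as `/usr/sbin/sesh` further down; move it beside that line so the listing stays path-ordered. Labelling it `shell_exec_t` also means every domain with a shell exec or shell domain-transition rule now covers git-shell, which is presumably wanted for git-only login accounts but is not mentioned in the changelog, so a one-line comment above the entry stating that purpose would help the next reader.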
@@ -1840,7 +1848,7 @@
  /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
-@@ -72,10 +77,6 @@
+@@ -72,10 +78,6 @@
  /etc/mysql/debian-start		--	gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -1851,7 +1859,7 @@
  #
  # /lib
  #
-@@ -131,7 +132,10 @@
+@@ -131,7 +133,10 @@
  /usr/lib(64)?/apt/methods.+	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/courier(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
@@ -1863,7 +1871,7 @@
  /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib(64)?/emacsen-common/.*		gen_context(system_u:object_r:bin_t,s0)
-@@ -164,6 +168,10 @@
+@@ -164,6 +169,10 @@
  /usr/libexec/openssh/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
  
  /usr/local/lib(64)?/ipsec/.*	-- 	gen_context(system_u:object_r:bin_t,s0)
@@ -1874,7 +1882,7 @@
  
  /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
  
-@@ -189,6 +197,7 @@
+@@ -189,6 +198,7 @@
  ifdef(`distro_redhat', `
  /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
@@ -1882,7 +1890,7 @@
  /usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -220,6 +229,7 @@
+@@ -220,6 +230,7 @@
  /usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -1890,7 +1898,7 @@
  /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -248,6 +258,7 @@
+@@ -248,6 +259,7 @@
  /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
  
  /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
@@ -1898,7 +1906,7 @@
  
  /var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
  /var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
-@@ -256,3 +267,18 @@
+@@ -256,3 +268,18 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -2056,7 +2064,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in	2007-11-07 08:37:43.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in	2007-12-31 07:12:48.000000000 -0500
 @@ -48,6 +48,11 @@
  type reserved_port_t, port_type, reserved_port_type;
  
@@ -2086,7 +2094,7 @@
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -100,7 +106,7 @@
+@@ -100,11 +106,12 @@
  network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
  network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
  network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -2095,7 +2103,12 @@
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
  network_port(lmtp, tcp,24,s0, udp,24,s0)
  network_port(mail, tcp,2000,s0)
-@@ -114,6 +120,7 @@
+ network_port(monopd, tcp,1234,s0)
++network_port(mythtv, tcp,6543,s0, udp,6543,s0)
+ network_port(mysqld, tcp,3306,s0)
+ network_port(nessus, tcp,1241,s0)
+ network_port(netsupport, tcp,5405,s0, udp,5405,s0)
+@@ -114,6 +121,7 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
@@ -2103,7 +2116,7 @@
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postgresql, tcp,5432,s0)
-@@ -152,13 +159,18 @@
+@@ -152,13 +160,18 @@
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
  network_port(vnc, tcp,5900,s0)
@@ -3645,7 +3658,7 @@
 +/var/www/html/[^/]*/cgi-bin(/.*)?	gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-2.6.4/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.if	2007-09-05 07:17:12.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.if	2007-12-31 07:12:12.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -3673,7 +3686,15 @@
  
  	allow httpd_$1_script_t httpd_$1_script_ra_t:dir { list_dir_perms add_entry_dir_perms };
  	read_files_pattern(httpd_$1_script_t,httpd_$1_script_ra_t,httpd_$1_script_ra_t)
-@@ -120,10 +116,6 @@
+@@ -96,6 +92,7 @@
+ 	dev_read_urand(httpd_$1_script_t)
+ 
+ 	corecmd_exec_all_executables(httpd_$1_script_t)
++	application_exec_all(httpd_$1_script_t)
+ 
+ 	files_exec_etc_files(httpd_$1_script_t)
+ 	files_read_etc_files(httpd_$1_script_t)
+@@ -120,10 +117,6 @@
  		can_exec(httpd_$1_script_t, httpdcontent)
  	')
  
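Review bot: `application_exec_all(httpd_$1_script_t)` widens what every per-user CGI script domain may execute to every `application_exec_type` file, on top of the `corecmd_exec_all_executables` line directly above it, and the changelog does not mention it. Because the hunk keeps the corecmd call, the two sets are evidently treated as distinct here; a comment such as `# scripts may also run any application executable, not only bin_t/shell_exec_t` above the new line would record the intent. The enclosing template starts outside the hunk.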
@@ -3684,7 +3705,7 @@
  	# Allow the web server to run scripts and serve pages
  	tunable_policy(`httpd_builtin_scripting',`
  		manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-@@ -214,10 +206,6 @@
+@@ -214,10 +207,6 @@
  	')
  
  	optional_policy(`
@@ -3695,7 +3716,7 @@
  		tunable_policy(`httpd_enable_cgi && allow_ypbind',`
  			nis_use_ypbind_uncond(httpd_$1_script_t)
  		')
-@@ -268,8 +256,11 @@
+@@ -268,8 +257,11 @@
  	')
  
  	apache_content_template($1)
@@ -3708,7 +3729,7 @@
  	userdom_user_home_content($1,httpd_$1_content_t)
  
  	role $3 types httpd_$1_script_t;
-@@ -434,6 +425,24 @@
+@@ -434,6 +426,24 @@
  
  ########################################
  ## <summary>
@@ -3733,7 +3754,7 @@
  ##	Inherit and use file descriptors from Apache.
  ## </summary>
  ## <param name="domain">
-@@ -752,6 +761,7 @@
+@@ -752,6 +762,7 @@
  	')
  
  	allow $1 httpd_modules_t:dir list_dir_perms;
@@ -3741,7 +3762,7 @@
  ')
  
  ########################################
-@@ -923,7 +933,7 @@
+@@ -923,7 +934,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -3750,7 +3771,7 @@
  ')
  
  ########################################
-@@ -1000,3 +1010,159 @@
+@@ -1000,3 +1011,159 @@
  
  	allow $1 httpd_sys_script_t:dir search_dir_perms;
  ')
@@ -3912,7 +3933,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-12-26 19:16:45.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-12-31 07:17:50.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(apache,1.6.0)
@@ -4010,7 +4031,18 @@
  
  corenet_non_ipsec_sendrecv(httpd_t)
  corenet_tcp_sendrecv_all_if(httpd_t)
-@@ -342,6 +379,9 @@
+@@ -322,9 +359,7 @@
+ 
+ auth_use_nsswitch(httpd_t)
+ 
+-# execute perl
+-corecmd_exec_bin(httpd_t)
+-corecmd_exec_shell(httpd_t)
++application_exec_all(httpd_t)
+ 
+ domain_use_interactive_fds(httpd_t)
+ 
+@@ -342,6 +377,9 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
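Review bot: Replacing `corecmd_exec_bin(httpd_t)` and `corecmd_exec_shell(httpd_t)` with `application_exec_all(httpd_t)` is only equivalent if this policy's `application_exec_all` covers `bin_t` and `shell_exec_t`; in upstream refpolicy it grants execute on the `application_exec_type` attribute, which is not the same set as the corecmd types, and the apache.if hunk above adds the same call beside `corecmd_exec_all_executables` rather than instead of it, which suggests the two are not interchangeable. If bin and shell execution are still needed (the removed `# execute perl` comment says they were), keep the corecmd calls alongside the new one: `corecmd_exec_bin(httpd_t)`, `corecmd_exec_shell(httpd_t)`, `application_exec_all(httpd_t)`. Either way, a comment replacing the deleted rationale would make the intended exec set explicit.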
@@ -4020,7 +4052,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -360,16 +400,14 @@
+@@ -360,16 +398,14 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -4040,7 +4072,7 @@
  ')
  
  tunable_policy(`allow_httpd_anon_write',`
-@@ -382,6 +420,7 @@
+@@ -382,6 +418,7 @@
  #
  tunable_policy(`allow_httpd_mod_auth_pam',`
  	auth_domtrans_chk_passwd(httpd_t)
@@ -4048,7 +4080,7 @@
  ')
  ')
  
-@@ -389,6 +428,16 @@
+@@ -389,6 +426,16 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -4065,7 +4097,7 @@
  tunable_policy(`httpd_can_network_connect_db',`
  	# allow httpd to connect to mysql/posgresql
  	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -416,6 +465,10 @@
+@@ -416,6 +463,10 @@
  	allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
  ')
  
@@ -4076,7 +4108,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -433,11 +486,21 @@
+@@ -433,11 +484,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -4098,7 +4130,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -459,10 +522,27 @@
+@@ -459,10 +520,27 @@
  ')
  
  optional_policy(`
@@ -4126,7 +4158,7 @@
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
-@@ -486,7 +566,6 @@
+@@ -486,7 +564,6 @@
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -4134,7 +4166,7 @@
  ')
  
  optional_policy(`
-@@ -506,6 +585,7 @@
+@@ -506,6 +583,7 @@
  ')
  
  optional_policy(`
@@ -4142,7 +4174,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -606,6 +686,10 @@
+@@ -606,6 +684,10 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -4153,7 +4185,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +752,12 @@
+@@ -668,6 +750,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -4166,7 +4198,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -685,18 +775,6 @@
+@@ -685,18 +773,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -4185,7 +4217,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -706,7 +784,8 @@
+@@ -706,7 +782,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -4195,7 +4227,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +799,64 @@
+@@ -720,21 +797,64 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -4265,7 +4297,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +876,8 @@
+@@ -754,14 +874,8 @@
  # Apache unconfined script local policy
  #
  
@@ -4281,7 +4313,7 @@
  ')
  
  ########################################
-@@ -784,7 +900,19 @@
+@@ -784,7 +898,19 @@
  
  miscfiles_read_localization(httpd_rotatelogs_t)
  
@@ -4672,8 +4704,8 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.6.4/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/clamav.fc	2007-11-14 10:43:00.000000000 -0500
-@@ -9,8 +9,9 @@
++++ serefpolicy-2.6.4/policy/modules/services/clamav.fc	2007-12-31 09:06:13.000000000 -0500
+@@ -9,8 +9,10 @@
  
  /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
  /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
@@ -4682,7 +4714,8 @@
  /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
 -/var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
 -/var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
-+/var/log/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamav.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
++/var/log/clamd.*			gen_context(system_u:object_r:clamd_var_log_t,s0)
  /var/log/clamav/freshclam.*	--	gen_context(system_u:object_r:freshclam_var_log_t,s0)
  /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te
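Review bot: `/var/log/clamav.*` and `/var/log/clamd.*` use an unescaped `.` and carry no file-type qualifier, so they match `/var/log/clamav` itself, everything beneath it, and any name starting with `clamav`/`clamd` regardless of file class; `/var/log/clamav/freshclam.*` keeps `freshclam_var_log_t` only because its more specific literal prefix sorts later, as fc_sort normally arranges. If the goal is the directory plus flat log files, `/var/log/clamav(/.*)?` together with explicit `/var/log/clamav\..*` and `/var/log/clamd\..*` entries would say so; a comment naming the log layouts these two patterns are meant for would help either way.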
@@ -7890,8 +7923,20 @@
 +/var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.6.4/policy/modules/services/lpd.if
 --- nsaserefpolicy/policy/modules/services/lpd.if	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/lpd.if	2007-08-07 09:42:35.000000000 -0400
-@@ -394,3 +394,22 @@
++++ serefpolicy-2.6.4/policy/modules/services/lpd.if	2007-12-31 06:41:14.000000000 -0500
+@@ -317,10 +317,8 @@
+ 	')
+ 
+ 	files_search_spool($1)
++	manage_dirs_pattern($1,print_spool_t,print_spool_t)
+ 	manage_files_pattern($1,print_spool_t,print_spool_t)
+-
+-	# cjp: cups wants setattr
+-	allow $1 print_spool_t:dir setattr;
+ ')
+ 
+ ########################################
+@@ -394,3 +392,22 @@
  
  	domtrans_pattern($2, lpr_exec_t, $1_lpr_t)
  ')
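Review bot: `manage_dirs_pattern($1,print_spool_t,print_spool_t)` gives the caller create, delete and rename on spool directories where the removed line granted only `setattr`; the `<summary>` of the enclosing interface, which starts outside this hunk, should now say it manages print spool directories as well as files, e.g. `##	Create, read, write, and delete print spool files and directories.` The removed `# cjp: cups wants setattr` rationale is subsumed by the new pattern, so dropping it is fine.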
@@ -7916,8 +7961,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-2.6.4/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mailman.if	2007-08-07 09:42:35.000000000 -0400
-@@ -275,6 +275,25 @@
++++ serefpolicy-2.6.4/policy/modules/services/mailman.if	2007-12-31 14:17:22.000000000 -0500
+@@ -275,6 +275,44 @@
  
  #######################################
  ## <summary>
@@ -7940,6 +7985,25 @@
 +
 +#######################################
 +## <summary>
++##	read
++##	mailman logs.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`mailman_read_log',`
++	gen_require(`
++		type mailman_log_t;
++	')
++
++	read_files_pattern($1,mailman_log_t,mailman_log_t)
++')
++
++#######################################
++## <summary>
  ##	Allow domain to read mailman archive files.
  ## </summary>
  ## <param name="domain">
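Review bot: The summary of `mailman_read_log` is split as `##	read` / `##	mailman logs.`, which renders as the fragment "read mailman logs." in the generated interface documentation and does not follow the one-line imperative style of the neighbouring summaries; write it as `##	Read mailman log files.` on a single line.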
@@ -8272,6 +8336,19 @@
  	logrotate_read_tmp_files(system_mail_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.6.4/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mysql.te	2007-12-31 07:00:25.000000000 -0500
+@@ -33,7 +33,8 @@
+ allow mysqld_t self:capability { dac_override setgid setuid sys_resource net_bind_service };
+ dontaudit mysqld_t self:capability sys_tty_config;
+ allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+-allow mysqld_t self:fifo_file { read write };
++allow mysqld_t self:fifo_file rw_fifo_file_perms;
++allow mysqld_t self:shm create_shm_file_perms;
+ allow mysqld_t self:unix_stream_socket create_stream_socket_perms;
+ allow mysqld_t self:tcp_socket create_stream_socket_perms;
+ allow mysqld_t self:udp_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/nagios.fc	2007-09-01 07:24:41.000000000 -0400
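Review bot: `create_shm_file_perms` in `allow mysqld_t self:shm create_shm_file_perms;` is not a permission set I know of in the refpolicy support macros — the shm set is `create_shm_perms` — so unless this policy defines it, m4 passes the name through unexpanded and checkmodule rejects the mysql module. `allow mysqld_t self:shm create_shm_perms;` is the form used for this class elsewhere. The fifo change on the previous line is fine; `rw_fifo_file_perms` is the standard set.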
@@ -8417,18 +8494,19 @@
  #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.6.4/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.fc	2007-08-07 09:42:35.000000000 -0400
-@@ -1,5 +1,6 @@
++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.fc	2007-12-31 08:49:01.000000000 -0500
+@@ -1,5 +1,7 @@
  
  /usr/(s)?bin/NetworkManager	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
 +/usr/(s)?bin/wpa_supplicant	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
++/usr/sbin/NetworkManagerDispatcher	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)
  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-2.6.4/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if	2007-08-07 09:42:35.000000000 -0400
-@@ -78,3 +78,22 @@
++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if	2007-12-31 08:56:57.000000000 -0500
+@@ -78,3 +78,40 @@
  	allow $1 NetworkManager_t:dbus send_msg;
  	allow NetworkManager_t $1:dbus send_msg;
  ')
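Review bot: Labelling `/usr/sbin/NetworkManagerDispatcher` as `NetworkManager_exec_t` runs the dispatcher in the daemon's `NetworkManager_t` domain, so it inherits everything that domain has, including the `ptrace`/`setcap` self:process rules and `kernel_load_module` visible in the networkmanager.te hunks further down. If the dispatcher only needs to run its hook scripts, a separate domain would be tighter; if sharing the domain is deliberate, a short comment above the entry stating that would make the decision reviewable. The changelog does not mention this addition.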
@@ -8451,10 +8529,33 @@
 +	domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t)
 +
 +')
++
++########################################
++## <summary>
++##	Send a generic signal to NetworkManager
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`networkmanager_signal',`
++	gen_require(`
++		type NetworkManager_t;
++	')
++
++	allow $1 NetworkManager_t:process signal;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.6.4/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te	2007-10-17 14:24:35.000000000 -0400
-@@ -20,7 +20,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/networkmanager.te	2007-12-31 14:14:32.000000000 -0500
+@@ -1,4 +1,3 @@
+-
+ policy_module(networkmanager,1.6.0)
+ 
+ ########################################
+@@ -20,7 +19,7 @@
  
  # networkmanager will ptrace itself if gdb is installed
  # and it receives a unexpected signal (rh bug #204161) 
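Review bot: The new interface is defined as `networkmanager_signal`, but the caller added in the ppp.te hunk below is `NetworkManager_signal(pppd_t)`; m4 macro names are case-sensitive, so unless this policy also defines the capitalised name the call is emitted verbatim and the ppp module fails to build, and even if it built pppd would not receive the signal permission the changelog promises. Change the ppp.te line to `networkmanager_signal(pppd_t)`, matching the lower-case interface name defined here.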
@@ -8463,7 +8564,7 @@
  dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
  allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
  allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
-@@ -41,6 +41,8 @@
+@@ -41,6 +40,8 @@
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
  
@@ -8472,7 +8573,7 @@
  corenet_non_ipsec_sendrecv(NetworkManager_t)
  corenet_tcp_sendrecv_all_if(NetworkManager_t)
  corenet_udp_sendrecv_all_if(NetworkManager_t)
-@@ -145,6 +147,9 @@
+@@ -145,6 +146,9 @@
  	dbus_system_bus_client_template(NetworkManager,NetworkManager_t)
  	dbus_connect_system_bus(NetworkManager_t)
  	dbus_send_system_bus(NetworkManager_t)
@@ -8482,7 +8583,7 @@
  ')
  
  optional_policy(`
-@@ -161,9 +166,15 @@
+@@ -161,9 +165,15 @@
  ')
  
  optional_policy(`
@@ -8498,7 +8599,7 @@
  ')
  
  optional_policy(`
-@@ -178,3 +189,4 @@
+@@ -178,3 +188,4 @@
  	vpn_domtrans(NetworkManager_t)
  	vpn_signal(NetworkManager_t)
  ')
@@ -9357,7 +9458,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te	2007-10-12 09:13:26.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te	2007-12-31 14:16:44.000000000 -0500
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -9442,15 +9543,16 @@
  mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
-@@ -280,6 +312,7 @@
+@@ -280,6 +312,8 @@
  optional_policy(`
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
 +	mailman_append_log(postfix_local_t)
++	mailman_read_log(postfix_local_t)
  ')
  
  optional_policy(`
-@@ -386,7 +419,7 @@
+@@ -386,7 +420,7 @@
  # Postfix pipe local policy
  #
  
@@ -9459,7 +9561,7 @@
  
  write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
  
-@@ -395,6 +428,10 @@
+@@ -395,6 +429,10 @@
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
  optional_policy(`
@@ -9470,7 +9572,7 @@
  	procmail_domtrans(postfix_pipe_t)
  ')
  
-@@ -403,6 +440,10 @@
+@@ -403,6 +441,10 @@
  ')
  
  optional_policy(`
@@ -9481,7 +9583,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -441,6 +482,10 @@
+@@ -441,6 +483,10 @@
  ')
  
  optional_policy(`
@@ -9492,7 +9594,7 @@
  	ppp_use_fds(postfix_postqueue_t)
  	ppp_sigchld(postfix_postqueue_t)
  ')
-@@ -519,8 +564,6 @@
+@@ -519,8 +565,6 @@
  # Postfix smtp delivery local policy
  #
  
@@ -9501,7 +9603,7 @@
  # connect to master process
  stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
-@@ -528,6 +571,8 @@
+@@ -528,6 +572,8 @@
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -9510,7 +9612,7 @@
  optional_policy(`
  	cyrus_stream_connect(postfix_smtp_t)
  ')
-@@ -536,6 +581,7 @@
+@@ -536,6 +582,7 @@
  #
  # Postfix smtpd local policy
  #
@@ -9518,7 +9620,7 @@
  allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
  
  # connect to master process
-@@ -552,9 +598,45 @@
+@@ -552,9 +599,45 @@
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
@@ -9607,7 +9709,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-2.6.4/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ppp.te	2007-10-31 07:37:19.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ppp.te	2007-12-31 08:55:04.000000000 -0500
 @@ -155,7 +155,7 @@
  
  files_exec_etc_files(pppd_t)
@@ -9617,7 +9719,16 @@
  files_dontaudit_write_etc_files(pppd_t)
  
  # for scripts
-@@ -202,6 +202,8 @@
+@@ -164,6 +164,8 @@
+ init_read_utmp(pppd_t)
+ init_dontaudit_write_utmp(pppd_t)
+ 
++auth_use_nsswitch(pppd_t)
++
+ libs_use_ld_so(pppd_t)
+ libs_use_shared_libs(pppd_t)
+ 
+@@ -202,14 +204,12 @@
  
  optional_policy(`
  	mta_send_mail(pppd_t)
@@ -9626,6 +9737,15 @@
  ')
  
  optional_policy(`
+-	nis_use_ypbind(pppd_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(pppd_t)
++	NetworkManager_signal(pppd_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.6.4/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/procmail.te	2007-08-07 09:42:35.000000000 -0400
@@ -11955,7 +12075,7 @@
  /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/xserver.if	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xserver.if	2007-12-27 11:36:50.000000000 -0500
 @@ -83,6 +83,8 @@
  	manage_files_pattern($1_xserver_t,xserver_log_t,xserver_log_t)
  	logging_log_filetrans($1_xserver_t,xserver_log_t,file)
@@ -11965,7 +12085,15 @@
  	kernel_read_system_state($1_xserver_t)
  	kernel_read_device_sysctls($1_xserver_t)
  	kernel_read_modprobe_sysctls($1_xserver_t)
-@@ -540,6 +542,9 @@
+@@ -121,6 +123,7 @@
+ 	dev_wx_raw_memory($1_xserver_t)
+ 	# for other device nodes such as the NVidia binary-only driver
+ 	dev_rw_xserver_misc($1_xserver_t)
++	dev_setattr_xserver_misc_dev($1_xserver_t)
+ 	# read events - the synaptics touchpad driver reads raw events
+ 	dev_rw_input_dev($1_xserver_t)
+ 	dev_rwx_zero($1_xserver_t)
+@@ -540,6 +543,9 @@
  	allow $2 self:unix_dgram_socket create_socket_perms;
  	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
  
@@ -11975,7 +12103,7 @@
  	# Read .Xauthority file
  	allow $2 $1_xauth_home_t:file { getattr read };
  	allow $2 $1_iceauth_home_t:file { getattr read };
-@@ -1136,7 +1141,7 @@
+@@ -1136,7 +1142,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -11984,7 +12112,7 @@
  ')
  
  ########################################
-@@ -1325,3 +1330,4 @@
+@@ -1325,3 +1331,4 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -14107,7 +14235,7 @@
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-12-21 02:33:51.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-12-31 09:58:45.000000000 -0500
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -14213,7 +14341,18 @@
  ')
  
  optional_policy(`
-@@ -192,9 +212,6 @@
+@@ -183,6 +203,10 @@
+ 	')
+ ')
+ 
++optional_policy(`
++	lvm_domtrans(mount_t)
++')
++
+ # for kernel package installation
+ optional_policy(`
+ 	rpm_rw_pipes(mount_t)
+@@ -192,9 +216,6 @@
  	samba_domtrans_smbmount(mount_t)
  ')
  
@@ -14223,7 +14362,7 @@
  
  ########################################
  #
-@@ -204,4 +221,30 @@
+@@ -204,4 +225,30 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -14231,7 +14370,7 @@
 +		hal_dbus_chat(unconfined_mount_t)
 +	')
 +
- ')
++')
 +
 +########################################
 +#
@@ -14252,7 +14391,7 @@
 +	hal_write_log(mount_t)
 +	hal_use_fds(mount_t)
 +	hal_rw_pipes(mount_t)
-+')
+ ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.4/policy/modules/system/netlabel.te
 --- nsaserefpolicy/policy/modules/system/netlabel.te	2007-05-07 14:51:02.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.514
retrieving revision 1.515
diff -u -r1.514 -r1.515
--- selinux-policy.spec	27 Dec 2007 01:16:34 -0000	1.514
+++ selinux-policy.spec	31 Dec 2007 21:06:21 -0000	1.515
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 66%{?dist}
+Release: 67%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -363,6 +363,10 @@
 %endif
 
 %changelog
+* Mon Dec 31 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-67
+- Allow ppp to signal networkmanager
+- Allow mount to transition to lvm
+
 * Tue Dec 25 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-66
 - Allow mail delivery to append to apache logs.
 



