rpms/selinux-policy/F-7 policy-20070501.patch, 1.22, 1.23 selinux-policy.spec, 1.466, 1.467

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jun 19 17:14:27 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv32042

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Tue Jun 19 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-18
- Fix udev for xen again
- Allow cron to set loginuid


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- policy-20070501.patch	18 Jun 2007 16:20:49 -0000	1.22
+++ policy-20070501.patch	19 Jun 2007 17:14:21 -0000	1.23
@@ -483,7 +483,7 @@
  selinux_get_enforce_mode(logrotate_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.6.4/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/logwatch.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/admin/logwatch.te	2007-06-18 12:01:25.000000000 -0400
 @@ -30,7 +30,6 @@
  allow logwatch_t self:process signal;
  allow logwatch_t self:fifo_file rw_file_perms;
@@ -492,7 +492,17 @@
  
  manage_dirs_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
  manage_files_pattern(logwatch_t,logwatch_cache_t,logwatch_cache_t)
-@@ -63,6 +62,8 @@
+@@ -42,6 +41,9 @@
+ manage_files_pattern(logwatch_t,logwatch_tmp_t,logwatch_tmp_t)
+ files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir })
+ 
++init_read_utmp(logwatch_t)
++init_dontaudit_write_utmp(logwatch_t)
++
+ kernel_read_fs_sysctls(logwatch_t)
+ kernel_read_kernel_sysctls(logwatch_t)
+ kernel_read_system_state(logwatch_t)
+@@ -63,6 +65,8 @@
  files_search_mnt(logwatch_t)
  files_dontaudit_search_home(logwatch_t)
  files_dontaudit_search_boot(logwatch_t)
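Review bot: The added `init_dontaudit_write_utmp(logwatch_t)` in the logwatch.te section suppresses the denial instead of logging it, and nothing in the hunk records why logwatch opens utmp for writing. A dontaudit rule hides the same access attempt if the domain ever misbehaves, so the justification should sit next to the rule, for example `# logwatch opens utmp read-write but only needs to read it; do not audit the write denial` (wording to be confirmed against the actual AVC). The usermanage.te section of this same patch already does this for `init_dontaudit_rw_utmp(sysadm_passwd_t)`, which carries a comment explaining that passwd works without the write access.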
@@ -501,7 +511,7 @@
  
  fs_getattr_all_fs(logwatch_t)
  fs_dontaudit_list_auto_mountpoints(logwatch_t)
-@@ -83,8 +84,6 @@
+@@ -83,8 +87,6 @@
  
  selinux_dontaudit_getattr_dir(logwatch_t)
  
@@ -510,7 +520,7 @@
  userdom_dontaudit_search_sysadm_home_dirs(logwatch_t)
  userdom_dontaudit_getattr_sysadm_home_dirs(logwatch_t)
  
-@@ -95,6 +94,10 @@
+@@ -95,6 +97,10 @@
  ')
  
  optional_policy(`
@@ -521,7 +531,7 @@
  	avahi_dontaudit_search_pid(logwatch_t)
  ')
  
-@@ -116,14 +119,6 @@
+@@ -116,14 +122,6 @@
  ')
  
  optional_policy(`
@@ -536,7 +546,7 @@
  	ntp_domtrans(logwatch_t)
  ')
  
-@@ -133,4 +128,5 @@
+@@ -133,4 +131,5 @@
  
  optional_policy(`
  	samba_read_log(logwatch_t)
@@ -872,8 +882,16 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.6.4/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/usermanage.te	2007-06-18 10:18:55.000000000 -0400
-@@ -184,7 +184,7 @@
++++ serefpolicy-2.6.4/policy/modules/admin/usermanage.te	2007-06-19 09:05:35.000000000 -0400
+@@ -99,6 +99,7 @@
+ dev_read_urand(chfn_t)
+ 
+ auth_domtrans_chk_passwd(chfn_t)
++auth_domtrans_upd_passwd(chfn_t)
+ auth_dontaudit_read_shadow(chfn_t)
+ 
+ # allow checking if a shell is executable
+@@ -184,7 +185,7 @@
  # Groupadd local policy
  #
  
@@ -882,7 +900,7 @@
  dontaudit groupadd_t self:capability { fsetid sys_tty_config };
  allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
  allow groupadd_t self:process { setrlimit setfscreate };
-@@ -198,7 +198,6 @@
+@@ -198,7 +199,6 @@
  allow groupadd_t self:unix_stream_socket create_stream_socket_perms;
  allow groupadd_t self:unix_dgram_socket sendto;
  allow groupadd_t self:unix_stream_socket connectto;
@@ -890,7 +908,7 @@
  
  fs_getattr_xattr_fs(groupadd_t)
  fs_search_auto_mountpoints(groupadd_t)
-@@ -231,6 +230,7 @@
+@@ -231,6 +231,7 @@
  corecmd_exec_bin(groupadd_t)
  
  logging_send_syslog_msg(groupadd_t)
@@ -898,7 +916,7 @@
  
  miscfiles_read_localization(groupadd_t)
  
-@@ -252,8 +252,13 @@
+@@ -252,8 +253,13 @@
  ')
  
  optional_policy(`
@@ -912,7 +930,7 @@
  ')
  
  ########################################
-@@ -261,7 +266,7 @@
+@@ -261,7 +267,7 @@
  # Passwd local policy
  #
  
@@ -921,7 +939,7 @@
  allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow passwd_t self:process { setrlimit setfscreate };
  allow passwd_t self:fd use;
-@@ -271,7 +276,6 @@
+@@ -271,7 +277,6 @@
  allow passwd_t self:unix_stream_socket create_stream_socket_perms;
  allow passwd_t self:unix_dgram_socket sendto;
  allow passwd_t self:unix_stream_socket connectto;
@@ -929,7 +947,7 @@
  allow passwd_t self:shm create_shm_perms;
  allow passwd_t self:sem create_sem_perms;
  allow passwd_t self:msgq create_msgq_perms;
-@@ -324,6 +328,7 @@
+@@ -324,6 +329,7 @@
  libs_use_shared_libs(passwd_t)
  
  logging_send_syslog_msg(passwd_t)
@@ -937,7 +955,7 @@
  
  miscfiles_read_localization(passwd_t)
  
-@@ -343,6 +348,7 @@
+@@ -343,6 +349,7 @@
  
  optional_policy(`
  	nscd_socket_use(passwd_t)
@@ -945,7 +963,7 @@
  ')
  
  ########################################
-@@ -396,6 +402,8 @@
+@@ -396,6 +403,8 @@
  auth_relabel_shadow(sysadm_passwd_t)
  auth_etc_filetrans_shadow(sysadm_passwd_t)
  
@@ -954,7 +972,7 @@
  # allow vipw to exec the editor
  corecmd_exec_bin(sysadm_passwd_t)
  corecmd_exec_shell(sysadm_passwd_t)
-@@ -412,6 +420,7 @@
+@@ -412,6 +421,7 @@
  # /usr/bin/passwd asks for w access to utmp, but it will operate
  # correctly without it.  Do not audit write denials to utmp.
  init_dontaudit_rw_utmp(sysadm_passwd_t)
@@ -962,7 +980,7 @@
  
  libs_use_ld_so(sysadm_passwd_t)
  libs_use_shared_libs(sysadm_passwd_t)
-@@ -433,6 +442,7 @@
+@@ -433,6 +443,7 @@
  
  optional_policy(`
  	nscd_socket_use(sysadm_passwd_t)
@@ -970,7 +988,7 @@
  ')
  
  ########################################
-@@ -440,7 +450,7 @@
+@@ -440,7 +451,7 @@
  # Useradd local policy
  #
  
@@ -979,7 +997,7 @@
  dontaudit useradd_t self:capability sys_tty_config;
  allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow useradd_t self:process setfscreate;
-@@ -454,7 +464,6 @@
+@@ -454,7 +465,6 @@
  allow useradd_t self:unix_stream_socket create_stream_socket_perms;
  allow useradd_t self:unix_dgram_socket sendto;
  allow useradd_t self:unix_stream_socket connectto;
@@ -987,7 +1005,7 @@
  
  # for getting the number of groups
  kernel_read_kernel_sysctls(useradd_t)
-@@ -500,6 +509,7 @@
+@@ -500,6 +510,7 @@
  libs_use_shared_libs(useradd_t)
  
  logging_send_syslog_msg(useradd_t)
@@ -995,7 +1013,7 @@
  
  miscfiles_read_localization(useradd_t)
  
-@@ -508,6 +518,9 @@
+@@ -508,6 +519,9 @@
  seutil_read_default_contexts(useradd_t)
  seutil_domtrans_semanage(useradd_t)
  seutil_domtrans_restorecon(useradd_t)
@@ -1005,7 +1023,7 @@
  
  userdom_use_unpriv_users_fds(useradd_t)
  # for when /root is the cwd
-@@ -521,11 +534,26 @@
+@@ -521,11 +535,26 @@
  mta_manage_spool(useradd_t)
  
  optional_policy(`
@@ -1322,6 +1340,17 @@
  ')
  
  ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/userhelper.if serefpolicy-2.6.4/policy/modules/apps/userhelper.if
+--- nsaserefpolicy/policy/modules/apps/userhelper.if	2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/apps/userhelper.if	2007-06-19 09:05:14.000000000 -0400
+@@ -131,6 +131,7 @@
+ 	term_use_all_user_ptys($1_userhelper_t)
+ 
+ 	auth_domtrans_chk_passwd($1_userhelper_t)
++	auth_domtrans_upd_passwd($1_userhelper_t)
+ 	auth_manage_pam_pid($1_userhelper_t)
+ 	auth_manage_var_auth($1_userhelper_t)
+ 	auth_search_pam_console_data($1_userhelper_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-05-07 14:51:04.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-06-18 10:18:55.000000000 -0400
@@ -2631,7 +2660,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-06-19 09:08:16.000000000 -0400
 @@ -47,6 +47,13 @@
  ## Allow http daemon to tcp connect
  ## </p>
@@ -2720,7 +2749,15 @@
  ifdef(`targeted_policy',`
  	term_dontaudit_use_unallocated_ttys(httpd_t)
  	term_dontaudit_use_generic_ptys(httpd_t)
-@@ -389,6 +426,14 @@
+@@ -382,6 +419,7 @@
+ #
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+ 	auth_domtrans_chk_passwd(httpd_t)
++	auth_domtrans_upd_passwd(httpd_t)
+ ')
+ ')
+ 
+@@ -389,6 +427,14 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -2735,7 +2772,7 @@
  tunable_policy(`httpd_can_network_connect_db',`
  	# allow httpd to connect to mysql/posgresql
  	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -416,6 +461,10 @@
+@@ -416,6 +462,10 @@
  	allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
  ')
  
@@ -2746,7 +2783,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -433,11 +482,21 @@
+@@ -433,11 +483,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -2768,7 +2805,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -668,6 +727,12 @@
+@@ -668,6 +728,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -2781,7 +2818,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -706,7 +771,8 @@
+@@ -706,7 +772,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -2791,7 +2828,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,6 +786,8 @@
+@@ -720,6 +787,8 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -2800,7 +2837,7 @@
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file { getattr append };
  ')
-@@ -730,11 +798,21 @@
+@@ -730,11 +799,21 @@
  	')
  ')
  
@@ -2822,7 +2859,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -788,3 +866,19 @@
+@@ -788,3 +867,19 @@
  	term_dontaudit_use_generic_ptys(httpd_rotatelogs_t)
  	term_dontaudit_use_unallocated_ttys(httpd_rotatelogs_t)
  ')
@@ -2885,8 +2922,18 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-2.6.4/policy/modules/services/apcupsd.te
 --- nsaserefpolicy/policy/modules/services/apcupsd.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te	2007-06-18 10:24:44.000000000 -0400
-@@ -24,6 +24,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/apcupsd.te	2007-06-19 09:29:01.000000000 -0400
+@@ -16,6 +16,9 @@
+ type apcupsd_log_t;
+ logging_log_file(apcupsd_log_t)
+ 
++type apcupsd_tmp_t;
++files_tmp_file(apcupsd_tmp_t)
++
+ type apcupsd_var_run_t;
+ files_pid_file(apcupsd_var_run_t)
+ 
+@@ -24,6 +27,7 @@
  # apcupsd local policy
  #
  
@@ -2894,7 +2941,13 @@
  allow apcupsd_t self:fifo_file rw_file_perms;
  allow apcupsd_t self:unix_stream_socket create_stream_socket_perms;
  allow apcupsd_t self:tcp_socket create_stream_socket_perms;
-@@ -38,13 +39,16 @@
+@@ -35,16 +39,23 @@
+ manage_files_pattern(apcupsd_t,apcupsd_log_t,apcupsd_log_t)
+ logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
+ 
++manage_files_pattern(apcupsd_t,apcupsd_tmp_t,apcupsd_tmp_t)
++files_tmp_filetrans(apcupsd_t,apcupsd_tmp_t,file)
++
  manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
  files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
  
@@ -2910,10 +2963,11 @@
 -#corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
 +corenet_tcp_bind_apcupsd_port(apcupsd_t)
 +corenet_sendrecv_apcupsd_server_packets(apcupsd_t)
++corenet_tcp_connect_apcupsd_port(apcupsd_t)
  
  dev_rw_generic_usb_dev(apcupsd_t)
  
-@@ -54,6 +58,12 @@
+@@ -54,6 +65,12 @@
  files_read_etc_files(apcupsd_t)
  files_search_locks(apcupsd_t)
  
@@ -2926,7 +2980,7 @@
  libs_use_ld_so(apcupsd_t)
  libs_use_shared_libs(apcupsd_t)
  
-@@ -61,7 +71,35 @@
+@@ -61,7 +78,39 @@
  
  miscfiles_read_localization(apcupsd_t)
  
@@ -2940,6 +2994,10 @@
 +term_dontaudit_use_generic_ptys(apcupsd_t)
 +
 +optional_policy(`
++	hostname_exec(apcupsd_t)
++')
++
++optional_policy(`
 +	mta_send_mail(apcupsd_t)
  ')
 +
@@ -3086,8 +3144,19 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/bind.te	2007-06-18 10:18:55.000000000 -0400
-@@ -236,6 +236,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/bind.te	2007-06-18 12:03:41.000000000 -0400
+@@ -119,6 +119,10 @@
+ corenet_sendrecv_rndc_server_packets(named_t)
+ corenet_sendrecv_rndc_client_packets(named_t)
+ 
++#dnsmasq 
++corenet_tcp_bind_dhcpd_port(named_t)
++corenet_udp_bind_dhcpd_port(named_t)
++
+ dev_read_sysfs(named_t)
+ dev_read_rand(named_t)
+ 
+@@ -236,6 +240,7 @@
  corenet_tcp_sendrecv_all_nodes(ndc_t)
  corenet_tcp_sendrecv_all_ports(ndc_t)
  corenet_tcp_connect_rndc_port(ndc_t)
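Review bot: The two added lines `corenet_tcp_bind_dhcpd_port(named_t)` and `corenet_udp_bind_dhcpd_port(named_t)` let every process in named_t bind the DHCP server port, and the only explanation is the bare `#dnsmasq` comment. If the intent is that dnsmasq runs in named_t (inferred from the comment, not shown in the hunk), BIND itself gains a port it does not need. A tunable or a separate dnsmasq domain would keep the grant off plain named. At minimum the comment should state the reason, for example `# dnsmasq runs in named_t and also serves DHCP, so it must bind the dhcpd port`, once that is confirmed.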
@@ -3172,6 +3241,17 @@
 +	unconfined_ptrace(consolekit_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/courier.te serefpolicy-2.6.4/policy/modules/services/courier.te
+--- nsaserefpolicy/policy/modules/services/courier.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/courier.te	2007-06-19 09:01:34.000000000 -0400
+@@ -58,6 +58,7 @@
+ files_getattr_tmp_dirs(courier_authdaemon_t)
+ 
+ auth_domtrans_chk_passwd(courier_authdaemon_t)
++auth_domtrans_upd_passwd(courier_authdaemon_t)
+ 
+ libs_read_lib_files(courier_authdaemon_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-2.6.4/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/cron.fc	2007-06-18 10:18:55.000000000 -0400
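Review bot: `auth_domtrans_upd_passwd(courier_authdaemon_t)` is granted unconditionally here, and the same one-line addition recurs for cupsd_t, cvs_t, ftpd_t, mailman_queue_t, pegasus_t, portslave_t, radiusd_t, ricci_t, rshd_t, smbd_t, swat_t, winbind_t and imapd_t, and for `$1` in the authlogin.if interface (chfn_t and `$1_userhelper_t` get it as well). Judging by the interface name, each of these domains may now transition into the password-update helper, which is more than the password check they had before. Only the apache.te hunk gates the call, inside the `allow_httpd_mod_auth_pam` tunable. Consider a tunable for the network-facing daemons, or limiting the grant to services that must handle expired passwords, with a comment on each grant such as `# needed so PAM can update an expired password during login`. The log message lists only the udev/xen fix and cron loginuid, so this widening of the authentication policy is not recorded in the changelog.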
@@ -3293,7 +3373,7 @@
  		# fcron wants an instant update of a crontab change for the administrator
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.6.4/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cron.te	2007-06-18 11:40:38.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cron.te	2007-06-19 13:05:07.000000000 -0400
 @@ -42,6 +42,9 @@
  type cron_log_t;
  logging_log_file(cron_log_t)
@@ -3364,15 +3444,16 @@
  domain_use_interactive_fds(crond_t)
  
  files_read_etc_files(crond_t)
-@@ -152,6 +168,7 @@
+@@ -152,6 +168,8 @@
  libs_use_shared_libs(crond_t)
  
  logging_send_syslog_msg(crond_t)
 +logging_send_audit_msg(crond_t)
++logging_set_loginuid(crond_t)
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -165,6 +182,12 @@
+@@ -165,6 +183,12 @@
  
  mta_send_mail(crond_t)
  
@@ -3385,7 +3466,7 @@
  ifdef(`distro_debian',`
  	optional_policy(`
  		# Debian logcheck has the home dir set to its cache
-@@ -185,34 +208,9 @@
+@@ -185,34 +209,9 @@
  	locallogin_link_keys(crond_t)
  ')
  
@@ -3423,7 +3504,7 @@
  
  tunable_policy(`fcron_crond', `
  	allow crond_t system_cron_spool_t:file manage_file_perms;
-@@ -232,11 +230,7 @@
+@@ -232,11 +231,7 @@
  ')
  
  optional_policy(`
@@ -3436,7 +3517,7 @@
  ')
  
  optional_policy(`
-@@ -258,17 +252,26 @@
+@@ -258,17 +253,26 @@
  # System cron process domain
  #
  
@@ -3463,7 +3544,7 @@
  	# cjp: why?
  	squid_domtrans(system_crond_t)
  ')
-@@ -369,7 +372,7 @@
+@@ -369,7 +373,7 @@
  	init_read_utmp(system_crond_t)
  	init_dontaudit_rw_utmp(system_crond_t)
  	# prelink tells init to restart it self, we either need to allow or dontaudit
@@ -3472,7 +3553,7 @@
  
  	libs_use_ld_so(system_crond_t)
  	libs_use_shared_libs(system_crond_t)
-@@ -428,6 +431,10 @@
+@@ -428,6 +432,10 @@
  	')
  
  	optional_policy(`
@@ -3496,7 +3577,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.te	2007-06-19 09:01:44.000000000 -0400
 @@ -93,8 +93,6 @@
  # generic socket here until appletalk socket is available in kernels
  allow cupsd_t self:socket create_socket_perms;
@@ -3518,7 +3599,15 @@
  
  dev_rw_printer(cupsd_t)
  dev_read_urand(cupsd_t)
-@@ -214,6 +214,7 @@
+@@ -177,6 +177,7 @@
+ term_search_ptys(cupsd_t)
+ 
+ auth_domtrans_chk_passwd(cupsd_t)
++auth_domtrans_upd_passwd(cupsd_t)
+ auth_dontaudit_read_pam_pid(cupsd_t)
+ 
+ # Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
+@@ -214,6 +215,7 @@
  libs_read_lib_files(cupsd_t)
  
  logging_send_syslog_msg(cupsd_t)
@@ -3526,7 +3615,7 @@
  
  miscfiles_read_localization(cupsd_t)
  # invoking ghostscript needs to read fonts
-@@ -223,6 +224,7 @@
+@@ -223,6 +225,7 @@
  
  sysnet_read_config(cupsd_t)
  
@@ -3534,7 +3623,7 @@
  userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
  userdom_dontaudit_search_all_users_home_content(cupsd_t)
  
-@@ -284,6 +286,10 @@
+@@ -284,6 +287,10 @@
  ')
  
  optional_policy(`
@@ -3545,7 +3634,7 @@
  	nscd_socket_use(cupsd_t)
  ')
  
-@@ -294,6 +300,10 @@
+@@ -294,6 +301,10 @@
  ')
  
  optional_policy(`
@@ -3558,7 +3647,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.6.4/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cvs.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cvs.te	2007-06-19 09:01:50.000000000 -0400
 @@ -16,6 +16,7 @@
  type cvs_t;
  type cvs_exec_t;
@@ -3567,6 +3656,14 @@
  role system_r types cvs_t;
  
  type cvs_data_t; # customizable
+@@ -67,6 +68,7 @@
+ fs_getattr_xattr_fs(cvs_t)
+ 
+ auth_domtrans_chk_passwd(cvs_t)
++auth_domtrans_upd_passwd(cvs_t)
+ 
+ corecmd_exec_bin(cvs_t)
+ corecmd_exec_shell(cvs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.6.4/policy/modules/services/cyrus.te
 --- nsaserefpolicy/policy/modules/services/cyrus.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/cyrus.te	2007-06-18 10:18:55.000000000 -0400
@@ -3741,7 +3838,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.6.4/policy/modules/services/dhcp.te
 --- nsaserefpolicy/policy/modules/services/dhcp.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dhcp.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dhcp.te	2007-06-18 12:03:07.000000000 -0400
 @@ -119,6 +119,8 @@
  	dbus_system_bus_client_template(dhcpd,dhcpd_t)
  	dbus_connect_system_bus(dhcpd_t)
@@ -3975,8 +4072,16 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ftp.te	2007-06-18 10:18:55.000000000 -0400
-@@ -168,6 +168,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/ftp.te	2007-06-19 09:01:13.000000000 -0400
+@@ -156,6 +156,7 @@
+ 
+ auth_use_nsswitch(ftpd_t)
+ auth_domtrans_chk_passwd(ftpd_t)
++auth_domtrans_upd_passwd(ftpd_t)
+ # Append to /var/log/wtmp.
+ auth_append_login_records(ftpd_t)
+ #kerberized ftp requires the following
+@@ -168,6 +169,7 @@
  libs_use_shared_libs(ftpd_t)
  
  logging_send_syslog_msg(ftpd_t)
@@ -3984,7 +4089,7 @@
  
  miscfiles_read_localization(ftpd_t)
  miscfiles_read_public_files(ftpd_t)
-@@ -223,10 +224,15 @@
+@@ -223,10 +225,15 @@
  	userdom_manage_all_users_home_content_dirs(ftpd_t)
  	userdom_manage_all_users_home_content_files(ftpd_t)
  	userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -4487,6 +4592,17 @@
  ##	Allow domain to read mailman archive files.
  ## </summary>
  ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-2.6.4/policy/modules/services/mailman.te
+--- nsaserefpolicy/policy/modules/services/mailman.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mailman.te	2007-06-19 09:02:05.000000000 -0400
+@@ -96,6 +96,7 @@
+ kernel_read_proc_symlinks(mailman_queue_t)
+ 
+ auth_domtrans_chk_passwd(mailman_queue_t)
++auth_domtrans_upd_passwd(mailman_queue_t)
+ 
+ files_dontaudit_search_pids(mailman_queue_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailscanner.fc serefpolicy-2.6.4/policy/modules/services/mailscanner.fc
 --- nsaserefpolicy/policy/modules/services/mailscanner.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/services/mailscanner.fc	2007-06-18 10:18:55.000000000 -0400
@@ -5150,7 +5266,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.6.4/policy/modules/services/pegasus.te
 --- nsaserefpolicy/policy/modules/services/pegasus.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/pegasus.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/pegasus.te	2007-06-19 09:02:12.000000000 -0400
 @@ -38,8 +38,6 @@
  allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
  allow pegasus_t self:tcp_socket create_stream_socket_perms;
@@ -5160,10 +5276,11 @@
  allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
  allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
  allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
-@@ -96,13 +94,12 @@
+@@ -96,13 +94,13 @@
  
  auth_use_nsswitch(pegasus_t)
  auth_domtrans_chk_passwd(pegasus_t)
++auth_domtrans_upd_passwd(pegasus_t)
 +auth_read_shadow(pegasus_t)
  
  domain_use_interactive_fds(pegasus_t)
@@ -5176,7 +5293,7 @@
  files_read_var_lib_symlinks(pegasus_t)
  
  hostname_exec(pegasus_t)
-@@ -116,6 +113,7 @@
+@@ -116,6 +114,7 @@
  miscfiles_read_localization(pegasus_t)
  
  sysnet_read_config(pegasus_t)
@@ -5184,7 +5301,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(pegasus_t)
  userdom_dontaudit_search_sysadm_home_dirs(pegasus_t)
-@@ -129,6 +127,7 @@
+@@ -129,6 +128,7 @@
  
  optional_policy(`
  	logging_send_syslog_msg(pegasus_t)
@@ -5192,6 +5309,17 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-2.6.4/policy/modules/services/portslave.te
+--- nsaserefpolicy/policy/modules/services/portslave.te	2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/portslave.te	2007-06-19 09:02:18.000000000 -0400
+@@ -84,6 +84,7 @@
+ 
+ auth_rw_login_records(portslave_t)
+ auth_domtrans_chk_passwd(portslave_t)
++auth_domtrans_upd_passwd(portslave_t)
+ 
+ init_rw_utmp(portslave_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-2.6.4/policy/modules/services/postfix.fc
 --- nsaserefpolicy/policy/modules/services/postfix.fc	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/postfix.fc	2007-06-18 10:18:55.000000000 -0400
@@ -5527,8 +5655,16 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-2.6.4/policy/modules/services/radius.te
 --- nsaserefpolicy/policy/modules/services/radius.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/radius.te	2007-06-18 10:18:55.000000000 -0400
-@@ -130,3 +130,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/radius.te	2007-06-19 09:02:24.000000000 -0400
+@@ -81,6 +81,7 @@
+ 
+ auth_read_shadow(radiusd_t)
+ auth_domtrans_chk_passwd(radiusd_t)
++auth_domtrans_upd_passwd(radiusd_t)
+ 
+ corecmd_exec_bin(radiusd_t)
+ corecmd_exec_shell(radiusd_t)
+@@ -130,3 +131,7 @@
  optional_policy(`
  	udev_read_db(radiusd_t)
  ')
@@ -5549,8 +5685,16 @@
  xserver_kill_xdm_xserver(rhgb_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.6.4/policy/modules/services/ricci.te
 --- nsaserefpolicy/policy/modules/services/ricci.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ricci.te	2007-06-18 11:07:45.000000000 -0400
-@@ -328,6 +328,10 @@
++++ serefpolicy-2.6.4/policy/modules/services/ricci.te	2007-06-19 09:02:30.000000000 -0400
+@@ -137,6 +137,7 @@
+ files_create_boot_flag(ricci_t)
+ 
+ auth_domtrans_chk_passwd(ricci_t)
++auth_domtrans_upd_passwd(ricci_t)
+ auth_append_login_records(ricci_t)
+ 
+ init_dontaudit_stream_connect_script(ricci_t)
+@@ -328,6 +329,10 @@
  ')
  
  optional_policy(`
@@ -5812,6 +5956,17 @@
  ')
  
  tunable_policy(`nfs_export_all_ro',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-2.6.4/policy/modules/services/rshd.te
+--- nsaserefpolicy/policy/modules/services/rshd.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/rshd.te	2007-06-19 09:02:43.000000000 -0400
+@@ -44,6 +44,7 @@
+ selinux_compute_user_contexts(rshd_t)
+ 
+ auth_domtrans_chk_passwd(rshd_t)
++auth_domtrans_upd_passwd(rshd_t)
+ 
+ corecmd_read_bin_symlinks(rshd_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.6.4/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/rsync.te	2007-06-18 10:18:55.000000000 -0400
@@ -6101,7 +6256,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-06-19 09:03:00.000000000 -0400
 @@ -28,6 +28,35 @@
  ## </desc>
  gen_tunable(samba_share_nfs,false)
@@ -6196,7 +6351,7 @@
  dev_read_sysfs(smbd_t)
  dev_read_urand(smbd_t)
  dev_getattr_mtrr_dev(smbd_t)
-@@ -265,11 +300,13 @@
+@@ -265,11 +300,14 @@
  fs_get_xattr_fs_quotas(smbd_t)
  fs_search_auto_mountpoints(smbd_t)
  fs_getattr_rpc_dirs(smbd_t)
@@ -6204,13 +6359,14 @@
  
  auth_use_nsswitch(smbd_t)
  auth_domtrans_chk_passwd(smbd_t)
++auth_domtrans_upd_passwd(smbd_t)
  
  domain_use_interactive_fds(smbd_t)
 +domain_dontaudit_list_all_domains_state(smbd_t)
  
  files_list_var_lib(smbd_t)
  files_read_etc_files(smbd_t)
-@@ -296,6 +333,12 @@
+@@ -296,6 +334,12 @@
  userdom_dontaudit_use_unpriv_user_fds(smbd_t)
  userdom_use_unpriv_users_fds(smbd_t)
  
@@ -6223,7 +6379,7 @@
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -319,6 +362,10 @@
+@@ -319,6 +363,10 @@
  ')
  
  optional_policy(`
@@ -6234,7 +6390,7 @@
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
  ')
-@@ -339,6 +386,23 @@
+@@ -339,6 +387,23 @@
  	udev_read_db(smbd_t)
  ')
  
@@ -6258,7 +6414,7 @@
  ########################################
  #
  # nmbd Local policy
-@@ -352,7 +416,7 @@
+@@ -352,7 +417,7 @@
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -6267,7 +6423,7 @@
  allow nmbd_t self:tcp_socket create_stream_socket_perms;
  allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -362,9 +426,12 @@
+@@ -362,9 +427,12 @@
  files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
  
  read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
@@ -6281,7 +6437,7 @@
  read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  allow nmbd_t samba_log_t:dir setattr;
-@@ -391,6 +458,7 @@
+@@ -391,6 +459,7 @@
  corenet_udp_bind_nmbd_port(nmbd_t)
  corenet_sendrecv_nmbd_server_packets(nmbd_t)
  corenet_sendrecv_nmbd_client_packets(nmbd_t)
@@ -6289,7 +6445,7 @@
  
  dev_read_sysfs(nmbd_t)
  dev_getattr_mtrr_dev(nmbd_t)
-@@ -457,6 +525,7 @@
+@@ -457,6 +526,7 @@
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
@@ -6297,7 +6453,7 @@
  allow smbmount_t samba_var_t:dir rw_dir_perms;
  manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
  manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
-@@ -514,7 +583,7 @@
+@@ -514,7 +584,7 @@
  userdom_use_sysadm_ttys(smbmount_t)
  
  optional_policy(`
@@ -6306,7 +6462,7 @@
  ')
  
  optional_policy(`
-@@ -534,7 +603,6 @@
+@@ -534,7 +604,6 @@
  allow swat_t self:process signal_perms;
  allow swat_t self:fifo_file rw_file_perms;
  allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
@@ -6314,7 +6470,15 @@
  allow swat_t self:tcp_socket create_stream_socket_perms;
  allow swat_t self:udp_socket create_socket_perms;
  allow swat_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -625,6 +693,8 @@
+@@ -588,6 +657,7 @@
+ fs_getattr_xattr_fs(swat_t)
+ 
+ auth_domtrans_chk_passwd(swat_t)
++auth_domtrans_upd_passwd(swat_t)
+ 
+ libs_use_ld_so(swat_t)
+ libs_use_shared_libs(swat_t)
+@@ -625,6 +695,8 @@
  # Winbind local policy
  #
  
@@ -6323,7 +6487,7 @@
  dontaudit winbind_t self:capability sys_tty_config;
  allow winbind_t self:process signal_perms;
  allow winbind_t self:fifo_file { read write };
-@@ -634,10 +704,15 @@
+@@ -634,10 +706,15 @@
  allow winbind_t self:tcp_socket create_stream_socket_perms;
  allow winbind_t self:udp_socket create_socket_perms;
  
@@ -6339,7 +6503,7 @@
  manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
  filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
  
-@@ -645,6 +720,8 @@
+@@ -645,6 +722,8 @@
  manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
  manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
  
@@ -6348,7 +6512,15 @@
  manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
  manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
  
-@@ -736,6 +813,7 @@
+@@ -683,6 +762,7 @@
+ fs_search_auto_mountpoints(winbind_t)
+ 
+ auth_domtrans_chk_passwd(winbind_t)
++auth_domtrans_upd_passwd(winbind_t)
+ 
+ domain_use_interactive_fds(winbind_t)
+ 
+@@ -736,6 +816,7 @@
  read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
  read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
  
@@ -6356,7 +6528,7 @@
  allow winbind_helper_t samba_var_t:dir search;
  
  stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -764,3 +842,23 @@
+@@ -764,3 +845,23 @@
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
  ')
@@ -6745,6 +6917,17 @@
          udev_read_db(tftpd_t)
  ')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-2.6.4/policy/modules/services/uwimap.te
+--- nsaserefpolicy/policy/modules/services/uwimap.te	2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/uwimap.te	2007-06-19 09:03:07.000000000 -0400
+@@ -63,6 +63,7 @@
+ fs_search_auto_mountpoints(imapd_t)
+ 
+ auth_domtrans_chk_passwd(imapd_t)
++auth_domtrans_upd_passwd(imapd_t)
+ 
+ libs_use_ld_so(imapd_t)
+ libs_use_shared_libs(imapd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.fc serefpolicy-2.6.4/policy/modules/services/w3c.fc
 --- nsaserefpolicy/policy/modules/services/w3c.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/services/w3c.fc	2007-06-18 10:18:55.000000000 -0400
@@ -6930,7 +7113,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if	2007-06-19 09:04:26.000000000 -0400
 @@ -27,11 +27,9 @@
  	domain_type($1_chkpwd_t)
  	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@@ -7016,7 +7199,12 @@
  	# for SSP/ProPolice
  	dev_read_urand($1)
  
-@@ -211,9 +212,11 @@
+@@ -207,13 +208,16 @@
+ 	mls_fd_share_all_levels($1)
+ 
+ 	auth_domtrans_chk_passwd($1)
++	auth_domtrans_upd_passwd($1)
+ 	auth_dontaudit_read_shadow($1)
  	auth_read_login_records($1)
  	auth_append_login_records($1)
  	auth_rw_lastlog($1)
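Review bot: The added `auth_domtrans_upd_passwd($1)` sits in a shared interface body, so every domain that calls this interface gains the transition to the password-update helper. The interface starts and ends outside the hunk, so its name and its callers cannot be confirmed from here. If the daemons that get the same grant in their own modules elsewhere in this patch already call this interface, those per-module lines are redundant; if some callers only verify passwords, the line belongs in the individual modules instead. Either way the interface's `## <summary>` / `## <desc>` block should state that callers may now update passwords as well as check them.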
@@ -7029,7 +7217,7 @@
  	init_rw_utmp($1)
  
  	logging_send_syslog_msg($1)
-@@ -221,6 +224,7 @@
+@@ -221,6 +225,7 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -7037,7 +7225,7 @@
  	tunable_policy(`allow_polyinstantiation',`
  		files_polyinstantiate_all($1)
  	')
-@@ -320,10 +324,6 @@
+@@ -320,10 +325,6 @@
  		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
  	')
  
@@ -7048,7 +7236,7 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
  
-@@ -357,6 +357,37 @@
+@@ -357,6 +358,37 @@
  
  ########################################
  ## <summary>
@@ -7086,7 +7274,7 @@
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -1391,3 +1422,114 @@
+@@ -1391,3 +1423,114 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -7762,7 +7950,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc	2007-06-19 08:52:19.000000000 -0400
 @@ -81,8 +81,8 @@
  /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -7791,6 +7979,15 @@
  /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -254,6 +257,8 @@
+ /usr/lib(64)?/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
++/usr/lib(64)?/libdvdcss\.so.*  		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ 
+ # vmware 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-2.6.4/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/libraries.te	2007-06-18 10:18:55.000000000 -0400
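Review bot: The new entry ends in `libdvdcss\.so.*`, while the neighbouring entries bound the suffix with `\.so(\.[^/]*)*` or an exact `\.so\.0`; the open `.*` also matches names such as `libdvdcss.so-anything` and, because `.` matches `/`, paths below such a name. Since `textrel_shlib_t` is the label that relaxes the text-relocation restriction, the match should be as tight as its neighbours: `/usr/lib(64)?/libdvdcss\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)`. The line also mixes spaces and tabs before `--`, unlike the tab-only lines around it.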
@@ -8332,7 +8529,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-06-19 09:43:34.000000000 -0400
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -8387,9 +8584,14 @@
  	')
  ')
  
-@@ -205,3 +222,53 @@
+@@ -204,4 +221,58 @@
+ ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
++	optional_policy(`
++		hal_dbus_chat(unconfined_mount_t)
++	')
++
  ')
 +
 +########################################
@@ -8757,6 +8959,19 @@
  ')
 +
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-2.6.4/policy/modules/system/sysnetwork.if
+--- nsaserefpolicy/policy/modules/system/sysnetwork.if	2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.if	2007-06-18 15:37:29.000000000 -0400
+@@ -520,6 +520,9 @@
+ 
+ 	files_search_etc($1)
+ 	allow $1 net_conf_t:file read_file_perms;
++
++	# LDAP Configuration using encrypted requires
++	dev_read_urand($1)
+ ')
+ 
+ ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.6.4/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.te	2007-06-18 10:18:55.000000000 -0400
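Review bot: The comment `# LDAP Configuration using encrypted requires` is an unfinished sentence, and it is the only explanation for giving every caller of this interface read access to the urandom device. A complete comment such as `# LDAP configured for encrypted connections needs to read urandom` would record the intent. The interface header is outside the hunk; judging by `allow $1 net_conf_t:file read_file_perms;` it is a config-read interface, so its `## <summary>` should also mention the extra device access that callers now inherit.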
@@ -8971,7 +9186,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-06-18 10:18:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-06-19 09:42:56.000000000 -0400
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -9806,8 +10021,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.6.4/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/xen.if	2007-06-18 10:18:55.000000000 -0400
-@@ -72,12 +72,35 @@
++++ serefpolicy-2.6.4/policy/modules/system/xen.if	2007-06-19 11:35:35.000000000 -0400
+@@ -72,12 +72,34 @@
  	')
  
  	logging_search_logs($1)
@@ -9833,9 +10048,8 @@
 +	')
 +
 +	logging_search_logs($1)
-+	allow $1 xend_var_log_t:dir create_dir_perms;
-+	allow $1 xend_var_log_t:file create_file_perms;
-+	dontaudit $1 xend_var_log_t:file write;
++	manage_dirs_pattern($1,xend_var_log_t,xend_var_log_t)
++	manage_files_pattern($1,xend_var_log_t,xend_var_log_t)
 +')
 +
 +########################################
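Review bot: `manage_files_pattern($1,xend_var_log_t,xend_var_log_t)` gives the caller write, rename and unlink on existing Xen log files, and the removed `dontaudit $1 xend_var_log_t:file write;` suggests that write was previously meant to be refused quietly. The log message ties this to udev; if udev only needs to create and append to its own log, an append-only grant would leave existing xend logs harder to tamper with. The interface header is outside the hunk, so I cannot check its `## <summary>`, but it should describe the access as "manage" after this change. A short why-comment above the two pattern lines would also help, given that this is the second fix to the same rule.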
@@ -9843,7 +10057,7 @@
  ##	Do not audit attempts to read and write
  ##	Xen unix domain stream sockets.  These
  ##	are leaked file descriptors.
-@@ -151,3 +174,25 @@
+@@ -151,3 +173,25 @@
  
  	domtrans_pattern($1,xm_exec_t,xm_t)
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.466
retrieving revision 1.467
diff -u -r1.466 -r1.467
--- selinux-policy.spec	18 Jun 2007 16:20:49 -0000	1.466
+++ selinux-policy.spec	19 Jun 2007 17:14:21 -0000	1.467
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,10 @@
 %endif
 
 %changelog
+* Tue Jun 19 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-18
+- Fix udev for xen again
+- Allow cron to set loginuid
+
 * Thu Jun 14 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-17
 - Allow udev to manage xen logs
 



