rpms/selinux-policy/F-7 modules-targeted.conf, 1.61, 1.62 policy-20070501.patch, 1.58, 1.59 selinux-policy.spec, 1.493, 1.494

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Sep 21 20:22:48 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv3517

Modified Files:
	modules-targeted.conf policy-20070501.patch 
	selinux-policy.spec 
Log Message:
* Thu Sep 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-43
- Make /dev/fuse a fuse_device_t



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/modules-targeted.conf,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- modules-targeted.conf	11 Jul 2007 20:43:44 -0000	1.61
+++ modules-targeted.conf	21 Sep 2007 20:22:15 -0000	1.62
@@ -1470,3 +1470,10 @@
 # 
 w3c = module
 
+#
+# Layer: services
+# Module: exim
+#
+# exim mail server 
+# 
+exim = module

policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -r1.58 -r1.59
--- policy-20070501.patch	11 Sep 2007 20:04:54 -0000	1.58
+++ policy-20070501.patch	21 Sep 2007 20:22:15 -0000	1.59
@@ -1711,7 +1711,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.if.in	2007-09-11 15:53:08.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.if.in	2007-09-11 15:55:52.000000000 -0400
 @@ -1449,6 +1449,44 @@
  
  ########################################
@@ -1881,7 +1881,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.6.4/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/devices.fc	2007-09-21 14:29:34.000000000 -0400
 @@ -19,6 +19,8 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -1917,6 +1917,14 @@
  /dev/cpu/.*		-c	gen_context(system_u:object_r:cpu_device_t,s0)
  /dev/cpu/mtrr		-c	gen_context(system_u:object_r:mtrr_device_t,s0)
  
+@@ -92,6 +97,7 @@
+ /dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
+ /dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
+ /dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
++/dev/input/uimput	-c	gen_context(system_u:object_r:scanner_device_t,s0)
+ 
+ /dev/mapper/control	-c	gen_context(system_u:object_r:lvm_control_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.6.4/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/devices.if	2007-08-07 09:42:35.000000000 -0400
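Review bot: The new file context in the `+@@ -92` hunk labels `/dev/input/uimput`, which does not match any device name I know of; presumably `/dev/input/uinput` (the kernel's user-level input device) was intended, and as written the entry never matches, so the node keeps whatever generic device label it gets today. The type choice also deserves a comment: a uinput node lets its writer inject input events, so folding it into `scanner_device_t` extends that to every domain with scanner access, where a dedicated type — or at least `# uinput: shares scanner_device_t until a dedicated type exists` — would make the decision visible to the next reader. Suggested line: `/dev/input/uinput	-c	gen_context(system_u:object_r:scanner_device_t,s0)`.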
@@ -2933,7 +2941,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.6.4/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/storage.fc	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/storage.fc	2007-09-13 12:46:00.000000000 -0400
 @@ -23,6 +23,7 @@
  /dev/loop.*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/lvm		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
@@ -2942,9 +2950,18 @@
  /dev/mmcblk.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
  /dev/nb[^/]+		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  /dev/optcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+@@ -51,7 +52,7 @@
+ 
+ /dev/cciss/[^/]*		-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ 
+-/dev/fuse		-c	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/fuse		-c	gen_context(system_u:object_r:fuse_device_t,mls_systemhigh)
+ /dev/floppy/[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+ 
+ /dev/i2o/hd[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-2.6.4/policy/modules/kernel/storage.if
 --- nsaserefpolicy/policy/modules/kernel/storage.if	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/storage.if	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/storage.if	2007-09-13 12:46:54.000000000 -0400
 @@ -100,6 +100,7 @@
  
  	dev_list_all_dev_nodes($1)
@@ -2961,6 +2978,84 @@
  	typeattribute $1 fixed_disk_raw_write;
  ')
  
+@@ -670,3 +672,61 @@
+ 
+ 	typeattribute $1 storage_unconfined_type;
+ ')
++
++########################################
++## <summary>
++##	Allow the caller to get the attributes
++##	of device nodes of fuse devices.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`storage_getattr_fuse_dev',`
++	gen_require(`
++		type fuse_device_t;
++	')
++
++	dev_list_all_dev_nodes($1)
++	allow $1 fuse_device_t:chr_file getattr;
++')
++
++########################################
++## <summary>
++##	read or write fuse device interfaces.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`storage_rw_fuse',`
++	gen_require(`
++		type fuse_device_t;
++	')
++
++	allow $1 fuse_device_t:chr_file rw_file_perms;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read or write
++##	fuse device interfaces.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`storage_dontaudit_rw_fuse',`
++	gen_require(`
++		type fuse_device_t;
++	')
++
++	dontaudit $1 fuse_device_t:chr_file rw_file_perms;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.te serefpolicy-2.6.4/policy/modules/kernel/storage.te
+--- nsaserefpolicy/policy/modules/kernel/storage.te	2007-05-07 14:51:04.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/storage.te	2007-09-13 12:45:24.000000000 -0400
+@@ -23,6 +23,12 @@
+ neverallow ~{ fixed_disk_raw_write storage_unconfined_type } fixed_disk_device_t:{ chr_file blk_file } { append write };
+ 
+ #
++# fuse_device_t is the type of /dev/fuse
++#
++type fuse_device_t;
++dev_node(fuse_device_t)
++
++#
+ # scsi_generic_device_t is the type of /dev/sg*
+ # it gives access to ALL SCSI devices (both fixed and removable)
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.fc serefpolicy-2.6.4/policy/modules/kernel/terminal.fc
 --- nsaserefpolicy/policy/modules/kernel/terminal.fc	2007-05-07 14:51:04.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/kernel/terminal.fc	2007-08-07 09:42:35.000000000 -0400
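Review bot: In `storage_rw_fuse` the `<param name="domain">` summary says `Domain to not audit.`, copied from the dontaudit variant below it; for an allow interface it should read `##	Domain allowed access.`. Unlike `storage_getattr_fuse_dev` just above, `storage_rw_fuse` also omits `dev_list_all_dev_nodes($1)`, so a caller without its own search access on /dev gets the chr_file permission but may still be unable to reach the node; adding the same call keeps the two interfaces consistent. The summary text `read or write fuse device interfaces.` should start with a capital like the neighbouring ones. In storage.te the new `fuse_device_t` is deliberately left outside the `fixed_disk_device_t` neverallow because it is meant to be writable by ordinary domains (automount gets `storage_rw_fuse` in this patch); a one-line comment saying so next to `type fuse_device_t;` would save the reader the question.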
@@ -3981,7 +4076,7 @@
  fs_getattr_all_fs(entropyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.6.4/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/automount.te	2007-08-21 13:38:42.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/automount.te	2007-09-13 12:51:25.000000000 -0400
 @@ -69,6 +69,7 @@
  files_mounton_all_mountpoints(automount_t)
  files_mount_all_file_type_fs(automount_t)
@@ -3998,7 +4093,16 @@
  dev_read_urand(automount_t)
  
  domain_use_interactive_fds(automount_t)
-@@ -178,6 +180,11 @@
+@@ -138,6 +140,8 @@
+ # Run mount in the mount_t domain.
+ mount_domtrans(automount_t)
+ 
++storage_rw_fuse(automount_t)
++
+ sysnet_dns_name_resolve(automount_t)
+ sysnet_use_ldap(automount_t)
+ sysnet_read_config(automount_t)
+@@ -178,6 +182,11 @@
  ')
  
  optional_policy(`
@@ -4102,6 +4206,18 @@
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
  fs_getattr_xattr_fs(ndc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.6.4/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/bluetooth.te	2007-09-18 13:32:53.000000000 -0400
+@@ -139,6 +139,8 @@
+ 	dbus_system_bus_client_template(bluetooth,bluetooth_t)
+ 	dbus_connect_system_bus(bluetooth_t)
+ 	dbus_send_system_bus(bluetooth_t)
++	allow bluetooth_t self:dbus send_msg;
++
+ ')
+ 
+ optional_policy(`
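Review bot: The added `allow bluetooth_t self:dbus send_msg;` is followed by an added blank line immediately before the closing `')`, which the surrounding refpolicy blocks do not do; drop that blank line. The enclosing `optional_policy(` block begins outside the hunk.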
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.6.4/policy/modules/services/clamav.fc
 --- nsaserefpolicy/policy/modules/services/clamav.fc	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/clamav.fc	2007-08-07 09:42:35.000000000 -0400
@@ -5208,6 +5324,462 @@
 +	term_dontaudit_use_unallocated_ttys(dovecot_deliver_t)
 +	term_dontaudit_use_generic_ptys(dovecot_deliver_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-2.6.4/policy/modules/services/exim.fc
+--- nsaserefpolicy/policy/modules/services/exim.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/exim.fc	2007-09-13 12:59:21.000000000 -0400
+@@ -0,0 +1,6 @@
++
++/usr/sbin/exim	--	gen_context(system_u:object_r:exim_exec_t,s0)
++/etc/rc.d/init.d/exim	--	gen_context(system_u:object_r:exim_script_exec_t,s0)
++/var/run/exim.pid		--	gen_context(system_u:object_r:exim_var_run_t,s0)
++/var/log/exim(/.*)?			gen_context(system_u:object_r:exim_log_t,s0)
++/var/spool/exim(/.*)?			gen_context(system_u:object_r:exim_spool_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-2.6.4/policy/modules/services/exim.if
+--- nsaserefpolicy/policy/modules/services/exim.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/exim.if	2007-09-13 12:59:21.000000000 -0400
+@@ -0,0 +1,330 @@
++
++## <summary>policy for exim</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run exim.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`exim_domtrans',`
++	gen_require(`
++		type exim_t;
++                type exim_exec_t;
++	')
++
++	domain_auto_trans($1,exim_exec_t,exim_t)
++
++	allow exim_t $1:fd use;
++	allow exim_t $1:fifo_file rw_file_perms;
++	allow exim_t $1:process sigchld;
++')
++
++
++########################################
++## <summary>
++##	Execute exim server in the exim domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`exim_script_domtrans',`
++	gen_require(`
++		type exim_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,exim_script_exec_t)
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to read, 
++##	exim tmp files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`exim_dontaudit_read_tmp_files',`
++	gen_require(`
++		type exim_tmp_t;
++	')
++
++	dontaudit $1 exim_tmp_t:file r_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow domain to read, exim tmp files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`exim_read_tmp_files',`
++	gen_require(`
++		type exim_tmp_t;
++	')
++
++	allow $1 exim_tmp_t:file r_file_perms;
++')
++
++########################################
++## <summary>
++##	Allow domain to manage exim tmp files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`exim_manage_tmp',`
++	gen_require(`
++		type exim_tmp_t;
++	')
++
++         manage_dir_perms($1,exim_tmp_t,exim_tmp_t)
++         manage_file_perms($1,exim_tmp_t,exim_tmp_t)
++         manage_lnk_file_perms($1,exim_tmp_t,exim_tmp_t)
++')
++
++########################################
++## <summary>
++##	Read exim PID files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`exim_read_pid_files',`
++	gen_require(`
++		type exim_var_run_t;
++	')
++
++	files_search_pids($1)
++	allow $1 exim_var_run_t:file r_file_perms;
++')
++
++########################################
++## <summary>
++##	Manage exim var_run files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`exim_manage_var_run',`
++	gen_require(`
++		type exim_var_run_t;
++	')
++
++         manage_dir_perms($1,exim_var_run_t,exim_var_run_t)
++         manage_file_perms($1,exim_var_run_t,exim_var_run_t)
++         manage_lnk_file_perms($1,exim_var_run_t,exim_var_run_t)
++')
++
++
++########################################
++## <summary>
++##	Allow the specified domain to read exim's log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`exim_read_log',`
++	gen_require(`
++		type exim_log_t;
++	')
++
++	logging_search_logs($1)
++	allow $1 exim_log_t:dir r_dir_perms;
++	allow $1 exim_log_t:file { read getattr lock };
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to append
++##	exim log files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed to transition.
++## 	</summary>
++## </param>
++#
++interface(`exim_append_log',`
++	gen_require(`
++		type var_log_t, exim_log_t;
++	')
++
++	logging_search_logs($1)
++	allow $1 exim_log_t:dir r_dir_perms;
++	allow $1 exim_log_t:file { getattr append };
++')
++
++########################################
++## <summary>
++##	Allow domain to manage exim log files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`exim_manage_log',`
++	gen_require(`
++		type exim_log_t;
++	')
++
++         manage_dir_perms($1,exim_log_t,exim_log_t)
++         manage_file_perms($1,exim_log_t,exim_log_t)
++         manage_lnk_file_perms($1,exim_log_t,exim_log_t)
++')
++
++########################################
++## <summary>
++##	Search exim spool directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`exim_search_spool',`
++	gen_require(`
++		type exim_spool_t;
++	')
++
++	allow $1 exim_spool_t:dir search_dir_perms;
++	files_search_spool($1)
++')
++
++########################################
++## <summary>
++##	Read exim spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`exim_read_spool_files',`
++	gen_require(`
++		type exim_spool_t;
++	')
++
++	allow $1 exim_spool_t:file r_file_perms;
++	allow $1 exim_spool_t:dir list_dir_perms;
++	files_search_spool($1)
++')
++
++########################################
++## <summary>
++##	Create, read, write, and delete
++##	exim spool files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`exim_manage_spool_files',`
++	gen_require(`
++		type exim_spool_t;
++	')
++
++	allow $1 exim_spool_t:file manage_file_perms;
++	allow $1 exim_spool_t:dir rw_dir_perms;
++	files_search_spool($1)
++')
++
++########################################
++## <summary>
++##	Allow domain to manage exim spool files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`exim_manage_spool',`
++	gen_require(`
++		type exim_spool_t;
++	')
++
++         manage_dir_perms($1,exim_spool_t,exim_spool_t)
++         manage_file_perms($1,exim_spool_t,exim_spool_t)
++         manage_lnk_file_perms($1,exim_spool_t,exim_spool_t)
++')
++
++
++########################################
++## <summary>
++##	All of the rules required to administrate an exim environment
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the exim domain.
++##	</summary>
++## </param>
++## <param name="terminal">
++##	<summary>
++##	The type of the terminal allow the dmidecode domain to use.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`exim_admin',`
++	gen_require(`
++		type exim_t;
++	')
++
++	allow $1 exim_t:process { ptrace signal_perms getattr };
++	read_files_pattern($1, exim_t, exim_t)
++	        
++
++	# Allow $1 to restart the apache service
++	exim_script_domtrans($1)
++	domain_system_change_exemption($1)
++	role_transition $2 exim_script_exec_t system_r;
++	allow $2 system_r;
++
++	exim_manage_tmp($1)
++
++	exim_manage_var_run($1)
++
++	exim_manage_log($1)
++
++	exim_manage_spool($1)
++
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te
+--- nsaserefpolicy/policy/modules/services/exim.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/exim.te	2007-09-13 12:59:21.000000000 -0400
+@@ -0,0 +1,108 @@
++policy_module(exim,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type exim_t;
++type exim_exec_t;
++domain_type(exim_t)
++init_daemon_domain(exim_t, exim_exec_t)
++
++type exim_script_exec_t;
++init_script_type(exim_script_exec_t)
++
++type exim_tmp_t;
++files_tmp_file(exim_tmp_t)
++
++type exim_var_run_t;
++files_pid_file(exim_var_run_t)
++
++type exim_log_t;
++logging_log_file(exim_log_t)
++
++type exim_spool_t;
++files_type(exim_spool_t)
++
++########################################
++#
++# exim local policy
++#
++
++allow exim_t self:capability { dac_override dac_read_search setuid setgid };
++
++## internal communication is often done using fifo and unix sockets.
++allow exim_t self:fifo_file rw_file_perms;
++allow exim_t self:unix_stream_socket create_stream_socket_perms;
++
++allow exim_t exim_tmp_t:file manage_file_perms;
++allow exim_t exim_tmp_t:dir create_dir_perms;
++files_tmp_filetrans(exim_t,exim_tmp_t, { file dir })
++
++allow exim_t exim_var_run_t:file manage_file_perms;
++allow exim_t exim_var_run_t:dir manage_dir_perms;
++files_pid_filetrans(exim_t,exim_var_run_t, { file dir })
++
++allow exim_t exim_log_t:file manage_file_perms;
++allow exim_t exim_log_t:dir { rw_dir_perms setattr };
++logging_log_filetrans(exim_t,exim_log_t,{ file dir })
++
++allow exim_t exim_spool_t:dir manage_dir_perms;
++allow exim_t exim_spool_t:file manage_file_perms;
++allow exim_t exim_spool_t:sock_file create_file_perms;
++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++
++auth_use_nsswitch(exim_t)
++
++can_exec(exim_t,exim_exec_t)
++
++# Init script handling
++domain_use_interactive_fds(exim_t)
++
++files_read_etc_files(exim_t)
++
++sysnet_dns_name_resolve(exim_t)
++corenet_all_recvfrom_unlabeled(exim_t)
++
++allow exim_t self:tcp_socket create_stream_socket_perms;
++corenet_tcp_sendrecv_all_if(exim_t)
++corenet_tcp_sendrecv_all_nodes(exim_t)
++corenet_tcp_sendrecv_all_ports(exim_t)
++corenet_tcp_bind_all_nodes(exim_t)
++corenet_tcp_bind_smtp_port(exim_t)
++corenet_tcp_bind_amavisd_send_port(exim_t)
++corenet_tcp_connect_auth_port(exim_t)
++corenet_tcp_connect_inetd_child_port(exim_t)
++
++corecmd_search_bin(exim_t)
++
++libs_use_ld_so(exim_t)
++libs_use_shared_libs(exim_t)
++logging_send_syslog_msg(exim_t)
++
++miscfiles_read_localization(exim_t)
++
++kernel_read_kernel_sysctls(exim_t)
++
++mta_mailclient(exim_exec_t)
++mta_read_aliases(exim_t)
++mta_rw_spool(exim_t)
++
++userdom_dontaudit_search_sysadm_home_dirs(exim_t)
++userdom_dontaudit_search_generic_user_home_dirs(exim_t)
++
++bool exim_read_user_files false;
++bool exim_manage_user_files false;
++
++if (exim_read_user_files) {
++   userdom_read_unpriv_users_home_content_files(exim_t)
++   userdom_read_unpriv_users_tmp_files(exim_t)
++}
++
++if (exim_manage_user_files) {
++   userdom_manage_unpriv_users_home_content_dirs(exim_t)
++   userdom_read_unpriv_users_tmp_files(exim_t)
++   userdom_write_unpriv_users_tmp_files(exim_t)
++}
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/ftp.te	2007-08-07 09:42:35.000000000 -0400
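Review bot: exim.te declares `exim_read_user_files` and `exim_manage_user_files` with raw `bool ... false;` and `if (...) { }` blocks, whereas this patch's own mta.if uses `tunable_policy(` and the refpolicy convention is `gen_tunable` with a `## <desc>` block; the raw form leaves both booleans out of the generated tunable documentation, which matters because the second one grants exim manage access to every unprivileged user's home content. exim.if carries copy-paste leftovers: the `<param>` summaries of `exim_read_tmp_files`, `exim_manage_tmp`, `exim_manage_log` and `exim_manage_spool` say `Domain to not audit.` although they allow access, `exim_admin` comments `# Allow $1 to restart the apache service` and documents a `terminal` parameter for the `dmidecode domain` that its body never uses, and `exim_append_log` requires `var_log_t` without using it. Indentation is mixed as well (`type exim_exec_t;` under `exim_domtrans` and the `manage_*_perms` lines are space-indented while the rest uses tabs). The fenced excerpt shows the tunable form for the two booleans.

```m4
# … unchanged: declarations and exim local policy …

## <desc>
## <p>
## Allow exim to read unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_read_user_files, false)

## <desc>
## <p>
## Allow exim to manage unprivileged user files.
## </p>
## </desc>
gen_tunable(exim_manage_user_files, false)

tunable_policy(`exim_read_user_files',`
	userdom_read_unpriv_users_home_content_files(exim_t)
	userdom_read_unpriv_users_tmp_files(exim_t)
')

tunable_policy(`exim_manage_user_files',`
	userdom_manage_unpriv_users_home_content_dirs(exim_t)
	userdom_read_unpriv_users_tmp_files(exim_t)
	userdom_write_unpriv_users_tmp_files(exim_t)
')
```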
@@ -5387,7 +5959,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.6.4/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/hal.te	2007-09-21 14:56:10.000000000 -0400
 @@ -61,8 +61,6 @@
  # For backwards compatibility with older kernels
  allow hald_t self:netlink_socket create_socket_perms;
@@ -5450,6 +6022,15 @@
  dev_setattr_sound_dev(hald_acl_t)
  dev_setattr_generic_usb_dev(hald_acl_t)
  dev_setattr_usbfs_files(hald_acl_t)
+@@ -341,6 +349,8 @@
+ 
+ files_read_usr_files(hald_mac_t)
+ 
++kernel_read_system_state(hald_mac_t)
++
+ libs_use_ld_so(hald_mac_t)
+ libs_use_shared_libs(hald_mac_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-2.6.4/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/inetd.te	2007-08-07 09:42:35.000000000 -0400
@@ -5889,7 +6470,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.4/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.if	2007-08-22 09:45:09.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mta.if	2007-09-13 13:07:23.000000000 -0400
 @@ -226,6 +226,15 @@
  	tunable_policy(`use_samba_home_dirs',`
  		fs_manage_cifs_files($1_mail_t)
@@ -5906,7 +6487,33 @@
  	')
  
  	optional_policy(`
-@@ -394,6 +403,7 @@
+@@ -316,6 +325,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Make the specified type usable for a mta_send_mail.
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type to be used as a mail client.
++##	</summary>
++## </param>
++#
++interface(`mta_mailclient',`
++	gen_require(`
++		attribute mailclient_exec_type;
++	')
++
++	typeattribute $1 mailclient_exec_type;
++')
++
++
++########################################
++## <summary>
+ ##	Modified mailserver interface for
+ ##	sendmail daemon use.
+ ## </summary>
+@@ -394,6 +422,7 @@
  	allow $1 mail_spool_t:dir list_dir_perms;
  	create_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_files_pattern($1,mail_spool_t,mail_spool_t)
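Review bot: The new `mta_mailclient` summary `Make the specified type usable for a mta_send_mail.` is hard to parse; `##	Mark the specified executable type as a mail client entry point for mta_send_mail.` says what the attribute does. Because every type given `mailclient_exec_type` becomes a binary through which any `mta_send_mail` caller is auto-transitioned into `system_mail_t`, the `<param name="type">` summary should make the expectation explicit, e.g. `##	Executable type to be run as a mail client (enters system_mail_t).`. There are two consecutive added blank lines before the following interface header; one is the convention in this file.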
@@ -5914,7 +6521,23 @@
  	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  
-@@ -847,6 +857,25 @@
+@@ -449,11 +478,12 @@
+ interface(`mta_send_mail',`
+ 	gen_require(`
+ 		attribute mta_user_agent;
+-		type system_mail_t, sendmail_exec_t;
++		type system_mail_t;
++		attribute mailclient_exec_type;
+ 	')
+ 
+-	allow $1 sendmail_exec_t:lnk_file read_lnk_file_perms;
+-	domain_auto_trans($1, sendmail_exec_t, system_mail_t)
++	allow $1 mailclient_exec_type:lnk_file read_lnk_file_perms;
++	domain_auto_trans($1, mailclient_exec_type, system_mail_t)
+ 
+ 	allow $1 system_mail_t:fd use;
+ 	allow system_mail_t $1:fd use;
+@@ -847,6 +877,25 @@
  	manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
  ')
  
@@ -5942,16 +6565,34 @@
  ##	Read sendmail binary.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.te	2007-08-07 09:42:35.000000000 -0400
-@@ -27,6 +27,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/mta.te	2007-09-13 13:02:46.000000000 -0400
+@@ -6,6 +6,7 @@
+ # Declarations
+ #
+ 
++attribute mailclient_exec_type;
+ attribute mta_user_agent;
+ attribute mailserver_delivery;
+ attribute mailserver_domain;
+@@ -26,7 +27,8 @@
+ files_type(mail_spool_t)
  
  type sendmail_exec_t;
- files_type(sendmail_exec_t)
+-files_type(sendmail_exec_t)
 +application_executable_file(sendmail_exec_t)
++mta_mailclient(sendmail_exec_t)
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-@@ -91,12 +92,14 @@
+@@ -52,6 +54,7 @@
+ kernel_read_system_state(system_mail_t)
+ kernel_read_network_state(system_mail_t)
+ 
++dev_read_sysfs(system_mail_t)
+ dev_read_rand(system_mail_t)
+ dev_read_urand(system_mail_t)
+ 
+@@ -91,12 +94,14 @@
  optional_policy(`
  	apache_read_squirrelmail_data(system_mail_t)
  	apache_append_squirrelmail_data(system_mail_t)
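Review bot: The new `attribute mailclient_exec_type;` has no comment, although it is now the set of executables through which every `mta_send_mail` caller is auto-transitioned into `system_mail_t` (see the `+@@ -449` hunk above), and each later `mta_mailclient()` call — exim.te already makes one for `exim_exec_t` in this patch — silently widens that set. A comment at the declaration, `# executables that mta_send_mail callers may run to enter system_mail_t; extend with care`, records that. Within the declaring module the direct `typeattribute sendmail_exec_t mailclient_exec_type;` is the usual form rather than calling the module's own `mta_mailclient(sendmail_exec_t)` interface, though both work.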
@@ -5966,7 +6607,7 @@
  ')
  
  optional_policy(`
-@@ -109,6 +112,7 @@
+@@ -109,6 +114,7 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
@@ -7902,7 +8543,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.6.4/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.if	2007-09-11 09:24:04.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.if	2007-09-18 08:18:51.000000000 -0400
 @@ -177,6 +177,27 @@
  
  ########################################
@@ -8119,7 +8760,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-09-11 09:56:07.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-09-18 08:17:55.000000000 -0400
 @@ -16,6 +16,14 @@
  
  ## <desc>
@@ -8205,7 +8846,7 @@
  ########################################
  #
  # smbd Local policy
-@@ -191,18 +222,16 @@
+@@ -191,20 +222,16 @@
  allow smbd_t self:msgq create_msgq_perms;
  allow smbd_t self:sem create_sem_perms;
  allow smbd_t self:shm create_shm_perms;
@@ -8222,12 +8863,14 @@
 -create_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
 -create_files_pattern(smbd_t,samba_log_t,samba_log_t)
 -append_files_pattern(smbd_t,samba_log_t,samba_log_t)
+-allow smbd_t samba_log_t:dir setattr;
+-dontaudit smbd_t samba_log_t:dir remove_name;
 +manage_dirs_pattern(smbd_t,samba_log_t,samba_log_t)
 +manage_files_pattern(smbd_t,samba_log_t,samba_log_t)
- allow smbd_t samba_log_t:dir setattr;
- dontaudit smbd_t samba_log_t:dir remove_name;
  
-@@ -231,7 +260,8 @@
+ allow smbd_t samba_net_tmp_t:file getattr;
+ 
+@@ -231,7 +258,8 @@
  manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
  files_pid_filetrans(smbd_t,smbd_var_run_t,file)
  
@@ -8237,7 +8880,7 @@
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -241,6 +271,9 @@
+@@ -241,6 +269,9 @@
  kernel_read_software_raid_state(smbd_t)
  kernel_read_system_state(smbd_t)
  
@@ -8247,7 +8890,7 @@
  corenet_tcp_sendrecv_all_if(smbd_t)
  corenet_udp_sendrecv_all_if(smbd_t)
  corenet_raw_sendrecv_all_if(smbd_t)
-@@ -265,11 +298,14 @@
+@@ -265,11 +296,14 @@
  fs_get_xattr_fs_quotas(smbd_t)
  fs_search_auto_mountpoints(smbd_t)
  fs_getattr_rpc_dirs(smbd_t)
@@ -8262,7 +8905,7 @@
  
  files_list_var_lib(smbd_t)
  files_read_etc_files(smbd_t)
-@@ -290,12 +326,16 @@
+@@ -290,12 +324,16 @@
  miscfiles_read_localization(smbd_t)
  miscfiles_read_public_files(smbd_t)
  
@@ -8281,7 +8924,7 @@
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -319,6 +359,14 @@
+@@ -319,6 +357,14 @@
  ')
  
  optional_policy(`
@@ -8296,7 +8939,7 @@
  	cups_read_rw_config(smbd_t)
  	cups_stream_connect(smbd_t)
  ')
-@@ -339,6 +387,23 @@
+@@ -339,6 +385,23 @@
  	udev_read_db(smbd_t)
  ')
  
@@ -8320,7 +8963,7 @@
  ########################################
  #
  # nmbd Local policy
-@@ -352,7 +417,7 @@
+@@ -352,7 +415,7 @@
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -8329,21 +8972,21 @@
  allow nmbd_t self:tcp_socket create_stream_socket_perms;
  allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -362,9 +427,12 @@
+@@ -362,9 +425,11 @@
  files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
  
  read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
 +files_list_var_lib(nmbd_t)
++
++manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
++manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  
 -create_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
-+manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
- append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-+allow nmbd_t samba_log_t:file unlink;
-+
+-append_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  allow nmbd_t samba_log_t:dir setattr;
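Review bot: After the added `manage_files_pattern(nmbd_t,samba_log_t,samba_log_t)`, the remaining context lines `read_files_pattern(nmbd_t,samba_log_t,samba_log_t)` and `create_files_pattern(nmbd_t,samba_log_t,samba_log_t)` are fully subsumed, and `allow nmbd_t samba_log_t:dir setattr;` is covered by the added `manage_dirs_pattern`; the smbd hunk above removed its equivalent rules, so this one should do the same for consistency. The hunk ends before the rest of the nmbd log rules, so there may be further redundant lines just outside it.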
-@@ -373,6 +441,8 @@
+@@ -373,6 +438,8 @@
  
  allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
  
@@ -8352,7 +8995,7 @@
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
  kernel_read_kernel_sysctls(nmbd_t)
-@@ -391,6 +461,7 @@
+@@ -391,6 +458,7 @@
  corenet_udp_bind_nmbd_port(nmbd_t)
  corenet_sendrecv_nmbd_server_packets(nmbd_t)
  corenet_sendrecv_nmbd_client_packets(nmbd_t)
@@ -8360,7 +9003,7 @@
  
  dev_read_sysfs(nmbd_t)
  dev_getattr_mtrr_dev(nmbd_t)
-@@ -402,6 +473,7 @@
+@@ -402,6 +470,7 @@
  
  files_read_usr_files(nmbd_t)
  files_read_etc_files(nmbd_t)
@@ -8368,7 +9011,7 @@
  
  libs_use_ld_so(nmbd_t)
  libs_use_shared_libs(nmbd_t)
-@@ -411,8 +483,6 @@
+@@ -411,8 +480,6 @@
  
  miscfiles_read_localization(nmbd_t)
  
@@ -8377,7 +9020,7 @@
  userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
  userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
  userdom_use_unpriv_users_fds(nmbd_t)
-@@ -457,6 +527,7 @@
+@@ -457,6 +524,7 @@
  
  allow smbmount_t samba_secrets_t:file manage_file_perms;
  
@@ -8385,7 +9028,7 @@
  allow smbmount_t samba_var_t:dir rw_dir_perms;
  manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
  manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
-@@ -489,6 +560,8 @@
+@@ -489,6 +557,8 @@
  term_list_ptys(smbmount_t)
  term_use_controlling_term(smbmount_t)
  
@@ -8394,7 +9037,7 @@
  corecmd_list_bin(smbmount_t)
  
  files_list_mnt(smbmount_t)
-@@ -508,21 +581,11 @@
+@@ -508,21 +578,11 @@
  
  logging_search_logs(smbmount_t)
  
@@ -8417,7 +9060,7 @@
  ')
  
  ########################################
-@@ -530,22 +593,30 @@
+@@ -530,22 +590,30 @@
  # SWAT Local policy
  #
  
@@ -8454,7 +9097,7 @@
  
  allow swat_t smbd_t:process signull;
  
-@@ -558,7 +629,11 @@
+@@ -558,7 +626,11 @@
  manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
  files_pid_filetrans(swat_t,swat_var_run_t,file)
  
@@ -8467,7 +9110,7 @@
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -582,23 +657,24 @@
+@@ -582,23 +654,24 @@
  
  dev_read_urand(swat_t)
  
@@ -8494,7 +9137,7 @@
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -612,32 +688,30 @@
+@@ -612,32 +685,30 @@
  	kerberos_use(swat_t)
  ')
  
@@ -8534,7 +9177,7 @@
  manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
  filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
  
-@@ -645,6 +719,8 @@
+@@ -645,6 +716,8 @@
  manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
  manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
  
@@ -8543,7 +9186,7 @@
  manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
  manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
  
-@@ -682,7 +758,9 @@
+@@ -682,7 +755,9 @@
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
@@ -8553,7 +9196,7 @@
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -695,9 +773,6 @@
+@@ -695,9 +770,6 @@
  
  miscfiles_read_localization(winbind_t)
  
@@ -8563,7 +9206,7 @@
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
  userdom_priveleged_home_dir_manager(winbind_t)
-@@ -713,10 +788,6 @@
+@@ -713,10 +785,6 @@
  ')
  
  optional_policy(`
@@ -8574,7 +9217,7 @@
  	seutil_sigchld_newrole(winbind_t)
  ')
  
-@@ -736,6 +807,7 @@
+@@ -736,6 +804,7 @@
  read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
  read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
  
@@ -8582,12 +9225,12 @@
  allow winbind_helper_t samba_var_t:dir search;
  
  stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -763,4 +835,60 @@
+@@ -763,4 +832,64 @@
  optional_policy(`
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
 +	squid_rw_stream_sockets(winbind_helper_t)
- ')
++')
 +
 +########################################
 +#
@@ -8643,6 +9286,10 @@
 +allow winbind_t smbcontrol_t:process signal;
 +
 +allow smbcontrol_t nmbd_var_run_t:file { read lock };
++ifdef(`targeted_policy',`
++	term_use_generic_ptys(smbcontrol_t)
++	term_use_unallocated_ttys(smbcontrol_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/sasl.te	2007-08-07 09:42:35.000000000 -0400
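Review bot: The new `ifdef(`targeted_policy',` block granting smbcontrol_t `term_use_generic_ptys` and `term_use_unallocated_ttys` carries no comment explaining why the domain needs terminal access, and neither it nor the `samba_domtrans_smbcontrol(unconfined_t)` line added in the unconfined.te hunk later in this commit is mentioned in the spec changelog, which names only the /dev/fuse relabel. Presumably the terminal rules keep smbcontrol usable from an interactive shell once that transition confines it; if so, say it above the block: `# smbcontrol is started from a user's terminal; let it use that pty/tty under targeted policy`. The smbcontrol section this block closes begins in the preceding hunk, outside this one, and the `+')` moved in the hunk at 8582 now closes the squid optional_policy block while the trailing context `')` closes the new ifdef, which the updated counts (4/64) are consistent with.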
@@ -10086,8 +10733,8 @@
 \ No newline at end of file
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fusermount.te serefpolicy-2.6.4/policy/modules/system/fusermount.te
 --- nsaserefpolicy/policy/modules/system/fusermount.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/system/fusermount.te	2007-08-07 09:42:35.000000000 -0400
-@@ -0,0 +1,47 @@
++++ serefpolicy-2.6.4/policy/modules/system/fusermount.te	2007-09-13 12:51:28.000000000 -0400
+@@ -0,0 +1,48 @@
 +policy_module(fusermount,1.0.0)
 +
 +########################################
@@ -10123,6 +10770,7 @@
 +
 +storage_raw_read_fixed_disk(fusermount_t)
 +storage_raw_write_fixed_disk(fusermount_t)
++storage_rw_fuse(fusermount_t)
 +
 +optional_policy(`
 +	hal_write_log(fusermount_t)
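Review bot: `storage_rw_fuse(fusermount_t)` calls an interface whose definition is not in this chunk, and the same call is added to mount.te in the hunk at 11323 below; the outer patch must also add `storage_rw_fuse` to storage.if and label /dev/fuse as `fuse_device_t` (the changelog's stated purpose) in a file-context file, or the module build fails on the undefined interface, so confirm those hunks exist. A short comment on the call would help the next reader, e.g. `# fusermount opens /dev/fuse (fuse_device_t) on behalf of the FUSE daemon`. The fusermount.te rule block this hunk touches starts outside the hunk, in the one above it.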
@@ -10640,6 +11288,18 @@
 +optional_policy(`
 +	fail2ban_append_log(iptables_t)
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-2.6.4/policy/modules/system/iscsi.te
+--- nsaserefpolicy/policy/modules/system/iscsi.te	2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/iscsi.te	2007-09-21 14:52:05.000000000 -0400
+@@ -67,6 +67,8 @@
+ 
+ files_read_etc_files(iscsid_t)
+ 
++kernel_read_system_state(iscsid_t)
++
+ libs_use_ld_so(iscsid_t)
+ libs_use_shared_libs(iscsid_t)
+ 
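Review bot: `kernel_read_system_state(iscsid_t)` is added with no comment on which /proc read iscsid was denied, and this iscsi change, like the smbcontrol and auditctl changes elsewhere in the commit, is absent from the spec changelog, which lists only the /dev/fuse relabel. That interface grants fairly broad read access to kernel system state, so a one-line comment naming the denial it resolves would keep the grant reviewable later, e.g. `# iscsid reads kernel state under /proc (TODO: record the avc denial this resolves)`. This hunk introduces the entire iscsi.te diff into the patch, so none of the surrounding module file is visible here.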
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/libraries.fc	2007-08-07 09:42:35.000000000 -0400
@@ -11001,7 +11661,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.6.4/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/logging.te	2007-09-18 09:11:29.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -11028,7 +11688,7 @@
  type syslogd_var_run_t;
  files_pid_file(syslogd_var_run_t)
  
-@@ -59,13 +67,18 @@
+@@ -59,19 +67,25 @@
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
  ')
  
@@ -11050,7 +11710,14 @@
  
  read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
-@@ -91,6 +104,7 @@
+ 
+ # Needed for adding watches
+ files_getattr_all_dirs(auditctl_t)
++files_getattr_all_files(auditctl_t)
+ files_read_etc_files(auditctl_t)
+ 
+ kernel_read_kernel_sysctls(auditctl_t)
+@@ -91,6 +105,7 @@
  
  locallogin_dontaudit_use_fds(auditctl_t)
  
@@ -11058,7 +11725,7 @@
  logging_send_syslog_msg(auditctl_t)
  
  ifdef(`targeted_policy',`
-@@ -103,12 +117,11 @@
+@@ -103,12 +118,11 @@
  # Auditd local policy
  #
  
@@ -11072,7 +11739,7 @@
  allow auditd_t self:fifo_file rw_file_perms;
  
  allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -146,6 +159,7 @@
+@@ -146,6 +160,7 @@
  
  init_telinit(auditd_t)
  
@@ -11080,7 +11747,7 @@
  logging_send_syslog_msg(auditd_t)
  
  libs_use_ld_so(auditd_t)
-@@ -265,8 +279,14 @@
+@@ -265,8 +280,14 @@
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
  files_pid_filetrans(syslogd_t,devlog_t,sock_file)
  
@@ -11095,7 +11762,7 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
-@@ -331,6 +351,7 @@
+@@ -331,6 +352,7 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -11268,7 +11935,7 @@
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-09-13 12:47:13.000000000 -0400
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -11323,7 +11990,15 @@
  
  dev_getattr_all_blk_files(mount_t)
  dev_list_all_dev_nodes(mount_t)
-@@ -103,6 +117,8 @@
+@@ -65,6 +79,7 @@
+ storage_raw_write_fixed_disk(mount_t)
+ storage_raw_read_removable_device(mount_t)
+ storage_raw_write_removable_device(mount_t)
++storage_rw_fuse(mount_t)
+ 
+ fs_getattr_xattr_fs(mount_t)
+ fs_getattr_cifs(mount_t)
+@@ -103,6 +118,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
  init_dontaudit_getattr_initctl(mount_t)
@@ -11332,7 +12007,7 @@
  
  libs_use_ld_so(mount_t)
  libs_use_shared_libs(mount_t)
-@@ -130,10 +146,15 @@
+@@ -130,10 +147,15 @@
  ')
  
  ifdef(`targeted_policy',`
@@ -11349,7 +12024,7 @@
  	')
  ')
  
-@@ -162,13 +183,8 @@
+@@ -162,13 +184,8 @@
  
  	fs_search_rpc(mount_t)
  
@@ -11363,7 +12038,7 @@
  ')
  
  optional_policy(`
-@@ -192,9 +208,6 @@
+@@ -192,9 +209,6 @@
  	samba_domtrans_smbmount(mount_t)
  ')
  
@@ -11373,7 +12048,7 @@
  
  ########################################
  #
-@@ -204,4 +217,30 @@
+@@ -204,4 +218,30 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -12047,7 +12722,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-09-18 08:18:22.000000000 -0400
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -12092,7 +12767,7 @@
  		')
  
  		optional_policy(`
-@@ -153,6 +161,8 @@
+@@ -153,11 +161,14 @@
  
  	optional_policy(`
  		rpm_domtrans(unconfined_t)
@@ -12101,7 +12776,13 @@
  	')
  
  	optional_policy(`
-@@ -192,6 +202,9 @@
+ 		samba_domtrans_net(unconfined_t)
+ 		samba_domtrans_winbind_helper(unconfined_t)
++		samba_domtrans_smbcontrol(unconfined_t)
+ 	')
+ 
+ 	optional_policy(`
+@@ -192,6 +203,9 @@
  	optional_policy(`
  		xserver_domtrans_xdm_xserver(unconfined_t)
  	')
@@ -12111,7 +12792,7 @@
  ')
  
  ########################################
-@@ -200,10 +213,18 @@
+@@ -200,10 +214,18 @@
  #
  
  ifdef(`targeted_policy',`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.493
retrieving revision 1.494
diff -u -r1.493 -r1.494
--- selinux-policy.spec	10 Sep 2007 18:25:11 -0000	1.493
+++ selinux-policy.spec	21 Sep 2007 20:22:15 -0000	1.494
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 42%{?dist}
+Release: 43%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
 %endif
 
 %changelog
+* Thu Sep 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-43
+- Make /dev/fuse a fuse_device_t
+
 * Mon Sep 10 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-42
 - Allow modprobe to setsched on kernel
 



