rpms/selinux-policy/F-10 policy-20080710.patch, 1.114, 1.115 selinux-policy.spec, 1.762, 1.763
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Dec 18 19:46:07 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28020
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Tue Dec 9 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-35
- Allow staff_t to execute at jobs
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -r1.114 -r1.115
--- policy-20080710.patch 10 Dec 2008 14:19:58 -0000 1.114
+++ policy-20080710.patch 18 Dec 2008 19:45:35 -0000 1.115
@@ -475,14 +475,14 @@
init_use_fds(consoletype_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-12-02 11:02:32.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2008-12-12 09:38:05.000000000 -0500
@@ -25,11 +25,13 @@
# kismet local policy
#
-allow kismet_t self:capability { net_admin net_raw setuid setgid };
-+allow kismet_t self:capability { kill net_admin net_raw setuid setgid };
-+allow kismet_t self:process signal;
++allow kismet_t self:capability { dac_override kill net_admin net_raw setuid setgid };
++allow kismet_t self:process signal_perms;
allow kismet_t self:fifo_file rw_file_perms;
allow kismet_t self:packet_socket create_socket_perms;
-allow kismet_t self:unix_dgram_socket create_socket_perms;
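Review bot: The new `dac_override` in kismet_t's self:capability set (the `++allow kismet_t self:capability { dac_override kill ... }` line) lets the daemon bypass every DAC permission check for reads and writes, which is much broader than the read/search-only `dac_read_search`, and nothing in the hunk records which file access needed it. If the denial being fixed was a search or read of a root-only directory, `dac_read_search` is the narrower grant; otherwise a comment above the rule such as `# dac_override: <what kismet opens> -- confirm` keeps the next maintainer from treating it as permanent. The change from `signal` to `signal_perms` on the same line set is self-directed and low risk, so the capability is the part worth justifying. The kismet_t rule block continues past the hunk.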
@@ -492,7 +492,7 @@
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr;
-@@ -43,9 +45,19 @@
+@@ -43,9 +45,20 @@
allow kismet_t kismet_var_run_t:dir manage_dir_perms;
files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
@@ -508,13 +508,14 @@
+corenet_tcp_sendrecv_all_ports(kismet_t)
+corenet_tcp_bind_all_nodes(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
++corenet_tcp_connect_kismet_port(kismet_t)
+
+kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
auth_use_nsswitch(kismet_t)
-@@ -55,3 +67,11 @@
+@@ -55,3 +68,11 @@
libs_use_shared_libs(kismet_t)
miscfiles_read_localization(kismet_t)
@@ -2233,7 +2234,7 @@
+/usr/lib(64)?/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.5.13/policy/modules/apps/gpg.if
--- nsaserefpolicy/policy/modules/apps/gpg.if 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/gpg.if 2008-12-18 10:34:23.000000000 -0500
@@ -37,6 +37,9 @@
template(`gpg_per_role_template',`
gen_require(`
@@ -2244,7 +2245,7 @@
')
########################################
-@@ -44,290 +47,60 @@
+@@ -44,290 +47,61 @@
# Declarations
#
@@ -2560,6 +2561,7 @@
- dontaudit $1_gpg_pinentry_t cifs_t:dir write;
- dontaudit $1_gpg_pinentry_t cifs_t:file write;
- ')
++ userdom_use_user_terminals($1, gpg_helper_t)
+ unprivuser_manage_home_content_files(gpg_helper_t)
- dontaudit $1_gpg_pinentry_t { sysctl_t sysctl_kernel_t }:dir { getattr search };
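Review bot: `userdom_use_user_terminals($1, gpg_helper_t)` is added inside gpg_per_role_template, but gpg_helper_t is a single shared type rather than a per-role `$1_` type, so each role that instantiates the template grants the same helper domain access to its terminals and the permissions accumulate across roles. If the helper really must write to the invoking user's tty, a short comment stating that (and that it is cumulative across roles) would make the design visible; otherwise this belongs next to the per-role pinentry rules that the removed lines dealt with. The template body continues outside the hunk.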
@@ -2835,13 +2837,15 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.5.13/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2008-11-24 10:49:49.000000000 -0500
-@@ -3,14 +3,15 @@
++++ serefpolicy-3.5.13/policy/modules/apps/java.fc 2008-12-17 09:15:53.000000000 -0500
+@@ -2,15 +2,16 @@
+ # /opt
#
/opt/(.*/)?bin/java[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
- /opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+-/opt/ibm/java2-ppc64-50/jre/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/local/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
-/opt/matlab/bin/(.*/)?MATLAB. -- gen_context(system_u:object_r:java_exec_t,s0)
++/opt/ibm/java.*/(bin|javaws)(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/local/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/opt/matlab.*/bin.*/MATLAB.* -- gen_context(system_u:object_r:java_exec_t,s0)
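Review bot: The rewritten patterns `/opt/local/matlab.*/bin.*/MATLAB.*` and `/opt/matlab.*/bin.*/MATLAB.*` replace the earlier `(.*/)?MATLAB.` with unanchored `.*` pieces, so `bin.*` now matches any sibling directory that merely starts with `bin` and the trailing `.*` matches further path components below a `MATLAB` prefix, not just a one-character suffix. Since file-context regexes are matched against the whole path, a segment-bounded form such as `/opt/matlab[^/]*/bin[^/]*/MATLAB[^/]*` expresses the apparent intent (version-suffixed directories, a single executable name) without labeling unrelated files java_exec_t. The same consideration applies to the new `/opt/ibm/java.*/(bin|javaws)(/.*)?` line, where `java.*` can cross directory boundaries.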
@@ -4496,7 +4500,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-10 08:53:06.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-15 12:10:17.000000000 -0500
@@ -0,0 +1,279 @@
+
+policy_module(nsplugin, 1.0.0)
@@ -4695,7 +4699,7 @@
+#
+
+allow nsplugin_config_t self:capability { dac_override dac_read_search sys_nice setuid setgid };
-+allow nsplugin_config_t self:process { setsched sigkill getsched execmem };
++allow nsplugin_config_t self:process { setsched signal_perms getsched execmem };
+#execing pulseaudio
+dontaudit nsplugin_t self:process { getcap setcap };
+
@@ -6441,7 +6445,7 @@
+wm_domain_template(user,xdm)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-05 08:46:59.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/corecommands.fc 2008-12-18 09:14:19.000000000 -0500
@@ -129,6 +129,9 @@
/opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
')
@@ -6465,7 +6469,7 @@
/usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -222,8 +223,8 @@
+@@ -222,14 +223,15 @@
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -6476,7 +6480,14 @@
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0)
-@@ -292,3 +293,14 @@
+ /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hplip/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/hwbrowser/hwbrowser -- gen_context(system_u:object_r:bin_t,s0)
+@@ -292,3 +294,14 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
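Review bot: `/usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0)` has no file-type field, so every directory and every file under /usr/share/createrepo — including any data, Python modules or documentation shipped there — becomes bin_t and therefore executable by any domain with corecmd_exec_bin. If the directory also holds non-executable content, listing the scripts individually with the `--` specifier, or at least narrowing to `/usr/share/createrepo/[^/]* --`, keeps bin_t on what actually needs executing. I cannot see the package layout from here, so treat this as a question rather than a confirmed defect.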
@@ -6819,7 +6830,7 @@
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.5.13/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/devices.if 2008-12-17 09:31:56.000000000 -0500
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -8416,7 +8427,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-11-25 09:48:18.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2008-12-12 10:10:49.000000000 -0500
@@ -21,7 +21,7 @@
# Use xattrs for the following filesystem types.
@@ -8447,11 +8458,12 @@
type vxfs_t;
fs_noxattr_type(vxfs_t)
-@@ -241,6 +248,7 @@
+@@ -241,6 +248,8 @@
genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
+genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)
########################################
#
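Review bot: `genfscon dazukofs / gen_context(system_u:object_r:nfs_t,s0)` folds a stackable local filesystem into the nfs_t label used for the network filesystems listed above it, so every rule written for NFS content and the no-xattr handling attached to nfs_t now apply to whatever dazukofs exposes. That may well be the intended shortcut, but nothing in the hunk records why a shared label was chosen over a dedicated type; a one-line comment, e.g. `# dazukofs: presumably no xattr support, labeled like a remote fs -- confirm`, would keep the choice from being read as an accident. The surrounding genfscon block starts before the hunk.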
@@ -13277,17 +13289,21 @@
# Calendar (PCP) local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.5.13/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-11-24 10:49:49.000000000 -0500
-@@ -17,6 +17,8 @@
++++ serefpolicy-3.5.13/policy/modules/services/cron.fc 2008-12-10 10:09:03.000000000 -0500
+@@ -17,9 +17,9 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
+-/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
+-/var/spool/at/[^/]* -- <<none>>
+/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+
- /var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
- /var/spool/at/[^/]* -- <<none>>
-@@ -45,3 +47,8 @@
++/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+
+ /var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
+ #/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
+@@ -45,3 +45,8 @@
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
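Review bot: Replacing the three `/var/spool/at...` entries with `/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)` also drops the `/var/spool/at/[^/]* -- <<none>>` entry, so spooled at jobs that restorecon previously left untouched will now be reset to user_cron_spool_t on any relabel. If the context of a spooled job file is what the daemon uses to choose the job's domain — the cron.if hunk below describes exactly that mechanism for crontabs — a full relabel would collapse every user's at jobs onto one type and change which domain they run in. If a single shared type for at jobs is intended, a comment on the new line saying so would help; if not, the `<<none>>` entry should stay and only the directory lines change type.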
@@ -13298,8 +13314,8 @@
+/var/log/rpmpkgs.* -- gen_context(system_u:object_r:cron_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-11-24 10:49:49.000000000 -0500
-@@ -35,39 +35,24 @@
++++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-12-10 10:11:34.000000000 -0500
+@@ -35,39 +35,25 @@
#
template(`cron_per_role_template',`
gen_require(`
@@ -13307,6 +13323,7 @@
attribute cron_spool_type;
type crond_t, cron_spool_t, crontab_exec_t;
- class dbus send_msg;
++ type crond_var_run_t;
')
+ typealias $1_t alias $1_crond_t;
@@ -13344,7 +13361,7 @@
# The entrypoint interface is not used as this is not
# a regular entrypoint. Since crontab files are
# not directly executed, crond must ensure that
-@@ -75,116 +60,23 @@
+@@ -75,116 +61,23 @@
# for the domain of the user cron job. It
# performs an entrypoint permission check
# for this purpose.
@@ -13468,11 +13485,14 @@
##############################
#
# $1_crontab_t local policy
-@@ -193,10 +85,13 @@
+@@ -192,23 +85,27 @@
+
# dac_override is to create the file in the directory under /tmp
allow $1_crontab_t self:capability { fowner setuid setgid chown dac_override };
- allow $1_crontab_t self:process signal_perms;
+- allow $1_crontab_t self:process signal_perms;
++ allow $1_cronjob_t self:process { signal_perms setsched };
+ allow $1_crontab_t self:fifo_file rw_fifo_file_perms;
++ allow $1_crontab_t crond_t:process signal;
# Transition from the user domain to the derived domain.
domtrans_pattern($2, crontab_exec_t, $1_crontab_t)
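Review bot: `allow $1_cronjob_t self:process { signal_perms setsched };` replaces `allow $1_crontab_t self:process signal_perms;`, so unless it is granted elsewhere $1_crontab_t loses signal permissions on itself while $1_cronjob_t gains them, yet the comment two lines up and the section heading (`$1_crontab_t local policy`) still describe crontab — the domain name looks either mistyped or misplaced. Please confirm which domain was meant; if both are intended, keep the crontab self rule and move the cronjob rule next to the other `$1_cronjob_t` rules. The new `allow $1_crontab_t crond_t:process signal;` also deserves a comment tying it to the crond pid-file read added later in this file, e.g. `# crontab signals crond after a spool change`. The template body continues outside the hunk.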
@@ -13482,7 +13502,12 @@
# crontab shows up in user ps
ps_process_pattern($2, $1_crontab_t)
-@@ -206,9 +101,6 @@
++ init_dontaudit_write_utmp($1_crontab_t)
++ init_read_utmp($1_crontab_t)
++
+ # for ^Z
+ allow $2 $1_crontab_t:process signal;
+
# Allow crond to read those crontabs in cron spool.
allow crond_t $1_cron_spool_t:file manage_file_perms;
@@ -13492,7 +13517,15 @@
# create files in /var/spool/cron
manage_files_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t)
filetrans_pattern($1_crontab_t, cron_spool_t, $1_cron_spool_t,file)
-@@ -227,27 +119,32 @@
+@@ -216,6 +113,7 @@
+
+ # crontab signals crond by updating the mtime on the spooldir
+ allow $1_crontab_t cron_spool_t:dir setattr;
++ read_files_pattern($1_crontab_t, crond_var_run_t,crond_var_run_t)
+
+ kernel_read_system_state($1_crontab_t)
+
+@@ -227,27 +125,33 @@
# Run helper programs as the user domain
corecmd_bin_domtrans($1_crontab_t, $2)
corecmd_shell_domtrans($1_crontab_t, $2)
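Review bot: `read_files_pattern($1_crontab_t, crond_var_run_t,crond_var_run_t)` sits under the comment `# crontab signals crond by updating the mtime on the spooldir`, which explains the setattr rule above it and not a pid-file read, so the new rule is effectively undocumented. A comment of its own, e.g. `# read crond's pid file so crontab can signal it directly`, would match how the neighbouring rules are annotated, and a space after the comma keeps the argument list consistent with the other pattern calls in this template.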
@@ -13510,6 +13543,7 @@
logging_send_syslog_msg($1_crontab_t)
+ logging_send_audit_msgs($1_crontab_t)
++ logging_set_loginuid($1_crontab_t)
miscfiles_read_localization($1_crontab_t)
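Review bot: `logging_set_loginuid($1_crontab_t)` lets the user-invoked crontab program change the audit login UID, a privilege normally reserved for login-type programs because it determines how later audit records are attributed to a user. Nothing in the hunk says why crontab needs to write rather than just read loginuid; if the denial being addressed is only a read of /proc/self/loginuid or is better silenced with a dontaudit, a narrower rule is preferable, and in any case a comment such as `# loginuid write needed because: <reason> -- confirm` should record the justification next to the interface call.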
@@ -13527,7 +13561,7 @@
tunable_policy(`fcron_crond',`
# fcron wants an instant update of a crontab change for the administrator
-@@ -286,14 +183,12 @@
+@@ -286,14 +190,12 @@
template(`cron_admin_template',`
gen_require(`
attribute cron_spool_type;
@@ -13543,7 +13577,7 @@
# Manipulate other users crontab.
selinux_get_fs_mount($1_crontab_t)
selinux_validate_context($1_crontab_t)
-@@ -421,6 +316,24 @@
+@@ -421,6 +323,24 @@
########################################
## <summary>
@@ -13568,7 +13602,7 @@
## Read and write a cron daemon unnamed pipe.
## </summary>
## <param name="domain">
-@@ -439,7 +352,7 @@
+@@ -439,7 +359,7 @@
########################################
## <summary>
@@ -13577,7 +13611,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -447,7 +360,7 @@
+@@ -447,7 +367,7 @@
## </summary>
## </param>
#
@@ -13586,7 +13620,7 @@
gen_require(`
type crond_t;
')
-@@ -559,11 +472,14 @@
+@@ -559,11 +479,14 @@
#
interface(`cron_read_system_job_tmp_files',`
gen_require(`
@@ -13602,7 +13636,7 @@
')
########################################
-@@ -584,3 +500,64 @@
+@@ -584,3 +507,64 @@
dontaudit $1 system_crond_tmp_t:file append;
')
@@ -13943,9 +13977,13 @@
-') dnl end TODO
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-11-24 10:49:49.000000000 -0500
-@@ -8,24 +8,35 @@
- /etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-12-18 10:07:31.000000000 -0500
+@@ -5,27 +5,38 @@
+ /etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+ /etc/cups/lpoptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+-/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++/etc/cups/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/printers\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/etc/cups/subscriptions.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -14141,7 +14179,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.5.13/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-12-05 08:56:59.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/cups.te 2008-12-15 11:14:05.000000000 -0500
@@ -20,9 +20,18 @@
type cupsd_etc_t;
files_config_file(cupsd_etc_t)
@@ -14198,7 +14236,7 @@
dontaudit cupsd_t self:capability { sys_tty_config net_admin };
-allow cupsd_t self:process { setsched signal_perms };
-allow cupsd_t self:fifo_file rw_file_perms;
-+allow cupsd_t self:process { setpgid setsched signal_perms };
++allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
+allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
@@ -14453,17 +14491,20 @@
')
optional_policy(`
-@@ -500,7 +564,8 @@
+@@ -500,7 +564,11 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
-allow hplip_t cupsd_etc_t:dir search;
+allow hplip_t cupsd_etc_t:dir search_dir_perms;
-+allow hplip_t cupsd_tmp_t:file rw_file_perms;
++manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
++manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
++files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })
++
cups_stream_connect(hplip_t)
-@@ -509,6 +574,8 @@
+@@ -509,6 +577,8 @@
read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t)
files_search_etc(hplip_t)
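Review bot: The three new rules give hplip_t manage rights over cupsd_tmp_t directories and files and make its /tmp creations default to cupsd_tmp_t, so hplip now shares a temporary-file type with cupsd: either domain can create, replace or delete files the other reads from /tmp, and a fault or compromise in one reaches the other's working files. If hplip only needs its own scratch space, a dedicated hplip_tmp_t with `files_tmp_file` and its own `files_tmp_filetrans` isolates the two; if cupsd genuinely hands files to hplip, the removed `rw_file_perms` on files was already the narrower grant. A short comment naming the interaction that required the change would help either way. The hplip_t block continues outside the hunk.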
@@ -14472,7 +14513,7 @@
manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t)
files_pid_filetrans(hplip_t, hplip_var_run_t, file)
-@@ -538,7 +605,8 @@
+@@ -538,7 +608,8 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -14482,7 +14523,7 @@
fs_getattr_all_fs(hplip_t)
fs_search_auto_mountpoints(hplip_t)
-@@ -552,6 +620,8 @@
+@@ -552,6 +623,8 @@
files_read_etc_runtime_files(hplip_t)
files_read_usr_files(hplip_t)
@@ -14491,7 +14532,7 @@
libs_use_ld_so(hplip_t)
libs_use_shared_libs(hplip_t)
-@@ -564,12 +634,14 @@
+@@ -564,12 +637,14 @@
userdom_dontaudit_use_unpriv_user_fds(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -14507,7 +14548,7 @@
')
optional_policy(`
-@@ -651,3 +723,44 @@
+@@ -651,3 +726,44 @@
optional_policy(`
udev_read_db(ptal_t)
')
@@ -16623,7 +16664,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-10 09:04:13.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-12 09:32:28.000000000 -0500
@@ -49,6 +49,9 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@@ -16642,7 +16683,15 @@
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
-@@ -280,6 +284,12 @@
+@@ -197,6 +201,7 @@
+ seutil_read_file_contexts(hald_t)
+
+ sysnet_read_config(hald_t)
++sysnet_domtrans_dhcpc(hald_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(hald_t)
+
+@@ -280,6 +285,12 @@
')
optional_policy(`
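Review bot: `sysnet_domtrans_dhcpc(hald_t)` lets hald launch the DHCP client in its own domain without any comment on which callout triggers it, so the transition will look spurious the next time someone audits what hald can start. Grouping rules by module without comments is normal for this file, but a transition into a network-configuring domain is worth one line, e.g. `# hal presumably invokes dhclient on network-device events -- confirm`.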
@@ -16655,7 +16704,7 @@
rpc_search_nfs_state_data(hald_t)
')
-@@ -300,12 +310,20 @@
+@@ -300,12 +311,20 @@
vbetool_domtrans(hald_t)
')
@@ -16677,7 +16726,7 @@
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
-@@ -344,13 +362,22 @@
+@@ -344,13 +363,22 @@
libs_use_ld_so(hald_acl_t)
libs_use_shared_libs(hald_acl_t)
@@ -16700,7 +16749,7 @@
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
allow hald_mac_t hald_t:unix_stream_socket connectto;
-@@ -359,6 +386,8 @@
+@@ -359,6 +387,8 @@
manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_mac_t)
@@ -16709,7 +16758,7 @@
kernel_read_system_state(hald_mac_t)
dev_read_raw_memory(hald_mac_t)
-@@ -366,6 +395,9 @@
+@@ -366,6 +396,9 @@
dev_read_sysfs(hald_mac_t)
files_read_usr_files(hald_mac_t)
@@ -16719,7 +16768,7 @@
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
-@@ -388,6 +420,8 @@
+@@ -388,6 +421,8 @@
manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_sonypic_t)
@@ -16728,7 +16777,7 @@
files_read_usr_files(hald_sonypic_t)
libs_use_ld_so(hald_sonypic_t)
-@@ -408,6 +442,8 @@
+@@ -408,6 +443,8 @@
manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_keymap_t)
@@ -16737,7 +16786,7 @@
dev_rw_input_dev(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
-@@ -419,4 +455,4 @@
+@@ -419,4 +456,4 @@
# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
@@ -17103,14 +17152,29 @@
+files_type(mailscanner_spool_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-11-25 08:45:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2008-12-15 09:22:33.000000000 -0500
@@ -1,4 +1,4 @@
-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
/etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
-@@ -22,7 +22,3 @@
+@@ -9,11 +9,14 @@
+ /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+ ')
+
++/usr/bin/esmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++
+ /usr/lib(64)?/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+ /usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail\.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
++/usr/sbin/ssmtp -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+
+ /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+
+@@ -22,7 +25,3 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
@@ -17443,7 +17507,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-04 16:13:54.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-18 11:33:10.000000000 -0500
@@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)
@@ -17496,7 +17560,7 @@
corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
-@@ -73,30 +82,40 @@
+@@ -73,30 +82,41 @@
corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
@@ -17526,6 +17590,7 @@
libs_use_shared_libs(munin_t)
logging_send_syslog_msg(munin_t)
++logging_read_all_logs(munin_t)
+miscfiles_read_fonts(munin_t)
miscfiles_read_localization(munin_t)
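Review bot: `logging_read_all_logs(munin_t)` grants the monitoring daemon read access to every log type in the policy, including authentication and other security-relevant logs, whereas the neighbouring additions (fonts, localization) are narrowly scoped. If only a few plugins read specific logs, a per-log-type interface or a tunable keeps munin's footprint small; otherwise a comment naming the plugins that need the blanket grant would justify it for future review.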
@@ -17539,7 +17604,7 @@
sysadm_dontaudit_search_home_dirs(munin_t)
optional_policy(`
-@@ -109,7 +128,30 @@
+@@ -109,7 +129,30 @@
')
optional_policy(`
@@ -17571,7 +17636,7 @@
')
optional_policy(`
-@@ -119,3 +161,9 @@
+@@ -119,3 +162,9 @@
optional_policy(`
udev_read_db(munin_t)
')
@@ -20837,7 +20902,7 @@
+#domain_use_interactive_fds(portreserve_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.fc serefpolicy-3.5.13/policy/modules/services/postfix.fc
--- nsaserefpolicy/policy/modules/services/postfix.fc 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/postfix.fc 2008-12-18 11:29:44.000000000 -0500
@@ -29,12 +29,10 @@
/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
@@ -20853,7 +20918,7 @@
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-12-18 11:31:38.000000000 -0500
@@ -211,9 +211,8 @@
type postfix_etc_t;
')
@@ -20901,10 +20966,46 @@
## Execute the master postfix program in the
## postfix_master domain.
## </summary>
-@@ -508,6 +526,25 @@
+@@ -461,10 +479,10 @@
+ #
+ interface(`postfix_search_spool',`
+ gen_require(`
+- type postfix_spool_t;
++ attribute postfix_spool_type;
+ ')
- ########################################
- ## <summary>
+- allow $1 postfix_spool_t:dir search_dir_perms;
++ allow $1 postfix_spool_type:dir search_dir_perms;
+ files_search_spool($1)
+ ')
+
+@@ -480,10 +498,10 @@
+ #
+ interface(`postfix_list_spool',`
+ gen_require(`
+- type postfix_spool_t;
++ attribute postfix_spool_type;
+ ')
+
+- allow $1 postfix_spool_t:dir list_dir_perms;
++ allow $1 postfix_spool_type:dir list_dir_perms;
+ files_search_spool($1)
+ ')
+
+@@ -499,11 +517,30 @@
+ #
+ interface(`postfix_read_spool_files',`
+ gen_require(`
+- type postfix_spool_t;
++ attribute postfix_spool_type;
++ ')
++
++ files_search_spool($1)
++ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
++')
++
++########################################
++## <summary>
+## Manage postfix mail spool files.
+## </summary>
+## <param name="domain">
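Review bot: Switching `postfix_search_spool`, `postfix_list_spool` and `postfix_read_spool_files` from `type postfix_spool_t` to `attribute postfix_spool_type` silently widens every existing caller: per the postfix.te hunks below the attribute also covers postfix_spool_bounce_t, postfix_spool_maildrop_t and postfix_spool_flush_t, so a domain that could previously read only the main spool can now read the maildrop and bounce spools as well. The same widening appears in `postfix_manage_spool_files` in the next hunk, where manage rights over all spool types are handed out. If the broader scope is intended, each interface's `<summary>` should say it covers all postfix spool types; if some callers should stay narrow, keep the postfix_spool_t versions and add separate all-spool variants instead. The interface definitions continue outside the hunk.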
@@ -20915,18 +21016,15 @@
+#
+interface(`postfix_manage_spool_files',`
+ gen_require(`
-+ type postfix_spool_t;
-+ ')
-+
-+ files_search_spool($1)
-+ manage_files_pattern($1, postfix_spool_t, postfix_spool_t)
-+')
-+
-+########################################
-+## <summary>
- ## Execute postfix user mail programs
- ## in their respective domains.
- ## </summary>
++ attribute postfix_spool_type;
+ ')
+
+ files_search_spool($1)
+- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
++ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
+ ')
+
+ ########################################
@@ -524,3 +561,23 @@
typeattribute $1 postfix_user_domtrans;
@@ -20953,8 +21051,8 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-11-25 08:33:46.000000000 -0500
-@@ -6,6 +6,14 @@
++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-12-18 11:30:38.000000000 -0500
+@@ -6,6 +6,15 @@
# Declarations
#
@@ -20966,10 +21064,18 @@
+## </desc>
+gen_tunable(allow_postfix_local_write_mail_spool, false)
+
++attribute postfix_spool_type;
attribute postfix_user_domains;
# domains that transition to the
# postfix user domains
-@@ -19,7 +27,7 @@
+@@ -13,13 +22,13 @@
+
+ postfix_server_domain_template(bounce)
+
+-type postfix_spool_bounce_t;
++type postfix_spool_bounce_t, postfix_spool_type;
+ files_type(postfix_spool_bounce_t)
+
postfix_server_domain_template(cleanup)
type postfix_etc_t;
@@ -20978,7 +21084,7 @@
type postfix_exec_t;
application_executable_file(postfix_exec_t)
-@@ -27,6 +35,12 @@
+@@ -27,6 +36,12 @@
postfix_server_domain_template(local)
mta_mailserver_delivery(postfix_local_t)
@@ -20991,7 +21097,7 @@
type postfix_local_tmp_t;
files_tmp_file(postfix_local_tmp_t)
-@@ -34,6 +48,7 @@
+@@ -34,6 +49,7 @@
type postfix_map_t;
type postfix_map_exec_t;
application_domain(postfix_map_t, postfix_map_exec_t)
@@ -20999,7 +21105,24 @@
type postfix_map_tmp_t;
files_tmp_file(postfix_map_tmp_t)
-@@ -103,6 +118,7 @@
+@@ -68,13 +84,13 @@
+
+ postfix_server_domain_template(smtpd)
+
+-type postfix_spool_t;
++type postfix_spool_t, postfix_spool_type;
+ files_type(postfix_spool_t)
+
+-type postfix_spool_maildrop_t;
++type postfix_spool_maildrop_t, postfix_spool_type;
+ files_type(postfix_spool_maildrop_t)
+
+-type postfix_spool_flush_t;
++type postfix_spool_flush_t, postfix_spool_type;
+ files_type(postfix_spool_flush_t)
+
+ type postfix_public_t;
+@@ -103,6 +119,7 @@
allow postfix_master_t self:fifo_file rw_fifo_file_perms;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
allow postfix_master_t self:udp_socket create_socket_perms;
@@ -21007,7 +21130,7 @@
allow postfix_master_t postfix_etc_t:file rw_file_perms;
-@@ -142,6 +158,7 @@
+@@ -142,6 +159,7 @@
delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
@@ -21015,7 +21138,7 @@
kernel_read_all_sysctls(postfix_master_t)
-@@ -170,6 +187,8 @@
+@@ -170,6 +188,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
@@ -21024,7 +21147,7 @@
term_dontaudit_search_ptys(postfix_master_t)
-@@ -181,15 +200,14 @@
+@@ -181,15 +201,14 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -21044,7 +21167,7 @@
')
optional_policy(`
-@@ -202,9 +220,29 @@
+@@ -202,9 +221,29 @@
')
optional_policy(`
@@ -21074,7 +21197,7 @@
########################################
#
# Postfix bounce local policy
-@@ -245,6 +283,10 @@
+@@ -245,6 +284,10 @@
corecmd_exec_bin(postfix_cleanup_t)
@@ -21085,7 +21208,7 @@
########################################
#
# Postfix local local policy
-@@ -270,18 +312,25 @@
+@@ -270,18 +313,25 @@
files_read_etc_files(postfix_local_t)
@@ -21111,7 +21234,7 @@
')
optional_policy(`
-@@ -292,8 +341,7 @@
+@@ -292,8 +342,7 @@
#
# Postfix map local policy
#
@@ -21121,7 +21244,7 @@
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -343,8 +391,6 @@
+@@ -343,8 +392,6 @@
miscfiles_read_localization(postfix_map_t)
@@ -21130,7 +21253,7 @@
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -357,6 +403,11 @@
+@@ -357,6 +404,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -21142,7 +21265,7 @@
########################################
#
# Postfix pickup local policy
-@@ -381,6 +432,7 @@
+@@ -381,6 +433,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -21150,7 +21273,7 @@
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -388,6 +440,12 @@
+@@ -388,6 +441,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -21163,7 +21286,7 @@
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -397,6 +455,15 @@
+@@ -397,6 +456,15 @@
')
optional_policy(`
@@ -21179,7 +21302,7 @@
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -433,8 +500,11 @@
+@@ -433,8 +501,11 @@
')
optional_policy(`
@@ -21193,7 +21316,7 @@
')
#######################################
-@@ -460,6 +530,15 @@
+@@ -460,6 +531,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -21209,7 +21332,7 @@
########################################
#
# Postfix qmgr local policy
-@@ -540,9 +619,18 @@
+@@ -540,9 +620,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -21228,7 +21351,7 @@
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -569,7 +657,7 @@
+@@ -569,7 +658,7 @@
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
@@ -23672,7 +23795,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-08 15:15:16.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-15 12:24:35.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -23725,7 +23848,7 @@
# Samba net local policy
#
-
-+allow samba_net_t self:capability { dac_read_search dac_override };
++allow samba_net_t self:capability { sys_nice dac_read_search dac_override };
+allow samba_net_t self:process { getsched setsched };
allow samba_net_t self:unix_dgram_socket create_socket_perms;
allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
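Review bot: `sys_nice` is a new kernel capability for samba_net_t, and CAP_SYS_NICE covers changing the priority and scheduling policy of other processes, not only the domain's own; the same grant is made to winbind_t in the hunk at `@@ -24000,16 +24134,18 @@` below, where `setsched` is added alongside it. If the trigger was an audit denial from a best-effort setpriority()/sched_setscheduler() call, `dontaudit samba_net_t self:capability sys_nice;` would quiet the log without widening the domain. If the capability is genuinely required, a one-line comment above the allow rule naming the operation that needs it would save the next reviewer from re-deriving this.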
@@ -23744,15 +23867,18 @@
corenet_all_recvfrom_unlabeled(samba_net_t)
corenet_all_recvfrom_netlabel(samba_net_t)
-@@ -190,6 +205,7 @@
+@@ -190,8 +205,10 @@
domain_use_interactive_fds(samba_net_t)
files_read_etc_files(samba_net_t)
+files_read_usr_symlinks(samba_net_t)
auth_use_nsswitch(samba_net_t)
++auth_read_cache(samba_net_t)
-@@ -200,7 +216,14 @@
+ libs_use_ld_so(samba_net_t)
+ libs_use_shared_libs(samba_net_t)
+@@ -200,7 +217,14 @@
miscfiles_read_localization(samba_net_t)
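Review bot: `auth_read_cache(samba_net_t)` grants read access to everything labelled auth_cache_t, and the winbind hunk at `@@ -24022,7 +24158,12 @@` goes further with `auth_rw_cache(winbind_t)`; elsewhere in this commit the same type is applied to `/var/cache/coolkey(/.*)?`, so both domains now share a cache type with unrelated authentication components. If samba and winbind only need their own cache directory, a dedicated type would keep them from reading, or for winbind writing, other modules' cached authentication data. A comment naming which auth_cache_t files these rules are for would at least document the intent.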
@@ -23767,7 +23893,7 @@
optional_policy(`
kerberos_use(samba_net_t)
-@@ -210,7 +233,7 @@
+@@ -210,7 +234,7 @@
#
# smbd Local policy
#
@@ -23776,7 +23902,7 @@
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -228,10 +251,8 @@
+@@ -228,10 +252,8 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@@ -23788,7 +23914,7 @@
allow smbd_t samba_net_tmp_t:file getattr;
-@@ -241,6 +262,7 @@
+@@ -241,6 +263,7 @@
manage_dirs_pattern(smbd_t, samba_share_t, samba_share_t)
manage_files_pattern(smbd_t, samba_share_t, samba_share_t)
manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
@@ -23796,7 +23922,7 @@
manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-@@ -258,7 +280,7 @@
+@@ -258,7 +281,7 @@
manage_sock_files_pattern(smbd_t, smbd_var_run_t, smbd_var_run_t)
files_pid_filetrans(smbd_t, smbd_var_run_t, file)
@@ -23805,7 +23931,15 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -314,20 +336,24 @@
+@@ -300,6 +323,7 @@
+
+ auth_use_nsswitch(smbd_t)
+ auth_domtrans_chk_passwd(smbd_t)
++auth_domtrans_upd_passwd(smbd_t)
+
+ domain_use_interactive_fds(smbd_t)
+ domain_dontaudit_list_all_domains_state(smbd_t)
+@@ -314,20 +338,24 @@
init_rw_utmp(smbd_t)
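Review bot: `auth_domtrans_upd_passwd(smbd_t)` lets the network-facing smbd domain transition into the password-update helper domain, on top of the `auth_domtrans_chk_passwd(smbd_t)` it already had, which is a meaningful widening for a daemon that accepts untrusted connections. If this backs an optional Samba feature (synchronising passwords with local accounts, presumably), wrapping it in a tunable so the default smbd domain stays narrower would be preferable, and in any case a comment above the line stating what needs it would help. The enclosing policy block begins outside this hunk.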
@@ -23833,7 +23967,7 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -348,6 +374,25 @@
+@@ -348,6 +376,25 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -23859,7 +23993,7 @@
')
optional_policy(`
-@@ -360,6 +405,11 @@
+@@ -360,6 +407,11 @@
')
optional_policy(`
@@ -23871,7 +24005,7 @@
rpc_search_nfs_state_data(smbd_t)
')
-@@ -379,8 +429,10 @@
+@@ -379,8 +431,10 @@
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
@@ -23882,7 +24016,7 @@
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -452,6 +504,7 @@
+@@ -452,6 +506,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -23890,7 +24024,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -536,6 +589,7 @@
+@@ -536,6 +591,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -23898,7 +24032,7 @@
corecmd_list_bin(smbmount_t)
-@@ -547,32 +601,46 @@
+@@ -547,32 +603,46 @@
auth_use_nsswitch(smbmount_t)
@@ -23951,7 +24085,7 @@
rw_files_pattern(swat_t, samba_etc_t, samba_etc_t)
-@@ -592,6 +660,9 @@
+@@ -592,6 +662,9 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -23961,7 +24095,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -616,10 +687,12 @@
+@@ -616,10 +689,12 @@
dev_read_urand(swat_t)
@@ -23974,7 +24108,7 @@
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -628,6 +701,7 @@
+@@ -628,6 +703,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -23982,7 +24116,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -645,6 +719,17 @@
+@@ -645,15 +721,26 @@
kerberos_use(swat_t)
')
@@ -24000,16 +24134,18 @@
########################################
#
# Winbind local policy
-@@ -653,7 +738,7 @@
+ #
+
- allow winbind_t self:capability { dac_override ipc_lock setuid };
+-allow winbind_t self:capability { dac_override ipc_lock setuid };
++allow winbind_t self:capability { sys_nice dac_override ipc_lock setuid };
dontaudit winbind_t self:capability sys_tty_config;
-allow winbind_t self:process signal_perms;
-+allow winbind_t self:process { signal_perms getsched };
++allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
-@@ -694,9 +779,10 @@
+@@ -694,9 +781,10 @@
manage_sock_files_pattern(winbind_t, winbind_var_run_t, winbind_var_run_t)
files_pid_filetrans(winbind_t, winbind_var_run_t, file)
@@ -24022,7 +24158,12 @@
corenet_all_recvfrom_unlabeled(winbind_t)
corenet_all_recvfrom_netlabel(winbind_t)
-@@ -724,6 +810,7 @@
+@@ -720,10 +808,12 @@
+
+ auth_domtrans_chk_passwd(winbind_t)
+ auth_use_nsswitch(winbind_t)
++auth_rw_cache(winbind_t)
+
domain_use_interactive_fds(winbind_t)
files_read_etc_files(winbind_t)
@@ -24030,7 +24171,7 @@
libs_use_ld_so(winbind_t)
libs_use_shared_libs(winbind_t)
-@@ -780,8 +867,13 @@
+@@ -780,8 +870,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@@ -24044,7 +24185,7 @@
')
########################################
-@@ -790,6 +882,16 @@
+@@ -790,6 +885,16 @@
#
optional_policy(`
@@ -24061,7 +24202,7 @@
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -800,9 +902,46 @@
+@@ -800,9 +905,46 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -24629,7 +24770,7 @@
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.5.13/policy/modules/services/snmp.fc
--- nsaserefpolicy/policy/modules/services/snmp.fc 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/snmp.fc 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/snmp.fc 2008-12-18 09:13:48.000000000 -0500
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/snmpd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/snmptrapd -- gen_context(system_u:object_r:snmp_initrc_exec_t,s0)
@@ -24645,6 +24786,13 @@
/var/lib/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
/var/lib/snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+@@ -15,5 +19,5 @@
+
+ /var/net-snmp(/.*) gen_context(system_u:object_r:snmpd_var_lib_t,s0)
+
+-/var/run/snmpd -d gen_context(system_u:object_r:snmpd_var_run_t,s0)
++/var/run/snmpd(/.*)? gen_context(system_u:object_r:snmpd_var_run_t,s0)
+ /var/run/snmpd\.pid -- gen_context(system_u:object_r:snmpd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.if serefpolicy-3.5.13/policy/modules/services/snmp.if
--- nsaserefpolicy/policy/modules/services/snmp.if 2008-10-17 08:49:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/snmp.if 2008-11-24 10:49:49.000000000 -0500
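Review bot: `/var/net-snmp(/.*)` in this hunk has no trailing `?`, unlike the new `/var/run/snmpd(/.*)?` line below it, so the `/var/net-snmp` directory itself never matches that entry and only its contents get snmpd_var_lib_t. It is context rather than new code, but since the commit is already reworking the run-directory pattern, `/var/net-snmp(/.*)? gen_context(system_u:object_r:snmpd_var_lib_t,s0)` would make the two entries consistent. Dropping the `-d` flag on the `/var/run/snmpd` line is fine given the regex now also covers the directory's contents.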
@@ -25769,7 +25917,7 @@
/etc/ssh/ssh_host_key -- gen_context(system_u:object_r:sshd_key_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.13/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-05 11:39:29.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ssh.if 2008-12-18 10:02:59.000000000 -0500
@@ -36,6 +36,7 @@
gen_require(`
attribute ssh_server;
@@ -25895,16 +26043,17 @@
# Allow the ssh program to communicate with ssh-agent.
stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-@@ -254,6 +249,8 @@
+@@ -254,6 +249,9 @@
userdom_use_unpriv_users_fds($1_ssh_t)
userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
userdom_search_user_home_dirs($1,$1_ssh_t)
+ userdom_write_user_tmp_sockets(user,$1_ssh_t)
++ userdom_read_user_home_content_symlinks($1_ssh_t)
+
# Write to the user domain tty.
userdom_use_user_terminals($1,$1_ssh_t)
# needs to read krb tgt
-@@ -279,24 +276,14 @@
+@@ -279,24 +277,15 @@
# for port forwarding
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_ssh_port($1_ssh_t)
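Review bot: `userdom_read_user_home_content_symlinks($1_ssh_t)` is called with a single argument, while the neighbouring userdom calls in this hunk (`userdom_search_user_home_dirs($1,$1_ssh_t)`, `userdom_use_user_terminals($1,$1_ssh_t)`) pass the user prefix first; if this interface also takes the prefix in 3.5.13, the call will expand with an empty first argument, so the signature is worth confirming against userdom.if. The pre-existing `userdom_write_user_tmp_sockets(user,$1_ssh_t)` line above it hard-codes `user` inside a template that is otherwise parameterised on `$1`, which looks like the same class of slip. The template body continues outside this hunk.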
@@ -25915,6 +26064,7 @@
- xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
+# xserver_user_x_domain_template($1, $1_ssh, $1_ssh_t, $1_ssh_tmpfs_t)
xserver_domtrans_user_xauth($1, $1_ssh_t)
++ xserver_stream_connect_xdm_xserver($1_ssh_t)
')
- ifdef(`TODO',`
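Review bot: `xserver_stream_connect_xdm_xserver($1_ssh_t)` lets every user's ssh client domain connect directly to the xdm-managed X server socket, and it sits in a block where the `xserver_user_x_domain_template` line just above has been commented out rather than removed. A short comment stating what the direct connection is for (X11 forwarding, presumably) would document the intent, and deleting the commented-out template line instead of leaving it behind a `#` would stop a reader from assuming it is still pending. The enclosing block begins outside this hunk.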
@@ -25931,7 +26081,7 @@
##############################
#
# $1_ssh_agent_t local policy
-@@ -381,12 +368,9 @@
+@@ -381,12 +370,9 @@
optional_policy(`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
@@ -25945,7 +26095,7 @@
##############################
#
# $1_ssh_keysign_t local policy
-@@ -413,6 +397,25 @@
+@@ -413,6 +399,25 @@
')
')
@@ -25971,7 +26121,7 @@
#######################################
## <summary>
## The template to define a ssh server.
-@@ -443,13 +446,14 @@
+@@ -443,13 +448,14 @@
type $1_var_run_t;
files_pid_file($1_var_run_t)
@@ -25987,7 +26137,7 @@
allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
term_create_pty($1_t,$1_devpts_t)
-@@ -478,7 +482,12 @@
+@@ -478,7 +484,12 @@
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
corenet_tcp_connect_all_ports($1_t)
@@ -26000,7 +26150,7 @@
fs_dontaudit_getattr_all_fs($1_t)
-@@ -506,9 +515,14 @@
+@@ -506,9 +517,14 @@
userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
userdom_search_all_users_home_dirs($1_t)
@@ -26015,7 +26165,7 @@
')
tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +531,7 @@
+@@ -517,11 +533,7 @@
optional_policy(`
kerberos_use($1_t)
@@ -26028,7 +26178,7 @@
')
optional_policy(`
-@@ -710,3 +720,22 @@
+@@ -710,3 +722,22 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -26820,7 +26970,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-12-02 15:46:34.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-12-15 12:15:34.000000000 -0500
@@ -16,6 +16,7 @@
gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -28848,7 +28998,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.5.13/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-12-08 15:05:47.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/authlogin.if 2008-12-15 12:01:46.000000000 -0500
@@ -56,10 +56,6 @@
miscfiles_read_localization($1_chkpwd_t)
@@ -30023,7 +30173,7 @@
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-09 10:22:43.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-15 11:28:03.000000000 -0500
@@ -60,12 +60,15 @@
#
# /opt
@@ -30147,7 +30297,7 @@
') dnl end distro_redhat
#
-@@ -310,3 +332,21 @@
+@@ -310,3 +332,20 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -30164,9 +30314,8 @@
+
+/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
-+/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib(64)?/i686/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te
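Review bot: `/usr/lib(64)?/i686/.*\.so.*` labels every shared object under that directory textrel_shlib_t, which exempts all of them, including any installed later, from the text-relocation restriction that textrel_shlib_t exists to relax for specific libraries; the `sse2` line above it has the same breadth, whereas the removed `libav.*` entries named the libraries concerned. If only particular libraries under i686 carry text relocations, naming them (as the libmpeg2 line in this hunk does) keeps the exemption narrow. If the whole directory is intentionally covered, a comment above the two lines saying why would make that a deliberate choice rather than a convenience.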
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.762
retrieving revision 1.763
diff -u -r1.762 -r1.763
--- selinux-policy.spec 9 Dec 2008 21:04:52 -0000 1.762
+++ selinux-policy.spec 18 Dec 2008 19:45:36 -0000 1.763
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 34%{?dist}
+Release: 35%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -459,6 +459,9 @@
%endif
%changelog
+* Tue Dec 9 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-35
+- Allow staff_t to execute at jobs
+
* Tue Dec 9 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-34
- Allow semanage to send signals to itself