rpms/selinux-policy/F-10 policy-20080710.patch, 1.116, 1.117 selinux-policy.spec, 1.763, 1.764
Daniel J Walsh
dwalsh at fedoraproject.org
Sat Dec 27 13:05:47 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv588
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
* Sat Dec 27 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-37
- Allow sshd to use inotify
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- policy-20080710.patch 18 Dec 2008 21:00:56 -0000 1.116
+++ policy-20080710.patch 27 Dec 2008 13:05:44 -0000 1.117
@@ -5471,7 +5471,7 @@
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te
--- nsaserefpolicy/policy/modules/apps/qemu.te 2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te 2008-12-23 11:35:12.000000000 -0500
@@ -6,6 +6,9 @@
# Declarations
#
@@ -5482,12 +5482,19 @@
## <desc>
## <p>
## Allow qemu to connect fully to the network
-@@ -13,16 +16,102 @@
+@@ -13,16 +16,109 @@
## </desc>
gen_tunable(qemu_full_network, false)
+## <desc>
+## <p>
++## Allow qemu to use cifs/Samba file systems
++## </p>
++## </desc>
++gen_tunable(qemu_use_cifs, true)
++
++## <desc>
++## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
@@ -5495,10 +5502,10 @@
+
+## <desc>
+## <p>
-+## Allow qemu to use cifs/Samba file systems
++## Allow qemu to use usb devices
+## </p>
+## </desc>
-+gen_tunable(qemu_use_cifs, true)
++gen_tunable(qemu_use_usb, true)
+
type qemu_exec_t;
qemu_domain_template(qemu)
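Review bot: The description `## Allow qemu to use usb devices` undersells what `qemu_use_usb` grants: the matching tunable_policy block in the next hunk also calls fs_manage_dos_dirs and fs_manage_dos_files, so turning the boolean on gives qemu write access to every vfat/msdos mount, not just usbfs. Suggest `## Allow qemu to use usb devices and manage vfat (DOS) file systems` so an administrator reading the boolean list sees the full grant. The tunable also defaults to `true`, which switches that access on for every qemu instance out of the box; if USB passthrough is not the common case, `gen_tunable(qemu_use_usb, false)` would keep the default least-privilege, as qemu_full_network already does.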
@@ -5585,16 +5592,24 @@
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
-@@ -35,6 +124,30 @@
+@@ -35,6 +131,38 @@
corenet_tcp_connect_all_ports(qemu_t)
')
++tunable_policy(`qemu_use_cifs',`
++ fs_manage_cifs_dirs(qemu_t)
++ fs_manage_cifs_files(qemu_t)
++')
++
+tunable_policy(`qemu_use_nfs',`
++ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
-+tunable_policy(`qemu_use_cifs',`
-+ fs_manage_cifs_dirs(qemu_t)
++tunable_policy(`qemu_use_usb',`
++ dev_rw_usbfs(qemu_t)
++ fs_manage_dos_dirs(qemu_t)
++ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
@@ -6571,7 +6586,7 @@
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-08 15:25:33.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-19 17:15:39.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(corenetwork, 1.10.0)
@@ -6593,7 +6608,7 @@
network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
-@@ -79,26 +82,31 @@
+@@ -79,26 +82,33 @@
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -6606,9 +6621,11 @@
+portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
++network_port(dccm, tcp,5679,s0, udp,5679,s0)
network_port(dbskkd, tcp,1178,s0)
- network_port(dhcpc, udp,68,s0)
+-network_port(dhcpc, udp,68,s0)
-network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
++network_port(dhcpc, udp,68,s0, tcp,68,s0)
+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
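Review bot: `network_port(dhcpc, udp,68,s0, tcp,68,s0)` now labels tcp port 68 as dhcpc_port_t, but nothing in this commit binds it: the new hald_dccm_t rules use only corenet_udp_bind_dhcpc_port, and the ftps and dccm ports they do bind over tcp are declared separately in this hunk. Unless another domain needs tcp 68, the extra entry only widens what any domain already permitted to bind or connect to dhcpc_port_t over tcp may touch. A short comment naming the consumer, e.g. `# tcp 68: needed by <consumer> — confirm`, or dropping the tcp entry, would make the intent clear.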
@@ -6618,6 +6635,7 @@
+network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
++network_port(ftps, tcp,990,s0, udp,990,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
network_port(giftd, tcp,1213,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
@@ -6626,7 +6644,7 @@
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
-@@ -109,6 +117,7 @@
+@@ -109,6 +119,7 @@
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
network_port(ircd, tcp,6667,s0)
@@ -6634,7 +6652,7 @@
network_port(isakmp, udp,500,s0)
network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
-@@ -117,6 +126,8 @@
+@@ -117,6 +128,8 @@
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -6643,7 +6661,7 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -126,6 +137,7 @@
+@@ -126,6 +139,7 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -6651,7 +6669,7 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-@@ -136,12 +148,21 @@
+@@ -136,12 +150,21 @@
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
@@ -6673,7 +6691,7 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -159,9 +180,11 @@
+@@ -159,9 +182,11 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -6686,7 +6704,7 @@
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -170,14 +193,17 @@
+@@ -170,14 +195,17 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -8469,7 +8487,7 @@
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.5.13/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/kernel/kernel.if 2008-12-19 17:00:37.000000000 -0500
@@ -1198,6 +1198,7 @@
')
@@ -11171,7 +11189,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-12-08 16:48:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-12-27 07:05:53.000000000 -0500
@@ -20,6 +20,8 @@
# Declarations
#
@@ -13012,7 +13030,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.5.13/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/clamav.te 2008-12-22 14:30:16.000000000 -0500
@@ -13,7 +13,10 @@
# configuration files
@@ -13977,7 +13995,7 @@
-') dnl end TODO
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.5.13/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-12-18 10:07:31.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/cups.fc 2008-12-19 11:43:08.000000000 -0500
@@ -5,27 +5,38 @@
/etc/cups/classes\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/cupsd\.conf.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -14030,19 +14048,20 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -43,10 +54,18 @@
+@@ -43,10 +54,19 @@
/var/lib/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/log/cups(/.*)? gen_context(system_u:object_r:cupsd_log_t,s0)
-/var/log/turboprint_cups\.log.* -- gen_context(system_u:object_r:cupsd_log_t,s0)
+/var/log/turboprint.* gen_context(system_u:object_r:cupsd_log_t,s0)
- /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+/var/ccpd(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+ /var/run/cups(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
/var/run/hp.*\.pid -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
++/var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_var_run_t,s0)
+
+/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
+/usr/local/Printer/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -16598,8 +16617,13 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-3.5.13/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-11-24 10:49:49.000000000 -0500
-@@ -9,6 +9,7 @@
++++ serefpolicy-3.5.13/policy/modules/services/hal.fc 2008-12-19 17:07:45.000000000 -0500
+@@ -5,10 +5,12 @@
+ /usr/bin/hal-setup-keymap -- gen_context(system_u:object_r:hald_keymap_exec_t,s0)
+
+ /usr/libexec/hal-acl-tool -- gen_context(system_u:object_r:hald_acl_exec_t,s0)
++/usr/libexec/hal-dccm -- gen_context(system_u:object_r:hald_dccm_exec_t,s0)
+ /usr/libexec/hal-hotplug-map -- gen_context(system_u:object_r:hald_exec_t,s0)
/usr/libexec/hal-system-sonypic -- gen_context(system_u:object_r:hald_sonypic_exec_t,s0)
/usr/libexec/hald-addon-macbookpro-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
/usr/libexec/hald-addon-macbook-backlight -- gen_context(system_u:object_r:hald_mac_exec_t,s0)
@@ -16607,7 +16631,7 @@
/usr/sbin/hald -- gen_context(system_u:object_r:hald_exec_t,s0)
-@@ -17,7 +18,7 @@
+@@ -17,7 +19,7 @@
/var/lib/hal(/.*)? gen_context(system_u:object_r:hald_var_lib_t,s0)
/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
@@ -16664,18 +16688,24 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-12 09:32:28.000000000 -0500
-@@ -49,6 +49,9 @@
++++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-12-19 17:16:31.000000000 -0500
+@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
+typealias hald_log_t alias pmtools_log_t;
+typealias hald_var_run_t alias pmtools_var_run_t;
+
++type hald_dccm_t;
++type hald_dccm_exec_t;
++domain_type(hald_dccm_t)
++domain_entry_file(hald_dccm_t, hald_dccm_exec_t)
++role system_r types hald_dccm_t;
++
########################################
#
# Local policy
-@@ -143,6 +146,7 @@
+@@ -143,6 +152,7 @@
files_getattr_all_dirs(hald_t)
files_read_kernel_img(hald_t)
files_rw_lock_dirs(hald_t)
@@ -16683,7 +16713,7 @@
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
-@@ -197,6 +201,7 @@
+@@ -197,6 +207,7 @@
seutil_read_file_contexts(hald_t)
sysnet_read_config(hald_t)
@@ -16691,7 +16721,7 @@
userdom_dontaudit_use_unpriv_user_fds(hald_t)
-@@ -280,6 +285,12 @@
+@@ -280,6 +291,12 @@
')
optional_policy(`
@@ -16704,7 +16734,7 @@
rpc_search_nfs_state_data(hald_t)
')
-@@ -300,12 +311,20 @@
+@@ -300,12 +317,20 @@
vbetool_domtrans(hald_t)
')
@@ -16726,7 +16756,7 @@
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
-@@ -344,13 +363,22 @@
+@@ -344,13 +369,22 @@
libs_use_ld_so(hald_acl_t)
libs_use_shared_libs(hald_acl_t)
@@ -16749,7 +16779,7 @@
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
allow hald_mac_t hald_t:unix_stream_socket connectto;
-@@ -359,6 +387,8 @@
+@@ -359,6 +393,8 @@
manage_files_pattern(hald_mac_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_mac_t)
@@ -16758,7 +16788,7 @@
kernel_read_system_state(hald_mac_t)
dev_read_raw_memory(hald_mac_t)
-@@ -366,6 +396,9 @@
+@@ -366,6 +402,9 @@
dev_read_sysfs(hald_mac_t)
files_read_usr_files(hald_mac_t)
@@ -16768,7 +16798,7 @@
libs_use_ld_so(hald_mac_t)
libs_use_shared_libs(hald_mac_t)
-@@ -388,6 +421,8 @@
+@@ -388,6 +427,8 @@
manage_files_pattern(hald_sonypic_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_sonypic_t)
@@ -16777,7 +16807,7 @@
files_read_usr_files(hald_sonypic_t)
libs_use_ld_so(hald_sonypic_t)
-@@ -408,6 +443,8 @@
+@@ -408,6 +449,8 @@
manage_files_pattern(hald_keymap_t, hald_var_lib_t, hald_var_lib_t)
files_search_var_lib(hald_keymap_t)
@@ -16786,12 +16816,58 @@
dev_rw_input_dev(hald_keymap_t)
files_read_usr_files(hald_keymap_t)
-@@ -419,4 +456,4 @@
+@@ -419,4 +462,50 @@
# This is caused by a bug in hald and PolicyKit.
# Should be removed when this is fixed
-#cron_read_system_job_lib_files(hald_t)
+cron_read_system_job_lib_files(hald_t)
++
++########################################
++#
++# Local hald dccm policy
++#
++allow hald_dccm_t self:capability { net_bind_service };
++allow hald_dccm_t self:process getsched;
++
++allow hald_dccm_t self:tcp_socket create_stream_socket_perms;
++allow hald_dccm_t self:udp_socket create_socket_perms;
++allow hald_dccm_t self:netlink_route_socket rw_netlink_socket_perms;
++
++domtrans_pattern(hald_t, hald_dccm_exec_t, hald_dccm_t)
++allow hald_t hald_dccm_t:process signal;
++allow hald_dccm_t hald_t:unix_stream_socket connectto;
++
++corenet_all_recvfrom_unlabeled(hald_dccm_t)
++corenet_all_recvfrom_netlabel(hald_dccm_t)
++corenet_tcp_sendrecv_all_if(hald_dccm_t)
++corenet_udp_sendrecv_all_if(hald_dccm_t)
++corenet_tcp_sendrecv_all_nodes(hald_dccm_t)
++corenet_udp_sendrecv_all_nodes(hald_dccm_t)
++corenet_tcp_sendrecv_all_ports(hald_dccm_t)
++corenet_udp_sendrecv_all_ports(hald_dccm_t)
++corenet_tcp_bind_all_nodes(hald_dccm_t)
++corenet_udp_bind_all_nodes(hald_dccm_t)
++corenet_udp_bind_dhcpc_port(hald_dccm_t)
++corenet_tcp_bind_ftps_port(hald_dccm_t)
++corenet_tcp_bind_dccm_port(hald_dccm_t)
++
++kernel_search_network_sysctl(hald_dccm_t)
++
++manage_dirs_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
++manage_files_pattern(hald_dccm_t, hald_var_lib_t, hald_var_lib_t)
++files_search_var_lib(hald_dccm_t)
++
++write_files_pattern(hald_dccm_t, hald_log_t, hald_log_t)
++
++files_read_usr_files(hald_dccm_t)
++
++libs_use_ld_so(hald_dccm_t)
++libs_use_shared_libs(hald_dccm_t)
++
++miscfiles_read_localization(hald_dccm_t)
++
++permissive hald_dccm_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.5.13/policy/modules/services/inetd.fc
--- nsaserefpolicy/policy/modules/services/inetd.fc 2008-10-17 08:49:13.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/inetd.fc 2008-11-24 10:49:49.000000000 -0500
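Review bot: `permissive hald_dccm_t;` at the end of the new block means none of the rules above it are enforced: denials for hald_dccm_t are only logged, so the domain ships effectively unconfined. That is a normal bring-up step, but it needs a marker so it is not forgotten; suggest `# TODO: remove permissive once hald_dccm_t denials have been worked out` next to it, and the changelog entry "Add hal_dccm policy" should say the domain is permissive. The port set is otherwise reasonably tight (the dccm, ftps and udp dhcpc ports only), though corenet_tcp_sendrecv_all_ports/corenet_udp_sendrecv_all_ports plus the net_bind_service capability remain broad for a device-sync helper and are worth revisiting when the permissive line comes out.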
@@ -17507,7 +17583,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.5.13/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-18 11:33:10.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/munin.te 2008-12-27 07:23:36.000000000 -0500
@@ -13,6 +13,9 @@
type munin_etc_t alias lrrd_etc_t;
files_config_file(munin_etc_t)
@@ -17604,7 +17680,7 @@
sysadm_dontaudit_search_home_dirs(munin_t)
optional_policy(`
-@@ -109,7 +129,30 @@
+@@ -109,7 +129,31 @@
')
optional_policy(`
@@ -17625,6 +17701,7 @@
+
+optional_policy(`
+ postfix_list_spool(munin_t)
++ postfix_getattr_spool_files(munin_t)
+')
+
+optional_policy(`
@@ -17636,7 +17713,7 @@
')
optional_policy(`
-@@ -119,3 +162,9 @@
+@@ -119,3 +163,9 @@
optional_policy(`
udev_read_db(munin_t)
')
@@ -20918,7 +20995,7 @@
/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.5.13/policy/modules/services/postfix.if
--- nsaserefpolicy/policy/modules/services/postfix.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-12-18 11:31:38.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/postfix.if 2008-12-27 07:22:46.000000000 -0500
@@ -211,9 +211,8 @@
type postfix_etc_t;
')
@@ -20979,28 +21056,49 @@
files_search_spool($1)
')
-@@ -480,10 +498,10 @@
+@@ -480,11 +498,30 @@
#
interface(`postfix_list_spool',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
++ ')
++
++ allow $1 postfix_spool_type:dir list_dir_perms;
++ files_search_spool($1)
++')
++
++########################################
++## <summary>
++## Getattr postfix mail spool files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_getattr_spool_files',`
++ gen_require(`
++ attribute postfix_spool_type;
')
- allow $1 postfix_spool_t:dir list_dir_perms;
-+ allow $1 postfix_spool_type:dir list_dir_perms;
files_search_spool($1)
++ getattr_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
-@@ -499,11 +517,30 @@
+ ########################################
+@@ -499,11 +536,30 @@
#
interface(`postfix_read_spool_files',`
gen_require(`
- type postfix_spool_t;
+ attribute postfix_spool_type;
-+ ')
-+
-+ files_search_spool($1)
+ ')
+
+ files_search_spool($1)
+- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
+ read_files_pattern($1, postfix_spool_type, postfix_spool_type)
+')
+
@@ -21017,15 +21115,14 @@
+interface(`postfix_manage_spool_files',`
+ gen_require(`
+ attribute postfix_spool_type;
- ')
-
- files_search_spool($1)
-- read_files_pattern($1, postfix_spool_t, postfix_spool_t)
++ ')
++
++ files_search_spool($1)
+ manage_files_pattern($1, postfix_spool_type, postfix_spool_type)
')
########################################
-@@ -524,3 +561,23 @@
+@@ -524,3 +580,23 @@
typeattribute $1 postfix_user_domtrans;
')
@@ -21051,7 +21148,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-12-18 11:30:38.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-12-22 10:48:25.000000000 -0500
@@ -6,6 +6,15 @@
# Declarations
#
@@ -21138,7 +21235,17 @@
kernel_read_all_sysctls(postfix_master_t)
-@@ -170,6 +188,8 @@
+@@ -153,6 +171,9 @@
+ corenet_udp_sendrecv_all_nodes(postfix_master_t)
+ corenet_tcp_sendrecv_all_ports(postfix_master_t)
+ corenet_udp_sendrecv_all_ports(postfix_master_t)
++corenet_udp_bind_all_nodes(postfix_master_t)
++corenet_udp_bind_all_unreserved_ports(postfix_master_t)
++corenet_dontaudit_udp_bind_all_ports(postfix_master_t)
+ corenet_tcp_bind_all_nodes(postfix_master_t)
+ corenet_tcp_bind_amavisd_send_port(postfix_master_t)
+ corenet_tcp_bind_smtp_port(postfix_master_t)
+@@ -170,6 +191,8 @@
domain_use_interactive_fds(postfix_master_t)
files_read_usr_files(postfix_master_t)
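Review bot: `corenet_udp_bind_all_unreserved_ports(postfix_master_t)` together with `corenet_dontaudit_udp_bind_all_ports(postfix_master_t)` lets the master process bind any unprivileged UDP port and silences the audit trail for the rest, with no comment saying which component needs it. A one-line why-comment would keep the grant reviewable, e.g. `# udp bind: resolver source ports — TODO confirm which postfix process triggered this`; if it is only DNS lookups, a narrower interface limited to that behaviour may suffice. The dontaudit in particular hides future denials that would otherwise reveal a misconfigured master trying to bind reserved ports.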
@@ -21147,7 +21254,7 @@
term_dontaudit_search_ptys(postfix_master_t)
-@@ -181,15 +201,14 @@
+@@ -181,15 +204,14 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -21167,7 +21274,7 @@
')
optional_policy(`
-@@ -202,9 +221,29 @@
+@@ -202,9 +224,29 @@
')
optional_policy(`
@@ -21197,7 +21304,7 @@
########################################
#
# Postfix bounce local policy
-@@ -245,6 +284,10 @@
+@@ -245,6 +287,10 @@
corecmd_exec_bin(postfix_cleanup_t)
@@ -21208,7 +21315,7 @@
########################################
#
# Postfix local local policy
-@@ -270,18 +313,25 @@
+@@ -270,18 +316,25 @@
files_read_etc_files(postfix_local_t)
@@ -21234,7 +21341,7 @@
')
optional_policy(`
-@@ -292,8 +342,7 @@
+@@ -292,8 +345,7 @@
#
# Postfix map local policy
#
@@ -21244,7 +21351,7 @@
allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
allow postfix_map_t self:unix_dgram_socket create_socket_perms;
allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -343,8 +392,6 @@
+@@ -343,8 +395,6 @@
miscfiles_read_localization(postfix_map_t)
@@ -21253,7 +21360,7 @@
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -357,6 +404,11 @@
+@@ -357,6 +407,11 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -21265,7 +21372,7 @@
########################################
#
# Postfix pickup local policy
-@@ -381,6 +433,7 @@
+@@ -381,6 +436,7 @@
#
allow postfix_pipe_t self:fifo_file rw_fifo_file_perms;
@@ -21273,7 +21380,7 @@
write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t)
-@@ -388,6 +441,12 @@
+@@ -388,6 +444,12 @@
rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t)
@@ -21286,7 +21393,7 @@
optional_policy(`
procmail_domtrans(postfix_pipe_t)
')
-@@ -397,6 +456,15 @@
+@@ -397,6 +459,15 @@
')
optional_policy(`
@@ -21302,7 +21409,7 @@
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -433,8 +501,11 @@
+@@ -433,8 +504,11 @@
')
optional_policy(`
@@ -21316,7 +21423,7 @@
')
#######################################
-@@ -460,6 +531,15 @@
+@@ -460,6 +534,15 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -21332,7 +21439,7 @@
########################################
#
# Postfix qmgr local policy
-@@ -540,9 +620,18 @@
+@@ -540,9 +623,18 @@
# for OpenSSL certificates
files_read_usr_files(postfix_smtpd_t)
@@ -21351,7 +21458,7 @@
mailman_read_data_files(postfix_smtpd_t)
')
-@@ -569,7 +658,7 @@
+@@ -569,7 +661,7 @@
files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
# connect to master process
@@ -23795,7 +23902,7 @@
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.5.13/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-15 12:24:35.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/samba.te 2008-12-22 10:23:59.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@@ -23898,7 +24005,7 @@
# smbd Local policy
#
-allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
-+allow smbd_t self:capability { chown fowner setgid setuid sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { chown fowner setgid setuid sys_nice sys_resource lease dac_override dac_read_search };
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
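Review bot: `sys_nice` is added to smbd_t's capability set without a comment, and unlike the existing members it is not obviously tied to file serving; CAP_SYS_NICE lets a process change the scheduling class and priority of other processes, not only its own. Record the trigger next to it, e.g. `# sys_nice: smbd adjusts scheduling of its worker processes — TODO confirm against the AVC that prompted this`, so the grant can be reconsidered if smbd stops needing it.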
@@ -26203,7 +26310,7 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.5.13/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-12-04 09:20:48.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/ssh.te 2008-12-27 07:06:56.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -26230,7 +26337,13 @@
#################################
#
# sshd local policy
-@@ -78,6 +88,9 @@
+@@ -74,10 +84,15 @@
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+
++fs_list_inotifyfs(sshd_t)
++
+ # for X forwarding
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
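Review bot: `fs_list_inotifyfs(sshd_t)` is dropped in between the key-related rules and the `# for X forwarding` block with no comment of its own, so a reader cannot tell which sshd component watches files via inotify. Suggest `# inotify: <consumer> watches files — TODO confirm` above it, and since it is unrelated to keys it would sit better next to sshd_t's other fs_* rules, which appear to lie outside this hunk.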
@@ -26240,7 +26353,7 @@
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -99,6 +112,14 @@
+@@ -99,6 +114,14 @@
')
optional_policy(`
@@ -26255,7 +26368,7 @@
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -117,7 +138,11 @@
+@@ -117,7 +140,11 @@
')
optional_policy(`
@@ -26268,7 +26381,7 @@
unconfined_shell_domtrans(sshd_t)
')
-@@ -176,6 +201,8 @@
+@@ -176,6 +203,8 @@
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.763
retrieving revision 1.764
diff -u -r1.763 -r1.764
--- selinux-policy.spec 18 Dec 2008 19:45:36 -0000 1.763
+++ selinux-policy.spec 27 Dec 2008 13:05:46 -0000 1.764
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 35%{?dist}
+Release: 37%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -459,6 +459,12 @@
%endif
%changelog
+* Sat Dec 27 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-37
+- Allow sshd to use inotify
+
+* Fri Dec 19 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-36
+- Add hal_dccm policy
+
* Tue Dec 9 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-35
- Allow staff_t to execute at jobs