rpms/selinux-policy/F-8 policy-20070703.patch, 1.189, 1.190 selinux-policy.spec, 1.615, 1.616
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Mar 4 21:37:18 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16514
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Tue Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-90
- Allow mozilla to auth_use_nsswitch
- Change location of mock
- Fix context on /usr/sbin/validate
- allow vbetool to map low kernel memory
- Allow fail2ban to connect to whois port
- Allow bitlbee to read locale files
- Allow clamd to execute shell
- dontaudit setroubleshoot reading cifs and nfs files
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.189
retrieving revision 1.190
diff -u -r1.189 -r1.190
--- policy-20070703.patch 27 Feb 2008 02:34:01 -0000 1.189
+++ policy-20070703.patch 4 Mar 2008 21:37:10 -0000 1.190
@@ -1124,7 +1124,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te 2008-02-27 23:26:06.000000000 -0500
@@ -215,3 +215,7 @@
userdom_dontaudit_search_staff_home_dirs(bootloader_t)
userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
@@ -2507,8 +2507,17 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.8/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te 2008-01-17 09:03:07.000000000 -0500
-@@ -33,4 +33,5 @@
++++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te 2008-03-04 15:48:23.000000000 -0500
+@@ -23,6 +23,8 @@
+ dev_rwx_zero(vbetool_t)
+ dev_read_sysfs(vbetool_t)
+
++domain_mmap_low(vbetool_t)
++
+ term_use_unallocated_ttys(vbetool_t)
+
+ libs_use_ld_so(vbetool_t)
+@@ -33,4 +35,5 @@
optional_policy(`
hal_rw_pid_files(vbetool_t)
hal_write_log(vbetool_t)
@@ -3444,7 +3453,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2008-01-21 12:59:59.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if 2008-03-04 10:34:00.000000000 -0500
@@ -36,6 +36,8 @@
gen_require(`
type mozilla_conf_t, mozilla_exec_t;
@@ -3477,7 +3486,12 @@
allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
allow $1_mozilla_t self:sem create_sem_perms;
-@@ -71,6 +81,11 @@
+@@ -66,11 +76,15 @@
+ allow $1_mozilla_t self:unix_stream_socket { listen accept };
+ # Browse the web, connect to printer
+ allow $1_mozilla_t self:tcp_socket create_socket_perms;
+- allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+
# for bash - old mozilla binary
can_exec($1_mozilla_t, mozilla_exec_t)
@@ -3489,7 +3503,7 @@
# X access, Home files
manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
-@@ -96,15 +111,41 @@
+@@ -96,15 +110,41 @@
relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
@@ -3538,7 +3552,7 @@
# Unrestricted inheritance from the caller.
allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
-@@ -112,11 +153,13 @@
+@@ -112,11 +152,13 @@
ps_process_pattern($2,$1_mozilla_t)
allow $2 $1_mozilla_t:process signal_perms;
@@ -3554,7 +3568,7 @@
# Look for plugins
corecmd_list_bin($1_mozilla_t)
-@@ -165,10 +208,23 @@
+@@ -165,13 +207,28 @@
files_read_var_files($1_mozilla_t)
files_read_var_symlinks($1_mozilla_t)
files_dontaudit_getattr_boot_dirs($1_mozilla_t)
@@ -3578,10 +3592,19 @@
term_dontaudit_getattr_pty_dirs($1_mozilla_t)
-@@ -184,12 +240,8 @@
- sysnet_dns_name_resolve($1_mozilla_t)
- sysnet_read_config($1_mozilla_t)
-
++ auth_use_nsswitch($1_mozilla_t)
++
+ libs_use_ld_so($1_mozilla_t)
+ libs_use_shared_libs($1_mozilla_t)
+
+@@ -180,16 +237,8 @@
+ miscfiles_read_fonts($1_mozilla_t)
+ miscfiles_read_localization($1_mozilla_t)
+
+- # Browse the web, connect to printer
+- sysnet_dns_name_resolve($1_mozilla_t)
+- sysnet_read_config($1_mozilla_t)
+-
- userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
- userdom_manage_user_home_content_files($1,$1_mozilla_t)
- userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
@@ -3593,7 +3616,7 @@
xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-@@ -211,131 +263,8 @@
+@@ -211,131 +260,8 @@
fs_manage_cifs_symlinks($1_mozilla_t)
')
@@ -3727,7 +3750,7 @@
')
optional_policy(`
-@@ -350,21 +279,27 @@
+@@ -350,21 +276,27 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
@@ -3759,7 +3782,14 @@
')
optional_policy(`
-@@ -384,25 +319,6 @@
+@@ -377,32 +309,9 @@
+ ')
+
+ optional_policy(`
+- nscd_socket_use($1_mozilla_t)
+- ')
+-
+- optional_policy(`
thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
')
@@ -3785,7 +3815,7 @@
')
########################################
-@@ -575,3 +491,27 @@
+@@ -575,3 +484,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
@@ -4294,7 +4324,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-20 17:16:46.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-03-04 16:32:54.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -4387,10 +4417,11 @@
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +175,19 @@
+@@ -160,13 +175,20 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
++network_port(whois, tcp,43,s0, udp,43,s0)
+network_port(wccp, udp,2048,s0)
+network_port(xdmcp, udp,177,s0, tcp,177,s0)
network_port(xen, tcp,8002,s0)
@@ -4410,7 +4441,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-02-20 08:52:30.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc 2008-02-27 17:11:36.000000000 -0500
@@ -1,8 +1,9 @@
/dev -d gen_context(system_u:object_r:device_t,s0)
@@ -4476,7 +4507,7 @@
/dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
-@@ -65,9 +83,8 @@
+@@ -65,14 +83,14 @@
/dev/sonypi -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
@@ -4488,7 +4519,13 @@
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -94,12 +111,23 @@
+ ')
+ /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/vboxadd.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -94,12 +112,23 @@
/dev/dvb/.* -c gen_context(system_u:object_r:v4l_device_t,s0)
@@ -4512,7 +4549,7 @@
/dev/pts(/.*)? <<none>>
-@@ -113,14 +141,9 @@
+@@ -113,14 +142,9 @@
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
@@ -7683,8 +7720,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2008-02-26 16:46:48.000000000 -0500
-@@ -0,0 +1,75 @@
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2008-03-03 11:03:14.000000000 -0500
+@@ -0,0 +1,77 @@
+
+policy_module(bitlbee, 1.0.0)
+
@@ -7754,6 +7791,8 @@
+libs_legacy_use_shared_libs(bitlbee_t)
+libs_use_ld_so(bitlbee_t)
+
++miscfiles_read_localization(bitlbee_t)
++
+sysnet_dns_name_resolve(bitlbee_t)
+
+optional_policy(`
@@ -7850,7 +7889,7 @@
/var/spool/amavisd/clamd\.sock -s gen_context(system_u:object_r:clamd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
--- nsaserefpolicy/policy/modules/services/clamav.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/clamav.te 2008-03-03 09:51:53.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(clamav,1.4.1)
@@ -7858,24 +7897,27 @@
########################################
#
-@@ -87,6 +87,7 @@
+@@ -87,6 +87,9 @@
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
+kernel_read_system_state(clamd_t)
++
++corecmd_exec_shell(clamd_t)
corenet_all_recvfrom_unlabeled(clamd_t)
corenet_all_recvfrom_netlabel(clamd_t)
-@@ -120,6 +121,8 @@
+@@ -120,6 +123,9 @@
cron_use_system_job_fds(clamd_t)
cron_rw_pipes(clamd_t)
+mta_read_config(clamd_t)
++mta_send_mail(clamd_t)
+
optional_policy(`
amavis_read_lib_files(clamd_t)
amavis_read_spool_files(clamd_t)
-@@ -127,6 +130,10 @@
+@@ -127,6 +133,10 @@
amavis_create_pid_files(clamd_t)
')
@@ -7886,7 +7928,7 @@
########################################
#
# Freshclam local policy
-@@ -233,3 +240,7 @@
+@@ -233,3 +243,7 @@
optional_policy(`
apache_read_sys_content(clamscan_t)
')
@@ -10087,16 +10129,25 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.0.8/policy/modules/services/fail2ban.fc
--- nsaserefpolicy/policy/modules/services/fail2ban.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-02-01 10:04:19.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc 2008-03-04 16:30:22.000000000 -0500
@@ -1,3 +1,5 @@
-+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
- /var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
- /var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+-/var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+-/var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
++/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
++/var/log/fail2ban\.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
++/var/run/fail2ban\.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+/var/run/fail2ban\.sock -s gen_context(system_u:object_r:fail2ban_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te
--- nsaserefpolicy/policy/modules/services/fail2ban.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-02-01 07:42:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te 2008-03-04 16:29:48.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(fail2ban,1.0.0)
++policy_module(fail2ban,1.1.0)
+
+ ########################################
+ #
@@ -33,8 +33,9 @@
logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
@@ -10108,7 +10159,20 @@
kernel_read_system_state(fail2ban_t)
-@@ -55,6 +56,8 @@
+@@ -47,14 +48,20 @@
+
+ files_read_etc_files(fail2ban_t)
+ files_read_usr_files(fail2ban_t)
++files_list_var(fail2ban_t)
++files_search_var_lib(fail2ban_t)
++
++fs_list_inotifyfs(fail2ban_t)
+
+ libs_use_ld_so(fail2ban_t)
+ libs_use_shared_libs(fail2ban_t)
+
+-logging_read_generic_logs(fail2ban_t)
++logging_read_all_logs(fail2ban_t)
miscfiles_read_localization(fail2ban_t)
@@ -15514,7 +15578,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2008-02-15 15:40:37.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te 2008-02-29 09:08:55.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot,1.4.1)
@@ -15551,7 +15615,7 @@
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-@@ -67,16 +72,22 @@
+@@ -67,16 +72,24 @@
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
@@ -15572,10 +15636,12 @@
fs_getattr_all_dirs(setroubleshootd_t)
fs_getattr_all_files(setroubleshootd_t)
+fs_read_fusefs_symlinks(setroubleshootd_t)
++fs_dontaudit_read_nfs_files(setroubleshootd_t)
++fs_dontaudit_read_cifs_files(setroubleshootd_t)
selinux_get_enforce_mode(setroubleshootd_t)
selinux_validate_context(setroubleshootd_t)
-@@ -96,17 +107,23 @@
+@@ -96,17 +109,23 @@
locallogin_dontaudit_use_fds(setroubleshootd_t)
@@ -17184,7 +17250,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-01-24 13:40:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-02-27 23:18:23.000000000 -0500
@@ -16,6 +16,13 @@
## <desc>
@@ -17513,16 +17579,18 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-01-29 09:14:26.000000000 -0500
-@@ -14,6 +14,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2008-03-04 15:32:46.000000000 -0500
+@@ -13,7 +13,9 @@
+ /sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/validate -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/sbin/unix_verify -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
+/sbin/unix_update -- gen_context(system_u:object_r:updpwd_exec_t,s0)
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
-@@ -38,5 +39,9 @@
+@@ -38,5 +40,9 @@
/var/log/wtmp.* -- gen_context(system_u:object_r:wtmp_t,s0)
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
@@ -18157,7 +18225,7 @@
/sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.8/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/fstools.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/fstools.te 2008-02-27 23:25:25.000000000 -0500
@@ -109,8 +109,7 @@
term_use_console(fsadm_t)
@@ -18597,7 +18665,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/init.te 2008-02-27 23:24:47.000000000 -0500
@@ -10,6 +10,20 @@
# Declarations
#
@@ -18827,7 +18895,15 @@
')
optional_policy(`
-@@ -749,6 +803,12 @@
+@@ -738,6 +792,7 @@
+
+ optional_policy(`
+ unconfined_domain(initrc_t)
++ unconfined_domain(init_t)
+
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
+@@ -749,6 +804,12 @@
')
')
@@ -19283,7 +19359,7 @@
+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-02-15 15:38:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-02-29 15:22:06.000000000 -0500
@@ -34,6 +34,51 @@
#
interface(`logging_send_audit_msgs',`
@@ -19400,7 +19476,7 @@
')
########################################
-@@ -597,3 +657,270 @@
+@@ -597,3 +657,272 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -19666,10 +19742,12 @@
+interface(`logging_stream_connect_audisp',`
+ gen_require(`
+ type audisp_t, audisp_var_run_t;
++ type auditd_t, auditd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
++ stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2007-10-22 13:21:40.000000000 -0400
@@ -19917,7 +19995,7 @@
/etc/lvm/lock(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-02-27 23:24:15.000000000 -0500
@@ -44,9 +44,9 @@
# Cluster LVM daemon local policy
#
@@ -19987,18 +20065,23 @@
userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
-@@ -131,10 +144,6 @@
+@@ -131,12 +144,12 @@
')
optional_policy(`
- nis_use_ypbind(clvmd_t)
--')
--
--optional_policy(`
- ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
- ricci_dontaudit_use_modcluster_fds(clvmd_t)
++ ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
++ ricci_dontaudit_use_modcluster_fds(clvmd_t)
')
-@@ -150,7 +159,8 @@
+
+ optional_policy(`
+- ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
+- ricci_dontaudit_use_modcluster_fds(clvmd_t)
++ unconfined_domain(clvmd_t)
+ ')
+
+ optional_policy(`
+@@ -150,7 +163,8 @@
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
@@ -20008,7 +20091,7 @@
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { sigchld sigkill sigstop signull signal };
# LVM will complain a lot if it cannot set its priority.
-@@ -160,7 +170,8 @@
+@@ -160,7 +174,8 @@
allow lvm_t self:unix_dgram_socket create_socket_perms;
allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -20018,7 +20101,7 @@
manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
-@@ -208,7 +219,6 @@
+@@ -208,7 +223,6 @@
selinux_compute_user_contexts(lvm_t)
dev_create_generic_chr_files(lvm_t)
@@ -20026,7 +20109,7 @@
dev_read_rand(lvm_t)
dev_read_urand(lvm_t)
dev_rw_lvm_control(lvm_t)
-@@ -228,6 +238,8 @@
+@@ -228,6 +242,8 @@
dev_dontaudit_getattr_generic_blk_files(lvm_t)
dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
@@ -20035,7 +20118,7 @@
fs_getattr_xattr_fs(lvm_t)
fs_search_auto_mountpoints(lvm_t)
-@@ -246,6 +258,7 @@
+@@ -246,6 +262,7 @@
storage_dev_filetrans_fixed_disk(lvm_t)
# Access raw devices and old /dev/lvm (c 109,0). Is this needed?
storage_manage_fixed_disk(lvm_t)
@@ -20043,7 +20126,7 @@
term_getattr_all_user_ttys(lvm_t)
term_list_ptys(lvm_t)
-@@ -254,10 +267,12 @@
+@@ -254,10 +271,12 @@
domain_use_interactive_fds(lvm_t)
@@ -20056,7 +20139,7 @@
init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
-@@ -275,6 +290,8 @@
+@@ -275,6 +294,8 @@
seutil_search_default_contexts(lvm_t)
seutil_sigchld_newrole(lvm_t)
@@ -20065,7 +20148,7 @@
ifdef(`distro_redhat',`
# this is from the initrd:
files_rw_isid_type_dirs(lvm_t)
-@@ -293,5 +310,18 @@
+@@ -293,5 +314,18 @@
')
optional_policy(`
@@ -21292,7 +21375,7 @@
xen_append_log(ifconfig_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2008-02-27 23:27:54.000000000 -0500
@@ -132,6 +132,7 @@
init_read_utmp(udev_t)
@@ -21337,7 +21420,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-01-22 09:29:20.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc 2008-03-04 10:18:00.000000000 -0500
@@ -7,6 +7,10 @@
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
@@ -21348,7 +21431,7 @@
/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/rhythmbox -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/bin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
++/usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-10-22 13:21:40.000000000 -0400
@@ -24123,7 +24206,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/xen.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/xen.te 2008-02-27 23:16:42.000000000 -0500
@@ -45,9 +45,7 @@
type xenstored_t;
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.615
retrieving revision 1.616
diff -u -r1.615 -r1.616
--- selinux-policy.spec 26 Feb 2008 23:02:12 -0000 1.615
+++ selinux-policy.spec 4 Mar 2008 21:37:10 -0000 1.616
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 89%{?dist}
+Release: 90%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,17 @@
%endif
%changelog
+* Tue Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-90
+- Allow mozilla to auth_use_nsswitch
+- Change location of mock
+- Fix context on /usr/sbin/validate
+- allow vbetool to map low kernel memory
+- Allow fail2ban to connect to whois port
+- Allow bitlbee to read locale files
+- Allow clamd to execute shell
+- dontaudit setroubleshoot reading cifs and nfs files
+
+
* Thu Feb 21 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-89
- Add jkubin changes for nx and groupadd
- Add isns port
More information about the fedora-extras-commits
mailing list