rpms/selinux-policy/F-8 policy-20070703.patch, 1.189, 1.190 selinux-policy.spec, 1.615, 1.616

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Mar 4 21:37:18 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16514

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-90
- Allow mozilla to auth_use_nsswitch
- Change location of mock
- Fix context on /usr/sbin/validate
- allow vbetool to map low kernel memory
- Allow fail2ban to connect to whois port
- Allow bitlbee to read locale files
- Allow clamd to execute shell
- dontaudit setroubleshoot reading cifs and nfs files


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.189
retrieving revision 1.190
diff -u -r1.189 -r1.190
--- policy-20070703.patch	27 Feb 2008 02:34:01 -0000	1.189
+++ policy-20070703.patch	4 Mar 2008 21:37:10 -0000	1.190
@@ -1124,7 +1124,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-3.0.8/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/bootloader.te	2008-02-27 23:26:06.000000000 -0500
 @@ -215,3 +215,7 @@
  	userdom_dontaudit_search_staff_home_dirs(bootloader_t)
  	userdom_dontaudit_search_sysadm_home_dirs(bootloader_t)
@@ -2507,8 +2507,17 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.0.8/policy/modules/admin/vbetool.te
 --- nsaserefpolicy/policy/modules/admin/vbetool.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te	2008-01-17 09:03:07.000000000 -0500
-@@ -33,4 +33,5 @@
++++ serefpolicy-3.0.8/policy/modules/admin/vbetool.te	2008-03-04 15:48:23.000000000 -0500
+@@ -23,6 +23,8 @@
+ dev_rwx_zero(vbetool_t)
+ dev_read_sysfs(vbetool_t)
+ 
++domain_mmap_low(vbetool_t)
++
+ term_use_unallocated_ttys(vbetool_t)
+ 
+ libs_use_ld_so(vbetool_t)
+@@ -33,4 +35,5 @@
  optional_policy(`
  	hal_rw_pid_files(vbetool_t)
  	hal_write_log(vbetool_t)
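Review bot: `domain_mmap_low(vbetool_t)` is added with no why-comment, and it is not a routine grant: the interface corresponds to the memprotect mmap_zero check that keeps ordinary domains from mapping the lowest addresses, so its presence in a domain should be explained next to the call. The changelog only says "map low kernel memory"; a line such as `# vbetool maps the low 1MB to run the video BIOS in emulation (TODO confirm)` would let a later audit tell the intent. The remaining vbetool_t rules lie outside this hunk.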
@@ -3444,7 +3453,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.0.8/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if	2008-01-21 12:59:59.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/apps/mozilla.if	2008-03-04 10:34:00.000000000 -0500
 @@ -36,6 +36,8 @@
  	gen_require(`
  		type mozilla_conf_t, mozilla_exec_t;
@@ -3477,7 +3486,12 @@
  	allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
  	allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
  	allow $1_mozilla_t self:sem create_sem_perms;
-@@ -71,6 +81,11 @@
+@@ -66,11 +76,15 @@
+ 	allow $1_mozilla_t self:unix_stream_socket { listen accept };
+ 	# Browse the web, connect to printer
+ 	allow $1_mozilla_t self:tcp_socket create_socket_perms;
+-	allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
+ 
  	# for bash - old mozilla binary
  	can_exec($1_mozilla_t, mozilla_exec_t)
  
@@ -3489,7 +3503,7 @@
  	# X access, Home files
  	manage_dirs_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
  	manage_files_pattern($1_mozilla_t,$1_mozilla_home_t,$1_mozilla_home_t)
-@@ -96,15 +111,41 @@
+@@ -96,15 +110,41 @@
  	relabel_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
  	relabel_lnk_files_pattern($2,$1_mozilla_home_t,$1_mozilla_home_t)
  
@@ -3538,7 +3552,7 @@
  	# Unrestricted inheritance from the caller.
  	allow $2 $1_mozilla_t:process { noatsecure siginh rlimitinh };
  
-@@ -112,11 +153,13 @@
+@@ -112,11 +152,13 @@
  	ps_process_pattern($2,$1_mozilla_t)
  	allow $2 $1_mozilla_t:process signal_perms;
  	
@@ -3554,7 +3568,7 @@
  
  	# Look for plugins 
  	corecmd_list_bin($1_mozilla_t)
-@@ -165,10 +208,23 @@
+@@ -165,13 +207,28 @@
  	files_read_var_files($1_mozilla_t)
  	files_read_var_symlinks($1_mozilla_t)
   	files_dontaudit_getattr_boot_dirs($1_mozilla_t)
@@ -3578,10 +3592,19 @@
  
  	term_dontaudit_getattr_pty_dirs($1_mozilla_t)
  	
-@@ -184,12 +240,8 @@
- 	sysnet_dns_name_resolve($1_mozilla_t)
- 	sysnet_read_config($1_mozilla_t)
- 	
++	auth_use_nsswitch($1_mozilla_t)
++
+ 	libs_use_ld_so($1_mozilla_t)
+ 	libs_use_shared_libs($1_mozilla_t)
+ 
+@@ -180,16 +237,8 @@
+ 	miscfiles_read_fonts($1_mozilla_t)
+ 	miscfiles_read_localization($1_mozilla_t)
+ 
+-	# Browse the web, connect to printer
+-	sysnet_dns_name_resolve($1_mozilla_t)
+-	sysnet_read_config($1_mozilla_t)
+-	
 -	userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
 -	userdom_manage_user_home_content_files($1,$1_mozilla_t)
 -	userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
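Review bot: Swapping the explicit `sysnet_dns_name_resolve` / `sysnet_read_config` calls for `auth_use_nsswitch($1_mozilla_t)` makes name resolution in the browser domain depend entirely on that interface covering what was removed, and the same assumption underlies the removal of `allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;` in the `@@ -3477` hunk and of `nscd_socket_use` in the `@@ -3759` hunk. If this refpolicy version's auth_use_nsswitch body omits any of those, DNS lookups will start being denied; confirm the interface body in authlogin.if before taking the removals. Note also that auth_use_nsswitch presumably brings in ypbind, ldap and winbind access the old explicit rules did not, which widens the browser domain beyond the changelog's wording. The enclosing template starts and ends outside this hunk.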
@@ -3593,7 +3616,7 @@
  	
  	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
  	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
-@@ -211,131 +263,8 @@
+@@ -211,131 +260,8 @@
  		fs_manage_cifs_symlinks($1_mozilla_t)
  	')
  
@@ -3727,7 +3750,7 @@
  	')
  
  	optional_policy(`
-@@ -350,21 +279,27 @@
+@@ -350,21 +276,27 @@
  	optional_policy(`
  		cups_read_rw_config($1_mozilla_t)
  		cups_dbus_chat($1_mozilla_t)
@@ -3759,7 +3782,14 @@
  	')
  
  	optional_policy(`
-@@ -384,25 +319,6 @@
+@@ -377,32 +309,9 @@
+ 	')
+ 
+ 	optional_policy(`
+-		nscd_socket_use($1_mozilla_t)
+-	')
+-
+-	optional_policy(`
  		thunderbird_domtrans_user_thunderbird($1, $1_mozilla_t)
  	')
  
@@ -3785,7 +3815,7 @@
  ')
  
  ########################################
-@@ -575,3 +491,27 @@
+@@ -575,3 +484,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -4294,7 +4324,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2008-02-20 17:16:46.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in	2008-03-04 16:32:54.000000000 -0500
 @@ -55,6 +55,11 @@
  type reserved_port_t, port_type, reserved_port_type;
  
@@ -4387,10 +4417,11 @@
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
  network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +175,19 @@
+@@ -160,13 +175,20 @@
  type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
  network_port(uucpd, tcp,540,s0)
  network_port(vnc, tcp,5900,s0)
++network_port(whois, tcp,43,s0, udp,43,s0)
 +network_port(wccp, udp,2048,s0)
 +network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
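Review bot: `network_port(whois, tcp,43,s0, udp,43,s0)` is inserted between `vnc` and `wccp`, breaking the alphabetical order this section otherwise keeps; move it below `network_port(wccp, udp,2048,s0)` so it reads `wccp`, `whois`, `xdmcp`. The fail2ban.te hunks visible in this patch do not show the generated `corenet_tcp_connect_whois_port(fail2ban_t)` call that the changelog entry implies, so presumably it lives in a hunk not included here; worth confirming the declaration has its consumer.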
@@ -4410,7 +4441,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2008-02-20 08:52:30.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2008-02-27 17:11:36.000000000 -0500
 @@ -1,8 +1,9 @@
  
  /dev			-d	gen_context(system_u:object_r:device_t,s0)
@@ -4476,7 +4507,7 @@
  /dev/par.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/patmgr[01]		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
-@@ -65,9 +83,8 @@
+@@ -65,14 +83,14 @@
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
@@ -4488,7 +4519,13 @@
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -94,12 +111,23 @@
+ ')
+ /dev/vbi.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/vboxadd.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
+ /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
+ /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -94,12 +112,23 @@
  
  /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  
@@ -4512,7 +4549,7 @@
  
  /dev/pts(/.*)?			<<none>>
  
-@@ -113,14 +141,9 @@
+@@ -113,14 +142,9 @@
  /dev/xen/blktap.*	-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/xen/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  
@@ -7683,8 +7720,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te
 --- nsaserefpolicy/policy/modules/services/bitlbee.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te	2008-02-26 16:46:48.000000000 -0500
-@@ -0,0 +1,75 @@
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te	2008-03-03 11:03:14.000000000 -0500
+@@ -0,0 +1,77 @@
 +
 +policy_module(bitlbee, 1.0.0)
 +
@@ -7754,6 +7791,8 @@
 +libs_legacy_use_shared_libs(bitlbee_t)
 +libs_use_ld_so(bitlbee_t)
 +
++miscfiles_read_localization(bitlbee_t)
++
 +sysnet_dns_name_resolve(bitlbee_t)
 +
 +optional_policy(`
@@ -7850,7 +7889,7 @@
  /var/spool/amavisd/clamd\.sock	-s	gen_context(system_u:object_r:clamd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.8/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/clamav.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/clamav.te	2008-03-03 09:51:53.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(clamav,1.4.1)
@@ -7858,24 +7897,27 @@
  
  ########################################
  #
-@@ -87,6 +87,7 @@
+@@ -87,6 +87,9 @@
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
  kernel_read_kernel_sysctls(clamd_t)
 +kernel_read_system_state(clamd_t)
++
++corecmd_exec_shell(clamd_t)
  
  corenet_all_recvfrom_unlabeled(clamd_t)
  corenet_all_recvfrom_netlabel(clamd_t)
-@@ -120,6 +121,8 @@
+@@ -120,6 +123,9 @@
  cron_use_system_job_fds(clamd_t)
  cron_rw_pipes(clamd_t)
  
 +mta_read_config(clamd_t)
++mta_send_mail(clamd_t)
 +
  optional_policy(`
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
-@@ -127,6 +130,10 @@
+@@ -127,6 +133,10 @@
  	amavis_create_pid_files(clamd_t)
  ')
  
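Review bot: `corecmd_exec_shell(clamd_t)` and `mta_send_mail(clamd_t)` are added to a network-facing daemon domain without a comment saying what needs them, and each is a notable widening: the first lets clamd run the system shell, the second lets it transition into the mail-sending domain. Presumably this serves clamd's VirusEvent hook and its notification mail; if so, state that above the rules, e.g. `# VirusEvent runs a shell command and may mail a report (TODO confirm)`, so a later audit can separate intent from accident. If the project has a convention for gating such grants behind a boolean, the shell exec is a candidate. The other clamd_t rules continue outside this hunk.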
@@ -7886,7 +7928,7 @@
  ########################################
  #
  # Freshclam local policy
-@@ -233,3 +240,7 @@
+@@ -233,3 +243,7 @@
  optional_policy(`
  	apache_read_sys_content(clamscan_t)
  ')
@@ -10087,16 +10129,25 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.0.8/policy/modules/services/fail2ban.fc
 --- nsaserefpolicy/policy/modules/services/fail2ban.fc	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc	2008-02-01 10:04:19.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.fc	2008-03-04 16:30:22.000000000 -0500
 @@ -1,3 +1,5 @@
-+/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
  /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
- /var/log/fail2ban.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
- /var/run/fail2ban.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+-/var/log/fail2ban.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+-/var/run/fail2ban.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
++/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
++/var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
++/var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 +/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.0.8/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te	2008-02-01 07:42:49.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/fail2ban.te	2008-03-04 16:29:48.000000000 -0500
+@@ -1,5 +1,5 @@
+ 
+-policy_module(fail2ban,1.0.0)
++policy_module(fail2ban,1.1.0)
+ 
+ ########################################
+ #
 @@ -33,8 +33,9 @@
  logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
  
@@ -10108,7 +10159,20 @@
  
  kernel_read_system_state(fail2ban_t)
  
-@@ -55,6 +56,8 @@
+@@ -47,14 +48,20 @@
+ 
+ files_read_etc_files(fail2ban_t)
+ files_read_usr_files(fail2ban_t)
++files_list_var(fail2ban_t)
++files_search_var_lib(fail2ban_t)
++
++fs_list_inotifyfs(fail2ban_t)
+ 
+ libs_use_ld_so(fail2ban_t)
+ libs_use_shared_libs(fail2ban_t)
+ 
+-logging_read_generic_logs(fail2ban_t)
++logging_read_all_logs(fail2ban_t)
  
  miscfiles_read_localization(fail2ban_t)
  
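Review bot: Replacing `logging_read_generic_logs(fail2ban_t)` with `logging_read_all_logs(fail2ban_t)` moves from the generic log type to every type carrying the logfile attribute, which presumably includes the audit log type, and the hunk gives no reason for the jump. If the motivation is scanning service logs such as the web or mail server logs, a comment saying so (`# fail2ban scans per-service logs, not only var_log_t`) makes the widening deliberate; if audit logs were not meant to be included, the per-service `*_read_log` interfaces are the narrower choice. `fs_list_inotifyfs(fail2ban_t)` is consistent with watching logs via inotify and needs no further change.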
@@ -15514,7 +15578,7 @@
 -') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2008-02-15 15:40:37.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/setroubleshoot.te	2008-02-29 09:08:55.000000000 -0500
 @@ -1,5 +1,5 @@
  
 -policy_module(setroubleshoot,1.4.1)
@@ -15551,7 +15615,7 @@
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -67,16 +72,22 @@
+@@ -67,16 +72,24 @@
  corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
  
  dev_read_urand(setroubleshootd_t)
@@ -15572,10 +15636,12 @@
  fs_getattr_all_dirs(setroubleshootd_t)
  fs_getattr_all_files(setroubleshootd_t)
 +fs_read_fusefs_symlinks(setroubleshootd_t)
++fs_dontaudit_read_nfs_files(setroubleshootd_t)
++fs_dontaudit_read_cifs_files(setroubleshootd_t)
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -96,17 +107,23 @@
+@@ -96,17 +109,23 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -17184,7 +17250,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2008-01-24 13:40:36.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2008-02-27 23:18:23.000000000 -0500
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -17513,16 +17579,18 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc	2008-01-29 09:14:26.000000000 -0500
-@@ -14,6 +14,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc	2008-03-04 15:32:46.000000000 -0500
+@@ -13,7 +13,9 @@
+ /sbin/pam_console_apply	 --	gen_context(system_u:object_r:pam_console_exec_t,s0)
  /sbin/pam_timestamp_check --	gen_context(system_u:object_r:pam_exec_t,s0)
  /sbin/unix_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
++/usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  /sbin/unix_verify	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
 +/sbin/unix_update	--	gen_context(system_u:object_r:updpwd_exec_t,s0)
  ifdef(`distro_suse', `
  /sbin/unix2_chkpwd	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)
  ')
-@@ -38,5 +39,9 @@
+@@ -38,5 +40,9 @@
  /var/log/wtmp.*		--	gen_context(system_u:object_r:wtmp_t,s0)
  
  /var/run/console(/.*)?	 	gen_context(system_u:object_r:pam_var_console_t,s0)
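Review bot: `/usr/sbin/validate	--	gen_context(system_u:object_r:chkpwd_exec_t,s0)` labels a very generically named path as a password-checker entrypoint, so whatever binary a package installs there enters the chkpwd domain, which exists to read the shadow file; a comment naming the owning package (`# <package: TODO confirm> password validation helper`) would make the label auditable. The entry is also placed between the two `/sbin/unix_*` lines, where it reads like a typo of `/sbin/`; placing it after `/sbin/unix_update` or the `distro_suse` block keeps the list sorted by path.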
@@ -18157,7 +18225,7 @@
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.0.8/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/fstools.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/fstools.te	2008-02-27 23:25:25.000000000 -0500
 @@ -109,8 +109,7 @@
  
  term_use_console(fsadm_t)
@@ -18597,7 +18665,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.8/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/init.te	2008-02-27 23:24:47.000000000 -0500
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -18827,7 +18895,15 @@
  ')
  
  optional_policy(`
-@@ -749,6 +803,12 @@
+@@ -738,6 +792,7 @@
+ 
+ optional_policy(`
+ 	unconfined_domain(initrc_t)
++	unconfined_domain(init_t)
+ 
+ 	ifdef(`distro_redhat',`
+ 		# system-config-services causes avc messages that should be dontaudited
+@@ -749,6 +804,12 @@
  	')
  ')
  
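Review bot: `unconfined_domain(init_t)`, placed next to `unconfined_domain(initrc_t)`, makes PID 1 unconfined whenever the unconfined module is loaded, which silently voids every other rule written for init_t in that configuration and is not mentioned in the changelog. Add a comment above it stating the reason (`# init_t is unconfined alongside initrc_t because <reason: TODO confirm>`) so the grant is not later mistaken for a leftover. The optional_policy block this sits in closes outside the hunk.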
@@ -19283,7 +19359,7 @@
 +/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if	2008-02-15 15:38:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/logging.if	2008-02-29 15:22:06.000000000 -0500
 @@ -34,6 +34,51 @@
  #
  interface(`logging_send_audit_msgs',`
@@ -19400,7 +19476,7 @@
  ')
  
  ########################################
-@@ -597,3 +657,270 @@
+@@ -597,3 +657,272 @@
  	files_search_var($1)
  	manage_files_pattern($1,var_log_t,var_log_t)
  ')
@@ -19666,10 +19742,12 @@
 +interface(`logging_stream_connect_audisp',`
 +	gen_require(`
 +		type audisp_t, audisp_var_run_t;
++		type auditd_t, auditd_var_run_t;
 +	')
 +
 +	files_search_pids($1)
 +	stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
++	stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-10-22 13:21:40.000000000 -0400
@@ -19917,7 +19995,7 @@
  /etc/lvm/lock(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/lvm.te	2008-02-27 23:24:15.000000000 -0500
 @@ -44,9 +44,9 @@
  # Cluster LVM daemon local policy
  #
@@ -19987,18 +20065,23 @@
  
  userdom_dontaudit_use_unpriv_user_fds(clvmd_t)
  userdom_dontaudit_search_sysadm_home_dirs(clvmd_t)
-@@ -131,10 +144,6 @@
+@@ -131,12 +144,12 @@
  ')
  
  optional_policy(`
 -	nis_use_ypbind(clvmd_t)
--')
--
--optional_policy(`
- 	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
- 	ricci_dontaudit_use_modcluster_fds(clvmd_t)
++	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
++	ricci_dontaudit_use_modcluster_fds(clvmd_t)
  ')
-@@ -150,7 +159,8 @@
+ 
+ optional_policy(`
+-	ricci_dontaudit_rw_modcluster_pipes(clvmd_t)
+-	ricci_dontaudit_use_modcluster_fds(clvmd_t)
++	unconfined_domain(clvmd_t)
+ ')
+ 
+ optional_policy(`
+@@ -150,7 +163,8 @@
  
  # DAC overrides and mknod for modifying /dev entries (vgmknodes)
  # rawio needed for dmraid
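Review bot: `unconfined_domain(clvmd_t)` is added inside an optional_policy block with no comment, turning the cluster LVM daemon into an unconfined domain whenever the unconfined module is present; that is a far larger grant than the `nis_use_ypbind` it replaces nearby and is not mentioned in the changelog. Record the reason above the call (`# clvmd is unconfined because <reason: TODO confirm>`), and if it was added to silence specific denials, listing the missing interfaces instead keeps the daemon confined. The surrounding clvmd_t rules continue outside this hunk.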
@@ -20008,7 +20091,7 @@
  dontaudit lvm_t self:capability sys_tty_config;
  allow lvm_t self:process { sigchld sigkill sigstop signull signal };
  # LVM will complain a lot if it cannot set its priority.
-@@ -160,7 +170,8 @@
+@@ -160,7 +174,8 @@
  allow lvm_t self:unix_dgram_socket create_socket_perms;
  allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
  
@@ -20018,7 +20101,7 @@
  
  manage_dirs_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
  manage_files_pattern(lvm_t,lvm_tmp_t,lvm_tmp_t)
-@@ -208,7 +219,6 @@
+@@ -208,7 +223,6 @@
  selinux_compute_user_contexts(lvm_t)
  
  dev_create_generic_chr_files(lvm_t)
@@ -20026,7 +20109,7 @@
  dev_read_rand(lvm_t)
  dev_read_urand(lvm_t)
  dev_rw_lvm_control(lvm_t)
-@@ -228,6 +238,8 @@
+@@ -228,6 +242,8 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -20035,7 +20118,7 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -246,6 +258,7 @@
+@@ -246,6 +262,7 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
@@ -20043,7 +20126,7 @@
  
  term_getattr_all_user_ttys(lvm_t)
  term_list_ptys(lvm_t)
-@@ -254,10 +267,12 @@
+@@ -254,10 +271,12 @@
  
  domain_use_interactive_fds(lvm_t)
  
@@ -20056,7 +20139,7 @@
  
  init_use_fds(lvm_t)
  init_dontaudit_getattr_initctl(lvm_t)
-@@ -275,6 +290,8 @@
+@@ -275,6 +294,8 @@
  seutil_search_default_contexts(lvm_t)
  seutil_sigchld_newrole(lvm_t)
  
@@ -20065,7 +20148,7 @@
  ifdef(`distro_redhat',`
  	# this is from the initrd:
  	files_rw_isid_type_dirs(lvm_t)
-@@ -293,5 +310,18 @@
+@@ -293,5 +314,18 @@
  ')
  
  optional_policy(`
@@ -21292,7 +21375,7 @@
  	xen_append_log(ifconfig_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/udev.te	2008-02-27 23:27:54.000000000 -0500
 @@ -132,6 +132,7 @@
  
  init_read_utmp(udev_t)
@@ -21337,7 +21420,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.0.8/policy/modules/system/unconfined.fc
 --- nsaserefpolicy/policy/modules/system/unconfined.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2008-01-22 09:29:20.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.fc	2008-03-04 10:18:00.000000000 -0500
 @@ -7,6 +7,10 @@
  /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
  
@@ -21348,7 +21431,7 @@
  /usr/local/RealPlayer/realplay\.bin --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/rhythmbox		    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
-+/usr/bin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
++/usr/sbin/mock			    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 +/usr/sbin/sysreport	 	    --	gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-10-22 13:21:40.000000000 -0400
@@ -24123,7 +24206,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.0.8/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/xen.te	2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/xen.te	2008-02-27 23:16:42.000000000 -0500
 @@ -45,9 +45,7 @@
  
  type xenstored_t;


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.615
retrieving revision 1.616
diff -u -r1.615 -r1.616
--- selinux-policy.spec	26 Feb 2008 23:02:12 -0000	1.615
+++ selinux-policy.spec	4 Mar 2008 21:37:10 -0000	1.616
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 89%{?dist}
+Release: 90%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,17 @@
 %endif
 
 %changelog
+* Tue Mar 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-90
+- Allow mozilla to auth_use_nsswitch
+- Change location of mock
+- Fix context on /usr/sbin/validate
+- allow vbetool to map low kernel memory
+- Allow fail2ban to connect to whois port
+- Allow bitlbee to read locale files
+- Allow clamd to execute shell
+- dontaudit setroubleshoot reading cifs and nfs files
+
+
 * Thu Feb 21 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-89
 - Add jkubin changes for nx and groupadd
 - Add isns port



