rpms/selinux-policy/devel modules-targeted.conf, 1.84, 1.85 policy-20071130.patch, 1.101, 1.102 selinux-policy.spec, 1.632, 1.633
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Mar 14 00:25:37 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26732
Modified Files:
modules-targeted.conf policy-20071130.patch
selinux-policy.spec
Log Message:
* Thu Mar 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-18
- Add cups_pdf policy
- Add openoffice policy to run in xguest
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- modules-targeted.conf 6 Mar 2008 21:50:52 -0000 1.84
+++ modules-targeted.conf 14 Mar 2008 00:24:59 -0000 1.85
@@ -1641,3 +1641,10 @@
#
kerneloops = module
+# Layer: apps
+# Module: openoffice
+#
+# openoffice executable
+#
+openoffice = base
+
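Review bot: `openoffice = base` links the new policy into the base module, whereas the `kerneloops = module` entry just above it ships as a loadable module, so an administrator cannot remove or disable the openoffice policy on its own. If base is required because templates in base modules call into it (the userdomain.if change later in this commit suggests that), the comment block should say so; `# openoffice executable` does not explain the choice.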
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- policy-20071130.patch 13 Mar 2008 12:58:24 -0000 1.101
+++ policy-20071130.patch 14 Mar 2008 00:24:59 -0000 1.102
@@ -3962,7 +3962,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.3.1/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-03-01 10:01:48.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-06 11:17:59.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/java.fc 2008-03-13 18:18:13.000000000 -0400
@@ -11,6 +11,7 @@
#
/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -3971,7 +3971,7 @@
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-@@ -20,5 +21,15 @@
+@@ -20,5 +21,11 @@
/usr/bin/grmic -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/grmiregistry -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/jv-convert -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -3984,10 +3984,6 @@
+/usr/lib/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/lib64/jvm/java(.*/)bin(/.*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+
-+/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:java_exec_t,s0)
-+
-+
+/usr/bin/octave-[^/]* -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-3.3.1/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 2007-10-12 08:56:02.000000000 -0400
@@ -4446,7 +4442,7 @@
# /bin
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2007-10-29 07:52:48.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-03-06 10:13:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if 2008-03-13 18:42:48.000000000 -0400
@@ -35,7 +35,10 @@
template(`mozilla_per_role_template',`
gen_require(`
@@ -4643,16 +4639,16 @@
- # Browse the web, connect to printer
- sysnet_dns_name_resolve($1_mozilla_t)
- sysnet_read_config($1_mozilla_t)
--
++ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
++ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
+
- userdom_manage_user_home_content_dirs($1,$1_mozilla_t)
- userdom_manage_user_home_content_files($1,$1_mozilla_t)
- userdom_manage_user_home_content_symlinks($1,$1_mozilla_t)
- userdom_manage_user_tmp_dirs($1,$1_mozilla_t)
- userdom_manage_user_tmp_files($1,$1_mozilla_t)
- userdom_manage_user_tmp_sockets($1,$1_mozilla_t)
-+ userdom_dontaudit_read_user_tmp_files($1,$1_mozilla_t)
-+ userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
-
+-
- xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
+ xserver_user_x_domain_template($1,$1_mozilla,$1_mozilla_t,$1_mozilla_tmpfs_t)
xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
@@ -4792,7 +4788,7 @@
')
optional_policy(`
-@@ -350,19 +277,27 @@
+@@ -350,19 +277,31 @@
optional_policy(`
cups_read_rw_config($1_mozilla_t)
cups_dbus_chat($1_mozilla_t)
@@ -4804,14 +4800,14 @@
- dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_user_bus_client_template($1,$1_mozilla,$1_mozilla_t)
+# dbus_connectto_user_bus($1,$1_mozilla_t)
-+ ')
-+
-+ optional_policy(`
-+ gnome_exec_gconf($1_mozilla_t)
-+ gnome_manage_user_gnome_config($1,$1_mozilla_t)
')
optional_policy(`
++ gnome_exec_gconf($1_mozilla_t)
++ gnome_manage_user_gnome_config($1,$1_mozilla_t)
++ ')
++
++ optional_policy(`
+ gnome_domtrans_user_gconf($1,$1_mozilla_t)
gnome_stream_connect_gconf_template($1,$1_mozilla_t)
')
@@ -4819,10 +4815,14 @@
optional_policy(`
- java_domtrans_user_javaplugin($1, $1_mozilla_t)
+ java_plugin_per_role_template($1, $1_mozilla_t, $1_r)
++ ')
++
++ optional_policy(`
++ openoffice_plugin_per_role_template($1, $1_mozilla_t, $1_r)
')
optional_policy(`
-@@ -370,37 +305,18 @@
+@@ -370,37 +309,18 @@
')
optional_policy(`
@@ -4863,7 +4863,7 @@
')
########################################
-@@ -430,11 +346,11 @@
+@@ -430,11 +350,11 @@
#
template(`mozilla_read_user_home_files',`
gen_require(`
@@ -4878,7 +4878,7 @@
')
########################################
-@@ -464,11 +380,10 @@
+@@ -464,11 +384,10 @@
#
template(`mozilla_write_user_home_files',`
gen_require(`
@@ -4892,7 +4892,7 @@
')
########################################
-@@ -573,3 +488,27 @@
+@@ -573,3 +492,27 @@
allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
')
@@ -5598,6 +5598,247 @@
+
+allow nsplugin_t user_home_t:dir { write read };
+allow nsplugin_t user_home_t:file write;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.3.1/policy/modules/apps/openoffice.fc
+--- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/openoffice.fc 2008-03-13 18:18:07.000000000 -0400
+@@ -0,0 +1,3 @@
++/usr/lib/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
++/usr/lib64/openoffice\.org.*/program/.+\.bin -- gen_context(system_u:object_r:openoffice_exec_t,s0)
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.3.1/policy/modules/apps/openoffice.if
+--- nsaserefpolicy/policy/modules/apps/openoffice.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/openoffice.if 2008-03-13 18:21:30.000000000 -0400
+@@ -0,0 +1,212 @@
++## <summary>Openoffice</summary>
++
++#######################################
++## <summary>
++## The per role template for the openoffice module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for openoffice plugins that are executed by a browser.
++## </p>
++## <p>
++## This template is invoked automatically for each user, and
++## generally does not need to be invoked directly
++## by policy writers.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++#
++template(`openoffice_plugin_per_role_template',`
++ gen_require(`
++ type openoffice_exec_t;
++ ')
++
++ ########################################
++ #
++ # Declarations
++ #
++
++ type $1_openofficeplugin_t;
++ application_domain($1_openofficeplugin_t,openoffice_exec_t)
++ role $3 types $1_openofficeplugin_t;
++
++ type $1_openofficeplugin_tmp_t;
++ files_tmp_file($1_openofficeplugin_tmp_t)
++
++ type $1_openofficeplugin_tmpfs_t;
++ files_tmpfs_file($1_openofficeplugin_tmpfs_t)
++
++ ########################################
++ #
++ # Local policy
++ #
++
++ allow $1_openofficeplugin_t self:process { execmem execstack signal_perms getsched ptrace setsched };
++ allow $1_openofficeplugin_t self:fifo_file rw_fifo_file_perms;
++ allow $1_openofficeplugin_t self:tcp_socket create_stream_socket_perms;
++ allow $1_openofficeplugin_t self:udp_socket create_socket_perms;
++
++ allow $1_openofficeplugin_t $1_t:process signull;
++ allow $1_openofficeplugin_t $1_t:unix_stream_socket connectto;
++ allow $1_t $1_openofficeplugin_t:unix_stream_socket connectto;
++ allow $1_openofficeplugin_t $2:unix_stream_socket connectto;
++ allow $1_openofficeplugin_t $2:tcp_socket { read write };
++
++ manage_dirs_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t)
++ manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,$1_openofficeplugin_tmp_t)
++ files_tmp_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmp_t,{ file dir })
++ allow $1_openofficeplugin_t $1_openofficeplugin_tmp_t:file execute;
++
++ manage_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ manage_lnk_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ manage_fifo_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ manage_sock_files_pattern($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,$1_openofficeplugin_tmpfs_t)
++ fs_tmpfs_filetrans($1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t,{ file lnk_file sock_file fifo_file })
++
++ can_exec($1_openofficeplugin_t, openoffice_exec_t)
++
++ domtrans_pattern($2, openoffice_exec_t, $1_openofficeplugin_t)
++ # Unrestricted inheritance from the caller.
++ allow $2 $1_openofficeplugin_t:process { noatsecure siginh rlimitinh };
++ allow $1_openofficeplugin_t $2:process signull;
++
++ kernel_read_all_sysctls($1_openofficeplugin_t)
++ kernel_search_vm_sysctl($1_openofficeplugin_t)
++ kernel_read_network_state($1_openofficeplugin_t)
++ kernel_read_system_state($1_openofficeplugin_t)
++
++ # Search bin directory under openofficeplugin for openofficeplugin executable
++ corecmd_exec_bin($1_openofficeplugin_t)
++
++ corenet_all_recvfrom_unlabeled($1_openofficeplugin_t)
++ corenet_all_recvfrom_netlabel($1_openofficeplugin_t)
++ corenet_tcp_sendrecv_generic_if($1_openofficeplugin_t)
++ corenet_udp_sendrecv_generic_if($1_openofficeplugin_t)
++ corenet_tcp_sendrecv_all_nodes($1_openofficeplugin_t)
++ corenet_udp_sendrecv_all_nodes($1_openofficeplugin_t)
++ corenet_tcp_sendrecv_all_ports($1_openofficeplugin_t)
++ corenet_udp_sendrecv_all_ports($1_openofficeplugin_t)
++ corenet_tcp_connect_all_ports($1_openofficeplugin_t)
++ corenet_sendrecv_all_client_packets($1_openofficeplugin_t)
++
++ dev_list_sysfs($1_openofficeplugin_t)
++ dev_read_sound($1_openofficeplugin_t)
++ dev_write_sound($1_openofficeplugin_t)
++ dev_read_urand($1_openofficeplugin_t)
++ dev_read_rand($1_openofficeplugin_t)
++ dev_write_rand($1_openofficeplugin_t)
++
++ files_read_etc_files($1_openofficeplugin_t)
++ files_read_usr_files($1_openofficeplugin_t)
++ files_search_home($1_openofficeplugin_t)
++ files_search_var_lib($1_openofficeplugin_t)
++ files_read_etc_runtime_files($1_openofficeplugin_t)
++ # Read global fonts and font config
++ files_read_etc_files($1_openofficeplugin_t)
++
++ fs_getattr_xattr_fs($1_openofficeplugin_t)
++ fs_dontaudit_rw_tmpfs_files($1_openofficeplugin_t)
++ fs_getattr_tmpfs($1_openofficeplugin_t)
++
++ auth_use_nsswitch($1_openofficeplugin_t)
++
++ libs_use_ld_so($1_openofficeplugin_t)
++ libs_use_shared_libs($1_openofficeplugin_t)
++
++ logging_send_syslog_msg($1_openofficeplugin_t)
++
++ miscfiles_read_localization($1_openofficeplugin_t)
++ # Read global fonts and font config
++ miscfiles_read_fonts($1_openofficeplugin_t)
++
++ userdom_manage_unpriv_users_home_content_files($1_openofficeplugin_t)
++ userdom_dontaudit_use_user_terminals($1,$1_openofficeplugin_t)
++ userdom_dontaudit_setattr_user_home_content_files($1,$1_openofficeplugin_t)
++ userdom_exec_user_home_content_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_tmp_dirs($1,$1_openofficeplugin_t)
++ userdom_manage_user_tmp_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_tmp_sockets($1,$1_openofficeplugin_t)
++ userdom_read_user_tmpfs_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_dirs($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_files($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_symlinks($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_pipes($1,$1_openofficeplugin_t)
++ userdom_manage_user_home_content_sockets($1,$1_openofficeplugin_t)
++ userdom_user_home_dir_filetrans_user_home_content($1,$1_openofficeplugin_t,{ file lnk_file sock_file fifo_file })
++
++ optional_policy(`
++ xserver_user_x_domain_template($1,$1_openofficeplugin,$1_openofficeplugin_t,$1_openofficeplugin_tmpfs_t)
++ ')
++
++')
++
++#######################################
++## <summary>
++## The per role template for the openoffice module.
++## </summary>
++## <desc>
++## <p>
++## This template creates a derived domains which are used
++## for openoffice applications.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="user_domain">
++## <summary>
++## The type of the user domain.
++## </summary>
++## </param>
++## <param name="user_role">
++## <summary>
++## The role associated with the user domain.
++## </summary>
++## </param>
++#
++template(`openoffice_per_role_template',`
++ gen_require(`
++ type openoffice_exec_t;
++ ')
++
++ type $1_openoffice_t;
++ domain_type($1_openoffice_t)
++ domain_entry_file($1_openoffice_t,openoffice_exec_t)
++ role $3 types $1_openoffice_t;
++
++ domain_interactive_fd($1_openoffice_t)
++
++ userdom_unpriv_usertype($1, $1_openoffice_t)
++ userdom_exec_user_home_content_files($1,$1_openoffice_t)
++
++ allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };
++
++ allow $2 $1_openoffice_t:process { getattr ptrace signal_perms noatsecure siginh rlimitinh };
++ allow $1_openoffice_t $2:tcp_socket { read write };
++
++ domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
++
++ dev_read_urand($1_openoffice_t)
++ dev_read_rand($1_openoffice_t)
++
++ fs_dontaudit_rw_tmpfs_files($1_openoffice_t)
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.te serefpolicy-3.3.1/policy/modules/apps/openoffice.te
+--- nsaserefpolicy/policy/modules/apps/openoffice.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/openoffice.te 2008-03-13 18:14:49.000000000 -0400
+@@ -0,0 +1,14 @@
++
++policy_module(openoffice,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type openoffice_t;
++type openoffice_exec_t;
++application_domain(openoffice_t,openoffice_exec_t)
++
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.3.1/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2007-10-12 08:56:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/apps/screen.fc 2008-02-26 08:29:22.000000000 -0500
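Review bot: `openoffice_plugin_per_role_template` grants the plugin domain far more than the caller passed as `$2` (the mozilla.if change in this commit passes `$1_mozilla_t`) should be able to reach: `execmem execstack` on itself, `file execute` on its own writable `$1_openofficeplugin_tmp_t`, `corenet_tcp_connect_all_ports`, `userdom_exec_user_home_content_files`, and `userdom_manage_unpriv_users_home_content_files`, which by its name is not scoped to `$1` the way the per-role `userdom_manage_user_home_content_*` calls below it are. The transition also allows `noatsecure siginh rlimitinh`, so the calling domain's environment, signal state and limits carry into the new domain, which makes the transition a step up in privilege for a confined browser (the changelog names xguest). I would drop the `unpriv_users` line and the tmp `execute` rule, and either put `execstack` and the all-ports connect behind a tunable or justify each in a comment. The block also has leftovers that look copied from another plugin template: `files_read_etc_files` appears twice, the second time under a "Read global fonts and font config" comment, and the comment above `corecmd_exec_bin` says "Search" while the call grants execute. In openoffice.te, `openoffice_t` is declared as an application domain, but nothing visible in this hunk transitions into it or gives it rules; the templates create `$1_openoffice_t` and `$1_openofficeplugin_t` instead.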
@@ -11186,7 +11427,7 @@
-') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.3.1/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-11-16 15:30:49.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/cups.fc 2008-03-13 17:46:00.000000000 -0400
@@ -8,24 +8,28 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -11230,7 +11471,7 @@
/var/cache/alchemist/printconf.* gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/var/cache/foomatic(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
-@@ -50,3 +54,10 @@
+@@ -50,3 +54,12 @@
/var/run/hp.*\.port -- gen_context(system_u:object_r:hplip_var_run_t,s0)
/var/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
@@ -11241,9 +11482,11 @@
+/etc/rc.d/init.d/cups -- gen_context(system_u:object_r:cups_script_exec_t,s0)
+
+/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
++
++/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.3.1/policy/modules/services/cups.if
--- nsaserefpolicy/policy/modules/services/cups.if 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.if 2008-03-10 12:18:38.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.if 2008-03-13 17:47:08.000000000 -0400
@@ -20,6 +20,30 @@
########################################
@@ -11406,7 +11649,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.3.1/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-03-10 12:08:24.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.te 2008-03-13 17:48:08.000000000 -0400
@@ -43,14 +43,13 @@
type cupsd_var_run_t;
@@ -11425,13 +11668,23 @@
type hplip_var_run_t;
files_pid_file(hplip_var_run_t)
-@@ -65,12 +64,17 @@
+@@ -65,12 +64,27 @@
type ptal_var_run_t;
files_pid_file(ptal_var_run_t)
+type cups_script_exec_t;
+init_script_type(cups_script_exec_t)
+
++type cups_pdf_t;
++type cups_pdf_exec_t;
++domain_type(cups_pdf_t)
++domain_entry_file(cups_pdf_t, cups_pdf_exec_t)
++cups_backend(cups_pdf_t, cups_pdf_exec_t)
++role system_r types cups_pdf_t;
++
++type cups_pdf_tmp_t;
++files_tmp_file(cups_pdf_tmp_t)
++
ifdef(`enable_mcs',`
init_ranged_daemon_domain(cupsd_t,cupsd_exec_t,s0 - mcs_systemhigh)
')
@@ -11443,7 +11696,7 @@
')
########################################
-@@ -79,13 +83,14 @@
+@@ -79,13 +93,14 @@
#
# /usr/lib/cups/backend/serial needs sys_admin(?!)
@@ -11461,7 +11714,7 @@
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -104,7 +109,7 @@
+@@ -104,7 +119,7 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
@@ -11470,7 +11723,7 @@
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
-@@ -116,13 +121,19 @@
+@@ -116,13 +131,19 @@
manage_fifo_files_pattern(cupsd_t,cupsd_tmp_t,cupsd_tmp_t)
files_tmp_filetrans(cupsd_t, cupsd_tmp_t, { file dir fifo_file })
@@ -11492,7 +11745,7 @@
allow cupsd_t hplip_var_run_t:file { read getattr };
stream_connect_pattern(cupsd_t,ptal_var_run_t,ptal_var_run_t,ptal_t)
-@@ -149,32 +160,35 @@
+@@ -149,32 +170,35 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
corenet_tcp_connect_all_ports(cupsd_t)
@@ -11532,7 +11785,7 @@
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
corecmd_exec_shell(cupsd_t)
corecmd_exec_bin(cupsd_t)
-@@ -186,7 +200,7 @@
+@@ -186,7 +210,7 @@
# read python modules
files_read_usr_files(cupsd_t)
# for /var/lib/defoma
@@ -11541,7 +11794,7 @@
files_list_world_readable(cupsd_t)
files_read_world_readable_files(cupsd_t)
files_read_world_readable_symlinks(cupsd_t)
-@@ -195,15 +209,15 @@
+@@ -195,15 +219,15 @@
files_read_var_symlinks(cupsd_t)
# for /etc/printcap
files_dontaudit_write_etc_files(cupsd_t)
@@ -11561,7 +11814,7 @@
auth_use_nsswitch(cupsd_t)
libs_use_ld_so(cupsd_t)
-@@ -219,17 +233,22 @@
+@@ -219,17 +243,22 @@
miscfiles_read_fonts(cupsd_t)
seutil_read_config(cupsd_t)
@@ -11586,7 +11839,7 @@
')
optional_policy(`
-@@ -242,12 +261,21 @@
+@@ -242,12 +271,21 @@
optional_policy(`
dbus_system_bus_client_template(cupsd,cupsd_t)
@@ -11608,7 +11861,7 @@
')
optional_policy(`
-@@ -263,6 +291,10 @@
+@@ -263,6 +301,10 @@
')
optional_policy(`
@@ -11619,7 +11872,7 @@
# cups execs smbtool which reads samba_etc_t files
samba_read_config(cupsd_t)
samba_rw_var_files(cupsd_t)
-@@ -326,6 +358,7 @@
+@@ -326,6 +368,7 @@
dev_read_sysfs(cupsd_config_t)
dev_read_urand(cupsd_config_t)
dev_read_rand(cupsd_config_t)
@@ -11627,7 +11880,7 @@
fs_getattr_all_fs(cupsd_config_t)
fs_search_auto_mountpoints(cupsd_config_t)
-@@ -353,6 +386,7 @@
+@@ -353,6 +396,7 @@
logging_send_syslog_msg(cupsd_config_t)
miscfiles_read_localization(cupsd_config_t)
@@ -11635,7 +11888,7 @@
seutil_dontaudit_search_config(cupsd_config_t)
-@@ -372,6 +406,10 @@
+@@ -372,6 +416,10 @@
')
optional_policy(`
@@ -11646,7 +11899,7 @@
cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
')
-@@ -387,6 +425,7 @@
+@@ -387,6 +435,7 @@
optional_policy(`
hal_domtrans(cupsd_config_t)
hal_read_tmp_files(cupsd_config_t)
@@ -11654,7 +11907,7 @@
')
optional_policy(`
-@@ -499,15 +538,10 @@
+@@ -499,15 +548,10 @@
allow hplip_t self:udp_socket create_socket_perms;
allow hplip_t self:rawip_socket create_socket_perms;
@@ -11671,7 +11924,7 @@
manage_files_pattern(hplip_t,hplip_var_run_t,hplip_var_run_t)
files_pid_filetrans(hplip_t,hplip_var_run_t,file)
-@@ -537,14 +571,14 @@
+@@ -537,14 +581,14 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -11688,7 +11941,7 @@
domain_use_interactive_fds(hplip_t)
files_read_etc_files(hplip_t)
-@@ -564,7 +598,8 @@
+@@ -564,7 +608,8 @@
userdom_dontaudit_search_sysadm_home_dirs(hplip_t)
userdom_dontaudit_search_all_users_home_content(hplip_t)
@@ -11698,6 +11951,45 @@
optional_policy(`
seutil_sigchld_newrole(hplip_t)
+@@ -645,3 +690,38 @@
+ optional_policy(`
+ udev_read_db(ptal_t)
+ ')
++
++########################################
++#
++# cups_pdf local policy
++#
++
++allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };
++
++## internal communication is often done using fifo and unix sockets.
++allow cups_pdf_t self:fifo_file rw_file_perms;
++allow cups_pdf_t self:unix_stream_socket create_stream_socket_perms;
++
++files_read_etc_files(cups_pdf_t)
++files_read_usr_files(cups_pdf_t)
++
++kernel_read_system_state(cups_pdf_t)
++
++libs_use_ld_so(cups_pdf_t)
++libs_use_shared_libs(cups_pdf_t)
++
++corecmd_exec_ls(cups_pdf_t)
++corecmd_exec_shell(cups_pdf_t)
++corecmd_exec_bin(cups_pdf_t)
++
++miscfiles_read_localization(cups_pdf_t)
++
++manage_files_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
++manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t)
++files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir })
++
++userdom_home_filetrans_generic_user_home_dir(cups_pdf_t)
++userdom_manage_generic_user_home_content_dirs(cups_pdf_t)
++userdom_manage_generic_user_home_content_files(cups_pdf_t)
++
++lpd_manage_spool(cups_pdf_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.3.1/policy/modules/services/cvs.if
--- nsaserefpolicy/policy/modules/services/cvs.if 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-3.3.1/policy/modules/services/cvs.if 2008-02-26 08:29:22.000000000 -0500
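Review bot: `allow cups_pdf_t self:capability { chown fsetid setuid setgid dac_override };` gives the backend `dac_override` on top of `setuid`/`setgid`, in a domain that may also run a shell and any bin program (`corecmd_exec_shell`, `corecmd_exec_bin`) and manage generic user home content and the print spool. If cups-pdf switches to the job owner before writing its output, which is presumably what `setuid`/`setgid` are for, `dac_override` should not be needed; I would drop it, or add a comment naming the access that fails without it. Minor consistency point: the self fifo rule uses `rw_file_perms`, whereas openoffice.if, added in this same commit, uses `rw_fifo_file_perms` for the `fifo_file` class.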
@@ -29350,7 +29642,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-04 16:05:25.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te 2008-03-13 20:23:44.000000000 -0400
@@ -6,35 +6,67 @@
# Declarations
#
@@ -29534,23 +29826,13 @@
oddjob_domtrans_mkhomedir(unconfined_t)
')
-@@ -154,38 +199,37 @@
+@@ -154,62 +199,76 @@
')
optional_policy(`
- postfix_run_map(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t)
--')
--
--
--optional_policy(`
-- pyzor_per_role_template(unconfined)
--')
--
--optional_policy(`
-- # cjp: this should probably be removed:
-- rpc_domtrans_nfsd(unconfined_t)
+ tunable_policy(`allow_unconfined_qemu_transition', `
+ qemu_runas(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ', `
@@ -29560,56 +29842,76 @@
+ qemu_unconfined_role(unconfined_r)
')
- optional_policy(`
- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++optional_policy(`
++ rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ # Allow SELinux aware applications to request rpm_script execution
+ rpm_transition_script(unconfined_t)
+ rpm_role_transition(unconfined_r)
- ')
++')
optional_policy(`
- samba_per_role_template(unconfined)
-- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- pyzor_per_role_template(unconfined)
++ samba_per_role_template(unconfined)
+ samba_run_unconfined_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_smbcontrol(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
+- # cjp: this should probably be removed:
+- rpc_domtrans_nfsd(unconfined_t)
+ sendmail_run_unconfined(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
- sysnet_dbus_chat_dhcpc(unconfined_t)
+- rpm_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ sysnet_dbus_chat_dhcpc(unconfined_t)
+ sysnet_role_transition_dhcpc(unconfined_r)
')
optional_policy(`
-@@ -205,11 +249,30 @@
+- samba_per_role_template(unconfined)
+- samba_run_net(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- samba_run_winbind_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++ tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
')
optional_policy(`
-- wine_domtrans(unconfined_t)
+- spamassassin_per_role_template(unconfined, unconfined_t, unconfined_r)
++ vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
+- sysnet_run_dhcpc(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+- sysnet_dbus_chat_dhcpc(unconfined_t)
++ webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ ')
+
+ optional_policy(`
+- tzdata_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ wine_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- usermanage_run_admin_passwd(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ java_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- vpn_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ mono_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- webalizer_run(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- wine_domtrans(unconfined_t)
+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')
@@ -29620,7 +29922,7 @@
')
########################################
-@@ -219,14 +282,34 @@
+@@ -219,14 +278,34 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
@@ -29675,7 +29977,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-12 08:26:37.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-13 18:42:23.000000000 -0400
@@ -29,9 +29,14 @@
')
@@ -30694,7 +30996,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1104,25 @@
+@@ -1091,32 +1104,29 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -30709,25 +31011,27 @@
- optional_policy(`
- consolekit_dbus_chat($1_t)
- ')
--
-- optional_policy(`
-- cups_dbus_chat($1_t)
-- ')
-- ')
+ # Broken Cover up bugzilla #345921 Should be removed when this is fixed
+ corenet_tcp_connect_soundd_port($1_t)
+ corenet_tcp_sendrecv_soundd_port($1_t)
+ corenet_tcp_sendrecv_all_if($1_t)
+ corenet_tcp_sendrecv_lo_node($1_t)
+- optional_policy(`
+- cups_dbus_chat($1_t)
+- ')
++ optional_policy(`
++ apache_per_role_template($1, $1_usertype, $1_r)
+ ')
+
optional_policy(`
- java_per_role_template($1, $1_t, $1_r)
-+ apache_per_role_template($1, $1_usertype, $1_r)
++ nsplugin_per_role_template($1, $1_usertype, $1_r)
')
optional_policy(`
- mono_per_role_template($1, $1_t, $1_r)
-+ nsplugin_per_role_template($1, $1_usertype, $1_r)
++ openoffice_per_role_template($1, $1_usertype, $1_r)
')
optional_policy(`
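Review bot: The new `openoffice_per_role_template($1, $1_usertype, $1_r)` call instantiates `$1_openoffice_t` for every role built from this template, and that domain (openoffice.if, added earlier in this commit) is a full `userdom_unpriv_usertype` with an unconditional `allow $1_openoffice_t self:process { getsched sigkill execheap execmem execstack };`. Anything labelled `openoffice_exec_t` (the `.+\.bin` pattern under `program/`) therefore runs with all three memory-execution permissions regardless of how the user domain itself is restricted; I would narrow that set to what OpenOffice demonstrably needs, or make it conditional on a tunable, and document the reason next to the rule. The enclosing template starts and ends outside this hunk, so the surrounding conditions on this `optional_policy` block are not visible here.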
@@ -30736,7 +31040,7 @@
')
')
-@@ -1127,10 +1133,10 @@
+@@ -1127,10 +1137,10 @@
## </summary>
## <desc>
## <p>
@@ -30751,7 +31055,7 @@
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1193,12 +1199,11 @@
+@@ -1193,12 +1203,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -30766,7 +31070,7 @@
')
# Run pppd in pppd_t by default for user
-@@ -1207,7 +1212,27 @@
+@@ -1207,7 +1216,27 @@
')
optional_policy(`
@@ -30795,7 +31099,7 @@
')
')
-@@ -1284,8 +1309,6 @@
+@@ -1284,8 +1313,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -30804,7 +31108,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
-@@ -1363,13 +1386,6 @@
+@@ -1363,13 +1390,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@@ -30818,7 +31122,7 @@
optional_policy(`
userhelper_exec($1_t)
')
-@@ -1422,6 +1438,7 @@
+@@ -1422,6 +1442,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -30826,7 +31130,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1787,10 +1804,14 @@
+@@ -1787,10 +1808,14 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -30842,7 +31146,7 @@
')
########################################
-@@ -1886,11 +1907,11 @@
+@@ -1886,11 +1911,11 @@
#
template(`userdom_search_user_home_dirs',`
gen_require(`
@@ -30856,7 +31160,7 @@
')
########################################
-@@ -1920,11 +1941,11 @@
+@@ -1920,11 +1945,11 @@
#
template(`userdom_list_user_home_dirs',`
gen_require(`
@@ -30870,7 +31174,7 @@
')
########################################
-@@ -1968,12 +1989,12 @@
+@@ -1968,12 +1993,12 @@
#
template(`userdom_user_home_domtrans',`
gen_require(`
@@ -30886,7 +31190,7 @@
')
########################################
-@@ -2003,10 +2024,10 @@
+@@ -2003,10 +2028,10 @@
#
template(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
@@ -30899,7 +31203,7 @@
')
########################################
-@@ -2038,11 +2059,47 @@
+@@ -2038,11 +2063,47 @@
#
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
@@ -30949,7 +31253,7 @@
')
########################################
-@@ -2074,10 +2131,10 @@
+@@ -2074,10 +2135,10 @@
#
template(`userdom_dontaudit_setattr_user_home_content_files',`
gen_require(`
@@ -30962,7 +31266,7 @@
')
########################################
-@@ -2107,11 +2164,11 @@
+@@ -2107,11 +2168,11 @@
#
template(`userdom_read_user_home_content_files',`
gen_require(`
@@ -30976,7 +31280,7 @@
')
########################################
-@@ -2141,11 +2198,11 @@
+@@ -2141,11 +2202,11 @@
#
template(`userdom_dontaudit_read_user_home_content_files',`
gen_require(`
@@ -30991,7 +31295,7 @@
')
########################################
-@@ -2175,10 +2232,14 @@
+@@ -2175,10 +2236,14 @@
#
template(`userdom_dontaudit_write_user_home_content_files',`
gen_require(`
@@ -31008,7 +31312,7 @@
')
########################################
-@@ -2208,11 +2269,11 @@
+@@ -2208,11 +2273,11 @@
#
template(`userdom_read_user_home_content_symlinks',`
gen_require(`
@@ -31022,7 +31326,7 @@
')
########################################
-@@ -2242,11 +2303,11 @@
+@@ -2242,11 +2307,11 @@
#
template(`userdom_exec_user_home_content_files',`
gen_require(`
@@ -31036,7 +31340,7 @@
')
########################################
-@@ -2276,10 +2337,10 @@
+@@ -2276,10 +2341,10 @@
#
template(`userdom_dontaudit_exec_user_home_content_files',`
gen_require(`
@@ -31049,7 +31353,7 @@
')
########################################
-@@ -2311,12 +2372,12 @@
+@@ -2311,12 +2376,12 @@
#
template(`userdom_manage_user_home_content_files',`
gen_require(`
@@ -31065,7 +31369,7 @@
')
########################################
-@@ -2348,10 +2409,10 @@
+@@ -2348,10 +2413,10 @@
#
template(`userdom_dontaudit_manage_user_home_content_dirs',`
gen_require(`
@@ -31078,7 +31382,7 @@
')
########################################
-@@ -2383,12 +2444,12 @@
+@@ -2383,12 +2448,12 @@
#
template(`userdom_manage_user_home_content_symlinks',`
gen_require(`
@@ -31094,7 +31398,7 @@
')
########################################
-@@ -2420,12 +2481,12 @@
+@@ -2420,12 +2485,12 @@
#
template(`userdom_manage_user_home_content_pipes',`
gen_require(`
@@ -31110,7 +31414,7 @@
')
########################################
-@@ -2457,12 +2518,12 @@
+@@ -2457,12 +2522,12 @@
#
template(`userdom_manage_user_home_content_sockets',`
gen_require(`
@@ -31126,7 +31430,7 @@
')
########################################
-@@ -2507,11 +2568,11 @@
+@@ -2507,11 +2572,11 @@
#
template(`userdom_user_home_dir_filetrans',`
gen_require(`
@@ -31140,7 +31444,7 @@
')
########################################
-@@ -2556,11 +2617,11 @@
+@@ -2556,11 +2621,11 @@
#
template(`userdom_user_home_content_filetrans',`
gen_require(`
@@ -31154,7 +31458,7 @@
')
########################################
-@@ -2600,11 +2661,11 @@
+@@ -2600,11 +2665,11 @@
#
template(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
@@ -31168,7 +31472,7 @@
')
########################################
-@@ -2634,11 +2695,11 @@
+@@ -2634,11 +2699,11 @@
#
template(`userdom_write_user_tmp_sockets',`
gen_require(`
@@ -31182,7 +31486,7 @@
')
########################################
-@@ -2668,11 +2729,11 @@
+@@ -2668,11 +2733,11 @@
#
template(`userdom_list_user_tmp',`
gen_require(`
@@ -31196,7 +31500,7 @@
')
########################################
-@@ -2704,10 +2765,10 @@
+@@ -2704,10 +2769,10 @@
#
template(`userdom_dontaudit_list_user_tmp',`
gen_require(`
@@ -31209,7 +31513,7 @@
')
########################################
-@@ -2739,10 +2800,10 @@
+@@ -2739,10 +2804,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_dirs',`
gen_require(`
@@ -31222,7 +31526,7 @@
')
########################################
-@@ -2772,12 +2833,12 @@
+@@ -2772,12 +2837,12 @@
#
template(`userdom_read_user_tmp_files',`
gen_require(`
@@ -31238,7 +31542,7 @@
')
########################################
-@@ -2809,10 +2870,10 @@
+@@ -2809,10 +2874,10 @@
#
template(`userdom_dontaudit_read_user_tmp_files',`
gen_require(`
@@ -31251,7 +31555,7 @@
')
########################################
-@@ -2844,10 +2905,48 @@
+@@ -2844,10 +2909,48 @@
#
template(`userdom_dontaudit_append_user_tmp_files',`
gen_require(`
@@ -31302,7 +31606,7 @@
')
########################################
-@@ -2877,12 +2976,12 @@
+@@ -2877,12 +2980,12 @@
#
template(`userdom_rw_user_tmp_files',`
gen_require(`
@@ -31318,7 +31622,7 @@
')
########################################
-@@ -2914,10 +3013,10 @@
+@@ -2914,10 +3017,10 @@
#
template(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
@@ -31331,7 +31635,7 @@
')
########################################
-@@ -2949,12 +3048,12 @@
+@@ -2949,12 +3052,12 @@
#
template(`userdom_read_user_tmp_symlinks',`
gen_require(`
@@ -31347,7 +31651,7 @@
')
########################################
-@@ -2986,11 +3085,11 @@
+@@ -2986,11 +3089,11 @@
#
template(`userdom_manage_user_tmp_dirs',`
gen_require(`
@@ -31361,7 +31665,7 @@
')
########################################
-@@ -3022,11 +3121,11 @@
+@@ -3022,11 +3125,11 @@
#
template(`userdom_manage_user_tmp_files',`
gen_require(`
@@ -31375,7 +31679,7 @@
')
########################################
-@@ -3058,11 +3157,11 @@
+@@ -3058,11 +3161,11 @@
#
template(`userdom_manage_user_tmp_symlinks',`
gen_require(`
@@ -31389,7 +31693,7 @@
')
########################################
-@@ -3094,11 +3193,11 @@
+@@ -3094,11 +3197,11 @@
#
template(`userdom_manage_user_tmp_pipes',`
gen_require(`
@@ -31403,7 +31707,7 @@
')
########################################
-@@ -3130,11 +3229,11 @@
+@@ -3130,11 +3233,11 @@
#
template(`userdom_manage_user_tmp_sockets',`
gen_require(`
@@ -31417,7 +31721,7 @@
')
########################################
-@@ -3179,10 +3278,10 @@
+@@ -3179,10 +3282,10 @@
#
template(`userdom_user_tmp_filetrans',`
gen_require(`
@@ -31430,7 +31734,7 @@
files_search_tmp($2)
')
-@@ -3223,10 +3322,10 @@
+@@ -3223,10 +3326,10 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -31443,7 +31747,7 @@
')
########################################
-@@ -3254,6 +3353,42 @@
+@@ -3254,6 +3357,42 @@
## </summary>
## </param>
#
@@ -31486,7 +31790,7 @@
template(`userdom_rw_user_tmpfs_files',`
gen_require(`
type $1_tmpfs_t;
-@@ -4231,11 +4366,11 @@
+@@ -4231,11 +4370,11 @@
#
interface(`userdom_search_staff_home_dirs',`
gen_require(`
@@ -31500,7 +31804,7 @@
')
########################################
-@@ -4251,10 +4386,10 @@
+@@ -4251,10 +4390,10 @@
#
interface(`userdom_dontaudit_search_staff_home_dirs',`
gen_require(`
@@ -31513,7 +31817,7 @@
')
########################################
-@@ -4270,11 +4405,11 @@
+@@ -4270,11 +4409,11 @@
#
interface(`userdom_manage_staff_home_dirs',`
gen_require(`
@@ -31527,7 +31831,7 @@
')
########################################
-@@ -4289,16 +4424,16 @@
+@@ -4289,16 +4428,16 @@
#
interface(`userdom_relabelto_staff_home_dirs',`
gen_require(`
@@ -31547,7 +31851,7 @@
## users home directory.
## </summary>
## <param name="domain">
-@@ -4307,12 +4442,27 @@
+@@ -4307,12 +4446,27 @@
## </summary>
## </param>
#
@@ -31578,7 +31882,7 @@
')
########################################
-@@ -4327,13 +4477,13 @@
+@@ -4327,13 +4481,13 @@
#
interface(`userdom_read_staff_home_content_files',`
gen_require(`
@@ -31596,7 +31900,7 @@
')
########################################
-@@ -4531,10 +4681,10 @@
+@@ -4531,10 +4685,10 @@
#
interface(`userdom_getattr_sysadm_home_dirs',`
gen_require(`
@@ -31609,7 +31913,7 @@
')
########################################
-@@ -4551,10 +4701,10 @@
+@@ -4551,10 +4705,10 @@
#
interface(`userdom_dontaudit_getattr_sysadm_home_dirs',`
gen_require(`
@@ -31622,7 +31926,7 @@
')
########################################
-@@ -4569,10 +4719,10 @@
+@@ -4569,10 +4723,10 @@
#
interface(`userdom_search_sysadm_home_dirs',`
gen_require(`
@@ -31635,7 +31939,7 @@
')
########################################
-@@ -4588,10 +4738,10 @@
+@@ -4588,10 +4742,10 @@
#
interface(`userdom_dontaudit_search_sysadm_home_dirs',`
gen_require(`
@@ -31648,7 +31952,7 @@
')
########################################
-@@ -4606,10 +4756,10 @@
+@@ -4606,10 +4760,10 @@
#
interface(`userdom_list_sysadm_home_dirs',`
gen_require(`
@@ -31661,7 +31965,7 @@
')
########################################
-@@ -4625,10 +4775,10 @@
+@@ -4625,10 +4779,10 @@
#
interface(`userdom_dontaudit_list_sysadm_home_dirs',`
gen_require(`
@@ -31674,7 +31978,7 @@
')
########################################
-@@ -4644,12 +4794,11 @@
+@@ -4644,12 +4798,11 @@
#
interface(`userdom_dontaudit_read_sysadm_home_content_files',`
gen_require(`
@@ -31690,7 +31994,7 @@
')
########################################
-@@ -4676,10 +4825,10 @@
+@@ -4676,10 +4829,10 @@
#
interface(`userdom_sysadm_home_dir_filetrans',`
gen_require(`
@@ -31703,7 +32007,7 @@
')
########################################
-@@ -4694,10 +4843,10 @@
+@@ -4694,10 +4847,10 @@
#
interface(`userdom_search_sysadm_home_content_dirs',`
gen_require(`
@@ -31716,7 +32020,7 @@
')
########################################
-@@ -4712,13 +4861,13 @@
+@@ -4712,13 +4865,13 @@
#
interface(`userdom_read_sysadm_home_content_files',`
gen_require(`
@@ -31734,7 +32038,7 @@
')
########################################
-@@ -4754,11 +4903,49 @@
+@@ -4754,11 +4907,49 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -31785,7 +32089,7 @@
')
########################################
-@@ -4778,6 +4965,14 @@
+@@ -4778,6 +4969,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -31800,7 +32104,7 @@
')
########################################
-@@ -4839,6 +5034,26 @@
+@@ -4839,6 +5038,26 @@
########################################
## <summary>
@@ -31827,7 +32131,7 @@
## Create, read, write, and delete all directories
## in all users home directories.
## </summary>
-@@ -4859,6 +5074,25 @@
+@@ -4859,6 +5078,25 @@
########################################
## <summary>
@@ -31853,7 +32157,7 @@
## Create, read, write, and delete all files
## in all users home directories.
## </summary>
-@@ -4879,6 +5113,26 @@
+@@ -4879,6 +5117,26 @@
########################################
## <summary>
@@ -31880,7 +32184,7 @@
## Create, read, write, and delete all symlinks
## in all users home directories.
## </summary>
-@@ -5115,7 +5369,7 @@
+@@ -5115,7 +5373,7 @@
#
interface(`userdom_relabelto_generic_user_home_dirs',`
gen_require(`
@@ -31889,7 +32193,7 @@
')
files_search_home($1)
-@@ -5304,6 +5558,50 @@
+@@ -5304,6 +5562,50 @@
########################################
## <summary>
@@ -31940,7 +32244,7 @@
## Create, read, write, and delete directories in
## unprivileged users home directories.
## </summary>
-@@ -5509,6 +5807,42 @@
+@@ -5509,6 +5811,42 @@
########################################
## <summary>
@@ -31983,7 +32287,7 @@
## Read and write unprivileged user ttys.
## </summary>
## <param name="domain">
-@@ -5674,6 +6008,42 @@
+@@ -5674,6 +6012,42 @@
########################################
## <summary>
@@ -32026,7 +32330,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5704,3 +6074,370 @@
+@@ -5704,3 +6078,370 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.632
retrieving revision 1.633
diff -u -r1.632 -r1.633
--- selinux-policy.spec 13 Mar 2008 12:58:25 -0000 1.632
+++ selinux-policy.spec 14 Mar 2008 00:25:00 -0000 1.633
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 17%{?dist}
+Release: 18%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -388,6 +388,10 @@
%endif
%changelog
+* Thu Mar 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-18
+- Add cups_pdf policy
+- Add openoffice policy to run in xguest
+
* Thu Mar 13 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-17
- prewika needs to contact mysql
- Allow syslog to read system_map files