rpms/selinux-policy/devel policy-20071130.patch,1.105,1.106

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Mar 17 21:41:02 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31661

Modified Files:
	policy-20071130.patch 
Log Message:
* Fri Mar 14 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-20
- Fix bug in mozilla policy to allow xguest transition
- This will fix the 


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.105
retrieving revision 1.106
diff -u -r1.105 -r1.106
--- policy-20071130.patch	14 Mar 2008 21:13:24 -0000	1.105
+++ policy-20071130.patch	17 Mar 2008 21:40:53 -0000	1.106
@@ -1486,7 +1486,7 @@
 +/var/log/kismet(/.*)?			gen_context(system_u:object_r:kismet_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.3.1/policy/modules/admin/kismet.if
 --- nsaserefpolicy/policy/modules/admin/kismet.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.if	2008-03-17 15:26:30.000000000 -0400
 @@ -0,0 +1,275 @@
 +
 +## <summary>policy for kismet</summary>
@@ -1721,7 +1721,7 @@
 +
 +	kismet_domtrans($1)
 +	role $2 types kismet_t;
-+	dontaudit kismet_t $3:chr_file rw_term_perms;
++	allow kismet_t $3:chr_file rw_term_perms;
 +')
 +
 +
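Review bot: The changed rule `allow kismet_t $3:chr_file rw_term_perms;` now grants kismet_t read and write on the caller's terminal, where the previous revision only silenced the denial, and nothing on the visible lines says why. kismet handles captured wireless traffic, so it is worth confirming that it needs to read from the terminal at all; if it only prints status, a narrower write-only permission set would be enough. A one-line comment above the rule, e.g. `# interactive kismet UI runs on the caller's terminal` (confirm that is the reason), would record the intent. The enclosing interface begins outside this hunk.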
@@ -4405,7 +4405,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-3.3.1/policy/modules/apps/mono.te
 --- nsaserefpolicy/policy/modules/apps/mono.te	2007-12-19 05:32:09.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/mono.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/apps/mono.te	2008-03-17 17:40:05.000000000 -0400
 @@ -15,7 +15,7 @@
  # Local policy
  #
@@ -7247,7 +7247,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-03-04 17:23:42.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-03-17 11:22:13.000000000 -0400
 @@ -1266,6 +1266,24 @@
  
  ########################################
@@ -7425,7 +7425,7 @@
  # etc_runtime_t is the type of various
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.3.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-10-24 15:00:24.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-03-06 10:50:35.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.if	2008-03-17 09:11:52.000000000 -0400
 @@ -310,6 +310,25 @@
  
  ########################################
@@ -7655,7 +7655,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.3.1/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-12-19 05:32:07.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te	2008-03-17 11:03:50.000000000 -0400
 @@ -25,6 +25,8 @@
  fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
  fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
@@ -7685,6 +7685,16 @@
  
  #
  # iso9660_t is the type for CD filesystems
+@@ -231,6 +239,9 @@
+ genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
+ genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
++genfscon lustre / gen_context(system_u:object_r:nfs_t,s0)
++genfscon panfs / gen_context(system_u:object_r:nfs_t,s0)
++
+ 
+ ########################################
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-10-29 18:02:31.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if	2008-02-27 16:58:04.000000000 -0500
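Review bot: The added `genfscon lustre` and `genfscon panfs` lines label everything on those filesystems `nfs_t`, so every rule and boolean written for NFS mounts silently applies to them as well, and the hunk carries no comment saying this is intended. A short comment above the two lines, e.g. `# cluster filesystems without per-file labels, treated like NFS` (confirm that is the actual reason), would make the choice reviewable. The extra blank line added after the entries leaves two empty lines before the section banner and can be dropped.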
@@ -8743,7 +8753,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-03-11 19:28:21.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-03-17 11:11:53.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -10346,7 +10356,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.3.1/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/bluetooth.te	2008-03-17 08:41:36.000000000 -0400
 @@ -32,19 +32,22 @@
  type bluetooth_var_run_t;
  files_pid_file(bluetooth_var_run_t)
@@ -10372,7 +10382,15 @@
  allow bluetooth_t self:tcp_socket create_stream_socket_perms;
  allow bluetooth_t self:udp_socket create_socket_perms;
  
-@@ -110,6 +113,8 @@
+@@ -92,6 +95,7 @@
+ dev_rw_usbfs(bluetooth_t)
+ dev_rw_generic_usb_dev(bluetooth_t)
+ dev_read_urand(bluetooth_t)
++dev_rw_input_dev(bluetooth_t)
+ 
+ fs_getattr_all_fs(bluetooth_t)
+ fs_search_auto_mountpoints(bluetooth_t)
+@@ -110,6 +114,8 @@
  files_read_etc_runtime_files(bluetooth_t)
  files_read_usr_files(bluetooth_t)
  
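Review bot: `dev_rw_input_dev(bluetooth_t)` in the `@@ -92,6 +95,7 @@` block gives the Bluetooth daemon read and write access to the input devices, which judging by the interface name is not limited to Bluetooth-backed ones and would include the local keyboard. bluetooth_t handles data from nearby radio peers, so read access to local input events should be justified explicitly. If the goal is only to feed events from Bluetooth HID devices into the input layer, say so in a comment such as `# bluetooth HID support injects events into the input layer` (confirm) and check whether write access alone is sufficient.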
@@ -10381,7 +10399,7 @@
  libs_use_ld_so(bluetooth_t)
  libs_use_shared_libs(bluetooth_t)
  
-@@ -118,19 +123,18 @@
+@@ -118,19 +124,18 @@
  miscfiles_read_localization(bluetooth_t)
  miscfiles_read_fonts(bluetooth_t)
  
@@ -10533,14 +10551,33 @@
 +/etc/rc.d/init.d/clamd-wrapper	--	gen_context(system_u:object_r:clamd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.3.1/policy/modules/services/clamav.if
 --- nsaserefpolicy/policy/modules/services/clamav.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/clamav.if	2008-02-26 08:29:22.000000000 -0500
-@@ -91,3 +91,97 @@
++++ serefpolicy-3.3.1/policy/modules/services/clamav.if	2008-03-17 09:22:39.000000000 -0400
+@@ -91,3 +91,116 @@
  
  	domtrans_pattern($1,clamscan_exec_t,clamscan_t)
  ')
 +
 +########################################
 +## <summary>
++##	Execute clamscan without a transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`clamav_exec_clamscan',`
++	gen_require(`
++		type clamscan_exec_t;
++	')
++
++	can_exec($1,clamscan_exec_t)
++
++')
++
++########################################
++## <summary>
 +##	Execute clamav server in the clamav domain.
 +## </summary>
 +## <param name="domain">
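Review bot: The new `clamav_exec_clamscan` interface uses `can_exec($1,clamscan_exec_t)`, so clamscan runs in the caller's domain rather than in `clamscan_t`; the only caller added in this revision is `postfix_local_t`, in the postfix.te block `@@ -280,11 +301,14 @@`. The scanner then parses mail content with postfix_local_t's permissions, and postfix_local_t must also carry every access clamscan needs. The transition interface whose `domtrans_pattern($1,clamscan_exec_t,clamscan_t)` line is visible just above would keep the scanner confined. If running without a transition is deliberate, the summary should read `Execute clamscan in the caller domain.`, and the empty line before the closing `')` can go.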
@@ -12632,7 +12669,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-02-26 14:09:20.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-03-17 09:13:14.000000000 -0400
 @@ -9,6 +9,7 @@
  #
  # Delcarations
@@ -12684,15 +12721,16 @@
  allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
  read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
  read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
-@@ -65,6 +80,7 @@
+@@ -65,6 +80,8 @@
  
  fs_getattr_all_fs(system_dbusd_t)
  fs_search_auto_mountpoints(system_dbusd_t)
 +fs_list_inotifyfs(system_dbusd_t)
++fs_dontaudit_list_nfs(system_dbusd_t)
  
  selinux_get_fs_mount(system_dbusd_t)
  selinux_validate_context(system_dbusd_t)
-@@ -81,7 +97,6 @@
+@@ -81,7 +98,6 @@
  corecmd_list_bin(system_dbusd_t)
  corecmd_read_bin_pipes(system_dbusd_t)
  corecmd_read_bin_sockets(system_dbusd_t)
@@ -12700,7 +12738,7 @@
  
  domain_use_interactive_fds(system_dbusd_t)
  
-@@ -91,6 +106,8 @@
+@@ -91,6 +107,8 @@
  
  init_use_fds(system_dbusd_t)
  init_use_script_ptys(system_dbusd_t)
@@ -12709,7 +12747,7 @@
  
  libs_use_ld_so(system_dbusd_t)
  libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +138,20 @@
+@@ -121,9 +139,20 @@
  ')
  
  optional_policy(`
@@ -14075,7 +14113,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.3.1/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-03-06 16:54:16.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/fail2ban.te	2008-03-17 09:28:06.000000000 -0400
 @@ -18,6 +18,9 @@
  type fail2ban_var_run_t;
  files_pid_file(fail2ban_var_run_t)
@@ -14086,6 +14124,15 @@
  ########################################
  #
  # fail2ban local policy
+@@ -25,7 +28,7 @@
+ 
+ allow fail2ban_t self:process signal;
+ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+-allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
++allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ 
+ # log files
+ allow fail2ban_t fail2ban_log_t:dir setattr;
 @@ -33,8 +36,9 @@
  logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
  
@@ -14097,9 +14144,11 @@
  
  kernel_read_system_state(fail2ban_t)
  
-@@ -47,14 +51,23 @@
+@@ -46,15 +50,25 @@
+ domain_use_interactive_fds(fail2ban_t)
  
  files_read_etc_files(fail2ban_t)
++files_read_etc_runtime_files(fail2ban_t)
  files_read_usr_files(fail2ban_t)
 +files_list_var(fail2ban_t)
 +files_search_var_lib(fail2ban_t)
@@ -14122,7 +14171,7 @@
  optional_policy(`
  	apache_read_log(fail2ban_t)
  ')
-@@ -64,5 +77,11 @@
+@@ -64,5 +78,11 @@
  ')
  
  optional_policy(`
@@ -15655,8 +15704,8 @@
  # Local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.fc serefpolicy-3.3.1/policy/modules/services/lpd.fc
 --- nsaserefpolicy/policy/modules/services/lpd.fc	2007-11-16 13:45:14.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/lpd.fc	2008-02-26 08:29:22.000000000 -0500
-@@ -22,6 +22,8 @@
++++ serefpolicy-3.3.1/policy/modules/services/lpd.fc	2008-03-17 09:33:24.000000000 -0400
+@@ -22,11 +22,15 @@
  /usr/sbin/lpinfo	--	gen_context(system_u:object_r:lpr_exec_t,s0)
  /usr/sbin/lpmove	--	gen_context(system_u:object_r:lpr_exec_t,s0)
  
@@ -15665,8 +15714,10 @@
  /usr/share/printconf/.* --	gen_context(system_u:object_r:printconf_t,s0)
  
  #
-@@ -30,3 +32,4 @@
+ # /var
+ #
  /var/spool/cups(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
++/var/spool/cups-pdf(/.*)?		gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
  /var/spool/lpd(/.*)?		gen_context(system_u:object_r:print_spool_t,s0)
  /var/run/lprng(/.*)?		gen_context(system_u:object_r:lpd_var_run_t,s0)
 +
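Review bot: The added `/var/spool/cups-pdf(/.*)?` entry copies `mls_systemhigh` from the `/var/spool/cups` line above it, which may be the wrong level for this directory. If cups-pdf delivers its generated files to users from there (I believe that is its default layout, please confirm), a SystemHigh label would make the output unreadable to lower-level users under the MLS policy. The neighbouring `/var/spool/lpd` entry uses `s0`. A comment stating which level is intended and why would settle it.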
@@ -16250,7 +16301,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/munin.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/munin.te	2008-03-17 11:21:36.000000000 -0400
 @@ -25,26 +25,33 @@
  type munin_var_run_t alias lrrd_var_run_t;
  files_pid_file(munin_var_run_t)
@@ -16288,22 +16339,24 @@
  
  manage_dirs_pattern(munin_t,munin_tmp_t,munin_tmp_t)
  manage_files_pattern(munin_t,munin_tmp_t,munin_tmp_t)
-@@ -62,8 +69,11 @@
+@@ -61,9 +68,11 @@
+ files_pid_filetrans(munin_t,munin_var_run_t,file)
  
  kernel_read_system_state(munin_t)
- kernel_read_kernel_sysctls(munin_t)
+-kernel_read_kernel_sysctls(munin_t)
 +kernel_read_network_state(munin_t)
-+kernel_read_sysctl(munin_t)
++kernel_read_all_sysctls(munin_t)
  
  corecmd_exec_bin(munin_t)
 +corecmd_exec_shell(munin_t)
  
  corenet_all_recvfrom_unlabeled(munin_t)
  corenet_all_recvfrom_netlabel(munin_t)
-@@ -73,11 +83,15 @@
+@@ -73,27 +82,36 @@
  corenet_udp_sendrecv_all_nodes(munin_t)
  corenet_tcp_sendrecv_all_ports(munin_t)
  corenet_udp_sendrecv_all_ports(munin_t)
++corenet_tcp_bind_munin_port(munin_t)
 +corenet_tcp_connect_munin_port(munin_t)
 +corenet_tcp_connect_http_port(munin_t)
 +corenet_tcp_bind_all_nodes(munin_t)
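Review bot: Replacing `kernel_read_kernel_sysctls(munin_t)` and `kernel_read_sysctl(munin_t)` with `kernel_read_all_sysctls(munin_t)` widens munin_t from the kernel sysctl subtree to every sysctl type. The same block lets munin_t bind TCP ports (`corenet_tcp_bind_munin_port`, `corenet_tcp_bind_all_nodes`), so it would be tighter to list only the subtrees the plugins read, e.g. keep `kernel_read_kernel_sysctls(munin_t)` and add `kernel_read_net_sysctls(munin_t)` and `kernel_read_vm_sysctls(munin_t)`. If the full set really is needed, a comment naming the plugin that requires it would help later audits.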
@@ -16316,7 +16369,9 @@
  
  files_read_etc_files(munin_t)
  files_read_etc_runtime_files(munin_t)
-@@ -86,14 +100,17 @@
+ files_read_usr_files(munin_t)
++files_list_spool(munin_t)
+ 
  fs_getattr_all_fs(munin_t)
  fs_search_auto_mountpoints(munin_t)
  
@@ -16335,7 +16390,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_sysadm_home_dirs(munin_t)
-@@ -108,7 +125,19 @@
+@@ -108,7 +126,20 @@
  ')
  
  optional_policy(`
@@ -16348,6 +16403,7 @@
 +')
 +
 +optional_policy(`
++	mysql_read_config(munin_t)
 +	mysql_stream_connect(munin_t)
 +')
 +
@@ -16356,7 +16412,7 @@
  ')
  
  optional_policy(`
-@@ -118,3 +147,9 @@
+@@ -118,3 +149,9 @@
  optional_policy(`
  	udev_read_db(munin_t)
  ')
@@ -16377,7 +16433,7 @@
 +/etc/rc\.d/init\.d/mysqld	--	gen_context(system_u:object_r:mysqld_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.3.1/policy/modules/services/mysql.if
 --- nsaserefpolicy/policy/modules/services/mysql.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mysql.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/mysql.if	2008-03-17 11:21:07.000000000 -0400
 @@ -157,3 +157,74 @@
  	logging_search_logs($1)
  	allow $1 mysqld_log_t:file { write append setattr ioctl };
@@ -17751,7 +17807,7 @@
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-03-17 17:34:40.000000000 -0400
 @@ -0,0 +1,189 @@
 +
 +## <summary>policy for polkit_auth</summary>
@@ -18292,7 +18348,7 @@
  # Local Policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.3.1/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/postfix.te	2008-03-17 09:23:03.000000000 -0400
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -18363,7 +18419,13 @@
  mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
-@@ -285,6 +306,8 @@
+@@ -280,11 +301,14 @@
+ 
+ optional_policy(`
+ 	clamav_search_lib(postfix_local_t)
++	clamav_exec_clamscan(postfix_local_t)
+ ')
+ 
  optional_policy(`
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
@@ -18372,7 +18434,7 @@
  ')
  
  optional_policy(`
-@@ -295,8 +318,7 @@
+@@ -295,8 +319,7 @@
  #
  # Postfix map local policy
  #
@@ -18382,7 +18444,7 @@
  allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
  allow postfix_map_t self:unix_dgram_socket create_socket_perms;
  allow postfix_map_t self:tcp_socket create_stream_socket_perms;
-@@ -346,8 +368,6 @@
+@@ -346,8 +369,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
@@ -18391,7 +18453,7 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -360,6 +380,11 @@
+@@ -360,6 +381,11 @@
  	locallogin_dontaudit_use_fds(postfix_map_t)
  ')
  
@@ -18403,7 +18465,7 @@
  ########################################
  #
  # Postfix pickup local policy
-@@ -392,6 +417,10 @@
+@@ -392,6 +418,10 @@
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
  optional_policy(`
@@ -18414,7 +18476,7 @@
  	procmail_domtrans(postfix_pipe_t)
  ')
  
-@@ -400,6 +429,10 @@
+@@ -400,6 +430,10 @@
  ')
  
  optional_policy(`
@@ -18425,7 +18487,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -532,9 +565,6 @@
+@@ -532,9 +566,6 @@
  # connect to master process
  stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
@@ -18435,7 +18497,7 @@
  # for prng_exch
  allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
  allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +587,10 @@
+@@ -557,6 +588,10 @@
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -18446,7 +18508,7 @@
  ########################################
  #
  # Postfix virtual local policy
-@@ -584,3 +618,4 @@
+@@ -584,3 +619,4 @@
  # For reading spamassasin
  mta_read_config(postfix_virtual_t)
  mta_manage_spool(postfix_virtual_t)
@@ -23068,7 +23130,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.3.1/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/squid.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/squid.te	2008-03-17 14:58:21.000000000 -0400
 @@ -31,12 +31,15 @@
  type squid_var_run_t;
  files_pid_file(squid_var_run_t)
@@ -23111,7 +23173,15 @@
  
  selinux_dontaudit_getattr_dir(squid_t)
  
-@@ -148,11 +155,7 @@
+@@ -128,6 +135,7 @@
+ files_getattr_home_dir(squid_t)
+ 
+ auth_use_nsswitch(squid_t)
++auth_domtrans_chkpwd(squid_t)
+ 
+ libs_use_ld_so(squid_t)
+ libs_use_shared_libs(squid_t)
+@@ -148,11 +156,7 @@
  ')
  
  optional_policy(`
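Review bot: `auth_domtrans_chkpwd(squid_t)` lets the proxy run the password-checking helper, so proxy authentication can verify passwords of local accounts; the line is added unconditionally and without a comment. squid_t is a network-facing domain, so this deserves at least a comment such as `# needed for squid's PAM authentication helper` (confirm that is the use case). Ideally it would sit behind a boolean, so that sites which do not authenticate the proxy against local accounts do not carry the permission.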
@@ -23124,7 +23194,7 @@
  ')
  
  optional_policy(`
-@@ -167,7 +170,12 @@
+@@ -167,7 +171,12 @@
  	udev_read_db(squid_t)
  ')
  
@@ -26131,7 +26201,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.3.1/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-02-19 17:24:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-03-11 17:52:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/authlogin.te	2008-03-17 08:59:58.000000000 -0400
 @@ -59,6 +59,9 @@
  type utempter_exec_t;
  application_domain(utempter_t,utempter_exec_t)
@@ -26152,7 +26222,17 @@
  ########################################
  #
  # PAM local policy
-@@ -122,6 +128,12 @@
+@@ -111,7 +117,8 @@
+ term_use_all_user_ttys(pam_t)
+ term_use_all_user_ptys(pam_t)
+ 
+-init_dontaudit_rw_utmp(pam_t)
++init_read_utmp(pam_t)
++init_dontaudit_write_utmp(pam_t)
+ 
+ files_read_etc_files(pam_t)
+ 
+@@ -122,6 +129,12 @@
  
  userdom_use_unpriv_users_fds(pam_t)
  
@@ -26165,7 +26245,7 @@
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(pam_t)
-@@ -282,6 +294,11 @@
+@@ -282,6 +295,11 @@
  	')
  ')
  
@@ -26177,7 +26257,7 @@
  ########################################
  #
  # updpwd local policy
-@@ -297,8 +314,10 @@
+@@ -297,8 +315,10 @@
  files_manage_etc_files(updpwd_t)
  
  term_dontaudit_use_console(updpwd_t)
@@ -26189,7 +26269,7 @@
  
  auth_manage_shadow(updpwd_t)
  auth_use_nsswitch(updpwd_t)
-@@ -359,11 +378,6 @@
+@@ -359,11 +379,6 @@
  ')
  
  optional_policy(`
@@ -28401,8 +28481,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/qemu.te serefpolicy-3.3.1/policy/modules/system/qemu.te
 --- nsaserefpolicy/policy/modules/system/qemu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/qemu.te	2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,47 @@
++++ serefpolicy-3.3.1/policy/modules/system/qemu.te	2008-03-17 17:40:17.000000000 -0400
+@@ -0,0 +1,50 @@
 +policy_module(qemu,1.0.0)
 +
 +## <desc>
@@ -28450,6 +28530,9 @@
 +allow qemu_unconfined_t self:process { execstack execmem };
 +
 +
++optional_policy(`
++	xserver_xdm_rw_shm(qemu_unconfined_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.3.1/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-12-19 05:32:17.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/system/raid.te	2008-02-26 08:29:22.000000000 -0500
@@ -33358,8 +33441,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-03-05 18:05:21.000000000 -0500
-@@ -0,0 +1,162 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-03-17 17:37:52.000000000 -0400
+@@ -0,0 +1,179 @@
 +
 +policy_module(virt,1.0.0)
 +
@@ -33443,6 +33526,7 @@
 +filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 +
 +corecmd_exec_bin(virtd_t)
++corecmd_exec_shell(virtd_t)
 +
 +corenet_all_recvfrom_unlabeled(virtd_t)
 +corenet_all_recvfrom_netlabel(virtd_t)
@@ -33457,6 +33541,7 @@
 +corenet_rw_tun_tap_dev(virtd_t)
 +
 +dev_read_sysfs(virtd_t)
++dev_read_rand(virtd_t)
 +
 +kernel_read_system_state(virtd_t)
 +kernel_read_network_state(virtd_t)
@@ -33467,7 +33552,9 @@
 +# Init script handling
 +domain_use_interactive_fds(virtd_t)
 +
++files_read_usr_files(virtd_t)
 +files_read_etc_files(virtd_t)
++files_read_usr_files(virtd_t)
 +files_read_etc_runtime_files(virtd_t)
 +files_search_all(virtd_t)
 +
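Review bot: `files_read_usr_files(virtd_t)` is added twice in this block, once before and once after `files_read_etc_files(virtd_t)`. The duplicate does not change the compiled policy, but one of the two lines should be removed. Keeping the later one matches the etc-before-usr ordering seen in the munin and fail2ban hunks of this patch.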
@@ -33478,9 +33565,10 @@
 +miscfiles_read_certs(virtd_t)
 +
 +auth_use_nsswitch(virtd_t)
-+
 +logging_send_syslog_msg(virtd_t)
 +
++userdom_read_all_users_state(virtd_t)
++
 +optional_policy(`
 +	brctl_domtrans(virtd_t)
 +')
@@ -33492,6 +33580,10 @@
 +	')
 +
 +	optional_policy(`
++		consolekit_dbus_chat(virtd_t)
++	')
++
++	optional_policy(`
 +		hal_dbus_chat(virtd_t)
 +	')
 +')
@@ -33507,6 +33599,10 @@
 +')
 +
 +optional_policy(`
++	polkit_domtrans_auth(virtd_t)
++')
++
++optional_policy(`
 +	qemu_domtrans(virtd_t)
 +	qemu_read_state(virtd_t)
 +	qemu_signal(virtd_t)
@@ -33522,6 +33618,10 @@
 +	xen_stream_connect_xenstore(virtd_t)
 +')
 +
++allow virtd_t unconfined_t:dir { getattr search };
++allow virtd_t unconfined_t:file read;
++allow virtd_t unconfined_t:process getattr;
++allow virtd_t usr_t:file read;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2007-06-21 09:32:04.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/system/xen.if	2008-02-26 08:29:22.000000000 -0500
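Review bot: The four rules added at the end of virt.te name `unconfined_t` and `usr_t` directly, although both types are owned by other modules and no `gen_require` for them is visible in this hunk. `allow virtd_t usr_t:file read;` repeats part of what `files_read_usr_files(virtd_t)` already grants, and the three `unconfined_t` rules look like process-state reads that `userdom_read_all_users_state(virtd_t)`, added earlier in this revision, may already cover. Prefer dropping the raw rules, or replacing them with an interface from the owning module inside `optional_policy`, so virt.te still builds when the unconfined module is absent. They read like pasted audit2allow output, so confirm each denial still reproduces once the interface calls are in place.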



