rpms/selinux-policy/devel policy-20071130.patch, 1.107, 1.108 selinux-policy.spec, 1.638, 1.639

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Mar 20 16:11:27 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20342

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Mar 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-22
- Allow stunnel to transition to inetd children domains
- Make unconfined_dbusd_t an unconfined domain 


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- policy-20071130.patch	18 Mar 2008 21:10:02 -0000	1.107
+++ policy-20071130.patch	20 Mar 2008 16:11:16 -0000	1.108
@@ -1961,7 +1961,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.3.1/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-12-19 05:32:18.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/prelink.te	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/admin/prelink.te	2008-03-20 11:58:33.000000000 -0400
 @@ -26,7 +26,7 @@
  # Local policy
  #
@@ -2021,15 +2021,17 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.3.1/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/rpm.fc	2008-02-26 08:29:22.000000000 -0500
-@@ -11,6 +11,7 @@
++++ serefpolicy-3.3.1/policy/modules/admin/rpm.fc	2008-03-19 15:20:22.000000000 -0400
+@@ -11,7 +11,8 @@
  
  /usr/sbin/system-install-packages --	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/yum-updatesd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
+-
 +/usr/sbin/packagekitd		--	gen_context(system_u:object_r:rpm_exec_t,s0)
- 
++/usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
+ ifdef(`distro_redhat', `
 @@ -21,6 +22,9 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
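Review bot: The new `/usr/libexec/yumDBUSBackend.py` entry leaves the dot before `py` unescaped, so the file-context regex accepts any character in that position. Other entries in this patch escape literal dots (for example `/etc/rc\.d/init\.d/httpd`). Writing it as `/usr/libexec/yumDBUSBackend\.py` keeps the `rpm_exec_t` label on exactly the intended path, which matters because this type marks the package-manager executables listed around it. The rest of rpm.fc lies outside this hunk.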
@@ -8187,7 +8189,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.3.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-23 17:17:42.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-03-05 15:44:05.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/apache.if	2008-03-20 09:37:55.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -10551,8 +10553,36 @@
 +/etc/rc.d/init.d/clamd-wrapper	--	gen_context(system_u:object_r:clamd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.if serefpolicy-3.3.1/policy/modules/services/clamav.if
 --- nsaserefpolicy/policy/modules/services/clamav.if	2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/clamav.if	2008-03-17 09:22:39.000000000 -0400
-@@ -91,3 +91,116 @@
++++ serefpolicy-3.3.1/policy/modules/services/clamav.if	2008-03-20 09:40:34.000000000 -0400
+@@ -38,6 +38,27 @@
+ 
+ ########################################
+ ## <summary>
++##	Allow the specified domain to append
++##	to clamav log files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`clamav_append_log',`
++	gen_require(`
++		type clamav_log_t;
++	')
++
++	logging_search_logs($1)
++	allow $1 clamav_log_t:dir list_dir_perms;
++	append_files_pattern($1,clamav_log_t,clamav_log_t)
++')
++
++########################################
++## <summary>
+ ##	Read clamav configuration files.
+ ## </summary>
+ ## <param name="domain">
+@@ -91,3 +112,116 @@
  
  	domtrans_pattern($1,clamscan_exec_t,clamscan_t)
  ')
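Review bot: `clamav_append_log` grants `list_dir_perms` on `clamav_log_t` directories, which is more than its summary ("append to clamav log files") describes, since callers can also enumerate the log directory. If `append_files_pattern` already supplies the directory search it needs (its definition is not visible here), the line `allow $1 clamav_log_t:dir list_dir_perms;` could be dropped. Otherwise the summary should state that directory listing is granted as well, so callers know what they are getting.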
@@ -12669,7 +12699,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
 --- nsaserefpolicy/policy/modules/services/dbus.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-03-17 09:13:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te	2008-03-19 14:48:13.000000000 -0400
 @@ -9,6 +9,7 @@
  #
  # Delcarations
@@ -12747,7 +12777,7 @@
  
  libs_use_ld_so(system_dbusd_t)
  libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +139,20 @@
+@@ -121,9 +139,26 @@
  ')
  
  optional_policy(`
@@ -12767,6 +12797,12 @@
 +	consolekit_dbus_chat(system_dbusd_t)
 +')
 +
++optional_policy(`
++	gen_require(`
++		type unconfined_dbusd_t;
++	')
++	unconfined_domain(unconfined_dbusd_t)
++')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if
 --- nsaserefpolicy/policy/modules/services/dcc.if	2007-03-26 10:39:05.000000000 -0400
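Review bot: The new optional block that calls `unconfined_domain(unconfined_dbusd_t)` carries no comment, and it requires a type that the visible parts of dbus.te do not declare. Because the call removes confinement from that domain altogether, a line such as `# unconfined_dbusd_t is declared by the unconfined module; its bus daemon is intentionally left unconfined` (wording to be confirmed by the author) would record that the grant is deliberate and where the type comes from. The surrounding dbus.te section begins outside this hunk.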
@@ -14739,7 +14775,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.3.1/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/hal.te	2008-02-27 16:57:40.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/hal.te	2008-03-20 09:19:51.000000000 -0400
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -14785,7 +14821,18 @@
  libs_use_ld_so(hald_t)
  libs_use_shared_libs(hald_t)
  libs_exec_ld_so(hald_t)
-@@ -265,6 +273,11 @@
+@@ -244,6 +252,10 @@
+ ')
+ 
+ optional_policy(`
++	gpm_dontaudit_getattr_gpmctl(hald_t)
++')
++
++optional_policy(`
+ 	hotplug_read_config(hald_t)
+ ')
+ 
+@@ -265,6 +277,11 @@
  ')
  
  optional_policy(`
@@ -14797,7 +14844,7 @@
  	rpc_search_nfs_state_data(hald_t)
  ')
  
-@@ -291,7 +304,8 @@
+@@ -291,7 +308,8 @@
  #
  
  allow hald_acl_t self:capability { dac_override fowner };
@@ -14807,7 +14854,7 @@
  
  domtrans_pattern(hald_t, hald_acl_exec_t, hald_acl_t)
  allow hald_t hald_acl_t:process signal;
-@@ -304,6 +318,7 @@
+@@ -304,6 +322,7 @@
  corecmd_exec_bin(hald_acl_t)
  
  dev_getattr_all_chr_files(hald_acl_t)
@@ -14815,7 +14862,7 @@
  dev_getattr_generic_usb_dev(hald_acl_t)
  dev_getattr_video_dev(hald_acl_t)
  dev_setattr_video_dev(hald_acl_t)
-@@ -325,6 +340,11 @@
+@@ -325,6 +344,11 @@
  
  miscfiles_read_localization(hald_acl_t)
  
@@ -14827,7 +14874,7 @@
  ########################################
  #
  # Local hald mac policy
-@@ -338,10 +358,14 @@
+@@ -338,10 +362,14 @@
  manage_files_pattern(hald_mac_t,hald_var_lib_t,hald_var_lib_t)
  files_search_var_lib(hald_mac_t)
  
@@ -14842,7 +14889,7 @@
  libs_use_ld_so(hald_mac_t)
  libs_use_shared_libs(hald_mac_t)
  
-@@ -391,3 +415,7 @@
+@@ -391,3 +419,7 @@
  libs_use_shared_libs(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
@@ -15904,6 +15951,17 @@
 +
 +type mailscanner_spool_t;
 +files_type(mailscanner_spool_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.3.1/policy/modules/services/mta.fc
+--- nsaserefpolicy/policy/modules/services/mta.fc	2006-11-16 17:15:21.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/mta.fc	2008-03-19 08:31:31.000000000 -0400
+@@ -11,6 +11,7 @@
+ /usr/lib(64)?/sendmail	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
+ /usr/sbin/rmail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
++/bin/mail		--	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail\.postfix --	gen_context(system_u:object_r:sendmail_exec_t,s0)
+ /usr/sbin/sendmail(\.sendmail)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.3.1/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-12-06 13:12:03.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/services/mta.if	2008-02-26 08:29:22.000000000 -0500
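Review bot: `/bin/mail` receives `sendmail_exec_t`, the same label as the sendmail binaries, but the entry is inserted between two `/usr/sbin` paths and has no comment. Any transition rule keyed on `sendmail_exec_t` will now apply to this client program too, which is presumably the intent. A one-line comment saying so, with the entry grouped alongside other `/bin` paths if the file has any, would make the widened entry point easier to audit. The rest of mta.fc is outside this hunk.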
@@ -16078,7 +16136,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-03-06 11:55:52.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-03-20 09:45:38.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -16096,7 +16154,7 @@
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-@@ -37,30 +40,47 @@
+@@ -37,30 +40,49 @@
  #
  
  # newalias required this, not sure if it is needed in 'if' file
@@ -16122,6 +16180,8 @@
 +
  init_use_script_ptys(system_mail_t)
  
++logging_append_all_logs(system_mail_t)
++
 +files_dontaudit_search_home(system_mail_t)
  userdom_use_sysadm_terms(system_mail_t)
  userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
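Review bot: `logging_append_all_logs(system_mail_t)` lets the mail domain append to every log file type rather than the specific logs it needs, and nothing says which program required it. A misbehaving or compromised mail helper could then write entries into unrelated logs. The later hunk at `@@ -136,11 +164,38 @@` adds the narrower `clamav_append_log(system_mail_t)`, which looks redundant if `clamav_log_t` is already covered by the all-logs grant (not visible here). Keeping only the narrow per-service interfaces would be preferable, or at least annotating the broad call with the denial that motivated it.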
@@ -16145,7 +16205,7 @@
  ')
  
  optional_policy(`
-@@ -73,6 +93,7 @@
+@@ -73,6 +95,7 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
@@ -16153,7 +16213,7 @@
  	cron_dontaudit_write_pipes(system_mail_t)
  ')
  
-@@ -81,6 +102,11 @@
+@@ -81,6 +104,11 @@
  ')
  
  optional_policy(`
@@ -16165,11 +16225,12 @@
  	logrotate_read_tmp_files(system_mail_t)
  ')
  
-@@ -136,11 +162,37 @@
+@@ -136,11 +164,38 @@
  ')
  
  optional_policy(`
 +	clamav_stream_connect(system_mail_t)
++	clamav_append_log(system_mail_t)
 +')
 +
 +optional_policy(`
@@ -16204,7 +16265,7 @@
  optional_policy(`
  	# why is mail delivered to a directory of type arpwatch_data_t?
  	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +206,4 @@
+@@ -154,3 +209,4 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
@@ -17168,13 +17229,13 @@
  corenet_tcp_connect_all_ports(ypxfr_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.3.1/policy/modules/services/nscd.fc
 --- nsaserefpolicy/policy/modules/services/nscd.fc	2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/nscd.fc	2008-02-26 08:29:22.000000000 -0500
++++ serefpolicy-3.3.1/policy/modules/services/nscd.fc	2008-03-19 17:31:12.000000000 -0400
 @@ -9,3 +9,5 @@
  /var/run/\.nscd_socket	-s	gen_context(system_u:object_r:nscd_var_run_t,s0)
  
  /var/run/nscd(/.*)?		gen_context(system_u:object_r:nscd_var_run_t,s0)
 +
-+/etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
++/etc/rc\.d/init\.d/nscd	--	gen_context(system_u:object_r:nscd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.3.1/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2007-03-26 10:39:04.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/services/nscd.if	2008-02-26 08:29:22.000000000 -0500
@@ -27503,7 +27564,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2008-02-26 08:17:43.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-03-12 15:39:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-03-19 15:31:11.000000000 -0400
 @@ -61,10 +61,24 @@
  logging_log_file(var_log_t)
  files_mountpoint(var_log_t)
@@ -27537,7 +27598,7 @@
  domain_read_all_domains_state(auditctl_t)
  domain_use_interactive_fds(auditctl_t)
  
-@@ -158,6 +173,7 @@
+@@ -158,9 +173,12 @@
  
  mls_file_read_all_levels(auditd_t)
  mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -27545,7 +27606,12 @@
  
  seutil_dontaudit_read_config(auditd_t)
  
-@@ -171,6 +187,10 @@
++sysnet_dns_name_resolve(auditd_t)
++
+ userdom_dontaudit_use_unpriv_user_fds(auditd_t)
+ userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
+ 
+@@ -171,6 +189,10 @@
  ')
  
  optional_policy(`
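Review bot: `sysnet_dns_name_resolve(auditd_t)` gives the audit daemon name-resolution access, with no comment identifying the auditd feature that performs lookups. Since `auditd_t` is a security-critical domain, each new network-facing permission should state its reason next to the rule. If only some configurations need resolution, it may be worth considering whether the call belongs behind a conditional rather than being granted unconditionally. The auditd section of logging.te extends beyond this hunk.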
@@ -27556,7 +27622,7 @@
  	seutil_sigchld_newrole(auditd_t)
  ')
  
-@@ -208,6 +228,7 @@
+@@ -208,6 +230,7 @@
  
  fs_getattr_all_fs(klogd_t)
  fs_search_auto_mountpoints(klogd_t)
@@ -27564,7 +27630,7 @@
  
  domain_use_interactive_fds(klogd_t)
  
-@@ -252,7 +273,6 @@
+@@ -252,7 +275,6 @@
  dontaudit syslogd_t self:capability sys_tty_config;
  # setpgid for metalog
  allow syslogd_t self:process { signal_perms setpgid };
@@ -27572,7 +27638,7 @@
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -262,7 +282,7 @@
+@@ -262,7 +284,7 @@
  allow syslogd_t self:tcp_socket create_stream_socket_perms;
  
  allow syslogd_t syslog_conf_t:file read_file_perms;
@@ -27581,7 +27647,7 @@
  # Create and bind to /dev/log or /var/run/log.
  allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
  files_pid_filetrans(syslogd_t,devlog_t,sock_file)
-@@ -274,6 +294,9 @@
+@@ -274,6 +296,9 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
@@ -27591,7 +27657,7 @@
  # manage temporary files
  manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
-@@ -295,6 +318,7 @@
+@@ -295,6 +320,7 @@
  kernel_read_messages(syslogd_t)
  kernel_clear_ring_buffer(syslogd_t)
  kernel_change_ring_buffer_level(syslogd_t)
@@ -27599,7 +27665,7 @@
  
  dev_filetrans(syslogd_t,devlog_t,sock_file)
  dev_read_sysfs(syslogd_t)
-@@ -327,6 +351,8 @@
+@@ -327,6 +353,8 @@
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
  corenet_tcp_connect_syslogd_port(syslogd_t)
@@ -27608,7 +27674,7 @@
  
  # syslog-ng can send or receive logs
  corenet_sendrecv_syslogd_client_packets(syslogd_t)
-@@ -339,19 +365,20 @@
+@@ -339,19 +367,20 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -27631,25 +27697,25 @@
  miscfiles_read_localization(syslogd_t)
  
  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
-@@ -380,15 +407,11 @@
+@@ -380,15 +409,11 @@
  ')
  
  optional_policy(`
 -	nis_use_ypbind(syslogd_t)
--')
--
--optional_policy(`
--	nscd_socket_use(syslogd_t)
 +	seutil_sigchld_newrole(syslogd_t)
  ')
  
  optional_policy(`
+-	nscd_socket_use(syslogd_t)
+-')
+-
+-optional_policy(`
 -	seutil_sigchld_newrole(syslogd_t)
 +	postgresql_stream_connect(syslogd_t)
  ')
  
  optional_policy(`
-@@ -399,3 +422,37 @@
+@@ -399,3 +424,37 @@
  	# log to the xconsole
  	xserver_rw_console(syslogd_t)
  ')
@@ -27963,7 +28029,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.3.1/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2008-02-06 10:33:22.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-03-10 12:26:24.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/modutils.te	2008-03-20 12:07:47.000000000 -0400
 @@ -22,6 +22,8 @@
  type insmod_exec_t;
  application_domain(insmod_t,insmod_exec_t)
@@ -27982,7 +28048,15 @@
  allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
  
  allow insmod_t self:udp_socket create_socket_perms; 
-@@ -63,6 +65,7 @@
+@@ -55,6 +57,7 @@
+ 
+ kernel_load_module(insmod_t)
+ kernel_read_system_state(insmod_t)
++kernel_read_network_state(insmod_t)
+ kernel_write_proc_files(insmod_t)
+ kernel_mount_debugfs(insmod_t)
+ kernel_mount_kvmfs(insmod_t)
+@@ -63,6 +66,7 @@
  kernel_read_kernel_sysctls(insmod_t)
  kernel_rw_kernel_sysctl(insmod_t)
  kernel_read_hotplug_sysctls(insmod_t)
@@ -27990,7 +28064,7 @@
  
  files_read_kernel_modules(insmod_t)
  # for locking: (cjp: ????)
-@@ -76,9 +79,7 @@
+@@ -76,9 +80,7 @@
  dev_read_sound(insmod_t)
  dev_write_sound(insmod_t)
  dev_rw_apm_bios(insmod_t)
@@ -28001,16 +28075,25 @@
  
  fs_getattr_xattr_fs(insmod_t)
  
-@@ -101,6 +102,7 @@
+@@ -101,6 +103,8 @@
  init_use_fds(insmod_t)
  init_use_script_fds(insmod_t)
  init_use_script_ptys(insmod_t)
 +init_spec_domtrans_script(insmod_t)
++init_rw_script_tmp_files(insmod_t)
  
  libs_use_ld_so(insmod_t)
  libs_use_shared_libs(insmod_t)
-@@ -118,11 +120,28 @@
- 	')
+@@ -112,17 +116,32 @@
+ 
+ seutil_read_file_contexts(insmod_t)
+ 
+-ifdef(`distro_ubuntu',`
+-	optional_policy(`
+-		unconfined_domain(insmod_t)
+-	')
++optional_policy(`
++	unconfined_domain(insmod_t)
  ')
  
 +term_dontaudit_use_unallocated_ttys(insmod_t)
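Review bot: Removing the `distro_ubuntu` ifdef wrapper makes `unconfined_domain(insmod_t)` apply on every distribution where the optional block resolves, and neither the changelog nor a comment mentions it. With `insmod_t` unconfined, the individual grants added in this same update no longer restrict anything in that configuration: `init_rw_script_tmp_files(insmod_t)` here and `kernel_read_network_state(insmod_t)` in the `@@ -55,6 +57,7 @@` hunk. If the change is intentional, a comment above the block such as `# insmod_t is unconfined wherever the unconfined module is available` plus a changelog line would make it reviewable; otherwise the distro guard should stay. The modutils.te section continues past this hunk.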
@@ -29837,7 +29920,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.3.1/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2008-02-13 16:26:06.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-03-18 09:14:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.te	2008-03-19 14:42:24.000000000 -0400
 @@ -6,35 +6,67 @@
  # Declarations
  #
@@ -30117,7 +30200,7 @@
  ')
  
  ########################################
-@@ -219,14 +278,41 @@
+@@ -219,14 +278,34 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)
@@ -30125,13 +30208,7 @@
  
  optional_policy(`
 -	dbus_stub(unconfined_execmem_t)
-+	gen_require(`
-+		type unconfined_dbusd_t;
-+	')
-+	unconfined_domain(unconfined_dbusd_t)
-+')
- 
-+optional_policy(`
+-
  	init_dbus_chat_script(unconfined_execmem_t)
 +	dbus_system_bus_client_template(unconfined_execmem, unconfined_execmem_t)
  	unconfined_dbus_chat(unconfined_execmem_t)
@@ -30178,7 +30255,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-02-15 09:52:56.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-18 14:56:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-03-18 17:07:34.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  
@@ -33545,8 +33622,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-03-17 17:37:52.000000000 -0400
-@@ -0,0 +1,179 @@
++++ serefpolicy-3.3.1/policy/modules/system/virt.te	2008-03-19 14:54:18.000000000 -0400
+@@ -0,0 +1,173 @@
 +
 +policy_module(virt,1.0.0)
 +
@@ -33571,7 +33648,6 @@
 +
 +type virtd_t;
 +type virtd_exec_t;
-+domain_type(virtd_t)
 +init_daemon_domain(virtd_t, virtd_exec_t)
 +
 +type virtd_script_exec_t;
@@ -33721,11 +33797,6 @@
 +	xen_stream_connect(virtd_t)
 +	xen_stream_connect_xenstore(virtd_t)
 +')
-+
-+allow virtd_t unconfined_t:dir { getattr search };
-+allow virtd_t unconfined_t:file read;
-+allow virtd_t unconfined_t:process getattr;
-+allow virtd_t usr_t:file read;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.3.1/policy/modules/system/xen.if
 --- nsaserefpolicy/policy/modules/system/xen.if	2007-06-21 09:32:04.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/system/xen.if	2008-02-26 08:29:22.000000000 -0500
@@ -34129,8 +34200,8 @@
 +## <summary>Policy for staff user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/staff.te serefpolicy-3.3.1/policy/modules/users/staff.te
 --- nsaserefpolicy/policy/modules/users/staff.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/staff.te	2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,11 @@
++++ serefpolicy-3.3.1/policy/modules/users/staff.te	2008-03-19 11:13:19.000000000 -0400
+@@ -0,0 +1,18 @@
 +policy_module(staff,1.0.1)
 +userdom_admin_login_user_template(staff)
 +
@@ -34142,6 +34213,13 @@
 +	xserver_domtrans_xdm_xserver(staff_t)
 +')
 +
++ifndef(`enable_mls',`
++optional_policy(`
++userdom_role_change_template(staff, unconfined)
++')
++')
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/user.fc serefpolicy-3.3.1/policy/modules/users/user.fc
 --- nsaserefpolicy/policy/modules/users/user.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/users/user.fc	2008-02-26 08:29:22.000000000 -0500
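Review bot: The added `enable_mls` ifndef block calls `userdom_role_change_template(staff, unconfined)` with no indentation inside its nested `optional_policy`, unlike the tab-indented block just above it. Neither a comment nor the changelog mentions the addition. Judging by the template name, it lets the staff role change to the unconfined role on non-MLS builds, which is a notable path out of a confined login role, though the template body is not visible here. Indenting the nested lines and adding `# non-MLS only: staff may change role to unconfined` would make the intent explicit.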
@@ -34185,8 +34263,8 @@
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.3.1/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/webadm.te	2008-02-26 08:29:22.000000000 -0500
-@@ -0,0 +1,42 @@
++++ serefpolicy-3.3.1/policy/modules/users/webadm.te	2008-03-19 11:13:33.000000000 -0400
+@@ -0,0 +1,41 @@
 +policy_module(webadm,1.0.0)
 +
 +########################################
@@ -34227,8 +34305,7 @@
 +gen_require(`
 +	type staff_t;
 +')
-+allow staff_t webadm_t:process transition;
-+allow webadm_t staff_t:dir getattr;
++userdom_role_change_template(staff, webadm)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.3.1/policy/modules/users/xguest.fc
 --- nsaserefpolicy/policy/modules/users/xguest.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.3.1/policy/modules/users/xguest.fc	2008-02-26 08:29:22.000000000 -0500
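Review bot: The `gen_require` block for `type staff_t;` is kept above the new `userdom_role_change_template(staff, webadm)` call, yet no visible line refers to `staff_t` directly now that the two raw `allow` rules are gone. If the template declares its own requirements (its body is not shown here), the leftover `gen_require` can be dropped. Otherwise a short comment explaining why it stays would keep the next reader from removing it by mistake.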


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.638
retrieving revision 1.639
diff -u -r1.638 -r1.639
--- selinux-policy.spec	18 Mar 2008 21:10:02 -0000	1.638
+++ selinux-policy.spec	20 Mar 2008 16:11:16 -0000	1.639
@@ -388,6 +388,8 @@
 
 %changelog
 * Tue Mar 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-22
+- Allow stunnel to transition to inetd children domains
+- Make unconfined_dbusd_t an unconfined domain 
 
 * Mon Mar 17 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-21
 - Fixes for qemu/virtd



