rpms/selinux-policy/devel policy-20071130.patch, 1.112, 1.113 selinux-policy.spec, 1.642, 1.643
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Sat Mar 29 18:36:17 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14165
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Sat Mar 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-26
- Allow initrc_t to dbus chat with consolekit.
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.112
retrieving revision 1.113
diff -u -r1.112 -r1.113
--- policy-20071130.patch 28 Mar 2008 22:07:45 -0000 1.112
+++ policy-20071130.patch 29 Mar 2008 18:36:09 -0000 1.113
@@ -5454,8 +5454,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.3.1/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-28 09:20:56.000000000 +0100
-@@ -0,0 +1,179 @@
++++ serefpolicy-3.3.1/policy/modules/apps/nsplugin.te 2008-03-29 12:28:11.000000000 +0100
+@@ -0,0 +1,183 @@
+
+policy_module(nsplugin,1.0.0)
+
@@ -5587,6 +5587,10 @@
+')
+
+optional_policy(`
++ unconfined_execmem_signull(nsplugin_t)
++')
++
++optional_policy(`
+ xserver_stream_connect_xdm_xserver(nsplugin_t)
+ xserver_xdm_rw_shm(nsplugin_t)
+ xserver_read_xdm_tmp_files(nsplugin_t)
@@ -6817,7 +6821,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.3.1/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2007-10-29 23:02:31.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-02-26 20:19:56.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/kernel/devices.if 2008-03-29 13:08:46.000000000 +0100
@@ -65,7 +65,7 @@
relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -7741,7 +7745,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 23:02:31.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-02-27 22:58:04.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-03-29 13:06:34.000000000 +0100
@@ -851,9 +851,8 @@
type proc_t, proc_afs_t;
')
@@ -12733,7 +12737,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-3.3.1/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2007-12-19 11:32:17.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-19 19:48:13.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/dbus.te 2008-03-29 13:18:18.000000000 +0100
@@ -9,6 +9,7 @@
#
# Delcarations
@@ -12811,7 +12815,7 @@
libs_use_ld_so(system_dbusd_t)
libs_use_shared_libs(system_dbusd_t)
-@@ -121,9 +139,26 @@
+@@ -121,9 +139,28 @@
')
optional_policy(`
@@ -12834,8 +12838,10 @@
+optional_policy(`
+ gen_require(`
+ type unconfined_dbusd_t;
++ attribute domain;
+ ')
+ unconfined_domain(unconfined_dbusd_t)
++ allow dbusd_unconfined domain:consolekit_t:dbus send_msg;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.if serefpolicy-3.3.1/policy/modules/services/dcc.if
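Review bot: The added rule `allow dbusd_unconfined domain:consolekit_t:dbus send_msg;` in the dbus.te optional block is not a well-formed allow statement, because `domain:consolekit_t:dbus` carries two colons where the syntax expects one source, one target and a single `:class`. The rule also names `consolekit_t`, which the visible `gen_require` does not declare (`dbusd_unconfined` is not listed either, though it may be declared elsewhere in dbus.te). If the intent is for unconfined D-Bus clients to message ConsoleKit, `allow dbusd_unconfined consolekit_t:dbus send_msg;` with `type consolekit_t;` added to the require list would state that. If `domain` is really meant as source or target, the rule opens that D-Bus path to every domain and needs a comment explaining why the narrower `consolekit_dbus_chat()` interface is not enough.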
@@ -13746,7 +13752,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.3.1/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2008-02-26 14:17:43.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2008-02-26 14:29:22.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/services/dovecot.te 2008-03-29 12:22:39.000000000 +0100
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -13838,7 +13844,7 @@
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -184,5 +205,49 @@
+@@ -184,5 +205,53 @@
')
optional_policy(`
@@ -13876,6 +13882,8 @@
+files_read_etc_files(dovecot_deliver_t)
+files_read_etc_runtime_files(dovecot_deliver_t)
+
++auth_use_nsswitch(dovecot_deliver_t)
++
+libs_use_ld_so(dovecot_deliver_t)
+libs_use_shared_libs(dovecot_deliver_t)
+
@@ -13885,6 +13893,8 @@
+
+dovecot_auth_stream_connect(dovecot_deliver_t)
+
++userdom_priveleged_home_dir_manager(dovecot_deliver_t)
++
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
')
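Review bot: `userdom_priveleged_home_dir_manager(dovecot_deliver_t)` looks much broader than what a mail delivery agent needs, and nothing in the hunk says why the access is required. The interface body is not visible here, so the breadth is inferred from its name; if it grants manage access to all user home content, a fault in deliver could affect far more than mailboxes. Consider a mail-specific home type or a narrower interface, and add a comment above the call such as `# deliver writes mailboxes under user home directories` so the grant can be re-evaluated later.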
@@ -23614,8 +23624,8 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.if serefpolicy-3.3.1/policy/modules/services/stunnel.if
--- nsaserefpolicy/policy/modules/services/stunnel.if 2006-11-16 23:15:20.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/services/stunnel.if 2008-03-18 19:31:14.000000000 +0100
-@@ -1 +1,24 @@
++++ serefpolicy-3.3.1/policy/modules/services/stunnel.if 2008-03-29 17:44:16.000000000 +0100
+@@ -1 +1,25 @@
## <summary>SSL Tunneling Proxy</summary>
+
+########################################
@@ -23639,6 +23649,7 @@
+ ')
+
+ domtrans_pattern(stunnel_t,$2,$1)
++ allow $1 stunnel_t:tcp_socket rw_socket_perms;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-3.3.1/policy/modules/services/telnet.te
--- nsaserefpolicy/policy/modules/services/telnet.te 2007-12-19 11:32:17.000000000 +0100
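Review bot: The new `allow $1 stunnel_t:tcp_socket rw_socket_perms;` widens what every caller of this interface receives, and the interface's doc header (outside this hunk) presumably still describes only the domain transition. `rw_socket_perms` is a broad set that, as far as I recall, also covers permissions such as bind, connect and setopt. If the service launched by stunnel only uses the inherited connection, `allow $1 stunnel_t:tcp_socket { read write };` may be sufficient, which is worth checking against the denials that motivated the change. Either way, the interface summary should gain a line stating that the target domain is given access to stunnel's TCP sockets.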
@@ -26939,7 +26950,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-02-26 14:17:43.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-12 13:37:59.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-03-29 13:15:04.000000000 +0100
@@ -10,6 +10,20 @@
# Declarations
#
@@ -27142,22 +27153,28 @@
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -559,14 +622,6 @@
- ')
+@@ -554,16 +617,12 @@
+ dbus_read_config(initrc_t)
- optional_policy(`
+ optional_policy(`
+- networkmanager_dbus_chat(initrc_t)
++ consolekit_dbus_chat(initrc_t)
+ ')
+-')
+
+-optional_policy(`
- # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
- # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
- # the directory. But we do not want to allow this.
- # The master process of dovecot will manage this file.
- dovecot_dontaudit_unlink_lib_files(initrc_t)
--')
--
--optional_policy(`
- ftp_read_config(initrc_t)
++ optional_policy(`
++ networkmanager_dbus_chat(initrc_t)
++ ')
')
-@@ -639,12 +694,6 @@
+ optional_policy(`
+@@ -639,12 +698,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -27170,7 +27187,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -705,6 +754,9 @@
+@@ -705,6 +758,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -27180,7 +27197,7 @@
')
optional_policy(`
-@@ -717,9 +769,11 @@
+@@ -717,9 +773,11 @@
squid_manage_logs(initrc_t)
')
@@ -27195,7 +27212,7 @@
')
optional_policy(`
-@@ -738,6 +792,11 @@
+@@ -738,6 +796,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -27207,7 +27224,7 @@
optional_policy(`
unconfined_domain(initrc_t)
-@@ -752,6 +811,10 @@
+@@ -752,6 +815,10 @@
')
optional_policy(`
@@ -27218,7 +27235,7 @@
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -774,3 +837,4 @@
+@@ -774,3 +841,4 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -29744,7 +29761,7 @@
+/usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.3.1/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-11-16 21:30:49.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-03-04 23:26:54.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/unconfined.if 2008-03-29 12:26:49.000000000 +0100
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -29806,7 +29823,32 @@
')
########################################
-@@ -581,7 +587,6 @@
+@@ -372,6 +378,24 @@
+
+ ########################################
+ ## <summary>
++## Send a SIGNULL signal to the unconfined execmem domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_execmem_signull',`
++ gen_require(`
++ type unconfined_execmem_t;
++ ')
++
++ allow $1 unconfined_execmem_t:process signull;
++')
++
++########################################
++## <summary>
+ ## Send generic signals to the unconfined domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -581,7 +605,6 @@
interface(`unconfined_dbus_connect',`
gen_require(`
type unconfined_t;
@@ -29814,7 +29856,7 @@
')
allow $1 unconfined_t:dbus acquire_svc;
-@@ -589,7 +594,139 @@
+@@ -589,7 +612,120 @@
########################################
## <summary>
@@ -29933,34 +29975,15 @@
+########################################
+## <summary>
+## Allow apps to set rlimits on userdomain
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`unconfined_set_rlimitnh',`
-+ gen_require(`
-+ type unconfined_t;
-+ ')
-+
-+ allow $1 unconfined_t:process rlimitinh;
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain to read/write to
-+## unconfined with a unix domain stream sockets.
## </summary>
## <param name="domain">
## <summary>
-@@ -597,41 +734,43 @@
+@@ -597,20 +733,18 @@
## </summary>
## </param>
#
-interface(`unconfined_read_home_content_files',`
-+interface(`unconfined_rw_stream_sockets',`
++interface(`unconfined_set_rlimitnh',`
gen_require(`
- type unconfined_home_dir_t, unconfined_home_t;
+ type unconfined_t;
@@ -29970,57 +29993,76 @@
- allow $1 { unconfined_home_dir_t unconfined_home_t }:dir list_dir_perms;
- read_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
- read_lnk_files_pattern($1, { unconfined_home_dir_t unconfined_home_t }, unconfined_home_t)
-+ allow $1 unconfined_t:unix_stream_socket { read write };
++ allow $1 unconfined_t:process rlimitinh;
')
########################################
## <summary>
-## Read unconfined users temporary files.
-+## Read/write unconfined tmpfs files.
++## Allow the specified domain to read/write to
++## unconfined with a unix domain stream sockets.
## </summary>
-+## <desc>
-+## <p>
-+## Read/write unconfined tmpfs files.
-+## </p>
-+## </desc>
## <param name="domain">
## <summary>
- ## Domain allowed access.
+@@ -618,31 +752,54 @@
## </summary>
## </param>
#
-interface(`unconfined_read_tmp_files',`
-+interface(`unconfined_rw_tmpfs_files',`
++interface(`unconfined_rw_stream_sockets',`
gen_require(`
- type unconfined_tmp_t;
-+ type unconfined_tmpfs_t;
++ type unconfined_t;
')
- files_search_tmp($1)
- allow $1 unconfined_tmp_t:dir list_dir_perms;
- read_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
- read_lnk_files_pattern($1, unconfined_tmp_t, unconfined_tmp_t)
-+ fs_search_tmpfs($1)
-+ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
-+ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
-+ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
++ allow $1 unconfined_t:unix_stream_socket { read write };
')
########################################
## <summary>
-## Write unconfined users temporary files.
-+## Get the process group of unconfined.
++## Read/write unconfined tmpfs files.
## </summary>
++## <desc>
++## <p>
++## Read/write unconfined tmpfs files.
++## </p>
++## </desc>
## <param name="domain">
## <summary>
-@@ -639,10 +778,10 @@
+ ## Domain allowed access.
## </summary>
## </param>
#
-interface(`unconfined_write_tmp_files',`
-+interface(`unconfined_getpgid',`
++interface(`unconfined_rw_tmpfs_files',`
gen_require(`
- type unconfined_tmp_t;
++ type unconfined_tmpfs_t;
++ ')
++
++ fs_search_tmpfs($1)
++ allow $1 unconfined_tmpfs_t:dir list_dir_perms;
++ rw_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
++ read_lnk_files_pattern($1,unconfined_tmpfs_t,unconfined_tmpfs_t)
++')
++
++########################################
++## <summary>
++## Get the process group of unconfined.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`unconfined_getpgid',`
++ gen_require(`
+ type unconfined_t;
')
@@ -30364,7 +30406,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-02-15 15:52:56.000000000 +0100
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-27 23:47:44.000000000 +0100
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-03-29 13:10:01.000000000 +0100
@@ -29,9 +29,14 @@
')
@@ -30381,7 +30423,7 @@
corecmd_shell_entry_type($1_t)
corecmd_bin_entry_type($1_t)
domain_user_exemption_target($1_t)
-@@ -45,66 +50,76 @@
+@@ -45,66 +50,78 @@
type $1_tty_device_t;
term_user_tty($1_t,$1_tty_device_t)
@@ -30442,6 +30484,7 @@
+ kernel_dontaudit_getattr_unlabeled_sockets($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_blk_files($1_usertype)
+ kernel_dontaudit_getattr_unlabeled_chr_files($1_usertype)
++ kernel_dontaudit_list_proc($1_usertype)
# When the user domain runs ps, there will be a number of access
# denials when ps tries to search /proc. Do not audit these denials.
@@ -30491,23 +30534,23 @@
+
+ dev_dontaudit_getattr_all_blk_files($1_usertype)
+ dev_dontaudit_getattr_all_chr_files($1_usertype)
-+
-+ auth_use_nsswitch($1_usertype)
-+
-+ libs_use_ld_so($1_usertype)
-+ libs_use_shared_libs($1_usertype)
-+ libs_exec_ld_so($1_usertype)
++ dev_getattr_mtrr_dev($1_t)
- miscfiles_read_localization($1_t)
- miscfiles_read_certs($1_t)
--
++ auth_use_nsswitch($1_usertype)
+
- sysnet_read_config($1_t)
++ libs_use_ld_so($1_usertype)
++ libs_use_shared_libs($1_usertype)
++ libs_exec_ld_so($1_usertype)
++
+ miscfiles_read_localization($1_usertype)
+ miscfiles_read_certs($1_usertype)
tunable_policy(`allow_execmem',`
# Allow loading DSOs that require executable stack.
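Review bot: `dev_getattr_mtrr_dev($1_t)` is added here without the `# for lsof` comment it had at its old location (removed in the later `@@ -1307,8 +1335,6 @@` hunk), so the reason for the access is lost. The move appears to extend the permission from the template that also creates device nodes for MAKEDEV to the more general user template used here; this is inferred from context, since neither template header is inside the hunk. The line also uses `$1_t` while the neighbouring device rules use `$1_usertype`. If that is deliberate a comment should say so, otherwise `dev_getattr_mtrr_dev($1_usertype)` with `# for lsof` above it would match the rest of the block.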
-@@ -115,6 +130,10 @@
+@@ -115,6 +132,10 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
')
@@ -30518,7 +30561,7 @@
')
#######################################
-@@ -141,33 +160,13 @@
+@@ -141,33 +162,13 @@
#
template(`userdom_ro_home_template',`
gen_require(`
@@ -30557,7 +30600,7 @@
##############################
#
-@@ -175,13 +174,14 @@
+@@ -175,13 +176,14 @@
#
# read-only home directory
@@ -30579,7 +30622,7 @@
files_list_home($1_t)
tunable_policy(`use_nfs_home_dirs',`
-@@ -231,30 +231,14 @@
+@@ -231,30 +233,14 @@
#
template(`userdom_manage_home_template',`
gen_require(`
@@ -30616,7 +30659,7 @@
##############################
#
-@@ -262,43 +246,46 @@
+@@ -262,43 +248,46 @@
#
# full control of the home directory
@@ -30691,7 +30734,7 @@
')
')
-@@ -316,14 +303,20 @@
+@@ -316,14 +305,20 @@
## <rolebase/>
#
template(`userdom_exec_home_template',`
@@ -30717,7 +30760,7 @@
')
')
-@@ -341,11 +334,10 @@
+@@ -341,11 +336,10 @@
## <rolebase/>
#
template(`userdom_poly_home_template',`
@@ -30733,7 +30776,7 @@
')
#######################################
-@@ -369,18 +361,18 @@
+@@ -369,18 +363,18 @@
#
template(`userdom_manage_tmp_template',`
gen_require(`
@@ -30762,7 +30805,7 @@
')
#######################################
-@@ -396,7 +388,13 @@
+@@ -396,7 +390,13 @@
## <rolebase/>
#
template(`userdom_exec_tmp_template',`
@@ -30777,7 +30820,7 @@
')
#######################################
-@@ -445,12 +443,12 @@
+@@ -445,12 +445,12 @@
type $1_tmpfs_t, $1_file_type;
files_tmpfs_file($1_tmpfs_t)
@@ -30796,7 +30839,7 @@
')
#######################################
-@@ -510,10 +508,6 @@
+@@ -510,10 +510,6 @@
## <rolebase/>
#
template(`userdom_exec_generic_pgms_template',`
@@ -30807,7 +30850,7 @@
corecmd_exec_bin($1_t)
')
-@@ -531,27 +525,20 @@
+@@ -531,27 +527,20 @@
## <rolebase/>
#
template(`userdom_basic_networking_template',`
@@ -30847,7 +30890,7 @@
')
#######################################
-@@ -568,30 +555,32 @@
+@@ -568,30 +557,32 @@
#
template(`userdom_xwindows_client_template',`
gen_require(`
@@ -30896,7 +30939,7 @@
')
#######################################
-@@ -622,13 +611,7 @@
+@@ -622,13 +613,7 @@
## <summary>
## The template for allowing the user to change roles.
## </summary>
@@ -30911,7 +30954,7 @@
## <summary>
## The prefix of the user domain (e.g., user
## is the prefix for user_t).
-@@ -692,183 +675,194 @@
+@@ -692,183 +677,194 @@
dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown };
dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
@@ -31187,7 +31230,7 @@
')
optional_policy(`
-@@ -895,6 +889,8 @@
+@@ -895,6 +891,8 @@
## </param>
#
template(`userdom_login_user_template', `
@@ -31196,7 +31239,7 @@
userdom_base_user_template($1)
userdom_manage_home_template($1)
-@@ -923,70 +919,68 @@
+@@ -923,70 +921,68 @@
allow $1_t self:context contains;
@@ -31299,7 +31342,7 @@
')
')
-@@ -1020,9 +1014,6 @@
+@@ -1020,9 +1016,6 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
@@ -31309,7 +31352,7 @@
typeattribute $1_tty_device_t user_ttynode;
##############################
-@@ -1031,16 +1022,29 @@
+@@ -1031,16 +1024,29 @@
#
# privileged home directory writers
@@ -31345,7 +31388,7 @@
')
#######################################
-@@ -1068,6 +1072,13 @@
+@@ -1068,6 +1074,13 @@
userdom_restricted_user_template($1)
@@ -31359,7 +31402,7 @@
userdom_xwindows_client_template($1)
##############################
-@@ -1076,14 +1087,16 @@
+@@ -1076,14 +1089,16 @@
#
authlogin_per_role_template($1, $1_t, $1_r)
@@ -31381,7 +31424,7 @@
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
-@@ -1091,32 +1104,29 @@
+@@ -1091,32 +1106,29 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@@ -31425,7 +31468,7 @@
')
')
-@@ -1127,10 +1137,10 @@
+@@ -1127,10 +1139,10 @@
## </summary>
## <desc>
## <p>
@@ -31440,7 +31483,7 @@
## This template creates a user domain, types, and
## rules for the user's tty, pty, home directories,
## tmp, and tmpfs files.
-@@ -1164,7 +1174,6 @@
+@@ -1164,7 +1176,6 @@
# Need the following rule to allow users to run vpnc
corenet_tcp_bind_xserver_port($1_t)
@@ -31448,7 +31491,7 @@
# cjp: why?
files_read_kernel_symbol_table($1_t)
-@@ -1193,12 +1202,11 @@
+@@ -1193,12 +1204,11 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -31463,7 +31506,7 @@
')
# Run pppd in pppd_t by default for user
-@@ -1207,7 +1215,27 @@
+@@ -1207,7 +1217,27 @@
')
optional_policy(`
@@ -31492,7 +31535,7 @@
')
')
-@@ -1284,8 +1312,6 @@
+@@ -1284,8 +1314,6 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -31501,6 +31544,15 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
kernel_getattr_message_if($1_t)
+@@ -1307,8 +1335,6 @@
+
+ dev_getattr_generic_blk_files($1_t)
+ dev_getattr_generic_chr_files($1_t)
+- # for lsof
+- dev_getattr_mtrr_dev($1_t)
+ # Allow MAKEDEV to work
+ dev_create_all_blk_files($1_t)
+ dev_create_all_chr_files($1_t)
@@ -1363,13 +1389,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.642
retrieving revision 1.643
diff -u -r1.642 -r1.643
--- selinux-policy.spec 28 Mar 2008 21:09:45 -0000 1.642
+++ selinux-policy.spec 29 Mar 2008 18:36:09 -0000 1.643
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 25%{?dist}
+Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
%endif
%changelog
+* Sat Mar 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-26
+- Allow initrc_t to dbus chat with consolekit.
+
* Thu Mar 27 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-25
- Additional access for nsplugin
- Allow xdm setcap/getcap until pulseaudio is fixed