rpms/selinux-policy/devel policy-20080509.patch,1.2,1.3

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri May 30 20:13:46 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30162

Modified Files:
	policy-20080509.patch 
Log Message:
* Fri May 9 2008 Dan Walsh <dwalsh at redhat.com> 3.4.1-1
- Merge Upstream


policy-20080509.patch:

Index: policy-20080509.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080509.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20080509.patch	30 May 2008 19:45:39 -0000	1.2
+++ policy-20080509.patch	30 May 2008 20:12:46 -0000	1.3
@@ -4439,8 +4439,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.4.1/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te	2008-05-30 14:08:10.632900000 -0400
-@@ -0,0 +1,204 @@
++++ serefpolicy-3.4.1/policy/modules/apps/nsplugin.te	2008-05-30 16:08:40.343792000 -0400
+@@ -0,0 +1,207 @@
 +
 +policy_module(nsplugin,1.0.0)
 +
@@ -4541,7 +4541,6 @@
 +
 +miscfiles_read_localization(nsplugin_t)
 +miscfiles_read_fonts(nsplugin_t)
-+miscfiles_manage_home_fonts(nsplugin_t)
 +
 +unprivuser_manage_tmp_dirs(nsplugin_t)
 +unprivuser_manage_tmp_files(nsplugin_t)
@@ -4588,6 +4587,7 @@
 +	xserver_read_xdm_pid(nsplugin_t)
 +	xserver_read_user_xauth(user, nsplugin_t)
 +	xserver_use_user_fonts(user, nsplugin_t)
++	xserver_manage_home_fonts(nsplugin_t)
 +')
 +
 +########################################
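Review bot: `xserver_manage_home_fonts(nsplugin_t)` gives the plugin domain create, write and delete access to everything labelled `fonts_home_t`, and nothing in the hunk says why it needs more than read. Per the xserver.fc change in this same revision, that label covers both `~/.fonts` and `~/.fontconfig`. The line above already grants `xserver_use_user_fonts(user, nsplugin_t)`, so if only a cache location has to be writable, a grant on the cache type would be narrower. Otherwise add a one-line comment above the call naming what the plugin writes there, so the broader access is a recorded decision. The enclosing block opens outside this hunk.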
@@ -4628,7 +4628,6 @@
 +
 +miscfiles_read_localization(nsplugin_config_t)
 +miscfiles_read_fonts(nsplugin_config_t)
-+miscfiles_read_home_fonts(nsplugin_config_t)
 +
 +userdom_search_all_users_home_content(nsplugin_config_t)
 +
@@ -4643,6 +4642,10 @@
 +nsplugin_domtrans(nsplugin_config_t)
 +
 +optional_policy(`
++	xserver_read_home_fonts(nsplugin_config_t)
++')
++
++optional_policy(`
 +	mozilla_read_user_home_files(user, nsplugin_config_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.4.1/policy/modules/apps/openoffice.fc
@@ -25721,8 +25724,8 @@
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.4.1/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2008-05-19 10:26:37.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/services/xserver.fc	2008-05-30 15:38:19.179414000 -0400
-@@ -1,13 +1,13 @@
++++ serefpolicy-3.4.1/policy/modules/services/xserver.fc	2008-05-30 16:00:19.268636000 -0400
+@@ -1,13 +1,12 @@
  #
  # HOME_DIR
  #
@@ -25734,7 +25737,6 @@
 -HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 -HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:ROLE_xauth_home_t,s0)
 +HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:fonts_config_home_t,s0)
-+HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:fonts_home_t,s0)
 +HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:fonts_cache_home_t,s0)
 +HOME_DIR/\.fonts\.cache-.* --	gen_context(system_u:object_r:fonts_cache_home_t,s0)
 +HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
@@ -25743,7 +25745,7 @@
  
  #
  # /dev
-@@ -32,11 +32,6 @@
+@@ -32,11 +31,6 @@
  /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  
@@ -25755,7 +25757,7 @@
  #
  # /opt
  #
-@@ -58,7 +53,8 @@
+@@ -58,7 +52,8 @@
  #
  
  /usr/(s)?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
@@ -25765,7 +25767,7 @@
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -78,7 +74,7 @@
+@@ -78,7 +73,7 @@
  /usr/X11R6/bin/xauth    --      gen_context(system_u:object_r:xauth_exec_t,s0)
  /usr/X11R6/bin/XFree86	--	gen_context(system_u:object_r:xserver_exec_t,s0)
  /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -25774,7 +25776,7 @@
  /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
  /usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
  /usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-@@ -89,16 +85,23 @@
+@@ -89,17 +84,26 @@
  
  /var/[xgk]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  
@@ -25800,9 +25802,12 @@
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ ')
++HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:fonts_home_t,s0)
++HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:fonts_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.4.1/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-05-19 10:26:38.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/services/xserver.if	2008-05-30 15:21:13.276047000 -0400
++++ serefpolicy-3.4.1/policy/modules/services/xserver.if	2008-05-30 16:01:24.987195000 -0400
 @@ -128,18 +128,24 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
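Review bot: The two added `HOME_DIR` entries sit at the very end of xserver.fc, directly after the `')` that closes the `distro_suse` ifdef, with no blank line or section comment. The other per-user font entries (`\.fonts\.conf`, `\.fonts/auto`, `\.fonts\.cache-.*`) stay in the `# HOME_DIR` section at the top of the file. If the move is meant to affect how `HOME_DIR/\.fonts(/.*)?` ranks against the more specific `HOME_DIR/\.fonts/auto(/.*)?`, that deserves a comment; if not, put them back in the `# HOME_DIR` section so they do not read as part of the SUSE block. `~/.fontconfig` also looks like a cache location, so `fonts_cache_home_t` may be a closer label than `fonts_home_t`; worth confirming, since the label decides which domains need write access to the font type.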
@@ -25850,7 +25855,17 @@
  	term_setattr_unallocated_ttys($1_xserver_t)
  	term_use_unallocated_ttys($1_xserver_t)
  
-@@ -280,35 +290,25 @@
+@@ -270,6 +280,9 @@
+ 	gen_require(`
+ 		type iceauth_exec_t, xauth_exec_t;
+ 		attribute fonts_type, fonts_cache_type, fonts_config_type;
++		type fonts_home_t;
++		type fonts_cache_home_t;
++		type fonts_config_home_t;
+ 	')
+ 
+ 	##############################
+@@ -280,35 +293,25 @@
  	xserver_common_domain_template($1)
  	role $3 types $1_xserver_t;
  
@@ -25893,7 +25908,7 @@
  
  	##############################
  	#
-@@ -317,24 +317,24 @@
+@@ -317,24 +320,24 @@
  
  	domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
  
@@ -25928,7 +25943,7 @@
  
  	stream_connect_pattern($2,$1_xserver_tmp_t,$1_xserver_tmp_t,$1_xserver_t)
  
-@@ -375,12 +375,12 @@
+@@ -375,12 +378,12 @@
  	allow $1_xauth_t self:process signal;
  	allow $1_xauth_t self:unix_stream_socket create_stream_socket_perms;
  
@@ -25946,7 +25961,7 @@
  
  	domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
  
-@@ -389,11 +389,11 @@
+@@ -389,11 +392,11 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
  
@@ -25962,7 +25977,7 @@
  
  	domain_use_interactive_fds($1_xauth_t)
  
-@@ -435,16 +435,16 @@
+@@ -435,16 +438,16 @@
  
  	domtrans_pattern($2, iceauth_exec_t, $1_iceauth_t)
  
@@ -25984,7 +25999,7 @@
  
  	fs_search_auto_mountpoints($1_iceauth_t)
  
-@@ -610,7 +610,7 @@
+@@ -610,7 +613,7 @@
  #	refpolicywarn(`$0() has been deprecated, please use xserver_user_x_domain_template instead.')
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -25993,7 +26008,7 @@
  	')
  
  	allow $2 self:shm create_shm_perms;
-@@ -618,8 +618,8 @@
+@@ -618,8 +621,8 @@
  	allow $2 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -26004,7 +26019,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -880,7 +880,7 @@
+@@ -880,7 +883,7 @@
  template(`xserver_user_x_domain_template',`
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
@@ -26013,7 +26028,7 @@
  	')
  
  	allow $3 self:shm create_shm_perms;
-@@ -888,8 +888,8 @@
+@@ -888,8 +891,8 @@
  	allow $3 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -26024,19 +26039,18 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $3 xdm_t:fd use;
-@@ -952,26 +952,44 @@
+@@ -952,26 +955,43 @@
  #
  template(`xserver_use_user_fonts',`
  	gen_require(`
 -		type $1_fonts_t, $1_fonts_cache_t, $1_fonts_config_t;
-+		type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;
++		type fonts_cache_home_t, fonts_config_home_t;
  	')
  
  	# Read per user fonts
 -	allow $2 $1_fonts_t:dir list_dir_perms;
 -	allow $2 $1_fonts_t:file read_file_perms;
-+	allow $2 fonts_home_t:dir list_dir_perms;
-+	allow $2 fonts_home_t:file read_file_perms;
++	read_files_pattern($2, fonts_home_t,  fonts_home_t)
  
  	# Manipulate the global font cache
 -	manage_dirs_pattern($2,$1_fonts_cache_t,$1_fonts_cache_t)
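Review bot: The `gen_require` in `xserver_use_user_fonts` no longer lists `fonts_home_t`, but the added `read_files_pattern($2, fonts_home_t,  fonts_home_t)` a few lines below still uses it. A caller in a module that does not itself declare or require the type may then fail to build, so keep it in the require: `type fonts_home_t, fonts_cache_home_t, fonts_config_home_t;`. Replacing the two `allow` rules with `read_files_pattern` also appears to drop `list_dir_perms` on the font directory, since that pattern normally grants only directory search. If clients still enumerate `~/.fonts`, add `list_dirs_pattern($2, fonts_home_t, fonts_home_t)`; the new `xserver_read_home_fonts` interface in the later xserver.if hunk has the same gap. The template body continues past the end of this hunk.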
@@ -26076,7 +26090,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -1005,6 +1023,73 @@
+@@ -1005,6 +1025,73 @@
  
  ########################################
  ## <summary>
@@ -26150,7 +26164,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -1030,10 +1115,10 @@
+@@ -1030,10 +1117,10 @@
  #
  template(`xserver_user_home_dir_filetrans_user_xauth',`
  	gen_require(`
@@ -26163,7 +26177,7 @@
  ')
  
  ########################################
-@@ -1219,6 +1304,25 @@
+@@ -1219,6 +1306,25 @@
  
  ########################################
  ## <summary>
@@ -26189,7 +26203,7 @@
  ##	Read xdm-writable configuration files.
  ## </summary>
  ## <param name="domain">
-@@ -1273,6 +1377,7 @@
+@@ -1273,6 +1379,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -26197,7 +26211,7 @@
  ')
  
  ########################################
-@@ -1291,7 +1396,7 @@
+@@ -1291,7 +1398,7 @@
  	')
  
  	files_search_pids($1)
@@ -26206,7 +26220,7 @@
  ')
  
  ########################################
-@@ -1314,6 +1419,24 @@
+@@ -1314,6 +1421,24 @@
  
  ########################################
  ## <summary>
@@ -26231,7 +26245,7 @@
  ##	Execute the X server in the XDM X server domain.
  ## </summary>
  ## <param name="domain">
-@@ -1324,15 +1447,47 @@
+@@ -1324,15 +1449,47 @@
  #
  interface(`xserver_domtrans_xdm_xserver',`
  	gen_require(`
@@ -26280,7 +26294,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1482,7 +1637,7 @@
+@@ -1482,7 +1639,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -26289,7 +26303,7 @@
  ')
  
  ########################################
-@@ -1674,6 +1829,65 @@
+@@ -1674,6 +1831,65 @@
  
  ########################################
  ## <summary>
@@ -26355,7 +26369,7 @@
  ##	Interface to provide X object permissions on a given X server to
  ##	an X client domain.  Gives the domain complete control over the
  ##	display.
-@@ -1691,3 +1905,41 @@
+@@ -1691,3 +1907,82 @@
  
  	typeattribute $1 xserver_unconfined_type;
  ')
@@ -26397,9 +26411,50 @@
 +	files_search_pids($1)
 +	write_files_pattern($1,xserver_var_run_t,xserver_var_run_t)
 +')
++
++########################################
++## <summary>
++##	Read user homedir fonts.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`xserver_manage_home_fonts',`
++	gen_require(`
++		type fonts_home_t;
++	')
++
++	manage_dirs_pattern($1, fonts_home_t, fonts_home_t)
++	manage_files_pattern($1, fonts_home_t, fonts_home_t)
++	manage_lnk_files_pattern($1, fonts_home_t, fonts_home_t)
++')
++
++########################################
++## <summary>
++##	Read user homedir fonts.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`xserver_read_home_fonts',`
++	gen_require(`
++		type fonts_home_t;
++	')
++
++	read_files_pattern($1,fonts_home_t,fonts_home_t)
++	read_lnk_files_pattern($1,fonts_home_t,fonts_home_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.4.1/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2008-05-19 10:26:37.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/services/xserver.te	2008-05-30 15:12:02.166012000 -0400
++++ serefpolicy-3.4.1/policy/modules/services/xserver.te	2008-05-30 16:11:13.428347000 -0400
 @@ -8,6 +8,14 @@
  
  ## <desc>
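Review bot: The header comment on `xserver_manage_home_fonts` is a copy of the read interface's: its summary says `Read user homedir fonts.` although the body grants `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` on `fonts_home_t`. The generated interface documentation is what a policy writer reads before granting access, so a summary that understates the access invites over-granting. It should read `Create, read, write, and delete user homedir fonts.`, leaving the existing summary on `xserver_read_home_fonts` as it is.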
@@ -26451,13 +26506,10 @@
  type xdm_tmp_t;
  files_tmp_file(xdm_tmp_t)
  typealias xdm_tmp_t alias ice_tmp_t;
-@@ -122,6 +143,27 @@
+@@ -122,6 +143,24 @@
  type xserver_log_t;
  logging_log_file(xserver_log_t)
  
-+type fonts_home_t, fonts_type;
-+userdom_user_home_content(user,fonts_home_t)
-+
 +type fonts_cache_home_t, fonts_cache_type;
 +userdom_user_home_content(user,fonts_cache_home_t)
 +
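Review bot: This hunk drops `type fonts_home_t, fonts_type;` and its `userdom_user_home_content(user,fonts_home_t)` line from xserver.te, but the same revision still uses `fonts_home_t` in three places. xserver.fc labels `~/.fonts` and `~/.fontconfig` with it, the new xserver.if interfaces require it, and this file gains `manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)` further down. No replacement declaration is visible in the hunks shown, and the removed miscfiles.te section only declared `user_fonts_home_t`. If the type is now declared elsewhere in the patch, that is fine; otherwise keep the declaration here next to `fonts_cache_home_t`, because an undeclared type in a require or a file context should break the policy build.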
@@ -26479,7 +26531,7 @@
  xserver_common_domain_template(xdm)
  xserver_common_x_domain_template(xdm,xdm,xdm_t)
  init_system_domain(xdm_xserver_t,xserver_exec_t)
-@@ -142,6 +184,7 @@
+@@ -142,6 +181,7 @@
  
  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
  allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
@@ -26487,7 +26539,7 @@
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -154,6 +197,8 @@
+@@ -154,6 +194,8 @@
  allow xdm_t self:key { search link write };
  
  allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
@@ -26496,7 +26548,7 @@
  
  # Allow gdm to run gdm-binary
  can_exec(xdm_t, xdm_exec_t)
-@@ -169,6 +214,8 @@
+@@ -169,6 +211,8 @@
  manage_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
  manage_sock_files_pattern(xdm_t,xdm_tmp_t,xdm_tmp_t)
  files_tmp_filetrans(xdm_t, xdm_tmp_t, { file dir sock_file })
@@ -26505,7 +26557,7 @@
  
  manage_dirs_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  manage_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
-@@ -176,15 +223,22 @@
+@@ -176,15 +220,24 @@
  manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -26513,6 +26565,8 @@
 +fs_getattr_all_fs(xdm_t)
 +fs_search_inotifyfs(xdm_t)
 +fs_list_all(xdm_t)
++
++manage_files_pattern(xdm_t, fonts_home_t, fonts_home_t)
  
  manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)	
  manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
@@ -26530,7 +26584,7 @@
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -198,6 +252,7 @@
+@@ -198,6 +251,7 @@
  allow xdm_t xdm_xserver_t:process { noatsecure siginh rlimitinh signal sigkill };
  
  allow xdm_t xdm_xserver_t:shm rw_shm_perms;
@@ -26538,7 +26592,7 @@
  
  # connect to xdm xserver over stream socket
  stream_connect_pattern(xdm_t,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
-@@ -229,6 +284,7 @@
+@@ -229,6 +283,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -26546,7 +26600,7 @@
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -241,6 +297,7 @@
+@@ -241,6 +296,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -26554,7 +26608,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -253,14 +310,15 @@
+@@ -253,14 +309,15 @@
  dev_setattr_video_dev(xdm_t)
  dev_getattr_scanner_dev(xdm_t)
  dev_setattr_scanner_dev(xdm_t)
@@ -26572,7 +26626,7 @@
  
  files_read_etc_files(xdm_t)
  files_read_var_files(xdm_t)
-@@ -271,9 +329,13 @@
+@@ -271,9 +328,13 @@
  files_read_usr_files(xdm_t)
  # Poweroff wants to create the /poweroff file when run from xdm
  files_create_boot_flag(xdm_t)
@@ -26586,7 +26640,7 @@
  
  storage_dontaudit_read_fixed_disk(xdm_t)
  storage_dontaudit_write_fixed_disk(xdm_t)
-@@ -282,6 +344,7 @@
+@@ -282,6 +343,7 @@
  storage_dontaudit_raw_write_removable_device(xdm_t)
  storage_dontaudit_setattr_removable_dev(xdm_t)
  storage_dontaudit_rw_scsi_generic(xdm_t)
@@ -26594,7 +26648,7 @@
  
  term_setattr_console(xdm_t)
  term_use_unallocated_ttys(xdm_t)
-@@ -290,6 +353,7 @@
+@@ -290,6 +352,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -26602,18 +26656,17 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -301,21 +365,25 @@
+@@ -301,21 +364,25 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
 +logging_send_audit_msgs(xdm_t)
  
  miscfiles_read_localization(xdm_t)
--miscfiles_read_fonts(xdm_t)
+ miscfiles_read_fonts(xdm_t)
 -
 -sysnet_read_config(xdm_t)
-+miscfiles_manage_fonts(xdm_t)
-+miscfiles_dontaudit_write_locale(xdm_t)
++miscfiles_manage_localization(xdm_t)
  
  userdom_dontaudit_use_unpriv_user_fds(xdm_t)
  userdom_create_all_users_keys(xdm_t)
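Review bot: Replacing `miscfiles_dontaudit_write_locale(xdm_t)` with `miscfiles_manage_localization(xdm_t)` turns a silenced denial into an actual grant. Going by the interface name, xdm_t may now create, modify and delete localization files instead of merely having its write attempts go unlogged. Nothing in the hunk says which file the display manager has to write, so add a why-comment above the call, e.g. `# <which localization file xdm writes, and why>`, or return to the dontaudit if the writes are not required. The xdm_t rule list continues outside this hunk.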
@@ -26634,24 +26687,20 @@
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  xserver_unconfined(xdm_t)
-@@ -348,10 +416,15 @@
+@@ -348,10 +415,12 @@
  
  optional_policy(`
  	alsa_domtrans(xdm_t)
 +	alsa_read_rw_config(xdm_t)
-+')
-+
-+optional_policy(`
-+	bootloader_domtrans(xdm_t)
  ')
  
  optional_policy(`
--	consolekit_dbus_chat(xdm_t)
+ 	consolekit_dbus_chat(xdm_t)
 +	consolekit_read_log(xdm_t)
  ')
  
  optional_policy(`
-@@ -359,6 +432,23 @@
+@@ -359,6 +428,19 @@
  ')
  
  optional_policy(`
@@ -26659,10 +26708,6 @@
 +	dbus_system_bus_client_template(xdm, xdm_t)
 +
 +	optional_policy(`
-+		consolekit_dbus_chat(xdm_t)
-+	')
-+
-+	optional_policy(`
 +		hal_dbus_chat(xdm_t)
 +	')
 +
@@ -26675,7 +26720,7 @@
  	# Talk to the console mouse server.
  	gpm_stream_connect(xdm_t)
  	gpm_setattr_gpmctl(xdm_t)
-@@ -369,6 +459,10 @@
+@@ -369,6 +451,10 @@
  ')
  
  optional_policy(`
@@ -26686,7 +26731,7 @@
  	loadkeys_exec(xdm_t)
  ')
  
-@@ -382,16 +476,25 @@
+@@ -382,16 +468,25 @@
  ')
  
  optional_policy(`
@@ -26713,7 +26758,7 @@
  
  	ifndef(`distro_redhat',`
  		allow xdm_t self:process { execheap execmem };
-@@ -427,7 +530,7 @@
+@@ -427,7 +522,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -26722,7 +26767,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -439,6 +542,15 @@
+@@ -439,6 +534,15 @@
  can_exec(xdm_xserver_t, xkb_var_lib_t)
  files_search_var_lib(xdm_xserver_t)
  
@@ -26738,7 +26783,7 @@
  # VNC v4 module in X server
  corenet_tcp_bind_vnc_port(xdm_xserver_t)
  
-@@ -450,10 +562,19 @@
+@@ -450,10 +554,19 @@
  # xdm_xserver_t may no longer have any reason
  # to read ROLE_home_t - examine this in more detail
  # (xauth?)
@@ -26759,7 +26804,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xdm_xserver_t)
  	fs_manage_nfs_files(xdm_xserver_t)
-@@ -467,6 +588,22 @@
+@@ -467,6 +580,22 @@
  ')
  
  optional_policy(`
@@ -26782,7 +26827,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -476,16 +613,32 @@
+@@ -476,16 +605,32 @@
  ')
  
  optional_policy(`
@@ -29095,7 +29140,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.4.1/policy/modules/system/miscfiles.fc
 --- nsaserefpolicy/policy/modules/system/miscfiles.fc	2008-05-19 10:26:42.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc	2008-05-30 14:08:12.108651000 -0400
++++ serefpolicy-3.4.1/policy/modules/system/miscfiles.fc	2008-05-30 16:00:01.493565000 -0400
 @@ -11,6 +11,7 @@
  /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
  /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
@@ -29104,98 +29149,6 @@
  
  #
  # /opt
-@@ -80,3 +81,4 @@
- /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
- ')
-+HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_home_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.4.1/policy/modules/system/miscfiles.if
---- nsaserefpolicy/policy/modules/system/miscfiles.if	2008-05-19 10:26:42.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.if	2008-05-30 14:08:12.112653000 -0400
-@@ -490,3 +490,65 @@
- 	manage_lnk_files_pattern($1,locale_t,locale_t)
- ')
- 
-+########################################
-+## <summary>
-+##	Read user homedir fonts.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_read_home_fonts',`
-+	gen_require(`
-+		type user_fonts_home_t;
-+	')
-+
-+	read_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
-+	read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Read user homedir fonts.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_manage_home_fonts',`
-+	gen_require(`
-+		type user_fonts_home_t;
-+	')
-+
-+	manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t)
-+	manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
-+	manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+##	dontaudit_attempts to write locale files
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`miscfiles_dontaudit_write_locale',`
-+	gen_require(`
-+		type locale_t;
-+	')
-+
-+	dontaudit $1 locale_t:dir write;
-+	dontaudit $1 locale_t:file write;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.4.1/policy/modules/system/miscfiles.te
---- nsaserefpolicy/policy/modules/system/miscfiles.te	2008-05-19 10:26:42.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/system/miscfiles.te	2008-05-30 14:08:12.127651000 -0400
-@@ -20,6 +20,14 @@
- files_type(fonts_t)
- 
- #
-+# fonts_t is the type of various font
-+# files in /usr
-+#
-+type user_fonts_home_t;
-+userdom_user_home_type(user_fonts_home_t)
-+files_type(user_fonts_home_t)
-+
-+#
- # type for /usr/share/hwdata
- #
- type hwdata_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.4.1/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2008-05-19 10:26:42.000000000 -0400
 +++ serefpolicy-3.4.1/policy/modules/system/modutils.if	2008-05-30 14:08:12.131651000 -0400
@@ -30477,7 +30430,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.4.1/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2008-05-29 15:55:43.000000000 -0400
-+++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te	2008-05-30 15:07:02.678597000 -0400
++++ serefpolicy-3.4.1/policy/modules/system/selinuxutil.te	2008-05-30 15:45:01.953760000 -0400
 @@ -1,5 +1,5 @@
  
 -policy_module(selinuxutil, 1.9.2)
@@ -30678,14 +30631,13 @@
  ',`
  	# Handle pp files created in homedir and /tmp
 -	sysadm_read_home_content_files(semanage_t)
--	sysadm_read_tmp_files(semanage_t)
++	userdom_read_sysadm_home_content_files(semanage_t)
+ 	sysadm_read_tmp_files(semanage_t)
 -
 -	optional_policy(`
 -		unconfined_read_home_content_files(semanage_t)
 -		unconfined_read_tmp_files(semanage_t)
 -	')
-+	userdom_read_sysadm_home_content_files(semanage_t)
-+	userdom_read_sysadm_tmp_files(semanage_t)
 +	userdom_read_unpriv_users_home_content_files(semanage_t)
 +	userdom_read_unpriv_users_tmp_files(semanage_t)
  ')



