rpms/selinux-policy/F-10 modules-targeted.conf, 1.109, 1.110 policy-20080710.patch, 1.97, 1.98

Daniel J Walsh dwalsh at fedoraproject.org
Mon Nov 17 21:13:17 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13196

Modified Files:
	modules-targeted.conf policy-20080710.patch 
Log Message:
* Fri Nov 14 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-21
- Allow sambagui to use nsswitch



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/modules-targeted.conf,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -r1.109 -r1.110
--- modules-targeted.conf	13 Nov 2008 19:15:40 -0000	1.109
+++ modules-targeted.conf	17 Nov 2008 21:12:45 -0000	1.110
@@ -1710,3 +1710,9 @@
 #
 # 
 pki = module
+
+# Layer: services
+# Module: pingd
+#
+# 
+pingd = module

policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- policy-20080710.patch	14 Nov 2008 16:08:52 -0000	1.97
+++ policy-20080710.patch	17 Nov 2008 21:12:45 -0000	1.98
@@ -564,7 +564,7 @@
  cron_search_spool(logrotate_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.13/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te	2008-11-11 16:22:02.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/admin/logwatch.te	2008-11-17 10:22:55.000000000 -0500
 @@ -54,18 +54,19 @@
  domain_read_all_domains_state(logwatch_t)
  
@@ -588,7 +588,15 @@
  
  term_dontaudit_getattr_pty_dirs(logwatch_t)
  term_dontaudit_list_ptys(logwatch_t)
-@@ -131,4 +132,5 @@
+@@ -87,6 +88,7 @@
+ selinux_dontaudit_getattr_dir(logwatch_t)
+ 
+ sysnet_dns_name_resolve(logwatch_t)
++sysnet_exec_ifconfig(logwatch_t)
+ 
+ mta_send_mail(logwatch_t)
+ 
+@@ -131,4 +133,5 @@
  
  optional_policy(`
  	samba_read_log(logwatch_t)
@@ -4997,7 +5005,7 @@
 +/var/cache/libvirt(/.*)? -- gen_context(system_u:object_r:qemu_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.5.13/policy/modules/apps/qemu.if
 --- nsaserefpolicy/policy/modules/apps/qemu.if	2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/qemu.if	2008-11-14 10:55:17.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/qemu.if	2008-11-17 15:59:46.000000000 -0500
 @@ -46,6 +46,96 @@
  	qemu_domtrans($1)
  	role $2 types qemu_t;
@@ -5160,7 +5168,7 @@
  ##	Send a signal to qemu.
  ## </summary>
  ## <param name="domain">
-@@ -104,114 +252,194 @@
+@@ -104,114 +252,190 @@
  
  ########################################
  ## <summary>
@@ -5194,10 +5202,6 @@
 -	domtrans_pattern($1, qemu_exec_t, qemu_unconfined_t)
 +	qemu_domtrans($1)
 +	allow qemu_t $3:chr_file rw_file_perms;
-+
-+	optional_policy(`
-+		samba_domtrans_smb(qemu_t)
-+	')
  ')
  
  ########################################
@@ -5428,7 +5432,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.5.13/policy/modules/apps/qemu.te
 --- nsaserefpolicy/policy/modules/apps/qemu.te	2008-10-17 08:49:14.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/apps/qemu.te	2008-11-14 10:33:08.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/qemu.te	2008-11-17 16:00:21.000000000 -0500
 @@ -6,6 +6,9 @@
  # Declarations
  #
@@ -5542,7 +5546,7 @@
  tunable_policy(`qemu_full_network',`
  	allow qemu_t self:udp_socket create_socket_perms;
  
-@@ -35,6 +124,26 @@
+@@ -35,6 +124,30 @@
  	corenet_tcp_connect_all_ports(qemu_t)
  ')
  
@@ -5555,6 +5559,10 @@
 +')
 +
 +optional_policy(`
++	samba_domtrans_smb(qemu_t)
++')
++
++optional_policy(`
 +	virt_manage_images(qemu_t)
 +')
 +
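Review bot: Nothing gates `samba_domtrans_smb(qemu_t)`: it sits in a bare `optional_policy`, so whenever the samba module is present every process in qemu_t may transition into the Samba domain, with no boolean to switch it off. The network rules shown earlier in qemu.te are wrapped in the `qemu_full_network` tunable; consider gating this transition the same way, either under that tunable or a dedicated boolean (e.g. `qemu_use_smb`, a placeholder name), so hosts that do not need guest SMB shares keep the narrower policy. At minimum add a comment such as `# needed for qemu's built-in SMB share support` (presumed purpose; confirm). The neighbouring optional_policy blocks continue outside the hunk.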
@@ -6480,8 +6488,15 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in	2008-11-13 17:54:07.000000000 -0500
-@@ -79,26 +79,31 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in	2008-11-17 14:37:16.000000000 -0500
+@@ -1,5 +1,5 @@
+ 
+-policy_module(corenetwork, 1.10.0)
++policy_module(corenetwork, 1.10.2)
+ 
+ ########################################
+ #
+@@ -79,26 +79,30 @@
  network_port(auth, tcp,113,s0)
  network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
  type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -6497,7 +6512,7 @@
  network_port(dbskkd, tcp,1178,s0)
  network_port(dhcpc, udp,68,s0)
 -network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
-+network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp, 7911,s0)
++network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
  network_port(dict, tcp,2628,s0)
  network_port(distccd, tcp,3632,s0)
  network_port(dns, udp,53,s0, tcp,53,s0)
@@ -6510,10 +6525,17 @@
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
 +portcon tcp 10001-10010 gen_context(system_u:object_r:http_cache_port_t, s0)
-+
  network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
  network_port(howl, tcp,5335,s0, udp,5353,s0)
  network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
+@@ -109,6 +113,7 @@
+ network_port(ipp, tcp,631,s0, udp,631,s0)
+ network_port(ipsecnat, tcp,4500,s0, udp,4500,s0)
+ network_port(ircd, tcp,6667,s0)
++network_port(ipmi, udp,623,s0, udp,664,s0)
+ network_port(isakmp, udp,500,s0)
+ network_port(iscsi, tcp,3260,s0)
+ network_port(isns, tcp,3205,s0, udp,3205,s0)
 @@ -117,6 +122,8 @@
  network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
  network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
@@ -6531,10 +6553,11 @@
  network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
  portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
  network_port(nessus, tcp,1241,s0)
-@@ -136,12 +144,20 @@
+@@ -136,12 +144,21 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
++network_port(pingd, tcp,9125,s0)
 +network_port(pki_ca, tcp, 9180, s0, tcp, 9701, s0, tcp, 9443, s0, tcp, 9444, s0, tcp, 9445, s0)
 +network_port(pki_kra, tcp, 10180, s0, tcp, 10701, s0, tcp, 10443, s0, tcp, 10444, s0, tcp, 10445, s0)
 +network_port(pki_ocsp, tcp, 11180, s0, tcp, 11701, s0, tcp, 11443, s0, tcp, 11444, s0, tcp, 11445, s0)
@@ -6552,7 +6575,7 @@
  network_port(printer, tcp,515,s0)
  network_port(ptal, tcp,5703,s0)
  network_port(pxe, udp,4011,s0)
-@@ -159,9 +175,10 @@
+@@ -159,9 +176,10 @@
  network_port(rwho, udp,513,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -6564,7 +6587,7 @@
  network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
  type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
  type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -170,13 +187,16 @@
+@@ -170,13 +188,16 @@
  network_port(syslogd, udp,514,s0)
  network_port(telnetd, tcp,23,s0)
  network_port(tftp, udp,69,s0)
@@ -16906,7 +16929,7 @@
 -#')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.5.13/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/mta.if	2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/mta.if	2008-11-17 14:03:15.000000000 -0500
 @@ -133,6 +133,15 @@
  		sendmail_create_log($1_mail_t)
  	')
@@ -17693,7 +17716,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc	2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc	2008-11-17 14:48:12.000000000 -0500
 @@ -1,8 +1,12 @@
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +
@@ -17707,11 +17730,12 @@
  
  /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
  
-@@ -10,3 +14,4 @@
+@@ -10,3 +14,5 @@
  /var/run/NetworkManager(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
  /var/run/wpa_supplicant-global	-s	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 +/var/run/nm-dhclient.*			gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
++/usr/libexec/nm-openconnect-service	-- gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2008-10-17 08:49:11.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if	2008-11-11 16:22:03.000000000 -0500
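Review bot: The new file-context entry for `/usr/libexec/nm-openconnect-service` labels an executable with `NetworkManager_var_run_t`, the type the preceding lines use for runtime files under /var/run; it looks like a copy of the `nm-dhclient` line above it. With that label the helper is covered by whatever rules let domains manage NetworkManager's run files, and nothing visible here makes the type an entrypoint for a domain transition. An executable type is presumably intended, for example `/usr/libexec/nm-openconnect-service	--	gen_context(system_u:object_r:NetworkManager_exec_t,s0)` if the helper should run in NetworkManager_t; confirm the intended domain before changing it. The entry would also read better next to the other executable paths than after the /var/run block.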
@@ -17742,7 +17766,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te	2008-11-17 15:44:33.000000000 -0500
 @@ -33,9 +33,9 @@
  
  # networkmanager will ptrace itself if gdb is installed
@@ -17807,7 +17831,7 @@
  libs_use_ld_so(NetworkManager_t)
  libs_use_shared_libs(NetworkManager_t)
  
-@@ -119,27 +129,40 @@
+@@ -119,27 +129,41 @@
  
  seutil_read_config(NetworkManager_t)
  
@@ -17820,6 +17844,7 @@
 +sysnet_kill_dhcpc(NetworkManager_t)
 +sysnet_manage_config(NetworkManager_t)
 +sysnet_read_dhcp_config(NetworkManager_t)
++sysnet_delete_dhcpc_state(NetworkManager_t)
  sysnet_read_dhcpc_pid(NetworkManager_t)
 -sysnet_delete_dhcpc_pid(NetworkManager_t)
  sysnet_search_dhcp_state(NetworkManager_t)
@@ -17854,13 +17879,17 @@
  ')
  
  optional_policy(`
-@@ -151,8 +174,21 @@
+@@ -151,8 +175,25 @@
  ')
  
  optional_policy(`
 -	dbus_system_bus_client_template(NetworkManager, NetworkManager_t)
 -	dbus_connect_system_bus(NetworkManager_t)
 +	dbus_system_domain(NetworkManager_t, NetworkManager_exec_t)
++
++	optional_policy(`
++		consolekit_dbus_chat(NetworkManager_t)
++	')
 +')
 +
 +optional_policy(`
@@ -17878,7 +17907,7 @@
  ')
  
  optional_policy(`
-@@ -160,23 +196,48 @@
+@@ -160,23 +201,48 @@
  ')
  
  optional_policy(`
@@ -17929,7 +17958,7 @@
  ')
  
  optional_policy(`
-@@ -194,7 +255,9 @@
+@@ -194,7 +260,9 @@
  
  optional_policy(`
  	vpn_domtrans(NetworkManager_t)
@@ -18961,6 +18990,182 @@
 +	xen_stream_connect(pegasus_t)
 +	xen_stream_connect_xenstore(pegasus_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.fc serefpolicy-3.5.13/policy/modules/services/pingd.fc
+--- nsaserefpolicy/policy/modules/services/pingd.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/pingd.fc	2008-11-17 14:36:38.000000000 -0500
+@@ -0,0 +1,11 @@
++
++/etc/pingd.conf				--	gen_context(system_u:object_r:pingd_etc_t,s0)
++
++/etc/rc\.d/init\.d/whatsup-pingd  	--  	gen_context(system_u:object_r:pingd_initrc_exec_t,s0)
++
++/usr/lib/pingd(/.*)?		      		gen_context(system_u:object_r:pingd_modules_t,s0)
++
++/usr/sbin/pingd				--	gen_context(system_u:object_r:pingd_exec_t,s0)
++
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.if serefpolicy-3.5.13/policy/modules/services/pingd.if
+--- nsaserefpolicy/policy/modules/services/pingd.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/pingd.if	2008-11-17 14:36:38.000000000 -0500
+@@ -0,0 +1,99 @@
++## <summary>policy for pingd</summary>
++
++########################################
++## <summary>
++##	Execute a domain transition to run pingd.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`pingd_domtrans',`
++	gen_require(`
++		type pingd_t, pingd_exec_t;
++	')
++
++	domtrans_pattern($1,pingd_exec_t,pingd_t)
++')
++
++#######################################
++## <summary>
++##      Read pingd etc configuration files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`pingd_read_etc',`
++        gen_require(`
++                type pingd_etc_t;
++        ')
++
++        files_search_etc($1)
++        read_files_pattern($1, pingd_etc_t, pingd_etc_t)
++')
++
++#######################################
++## <summary>
++##      Manage pingd etc configuration files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`pingd_manage_etc',`
++        gen_require(`
++                type pingd_etc_t;
++        ')
++
++        files_search_etc($1)
++        manage_dirs_pattern($1, pingd_etc_t, pingd_etc_t)
++        manage_files_pattern($1, pingd_etc_t, pingd_etc_t)
++
++')
++
++#######################################
++## <summary>
++##      All of the rules required to administrate 
++##      an pingd environment
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++## <param name="role">
++##      <summary>
++##      The role to be allowed to manage the pingd domain.
++##      </summary>
++## </param>
++## <rolecap/>
++#
++interface(`pingd_admin',`
++        gen_require(`
++                type pingd_t, pingd_etc_t;
++                type pingd_initrc_exec_t, pingd_modules_t;
++        ')
++
++        allow $1 pingd_t:process { ptrace signal_perms };
++        ps_process_pattern($1, pingd_t)
++
++        init_labeled_script_domtrans($1, pingd_initrc_exec_t)
++        domain_system_change_exemption($1)
++        role_transition $2 pingd_initrc_exec_t system_r;
++        allow $2 system_r;
++
++        files_list_etc($1)
++        admin_pattern($1, pingd_etc_t)
++
++	files_list_usr($1)
++        admin_pattern($1, pingd_modules_t)
++
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pingd.te serefpolicy-3.5.13/policy/modules/services/pingd.te
+--- nsaserefpolicy/policy/modules/services/pingd.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/pingd.te	2008-11-17 14:36:38.000000000 -0500
+@@ -0,0 +1,54 @@
++policy_module(pingd,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type pingd_t;
++type pingd_exec_t;
++init_daemon_domain(pingd_t, pingd_exec_t)
++
++type pingd_initrc_exec_t;
++init_script_file(pingd_initrc_exec_t)
++
++# type for config
++type pingd_etc_t;
++files_type(pingd_etc_t);
++
++# type for pingd modules
++type pingd_modules_t;
++files_type(pingd_modules_t)
++
++########################################
++#
++# pingd local policy
++#
++
++allow pingd_t self:capability net_raw;
++allow pingd_t self:tcp_socket create_stream_socket_perms;
++allow pingd_t self:rawip_socket { write read create bind };
++
++read_files_pattern(pingd_t, pingd_etc_t, pingd_etc_t)
++
++read_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
++mmap_files_pattern(pingd_t, pingd_modules_t, pingd_modules_t)
++
++corenet_raw_bind_all_nodes(pingd_t)
++corenet_tcp_bind_all_nodes(pingd_t)
++corenet_tcp_bind_pingd_port(pingd_t)
++
++auth_use_nsswitch(pingd_t)
++
++files_search_usr(pingd_t)
++
++libs_use_ld_so(pingd_t)
++libs_use_shared_libs(pingd_t)
++miscfiles_read_localization(pingd_t)
++
++logging_send_syslog_msg(pingd_t)
++
++permissive pingd_t;
++
++
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pki.fc serefpolicy-3.5.13/policy/modules/services/pki.fc
 --- nsaserefpolicy/policy/modules/services/pki.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.5.13/policy/modules/services/pki.fc	2008-11-13 18:17:36.000000000 -0500
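Review bot: `permissive pingd_t;` at the end of the new pingd.te leaves the whole domain unenforced, so the allow rules above it do not confine the daemon; denials are only logged. Per those rules, the daemon uses raw sockets and binds a TCP port. If this is deliberate while denials are collected, say so next to the statement, e.g. `# TODO: remove once AVC denials for pingd_t have been reviewed`, so the line is not carried into later releases unnoticed. In pingd.if, the `pingd_admin` summary reads "an pingd environment", the interface mixes tab and space indentation, and it grants `ptrace` on pingd_t to the admin domain, which deserves a short why-comment.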
@@ -22022,8 +22227,8 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.te serefpolicy-3.5.13/policy/modules/services/pyzor.te
 --- nsaserefpolicy/policy/modules/services/pyzor.te	2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/pyzor.te	2008-11-11 16:22:03.000000000 -0500
-@@ -6,6 +6,37 @@
++++ serefpolicy-3.5.13/policy/modules/services/pyzor.te	2008-11-14 15:44:34.000000000 -0500
+@@ -6,6 +6,38 @@
  # Declarations
  #
  
@@ -22055,13 +22260,14 @@
 +	typealias spamd_var_lib_t alias pyzor_var_lib_t;
 +	typealias spamd_etc_t alias pyzor_etc_t;
 +	typealias spamc_home_t alias pyzor_home_t;
++	typealias spamc_home_t alias user_pyzor_home_t;
 +
 +',`
 +
  type pyzor_t;
  type pyzor_exec_t;
  application_domain(pyzor_t, pyzor_exec_t)
-@@ -17,7 +48,7 @@
+@@ -17,7 +49,7 @@
  init_daemon_domain(pyzord_t, pyzord_exec_t)
  
  type pyzor_etc_t;
@@ -22070,7 +22276,7 @@
  
  type pyzord_log_t;
  logging_log_file(pyzord_log_t)
-@@ -28,6 +59,14 @@
+@@ -28,6 +60,14 @@
  type pyzor_var_lib_t;
  files_type(pyzor_var_lib_t)
  
@@ -22085,7 +22291,7 @@
  ########################################
  #
  # Pyzor local policy
-@@ -68,6 +107,8 @@
+@@ -68,6 +108,8 @@
  
  miscfiles_read_localization(pyzor_t)
  
@@ -22094,7 +22300,7 @@
  sysadm_dontaudit_search_home_dirs(pyzor_t)
  
  optional_policy(`
-@@ -76,8 +117,13 @@
+@@ -76,8 +118,13 @@
  ')
  
  optional_policy(`
@@ -23644,7 +23850,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.5.13/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/sendmail.if	2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/sendmail.if	2008-11-17 14:01:56.000000000 -0500
 @@ -89,7 +89,7 @@
  		type sendmail_t;
  	')
@@ -24912,7 +25118,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-10-17 08:49:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te	2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te	2008-11-17 14:00:06.000000000 -0500
 @@ -21,16 +21,24 @@
  gen_tunable(spamd_enable_home_dirs, true)
  
@@ -25118,7 +25324,7 @@
 +manage_lnk_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +manage_fifo_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 +manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
-+userdom_user_home_dir_filetrans($1, spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
++userdom_user_home_dir_filetrans(user, spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
 +
 +manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 +manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
@@ -26274,7 +26480,7 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-11-11 16:22:03.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/services/xserver.if	2008-11-17 09:25:42.000000000 -0500
 @@ -16,6 +16,7 @@
  	gen_require(`
  		type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@@ -26283,6 +26489,15 @@
  		attribute x_server_domain;
  		class x_drawable all_x_drawable_perms;
  		class x_colormap all_x_colormap_perms;
+@@ -99,7 +100,7 @@
+ 	# Labeling rules for default windows and colormaps
+ 	type_transition $1_xserver_t $1_xserver_t:{ x_drawable x_colormap } $1_rootwindow_t;
+ 	ifdef(`enable_mls',`
+-		range_transition $1_xserver_t $1_rootwindow_t:x_drawable s0 - mls_systemhigh;
++		range_transition $1_xserver_t $1_xserver_t:x_drawable s0 - mls_systemhigh;
+ 	')
+ 
+ 	kernel_read_system_state($1_xserver_t)
 @@ -134,18 +135,24 @@
  	dev_rw_agp($1_xserver_t)
  	dev_rw_framebuffer($1_xserver_t)
@@ -31233,8 +31448,35 @@
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.5.13/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if	2008-11-13 17:40:46.000000000 -0500
-@@ -553,6 +553,7 @@
++++ serefpolicy-3.5.13/policy/modules/system/sysnetwork.if	2008-11-17 10:48:10.000000000 -0500
+@@ -198,7 +198,25 @@
+ 		type dhcpc_state_t;
+ 	')
+ 
+-	allow $1 dhcpc_state_t:file { getattr read };
++	read_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
++')
++
++#######################################
++## <summary>
++##	Delete the dhcp client state files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`sysnet_delete_dhcpc_state',`
++	gen_require(`
++		type dhcpc_state_t;
++	')
++
++	delete_files_pattern($1, dhcpc_state_t, dhcpc_state_t)
+ ')
+ 
+ #######################################
+@@ -553,6 +571,7 @@
  		type net_conf_t;
  	')
  
@@ -31242,7 +31484,7 @@
  	allow $1 self:tcp_socket create_socket_perms;
  	allow $1 self:udp_socket create_socket_perms;
  
-@@ -569,6 +570,14 @@
+@@ -569,6 +588,14 @@
  
  	files_search_etc($1)
  	allow $1 net_conf_t:file read_file_perms;
@@ -31257,7 +31499,7 @@
  ')
  
  ########################################
-@@ -598,6 +607,8 @@
+@@ -598,6 +625,8 @@
  
  	files_search_etc($1)
  	allow $1 net_conf_t:file read_file_perms;
@@ -31266,7 +31508,7 @@
  ')
  
  ########################################
-@@ -632,3 +643,49 @@
+@@ -632,3 +661,49 @@
  	files_search_etc($1)
  	allow $1 net_conf_t:file read_file_perms;
  ')
@@ -32385,7 +32627,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if	2008-11-13 14:05:51.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if	2008-11-17 14:00:40.000000000 -0500
 @@ -28,10 +28,14 @@
  		class context contains;
  	')



