rpms/selinux-policy/F-9 policy-20071130.patch, 1.231, 1.232 selinux-policy.spec, 1.721, 1.722

Daniel J Walsh dwalsh at fedoraproject.org
Wed Oct 29 18:41:22 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21991

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Oct 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-105
- Allow spamd to manage exim spool


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.231
retrieving revision 1.232
diff -u -r1.231 -r1.232
--- policy-20071130.patch	21 Oct 2008 18:32:05 -0000	1.231
+++ policy-20071130.patch	29 Oct 2008 18:40:50 -0000	1.232
@@ -7654,7 +7654,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in	2008-10-29 11:08:45.000000000 -0400
 @@ -1441,10 +1441,11 @@
  #
  interface(`corenet_tcp_bind_all_unreserved_ports',`
@@ -7665,15 +7665,16 @@
  	')
  
 -	allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
-+	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
++	allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
  ')
  
  ########################################
-@@ -1459,10 +1460,10 @@
+@@ -1459,10 +1460,11 @@
  #
  interface(`corenet_udp_bind_all_unreserved_ports',`
  	gen_require(`
 -		attribute port_type, reserved_port_type;
++		attribute port_type;
 +		type hi_reserved_port_t, reserved_port_t;
  	')
  
@@ -8549,7 +8550,7 @@
  # /emul
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if	2008-10-24 08:41:54.000000000 -0400
 @@ -110,6 +110,11 @@
  ## </param>
  #
@@ -8562,7 +8563,32 @@
  	files_type($1)
  ')
  
-@@ -1266,6 +1271,24 @@
+@@ -1023,6 +1028,24 @@
+ ##	</summary>
+ ## </param>
+ #
++interface(`files_relabel_all_file_type_fs',`
++	gen_require(`
++		attribute file_type;
++	')
++
++	allow $1 file_type:filesystem { relabelfrom relabelto };
++')
++
++########################################
++## <summary>
++##	Relabel a filesystem to the type of a file.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
+ interface(`files_relabelto_all_file_type_fs',`
+ 	gen_require(`
+ 		attribute file_type;
+@@ -1266,6 +1289,24 @@
  
  ########################################
  ## <summary>
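Review bot: The new `files_relabel_all_file_type_fs` interface grants both `relabelfrom` and `relabelto` on every `file_type` filesystem, but the only documentation copy added in this hunk is the one placed in front of the existing `files_relabelto_all_file_type_fs`, so the header the new interface inherits (it sits above the hunk and is not visible here) presumably still describes relabel-to only. Its summary should say what the wider permission set does, e.g. `##	Relabel a filesystem to and from the type of a file.`, so a reader picking between the two interfaces sees the difference. This matters because the mount.te hunk further down moves mount_t from the relabelto-only interface to this one.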
@@ -8587,7 +8613,7 @@
  ##	Unmount a rootfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -1852,6 +1875,26 @@
+@@ -1852,6 +1893,26 @@
  
  ########################################
  ## <summary>
@@ -8614,7 +8640,7 @@
  ##	Do not audit attempts to write generic files in /etc.
  ## </summary>
  ## <param name="domain">
-@@ -2072,7 +2115,8 @@
+@@ -2072,7 +2133,8 @@
  #
  interface(`files_read_etc_runtime_files',`
  	gen_require(`
@@ -8624,7 +8650,7 @@
  	')
  
  	allow $1 etc_t:dir list_dir_perms;
-@@ -2114,7 +2158,8 @@
+@@ -2114,7 +2176,8 @@
  #
  interface(`files_rw_etc_runtime_files',`
  	gen_require(`
@@ -8634,7 +8660,7 @@
  	')
  
  	allow $1 etc_t:dir list_dir_perms;
-@@ -2136,7 +2181,8 @@
+@@ -2136,7 +2199,8 @@
  #
  interface(`files_manage_etc_runtime_files',`
  	gen_require(`
@@ -8644,7 +8670,7 @@
  	')
  
  	manage_files_pattern($1,{ etc_t etc_runtime_t },etc_runtime_t)
-@@ -2160,7 +2206,8 @@
+@@ -2160,7 +2224,8 @@
  #
  interface(`files_etc_filetrans_etc_runtime',`
  	gen_require(`
@@ -8654,7 +8680,7 @@
  	')
  
  	filetrans_pattern($1,etc_t,etc_runtime_t,$2)
-@@ -2187,6 +2234,49 @@
+@@ -2187,6 +2252,49 @@
  
  ########################################
  ## <summary>
@@ -8704,7 +8730,7 @@
  ##	Do not audit attempts to search directories on new filesystems
  ##	that have not yet been labeled.
  ## </summary>
-@@ -2707,6 +2797,24 @@
+@@ -2707,6 +2815,24 @@
  
  ########################################
  ## <summary>
@@ -8729,7 +8755,7 @@
  ##	Create, read, write, and delete symbolic links in /mnt.
  ## </summary>
  ## <param name="domain">
-@@ -3357,6 +3465,8 @@
+@@ -3357,6 +3483,8 @@
  	delete_lnk_files_pattern($1,tmpfile,tmpfile)
  	delete_fifo_files_pattern($1,tmpfile,tmpfile)
  	delete_sock_files_pattern($1,tmpfile,tmpfile)
@@ -8738,7 +8764,7 @@
  ')
  
  ########################################
-@@ -3492,6 +3602,47 @@
+@@ -3492,6 +3620,47 @@
  
  ########################################
  ## <summary>
@@ -8786,7 +8812,7 @@
  ##	Create, read, write, and delete files in the /usr directory.
  ## </summary>
  ## <param name="domain">
-@@ -3510,6 +3661,24 @@
+@@ -3510,6 +3679,24 @@
  
  ########################################
  ## <summary>
@@ -8811,7 +8837,7 @@
  ##	Relabel a file to the type used in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -4712,12 +4881,14 @@
+@@ -4712,12 +4899,14 @@
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
  
@@ -8827,7 +8853,7 @@
  	')
  ')
  
-@@ -4756,3 +4927,71 @@
+@@ -4756,3 +4945,71 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -11329,7 +11355,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-10-21 09:36:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-10-27 16:01:19.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -12701,7 +12727,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.3.1/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/avahi.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/avahi.te	2008-10-27 15:27:01.000000000 -0400
 @@ -10,6 +10,12 @@
  type avahi_exec_t;
  init_daemon_domain(avahi_t,avahi_exec_t)
@@ -13944,12 +13970,12 @@
  # Calendar (PCP) local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.3.1/policy/modules/services/cron.fc
 --- nsaserefpolicy/policy/modules/services/cron.fc	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.fc	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.fc	2008-10-28 08:37:49.000000000 -0400
 @@ -17,6 +17,8 @@
  /var/run/fcron\.fifo		-s	gen_context(system_u:object_r:crond_var_run_t,s0)
  /var/run/fcron\.pid		--	gen_context(system_u:object_r:crond_var_run_t,s0)
  
-+/var/spool/anacron(/.*)			gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/anacron(/.*)?		gen_context(system_u:object_r:system_cron_spool_t,s0)
 +
  /var/spool/at			-d	gen_context(system_u:object_r:cron_spool_t,s0)
  /var/spool/at/spool		-d	gen_context(system_u:object_r:cron_spool_t,s0)
@@ -19167,8 +19193,8 @@
 +/etc/rc\.d/init\.d/kerneloops	--	gen_context(system_u:object_r:kerneloops_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.3.1/policy/modules/services/kerneloops.if
 --- nsaserefpolicy/policy/modules/services/kerneloops.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if	2008-10-14 11:43:20.000000000 -0400
-@@ -0,0 +1,125 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if	2008-10-22 16:50:48.000000000 -0400
+@@ -0,0 +1,140 @@
 +
 +## <summary>policy for kerneloops</summary>
 +
@@ -19191,6 +19217,24 @@
 +	domtrans_pattern($1,kerneloops_exec_t,kerneloops_t)
 +')
 +
++########################################
++## <summary>
++##	Allow domain to manage kerneloops tmp files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`kerneloops_manage_tmp_files',`
++	gen_require(`
++		type kerneloops_tmp_t;
++	')
++
++	manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
++	files_search_tmp($1)
++')
 +
 +########################################
 +## <summary>
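Review bot: The `<param name="domain">` description of the new `kerneloops_manage_tmp_files` interface reads `Domain to not audit.`, which is the wording of a dontaudit interface, while the body grants `manage_files_pattern` plus `files_search_tmp`. Replace it with `##	Domain allowed access.` as the other interfaces in this file do (see the `files_relabelto_all_file_type_fs` header earlier in the patch).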
@@ -19276,28 +19320,25 @@
 +#
 +interface(`kerneloops_admin',`
 +	gen_require(`
-+		type kerneloops_t;
++		type kerneloops_t, kerneloops_initrc_exec_t;
++		type kerneloops_tmp_t;
 +	')
 +
 +	allow $1 kerneloops_t:process { ptrace signal_perms getattr };
 +	read_files_pattern($1, kerneloops_t, kerneloops_t)
 +	        
-+
-+	gen_require(`
-+		type kerneloops_script_exec_t;
-+	')
-+
 +	# Allow kerneloops_t to restart the apache service
 +	kerneloops_script_domtrans($1)
 +	domain_system_change_exemption($1)
 +	role_transition $2 kerneloops_script_exec_t system_r;
 +	allow $2 system_r;
 +
++	admin_pattern($1, kerneloops_tmp_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.3.1/policy/modules/services/kerneloops.te
 --- nsaserefpolicy/policy/modules/services/kerneloops.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerneloops.te	2008-10-14 11:43:20.000000000 -0400
-@@ -0,0 +1,57 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerneloops.te	2008-10-22 16:49:51.000000000 -0400
+@@ -0,0 +1,63 @@
 +policy_module(kerneloops,1.0.0)
 +
 +########################################
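Review bot: The `gen_require` of `kerneloops_admin` now lists `kerneloops_initrc_exec_t`, but the body still uses `kerneloops_script_exec_t` in `role_transition $2 kerneloops_script_exec_t system_r;`, and the separate `gen_require` that declared it is deleted in this hunk; the kerneloops.te hunk below declares `type kerneloops_script_exec_t;` and no `kerneloops_initrc_exec_t`, so unless that type is declared somewhere not shown, the interface requires a type that does not exist and uses one it has not required. The first require line should read `type kerneloops_t, kerneloops_script_exec_t;`. The comment `# Allow kerneloops_t to restart the apache service` also looks copied from another module; the rules below it let `$1` run the kerneloops init script, so `# Allow $1 to restart the kerneloops service` describes them.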
@@ -19313,6 +19354,9 @@
 +type kerneloops_script_exec_t;
 +init_script_file(kerneloops_script_exec_t)
 +
++type kerneloops_tmp_t;
++files_tmp_file(kerneloops_tmp_t)
++
 +########################################
 +#
 +# kerneloops local policy
@@ -19336,6 +19380,9 @@
 +corenet_tcp_bind_http_port(kerneloops_t)
 +corenet_tcp_connect_http_port(kerneloops_t)
 +
++manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
++files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
++
 +files_read_etc_files(kerneloops_t)
 +
 +kernel_read_ring_buffer(kerneloops_t)
@@ -20180,7 +20227,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/munin.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/munin.te	2008-10-28 19:45:45.000000000 -0400
 @@ -25,26 +25,33 @@
  type munin_var_run_t alias lrrd_var_run_t;
  files_pid_file(munin_var_run_t)
@@ -20231,7 +20278,7 @@
  
  corenet_all_recvfrom_unlabeled(munin_t)
  corenet_all_recvfrom_netlabel(munin_t)
-@@ -73,27 +82,37 @@
+@@ -73,27 +82,38 @@
  corenet_udp_sendrecv_all_nodes(munin_t)
  corenet_tcp_sendrecv_all_ports(munin_t)
  corenet_udp_sendrecv_all_ports(munin_t)
@@ -20244,7 +20291,7 @@
  dev_read_urand(munin_t)
  
  domain_use_interactive_fds(munin_t)
-+domain_dontaudit_read_all_domains_state(munin_t)
++domain_read_all_domains_state(munin_t)
  
  files_read_etc_files(munin_t)
  files_read_etc_runtime_files(munin_t)
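Review bot: Replacing `domain_dontaudit_read_all_domains_state(munin_t)` with `domain_read_all_domains_state(munin_t)` turns a silenced denial into a grant of read access to the process state of every domain on the system, and the hunk carries no comment explaining which munin plugin needs it; the changelog entry for this release mentions only the spamd/exim change. A one-line comment above the call, e.g. `# munin process plugins read /proc/<pid> state of all domains`, would record the reason, and if only a specific plugin needs it, confining that plugin would be the narrower fix.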
@@ -20253,9 +20300,10 @@
  
  fs_getattr_all_fs(munin_t)
  fs_search_auto_mountpoints(munin_t)
- 
-+auth_use_nsswitch(munin_t)
++fs_list_inotifyfs(munin_t)
 +
++auth_use_nsswitch(munin_t)
+ 
  libs_use_ld_so(munin_t)
  libs_use_shared_libs(munin_t)
  
@@ -20270,7 +20318,7 @@
  
  userdom_dontaudit_use_unpriv_user_fds(munin_t)
  userdom_dontaudit_search_sysadm_home_dirs(munin_t)
-@@ -108,7 +127,21 @@
+@@ -108,7 +128,21 @@
  ')
  
  optional_policy(`
@@ -20293,7 +20341,7 @@
  ')
  
  optional_policy(`
-@@ -118,3 +151,9 @@
+@@ -118,3 +152,9 @@
  optional_policy(`
  	udev_read_db(munin_t)
  ')
@@ -24230,7 +24278,7 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te
 --- nsaserefpolicy/policy/modules/services/ppp.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/ppp.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ppp.te	2008-10-29 10:47:47.000000000 -0400
 @@ -71,7 +71,7 @@
  # PPPD Local policy
  #
@@ -24321,7 +24369,7 @@
  miscfiles_read_localization(pptp_t)
  
  sysnet_read_config(pptp_t)
-+sysnet_exec_ifconfig(pppd_t)
++sysnet_exec_ifconfig(pptp_t)
  
  userdom_dontaudit_use_unpriv_user_fds(pptp_t)
  userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
@@ -24565,8 +24613,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-10-14 11:43:20.000000000 -0400
-@@ -0,0 +1,325 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-10-24 09:28:40.000000000 -0400
+@@ -0,0 +1,338 @@
 +
 +policy_module(prelude, 1.0.0)
 +
@@ -24638,7 +24686,7 @@
 +# prelude local policy
 +#
 +
-+allow prelude_t self:capability sys_tty_config;
++allow prelude_t self:capability { dac_override sys_tty_config };
 +allow prelude_t self:fifo_file rw_file_perms;
 +allow prelude_t self:unix_stream_socket create_stream_socket_perms;
 +allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
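Review bot: `dac_override` is added to `prelude_t`'s self capabilities here without a comment saying which file it cannot otherwise reach, and the same capability is added to `prelude_audisp_t` and `prelude_correlator_t` in the two prelude hunks that follow. `dac_override` bypasses every DAC permission check, so a denial for it usually points at a file ownership or mode mismatch that is better fixed in the package; if the daemon only needs to read or traverse, `dac_read_search` is the narrower capability. At minimum each of the three lines deserves a comment naming the path that produced the denial, e.g. `# dac_override: <path to confirm> is owned by another user`.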
@@ -24707,7 +24755,7 @@
 +#
 +# prelude_audisp local policy
 +#
-+
++allow prelude_audisp_t self:capability dac_override;
 +allow prelude_audisp_t self:fifo_file rw_file_perms;
 +allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
 +allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -24755,15 +24803,17 @@
 +# prelude_correlator local policy
 +#
 +
++allow prelude_correlator_t self:capability dac_override;
 +allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
 +allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
 +allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
 +
++allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
 +read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
 +
 +prelude_manage_spool(prelude_correlator_t)
 +
-+corecmd_search_sbin(prelude_correlator_t)
++corecmd_search_bin(prelude_correlator_t)
 +
 +corenet_all_recvfrom_unlabeled(prelude_correlator_t)
 +corenet_all_recvfrom_netlabel(prelude_correlator_t)
@@ -24771,6 +24821,8 @@
 +corenet_tcp_sendrecv_all_nodes(prelude_correlator_t)
 +corenet_tcp_connect_prelude_port(prelude_correlator_t)
 +
++kernel_read_sysctl(prelude_correlator_t)
++
 +dev_read_rand(prelude_correlator_t)
 +dev_read_urand(prelude_correlator_t)
 +
@@ -24818,7 +24870,7 @@
 +manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
 +files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
 +
-+corecmd_search_bin(prelude_lml_t)
++corecmd_exec_bin(prelude_lml_t)
 +
 +corenet_tcp_sendrecv_generic_if(prelude_lml_t)
 +corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
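Review bot: `corecmd_search_bin(prelude_lml_t)` becomes `corecmd_exec_bin(prelude_lml_t)`, which lets prelude-lml execute any `bin_t` binary in its own domain, and nothing in the hunk says which helper it runs. A comment naming the program, e.g. `# prelude-lml runs <helper to confirm> from /usr/bin`, would let a later reader judge whether a dedicated domain transition should replace the blanket exec; the prewikka hunk in the same file already uses the narrower `can_exec` on a single type, which is the pattern to prefer when the executable is known.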
@@ -24830,6 +24882,8 @@
 +dev_read_rand(prelude_lml_t)
 +dev_read_urand(prelude_lml_t)
 +
++kernel_read_sysctl(prelude_lml_t)
++
 +files_list_etc(prelude_lml_t)
 +files_read_etc_files(prelude_lml_t)
 +files_read_etc_runtime_files(prelude_lml_t)
@@ -24839,6 +24893,8 @@
 +files_search_var_lib(prelude_lml_t)
 +
 +fs_list_inotifyfs(prelude_lml_t)
++fs_read_anon_inodefs_files(prelude_lml_t)
++fs_rw_anon_inodefs_files(prelude_lml_t)
 +
 +auth_use_nsswitch(prelude_lml_t)
 +
@@ -24854,6 +24910,8 @@
 +
 +sysnet_dns_name_resolve(prelude_lml_t)
 +
++userdom_read_all_users_state(prelude_lml_t)
++
 +optional_policy(`
 +	gamin_exec(prelude_lml_t)
 +')
@@ -24870,10 +24928,13 @@
 +
 +optional_policy(`
 +	apache_content_template(prewikka)
-+	files_search_tmp(httpd_prewikka_script_t)
 +	files_read_etc_files(httpd_prewikka_script_t)
++	files_search_tmp(httpd_prewikka_script_t)
 +
-+	apache_search_sys_content(httpd_prewikka_script_t)
++	kernel_read_sysctl(httpd_prewikka_script_t)
++	kernel_search_network_sysctl(httpd_prewikka_script_t)
++
++	can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
 +
 +	corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
 +
@@ -24881,7 +24942,7 @@
 +
 +	logging_send_syslog_msg(httpd_prewikka_script_t)
 +
-+	can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
++	apache_search_sys_content(httpd_prewikka_script_t)
 +
 +	optional_policy(`
 +		mysql_search_db(httpd_prewikka_script_t)
@@ -26840,7 +26901,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/samba.te	2008-10-21 13:55:35.000000000 -0400
 @@ -17,6 +17,13 @@
  
  ## <desc>
@@ -26985,16 +27046,18 @@
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -320,6 +346,8 @@
+@@ -320,6 +346,10 @@
  userdom_dontaudit_use_unpriv_user_fds(smbd_t)
  userdom_use_unpriv_users_fds(smbd_t)
  
++usermanage_read_crack_db(smbd_t)
++
 +term_use_ptmx(smbd_t)
 +
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -340,6 +368,25 @@
+@@ -340,6 +370,25 @@
  tunable_policy(`samba_share_nfs',`
  	fs_manage_nfs_dirs(smbd_t)
  	fs_manage_nfs_files(smbd_t)
@@ -27020,7 +27083,7 @@
  ')
  
  optional_policy(`
-@@ -363,6 +410,12 @@
+@@ -363,6 +412,12 @@
  	udev_read_db(smbd_t)
  ')
  
@@ -27033,7 +27096,7 @@
  tunable_policy(`samba_export_all_ro',`
  	fs_read_noxattr_fs_files(smbd_t) 
  	auth_read_all_files_except_shadow(smbd_t)
-@@ -391,7 +444,7 @@
+@@ -391,7 +446,7 @@
  allow nmbd_t self:msgq create_msgq_perms;
  allow nmbd_t self:sem create_sem_perms;
  allow nmbd_t self:shm create_shm_perms;
@@ -27042,7 +27105,7 @@
  allow nmbd_t self:tcp_socket create_stream_socket_perms;
  allow nmbd_t self:udp_socket create_socket_perms;
  allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +456,7 @@
+@@ -403,8 +458,7 @@
  read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
  
  manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -27052,7 +27115,7 @@
  
  read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +491,7 @@
+@@ -439,6 +493,7 @@
  dev_getattr_mtrr_dev(nmbd_t)
  
  fs_getattr_all_fs(nmbd_t)
@@ -27060,7 +27123,7 @@
  fs_search_auto_mountpoints(nmbd_t)
  
  domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +575,7 @@
+@@ -522,6 +577,7 @@
  storage_raw_write_fixed_disk(smbmount_t)
  
  term_list_ptys(smbmount_t)
@@ -27068,7 +27131,7 @@
  
  corecmd_list_bin(smbmount_t)
  
-@@ -533,41 +587,50 @@
+@@ -533,41 +589,50 @@
  
  auth_use_nsswitch(smbmount_t)
  
@@ -27129,7 +27192,7 @@
  allow swat_t smbd_var_run_t:file read;
  
  manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +640,9 @@
+@@ -577,7 +642,9 @@
  manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
  files_pid_filetrans(swat_t,swat_var_run_t,file)
  
@@ -27140,7 +27203,7 @@
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -602,10 +667,12 @@
+@@ -602,10 +669,12 @@
  
  dev_read_urand(swat_t)
  
@@ -27153,7 +27216,7 @@
  
  auth_domtrans_chk_passwd(swat_t)
  auth_use_nsswitch(swat_t)
-@@ -614,6 +681,7 @@
+@@ -614,6 +683,7 @@
  libs_use_shared_libs(swat_t)
  
  logging_send_syslog_msg(swat_t)
@@ -27161,7 +27224,7 @@
  logging_search_logs(swat_t)
  
  miscfiles_read_localization(swat_t)
-@@ -631,6 +699,17 @@
+@@ -631,6 +701,17 @@
  	kerberos_use(swat_t)
  ')
  
@@ -27179,7 +27242,7 @@
  ########################################
  #
  # Winbind local policy
-@@ -673,12 +752,15 @@
+@@ -673,12 +754,15 @@
  
  manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
  manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
@@ -27195,7 +27258,7 @@
  kernel_read_kernel_sysctls(winbind_t)
  kernel_list_proc(winbind_t)
  kernel_read_proc_symlinks(winbind_t)
-@@ -764,8 +846,13 @@
+@@ -764,8 +848,13 @@
  miscfiles_read_localization(winbind_helper_t) 
  
  optional_policy(`
@@ -27209,7 +27272,7 @@
  ')
  
  ########################################
-@@ -774,19 +861,64 @@
+@@ -774,19 +863,64 @@
  #
  
  optional_policy(`
@@ -29106,7 +29169,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te	2008-10-28 08:44:03.000000000 -0400
 @@ -21,8 +21,10 @@
  gen_tunable(spamd_enable_home_dirs,true)
  
@@ -29222,7 +29285,7 @@
  	fs_manage_cifs_files(spamd_t)
  ')
  
-@@ -171,6 +219,7 @@
+@@ -171,10 +219,15 @@
  
  optional_policy(`
  	dcc_domtrans_client(spamd_t)
@@ -29230,7 +29293,15 @@
  	dcc_stream_connect_dccifd(spamd_t)
  ')
  
-@@ -198,6 +247,11 @@
+ optional_policy(`
++	exim_manage_spool(spamd_t)
++')
++
++optional_policy(`
+ 	mysql_search_db(spamd_t)
+ 	mysql_stream_connect(spamd_t)
+ ')
+@@ -198,6 +251,11 @@
  
  optional_policy(`
  	razor_domtrans(spamd_t)
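Review bot: `exim_manage_spool(spamd_t)` grants create, write and delete on the exim spool, while spamd acting as a content filter typically only needs to read and rewrite the message it is handed; if exim.if offers a read/write-only spool interface, that would be the narrower grant, and the reason for full manage belongs in a comment such as `# spamd rewrites exim spool files when run as a transport filter`. The `optional_policy` wrapper only tolerates a missing exim module, not a misspelled interface name, so the name should be checked against the exim.if in this patch, which is not visible on this page.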
@@ -29242,7 +29313,7 @@
  ')
  
  optional_policy(`
-@@ -212,3 +266,216 @@
+@@ -212,3 +270,216 @@
  optional_policy(`
  	udev_read_db(spamd_t)
  ')
@@ -30265,7 +30336,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.3.1/policy/modules/services/tor.te
 --- nsaserefpolicy/policy/modules/services/tor.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/tor.te	2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/tor.te	2008-10-24 08:19:23.000000000 -0400
 @@ -26,11 +26,15 @@
  type tor_var_run_t;
  files_pid_file(tor_var_run_t)
@@ -30278,7 +30349,7 @@
  # tor local policy
  #
  
-+allow tor_t self:capability { setgid setuid };
++allow tor_t self:capability { setgid setuid sys_tty_config };
  allow tor_t self:fifo_file { read write };
  allow tor_t self:unix_stream_socket create_stream_socket_perms;
  allow tor_t self:netlink_route_socket r_netlink_socket_perms;
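Review bot: `sys_tty_config` is added to `allow tor_t self:capability { setgid setuid sys_tty_config };`, whereas this patch handles the same capability for another daemon with `dontaudit syslogd_t self:capability sys_tty_config;` in logging.te, because daemons usually probe it at startup without needing it. Unless tor actually configures a tty, the matching line here is `dontaudit tor_t self:capability sys_tty_config;` on its own line, keeping the allow rule at `{ setgid setuid }`.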
@@ -33786,7 +33857,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-10-20 14:36:17.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te	2008-10-29 14:03:49.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
@@ -33982,7 +34053,19 @@
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -478,6 +518,7 @@
+@@ -414,6 +454,11 @@
+ 	# happens during boot (/sbin/rc execs init scripts)
+ 	seutil_read_default_contexts(initrc_t)
+ 
++	# /lib/rcscripts/net/system.sh rewrites resolv.conf :(
++	sysnet_create_config(initrc_t)
++	sysnet_write_config(initrc_t)
++	sysnet_setattr_config(initrc_t)	
++
+ 	optional_policy(`
+ 		arpwatch_manage_data_files(initrc_t)
+ 	')
+@@ -478,6 +523,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
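Review bot: The added `sysnet_setattr_config(initrc_t)	` line ends in a trailing tab, which is the only whitespace defect in the three new rules and will show up in every later diff of this block. The surrounding `seutil_read_default_contexts(initrc_t)` and `/sbin/rc` context suggest this sits inside a distribution-specific `ifdef` that starts above the hunk, so the grant of write access to network configuration does not apply to every build; a comment stating the distro alongside the existing `# /lib/rcscripts/net/system.sh rewrites resolv.conf :(` would make that scope visible in the hunk itself.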
@@ -33990,7 +34073,7 @@
  	')
  
  	optional_policy(`
-@@ -496,6 +537,31 @@
+@@ -496,6 +542,31 @@
  	')
  ')
  
@@ -34022,7 +34105,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -554,16 +620,12 @@
+@@ -554,16 +625,12 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -34043,7 +34126,7 @@
  ')
  
  optional_policy(`
-@@ -639,12 +701,6 @@
+@@ -639,12 +706,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -34056,7 +34139,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -705,6 +761,9 @@
+@@ -705,6 +766,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -34066,7 +34149,7 @@
  ')
  
  optional_policy(`
-@@ -717,9 +776,11 @@
+@@ -717,9 +781,11 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -34081,7 +34164,7 @@
  ')
  
  optional_policy(`
-@@ -738,6 +799,11 @@
+@@ -738,6 +804,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -34093,7 +34176,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -752,6 +818,10 @@
+@@ -752,6 +823,10 @@
  ')
  
  optional_policy(`
@@ -34104,7 +34187,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -774,3 +844,4 @@
+@@ -774,3 +849,4 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -34786,7 +34869,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-10-15 17:44:59.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.te	2008-10-27 14:56:48.000000000 -0400
 @@ -61,10 +61,29 @@
  logging_log_file(var_log_t)
  files_mountpoint(var_log_t)
@@ -34817,15 +34900,7 @@
  ########################################
  #
  # Auditctl local policy
-@@ -84,6 +103,7 @@
- kernel_read_kernel_sysctls(auditctl_t)
- kernel_read_proc_symlinks(auditctl_t)
- 
-+
- domain_read_all_domains_state(auditctl_t)
- domain_use_interactive_fds(auditctl_t)
- 
-@@ -112,6 +132,7 @@
+@@ -112,6 +131,7 @@
  allow auditd_t self:file { getattr read write };
  allow auditd_t self:unix_dgram_socket create_socket_perms;
  allow auditd_t self:fifo_file rw_file_perms;
@@ -34833,7 +34908,7 @@
  
  allow auditd_t auditd_etc_t:dir list_dir_perms;
  allow auditd_t auditd_etc_t:file read_file_perms;
-@@ -133,9 +154,18 @@
+@@ -133,9 +153,18 @@
  
  fs_getattr_all_fs(auditd_t)
  fs_search_auto_mountpoints(auditd_t)
@@ -34852,7 +34927,7 @@
  # Needs to be able to run dispatcher.  see /etc/audit/auditd.conf
  # Probably want a transition, and a new auditd_helper app
  corecmd_exec_bin(auditd_t)
-@@ -150,6 +180,8 @@
+@@ -150,6 +179,8 @@
  
  logging_set_audit_parameters(auditd_t)
  logging_send_syslog_msg(auditd_t)
@@ -34861,7 +34936,7 @@
  
  libs_use_ld_so(auditd_t)
  libs_use_shared_libs(auditd_t)
-@@ -158,9 +190,12 @@
+@@ -158,9 +189,12 @@
  
  mls_file_read_all_levels(auditd_t)
  mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -34874,7 +34949,7 @@
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
  
-@@ -171,6 +206,10 @@
+@@ -171,6 +205,10 @@
  ')
  
  optional_policy(`
@@ -34885,7 +34960,7 @@
  	seutil_sigchld_newrole(auditd_t)
  ')
  
-@@ -208,6 +247,7 @@
+@@ -208,6 +246,7 @@
  
  fs_getattr_all_fs(klogd_t)
  fs_search_auto_mountpoints(klogd_t)
@@ -34893,7 +34968,7 @@
  
  domain_use_interactive_fds(klogd_t)
  
-@@ -252,7 +292,6 @@
+@@ -252,7 +291,6 @@
  dontaudit syslogd_t self:capability sys_tty_config;
  # setpgid for metalog
  allow syslogd_t self:process { signal_perms setpgid };
@@ -34901,16 +34976,7 @@
  # receive messages to be logged
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -262,7 +301,7 @@
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
- 
- allow syslogd_t syslog_conf_t:file read_file_perms;
--
-+ 
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
- files_pid_filetrans(syslogd_t,devlog_t,sock_file)
-@@ -274,6 +313,9 @@
+@@ -274,6 +312,9 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
@@ -34920,7 +34986,7 @@
  # manage temporary files
  manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
-@@ -289,12 +331,14 @@
+@@ -289,6 +330,7 @@
  manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
  files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
  
@@ -34928,13 +34994,15 @@
  kernel_read_kernel_sysctls(syslogd_t)
  kernel_read_proc_symlinks(syslogd_t)
  # Allow access to /proc/kmsg for syslog-ng
- kernel_read_messages(syslogd_t)
+@@ -296,6 +338,8 @@
  kernel_clear_ring_buffer(syslogd_t)
  kernel_change_ring_buffer_level(syslogd_t)
-+files_read_kernel_symbol_table(syslogd_t)
  
++files_read_kernel_symbol_table(syslogd_t)
++
  dev_filetrans(syslogd_t,devlog_t,sock_file)
  dev_read_sysfs(syslogd_t)
+ 
 @@ -327,6 +371,8 @@
  # Allow users to define additional syslog ports to connect to
  corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -35003,6 +35071,7 @@
 +
 +## internal communication is often done using fifo and unix sockets.
 +allow audisp_t self:fifo_file rw_file_perms;
++allow audisp_t self:unix_dgram_socket create_socket_perms;
 +allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 +allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
 +
@@ -35021,7 +35090,6 @@
 +mls_file_write_all_levels(audisp_t) 
 +
 +corecmd_search_bin(audisp_t)
-+allow audisp_t self:unix_dgram_socket create_socket_perms;
 +
 +sysnet_dns_name_resolve(audisp_t)
 +
@@ -35558,7 +35626,7 @@
  		samba_run_smbmount($1, $2, $3)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/mount.te	2008-10-20 11:20:36.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/mount.te	2008-10-24 08:41:12.000000000 -0400
 @@ -18,17 +18,18 @@
  init_system_domain(mount_t,mount_exec_t)
  role system_r types mount_t;
@@ -35634,6 +35702,15 @@
  
  term_use_all_terms(mount_t)
  
+@@ -87,7 +95,7 @@
+ files_mounton_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
+ # These rules need to be generalized.  Only admin, initrc should have it:
+-files_relabelto_all_file_type_fs(mount_t)
++files_relabel_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+ files_unmount_all_file_type_fs(mount_t)
+ # for when /etc/mtab loses its type
 @@ -100,6 +108,8 @@
  init_use_fds(mount_t)
  init_use_script_ptys(mount_t)
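Review bot: Switching `mount_t` from `files_relabelto_all_file_type_fs` to `files_relabel_all_file_type_fs` adds `relabelfrom` on every `file_type` filesystem, directly under the existing comment `# These rules need to be generalized.  Only admin, initrc should have it:`, which already flags the relabelto-only version as too broad. The hunk gives no reason for the extra permission; a comment such as `# relabelfrom needed for <mount case to confirm>` should accompany it, and if it is for a specific mount option or filesystem type, a narrower interface would be preferable.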
@@ -38299,7 +38376,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-10-15 11:50:09.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-10-28 09:54:16.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.721
retrieving revision 1.722
diff -u -r1.721 -r1.722
--- selinux-policy.spec	21 Oct 2008 18:32:06 -0000	1.721
+++ selinux-policy.spec	29 Oct 2008 18:40:51 -0000	1.722
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 104%{?dist}
+Release: 105%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -309,11 +309,6 @@
 [ "${SELINUXTYPE}" != "targeted" ] && exit 0
 setsebool -P use_nfs_home_dirs=1
 semanage user -l | grep -s unconfined_u 
-if [ $? -eq 0 ]; then
-   semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
-else
-   semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u  2> /dev/null
-fi
 seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
 [ "$seuser" != "unconfined_u" ]  && semanage login -m -s "unconfined_u"  -r s0-s0:c0.c1023 __default__
 seuser=`semanage login -l | grep root | awk '{ print $2 }'`
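Review bot: With the `if [ $? -eq 0 ]` block removed, the preceding `semanage user -l | grep -s unconfined_u` on the line above is now a dead command whose exit status nobody reads, so it should either be deleted as well or the `semanage user -m`/`-a` handling restored. The %post section therefore no longer creates or updates the `unconfined_u` SELinux user mapping, yet the changelog entry for 3.3.1-105 lists only the spamd/exim change; a changelog line recording the removal would help anyone debugging a missing `unconfined_u` after upgrade.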
@@ -387,6 +382,9 @@
 %endif
 
 %changelog
+* Tue Oct 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-105
+- Allow spamd to manage exim spool
+
 * Mon Oct 20 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-104
 - Remove mod_fcgid-selinux package
 



