rpms/selinux-policy/F-9 policy-20071130.patch, 1.209, 1.210 selinux-policy.spec, 1.708, 1.709

Daniel J Walsh dwalsh at fedoraproject.org
Fri Sep 19 13:54:22 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5547

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Tue Sep 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-92
- Dontaudit attempts to write user_tmp_t by gssd_t


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.209
retrieving revision 1.210
diff -u -r1.209 -r1.210
--- policy-20071130.patch	16 Sep 2008 17:37:55 -0000	1.209
+++ policy-20071130.patch	19 Sep 2008 13:54:21 -0000	1.210
@@ -5332,7 +5332,7 @@
 +/usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.3.1/policy/modules/apps/mozilla.if
 --- nsaserefpolicy/policy/modules/apps/mozilla.if	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if	2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/apps/mozilla.if	2008-09-17 07:36:20.000000000 -0400
 @@ -35,7 +35,10 @@
  template(`mozilla_per_role_template',`
  	gen_require(`
@@ -5344,7 +5344,7 @@
  
  	########################################
  	#
-@@ -45,20 +48,26 @@
+@@ -45,36 +48,46 @@
  	application_domain($1_mozilla_t,mozilla_exec_t)
  	role $3 types $1_mozilla_t;
  
@@ -5372,15 +5372,16 @@
  
  	allow $1_mozilla_t self:capability { sys_nice setgid setuid };
 -	allow $1_mozilla_t self:process { sigkill signal setsched getsched setrlimit };
-+	allow $1_mozilla_t self:process { ptrace sigkill signal setsched getsched setrlimit };
++	allow $1_mozilla_t self:process { ptrace sigkill signal signull setsched getsched setrlimit };
  	allow $1_mozilla_t self:fifo_file rw_fifo_file_perms;
  	allow $1_mozilla_t self:shm { unix_read unix_write read write destroy create };
  	allow $1_mozilla_t self:sem create_sem_perms;
-@@ -66,15 +75,19 @@
+ 	allow $1_mozilla_t self:socket create_socket_perms;
  	allow $1_mozilla_t self:unix_stream_socket { listen accept };
  	# Browse the web, connect to printer
- 	allow $1_mozilla_t self:tcp_socket create_socket_perms;
+-	allow $1_mozilla_t self:tcp_socket create_socket_perms;
 -	allow $1_mozilla_t self:netlink_route_socket r_netlink_socket_perms;
++	allow $1_mozilla_t self:tcp_socket create_stream_socket_perms;
  
  	# for bash - old mozilla binary
  	can_exec($1_mozilla_t, mozilla_exec_t)
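Review bot: The new `allow $1_mozilla_t self:tcp_socket create_stream_socket_perms;` widens the browser domain beyond the old create_socket_perms: in refpolicy's obj_perm_sets the stream set additionally grants listen and accept, so $1_mozilla_t may now accept inbound TCP connections, and neither this hunk nor the changelog says which feature needs that. If an inbound listener really is required (plugins, remote-control socket), a comment naming it would keep the widening reviewable, e.g. `# listen/accept needed for <feature> -- confirm`; otherwise the previous create_socket_perms plus a narrower rule is preferable. The `signull` addition on the same template is benign by comparison. The enclosing mozilla_per_role_template body starts and ends outside this hunk.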
@@ -5485,15 +5486,16 @@
  
  	# Browse the web, connect to printer
  	corenet_all_recvfrom_unlabeled($1_mozilla_t)
-@@ -139,7 +181,6 @@
+@@ -139,7 +181,7 @@
  	corenet_tcp_connect_http_cache_port($1_mozilla_t)
  	corenet_tcp_connect_ftp_port($1_mozilla_t)
  	corenet_tcp_connect_ipp_port($1_mozilla_t)
 -	corenet_tcp_connect_generic_port($1_mozilla_t)
++	corenet_tcp_connect_flash_port($1_mozilla_t)
  	corenet_sendrecv_http_client_packets($1_mozilla_t)
  	corenet_sendrecv_http_cache_client_packets($1_mozilla_t)
  	corenet_sendrecv_ftp_client_packets($1_mozilla_t)
-@@ -151,6 +192,7 @@
+@@ -151,6 +193,7 @@
  
  	dev_read_urand($1_mozilla_t)
  	dev_read_rand($1_mozilla_t)
@@ -5501,7 +5503,7 @@
  	dev_write_sound($1_mozilla_t)
  	dev_read_sound($1_mozilla_t)
  	dev_dontaudit_rw_dri($1_mozilla_t)
-@@ -165,13 +207,28 @@
+@@ -165,13 +208,28 @@
  	files_read_var_files($1_mozilla_t)
  	files_read_var_symlinks($1_mozilla_t)
   	files_dontaudit_getattr_boot_dirs($1_mozilla_t)
@@ -5530,7 +5532,7 @@
  	libs_use_ld_so($1_mozilla_t)
  	libs_use_shared_libs($1_mozilla_t)
  
-@@ -180,18 +237,10 @@
+@@ -180,18 +238,11 @@
  	miscfiles_read_fonts($1_mozilla_t)
  	miscfiles_read_localization($1_mozilla_t)
  
@@ -5548,11 +5550,12 @@
 +	userdom_dontaudit_use_user_terminals($1,$1_mozilla_t)
  	
 -	xserver_user_client_template($1,$1_mozilla_t,$1_mozilla_tmpfs_t)
++	xserver_read_xdm_pid($1_mozilla_t)
 +	xserver_user_x_domain_template($1,$1_mozilla,$1_mozilla_t,$1_mozilla_tmpfs_t)
  	xserver_dontaudit_read_xdm_tmp_files($1_mozilla_t)
  	xserver_dontaudit_getattr_xdm_tmp_sockets($1_mozilla_t)
  
-@@ -211,131 +260,8 @@
+@@ -211,131 +262,8 @@
  		fs_manage_cifs_symlinks($1_mozilla_t)
  	')
  
@@ -5686,7 +5689,7 @@
  	')
  
  	optional_policy(`
-@@ -350,57 +276,58 @@
+@@ -350,57 +278,58 @@
  	optional_policy(`
  		cups_read_rw_config($1_mozilla_t)
  		cups_dbus_chat($1_mozilla_t)
@@ -5769,7 +5772,7 @@
  ')
  
  ########################################
-@@ -430,11 +357,11 @@
+@@ -430,11 +359,11 @@
  #
  template(`mozilla_read_user_home_files',`
  	gen_require(`
@@ -5784,7 +5787,7 @@
  ')
  
  ########################################
-@@ -464,11 +391,10 @@
+@@ -464,11 +393,10 @@
  #
  template(`mozilla_write_user_home_files',`
  	gen_require(`
@@ -5798,7 +5801,7 @@
  ')
  
  ########################################
-@@ -573,3 +499,27 @@
+@@ -573,3 +501,27 @@
  
  	allow $2 $1_mozilla_t:tcp_socket rw_socket_perms;
  ')
@@ -5858,8 +5861,17 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.fc serefpolicy-3.3.1/policy/modules/apps/mplayer.fc
 --- nsaserefpolicy/policy/modules/apps/mplayer.fc	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/apps/mplayer.fc	2008-09-08 11:45:12.000000000 -0400
-@@ -10,4 +10,4 @@
++++ serefpolicy-3.3.1/policy/modules/apps/mplayer.fc	2008-09-17 07:30:29.000000000 -0400
+@@ -1,13 +1,8 @@
+ #
+-# /etc
+-#
+-/etc/mplayer(/.*)?		gen_context(system_u:object_r:mplayer_etc_t,s0)
+-
+-#
+ # /usr
+ #
+ /usr/bin/mplayer	--	gen_context(system_u:object_r:mplayer_exec_t,s0)
  /usr/bin/mencoder	--	gen_context(system_u:object_r:mencoder_exec_t,s0)
  /usr/bin/xine		--	gen_context(system_u:object_r:mplayer_exec_t,s0)
  
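Review bot: Dropping the `/etc/mplayer(/.*)?` file context means those config files fall back to etc_t on the next relabel, while the mplayer_etc_t type that the removed line referenced is not touched in this hunk. If mplayer.te still declares mplayer_etc_t and carries rules on it, those rules become dead and should be removed in the same change (or the type kept deliberately, with a comment saying why); I cannot see the .te side from here, so please confirm. A short note in the changelog that mplayer config is now plain etc_t would also help anyone diagnosing labelling differences after the upgrade.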
@@ -6644,8 +6656,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.if serefpolicy-3.3.1/policy/modules/apps/openoffice.if
 --- nsaserefpolicy/policy/modules/apps/openoffice.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/apps/openoffice.if	2008-09-08 11:45:12.000000000 -0400
-@@ -0,0 +1,97 @@
++++ serefpolicy-3.3.1/policy/modules/apps/openoffice.if	2008-09-17 07:25:54.000000000 -0400
+@@ -0,0 +1,98 @@
 +## <summary>Openoffice</summary>
 +
 +#######################################
@@ -6687,6 +6699,7 @@
 +	')
 +
 +	domtrans_pattern($2, openoffice_exec_t, $1_openoffice_t)
++	allow $2  $1_openoffice_t:process { signal sigkill };
 +')
 +
 +#######################################
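Review bot: The added `allow $2  $1_openoffice_t:process { signal sigkill };` has a doubled space between subject and object where the rest of the file uses a single one; `allow $2 $1_openoffice_t:process { signal sigkill };` matches the surrounding style. Since this rule now accompanies the domtrans in the interface, callers that open-code `domtrans_pattern(..., openoffice_exec_t, ..._openoffice_t)` elsewhere (the guest.te hunk near @@ -41525 does this) could call this interface instead of repeating the signal rule. The interface header is outside this hunk.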
@@ -10427,7 +10440,7 @@
  read_files_pattern(amavis_t,amavis_etc_t,amavis_etc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-09-16 15:29:46.000000000 -0400
 @@ -1,10 +1,9 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 -
@@ -10480,9 +10493,11 @@
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +69,21 @@
+@@ -65,11 +68,23 @@
+ /var/run/apache.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
++/var/run/wsgi.*		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  
 -/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
 +/var/spool/gosa(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
@@ -11148,7 +11163,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-09-19 09:53:01.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -11310,7 +11325,15 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -315,9 +364,7 @@
+@@ -299,6 +348,7 @@
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_all_nodes(httpd_t)
++corenet_udp_bind_all_nodes(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
+ corenet_sendrecv_http_server_packets(httpd_t)
+@@ -315,9 +365,7 @@
  
  auth_use_nsswitch(httpd_t)
  
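Review bot: `corenet_udp_bind_all_nodes(httpd_t)` is added without any accompanying `corenet_udp_bind_*_port` call in this hunk and without a comment, so it is unclear what UDP listener httpd needs. In SELinux an explicit UDP bind needs both the node_bind and a port-type bind permission, so either the port side already exists outside the hunk or this rule alone does not make the intended bind work; in both cases a one-line comment naming the consumer would help, e.g. `# UDP bind needed by <module/feature> -- confirm`. The changelog entry for this release does not mention apache at all, so the motivating denial is worth recording there too.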
@@ -11321,7 +11344,7 @@
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -335,6 +382,10 @@
+@@ -335,6 +383,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -11332,7 +11355,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -351,25 +402,50 @@
+@@ -351,25 +403,50 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -11387,7 +11410,7 @@
  tunable_policy(`httpd_can_network_relay',`
  	# allow httpd to work as a relay
  	corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,12 +458,26 @@
+@@ -382,12 +459,26 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
@@ -11419,7 +11442,7 @@
  ')
  
  tunable_policy(`httpd_enable_ftp_server',`
-@@ -399,11 +489,21 @@
+@@ -399,11 +490,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -11441,7 +11464,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +537,13 @@
+@@ -437,8 +538,13 @@
  ')
  
  optional_policy(`
@@ -11457,7 +11480,7 @@
  ')
  
  optional_policy(`
-@@ -450,19 +555,13 @@
+@@ -450,19 +556,13 @@
  ')
  
  optional_policy(`
@@ -11478,7 +11501,7 @@
  ')
  
  optional_policy(`
-@@ -472,13 +571,22 @@
+@@ -472,13 +572,22 @@
  	openca_kill(httpd_t)
  ')
  
@@ -11505,7 +11528,7 @@
  ')
  
  optional_policy(`
-@@ -486,6 +594,7 @@
+@@ -486,6 +595,7 @@
  ')
  
  optional_policy(`
@@ -11513,7 +11536,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -521,6 +630,22 @@
+@@ -521,6 +631,22 @@
  	userdom_use_sysadm_terms(httpd_helper_t)
  ')
  
@@ -11536,7 +11559,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -550,18 +675,26 @@
+@@ -550,18 +676,26 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -11566,7 +11589,7 @@
  ')
  
  ########################################
-@@ -585,6 +718,8 @@
+@@ -585,6 +719,8 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -11575,7 +11598,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +728,7 @@
+@@ -593,9 +729,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -11586,15 +11609,18 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +761,7 @@
+@@ -626,8 +760,10 @@
+ 	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
+ 	corenet_tcp_connect_all_ports(httpd_suexec_t)
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
++	sysnet_dns_name_resolve(httpd_suexec_t)
  ')
  
 +domain_entry_file(httpd_sys_script_t,httpd_sys_content_t)
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -638,6 +772,12 @@
+@@ -638,6 +774,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -11607,7 +11633,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +795,6 @@
+@@ -655,10 +797,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -11618,7 +11644,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +804,8 @@
+@@ -668,7 +806,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -11628,7 +11654,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +819,44 @@
+@@ -682,15 +821,45 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -11663,6 +11689,7 @@
 +	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
 +	corenet_tcp_connect_all_ports(httpd_sys_script_t)
 +	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
++	sysnet_dns_name_resolve(httpd_sys_script_t)
 +')
 +
 +
@@ -11674,7 +11701,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -703,6 +869,10 @@
+@@ -703,6 +872,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11685,7 +11712,7 @@
  ')
  
  ########################################
-@@ -724,3 +894,71 @@
+@@ -724,3 +897,71 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -13614,7 +13641,7 @@
 +/var/lib/misc(/.*)?			gen_context(system_u:object_r:system_crond_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.3.1/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.if	2008-09-12 13:45:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.if	2008-09-16 14:09:57.000000000 -0400
 @@ -35,38 +35,24 @@
  #
  template(`cron_per_role_template',`
@@ -13905,7 +13932,7 @@
  ')
  
  ########################################
-@@ -583,3 +502,62 @@
+@@ -583,3 +502,61 @@
  
  	dontaudit $1 system_crond_tmp_t:file append;
  ')
@@ -13924,8 +13951,7 @@
 +#
 +interface(`cron_dontaudit_write_system_job_tmp_files',`
 +	gen_require(`
-+		type system_crond_tmp_t;
-+		type system_crond_var_run_t;
++		type system_crond_tmp_t, cron_var_run_t;
 +	')
 +
 +	dontaudit $1 system_crond_tmp_t:file write_file_perms;
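Review bot: The gen_require now reads `type system_crond_tmp_t, cron_var_run_t;`, so an interface named cron_dontaudit_write_system_job_tmp_files also depends on the pid/run-file type, but the only rule visible here is the one on system_crond_tmp_t; whichever rule consumes cron_var_run_t lies below this hunk. If that rule is a dontaudit on cron_var_run_t files, the interface's `## <summary>` (above the hunk) should say it covers the cron run files as well, or the run-file rule belongs in its own interface so callers can opt in separately. The interface body continues outside the hunk.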
@@ -14318,7 +14344,7 @@
 +/usr/lib/cups/backend/cups-pdf	--	gen_context(system_u:object_r:cups_pdf_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.3.1/policy/modules/services/cups.if
 --- nsaserefpolicy/policy/modules/services/cups.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cups.if	2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cups.if	2008-09-17 07:27:09.000000000 -0400
 @@ -20,6 +20,30 @@
  
  ########################################
@@ -21605,8 +21631,8 @@
 +/var/lib/PolicyKit-public(/.*)?			gen_context(system_u:object_r:polkit_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.3.1/policy/modules/services/polkit.if
 --- nsaserefpolicy/policy/modules/services/polkit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-09-08 11:45:12.000000000 -0400
-@@ -0,0 +1,212 @@
++++ serefpolicy-3.3.1/policy/modules/services/polkit.if	2008-09-16 15:04:48.000000000 -0400
+@@ -0,0 +1,213 @@
 +
 +## <summary>policy for polkit_auth</summary>
 +
@@ -21710,6 +21736,7 @@
 +	allow polkit_resolve_t $1:dir list_dir_perms;
 +	read_files_pattern(polkit_resolve_t, $1, $1)
 +	read_lnk_files_pattern(polkit_resolve_t, $1, $1)
++	allow polkit_resolve_t $1:process getattr;
 +')
 +
 +########################################
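Review bot: `allow polkit_resolve_t $1:process getattr;` adds a process-class rule to an interface whose other three rules treat $1 as a dir/file type, and nothing in the visible body says which $1 is. This is coherent only if $1 is a domain and the dir/file patterns are there to read its /proc/<pid> entries, which is my inference rather than something the code states; a comment above the block such as `# $1 is a domain: the dir/file rules cover its /proc/<pid> entries -- confirm` would settle it for the next reader, and the `## <param>` description (outside this hunk) should say "domain" rather than a file type if so. The interface header is outside the hunk.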
@@ -23737,8 +23764,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-09-08 11:45:12.000000000 -0400
-@@ -0,0 +1,257 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-09-19 09:41:26.000000000 -0400
+@@ -0,0 +1,260 @@
 +
 +policy_module(prelude, 1.0.0)
 +
@@ -23905,6 +23932,8 @@
 +# prelude_lml local declarations
 +#
 +
++allow prelude_lml_t self:capability dac_override;
++
 +# Init script handling
 +# Test me
 +domain_use_interactive_fds(prelude_lml_t)
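Review bot: `allow prelude_lml_t self:capability dac_override;` gives the log-monitoring daemon a blanket bypass of DAC file-permission checks, which is far broader than read access to whichever log files it could not open; the narrower fix is to make those logs readable by the daemon's group (or add its user to the log group) and drop the capability. If it has to stay, record the motivating denial next to the rule, e.g. `# dac_override: needed to read <log path> (owner/mode) -- confirm`, so it can be revisited. The rule is also placed under the "prelude_lml local declarations" header rather than in the policy section that follows, which is where the other allow rules for this domain live.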
@@ -23969,6 +23998,7 @@
 +')
 +
 +optional_policy(`
++	apache_search_sys_content(httpd_lml_t)
 +	apache_read_log(prelude_lml_t)
 +')
 +
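Review bot: `apache_search_sys_content(httpd_lml_t)` names a type that appears nowhere else in this module; every other rule in the block, including the very next line `apache_read_log(prelude_lml_t)`, uses prelude_lml_t, so unless httpd_lml_t is declared somewhere outside this hunk the module will fail to build with an undeclared-type error. This reads as a typo for `apache_search_sys_content(prelude_lml_t)`. The enclosing optional_policy block starts outside the hunk.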
@@ -25080,7 +25110,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.3.1/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-09-08 11:45:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rpc.te	2008-09-18 16:54:48.000000000 -0400
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write,false)
  
@@ -25175,9 +25205,9 @@
 +
  miscfiles_read_certs(gssd_t)
  
-+userdom_dontaudit_search_users_home_dirs(rpcd_t)
-+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
-+userdom_dontaudit_write_user_tmp_files(user, rpcd_t)
++userdom_dontaudit_search_users_home_dirs(gssd_t)
++userdom_dontaudit_search_sysadm_home_dirs(gssd_t)
++userdom_dontaudit_manage_user_tmp_files(user, gssd_t)
 +
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
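Review bot: `userdom_dontaudit_manage_user_tmp_files(user, gssd_t)` silences the whole manage permission set on user tmp files (create, unlink, rename and so on), while the changelog for this release says only that write attempts are to be dontaudited. If write was the denial observed, `userdom_dontaudit_write_user_tmp_files(user, gssd_t)` matches the stated intent and keeps any create/unlink denials visible in the audit log, which matters for a daemon that handles user credential caches; if broader denials were seen, the changelog should say so. Note also that the allow_gssd_read_tmp tunable just below gates the read side, whereas this dontaudit is unconditional.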
@@ -41493,8 +41523,8 @@
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.3.1/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/users/guest.te	2008-09-08 11:45:13.000000000 -0400
-@@ -0,0 +1,31 @@
++++ serefpolicy-3.3.1/policy/modules/users/guest.te	2008-09-17 09:08:26.000000000 -0400
+@@ -0,0 +1,33 @@
 +policy_module(guest,1.0.1)
 +userdom_restricted_user_template(guest)
 +
@@ -41525,6 +41555,8 @@
 +	')
 +	
 +	domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t)
++	allow xguest_mozilla_t xguest_openoffice_t:process { signal sigkill };
++	allow xguest_openoffice_t xguest_mozilla_t:unix_stream_socket connectto;
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.3.1/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
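Review bot: The added `allow xguest_mozilla_t xguest_openoffice_t:process { signal sigkill };` duplicates the rule the openoffice.if domtrans interface now emits right after its domtrans_pattern (hunk at @@ -6687), because this block open-codes `domtrans_pattern(xguest_mozilla_t, openoffice_exec_t, xguest_openoffice_t)` rather than calling that interface. If the interface's signature fits (its name and parameters are outside my view), replacing the domtrans and signal lines with one interface call would keep a single definition and stop the two from drifting. The `connectto` rule is the reverse direction and is not covered by the interface, so it stays either way. The enclosing optional_policy block starts outside the hunk.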


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.708
retrieving revision 1.709
diff -u -r1.708 -r1.709
--- selinux-policy.spec	16 Sep 2008 16:54:43 -0000	1.708
+++ selinux-policy.spec	19 Sep 2008 13:54:22 -0000	1.709
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 91%{?dist}
+Release: 92%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@
 %endif
 
 %changelog
+* Tue Sep 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-92
+- Dontaudit attempts to write user_tmp_t by gssd_t
+
 * Mon Sep 15 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-91
 - Allow nsplugin_cong dac capabilities.
 



