rpms/selinux-policy/devel policy-20080710.patch, 1.40, 1.41 selinux-policy.spec, 1.707, 1.708

Daniel J Walsh dwalsh at fedoraproject.org
Mon Sep 22 12:33:04 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20236

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
* Sun Sep 21 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-4
- Fix transition to nsplugin

* Thu Sep 18 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-3
- Fix labeling on new pm*log
- Allow ssh to bind to all nodes


policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- policy-20080710.patch	18 Sep 2008 21:02:12 -0000	1.40
+++ policy-20080710.patch	22 Sep 2008 12:33:03 -0000	1.41
@@ -4268,8 +4268,8 @@
 +HOME_DIR/\.gstreamer-.*			gen_context(system_u:object_r:nsplugin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.8/policy/modules/apps/nsplugin.if
 --- nsaserefpolicy/policy/modules/apps/nsplugin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if	2008-09-17 19:08:43.000000000 -0400
-@@ -0,0 +1,495 @@
++++ serefpolicy-3.5.8/policy/modules/apps/nsplugin.if	2008-09-21 07:27:44.000000000 -0400
+@@ -0,0 +1,493 @@
 +
 +## <summary>policy for nsplugin</summary>
 +
@@ -4348,8 +4348,6 @@
 +template(`nsplugin_per_role_template_notrans',`
 +	gen_require(`
 +		type nsplugin_rw_t;
-+		type nsplugin_t;
-+		type nsplugin_config_t;
 +		type nsplugin_home_t;
 +		type nsplugin_exec_t;
 +		type nsplugin_config_exec_t;
@@ -4419,80 +4417,80 @@
 +	allow $1_nsplugin_config_t self:process { execstack execmem };
 +')
 +	
-+manage_dirs_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+exec_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_t, nsplugin_home_t, nsplugin_home_t)
-+userdom_user_home_dir_filetrans(user, nsplugin_t, nsplugin_home_t, {file dir})
-+unprivuser_dontaudit_write_home_content_files(nsplugin_t)
-+
-+corecmd_exec_bin(nsplugin_t)
-+corecmd_exec_shell(nsplugin_t)
-+
-+corenet_all_recvfrom_unlabeled(nsplugin_t)
-+corenet_all_recvfrom_netlabel(nsplugin_t)
-+corenet_tcp_connect_flash_port(nsplugin_t)
-+corenet_tcp_connect_pulseaudio_port(nsplugin_t)
-+corenet_tcp_connect_http_port(nsplugin_t)
-+corenet_tcp_sendrecv_generic_if(nsplugin_t)
-+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
-+
-+domain_dontaudit_read_all_domains_state(nsplugin_t)
-+
-+dev_read_rand(nsplugin_t)
-+dev_read_sound(nsplugin_t)
-+dev_write_sound(nsplugin_t)
-+dev_read_video_dev(nsplugin_t)
-+dev_write_video_dev(nsplugin_t)
-+dev_getattr_dri_dev(nsplugin_t)
-+dev_rwx_zero(nsplugin_t)
-+
-+kernel_read_kernel_sysctls(nsplugin_t)
-+kernel_read_system_state(nsplugin_t)
-+
-+files_read_usr_files(nsplugin_t)
-+files_read_etc_files(nsplugin_t)
-+files_read_config_files(nsplugin_t)
-+
-+fs_list_inotifyfs(nsplugin_t)
-+fs_manage_tmpfs_files(nsplugin_t)
-+fs_getattr_tmpfs(nsplugin_t)
-+fs_getattr_xattr_fs(nsplugin_t)
-+
-+term_dontaudit_getattr_all_user_ptys(nsplugin_t)
-+term_dontaudit_getattr_all_user_ttys(nsplugin_t)
-+
-+auth_use_nsswitch(nsplugin_t)
-+
-+libs_use_ld_so(nsplugin_t)
-+libs_use_shared_libs(nsplugin_t)
-+libs_exec_ld_so(nsplugin_t)
-+
-+miscfiles_read_localization(nsplugin_t)
-+miscfiles_read_fonts(nsplugin_t)
-+
-+unprivuser_manage_tmp_dirs(nsplugin_t)
-+unprivuser_manage_tmp_files(nsplugin_t)
-+unprivuser_manage_tmp_sockets(nsplugin_t)
++manage_dirs_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++exec_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++manage_lnk_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)
++userdom_user_home_dir_filetrans(user, $1_nsplugin_t, nsplugin_home_t, {file dir})
++unprivuser_dontaudit_write_home_content_files($1_nsplugin_t)
++
++corecmd_exec_bin($1_nsplugin_t)
++corecmd_exec_shell($1_nsplugin_t)
++
++corenet_all_recvfrom_unlabeled($1_nsplugin_t)
++corenet_all_recvfrom_netlabel($1_nsplugin_t)
++corenet_tcp_connect_flash_port($1_nsplugin_t)
++corenet_tcp_connect_pulseaudio_port($1_nsplugin_t)
++corenet_tcp_connect_http_port($1_nsplugin_t)
++corenet_tcp_sendrecv_generic_if($1_nsplugin_t)
++corenet_tcp_sendrecv_all_nodes($1_nsplugin_t)
++
++domain_dontaudit_read_all_domains_state($1_nsplugin_t)
++
++dev_read_rand($1_nsplugin_t)
++dev_read_sound($1_nsplugin_t)
++dev_write_sound($1_nsplugin_t)
++dev_read_video_dev($1_nsplugin_t)
++dev_write_video_dev($1_nsplugin_t)
++dev_getattr_dri_dev($1_nsplugin_t)
++dev_rwx_zero($1_nsplugin_t)
++
++kernel_read_kernel_sysctls($1_nsplugin_t)
++kernel_read_system_state($1_nsplugin_t)
++
++files_read_usr_files($1_nsplugin_t)
++files_read_etc_files($1_nsplugin_t)
++files_read_config_files($1_nsplugin_t)
++
++fs_list_inotifyfs($1_nsplugin_t)
++fs_manage_tmpfs_files($1_nsplugin_t)
++fs_getattr_tmpfs($1_nsplugin_t)
++fs_getattr_xattr_fs($1_nsplugin_t)
++
++term_dontaudit_getattr_all_user_ptys($1_nsplugin_t)
++term_dontaudit_getattr_all_user_ttys($1_nsplugin_t)
++
++auth_use_nsswitch($1_nsplugin_t)
++
++libs_use_ld_so($1_nsplugin_t)
++libs_use_shared_libs($1_nsplugin_t)
++libs_exec_ld_so($1_nsplugin_t)
++
++miscfiles_read_localization($1_nsplugin_t)
++miscfiles_read_fonts($1_nsplugin_t)
++
++unprivuser_manage_tmp_dirs($1_nsplugin_t)
++unprivuser_manage_tmp_files($1_nsplugin_t)
++unprivuser_manage_tmp_sockets($1_nsplugin_t)
 +userdom_tmp_filetrans_user_tmp(user, $1_nsplugin_t, { file dir sock_file })
-+unprivuser_read_tmpfs_files(nsplugin_t)
-+unprivuser_rw_semaphores(nsplugin_t)
-+unprivuser_delete_tmpfs_files(nsplugin_t)
-+
-+unprivuser_read_home_content_symlinks(nsplugin_t)
-+unprivuser_read_home_content_files(nsplugin_t)
-+unprivuser_read_tmp_files(nsplugin_t)
++unprivuser_read_tmpfs_files($1_nsplugin_t)
++unprivuser_rw_semaphores($1_nsplugin_t)
++unprivuser_delete_tmpfs_files($1_nsplugin_t)
++
++unprivuser_read_home_content_symlinks($1_nsplugin_t)
++unprivuser_read_home_content_files($1_nsplugin_t)
++unprivuser_read_tmp_files($1_nsplugin_t)
 +userdom_write_user_tmp_sockets(user, $1_nsplugin_t)
-+unprivuser_dontaudit_append_home_content_files(nsplugin_t)
-+userdom_dontaudit_unlink_unpriv_home_content_files(nsplugin_t)
++unprivuser_dontaudit_append_home_content_files($1_nsplugin_t)
++userdom_dontaudit_unlink_unpriv_home_content_files($1_nsplugin_t)
 +userdom_dontaudit_manage_user_tmp_files(user, $1_nsplugin_t)
 +
 +optional_policy(`
-+	alsa_read_rw_config(nsplugin_t)
++	alsa_read_rw_config($1_nsplugin_t)
 +')
 +
 +optional_policy(`
-+	gnome_exec_gconf(nsplugin_t)
++	gnome_exec_gconf($1_nsplugin_t)
 +	gnome_manage_user_gnome_config(user, $1_nsplugin_t)
 +	allow $1_nsplugin_t gnome_home_t:sock_file write;
 +')
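Review bot: $1_nsplugin_t gets both write and execute on its own home content — `manage_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)` sits next to `exec_files_pattern($1_nsplugin_t, nsplugin_home_t, nsplugin_home_t)`, with `corecmd_exec_bin`/`corecmd_exec_shell` alongside — so a compromised plugin can drop a file under the nsplugin_home_t paths and run it inside the same domain. That is presumably deliberate for plugins that fetch native code, but the intent is not recorded anywhere in the template; a comment above the exec rule such as `# plugins may write and then exec their own home content (downloaded codecs); isolation rests on the $1_nsplugin_t domain, not on W^X` would keep a later reviewer from "fixing" it. The enclosing template `nsplugin_per_role_template_notrans` starts before this hunk and continues past it.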
@@ -4503,25 +4501,25 @@
 +')
 +
 +optional_policy(`
-+	mplayer_exec(nsplugin_t)
++	mplayer_exec($1_nsplugin_t)
 +	mplayer_read_user_home_files(user, $1_nsplugin_t)
 +')
 +
 +optional_policy(`
-+	unconfined_execmem_signull(nsplugin_t)
-+	unconfined_delete_tmpfs_files(nsplugin_t)
++	unconfined_execmem_signull($1_nsplugin_t)
++	unconfined_delete_tmpfs_files($1_nsplugin_t)
 +')
 +
 +optional_policy(`
-+	xserver_stream_connect_xdm_xserver(nsplugin_t)
-+	xserver_xdm_rw_shm(nsplugin_t)
-+	xserver_read_xdm_tmp_files(nsplugin_t)
-+	xserver_read_xdm_pid(nsplugin_t)
++	xserver_stream_connect_xdm_xserver($1_nsplugin_t)
++	xserver_xdm_rw_shm($1_nsplugin_t)
++	xserver_read_xdm_tmp_files($1_nsplugin_t)
++	xserver_read_xdm_pid($1_nsplugin_t)
 +	xserver_read_user_xauth(user, $1_nsplugin_t)
 +	xserver_read_user_iceauth(user, $1_nsplugin_t)
 +	xserver_use_user_fonts(user, $1_nsplugin_t)
-+	xserver_manage_home_fonts(nsplugin_t)
-+	xserver_dontaudit_rw_xdm_home_files(nsplugin_t)
++	xserver_manage_home_fonts($1_nsplugin_t)
++	xserver_dontaudit_rw_xdm_home_files($1_nsplugin_t)
 +')
 +
 +########################################
@@ -4537,55 +4535,55 @@
 +allow $1_nsplugin_config_t self:fifo_file rw_file_perms;
 +allow $1_nsplugin_config_t self:unix_stream_socket create_stream_socket_perms;
 +
-+fs_list_inotifyfs(nsplugin_config_t)
++fs_list_inotifyfs($1_nsplugin_config_t)
 +
-+can_exec(nsplugin_config_t, nsplugin_rw_t)
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++can_exec($1_nsplugin_config_t, nsplugin_rw_t)
++manage_dirs_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
++manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_rw_t, nsplugin_rw_t)
 +
-+manage_dirs_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
-+manage_lnk_files_pattern(nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++manage_dirs_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++manage_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
++manage_lnk_files_pattern($1_nsplugin_config_t, nsplugin_home_t, nsplugin_home_t)
 +
-+corecmd_exec_bin(nsplugin_config_t)
-+corecmd_exec_shell(nsplugin_config_t)
++corecmd_exec_bin($1_nsplugin_config_t)
++corecmd_exec_shell($1_nsplugin_config_t)
 +
-+kernel_read_system_state(nsplugin_config_t)
++kernel_read_system_state($1_nsplugin_config_t)
 +
-+files_read_etc_files(nsplugin_config_t)
-+files_read_usr_files(nsplugin_config_t)
-+files_dontaudit_search_home(nsplugin_config_t)
-+files_list_tmp(nsplugin_config_t)
++files_read_etc_files($1_nsplugin_config_t)
++files_read_usr_files($1_nsplugin_config_t)
++files_dontaudit_search_home($1_nsplugin_config_t)
++files_list_tmp($1_nsplugin_config_t)
 +
-+auth_use_nsswitch(nsplugin_config_t)
++auth_use_nsswitch($1_nsplugin_config_t)
 +
-+libs_use_ld_so(nsplugin_config_t)
-+libs_use_shared_libs(nsplugin_config_t)
++libs_use_ld_so($1_nsplugin_config_t)
++libs_use_shared_libs($1_nsplugin_config_t)
 +
-+miscfiles_read_localization(nsplugin_config_t)
-+miscfiles_read_fonts(nsplugin_config_t)
++miscfiles_read_localization($1_nsplugin_config_t)
++miscfiles_read_fonts($1_nsplugin_config_t)
 +
-+userdom_search_all_users_home_content(nsplugin_config_t)
++userdom_search_all_users_home_content($1_nsplugin_config_t)
 +
 +tunable_policy(`use_nfs_home_dirs',`
-+	fs_manage_nfs_dirs(nsplugin_t)
-+	fs_manage_nfs_files(nsplugin_t)
-+	fs_manage_nfs_dirs(nsplugin_config_t)
-+	fs_manage_nfs_files(nsplugin_config_t)
++	fs_manage_nfs_dirs($1_nsplugin_t)
++	fs_manage_nfs_files($1_nsplugin_t)
++	fs_manage_nfs_dirs($1_nsplugin_config_t)
++	fs_manage_nfs_files($1_nsplugin_config_t)
 +')
 +
 +tunable_policy(`use_samba_home_dirs',`
-+	fs_manage_cifs_dirs(nsplugin_t)
-+	fs_manage_cifs_files(nsplugin_t)
-+	fs_manage_cifs_dirs(nsplugin_config_t)
-+	fs_manage_cifs_files(nsplugin_config_t)
++	fs_manage_cifs_dirs($1_nsplugin_t)
++	fs_manage_cifs_files($1_nsplugin_t)
++	fs_manage_cifs_dirs($1_nsplugin_config_t)
++	fs_manage_cifs_files($1_nsplugin_config_t)
 +')
 +
-+domtrans_pattern(nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
++domtrans_pattern($1_nsplugin_config_t, nsplugin_exec_t, $1_nsplugin_t)
 +
 +optional_policy(`
-+	xserver_read_home_fonts(nsplugin_config_t)
++	xserver_read_home_fonts($1_nsplugin_config_t)
 +')
 +
 +optional_policy(`
@@ -10745,7 +10743,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/apache.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/apache.te	2008-09-19 10:06:15.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -10896,7 +10894,15 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -312,12 +361,11 @@
+@@ -299,6 +348,7 @@
+ corenet_tcp_sendrecv_all_ports(httpd_t)
+ corenet_udp_sendrecv_all_ports(httpd_t)
+ corenet_tcp_bind_all_nodes(httpd_t)
++corenet_udp_bind_all_nodes(httpd_t)
+ corenet_tcp_bind_http_port(httpd_t)
+ corenet_tcp_bind_http_cache_port(httpd_t)
+ corenet_sendrecv_http_server_packets(httpd_t)
+@@ -312,12 +362,11 @@
  
  fs_getattr_all_fs(httpd_t)
  fs_search_auto_mountpoints(httpd_t)
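Review bot: `corenet_udp_bind_all_nodes(httpd_t)` arrives without a comment saying which Apache feature binds UDP sockets, and no `corenet_udp_bind_*_port` rule accompanies it in this hunk, so on its own the rule only clears the node part of a bind() denial. Because a UDP listener widens httpd_t's exposed surface beyond the existing `corenet_tcp_bind_*` rules, a one-line rationale would help the next audit, e.g. `# UDP bind() needed by <module>; port choice still gated by corenet_udp_bind_*_port`. The httpd_t block this sits in starts before the hunk.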
@@ -10911,7 +10917,7 @@
  
  domain_use_interactive_fds(httpd_t)
  
-@@ -335,6 +383,10 @@
+@@ -335,6 +384,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -10922,7 +10928,7 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -351,18 +403,33 @@
+@@ -351,18 +404,33 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
@@ -10960,7 +10966,7 @@
  ')
  ')
  
-@@ -370,20 +437,45 @@
+@@ -370,20 +438,45 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -11007,7 +11013,7 @@
  
  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,11 +486,12 @@
+@@ -394,11 +487,12 @@
  	corenet_tcp_bind_ftp_port(httpd_t)
  ')
  
@@ -11023,7 +11029,7 @@
  	fs_read_nfs_files(httpd_t)
  	fs_read_nfs_symlinks(httpd_t)
  ')
-@@ -408,6 +501,11 @@
+@@ -408,6 +502,11 @@
  	fs_read_cifs_symlinks(httpd_t)
  ')
  
@@ -11035,7 +11041,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +539,13 @@
+@@ -441,8 +540,13 @@
  ')
  
  optional_policy(`
@@ -11051,7 +11057,7 @@
  ')
  
  optional_policy(`
-@@ -454,18 +557,13 @@
+@@ -454,18 +558,13 @@
  ')
  
  optional_policy(`
@@ -11071,7 +11077,7 @@
  ')
  
  optional_policy(`
-@@ -475,6 +573,12 @@
+@@ -475,6 +574,12 @@
  	openca_kill(httpd_t)
  ')
  
@@ -11084,7 +11090,7 @@
  optional_policy(`
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
-@@ -482,6 +586,7 @@
+@@ -482,6 +587,7 @@
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		postgresql_tcp_connect(httpd_t)
@@ -11092,7 +11098,7 @@
  	')
  ')
  
-@@ -490,6 +595,7 @@
+@@ -490,6 +596,7 @@
  ')
  
  optional_policy(`
@@ -11100,7 +11106,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -519,9 +625,28 @@
+@@ -519,9 +626,28 @@
  logging_send_syslog_msg(httpd_helper_t)
  
  tunable_policy(`httpd_tty_comm',`
@@ -11129,7 +11135,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -551,22 +676,27 @@
+@@ -551,22 +677,27 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -11163,7 +11169,7 @@
  ')
  
  ########################################
-@@ -590,6 +720,8 @@
+@@ -590,6 +721,8 @@
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -11172,7 +11178,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -598,9 +730,7 @@
+@@ -598,9 +731,7 @@
  
  fs_search_auto_mountpoints(httpd_suexec_t)
  
@@ -11183,7 +11189,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -633,12 +763,25 @@
+@@ -633,12 +764,25 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -11212,7 +11218,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -647,6 +790,12 @@
+@@ -647,6 +791,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -11225,7 +11231,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,10 +813,6 @@
+@@ -664,10 +814,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -11236,7 +11242,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -677,7 +822,8 @@
+@@ -677,7 +823,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -11246,7 +11252,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +837,15 @@
+@@ -691,12 +838,15 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -11264,7 +11270,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +853,28 @@
+@@ -704,6 +854,30 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -11272,6 +11278,8 @@
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
 +
++	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
++	corenet_udp_bind_all_nodes(httpd_sys_script_t)
 +	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
 +	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 +	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
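Review bot: `corenet_tcp_bind_all_nodes(httpd_sys_script_t)` and `corenet_udp_bind_all_nodes(httpd_sys_script_t)` let CGI scripts call bind(), which is what a script needs to open a listening socket, whereas the rest of the visible block (socket create, `recvfrom_*`, `sendrecv_all_if`) reads as client-side networking. If the real requirement is outbound connections that bind an explicit source address, say so; if scripts are expected to listen, the boolean gating this block should describe that. A comment such as `# scripts may bind(); ports are still limited by corenet_*_bind_*_port` above the two lines would record the intent. The tunable_policy block enclosing these lines begins before the hunk.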
@@ -11293,7 +11301,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +887,10 @@
+@@ -716,10 +890,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -11308,7 +11316,7 @@
  ')
  
  ########################################
-@@ -727,6 +898,8 @@
+@@ -727,6 +901,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -11317,7 +11325,7 @@
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +914,56 @@
+@@ -741,3 +917,56 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -16314,6 +16322,17 @@
 +	spamassassin_exec(exim_t)
 +	spamassassin_exec_client(exim_t)
  ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.5.8/policy/modules/services/fail2ban.fc
+--- nsaserefpolicy/policy/modules/services/fail2ban.fc	2008-09-08 10:18:37.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/fail2ban.fc	2008-09-19 11:19:25.000000000 -0400
+@@ -3,5 +3,5 @@
+ /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+-/var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
+-/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
++
++/var/run/fail2ban.*		gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.5.8/policy/modules/services/fail2ban.if
 --- nsaserefpolicy/policy/modules/services/fail2ban.if	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.8/policy/modules/services/fail2ban.if	2008-09-17 08:49:08.000000000 -0400
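Review bot: The new `/var/run/fail2ban.*` pattern uses an unescaped `.` and drops the file-type field, so it labels anything whose name merely starts with `fail2ban` under /var/run, not only the pid/socket files and the new socket directory that the fail2ban.te change handles. The tighter spelling that still covers the directory is to keep the two original entries (`/var/run/fail2ban\.pid -- …` and `/var/run/fail2ban\.sock -s …`) and add `/var/run/fail2ban(/.*)?	gen_context(system_u:object_r:fail2ban_var_run_t,s0)`. The neighbouring `/var/log/fail2ban\.log` entry escapes its dot, so the loose form also breaks the file's own convention.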
@@ -16385,6 +16404,21 @@
 +	files_list_pids($1)
 +        admin_pattern($1, fail2ban_var_run_t)
 +')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.5.8/policy/modules/services/fail2ban.te
+--- nsaserefpolicy/policy/modules/services/fail2ban.te	2008-09-05 10:28:20.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/fail2ban.te	2008-09-19 11:19:16.000000000 -0400
+@@ -37,9 +37,10 @@
+ logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+ 
+ # pid file
++manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+ manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+-files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { file sock_file })
++files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
+ 
+ kernel_read_system_state(fail2ban_t)
+ 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.if serefpolicy-3.5.8/policy/modules/services/fetchmail.if
 --- nsaserefpolicy/policy/modules/services/fetchmail.if	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.5.8/policy/modules/services/fetchmail.if	2008-09-17 08:49:08.000000000 -0400
@@ -18031,8 +18065,21 @@
 +/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.5.8/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/mailman.if	2008-09-17 08:49:08.000000000 -0400
-@@ -211,6 +211,7 @@
++++ serefpolicy-3.5.8/policy/modules/services/mailman.if	2008-09-19 10:41:48.000000000 -0400
+@@ -31,6 +31,12 @@
+ 	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
+ 	allow mailman_$1_t self:udp_socket create_socket_perms;
+ 
++	files_search_spool(mailman_$1_t)
++
++	manage_dirs_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
++	manage_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
++	manage_lnk_files_pattern(mailman_$1_t, mailman_archive_t, mailman_archive_t)
++
+ 	manage_dirs_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ 	manage_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+ 	manage_lnk_files_pattern(mailman_$1_t, mailman_data_t, mailman_data_t)
+@@ -211,6 +217,7 @@
  		type mailman_data_t;
  	')
  
@@ -18040,7 +18087,7 @@
  	manage_files_pattern($1, mailman_data_t, mailman_data_t)
  ')
  
-@@ -252,6 +253,25 @@
+@@ -252,6 +259,25 @@
  
  #######################################
  ## <summary>
@@ -18068,7 +18115,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.8/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/mailman.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/mailman.te	2008-09-19 10:39:55.000000000 -0400
 @@ -53,10 +53,9 @@
  	apache_use_fds(mailman_cgi_t)
  	apache_dontaudit_append_log(mailman_cgi_t)
@@ -18110,11 +18157,15 @@
  
  ########################################
  #
-@@ -104,6 +106,7 @@
+@@ -104,6 +106,11 @@
  # some of the following could probably be changed to dontaudit, someone who
  # knows mailman well should test this out and send the changes
  sysadm_search_home_dirs(mailman_queue_t)
 +sysadm_getattr_home_dirs(mailman_queue_t)
++
++optional_policy(`
++	apache_read_config(mailman_queue_t)
++')
  
  optional_policy(`
  	cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
@@ -21509,7 +21560,7 @@
 +/var/spool/postfix/postgrey(/.*)?	gen_context(system_u:object_r:postgrey_spool_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.5.8/policy/modules/services/postgrey.if
 --- nsaserefpolicy/policy/modules/services/postgrey.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/postgrey.if	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/postgrey.if	2008-09-19 10:23:31.000000000 -0400
 @@ -12,10 +12,80 @@
  #
  interface(`postgrey_stream_connect',`
@@ -21519,8 +21570,9 @@
          ')
  
  	allow $1 postgrey_t:unix_stream_socket connectto;
-         allow $1 postgrey_var_run_t:sock_file write;
-+        allow $1 postgrey_spool_t:sock_file write;
+-        allow $1 postgrey_var_run_t:sock_file write;
++	write_sock_files_pattern($1, postgrey_var_run_t,  postgrey_var_run_t)
++	write_sock_files_pattern($1, postgrey_spool_t,  postgrey_spool_t)
  	files_search_pids($1)
  ')
 +
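Review bot: `write_sock_files_pattern($1, postgrey_spool_t, postgrey_spool_t)` lets the caller write the socket in the spool location, but the interface still only adds `files_search_pids($1)`; unless every caller already has search on the spool directory, reaching `/var/spool/postfix/postgrey` will be denied on the parent directory rather than on the socket. Add `files_search_spool($1)` beside `files_search_pids($1)`. Minor: the doubled space in `postgrey_var_run_t,  postgrey_var_run_t` differs from the file's spacing.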
@@ -21954,7 +22006,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.8/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/prelude.te	2008-09-17 08:49:08.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/prelude.te	2008-09-19 10:06:36.000000000 -0400
 @@ -13,18 +13,56 @@
  type prelude_spool_t;
  files_type(prelude_spool_t)
@@ -22052,7 +22104,7 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -123,9 +173,119 @@
+@@ -123,9 +173,122 @@
  libs_use_shared_libs(prelude_audisp_t)
  
  logging_send_syslog_msg(prelude_audisp_t)
@@ -22104,6 +22156,8 @@
 +# prelude_lml local declarations
 +#
 +
++allow prelude_lml_t self:capability dac_override;
++
 +# Init script handling
 +domain_use_interactive_fds(prelude_lml_t)
 +
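Review bot: `allow prelude_lml_t self:capability dac_override;` hands the log monitor a blanket DAC bypass, so every file type its policy already permits becomes reachable regardless of mode bits. If the need is only to read root-owned 0600 logs — the visible prelude_lml_t rules in this file are reads such as `apache_read_log` — then `dac_read_search` is the narrower capability: `allow prelude_lml_t self:capability dac_read_search;`. Either way a comment stating which file produced the AVC would justify the grant; I cannot tell from the hunk whether some write path really needs full dac_override.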
@@ -22166,13 +22220,14 @@
 +sysnet_dns_name_resolve(prelude_lml_t)
 +
 +optional_policy(`
++	apache_search_sys_content(prelude_lml_t)
 +	apache_read_log(prelude_lml_t)
 +')
 +
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -133,8 +293,19 @@
+@@ -133,8 +296,19 @@
  
  optional_policy(`
  	apache_content_template(prewikka)
@@ -30386,8 +30441,15 @@
  allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.8/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2008-08-13 15:24:56.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/libraries.fc	2008-09-17 08:49:09.000000000 -0400
-@@ -66,6 +66,8 @@
++++ serefpolicy-3.5.8/policy/modules/system/libraries.fc	2008-09-21 08:23:42.000000000 -0400
+@@ -60,12 +60,15 @@
+ #
+ # /opt
+ #
++/opt/.*\.so					gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?lib(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?lib64(/.*)?				gen_context(system_u:object_r:lib_t,s0)
+ /opt/(.*/)?java/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  /opt/(.*/)?jre.*/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/(.*/)?jre/.+\.jar			--	gen_context(system_u:object_r:lib_t,s0)
  
@@ -30396,7 +30458,7 @@
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
  /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0)
-@@ -84,7 +86,8 @@
+@@ -84,7 +87,8 @@
  
  ifdef(`distro_redhat',`
  /opt/Adobe(/.*?)/nppdf\.so 		-- 	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30406,7 +30468,7 @@
  /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/cxoffice/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -133,6 +136,7 @@
+@@ -133,6 +137,7 @@
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30414,7 +30476,7 @@
  /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xulrunner-[^/]*/libxul\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
-@@ -168,7 +172,8 @@
+@@ -168,7 +173,8 @@
  # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
  # 	HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
  /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30424,7 +30486,7 @@
  
  /usr/lib/firefox-[^/]*/plugins/nppdf.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/libFLAC\.so.*			--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -187,6 +192,7 @@
+@@ -187,6 +193,7 @@
  /usr/lib(64)?/libdv\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/plugins/[^/]*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/helix/codecs/[^/]*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30432,7 +30494,7 @@
  /usr/lib(64)?/libSDL-.*\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/xorg/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/modules/dri/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -246,7 +252,7 @@
+@@ -246,7 +253,7 @@
  
  # Flash plugin, Macromedia
  HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30441,7 +30503,7 @@
  /usr/lib(64)?/.*/libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?libflashplayer\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  HOME_DIR/.*/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -267,6 +273,8 @@
+@@ -267,6 +274,8 @@
  /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so  --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/vmware/(.*/)?VmPerl\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -30450,7 +30512,7 @@
  # Java, Sun Microsystems (JPackage SRPM)
  /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -291,6 +299,8 @@
+@@ -291,6 +300,8 @@
  /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -30459,7 +30521,7 @@
  ') dnl end distro_redhat
  
  #
-@@ -310,3 +320,13 @@
+@@ -310,3 +321,13 @@
  /var/spool/postfix/lib(64)?(/.*)? 		gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/usr(/.*)?			gen_context(system_u:object_r:lib_t,s0)
  /var/spool/postfix/lib(64)?/ld.*\.so.*	--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -33302,7 +33364,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-08-07 11:15:12.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-17 09:11:15.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/system/userdomain.if	2008-09-21 07:04:00.000000000 -0400
 @@ -28,10 +28,14 @@
  		class context contains;
  	')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.707
retrieving revision 1.708
diff -u -r1.707 -r1.708
--- selinux-policy.spec	18 Sep 2008 20:46:41 -0000	1.707
+++ selinux-policy.spec	22 Sep 2008 12:33:03 -0000	1.708
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
 %endif
 
 %changelog
+* Sun Sep 21 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-4
+- Fix transition to nsplugin
+'
 * Thu Sep 18 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-3
 - Fix labeling on new pm*log
 - Allow ssh to bind to all nodes



