rpms/selinux-policy/devel policy-F12.patch,1.40,1.41
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Aug 4 08:54:57 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24239
Modified Files:
policy-F12.patch
Log Message:
* Fri Jul 31 2009 Dan Walsh <dwalsh at redhat.com> 3.6.26-3
- Allow svirt_t to stream_connect to virtd_t
policy-F12.patch:
Makefile | 2
Rules.modular | 8
config/appconfig-mcs/default_contexts | 19
config/appconfig-mcs/failsafe_context | 2
config/appconfig-mcs/root_default_contexts | 8
config/appconfig-mcs/securetty_types | 5
config/appconfig-mcs/seusers | 4
config/appconfig-mcs/staff_u_default_contexts | 4
config/appconfig-mcs/unconfined_u_default_contexts | 4
config/appconfig-mcs/user_u_default_contexts | 5
config/appconfig-mcs/userhelper_context | 2
config/appconfig-mcs/virtual_domain_context | 1
config/appconfig-mcs/virtual_image_context | 2
config/appconfig-mls/default_contexts | 19
config/appconfig-mls/root_default_contexts | 12
config/appconfig-mls/virtual_domain_context | 1
config/appconfig-mls/virtual_image_context | 2
config/appconfig-standard/securetty_types | 5
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/anaconda.te | 1
policy/modules/admin/certwatch.te | 1
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 7
policy/modules/admin/kismet.if | 1
policy/modules/admin/kismet.te | 17
policy/modules/admin/logrotate.te | 13
policy/modules/admin/logwatch.te | 1
policy/modules/admin/mrtg.te | 3
policy/modules/admin/prelink.if | 19
policy/modules/admin/readahead.te | 3
policy/modules/admin/rpm.fc | 15
policy/modules/admin/rpm.if | 176 ++
policy/modules/admin/rpm.te | 61
policy/modules/admin/sudo.if | 8
policy/modules/admin/tmpreaper.te | 4
policy/modules/admin/usermanage.te | 9
policy/modules/admin/vbetool.te | 8
policy/modules/apps/awstats.te | 2
policy/modules/apps/cpufreqselector.te | 4
policy/modules/apps/gitosis.fc | 4
policy/modules/apps/gitosis.if | 96 +
policy/modules/apps/gitosis.te | 36
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 ++
policy/modules/apps/gnome.te | 92 +
policy/modules/apps/gpg.te | 15
policy/modules/apps/java.fc | 17
policy/modules/apps/java.if | 129 ++
policy/modules/apps/java.te | 17
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 50
policy/modules/apps/livecd.te | 26
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.if | 13
policy/modules/apps/mozilla.te | 21
policy/modules/apps/nsplugin.fc | 12
policy/modules/apps/nsplugin.if | 313 +++++
policy/modules/apps/nsplugin.te | 287 ++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 14
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 270 +++-
policy/modules/apps/qemu.te | 82 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 57
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 145 ++
policy/modules/apps/sandbox.te | 274 ++++
policy/modules/apps/screen.if | 21
policy/modules/apps/vmware.fc | 1
policy/modules/apps/vmware.te | 1
policy/modules/apps/webalizer.te | 1
policy/modules/apps/wine.fc | 23
policy/modules/apps/wine.if | 60
policy/modules/apps/wine.te | 23
policy/modules/kernel/corecommands.fc | 21
policy/modules/kernel/corecommands.if | 1
policy/modules/kernel/corenetwork.te.in | 28
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.if | 164 ++
policy/modules/kernel/devices.te | 19
policy/modules/kernel/domain.if | 132 +-
policy/modules/kernel/domain.te | 85 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 279 ++++
policy/modules/kernel/files.te | 5
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 20
policy/modules/kernel/kernel.if | 39
policy/modules/kernel/kernel.te | 31
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 40
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 123 -
policy/modules/roles/sysadm.te | 125 --
policy/modules/roles/unconfineduser.fc | 37
policy/modules/roles/unconfineduser.if | 638 ++++++++++
policy/modules/roles/unconfineduser.te | 395 ++++++
policy/modules/roles/unprivuser.te | 131 --
policy/modules/roles/webadm.te | 2
policy/modules/roles/xguest.te | 18
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 35
policy/modules/services/apache.if | 327 +++--
policy/modules/services/apache.te | 409 +++++-
policy/modules/services/apm.te | 2
policy/modules/services/automount.te | 1
policy/modules/services/bind.if | 19
policy/modules/services/bluetooth.te | 6
policy/modules/services/certmaster.te | 2
policy/modules/services/clamav.te | 12
policy/modules/services/consolekit.if | 20
policy/modules/services/consolekit.te | 18
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 13
policy/modules/services/cron.if | 202 ++-
policy/modules/services/cron.te | 132 +-
policy/modules/services/cups.fc | 7
policy/modules/services/cups.te | 13
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 22
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 41
policy/modules/services/dnsmasq.te | 8
policy/modules/services/dovecot.te | 7
policy/modules/services/exim.te | 4
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 2
policy/modules/services/ftp.te | 50
policy/modules/services/gnomeclock.fc | 3
policy/modules/services/gnomeclock.if | 69 +
policy/modules/services/gnomeclock.te | 50
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 12
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 38
policy/modules/services/kerberos.te | 13
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.te | 11
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/modemmanager.fc | 2
policy/modules/services/modemmanager.if | 43
policy/modules/services/modemmanager.te | 41
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 5
policy/modules/services/mta.te | 52
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 7
policy/modules/services/nagios.fc | 11
policy/modules/services/nagios.if | 70 -
policy/modules/services/nagios.te | 55
policy/modules/services/networkmanager.fc | 13
policy/modules/services/networkmanager.if | 45
policy/modules/services/networkmanager.te | 113 +
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 11
policy/modules/services/nslcd.fc | 4
policy/modules/services/nslcd.if | 142 ++
policy/modules/services/nslcd.te | 50
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 7
policy/modules/services/nx.te | 6
policy/modules/services/oddjob.if | 1
policy/modules/services/openvpn.te | 1
policy/modules/services/pcscd.te | 3
policy/modules/services/pegasus.te | 28
policy/modules/services/policykit.fc | 4
policy/modules/services/policykit.if | 48
policy/modules/services/policykit.te | 42
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 136 +-
policy/modules/services/postgresql.fc | 1
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 7
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 14
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/ricci.te | 5
policy/modules/services/rpc.if | 6
policy/modules/services/rpc.te | 8
policy/modules/services/rpcbind.if | 20
policy/modules/services/rsync.te | 22
policy/modules/services/rtkit_daemon.fc | 2
policy/modules/services/rtkit_daemon.if | 64 +
policy/modules/services/rtkit_daemon.te | 36
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 +
policy/modules/services/samba.te | 78 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 63 -
policy/modules/services/setroubleshoot.te | 59
policy/modules/services/shorewall.fc | 12
policy/modules/services/shorewall.if | 166 ++
policy/modules/services/shorewall.te | 97 +
policy/modules/services/smartmon.te | 12
policy/modules/services/spamassassin.fc | 14
policy/modules/services/spamassassin.if | 68 +
policy/modules/services/spamassassin.te | 129 +-
policy/modules/services/squid.te | 7
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 163 ++
policy/modules/services/ssh.te | 66 -
policy/modules/services/sssd.fc | 2
policy/modules/services/sssd.if | 43
policy/modules/services/uucp.te | 3
policy/modules/services/virt.fc | 11
policy/modules/services/virt.if | 106 +
policy/modules/services/virt.te | 263 ++++
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 28
policy/modules/services/xserver.if | 536 ++++++++
policy/modules/services/xserver.te | 308 ++++
policy/modules/system/application.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 203 ++-
policy/modules/system/authlogin.te | 9
policy/modules/system/fstools.fc | 2
policy/modules/system/fstools.te | 9
policy/modules/system/hostname.te | 4
policy/modules/system/init.fc | 6
policy/modules/system/init.if | 138 ++
policy/modules/system/init.te | 166 ++
policy/modules/system/ipsec.fc | 2
policy/modules/system/ipsec.if | 25
policy/modules/system/ipsec.te | 28
policy/modules/system/iptables.fc | 11
policy/modules/system/iptables.te | 5
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 6
policy/modules/system/libraries.fc | 152 +-
policy/modules/system/libraries.if | 4
policy/modules/system/libraries.te | 16
policy/modules/system/locallogin.te | 28
policy/modules/system/logging.fc | 11
policy/modules/system/logging.if | 4
policy/modules/system/logging.te | 32
policy/modules/system/lvm.te | 17
policy/modules/system/miscfiles.if | 19
policy/modules/system/modutils.te | 35
policy/modules/system/mount.fc | 7
policy/modules/system/mount.te | 76 +
policy/modules/system/selinuxutil.fc | 16
policy/modules/system/selinuxutil.if | 288 ++++
policy/modules/system/selinuxutil.te | 227 +--
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 9
policy/modules/system/sysnetwork.if | 116 +
policy/modules/system/sysnetwork.te | 72 -
policy/modules/system/udev.fc | 3
policy/modules/system/udev.te | 34
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 439 -------
policy/modules/system/unconfined.te | 226 ---
policy/modules/system/userdomain.fc | 5
policy/modules/system/userdomain.if | 1299 +++++++++++++++------
policy/modules/system/userdomain.te | 50
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 28
policy/modules/system/xen.te | 127 +-
policy/support/obj_perm_sets.spt | 14
policy/users | 13
support/Makefile.devel | 3
290 files changed, 12858 insertions(+), 2598 deletions(-)
Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-F12.patch,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -p -r1.40 -r1.41
--- policy-F12.patch 31 Jul 2009 19:05:34 -0000 1.40
+++ policy-F12.patch 4 Aug 2009 08:54:56 -0000 1.41
@@ -4272,7 +4272,7 @@ diff -b -B --ignore-all-space --exclude-
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.26/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/devices.fc 2009-08-03 06:30:31.000000000 -0400
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -4284,9 +4284,17 @@ diff -b -B --ignore-all-space --exclude-
/dev/lircm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/logibm -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+@@ -82,6 +84,7 @@
+ /dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
+ /dev/random -c gen_context(system_u:object_r:random_device_t,s0)
+ /dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
++/dev/rfkill -c gen_context(system_u:object_r:wireless_device_t,s0)
+ /dev/(misc/)?rtc[0-9]* -c gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.26/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/devices.if 2009-08-03 06:30:19.000000000 -0400
@@ -1655,6 +1655,78 @@
########################################
@@ -4428,7 +4436,32 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## Read the lvm comtrol device.
-@@ -2268,6 +2395,25 @@
+@@ -2232,6 +2359,24 @@
+
+ ########################################
+ ## <summary>
++## Read and write the the wireless device.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_wireless',`
++ gen_require(`
++ type device_t, wireless_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, wireless_device_t)
++')
++
++########################################
++## <summary>
+ ## Get the attributes of the null device nodes.
+ ## </summary>
+ ## <param name="domain">
+@@ -2268,6 +2413,25 @@
########################################
## <summary>
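Review bot: The summary of the new `dev_rw_wireless` interface at the top of this hunk reads `## Read and write the the wireless device.` — "the" is doubled, and the summary does not say which node is meant. The only file this type labels in the commit is /dev/rfkill, and write access to it lets the caller switch radios on and off, so the interface is a control grant rather than a plain read; `## Read and write the wireless control device (/dev/rfkill).` would tell callers what they are handing out. The rest of the interface (gen_require of device_t and wireless_device_t, rw_chr_files_pattern) matches the neighbouring dev_* interfaces.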
@@ -4456,7 +4489,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.26/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/devices.te 2009-08-03 06:30:00.000000000 -0400
@@ -84,6 +84,13 @@
dev_node(kmsg_device_t)
@@ -4484,9 +4517,22 @@ diff -b -B --ignore-all-space --exclude-
# Type for /dev/mapper/control
#
type lvm_control_t;
+@@ -224,6 +237,12 @@
+ type watchdog_device_t;
+ dev_node(watchdog_device_t)
+
++#
++# wireless control devices
++#
++type wireless_device_t;
++dev_node(wireless_device_t)
++
+ type xen_device_t;
+ dev_node(xen_device_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.26/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/kernel/domain.if 2009-08-03 08:04:07.000000000 -0400
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -8774,7 +8820,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.26/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-07-30 15:33:08.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/bluetooth.te 2009-08-03 06:30:22.000000000 -0400
@@ -64,6 +64,7 @@
allow bluetooth_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow bluetooth_t self:tcp_socket create_stream_socket_perms;
@@ -8783,6 +8829,25 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
+@@ -111,6 +112,7 @@
+ dev_rw_generic_usb_dev(bluetooth_t)
+ dev_read_urand(bluetooth_t)
+ dev_rw_input_dev(bluetooth_t)
++dev_rw_wireless(bluetooth_t)
+
+ fs_getattr_all_fs(bluetooth_t)
+ fs_search_auto_mountpoints(bluetooth_t)
+@@ -154,6 +156,10 @@
+ ')
+
+ optional_policy(`
++ networkmanager_dbus_chat(bluetooth_t)
++ ')
++
++ optional_policy(`
+ pulseaudio_dbus_chat(bluetooth_t)
+ ')
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.te serefpolicy-3.6.26/policy/modules/services/certmaster.te
--- nsaserefpolicy/policy/modules/services/certmaster.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.26/policy/modules/services/certmaster.te 2009-07-30 15:33:08.000000000 -0400
@@ -11092,17 +11157,21 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.26/policy/modules/services/mysql.te
--- nsaserefpolicy/policy/modules/services/mysql.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-07-30 15:33:09.000000000 -0400
-@@ -136,6 +136,8 @@
++++ serefpolicy-3.6.26/policy/modules/services/mysql.te 2009-08-03 08:06:57.000000000 -0400
+@@ -136,7 +136,12 @@
domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t)
+allow mysqld_safe_t mysqld_var_run_t:sock_file unlink;
+
allow mysqld_safe_t mysqld_log_t:file manage_file_perms;
++
++domain_getattr_all_domains(mysqld_safe_t)
++
logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file)
-@@ -152,7 +154,7 @@
+ kernel_read_system_state(mysqld_safe_t)
+@@ -152,7 +157,7 @@
miscfiles_read_localization(mysqld_safe_t)
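Review bot: `domain_getattr_all_domains(mysqld_safe_t)` gives the wrapper script process-getattr on every domain on the host, which is considerably broader than a wrapper for one daemon normally needs. If the trigger was mysqld_safe checking whether its own mysqld child is alive, the targeted rule `allow mysqld_safe_t mysqld_t:process getattr;` covers that without exposing the process table; I cannot see the denial that motivated the change, so treat this as a question rather than a confirmed defect. Either way a one-line comment above the call naming the operation it was added for would keep the broad grant from being cargo-culted later.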
@@ -12408,7 +12477,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/PolicyKit(/.*)? gen_context(system_u:object_r:policykit_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.if serefpolicy-3.6.26/policy/modules/services/policykit.if
--- nsaserefpolicy/policy/modules/services/policykit.if 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/policykit.if 2009-08-03 06:44:10.000000000 -0400
@@ -17,6 +17,8 @@
class dbus send_msg;
')
@@ -12418,7 +12487,15 @@ diff -b -B --ignore-all-space --exclude-
allow $1 policykit_t:dbus send_msg;
allow policykit_t $1:dbus send_msg;
')
-@@ -167,7 +169,7 @@
+@@ -41,7 +43,6 @@
+
+ ########################################
+ ## <summary>
+-## Execute a policy_auth in the policy_auth domain, and
+ ## allow the specified role the policy_auth domain,
+ ## </summary>
+ ## <param name="domain">
+@@ -167,7 +168,7 @@
domtrans_pattern($1, policykit_resolve_exec_t, policykit_resolve_t)
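Review bot: Deleting `## Execute a policy_auth in the policy_auth domain, and` leaves the interface summary as `## allow the specified role the policy_auth domain,` — a lower-case fragment ending in a comma. If the interface really no longer performs the transition, the remaining line should become a full sentence, e.g. `## Allow the specified role the policy_auth domain.`; if it still does, the deleted sentence should be kept. The interface name and body are outside this hunk, so I cannot tell which applies.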
@@ -12427,7 +12504,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -206,4 +208,30 @@
+@@ -206,4 +207,47 @@
files_search_var_lib($1)
read_files_pattern($1, policykit_var_lib_t, policykit_var_lib_t)
@@ -12457,10 +12534,27 @@ diff -b -B --ignore-all-space --exclude-
+ policykit_read_lib($2)
+ policykit_read_reload($2)
+ policykit_dbus_chat($2)
++')
++########################################
++## <summary>
++## Send generic signal to policy_auth
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`policykit_signal_auth',`
++ gen_require(`
++ type policykit_auth_t;
++ ')
++
++ allow $1 policykit_auth_t:process signal;
')
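Review bot: The parameter summary of the new `policykit_signal_auth` interface says `## Domain allowed to transition.` but the body grants only `allow $1 policykit_auth_t:process signal;`, so the text looks copied from the domtrans interface above; it should read `## Domain allowed access.` like the other non-transition interfaces in this patch. The interface also starts its `####` banner directly after the preceding `')`, whereas every other new interface in this commit separates them with a blank line. Both are documentation/style points only; the rule itself is as narrow as the summary promises.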
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.26/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/policykit.te 2009-08-03 06:50:17.000000000 -0400
@@ -38,9 +38,10 @@
allow policykit_t self:capability { setgid setuid };
@@ -12500,7 +12594,7 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# polkit_auth local policy
-@@ -77,7 +89,8 @@
+@@ -77,12 +89,15 @@
allow policykit_auth_t self:capability setgid;
allow policykit_auth_t self:process getattr;
@@ -12510,27 +12604,37 @@ diff -b -B --ignore-all-space --exclude-
allow policykit_auth_t self:unix_dgram_socket create_socket_perms;
allow policykit_auth_t self:unix_stream_socket create_stream_socket_perms;
-@@ -104,6 +117,8 @@
++policykit_dbus_chat(policykit_auth_t)
++
+ can_exec(policykit_auth_t, policykit_auth_exec_t)
+-corecmd_search_bin(policykit_auth_t)
++corecmd_exec_bin(policykit_auth_t)
+
+ rw_files_pattern(policykit_auth_t, policykit_reload_t, policykit_reload_t)
+
+@@ -104,6 +119,7 @@
userdom_dontaudit_read_user_home_content_files(policykit_auth_t)
optional_policy(`
+ dbus_system_domain( policykit_auth_t, policykit_auth_exec_t)
-+
dbus_session_bus_client(policykit_auth_t)
optional_policy(`
-@@ -116,6 +131,10 @@
+@@ -116,6 +132,13 @@
hal_read_state(policykit_auth_t)
')
+optional_policy(`
++ xserver_stream_connect(policykit_auth_t)
+ xserver_xdm_append_log(policykit_auth_t)
++ xserver_read_xdm_pid(policykit_auth_t)
++ xserver_search_xdm_lib(policykit_auth_t)
+')
+
########################################
#
# polkit_grant local policy
-@@ -123,7 +142,8 @@
+@@ -123,7 +146,8 @@
allow policykit_grant_t self:capability setuid;
allow policykit_grant_t self:process getattr;
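Review bot: Replacing `corecmd_search_bin(policykit_auth_t)` with `corecmd_exec_bin(policykit_auth_t)` lets the auth helper execute any bin_t program in its own domain, and the visible context shows that domain holds `self:capability setgid`. If a particular program is what triggered the denial, a `can_exec` on that program's type (or a domain transition into its own domain) would be the tighter fix; if the helper genuinely needs arbitrary helpers, a comment naming the case above the call would record why the search→exec widening was accepted. The new `policykit_dbus_chat(policykit_auth_t)` and the xserver_* additions inside the optional_policy block look appropriately scoped.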
@@ -12540,7 +12644,7 @@ diff -b -B --ignore-all-space --exclude-
allow policykit_grant_t self:unix_dgram_socket create_socket_perms;
allow policykit_grant_t self:unix_stream_socket create_stream_socket_perms;
-@@ -153,9 +173,12 @@
+@@ -153,9 +177,12 @@
userdom_read_all_users_state(policykit_grant_t)
optional_policy(`
@@ -12554,7 +12658,7 @@ diff -b -B --ignore-all-space --exclude-
consolekit_dbus_chat(policykit_grant_t)
')
')
-@@ -167,7 +190,8 @@
+@@ -167,7 +194,8 @@
allow policykit_resolve_t self:capability { setuid sys_nice sys_ptrace };
allow policykit_resolve_t self:process getattr;
@@ -13686,8 +13790,16 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.6.26/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 2009-07-23 14:11:04.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-07-30 15:33:09.000000000 -0400
-@@ -440,6 +440,10 @@
++++ serefpolicy-3.6.26/policy/modules/services/ricci.te 2009-08-03 07:21:27.000000000 -0400
+@@ -264,6 +264,7 @@
+ allow ricci_modclusterd_t self:socket create_socket_perms;
+
+ allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto;
++allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;
+
+ # log files
+ allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr;
+@@ -440,6 +441,10 @@
files_read_usr_files(ricci_modstorage_t)
files_read_kernel_modules(ricci_modstorage_t)
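Review bot: The new rule `allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms;` uses the regular-file permission set on a fifo_file; the convention used elsewhere in this same patch (`allow xserver_t self:fifo_file rw_fifo_file_perms;`) is the fifo-specific set. Suggest `allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_fifo_file_perms;` so the rule matches the object class it targets and stays correct if the two sets ever diverge.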
@@ -16957,7 +17069,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.26/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/xserver.if 2009-08-03 06:49:41.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -17105,7 +17217,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -756,7 +757,26 @@
+@@ -756,7 +757,44 @@
')
files_search_pids($1)
@@ -17130,10 +17242,28 @@ diff -b -B --ignore-all-space --exclude-
+
+ files_search_pids($1)
+ manage_files_pattern($1, xdm_var_run_t, xdm_var_run_t)
++')
++
++########################################
++## <summary>
++## Search XDM var lib dirs.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`xserver_search_xdm_lib',`
++ gen_require(`
++ type xdm_var_lib_t;
++ ')
++
++ allow $1 xdm_var_lib_t:dir search_dir_perms;
')
########################################
-@@ -779,6 +799,50 @@
+@@ -779,6 +817,50 @@
########################################
## <summary>
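Review bot: The new `xserver_search_xdm_lib` interface grants `allow $1 xdm_var_lib_t:dir search_dir_perms;` but nothing for the parent /var/lib directory, so a caller that cannot already search var_lib_t will still be denied before reaching the xdm directory. The neighbouring interface in this hunk follows the usual pattern of calling `files_search_pids($1)` before touching xdm_var_run_t; the equivalent here is to add `files_search_var_lib($1)` before the allow line. The summary `## Search XDM var lib dirs.` is fine as is.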
@@ -17184,7 +17314,7 @@ diff -b -B --ignore-all-space --exclude-
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -797,6 +861,24 @@
+@@ -797,6 +879,24 @@
########################################
## <summary>
@@ -17209,7 +17339,7 @@ diff -b -B --ignore-all-space --exclude-
## Execute an X session in the target domain. This
## is an explicit transition, requiring the
## caller to use setexeccon().
-@@ -872,6 +954,27 @@
+@@ -872,6 +972,27 @@
########################################
## <summary>
@@ -17237,7 +17367,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write the X server
## log files.
## </summary>
-@@ -1018,10 +1121,11 @@
+@@ -1018,10 +1139,11 @@
#
interface(`xserver_domtrans',`
gen_require(`
@@ -17250,7 +17380,7 @@ diff -b -B --ignore-all-space --exclude-
domtrans_pattern($1, xserver_exec_t, xserver_t)
')
-@@ -1159,6 +1263,276 @@
+@@ -1159,6 +1281,276 @@
########################################
## <summary>
@@ -17527,7 +17657,7 @@ diff -b -B --ignore-all-space --exclude-
## Interface to provide X object permissions on a given X server to
## an X client domain. Gives the domain complete control over the
## display.
-@@ -1172,7 +1546,103 @@
+@@ -1172,7 +1564,103 @@
interface(`xserver_unconfined',`
gen_require(`
attribute xserver_unconfined_type;
@@ -17564,7 +17694,7 @@ diff -b -B --ignore-all-space --exclude-
+ allow $2 $1:x_drawable all_x_drawable_perms;
+ allow $1 $2:x_resource all_x_resource_perms;
+ allow $2 $1:x_resource all_x_resource_perms;
-+')
+ ')
+
+#######################################
+## <summary>
@@ -17589,7 +17719,7 @@ diff -b -B --ignore-all-space --exclude-
+ class x_selection all_x_selection_perms;
+ class x_event all_x_event_perms;
+ class x_synthetic_event all_x_synthetic_event_perms;
- ')
++')
+
+ # Type attributes
+ typeattribute $1 x_domain;
@@ -17633,7 +17763,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.26/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-07-30 15:33:09.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/services/xserver.te 2009-08-03 06:43:20.000000000 -0400
@@ -34,6 +34,13 @@
## <desc>
@@ -18060,7 +18190,7 @@ diff -b -B --ignore-all-space --exclude-
hostname_exec(xdm_t)
')
-@@ -542,6 +650,29 @@
+@@ -542,6 +650,30 @@
')
optional_policy(`
@@ -18068,6 +18198,7 @@ diff -b -B --ignore-all-space --exclude-
+ policykit_domtrans_auth(xdm_t)
+ policykit_read_lib(xdm_t)
+ policykit_read_reload(xdm_t)
++ policykit_signal_auth(xdm_t)
+')
+
+optional_policy(`
@@ -18090,7 +18221,7 @@ diff -b -B --ignore-all-space --exclude-
seutil_sigchld_newrole(xdm_t)
')
-@@ -550,8 +681,9 @@
+@@ -550,8 +682,9 @@
')
optional_policy(`
@@ -18102,7 +18233,7 @@ diff -b -B --ignore-all-space --exclude-
ifndef(`distro_redhat',`
allow xdm_t self:process { execheap execmem };
-@@ -560,7 +692,6 @@
+@@ -560,7 +693,6 @@
ifdef(`distro_rhel4',`
allow xdm_t self:process { execheap execmem };
')
@@ -18110,7 +18241,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
userhelper_dontaudit_search_config(xdm_t)
-@@ -571,6 +702,10 @@
+@@ -571,6 +703,10 @@
')
optional_policy(`
@@ -18121,7 +18252,7 @@ diff -b -B --ignore-all-space --exclude-
xfs_stream_connect(xdm_t)
')
-@@ -587,10 +722,9 @@
+@@ -587,10 +723,9 @@
# execheap needed until the X module loader is fixed.
# NVIDIA Needs execstack
@@ -18133,7 +18264,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t self:fd use;
allow xserver_t self:fifo_file rw_fifo_file_perms;
allow xserver_t self:sock_file read_sock_file_perms;
-@@ -602,9 +736,11 @@
+@@ -602,9 +737,11 @@
allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow xserver_t self:tcp_socket create_stream_socket_perms;
allow xserver_t self:udp_socket create_socket_perms;
@@ -18145,7 +18276,7 @@ diff -b -B --ignore-all-space --exclude-
allow xserver_t { input_xevent_t input_xevent_type }:x_event send;
-@@ -616,13 +752,14 @@
+@@ -616,13 +753,14 @@
type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t;
allow xserver_t { rootwindow_t x_domain }:x_drawable send;
@@ -18161,7 +18292,7 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
-@@ -635,9 +772,19 @@
+@@ -635,9 +773,19 @@
manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
files_search_var_lib(xserver_t)
@@ -18181,7 +18312,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
-@@ -680,9 +827,12 @@
+@@ -680,9 +828,12 @@
dev_rw_xserver_misc(xserver_t)
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev(xserver_t)
@@ -18195,7 +18326,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(xserver_t)
files_read_etc_runtime_files(xserver_t)
-@@ -697,8 +847,12 @@
+@@ -697,8 +848,12 @@
fs_search_nfs(xserver_t)
fs_search_auto_mountpoints(xserver_t)
fs_search_ramfs(xserver_t)
@@ -18208,7 +18339,7 @@ diff -b -B --ignore-all-space --exclude-
selinux_validate_context(xserver_t)
selinux_compute_access_vector(xserver_t)
-@@ -720,6 +874,7 @@
+@@ -720,6 +875,7 @@
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
@@ -18216,7 +18347,7 @@ diff -b -B --ignore-all-space --exclude-
modutils_domtrans_insmod(xserver_t)
-@@ -742,7 +897,7 @@
+@@ -742,7 +898,7 @@
')
ifdef(`enable_mls',`
@@ -18225,7 +18356,7 @@ diff -b -B --ignore-all-space --exclude-
range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh;
')
-@@ -774,12 +929,20 @@
+@@ -774,12 +930,20 @@
')
optional_policy(`
@@ -18247,7 +18378,7 @@ diff -b -B --ignore-all-space --exclude-
unconfined_domtrans(xserver_t)
')
-@@ -806,7 +969,7 @@
+@@ -806,7 +970,7 @@
allow xserver_t xdm_var_lib_t:file { getattr read };
dontaudit xserver_t xdm_var_lib_t:dir search;
@@ -18256,7 +18387,7 @@ diff -b -B --ignore-all-space --exclude-
# Label pid and temporary files with derived types.
manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -827,9 +990,14 @@
+@@ -827,9 +991,14 @@
# to read ROLE_home_t - examine this in more detail
# (xauth?)
userdom_read_user_home_content_files(xserver_t)
@@ -18271,7 +18402,7 @@ diff -b -B --ignore-all-space --exclude-
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs(xserver_t)
fs_manage_nfs_files(xserver_t)
-@@ -844,11 +1012,14 @@
+@@ -844,11 +1013,14 @@
optional_policy(`
dbus_system_bus_client(xserver_t)
@@ -18287,7 +18418,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -881,6 +1052,8 @@
+@@ -881,6 +1053,8 @@
# X Server
# can read server-owned resources
allow x_domain xserver_t:x_resource read;
@@ -18296,7 +18427,7 @@ diff -b -B --ignore-all-space --exclude-
# can mess with own clients
allow x_domain self:x_client { manage destroy };
-@@ -905,6 +1078,8 @@
+@@ -905,6 +1079,8 @@
# operations allowed on my windows
allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive };
@@ -18305,7 +18436,7 @@ diff -b -B --ignore-all-space --exclude-
# X Colormaps
# can use the default colormap
allow x_domain rootwindow_t:x_colormap { read use add_color };
-@@ -972,17 +1147,49 @@
+@@ -972,17 +1148,49 @@
allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
@@ -19738,7 +19869,7 @@ diff -b -B --ignore-all-space --exclude-
+miscfiles_read_localization(iscsid_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.26/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-07-30 16:27:55.000000000 -0400
++++ serefpolicy-3.6.26/policy/modules/system/libraries.fc 2009-08-03 07:56:50.000000000 -0400
@@ -60,12 +60,15 @@
#
# /opt
@@ -19925,7 +20056,7 @@ diff -b -B --ignore-all-space --exclude-
') dnl end distro_redhat
#
-@@ -304,10 +294,91 @@
+@@ -304,10 +294,92 @@
/var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0)
@@ -19958,6 +20089,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/lib(64)?/nspluginwrapper/np.*\.so -- gen_context(system_u:object_r:lib_t,s0)
+
+/usr/lib/oracle/.*/lib/libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/opt/(.*/)?oracle/(.*/)?libnnz.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib(64)?/libnnz11.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
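Review bot: In the new entry `/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)*` the optional `(64)?` is attached to `oracle` rather than to `lib`, so it matches `/usr/lib/oracle64/...` but not `/usr/lib64/oracle/...`; every neighbouring entry in this hunk writes `/usr/lib(64)?/`, which suggests the intended pattern is `/usr/lib(64)?/oracle/.*/lib/libclntsh\.so(\.[^/]*)*`. I cannot confirm the on-disk path from here, so please check against the package layout. Because textrel_shlib_t is the label that permits text relocations, the pattern should match exactly the library that needs it and nothing more.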