rpms/selinux-policy/F-12 policy-F12.patch,1.144,1.145

Daniel J Walsh dwalsh at fedoraproject.org
Wed Dec 2 20:24:05 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv17122

Modified Files:
	policy-F12.patch 
Log Message:
* Tue Dec 1 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-53
- Remove transition from dhcpc_t to consoletype_t, just allow exec
- Fixes for prelink cron job
- Fix label on yumex backend
- Allow unconfined_java_t to communicate with iptables
- Allow abrt to read /tmp files
- Fix nut/ups policy


policy-F12.patch:
 Makefile                                                     |    2 
 policy/flask/access_vectors                                  |    1 
 policy/global_tunables                                       |   24 
 policy/mcs                                                   |   10 
 policy/modules/admin/alsa.te                                 |    2 
 policy/modules/admin/anaconda.te                             |    3 
 policy/modules/admin/brctl.te                                |    2 
 policy/modules/admin/certwatch.te                            |    2 
 policy/modules/admin/consoletype.te                          |    1 
 policy/modules/admin/dmesg.fc                                |    2 
 policy/modules/admin/dmesg.te                                |   10 
 policy/modules/admin/firstboot.te                            |    6 
 policy/modules/admin/kismet.fc                               |    2 
 policy/modules/admin/kismet.te                               |   13 
 policy/modules/admin/logrotate.te                            |   21 
 policy/modules/admin/logwatch.te                             |    8 
 policy/modules/admin/mrtg.te                                 |    1 
 policy/modules/admin/netutils.te                             |    2 
 policy/modules/admin/ntop.fc                                 |    5 
 policy/modules/admin/ntop.if                                 |  158 +
 policy/modules/admin/ntop.te                                 |   40 
 policy/modules/admin/portage.te                              |    2 
 policy/modules/admin/prelink.fc                              |    1 
 policy/modules/admin/prelink.if                              |    4 
 policy/modules/admin/prelink.te                              |   77 
 policy/modules/admin/readahead.te                            |    1 
 policy/modules/admin/rpm.fc                                  |   21 
 policy/modules/admin/rpm.if                                  |  344 ++
 policy/modules/admin/rpm.te                                  |   98 
 policy/modules/admin/shorewall.fc                            |    6 
 policy/modules/admin/shorewall.if                            |   40 
 policy/modules/admin/shorewall.te                            |    9 
 policy/modules/admin/smoltclient.fc                          |    4 
 policy/modules/admin/smoltclient.if                          |    1 
 policy/modules/admin/smoltclient.te                          |   66 
 policy/modules/admin/sudo.if                                 |   13 
 policy/modules/admin/tmpreaper.te                            |   10 
 policy/modules/admin/tzdata.te                               |    2 
 policy/modules/admin/usermanage.if                           |   11 
 policy/modules/admin/usermanage.te                           |   35 
 policy/modules/admin/vbetool.te                              |   14 
 policy/modules/admin/vpn.te                                  |    4 
 policy/modules/apps/calamaris.te                             |    7 
 policy/modules/apps/chrome.fc                                |    2 
 policy/modules/apps/chrome.if                                |   86 
 policy/modules/apps/chrome.te                                |   78 
 policy/modules/apps/cpufreqselector.te                       |    2 
 policy/modules/apps/execmem.fc                               |   42 
 policy/modules/apps/execmem.if                               |   80 
 policy/modules/apps/execmem.te                               |   11 
 policy/modules/apps/firewallgui.fc                           |    3 
 policy/modules/apps/firewallgui.if                           |    3 
 policy/modules/apps/firewallgui.te                           |   64 
 policy/modules/apps/gitosis.if                               |   45 
 policy/modules/apps/gnome.fc                                 |   12 
 policy/modules/apps/gnome.if                                 |  170 +
 policy/modules/apps/gnome.te                                 |   99 
 policy/modules/apps/gpg.te                                   |   20 
 policy/modules/apps/java.fc                                  |   24 
 policy/modules/apps/java.if                                  |  114 
 policy/modules/apps/java.te                                  |   19 
 policy/modules/apps/kdumpgui.fc                              |    2 
 policy/modules/apps/kdumpgui.if                              |    2 
 policy/modules/apps/kdumpgui.te                              |   67 
 policy/modules/apps/livecd.fc                                |    2 
 policy/modules/apps/livecd.if                                |   52 
 policy/modules/apps/livecd.te                                |   27 
 policy/modules/apps/loadkeys.te                              |    6 
 policy/modules/apps/mono.fc                                  |    2 
 policy/modules/apps/mono.if                                  |  101 
 policy/modules/apps/mono.te                                  |    9 
 policy/modules/apps/mozilla.fc                               |    1 
 policy/modules/apps/mozilla.if                               |   68 
 policy/modules/apps/mozilla.te                               |   23 
 policy/modules/apps/nsplugin.fc                              |   11 
 policy/modules/apps/nsplugin.if                              |  323 ++
 policy/modules/apps/nsplugin.te                              |  295 +
 policy/modules/apps/openoffice.fc                            |    3 
 policy/modules/apps/openoffice.if                            |   93 
 policy/modules/apps/openoffice.te                            |   11 
 policy/modules/apps/podsleuth.te                             |    3 
 policy/modules/apps/ptchown.if                               |   25 
 policy/modules/apps/pulseaudio.if                            |    2 
 policy/modules/apps/pulseaudio.te                            |   13 
 policy/modules/apps/qemu.fc                                  |    4 
 policy/modules/apps/qemu.if                                  |  189 +
 policy/modules/apps/qemu.te                                  |   85 
 policy/modules/apps/sambagui.fc                              |    1 
 policy/modules/apps/sambagui.if                              |    2 
 policy/modules/apps/sambagui.te                              |   60 
 policy/modules/apps/sandbox.fc                               |    1 
 policy/modules/apps/sandbox.if                               |  188 +
 policy/modules/apps/sandbox.te                               |  331 ++
 policy/modules/apps/screen.if                                |    7 
 policy/modules/apps/sectoolm.fc                              |    6 
 policy/modules/apps/sectoolm.if                              |    3 
 policy/modules/apps/sectoolm.te                              |  120 
 policy/modules/apps/selinux-policy-3.6.32-41.fc12.noarch.rpm |binary
 policy/modules/apps/seunshare.fc                             |    2 
 policy/modules/apps/seunshare.if                             |   81 
 policy/modules/apps/seunshare.te                             |   43 
 policy/modules/apps/vmware.te                                |    1 
 policy/modules/apps/wine.fc                                  |   24 
 policy/modules/apps/wine.if                                  |  115 
 policy/modules/apps/wine.te                                  |   34 
 policy/modules/kernel/corecommands.fc                        |   43 
 policy/modules/kernel/corecommands.if                        |   21 
 policy/modules/kernel/corecommands.pp                        |binary
 policy/modules/kernel/corenetwork.te.in                      |   46 
 policy/modules/kernel/devices.fc                             |   13 
 policy/modules/kernel/devices.if                             |  309 ++
 policy/modules/kernel/devices.te                             |   25 
 policy/modules/kernel/domain.if                              |  170 -
 policy/modules/kernel/domain.te                              |   89 
 policy/modules/kernel/files.fc                               |    5 
 policy/modules/kernel/files.if                               |  398 ++
 policy/modules/kernel/files.te                               |    6 
 policy/modules/kernel/filesystem.fc                          |    2 
 policy/modules/kernel/filesystem.if                          |  256 +
 policy/modules/kernel/filesystem.te                          |   16 
 policy/modules/kernel/kernel.if                              |   98 
 policy/modules/kernel/kernel.te                              |   32 
 policy/modules/kernel/selinux.if                             |   25 
 policy/modules/kernel/storage.fc                             |    2 
 policy/modules/kernel/storage.if                             |    3 
 policy/modules/kernel/terminal.fc                            |    1 
 policy/modules/kernel/terminal.if                            |   44 
 policy/modules/kernel/terminal.te                            |    1 
 policy/modules/roles/guest.te                                |    8 
 policy/modules/roles/staff.te                                |  126 
 policy/modules/roles/sysadm.te                               |  126 
 policy/modules/roles/unconfineduser.fc                       |    8 
 policy/modules/roles/unconfineduser.if                       |  667 ++++
 policy/modules/roles/unconfineduser.te                       |  436 ++
 policy/modules/roles/unprivuser.te                           |  127 
 policy/modules/roles/xguest.te                               |   74 
 policy/modules/services/abrt.fc                              |    6 
 policy/modules/services/abrt.if                              |  102 
 policy/modules/services/abrt.te                              |  105 
 policy/modules/services/afs.fc                               |    1 
 policy/modules/services/afs.te                               |    3 
 policy/modules/services/aisexec.fc                           |   12 
 policy/modules/services/aisexec.if                           |  106 
 policy/modules/services/aisexec.te                           |  112 
 policy/modules/services/amavis.te                            |    2 
 policy/modules/services/apache.fc                            |   50 
 policy/modules/services/apache.if                            |  410 +-
 policy/modules/services/apache.te                            |  452 ++
 policy/modules/services/apm.te                               |    6 
 policy/modules/services/arpwatch.te                          |    2 
 policy/modules/services/asterisk.if                          |   21 
 policy/modules/services/asterisk.te                          |   20 
 policy/modules/services/automount.te                         |    2 
 policy/modules/services/avahi.te                             |   10 
 policy/modules/services/bind.if                              |   40 
 policy/modules/services/bitlbee.te                           |    2 
 policy/modules/services/bluetooth.if                         |   21 
 policy/modules/services/bluetooth.te                         |   11 
 policy/modules/services/ccs.fc                               |    8 
 policy/modules/services/ccs.te                               |   33 
 policy/modules/services/certmaster.te                        |    2 
 policy/modules/services/chronyd.fc                           |   11 
 policy/modules/services/chronyd.if                           |  105 
 policy/modules/services/chronyd.te                           |   67 
 policy/modules/services/clamav.te                            |   18 
 policy/modules/services/clogd.fc                             |    4 
 policy/modules/services/clogd.if                             |   98 
 policy/modules/services/clogd.te                             |   62 
 policy/modules/services/cobbler.fc                           |    2 
 policy/modules/services/cobbler.if                           |   44 
 policy/modules/services/cobbler.te                           |    5 
 policy/modules/services/consolekit.fc                        |    3 
 policy/modules/services/consolekit.if                        |   39 
 policy/modules/services/consolekit.te                        |   24 
 policy/modules/services/corosync.fc                          |   13 
 policy/modules/services/corosync.if                          |  108 
 policy/modules/services/corosync.te                          |  109 
 policy/modules/services/courier.if                           |   18 
 policy/modules/services/courier.te                           |    1 
 policy/modules/services/cron.fc                              |    6 
 policy/modules/services/cron.if                              |   74 
 policy/modules/services/cron.te                              |   82 
 policy/modules/services/cups.fc                              |   13 
 policy/modules/services/cups.te                              |   51 
 policy/modules/services/cvs.te                               |    1 
 policy/modules/services/cyrus.te                             |    1 
 policy/modules/services/dbus.if                              |   49 
 policy/modules/services/dbus.te                              |   25 
 policy/modules/services/dcc.te                               |    8 
 policy/modules/services/ddclient.if                          |   25 
 policy/modules/services/devicekit.fc                         |    2 
 policy/modules/services/devicekit.if                         |   22 
 policy/modules/services/devicekit.te                         |   60 
 policy/modules/services/dnsmasq.te                           |   12 
 policy/modules/services/dovecot.te                           |   28 
 policy/modules/services/exim.te                              |    5 
 policy/modules/services/fail2ban.te                          |    2 
 policy/modules/services/fetchmail.te                         |    3 
 policy/modules/services/fprintd.te                           |    4 
 policy/modules/services/ftp.te                               |   60 
 policy/modules/services/git.fc                               |    8 
 policy/modules/services/git.if                               |  286 +
 policy/modules/services/git.te                               |  166 +
 policy/modules/services/gpm.te                               |    3 
 policy/modules/services/gpsd.fc                              |    5 
 policy/modules/services/gpsd.if                              |   27 
 policy/modules/services/gpsd.te                              |   14 
 policy/modules/services/hal.fc                               |    1 
 policy/modules/services/hal.if                               |   18 
 policy/modules/services/hal.te                               |   49 
 policy/modules/services/howl.te                              |    2 
 policy/modules/services/inetd.fc                             |    2 
 policy/modules/services/inetd.te                             |    4 
 policy/modules/services/irqbalance.te                        |    4 
 policy/modules/services/kerberos.if                          |    6 
 policy/modules/services/kerberos.te                          |   16 
 policy/modules/services/kerneloops.te                        |    2 
 policy/modules/services/ktalk.te                             |    1 
 policy/modules/services/lircd.fc                             |    2 
 policy/modules/services/lircd.if                             |    9 
 policy/modules/services/lircd.te                             |   23 
 policy/modules/services/mailman.te                           |    4 
 policy/modules/services/memcached.te                         |    2 
 policy/modules/services/milter.if                            |    2 
 policy/modules/services/modemmanager.te                      |    5 
 policy/modules/services/mta.fc                               |    2 
 policy/modules/services/mta.if                               |   13 
 policy/modules/services/mta.te                               |   36 
 policy/modules/services/munin.fc                             |    3 
 policy/modules/services/munin.te                             |    3 
 policy/modules/services/mysql.te                             |    9 
 policy/modules/services/nagios.fc                            |   20 
 policy/modules/services/nagios.if                            |   89 
 policy/modules/services/nagios.te                            |  106 
 policy/modules/services/networkmanager.fc                    |   15 
 policy/modules/services/networkmanager.if                    |   65 
 policy/modules/services/networkmanager.te                    |  117 
 policy/modules/services/nis.fc                               |    5 
 policy/modules/services/nis.if                               |   87 
 policy/modules/services/nis.te                               |   13 
 policy/modules/services/nscd.if                              |   18 
 policy/modules/services/nscd.te                              |   21 
 policy/modules/services/nslcd.if                             |    8 
 policy/modules/services/ntop.te                              |   14 
 policy/modules/services/ntp.if                               |   46 
 policy/modules/services/ntp.te                               |    8 
 policy/modules/services/nut.fc                               |   16 
 policy/modules/services/nut.if                               |   58 
 policy/modules/services/nut.te                               |  188 +
 policy/modules/services/nx.fc                                |    7 
 policy/modules/services/nx.if                                |   67 
 policy/modules/services/nx.te                                |   13 
 policy/modules/services/oddjob.if                            |    1 
 policy/modules/services/oddjob.te                            |    4 
 policy/modules/services/openvpn.te                           |    2 
 policy/modules/services/pcscd.if                             |   22 
 policy/modules/services/pcscd.te                             |    4 
 policy/modules/services/pegasus.te                           |   28 
 policy/modules/services/plymouth.fc                          |    5 
 policy/modules/services/plymouth.if                          |  286 +
 policy/modules/services/plymouth.te                          |  101 
 policy/modules/services/policykit.fc                         |    5 
 policy/modules/services/policykit.if                         |   48 
 policy/modules/services/policykit.te                         |   64 
 policy/modules/services/portreserve.te                       |    1 
 policy/modules/services/postfix.fc                           |    2 
 policy/modules/services/postfix.if                           |  150 
 policy/modules/services/postfix.te                           |  142 
 policy/modules/services/postgresql.fc                        |   16 
 policy/modules/services/postgresql.if                        |   43 
 policy/modules/services/postgresql.te                        |    9 
 policy/modules/services/ppp.if                               |    6 
 policy/modules/services/ppp.te                               |   16 
 policy/modules/services/prelude.te                           |    3 
 policy/modules/services/privoxy.fc                           |    3 
 policy/modules/services/privoxy.te                           |    3 
 policy/modules/services/procmail.te                          |   12 
 policy/modules/services/pyzor.fc                             |    4 
 policy/modules/services/pyzor.if                             |   47 
 policy/modules/services/pyzor.te                             |   37 
 policy/modules/services/radvd.te                             |    1 
 policy/modules/services/razor.fc                             |    1 
 policy/modules/services/razor.if                             |   42 
 policy/modules/services/razor.te                             |   32 
 policy/modules/services/rgmanager.fc                         |    8 
 policy/modules/services/rgmanager.if                         |   59 
 policy/modules/services/rgmanager.te                         |   83 
 policy/modules/services/rhcs.fc                              |   22 
 policy/modules/services/rhcs.if                              |  348 ++
 policy/modules/services/rhcs.te                              |  394 ++
 policy/modules/services/ricci.te                             |   30 
 policy/modules/services/rpc.if                               |    7 
 policy/modules/services/rpc.te                               |   17 
 policy/modules/services/rpcbind.if                           |   20 
 policy/modules/services/rpcbind.te                           |    1 
 policy/modules/services/rsync.te                             |   23 
 policy/modules/services/rtkit.if                             |   20 
 policy/modules/services/rtkit.te                             |    4 
 policy/modules/services/samba.fc                             |    4 
 policy/modules/services/samba.if                             |  104 
 policy/modules/services/samba.te                             |   89 
 policy/modules/services/sasl.te                              |   15 
 policy/modules/services/sendmail.if                          |  137 
 policy/modules/services/sendmail.te                          |   87 
 policy/modules/services/setroubleshoot.fc                    |    2 
 policy/modules/services/setroubleshoot.if                    |  123 
 policy/modules/services/setroubleshoot.te                    |   82 
 policy/modules/services/smartmon.te                          |   15 
 policy/modules/services/snmp.if                              |   38 
 policy/modules/services/snmp.te                              |    4 
 policy/modules/services/snort.te                             |    1 
 policy/modules/services/spamassassin.fc                      |   15 
 policy/modules/services/spamassassin.if                      |   89 
 policy/modules/services/spamassassin.te                      |  139 
 policy/modules/services/squid.te                             |    9 
 policy/modules/services/ssh.fc                               |    2 
 policy/modules/services/ssh.if                               |  207 +
 policy/modules/services/ssh.te                               |  155 -
 policy/modules/services/sssd.fc                              |    5 
 policy/modules/services/sssd.if                              |   62 
 policy/modules/services/sssd.te                              |   15 
 policy/modules/services/sysstat.te                           |    5 
 policy/modules/services/tftp.fc                              |    2 
 policy/modules/services/tor.te                               |    1 
 policy/modules/services/tuned.fc                             |    6 
 policy/modules/services/tuned.if                             |  140 
 policy/modules/services/tuned.te                             |   58 
 policy/modules/services/uucp.te                              |   10 
 policy/modules/services/virt.fc                              |   14 
 policy/modules/services/virt.if                              |  210 +
 policy/modules/services/virt.te                              |  276 +
 policy/modules/services/w3c.te                               |    7 
 policy/modules/services/xserver.fc                           |   45 
 policy/modules/services/xserver.if                           |  633 +++-
 policy/modules/services/xserver.te                           |  363 +-
 policy/modules/system/application.if                         |   20 
 policy/modules/system/application.te                         |   12 
 policy/modules/system/authlogin.fc                           |    9 
 policy/modules/system/authlogin.if                           |  209 +
 policy/modules/system/authlogin.te                           |   10 
 policy/modules/system/fstools.fc                             |    3 
 policy/modules/system/fstools.te                             |    7 
 policy/modules/system/init.fc                                |    7 
 policy/modules/system/init.if                                |  163 -
 policy/modules/system/init.te                                |  290 +
 policy/modules/system/ipsec.fc                               |    7 
 policy/modules/system/ipsec.if                               |   25 
 policy/modules/system/ipsec.te                               |   66 
 policy/modules/system/iptables.fc                            |   17 
 policy/modules/system/iptables.if                            |   97 
 policy/modules/system/iptables.te                            |   20 
 policy/modules/system/iscsi.if                               |   40 
 policy/modules/system/iscsi.te                               |    6 
 policy/modules/system/kdump.te                               |    5 
 policy/modules/system/libraries.fc                           |  182 -
 policy/modules/system/libraries.if                           |    5 
 policy/modules/system/libraries.te                           |   18 
 policy/modules/system/locallogin.te                          |   30 
 policy/modules/system/logging.fc                             |   12 
 policy/modules/system/logging.if                             |   18 
 policy/modules/system/logging.te                             |   38 
 policy/modules/system/lvm.if                                 |   39 
 policy/modules/system/lvm.te                                 |   31 
 policy/modules/system/miscfiles.fc                           |    1 
 policy/modules/system/miscfiles.if                           |   60 
 policy/modules/system/miscfiles.te                           |    2 
 policy/modules/system/modutils.fc                            |    1 
 policy/modules/system/modutils.if                            |   46 
 policy/modules/system/modutils.te                            |   56 
 policy/modules/system/mount.fc                               |    7 
 policy/modules/system/mount.if                               |    2 
 policy/modules/system/mount.te                               |   83 
 policy/modules/system/raid.fc                                |    2 
 policy/modules/system/raid.te                                |    8 
 policy/modules/system/selinuxutil.fc                         |   17 
 policy/modules/system/selinuxutil.if                         |  309 ++
 policy/modules/system/selinuxutil.te                         |  229 -
 policy/modules/system/setrans.if                             |   20 
 policy/modules/system/sysnetwork.fc                          |    9 
 policy/modules/system/sysnetwork.if                          |  114 
 policy/modules/system/sysnetwork.te                          |   79 
 policy/modules/system/udev.fc                                |    3 
 policy/modules/system/udev.if                                |   39 
 policy/modules/system/udev.te                                |   39 
 policy/modules/system/unconfined.fc                          |   15 
 policy/modules/system/unconfined.if                          |  443 --
 policy/modules/system/unconfined.te                          |  224 -
 policy/modules/system/userdomain.fc                          |    7 
 policy/modules/system/userdomain.if                          | 1684 ++++++++---
 policy/modules/system/userdomain.te                          |   51 
 policy/modules/system/xen.fc                                 |    6 
 policy/modules/system/xen.if                                 |   28 
 policy/modules/system/xen.te                                 |  137 
 policy/support/obj_perm_sets.spt                             |   28 
 policy/users                                                 |   13 
 395 files changed, 19762 insertions(+), 2816 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.144
retrieving revision 1.145
diff -u -p -r1.144 -r1.145
--- policy-F12.patch	2 Dec 2009 20:15:22 -0000	1.144
+++ policy-F12.patch	2 Dec 2009 20:24:04 -0000	1.145
@@ -7181,7 +7181,7 @@ diff -b -B --ignore-all-space --exclude-
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.6.32/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.fc	2009-12-02 13:34:38.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.fc	2009-12-02 15:20:12.000000000 -0500
 @@ -18,6 +18,7 @@
  /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7190,7 +7190,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ifdef(`distro_suse',`
-@@ -48,6 +49,7 @@
+@@ -48,11 +49,13 @@
  /etc/.*				gen_context(system_u:object_r:etc_t,s0)
  /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/blkid(/.*)?		gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -7198,7 +7198,13 @@ diff -b -B --ignore-all-space --exclude-
  /etc/fstab\.REVOKE	--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/HOSTNAME		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /etc/ioctl\.save	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-@@ -229,6 +231,8 @@
+ /etc/issue		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/issue\.net		--	gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/killpower		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/localtime		-l	gen_context(system_u:object_r:etc_t,s0)
+ /etc/mtab		--	gen_context(system_u:object_r:etc_runtime_t,s0)
+ /etc/mtab\.fuselock	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+@@ -229,6 +232,8 @@
  
  /var/ftp/etc(/.*)?		gen_context(system_u:object_r:etc_t,s0)
  
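Review bot: The added `/etc/killpower` line in files.fc only applies when the file is relabelled (restorecon or package install); a file created at runtime under /etc normally inherits etc_t unless the creating domain has a file-type transition. The changelog ties this to the nut/ups fix, so please confirm that nut.te, which is not visible in this hunk, has a rule such as `files_etc_filetrans_etc_runtime(nut_upsmon_t, file)`. The domain name there is presumed from `nut_upsmon_exec_t` in the nut.fc hunk. Because etc_runtime_t is shared by many runtime-written files, any domain allowed to write that type could also create or remove this flag, so a dedicated type may be the narrower choice. A comment above the entry would help, for example `# NUT upsmon power-down flag file`. The inner files.fc section continues outside this hunk.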
@@ -15274,7 +15280,7 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2009-12-02 14:59:42.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te	2009-12-02 15:19:54.000000000 -0500
 @@ -56,7 +56,7 @@
  
  allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
@@ -18069,21 +18075,29 @@ diff -b -B --ignore-all-space --exclude-
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.fc serefpolicy-3.6.32/policy/modules/services/nut.fc
 --- nsaserefpolicy/policy/modules/services/nut.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/nut.fc	2009-12-02 07:58:43.000000000 -0500
-@@ -0,0 +1,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/nut.fc	2009-12-02 15:18:43.000000000 -0500
+@@ -0,0 +1,16 @@
++
++/etc/ups(/.*)?          gen_context(system_u:object_r:nut_conf_t,s0)
++
++/sbin/upsdrvctl     --  gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
 +
-+/usr/sbin/upsd			--	gen_context(system_u:object_r:upsd_exec_t,s0)		
++/usr/sbin/upsd      --  gen_context(system_u:object_r:nut_upsd_exec_t,s0)
++/usr/sbin/upsmon    --  gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
 +
-+/usr/sbin/upsmon          	--      gen_context(system_u:object_r:upsmon_exec_t,s0)
++/var/run/nut(/.*)?                  gen_context(system_u:object_r:nut_var_run_t,s0)
 +
-+/sbin/upsdrvctl			--	 gen_context(system_u:object_r:upsdrvctl_exec_t,s0)
++#/var/www/nut-cgi-bin(/.*)?      --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++
++/var/www/nut-cgi-bin/upsimage\.cgi  --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsset\.cgi    --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
++/var/www/nut-cgi-bin/upsstats\.cgi  --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
 +
-+/var/run/nut(/.*)? 			 gen_context(system_u:object_r:nut_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.if serefpolicy-3.6.32/policy/modules/services/nut.if
 --- nsaserefpolicy/policy/modules/services/nut.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/nut.if	2009-12-02 07:58:44.000000000 -0500
-@@ -0,0 +1,82 @@
-+## <summary>SELinux policy for nut - Network UPS Tools </summary>
++++ serefpolicy-3.6.32/policy/modules/services/nut.if	2009-12-02 15:18:43.000000000 -0500
+@@ -0,0 +1,58 @@
++## <summary>SELinux policy for NUT - Network UPS Tools </summary>
 +
 +#####################################
 +## <summary>
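Review bot: The new `/etc/ups(/.*)?` entry in nut.fc puts every file in the NUT configuration directory under the single type `nut_conf_t`, and the nut.te hunk further down grants read on that type to all three daemon domains and to the web-reachable `httpd_nutups_cgi_script_t`. If any file in that directory holds credentials (NUT's user and monitor configuration normally do), the CGI domain can read them as well. Consider a more specific entry for those files, for example `/etc/ups/<credential file>  --  gen_context(system_u:object_r:<separate secret type>,s0)` (placeholder names), and keep the CGI read rule on `nut_conf_t` only. The commented-out `#/var/www/nut-cgi-bin(/.*)?` line can be dropped now that the three scripts are labelled individually.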
@@ -18095,14 +18109,13 @@ diff -b -B --ignore-all-space --exclude-
 +## </summary>
 +## </param>
 +#
-+interface(`nut_domtrans_upsd',`
-+        gen_require(`
-+                type upsd_t, upsd_exec_t;
-+        ')
-+
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,upsd_exec_t,upsd_t)
++interface(`nut_upsd_domtrans',`
++	gen_require(`
++		type nut_upsd_t, nut_upsd_exec_t;
++	')
 +
++	corecmd_search_bin($1)
++	domtrans_pattern($1, nut_upsd_exec_t, nut_upsd_t)
 +')
 +
 +####################################
@@ -18115,14 +18128,13 @@ diff -b -B --ignore-all-space --exclude-
 +## </summary>
 +## </param>
 +#
-+interface(`nut_domtrans_upsmon',`
-+        gen_require(`
-+                type upsmon_t, upsmon_exec_t;
-+        ')
-+
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,upsmon_exec_t,upsmon_t)
++interface(`nut_upsmon_domtrans',`
++	gen_require(`
++		type nut_upsmon_t, nut_upsmon_exec_t;
++	')
 +
++	corecmd_search_bin($1)
++	domtrans_pattern($1, nut_upsmon_exec_t, nut_upsmon_t)
 +')
 +
 +####################################
@@ -18135,169 +18147,206 @@ diff -b -B --ignore-all-space --exclude-
 +## </summary>
 +## </param>
 +#
-+interface(`nut_domtrans_upsdrvctl',`
-+        gen_require(`
-+                type upsdrvctl_t, upsdrvctl_exec_t;
-+        ')
-+
-+        corecmd_search_bin($1)
-+        domtrans_pattern($1,upsdrvctl_exec_t,upsdrvctl_t)
-+
-+')
-+
-+####################################
-+## <summary>
-+##      Connect to upsdrvctl over a unix domain
-+##      stream socket.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`nut_stream_connect',`
-+        gen_require(`
-+                type upsdrvctl_t, nut_var_run_t;
-+        ')
++interface(`nut_upsdrvctl_domtrans',`
++	gen_require(`
++		type nut_upsdrvctl_t, nut_upsdrvctl_exec_t;
++	')
 +
-+        files_search_pids($1)
-+        stream_connect_pattern($1, nut_var_run_t, nut_var_run_t, upsdrvctl_t)
++	corecmd_search_bin($1)
++	domtrans_pattern($1, nut_upsdrvctl_exec_t, nut_upsdrvctl_t)
 +')
-+
-Binary files nsaserefpolicy/policy/modules/services/nut.pp and serefpolicy-3.6.32/policy/modules/services/nut.pp differ
-Binary files nsaserefpolicy/policy/modules/services/nut.tar and serefpolicy-3.6.32/policy/modules/services/nut.tar differ
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
 --- nsaserefpolicy/policy/modules/services/nut.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/nut.te	2009-12-02 07:58:44.000000000 -0500
-@@ -0,0 +1,127 @@
++++ serefpolicy-3.6.32/policy/modules/services/nut.te	2009-12-02 15:23:07.000000000 -0500
+@@ -0,0 +1,188 @@
 +
-+policy_module(nut,1.0.0)
++policy_module(nut, 1.0.0)
 +
 +########################################
 +#
 +# Declarations
 +#
 +
-+type upsd_t;
-+type upsd_exec_t;
-+init_daemon_domain(upsd_t,upsd_exec_t)
++type nut_upsd_t;
++typealias nut_upsd_t alias upsd_t;
++type nut_upsd_exec_t;
++init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)
++
++type nut_upsmon_t;
++typealias nut_upsmon_t alias upsmon_t;
++type nut_upsmon_exec_t;
++init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
++
++type nut_upsdrvctl_t;
++typealias nut_upsdrvctl_t alias upsdrvctl_t;
++type nut_upsdrvctl_exec_t;
++init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
++
++# conf files
++type nut_conf_t;
++files_config_file(nut_conf_t)
 +
++# pid files
 +type nut_var_run_t;
 +files_pid_file(nut_var_run_t)
-+typealias nut_var_run_t alias { upsd_var_run_t upsmon_var_run_t upsdrvctl_var_run_t };
 +
-+type upsmon_t;
-+type upsmon_exec_t;
-+init_daemon_domain(upsmon_t,upsmon_exec_t)
-+
-+type upsdrvctl_t;
-+type upsdrvctl_exec_t;
-+init_daemon_domain(upsdrvctl_t, upsdrvctl_exec_t)
-+
-+permissive upsd_t;
-+permissive upsdrvctl_t;
-+permissive upsmon_t;
++permissive nut_upsd_t;
++permissive nut_upsmon_t;
++permissive nut_upsdrvctl_t;
 +
-+#######################################
++########################################
 +#
-+# upsd local policy
++# Local policy for upsd
 +#
-+allow upsd_t self:capability { dac_override setuid setgid };
 +
-+allow upsd_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow upsd_t self:tcp_socket create_stream_socket_perms;
++allow nut_upsd_t self:capability { setgid setuid };
 +
-+# pid file
-+manage_files_pattern(upsd_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(upsd_t, nut_var_run_t, nut_var_run_t)
-+manage_sock_files_pattern(upsd_t, nut_var_run_t, nut_var_run_t)
-+files_pid_filetrans(upsd_t, nut_var_run_t, { file })
++allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
 +
-+corenet_tcp_bind_ups_port(upsd_t)
-+corenet_tcp_bind_generic_node(upsd_t)
++allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
 +
-+kernel_read_kernel_sysctls(upsd_t)
++read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
 +
-+files_read_etc_files(upsd_t)
-+files_read_usr_files(upsd_t)
++# pid file
++manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })
 +
-+auth_use_nsswitch(upsd_t)
++# note: add ups port !
++corenet_tcp_bind_ups_port(nut_upsd_t)
++corenet_tcp_bind_all_nodes(nut_upsd_t)
 +
-+sysnet_read_config(upsd_t)
++kernel_read_kernel_sysctls(nut_upsd_t)
 +
-+logging_send_syslog_msg(upsd_t)
++# /etc/nsswitch.conf
++auth_use_nsswitch(nut_upsd_t)
 +
-+miscfiles_read_localization(upsd_t)
++files_read_usr_files(nut_upsd_t)
 +
-+nut_stream_connect(upsd_t)
++logging_send_syslog_msg(nut_upsd_t)
 +
-+######################################
++miscfiles_read_localization(nut_upsd_t)
++
++
++########################################
 +#
-+# upsmon local policy
++# Local policy for upsmon
 +#
 +
-+allow upsmon_t self:capability { dac_override setuid setgid };
++allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
 +
-+allow upsmon_t self:fifo_file rw_fifo_file_perms;
-+allow upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
-+allow upsmon_t self:tcp_socket create_stream_socket_perms;
++allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
++allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsmon_t self:tcp_socket create_socket_perms;
++
++read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
 +
 +# pid file
-+manage_files_pattern(upsmon_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(upsmon_t, nut_var_run_t, nut_var_run_t)
-+files_pid_filetrans(upsmon_t, nut_var_run_t, { file })
++manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })
 +
-+corenet_tcp_connect_ups_port(upsmon_t)
++corenet_tcp_connect_ups_port(nut_upsmon_t)
++#corenet_tcp_connect_generic_port(nut_upsmon_t)
 +
-+corecmd_exec_bin(upsmon_t)
-+corecmd_exec_shell(upsmon_t)
++corecmd_exec_bin(nut_upsmon_t)
++corecmd_exec_shell(nut_upsmon_t)
 +
-+kernel_read_kernel_sysctls(upsmon_t)
-+kernel_read_system_state(upsmon_t)
++kernel_read_kernel_sysctls(nut_upsmon_t)
++kernel_read_system_state(nut_upsmon_t)
 +
-+files_read_etc_files(upsmon_t)
++# creates /etc/killpower
++#files_manage_etc_files(nut_upsmon_t)
 +
-+auth_use_nsswitch(upsmon_t)
++# Creates /etc/killpower
++files_manage_etc_runtime_files(nut_upsmon_t)
++files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
 +
-+init_read_utmp(upsmon_t)
++auth_use_nsswitch(nut_upsmon_t)
 +
-+logging_send_syslog_msg(upsmon_t)
++files_search_usr(nut_upsmon_t)
 +
-+miscfiles_read_localization(upsmon_t)
++logging_send_syslog_msg(nut_upsmon_t)
 +
-+######################################
++miscfiles_read_localization(nut_upsmon_t)
++
++# /usr/bin/wall
++term_write_all_terms(nut_upsmon_t)
++
++#upsmon runs shutdown, probably need a shutdown domain
++init_rw_utmp(nut_upsmon_t)
++init_telinit(nut_upsmon_t)
++
++########################################
 +#
-+# ups local policy
++# Local policy for upsdrvctl
 +#
 +
-+allow upsdrvctl_t self:capability { dac_override kill setuid setgid };
-+allow upsdrvctl_t self:process { signal signull };
++allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
++allow nut_upsdrvctl_t self:process { sigchld signal signull };
++allow nut_upsdrvctl_t self:fd use;
++
++allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
++allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
++allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
 +
-+allow upsdrvctl_t self:fifo_file rw_fifo_file_perms;
-+allow upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
++read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
 +
 +# pid file
-+manage_files_pattern(upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-+manage_dirs_pattern(upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-+manage_sock_files_pattern(upsdrvctl_t, nut_var_run_t, nut_var_run_t)
-+files_pid_filetrans(upsdrvctl_t, nut_var_run_t, { file sock_file })
++manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
++manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
++manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })
 +
-+corecmd_exec_bin(upsdrvctl_t)
++# /sbin/upsdrvctl executes other drivers
++# can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
++corecmd_exec_bin(nut_upsdrvctl_t)
++corecmd_exec_sbin(nut_upsdrvctl_t)
 +
-+kernel_read_kernel_sysctls(upsdrvctl_t)
++kernel_read_kernel_sysctls(nut_upsdrvctl_t)
 +
-+dev_rw_generic_usb_dev(upsdrvctl_t)
++# /etc/nsswitch.conf
++auth_use_nsswitch(nut_upsdrvctl_t)
 +
-+term_use_unallocated_ttys(upsdrvctl_t)
++dev_read_urand(nut_upsdrvctl_t)
++dev_rw_generic_usb_dev(nut_upsdrvctl_t)
 +
-+files_read_etc_files(upsdrvctl_t)
++term_use_unallocated_ttys(nut_upsdrvctl_t)
 +
-+sysnet_read_config(upsdrvctl_t)
++logging_send_syslog_msg(nut_upsdrvctl_t)
++
++miscfiles_read_localization(nut_upsdrvctl_t)
++
++init_sigchld(nut_upsdrvctl_t)
++
++#######################################
++#
++# Local policy for NUT cgi scripts
++# requires httpd_enable_cgi and httpd_can_network_connect
++#
++
++optional_policy(`
++    apache_content_template(nutups_cgi)
++
++    read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
++
++    corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
++    corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
++    corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
++    corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
++    corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
++    corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
++#   corenet_tcp_connect_generic_port(httpd_nutups_cgi_script_t)
++    corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
++    corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
++    corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
++
++    sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
++')
 +
-+logging_send_syslog_msg(upsdrvctl_t)
 +
-+miscfiles_read_localization(upsdrvctl_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.6.32/policy/modules/services/nx.fc
 --- nsaserefpolicy/policy/modules/services/nx.fc	2009-09-16 10:01:19.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/nx.fc	2009-12-01 10:43:41.000000000 -0500
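Review bot: `files_manage_etc_runtime_files(nut_upsmon_t)` together with `files_etc_filetrans_etc_runtime(nut_upsmon_t, file)` gives upsmon manage access to every `etc_runtime_t` file, while the comment above those lines says the only need is creating /etc/killpower. The files.fc hunk earlier in this patch shows the same type on /etc/mtab, /etc/issue and /etc/HOSTNAME, so the grant reaches well past the flag file. A private type for the flag with `files_etc_filetrans(nut_upsmon_t, <private killpower type>, file)` (placeholder name) would keep it narrow, provided whatever reads the flag at shutdown is given access to that type. Because `permissive nut_upsmon_t;` is still set, none of this is enforced yet, so this is a cheap moment to narrow it. I would also put a comment next to the three `permissive` lines, e.g. `# TODO: drop once AVC logs are clean`, so the domains are not left unconfined indefinitely.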



