rpms/selinux-policy/devel .cvsignore, 1.157, 1.158 policy-20090105.patch, 1.37, 1.38 selinux-policy.spec, 1.786, 1.787 sources, 1.176, 1.177

Daniel J Walsh dwalsh at fedoraproject.org
Mon Feb 9 22:07:51 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27787

Modified Files:
	.cvsignore policy-20090105.patch selinux-policy.spec sources 
Log Message:
* Mon Feb 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.5-1
- Add setrans contains from upstream 



Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.157
retrieving revision 1.158
diff -u -r1.157 -r1.158
--- .cvsignore	4 Feb 2009 04:02:16 -0000	1.157
+++ .cvsignore	9 Feb 2009 22:07:20 -0000	1.158
@@ -159,3 +159,4 @@
 serefpolicy-3.6.2.tgz
 serefpolicy-3.6.3.tgz
 serefpolicy-3.6.4.tgz
+serefpolicy-3.6.5.tgz

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- policy-20090105.patch	9 Feb 2009 14:23:24 -0000	1.37
+++ policy-20090105.patch	9 Feb 2009 22:07:20 -0000	1.38
@@ -284,8 +284,38 @@
  You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.4/man/man8/nfs_selinux.8
 --- nsaserefpolicy/man/man8/nfs_selinux.8	2008-08-07 11:15:14.000000000 -0400
-+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8	2009-02-03 22:57:28.000000000 -0500
-@@ -26,5 +26,5 @@
++++ serefpolicy-3.6.4/man/man8/nfs_selinux.8	2009-02-09 10:19:24.000000000 -0500
+@@ -1,14 +1,12 @@
+-.TH  "nfs_selinux"  "8"  "17 Jan 2005" "dwalsh at redhat.com" "nfs Selinux Policy documentation"
++.TH  "nfs_selinux"  "8"  "9 Feb 2009" "dwalsh at redhat.com" "NFS SELinux Policy documentation"
+ .SH "NAME"
+ nfs_selinux \- Security Enhanced Linux Policy for NFS
+ .SH "DESCRIPTION"
+ 
+-Security-Enhanced Linux secures the nfs server via flexible mandatory access
++Security Enhanced Linux secures the NFS server via flexible mandatory access
+ control.  
+ .SH BOOLEANS
+-SELinux policy is customizable based on least access required.  So by 
+-default SElinux policy does not allow nfs to share files.  If you want to 
+-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
++SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
+ 
+ .TP
+ setsebool -P nfs_export_all_ro 1
+@@ -18,7 +16,10 @@
+ setsebool -P nfs_export_all_rw 1
+ 
+ .TP
+-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
++These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
++
++.TP
++If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
+ .TP
+ setsebool -P use_nfs_home_dirs 1
+ .TP
+@@ -26,5 +27,5 @@
  .SH AUTHOR	
  This manual page was written by Dan Walsh <dwalsh at redhat.com>.
  
@@ -712,7 +742,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2008-08-07 11:15:13.000000000 -0400
-+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-05 13:41:50.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc	2009-02-09 15:39:27.000000000 -0500
 @@ -3,6 +3,7 @@
  /usr/bin/smart 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
@@ -731,7 +761,7 @@
  /usr/share/yumex/yumex		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  
  ifdef(`distro_redhat', `
-@@ -21,14 +23,17 @@
+@@ -21,14 +23,18 @@
  /usr/sbin/pup			--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/rhn_check		--	gen_context(system_u:object_r:rpm_exec_t,s0)
  /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -745,6 +775,7 @@
  /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 -
 -/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
++/var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
  /var/log/yum\.log.*		--	gen_context(system_u:object_r:rpm_log_t,s0)
 +/var/run/yum.*			--	gen_context(system_u:object_r:rpm_var_run_t,s0)
 +/var/run/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_run_t,s0)
@@ -8884,7 +8915,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/apache.te	2009-02-06 16:08:00.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/apache.te	2009-02-09 15:59:54.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -9105,7 +9136,8 @@
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_pam, false)
 +
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+-	auth_domtrans_chk_passwd(httpd_t)
 +	auth_domtrans_chkpwd(httpd_t)
 +')
 +
@@ -9116,8 +9148,7 @@
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 +optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
--	auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
 +		samba_domtrans_winbind_helper(httpd_t)
  ')
  ')
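Review bot: The winbind helper transition in this optional_policy block is conditioned on `allow_httpd_mod_auth_pam`, although the boolean declared on the line just above it is `allow_httpd_mod_auth_ntlm_winbind`. As written, enabling PAM authentication for httpd also permits `samba_domtrans_winbind_helper(httpd_t)`, and the NTLM/winbind boolean does not gate anything in the visible lines. If that coupling is not intended, the condition should name `allow_httpd_mod_auth_ntlm_winbind`. The surrounding apache.te text is elided from this hunk, so this should be confirmed against the full file.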
@@ -9211,7 +9242,18 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -459,8 +575,13 @@
+@@ -451,6 +567,10 @@
+ ')
+ 
+ optional_policy(`
++	cvs_read_data(httpd_t)
++')
++
++optional_policy(`
+ 	cron_system_entry(httpd_t, httpd_exec_t)
+ ')
+ 
+@@ -459,8 +579,13 @@
  ')
  
  optional_policy(`
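Review bot: The new `cvs_read_data(httpd_t)` call sits in a bare optional_policy block, so httpd_t receives it whenever the cvs module is present, with no boolean to turn it off. The cvs.if hunk further down widens the same interface from `file { getattr read }` to listing directories and reading files and symlinks of cvs_data_t, so the grant covers the whole labelled tree. For a network-facing daemon, consider putting the call under a tunable that defaults to off. Failing that, add a comment above it such as `# httpd needs read access to CVS repository data for <use case>` so the reason is recorded. The policy around the insertion continues outside the hunk.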
@@ -9227,7 +9269,12 @@
  ')
  
  optional_policy(`
-@@ -472,18 +593,13 @@
+@@ -468,22 +593,18 @@
+ 	mailman_domtrans_cgi(httpd_t)
+ 	# should have separate types for public and private archives
+ 	mailman_search_data(httpd_t)
++	mailman_read_data_files(httpd_t)
+ 	mailman_read_archive(httpd_t)
  ')
  
  optional_policy(`
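Review bot: `mailman_read_data_files(httpd_t)` gives the httpd_t domain itself read access to mailman data, even though the block already moves CGI work into its own domain with `mailman_domtrans_cgi(httpd_t)`. The context comment two lines above concedes that public and private archives do not yet have separate types, so this read access cannot be narrowed by label. The mailman.if hunk later in this patch also adds `read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)` to a read interface, which extends it to symlinks of that type. A short comment such as `# httpd_t reads mailman data directly because <reason>; CGI runs in its own domain` would document why the server domain needs it. The definition of mailman_read_data_files is not visible in this diff.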
@@ -9247,7 +9294,7 @@
  ')
  
  optional_policy(`
-@@ -493,6 +609,12 @@
+@@ -493,6 +614,12 @@
  	openca_kill(httpd_t)
  ')
  
@@ -9260,7 +9307,7 @@
  optional_policy(`
  	# Allow httpd to work with postgresql
  	postgresql_stream_connect(httpd_t)
-@@ -500,6 +622,7 @@
+@@ -500,6 +627,7 @@
  
  	tunable_policy(`httpd_can_network_connect_db',`
  		postgresql_tcp_connect(httpd_t)
@@ -9268,7 +9315,7 @@
  	')
  ')
  
-@@ -508,6 +631,7 @@
+@@ -508,6 +636,7 @@
  ')
  
  optional_policy(`
@@ -9276,7 +9323,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -535,6 +659,22 @@
+@@ -535,6 +664,22 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -9299,7 +9346,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -564,20 +704,25 @@
+@@ -564,20 +709,25 @@
  
  fs_search_auto_mountpoints(httpd_php_t)
  
@@ -9331,7 +9378,7 @@
  ')
  
  ########################################
-@@ -595,23 +740,24 @@
+@@ -595,23 +745,24 @@
  append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
  
@@ -9360,7 +9407,7 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +770,7 @@
+@@ -624,6 +775,7 @@
  logging_send_syslog_msg(httpd_suexec_t)
  
  miscfiles_read_localization(httpd_suexec_t)
@@ -9368,7 +9415,7 @@
  
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -641,12 +788,19 @@
+@@ -641,12 +793,19 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -9391,7 +9438,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +826,14 @@
+@@ -672,15 +831,14 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -9410,7 +9457,7 @@
  allow httpd_sys_script_t httpd_t:tcp_socket { read write };
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +852,24 @@
+@@ -699,12 +857,24 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -9437,7 +9484,7 @@
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +877,35 @@
+@@ -712,6 +882,35 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -9473,7 +9520,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +918,10 @@
+@@ -724,6 +923,10 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -9484,7 +9531,7 @@
  ')
  
  optional_policy(`
-@@ -735,6 +933,8 @@
+@@ -735,6 +938,8 @@
  # httpd_rotatelogs local policy
  #
  
@@ -9493,7 +9540,7 @@
  manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
  
  kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +954,12 @@
+@@ -754,6 +959,12 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -9506,7 +9553,7 @@
  ')
  
  # allow accessing files/dirs below the users home dir
-@@ -762,3 +968,66 @@
+@@ -762,3 +973,66 @@
  	userdom_search_user_home_dirs(httpd_suexec_t)
  	userdom_search_user_home_dirs(httpd_user_script_t)
  ')
@@ -11779,6 +11826,20 @@
 +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
 +miscfiles_read_fonts(cups_pdf_t)
 +
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.4/policy/modules/services/cvs.if
+--- nsaserefpolicy/policy/modules/services/cvs.if	2008-11-11 16:13:46.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/cvs.if	2009-02-09 16:00:34.000000000 -0500
+@@ -15,7 +15,9 @@
+ 		type cvs_data_t;
+ 	')
+ 
+-	allow $1 cvs_data_t:file { getattr read };
++	list_dirs_pattern($1, cvs_data_t, cvs_data_t)
++	read_files_pattern($1, cvs_data_t, cvs_data_t)
++	read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.4/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2009-01-19 11:06:49.000000000 -0500
 +++ serefpolicy-3.6.4/policy/modules/services/cvs.te	2009-02-03 22:57:29.000000000 -0500
@@ -13170,7 +13231,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.4/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/ftp.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/ftp.te	2009-02-09 09:53:23.000000000 -0500
 @@ -26,7 +26,7 @@
  ## <desc>
  ## <p>
@@ -13197,17 +13258,20 @@
  
  auth_use_nsswitch(ftpd_t)
  auth_domtrans_chk_passwd(ftpd_t)
-@@ -223,6 +224,10 @@
+@@ -222,8 +223,12 @@
+ 	userdom_manage_user_home_content_dirs(ftpd_t)
  	userdom_manage_user_home_content_files(ftpd_t)
  	userdom_manage_user_home_content_symlinks(ftpd_t)
- 	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+-	userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
 +
 +	auth_read_all_dirs_except_shadow(ftpd_t)
 +	auth_read_all_files_except_shadow(ftpd_t)
 +	auth_read_all_symlinks_except_shadow(ftpd_t)
  ')
++userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
  
  tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+ 	fs_manage_nfs_files(ftpd_t)
 @@ -258,7 +263,9 @@
  ')
  
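Review bot: Moving `userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })` below the closing `')` makes it apply whether or not the enclosing boolean is set. The same move is made for nfsd_t in the rpc.te hunk and for smbd_t and nmbd_t in the two samba.te hunks. The interface definitions are not on this page, but refpolicy file-transition interfaces normally expand to an allow rule on the parent directory as well as the type_transition. If that holds here, these daemons keep directory write access to user home directories when the boolean is off. It is worth checking what allow rules the interface carries and recording the reason at each call site, for example `# filetrans interface cannot stay inside the tunable block; it is now unconditional`. The tunable_policy block that this line leaves starts outside the hunk.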
@@ -14054,7 +14118,7 @@
 +/usr/lib/mailman/mail/mailman --	gen_context(system_u:object_r:mailman_mail_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.4/policy/modules/services/mailman.if
 --- nsaserefpolicy/policy/modules/services/mailman.if	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/mailman.if	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/mailman.if	2009-02-09 15:34:52.000000000 -0500
 @@ -31,6 +31,12 @@
  	allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
  	allow mailman_$1_t self:udp_socket create_socket_perms;
@@ -14076,7 +14140,15 @@
  
  	corecmd_exec_all_executables(mailman_$1_t)
  
-@@ -209,6 +216,7 @@
+@@ -191,6 +198,7 @@
+ 	')
+ 
+ 	read_files_pattern($1, mailman_data_t, mailman_data_t)
++	read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
+ ')
+ 
+ #######################################
+@@ -209,6 +217,7 @@
  		type mailman_data_t;
  	')
  
@@ -14084,7 +14156,7 @@
  	manage_files_pattern($1, mailman_data_t, mailman_data_t)
  ')
  
-@@ -250,6 +258,25 @@
+@@ -250,6 +259,25 @@
  
  #######################################
  ## <summary>
@@ -18916,7 +18988,7 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.4/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/prelude.te	2009-02-04 08:49:43.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/prelude.te	2009-02-09 15:50:22.000000000 -0500
 @@ -13,25 +13,57 @@
  type prelude_spool_t;
  files_type(prelude_spool_t)
@@ -18986,7 +19058,7 @@
  corecmd_search_bin(prelude_t)
  
  corenet_all_recvfrom_unlabeled(prelude_t)
-@@ -56,15 +91,24 @@
+@@ -56,15 +91,25 @@
  corenet_tcp_sendrecv_generic_if(prelude_t)
  corenet_tcp_sendrecv_generic_node(prelude_t)
  corenet_tcp_bind_generic_node(prelude_t)
@@ -18997,6 +19069,7 @@
  dev_read_rand(prelude_t)
  dev_read_urand(prelude_t)
  
++kernel_read_system_state(prelude_t)
 +kernel_read_sysctl(prelude_t)
 +
  # Init script handling
@@ -19011,7 +19084,7 @@
  
  auth_use_nsswitch(prelude_t)
  
-@@ -86,7 +130,7 @@
+@@ -86,7 +131,7 @@
  #
  # prelude_audisp local policy
  #
@@ -19020,7 +19093,7 @@
  allow prelude_audisp_t self:fifo_file rw_file_perms;
  allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
  allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
-@@ -107,6 +151,7 @@
+@@ -107,6 +152,7 @@
  corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
  corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
  corenet_tcp_bind_generic_node(prelude_audisp_t)
@@ -19028,7 +19101,7 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -114,12 +159,134 @@
+@@ -114,12 +160,135 @@
  # Init script handling
  domain_use_interactive_fds(prelude_audisp_t)
  
@@ -19127,6 +19200,7 @@
 +dev_read_rand(prelude_lml_t)
 +dev_read_urand(prelude_lml_t)
 +
++kernel_read_system_state(prelude_lml_t)
 +kernel_read_sysctl(prelude_lml_t)
 +
 +files_list_etc(prelude_lml_t)
@@ -19163,7 +19237,7 @@
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -128,6 +295,20 @@
+@@ -128,6 +297,20 @@
  optional_policy(`
  	apache_content_template(prewikka)
  	files_read_etc_files(httpd_prewikka_script_t)
@@ -20094,7 +20168,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/rpc.te	2009-02-09 09:05:45.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/rpc.te	2009-02-09 09:51:37.000000000 -0500
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -20124,10 +20198,10 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
-+	userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
 +	dev_getattr_all_blk_files(nfsd_t)
 +	dev_getattr_all_chr_files(nfsd_t)
  ')
++userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
  
  tunable_policy(`nfs_export_all_ro',`
  	fs_read_noxattr_fs_files(nfsd_t) 
@@ -20172,7 +20246,7 @@
  auth_write_login_records(rshd_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.4/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/rsync.te	2009-02-03 22:57:29.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/rsync.te	2009-02-09 15:32:24.000000000 -0500
 @@ -119,5 +119,9 @@
  
  tunable_policy(`rsync_export_all_ro',`
@@ -20614,7 +20688,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/services/samba.te	2009-02-07 07:19:23.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/services/samba.te	2009-02-09 10:49:17.000000000 -0500
 @@ -66,6 +66,13 @@
  ## </desc>
  gen_tunable(samba_share_nfs, false)
@@ -20825,7 +20899,13 @@
  ')
  
  optional_policy(`
-@@ -381,8 +426,10 @@
+@@ -376,13 +421,15 @@
+ tunable_policy(`samba_create_home_dirs',`
+ 	allow smbd_t self:capability chown;
+ 	userdom_create_user_home_dirs(smbd_t)
+-	userdom_home_filetrans_user_home_dir(smbd_t)
+ ')
++userdom_home_filetrans_user_home_dir(smbd_t)
  
  tunable_policy(`samba_export_all_ro',`
  	fs_read_noxattr_fs_files(smbd_t) 
@@ -20836,6 +20916,16 @@
  	auth_read_all_files_except_shadow(nmbd_t)
  ')
  
+@@ -391,8 +438,8 @@
+ 	auth_manage_all_files_except_shadow(smbd_t)
+ 	fs_read_noxattr_fs_files(nmbd_t) 
+ 	auth_manage_all_files_except_shadow(nmbd_t)
+-	userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+ ')
++userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
+ 
+ ########################################
+ #
 @@ -454,6 +501,7 @@
  dev_getattr_mtrr_dev(nmbd_t)
  
@@ -21004,7 +21094,7 @@
  
  	tunable_policy(`samba_run_unconfined',`
  		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
-+', `
++',`
 +	can_exec(smbd_t, samba_unconfined_script_exec_t)
  	')
 -')
@@ -28666,7 +28756,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-08 17:11:31.000000000 -0500
++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if	2009-02-09 11:05:11.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -29664,9 +29754,10 @@
  	# the same domain and outside users) disabling this forces FTP passive mode
  	# and may change other protocols
  	tunable_policy(`user_tcp_server',`
- 		corenet_tcp_bind_generic_node($1_t)
+-		corenet_tcp_bind_generic_node($1_t)
 -		corenet_tcp_bind_generic_port($1_t)
-+		corenet_tcp_bind_all_unreserved_ports($1_t)
++		corenet_tcp_bind_all_nodes($1_usertype)
++		corenet_tcp_bind_all_unreserved_ports($1_usertype)
  	')
  
  	optional_policy(`
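Review bot: The two replacement lines under `user_tcp_server` widen the grant in two ways at once. The subject changes from the single type `$1_t` to the attribute `$1_usertype`, and the node permission changes from `corenet_tcp_bind_generic_node` to `corenet_tcp_bind_all_nodes`. With the boolean on, every domain carrying the attribute can bind any unreserved TCP port on any node, which is broader than the comment above the block describes. A comment such as `# applies to all $1_usertype domains, not only $1_t` would make the scope explicit. If only the base user domain needs to listen, `$1_t` should be kept. The template this block belongs to starts and ends outside the hunk.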


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.786
retrieving revision 1.787
diff -u -r1.786 -r1.787
--- selinux-policy.spec	9 Feb 2009 14:20:38 -0000	1.786
+++ selinux-policy.spec	9 Feb 2009 22:07:20 -0000	1.787
@@ -19,8 +19,8 @@
 %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.6.4
-Release: 5%{?dist}
+Version: 3.6.5
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -184,7 +184,7 @@
 
 %description
 SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision  2907.
+Based off of reference policy: Checked out revision  2908.
 
 %build
 
@@ -444,6 +444,12 @@
 %endif
 
 %changelog
+* Mon Feb 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.5-1
+- Add setrans contains from upstream 
+
+* Mon Feb 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-6
+- Do transitions outside of the booleans
+
 * Sun Feb 8 2009 Dan Walsh <dwalsh at redhat.com> 3.6.4-5
 - Allow xdm to create user_tmp_t sockets for switch user to work
 


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/sources,v
retrieving revision 1.176
retrieving revision 1.177
diff -u -r1.176 -r1.177
--- sources	4 Feb 2009 04:02:17 -0000	1.176
+++ sources	9 Feb 2009 22:07:20 -0000	1.177
@@ -1 +1 @@
-5c9f2ee48dab2742927fb099740e9fbc  serefpolicy-3.6.4.tgz
+5911f8b7b5cd991b6367110b0617ac4c  serefpolicy-3.6.5.tgz



