rpms/selinux-policy/devel modules-mls.conf, 1.44, 1.45 policy-20090105.patch, 1.14, 1.15 selinux-policy.spec, 1.769, 1.770

Daniel J Walsh dwalsh at fedoraproject.org
Wed Jan 21 16:18:11 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv784

Modified Files:
	modules-mls.conf policy-20090105.patch selinux-policy.spec 
Log Message:
* Tue Jan 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-3
- Fixed for DeviceKit



Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- modules-mls.conf	19 Jan 2009 13:51:13 -0000	1.44
+++ modules-mls.conf	21 Jan 2009 16:17:40 -0000	1.45
@@ -340,6 +340,13 @@
 # 
 ddcprobe = off
 
+# Layer: services
+# Module: devicekit
+#
+# devicekit-daemon
+# 
+devicekit = module
+
 # Layer: kernel
 # Module: devices
 # Required in base
@@ -1672,6 +1679,28 @@
 podsleuth = module
 
 # Layer: role
+# Module: logadm
+#
+# logadm account on tty logins
+# 
+logadm = module
+
+# Layer: role
+# Module: secadm
+#
+# secadm account on tty logins
+# 
+secadm = module
+
+# Layer: role
+# Module: auditadm
+#
+# auditadm account on tty logins
+# 
+auditadm = module
+
+#
+# Layer: role
 # Module: guest
 #
 # Minimally privs guest account on tty logins
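Review bot: The `+#` line inserted just before the restored `# Layer: role` header of the guest entry leaves a stray comment line; every other entry in this file starts directly with `# Layer:`, so that line should be dropped. The three new role entries (logadm, secadm, auditadm) otherwise follow the existing block layout, including the trailing `# ` line before each assignment.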

policy-20090105.patch:

Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20090105.patch,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- policy-20090105.patch	20 Jan 2009 15:12:00 -0000	1.14
+++ policy-20090105.patch	21 Jan 2009 16:17:40 -0000	1.15
@@ -523,6 +523,17 @@
  	samba_read_log(logwatch_t)
 +	samba_read_share_files(logwatch_t)
  ')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.6.3/policy/modules/admin/mrtg.te
+--- nsaserefpolicy/policy/modules/admin/mrtg.te	2009-01-19 11:07:34.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/admin/mrtg.te	2009-01-20 16:16:42.000000000 -0500
+@@ -116,6 +116,7 @@
+ userdom_use_user_terminals(mrtg_t)
+ userdom_dontaudit_read_user_home_content_files(mrtg_t)
+ userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
++userdom_dontaudit_list_admin_dir(mrtg_t)
+ 
+ ifdef(`enable_mls',`
+ 	corenet_udp_sendrecv_lo_if(mrtg_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.3/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/admin/netutils.te	2009-01-19 13:10:02.000000000 -0500
@@ -4053,8 +4064,17 @@
 +xserver_user_x_domain_template(user, wm_t, wm_tmpfs_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc	2009-01-19 13:10:02.000000000 -0500
-@@ -130,6 +130,8 @@
++++ serefpolicy-3.6.3/policy/modules/kernel/corecommands.fc	2009-01-20 14:46:23.000000000 -0500
+@@ -58,6 +58,8 @@
+ 
+ /etc/init\.d/functions		--	gen_context(system_u:object_r:bin_t,s0)
+ 
++/etc/mail/make			--	gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/netplug\.d(/.*)? 	 		gen_context(system_u:object_r:bin_t,s0)
+ 
+ /etc/ppp/ip-down\..*		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -130,6 +132,8 @@
  /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
  ')
  
@@ -4063,7 +4083,7 @@
  #
  # /usr
  #
-@@ -203,6 +205,7 @@
+@@ -203,6 +207,7 @@
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/scripts(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/mc/extfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -4071,7 +4091,7 @@
  /usr/share/printconf/util/print\.py --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/turboprint/lib(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
-@@ -223,14 +226,15 @@
+@@ -223,14 +228,15 @@
  /usr/lib64/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/lib/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/lib64/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)
@@ -4089,7 +4109,7 @@
  /usr/share/fedora-usermgmt/wrapper --	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hplip/[^/]*		--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hwbrowser/hwbrowser --	gen_context(system_u:object_r:bin_t,s0)
-@@ -293,3 +297,8 @@
+@@ -293,3 +299,8 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -4386,7 +4406,7 @@
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.3/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/devices.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/devices.if	2009-01-20 16:50:48.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1, device_t, device_node)
@@ -4532,7 +4552,7 @@
  ##	Read and write generic the USB devices.
  ## </summary>
  ## <param name="domain">
-@@ -2785,6 +2879,97 @@
+@@ -2785,6 +2879,115 @@
  
  ########################################
  ## <summary>
@@ -4591,6 +4611,24 @@
 +
 +########################################
 +## <summary>
++##	Read the kernel messages
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`dev_read_kmsg',`
++	gen_require(`
++		type device_t, kmsg_device_t;
++	')
++
++	read_chr_files_pattern($1, device_t, kmsg_device_t)
++')
++
++########################################
++## <summary>
 +##	Read the kvm devices.
 +## </summary>
 +## <param name="domain">
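Review bot: The summary `Read the kernel messages` for the new `dev_read_kmsg` interface does not say which node is meant; since the rule grants read on `kmsg_device_t` character files, `##	Read the kernel message ring buffer (/dev/kmsg).` would tell callers what they are opening. A sentence in the description noting that the ring buffer typically carries kernel addresses and hardware details would also help, so the interface is granted to daemons that actually parse it rather than used to silence a denial. The one caller in this commit is crond_t, in the cron.te hunk further down.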
@@ -4630,7 +4668,7 @@
  ##	Mount a usbfs filesystem.
  ## </summary>
  ## <param name="domain">
-@@ -3320,3 +3505,223 @@
+@@ -3320,3 +3523,223 @@
  
  	typeattribute $1 devices_unconfined_type;
  ')
@@ -5414,7 +5452,7 @@
 +/dev/shm		-d	gen_context(system_u:object_r:tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.3/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/filesystem.if	2009-01-20 14:57:41.000000000 -0500
 @@ -534,6 +534,24 @@
  
  ########################################
@@ -5858,7 +5896,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.6.3/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.if	2009-01-20 16:17:37.000000000 -0500
 @@ -1197,6 +1197,7 @@
  	')
  
@@ -5939,9 +5977,33 @@
  ##	Unconfined access to kernel module resources.
  ## </summary>
  ## <param name="domain">
+@@ -2595,3 +2637,23 @@
+ 
+ 	typeattribute $1 kern_unconfined;
+ ')
++
++########################################
++## <summary>
++##	Allow the specified domain to connect to
++##	the kernel with a unix socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`kernel_stream_connect',`
++	gen_require(`
++		type kernel_t;
++	')
++
++	allow $1 kernel_t:unix_stream_socket connectto;
++')
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.3/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2009-01-19 11:03:28.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/kernel.te	2009-01-20 17:15:33.000000000 -0500
 @@ -63,6 +63,15 @@
  genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0)
  
@@ -5977,7 +6039,44 @@
  
  # These initial sids are no longer used, and can be removed:
  sid any_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-@@ -273,6 +287,8 @@
+@@ -198,6 +212,8 @@
+ allow kernel_t self:sock_file read_sock_file_perms;
+ allow kernel_t self:fd use;
+ 
++allow kernel_t debugfs_t:dir search;
++
+ allow kernel_t proc_t:dir list_dir_perms;
+ allow kernel_t proc_t:file read_file_perms;
+ allow kernel_t proc_t:lnk_file read_lnk_file_perms;
+@@ -246,7 +263,8 @@
+ 
+ selinux_load_policy(kernel_t)
+ 
+-term_use_console(kernel_t)
++term_use_all_terms(kernel_t)
++term_use_ptmx(kernel_t)
+ 
+ corecmd_exec_shell(kernel_t)
+ corecmd_list_bin(kernel_t)
+@@ -260,6 +278,8 @@
+ files_list_etc(kernel_t)
+ files_list_home(kernel_t)
+ files_read_usr_files(kernel_t)
++files_manage_mounttab(kernel_t)
++files_manage_generic_spool_dirs(kernel_t)
+ 
+ mcs_process_set_categories(kernel_t)
+ 
+@@ -267,12 +287,17 @@
+ mls_process_write_down(kernel_t)
+ mls_file_write_all_levels(kernel_t)
+ mls_file_read_all_levels(kernel_t) 
++mls_socket_write_all_levels(kernel_t) 
++
++logging_manage_generic_logs(kernel_t)
+ 
+ ifdef(`distro_redhat',`
+ 	# Bugzilla 222337
  	fs_rw_tmpfs_chr_files(kernel_t)
  ')
  
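Review bot: The new kernel_t rules widen the kernel domain considerably with no comment saying which kernel-spawned helper needs them: `term_use_all_terms`/`term_use_ptmx` replace the narrower `term_use_console`, and `files_manage_mounttab`, `files_manage_generic_spool_dirs`, `logging_manage_generic_logs` and `mls_socket_write_all_levels` give kernel_t write access to the mount table, generic spool directories and every generic log file; the `xserver_xdm_manage_spool(kernel_t)` block in the next hunk of this file belongs to the same set. Processes the kernel itself executes run in kernel_t until they transition, so these grants are reachable by every such helper. Each group should carry a comment naming the denial it fixes, e.g. `# <helper>: writes <file> — see <bug id>`, and any access that only needs silencing should be a dontaudit rule instead.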
@@ -5986,6 +6085,17 @@
  tunable_policy(`read_default_t',`
  	files_list_default(kernel_t)
  	files_read_default_files(kernel_t)
+@@ -357,6 +382,10 @@
+ 	unconfined_domain(kernel_t)
+ ')
+ 
++optional_policy(`
++	xserver_xdm_manage_spool(kernel_t)
++')
++
+ ########################################
+ #
+ # Unlabeled process local policy
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.6.3/policy/modules/kernel/selinux.if
 --- nsaserefpolicy/policy/modules/kernel/selinux.if	2009-01-19 11:03:28.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/kernel/selinux.if	2009-01-19 13:32:33.000000000 -0500
@@ -6069,7 +6179,16 @@
  /dev/scramdisk/.*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.3/policy/modules/kernel/terminal.if
 --- nsaserefpolicy/policy/modules/kernel/terminal.if	2008-11-11 16:13:41.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/kernel/terminal.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/kernel/terminal.if	2009-01-20 14:48:49.000000000 -0500
+@@ -173,7 +173,7 @@
+ 
+ 	dev_list_all_dev_nodes($1)
+ 	allow $1 devpts_t:dir list_dir_perms;
+-	allow $1 { console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
++	allow $1 { devpts_t console_device_t tty_device_t ttynode ptynode }:chr_file rw_chr_file_perms;
+ ')
+ 
+ ########################################
 @@ -250,9 +250,11 @@
  interface(`term_dontaudit_use_console',`
  	gen_require(`
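Review bot: Adding `devpts_t` to the chr_file rw set in this interface (its header is outside the hunk; the kernel.te hunk in this commit calls `term_use_all_terms`, which matches this body) gives every existing caller read/write on devpts_t character nodes, presumably the multiplexer node inside a devpts mount, not only the kernel_t caller the commit appears to be fixing. If only one domain needs to open new pseudo-terminal masters that way, a rule on that caller would keep the widening local. At minimum the change deserves a comment above the rule naming the caller and the denial that motivated it.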
@@ -8349,7 +8468,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.3/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-20 07:55:29.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/apache.te	2009-01-21 11:01:33.000000000 -0500
 @@ -19,6 +19,8 @@
  # Declarations
  #
@@ -10010,7 +10129,7 @@
 +/var/log/rpmpkgs.*		--	gen_context(system_u:object_r:cron_log_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.6.3/policy/modules/services/cron.if
 --- nsaserefpolicy/policy/modules/services/cron.if	2008-11-11 16:13:47.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cron.if	2009-01-20 15:16:32.000000000 -0500
 @@ -12,6 +12,10 @@
  ## </param>
  #
@@ -10048,7 +10167,15 @@
  
  	miscfiles_read_localization($1_t)
  
-@@ -343,6 +357,24 @@
+@@ -261,6 +275,7 @@
+ 	allow $1 system_cronjob_t:fifo_file rw_file_perms;
+ 	allow $1 system_cronjob_t:process sigchld;
+ 
++	domain_auto_trans(crond_t, $2, $1)
+ 	allow $1 crond_t:fifo_file rw_file_perms;
+ 	allow $1 crond_t:fd use;
+ 	allow $1 crond_t:process sigchld;
+@@ -343,6 +358,24 @@
  
  ########################################
  ## <summary>
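Review bot: The added `domain_auto_trans(crond_t, $2, $1)` means crond_t itself, and not only the system job domain, now transitions into $1 when it executes the $2 entrypoint; the interface's summary (its header is outside the hunk) should say so, since callers register entrypoints expecting a cron-job transition. The line also sits between the system_cronjob_t rule group and the crond_t fifo/fd/sigchld rules; placing it after that crond_t group keeps the per-domain rules together. Whether a matching transition for system_cronjob_t already exists in this interface cannot be seen from the hunk.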
@@ -10073,7 +10200,7 @@
  ##	Read and write a cron daemon unnamed pipe.
  ## </summary>
  ## <param name="domain">
-@@ -361,7 +393,7 @@
+@@ -361,7 +394,7 @@
  
  ########################################
  ## <summary>
@@ -10082,7 +10209,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -369,7 +401,7 @@
+@@ -369,7 +402,7 @@
  ##	</summary>
  ## </param>
  #
@@ -10091,7 +10218,7 @@
  	gen_require(`
  		type crond_t;
  	')
-@@ -481,11 +513,14 @@
+@@ -481,11 +514,14 @@
  #
  interface(`cron_read_system_job_tmp_files',`
  	gen_require(`
@@ -10107,7 +10234,7 @@
  ')
  
  ########################################
-@@ -506,3 +541,82 @@
+@@ -506,3 +542,82 @@
  
  	dontaudit $1 system_cronjob_tmp_t:file append;
  ')
@@ -10192,7 +10319,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.6.3/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/cron.te	2009-01-20 16:52:23.000000000 -0500
 @@ -38,6 +38,10 @@
  type cron_var_lib_t;
  files_type(cron_var_lib_t)
@@ -10249,7 +10376,7 @@
  dontaudit crond_t self:capability { sys_resource sys_tty_config };
  allow crond_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
  allow crond_t self:process { setexec setfscreate };
-@@ -149,15 +163,14 @@
+@@ -149,19 +163,19 @@
  allow crond_t crond_var_run_t:file manage_file_perms;
  files_pid_filetrans(crond_t,crond_var_run_t,file)
  
@@ -10268,7 +10395,12 @@
  
  kernel_read_kernel_sysctls(crond_t)
  kernel_search_key(crond_t)
-@@ -183,6 +196,8 @@
+ 
++dev_read_kmsg(crond_t)
+ dev_read_sysfs(crond_t)
+ selinux_get_fs_mount(crond_t)
+ selinux_validate_context(crond_t)
+@@ -183,6 +197,8 @@
  corecmd_read_bin_symlinks(crond_t)
  
  domain_use_interactive_fds(crond_t)
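Review bot: `dev_read_kmsg(crond_t)` lets the cron daemon read the kernel message ring buffer, whose contents (kernel addresses, hardware and driver details) are normally kept from unprivileged processes, and the hunk gives no reason for crond needing it. If the denial came from a cron job rather than crond itself the grant belongs on the job domain, and if crond merely probes the device a dontaudit rule would be the usual fix. Either way a one-line comment with the triggering denial, `# crond: <reason> — see <bug id>`, should accompany the rule.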
@@ -10277,7 +10409,7 @@
  
  files_read_etc_files(crond_t)
  files_read_generic_spool(crond_t)
-@@ -192,10 +207,13 @@
+@@ -192,10 +208,13 @@
  files_search_default(crond_t)
  
  init_rw_utmp(crond_t)
@@ -10291,7 +10423,7 @@
  
  seutil_read_config(crond_t)
  seutil_read_default_contexts(crond_t)
-@@ -208,6 +226,7 @@
+@@ -208,6 +227,7 @@
  userdom_list_user_home_dirs(crond_t)
  
  mta_send_mail(crond_t)
@@ -10299,7 +10431,7 @@
  
  ifdef(`distro_debian',`
  	# pam_limits is used
-@@ -227,21 +246,45 @@
+@@ -227,21 +247,45 @@
  	')
  ')
  
@@ -10346,7 +10478,7 @@
  ')
  
  optional_policy(`
-@@ -283,6 +326,9 @@
+@@ -283,7 +327,14 @@
  allow system_cronjob_t cron_var_lib_t:file manage_file_perms;
  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
  
@@ -10354,9 +10486,14 @@
 +files_pid_filetrans(system_cronjob_t, cron_var_run_t, file)
 +
  allow system_cronjob_t system_cron_spool_t:file read_file_perms;
++
++# anacron forces the following
++allow system_cronjob_t system_cron_spool_t:file { write setattr };
++
  # The entrypoint interface is not used as this is not
  # a regular entrypoint.  Since crontab files are
-@@ -314,9 +360,13 @@
+ # not directly executed, crond must ensure that
+@@ -314,9 +365,13 @@
  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
  files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
  
@@ -10371,7 +10508,7 @@
  
  kernel_read_kernel_sysctls(system_cronjob_t)
  kernel_read_system_state(system_cronjob_t)
-@@ -370,7 +420,8 @@
+@@ -370,7 +425,8 @@
  init_read_utmp(system_cronjob_t)
  init_dontaudit_rw_utmp(system_cronjob_t)
  # prelink tells init to restart it self, we either need to allow or dontaudit
@@ -10381,7 +10518,7 @@
  
  auth_use_nsswitch(system_cronjob_t)
  
-@@ -378,6 +429,7 @@
+@@ -378,6 +434,7 @@
  libs_exec_ld_so(system_cronjob_t)
  
  logging_read_generic_logs(system_cronjob_t)
@@ -10389,7 +10526,7 @@
  logging_send_syslog_msg(system_cronjob_t)
  
  miscfiles_read_localization(system_cronjob_t)
-@@ -428,11 +480,20 @@
+@@ -428,11 +485,20 @@
  ')
  
  optional_policy(`
@@ -10410,7 +10547,7 @@
  ')
  
  optional_policy(`
-@@ -460,8 +521,7 @@
+@@ -460,8 +526,7 @@
  ')
  
  optional_policy(`
@@ -10420,7 +10557,7 @@
  ')
  
  optional_policy(`
-@@ -469,24 +529,17 @@
+@@ -469,24 +534,17 @@
  ')
  
  optional_policy(`
@@ -10429,16 +10566,16 @@
 +	unconfined_domain(crond_t)
  	unconfined_domain(system_cronjob_t)
 -	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
--')
--
+ ')
+ 
 -ifdef(`TODO',`
 -ifdef(`mta.te', `
 -allow system_cronjob_t mail_spool_t:lnk_file read;
 -allow mta_user_agent system_cronjob_t:fd use;
 -r_dir_file(system_mail_t, crond_tmp_t)
- ')
+-')
 -') dnl end TODO
- 
+-
  ########################################
  #
  # User cronjobs local policy
@@ -10448,6 +10585,16 @@
  allow cronjob_t self:process { signal_perms setsched };
  allow cronjob_t self:fifo_file rw_fifo_file_perms;
  allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
+@@ -570,6 +628,9 @@
+ userdom_manage_user_home_content_sockets(cronjob_t)
+ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set)
+ 
++list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
++
+ tunable_policy(`fcron_crond', `
+ 	allow crond_t user_cron_spool_t:file manage_file_perms;
+ ')
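Review bot: The two new `list_dirs_pattern(crond_t, user_cron_spool_t, ...)` and `read_files_pattern(crond_t, user_cron_spool_t, ...)` rules are placed in the "User cronjobs local policy" section of cron.te, but their subject is crond_t, so they belong with the crond_t rules earlier in the file. Keeping them next to the `tunable_policy(`fcron_crond', ...)` block that grants crond_t manage on the same type is understandable, but a short comment, `# crond reads user crontabs; fcron additionally writes them`, would make the relationship explicit if they stay here.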
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.6.3/policy/modules/services/cups.fc
 --- nsaserefpolicy/policy/modules/services/cups.fc	2008-08-07 11:15:11.000000000 -0400
 +++ serefpolicy-3.6.3/policy/modules/services/cups.fc	2009-01-19 13:10:02.000000000 -0500
@@ -11417,8 +11564,8 @@
 +/var/run/devkit(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.3/policy/modules/services/devicekit.if
 --- nsaserefpolicy/policy/modules/services/devicekit.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.if	2009-01-19 17:17:14.000000000 -0500
-@@ -0,0 +1,139 @@
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.if	2009-01-20 17:22:44.000000000 -0500
+@@ -0,0 +1,157 @@
 +
 +## <summary>policy for devicekit</summary>
 +
@@ -11458,7 +11605,7 @@
 +	')
 +
 +	files_search_pids($1)
-+	allow $1 devicekit_var_run_t:file read_file_perms;
++	read_files_pattern($1, devicekit_var_run_t, devicekit_var_run_t)
 +')
 +
 +########################################
@@ -11505,6 +11652,24 @@
 +
 +########################################
 +## <summary>
++##	Send signal devicekit power
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`devicekit_power_signal',`
++	gen_require(`
++		type devicekit_power_t;
++	')
++
++	allow $1 devicekit_power_t:process signal;
++')
++
++########################################
++## <summary>
 +##	Send and receive messages from
 +##	devicekit power over dbus.
 +## </summary>
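Review bot: The summary of the new `devicekit_power_signal` interface, `Send signal devicekit power`, is not a sentence; `##	Send a generic signal to devicekit-power.` matches the wording of the neighbouring interfaces. The only caller in this commit is xserver_t, in the xserver.te hunk further down.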
@@ -11560,8 +11725,8 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.3/policy/modules/services/devicekit.te
 --- nsaserefpolicy/policy/modules/services/devicekit.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/devicekit.te	2009-01-19 17:06:44.000000000 -0500
-@@ -0,0 +1,55 @@
++++ serefpolicy-3.6.3/policy/modules/services/devicekit.te	2009-01-20 17:10:23.000000000 -0500
+@@ -0,0 +1,71 @@
 +policy_module(devicekit,1.0.0)
 +
 +########################################
@@ -11587,13 +11752,21 @@
 +#
 +# DeviceKit local policy
 +#
++allow devicekit_t self:unix_dgram_socket create_socket_perms;
 +
 +manage_dirs_pattern(devicekit_t, devicekit_var_run_t,  devicekit_var_run_t)
 +manage_files_pattern(devicekit_t, devicekit_var_run_t,  devicekit_var_run_t)
 +files_pid_filetrans(devicekit_t,devicekit_var_run_t, { file dir })
 +
++dev_read_sysfs(devicekit_t)
++dev_read_urand(devicekit_t)
++
++files_read_etc_files(devicekit_t)
++
 +fs_list_inotifyfs(devicekit_t)
 +
++miscfiles_read_localization(devicekit_t)
++
 +optional_policy(`
 +	dbus_system_bus_client(devicekit_t)
 +')
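Review bot: `allow devicekit_t self:unix_dgram_socket create_socket_perms;` is the first line after the `# DeviceKit local policy` header with no blank line and no comment, while the other rule groups in this file are separated by blank lines. A self unix_dgram_socket is most often opened to talk to syslog; if that is the case here the daemon will also need `logging_send_syslog_msg(devicekit_t)`. The devicekit_power_t section a few lines down adds the same rule for devicekit_power_t, and the same question applies there.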
@@ -11601,11 +11774,18 @@
 +#
 +# DeviceKit-Power local policy
 +#
++allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 +
++dev_rw_generic_usb_dev(devicekit_power_t)
 +dev_rw_netcontrol(devicekit_power_t)
++dev_read_sysfs(devicekit_power_t)
++
 +files_read_etc_files(devicekit_power_t)
++
 +fs_list_inotifyfs(devicekit_power_t)
 +
++miscfiles_read_localization(devicekit_power_t)
++
 +optional_policy(`
 +	polkit_read_reload(devicekit_power_t)
 +')
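Review bot: `dev_rw_generic_usb_dev(devicekit_power_t)` gives the power daemon read/write on all generic USB device nodes, which is much broader than the power-related sysfs and netcontrol access around it; a comment naming the device class that needs it (presumably USB-attached batteries or UPSes — confirm) would let a later reviewer judge whether a narrower type is possible. Without it the rule reads like a denial silenced wholesale.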
@@ -11614,9 +11794,10 @@
 +	dbus_system_bus_client(devicekit_power_t)
 +	allow devicekit_power_t devicekit_t:dbus send_msg;
 +	allow devicekit_t devicekit_power_t:dbus send_msg;
++	optional_policy(`
++		consolekit_dbus_chat(devicekit_power_t)
++	')
 +')
-+
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.if serefpolicy-3.6.3/policy/modules/services/dhcp.if
 --- nsaserefpolicy/policy/modules/services/dhcp.if	2008-11-18 18:57:20.000000000 -0500
 +++ serefpolicy-3.6.3/policy/modules/services/dhcp.if	2009-01-19 13:10:02.000000000 -0500
@@ -12512,7 +12693,7 @@
  /usr/libexec/hald-addon-macbookpro-backlight --	gen_context(system_u:object_r:hald_mac_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-3.6.3/policy/modules/services/hal.if
 --- nsaserefpolicy/policy/modules/services/hal.if	2008-11-19 11:51:44.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/hal.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/hal.if	2009-01-20 15:29:07.000000000 -0500
 @@ -51,10 +51,7 @@
  		type hald_t;
  	')
@@ -12527,7 +12708,7 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.3/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/hal.te	2009-01-19 14:46:49.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/hal.te	2009-01-20 11:41:48.000000000 -0500
 @@ -49,6 +49,15 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -12638,7 +12819,16 @@
  
  domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
  allow hald_t hald_mac_t:process signal;
-@@ -418,3 +453,49 @@
+@@ -374,6 +409,8 @@
+ 
+ auth_use_nsswitch(hald_mac_t)
+ 
++logging_send_syslog_msg(hald_mac_t)
++
+ miscfiles_read_localization(hald_mac_t)
+ 
+ ########################################
+@@ -418,3 +455,49 @@
  files_read_usr_files(hald_keymap_t)
  
  miscfiles_read_localization(hald_keymap_t)
@@ -19908,7 +20098,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.3/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/setroubleshoot.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/setroubleshoot.te	2009-01-21 11:01:41.000000000 -0500
 @@ -11,6 +11,9 @@
  domain_type(setroubleshootd_t)
  init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
@@ -19941,7 +20131,7 @@
  
  corecmd_exec_bin(setroubleshootd_t)
  corecmd_exec_shell(setroubleshootd_t)
-@@ -68,16 +74,23 @@
+@@ -68,16 +74,24 @@
  
  dev_read_urand(setroubleshootd_t)
  dev_read_sysfs(setroubleshootd_t)
@@ -19963,10 +20153,11 @@
 +fs_read_fusefs_symlinks(setroubleshootd_t)
 +fs_dontaudit_read_nfs_files(setroubleshootd_t)
 +fs_dontaudit_read_cifs_files(setroubleshootd_t)
++fs_list_inotifyfs(setroubleshootd_t)
  
  selinux_get_enforce_mode(setroubleshootd_t)
  selinux_validate_context(setroubleshootd_t)
-@@ -94,22 +107,24 @@
+@@ -94,22 +108,24 @@
  
  locallogin_dontaudit_use_fds(setroubleshootd_t)
  
@@ -21174,7 +21365,16 @@
  optional_policy(`
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.3/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/virt.te	2009-01-20 14:57:03.000000000 -0500
+@@ -53,7 +53,7 @@
+ # virtd local policy
+ #
+ 
+-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
++allow virtd_t self:capability { dac_override kill net_admin  net_raw setuid setgid sys_nice sys_ptrace };
+ allow virtd_t self:process { getsched sigkill signal execmem };
+ allow virtd_t self:fifo_file rw_file_perms;
+ allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 @@ -96,7 +96,7 @@
  corenet_tcp_sendrecv_generic_node(virtd_t)
  corenet_tcp_sendrecv_all_ports(virtd_t)
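Review bot: The virtd_t capability set gains `setuid` and `net_raw` with no explanation, and `setuid` on top of the existing `dac_override`, `kill` and `sys_ptrace` lets libvirtd assume any uid; if it is for starting guests under an unprivileged user, say so above the rule, e.g. `# setuid/setgid: run guest processes as an unprivileged user — confirm`. There is also a doubled space in `net_admin  net_raw` that should be collapsed to match the rest of the set.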
@@ -21192,7 +21392,16 @@
  files_read_etc_runtime_files(virtd_t)
  files_search_all(virtd_t)
  files_list_kernel_modules(virtd_t)
-@@ -173,16 +174,17 @@
+@@ -129,6 +130,8 @@
+ 
+ logging_send_syslog_msg(virtd_t)
+ 
++sysnet_domtrans_ifconfig(virtd_t)
++
+ userdom_read_all_users_state(virtd_t)
+ 
+ tunable_policy(`virt_use_nfs',`
+@@ -173,16 +176,17 @@
  	iptables_domtrans(virtd_t)
  ')
  
@@ -21305,8 +21514,16 @@
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.3/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.if	2009-01-19 13:10:02.000000000 -0500
-@@ -156,7 +156,7 @@
++++ serefpolicy-3.6.3/policy/modules/services/xserver.if	2009-01-21 11:14:55.000000000 -0500
+@@ -116,6 +116,7 @@
+ 	# setattr: gnome-settings-daemon X11:GrabKey
+ 	# manage: metacity X11:ChangeWindowAttributes
+ 	allow $2 rootwindow_t:x_drawable { read write manage setattr };
++	allow $2 $2:x_drawable all_x_drawable_perms;
+ 
+ 	# setattr: metacity X11:InstallColormap
+ 	allow $2 xserver_t:x_screen { saver_getattr saver_setattr setattr };
+@@ -156,7 +157,7 @@
  	allow $1 xserver_t:process signal;
  
  	# Read /tmp/.X0-lock
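Review bot: `allow $2 $2:x_drawable all_x_drawable_perms;` names the same type on both sides; refpolicy writes that as `allow $2 self:x_drawable all_x_drawable_perms;`. The two rules above it each carry a comment naming the client and X11 request that needed them (`# setattr: gnome-settings-daemon X11:GrabKey`), so this one should too, e.g. `# own drawables: <client> X11:<request> — confirm`. The template this sits in starts outside the hunk.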
@@ -21315,7 +21532,7 @@
  
  	# Client read xserver shm
  	allow $1 xserver_t:fd use;
-@@ -219,12 +219,12 @@
+@@ -219,12 +220,12 @@
  	allow $1 self:unix_stream_socket { connectto create_stream_socket_perms };
  
  	# Read .Xauthority file
@@ -21331,7 +21548,7 @@
  	allow $1 xdm_tmp_t:dir search;
  	allow $1 xdm_tmp_t:sock_file { read write };
  	dontaudit $1 xdm_t:tcp_socket { read write };
-@@ -397,11 +397,12 @@
+@@ -397,11 +398,12 @@
  	gen_require(`
  		type xdm_t, xdm_tmp_t;
  		type xauth_home_t, iceauth_home_t, xserver_t, xserver_tmpfs_t;
@@ -21347,7 +21564,7 @@
  
  	# Read .Xauthority file
  	allow $2 xauth_home_t:file read_file_perms;
-@@ -409,7 +410,7 @@
+@@ -409,7 +411,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
@@ -21356,7 +21573,7 @@
  	allow $2 xdm_tmp_t:dir search_dir_perms;
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
-@@ -437,6 +438,10 @@
+@@ -437,6 +439,10 @@
  		allow $2 xserver_t:shm rw_shm_perms;
  		allow $2 xserver_tmpfs_t:file rw_file_perms;
  	')
@@ -21367,7 +21584,7 @@
  ')
  
  ########################################
-@@ -639,7 +644,7 @@
+@@ -639,7 +645,7 @@
  		type xdm_t;
  	')
  
@@ -21376,7 +21593,7 @@
  ')
  
  ########################################
-@@ -738,6 +743,7 @@
+@@ -738,6 +744,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
@@ -21384,7 +21601,7 @@
  ')
  
  ########################################
-@@ -756,7 +762,26 @@
+@@ -756,7 +763,26 @@
  	')
  
  	files_search_pids($1)
@@ -21412,7 +21629,7 @@
  ')
  
  ########################################
-@@ -779,6 +804,31 @@
+@@ -779,6 +805,31 @@
  
  ########################################
  ## <summary>
@@ -21444,7 +21661,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1018,10 +1068,11 @@
+@@ -1018,10 +1069,11 @@
  #
  interface(`xserver_domtrans',`
  	gen_require(`
@@ -21457,7 +21674,7 @@
  	domtrans_pattern($1, xserver_exec_t, xserver_t)
  ')
  
-@@ -1159,6 +1210,253 @@
+@@ -1159,6 +1211,272 @@
  
  ########################################
  ## <summary>
@@ -21690,6 +21907,25 @@
 +
 +########################################
 +## <summary>
++##	Manage the xdm_spool files
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_xdm_manage_spool',`
++	gen_require(`
++		type xdm_spool_t;
++	')
++
++	files_search_spool($1)
++	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
++')
++
++########################################
++## <summary>
 +##	Ptrace XDM 
 +## </summary>
 +## <param name="domain">
@@ -21713,7 +21949,7 @@
  ##	display.
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.3/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-19 17:08:51.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/services/xserver.te	2009-01-21 11:00:16.000000000 -0500
 @@ -34,6 +34,13 @@
  
  ## <desc>
@@ -22126,7 +22362,24 @@
  	xfs_stream_connect(xdm_t)
  ')
  
-@@ -635,6 +738,15 @@
+@@ -587,7 +690,7 @@
+ # execheap needed until the X module loader is fixed.
+ # NVIDIA Needs execstack
+ 
+-allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
++allow xserver_t self:capability { dac_override fowner fsetid setgid setuid ipc_owner sys_ptrace sys_rawio sys_admin sys_nice sys_tty_config mknod net_bind_service };
+ dontaudit xserver_t self:capability chown;
+ allow xserver_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow xserver_t self:memprotect mmap_zero;
+@@ -602,6 +705,7 @@
+ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow xserver_t self:tcp_socket create_stream_socket_perms;
+ allow xserver_t self:udp_socket create_socket_perms;
++allow xserver_t self:netlink_selinux_socket create_socket_perms;
+ 
+ # Device rules
+ allow x_domain xserver_t:x_device { read getattr use setattr setfocus grab bell };
+@@ -635,6 +739,15 @@
  manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
  files_search_var_lib(xserver_t)
  
@@ -22142,15 +22395,21 @@
  # Create files in /var/log with the xserver_log_t type.
  manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
  logging_log_filetrans(xserver_t, xserver_log_t,file)
-@@ -682,6 +794,7 @@
+@@ -680,9 +793,13 @@
+ dev_rw_xserver_misc(xserver_t)
+ # read events - the synaptics touchpad driver reads raw events
  dev_rw_input_dev(xserver_t)
++dev_read_raw_memory(xserver_t)
++dev_write_raw_memory(xserver_t)
  dev_rwx_zero(xserver_t)
  
 +domain_mmap_low_type(xserver_t)
  domain_mmap_low(xserver_t)
++domain_dontaudit_read_all_domains_state(xserver_t)
  
  files_read_etc_files(xserver_t)
-@@ -697,6 +810,7 @@
+ files_read_etc_runtime_files(xserver_t)
+@@ -697,6 +814,7 @@
  fs_search_nfs(xserver_t)
  fs_search_auto_mountpoints(xserver_t)
  fs_search_ramfs(xserver_t)
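Review bot: `dev_read_raw_memory(xserver_t)` and `dev_write_raw_memory(xserver_t)` grant the X server read and write access to raw memory devices unconditionally, and nothing says why, whereas the neighbouring `dev_rw_input_dev` line keeps its `# read events - the synaptics touchpad driver reads raw events` justification. A comment naming the driver or feature that needs raw memory would let the access be narrowed or made tunable later, e.g. `# <driver> maps raw memory - TODO: name it` in the same style. `domain_dontaudit_read_all_domains_state(xserver_t)` likewise deserves a note that the suppressed denials are expected noise rather than a missing permission. The enclosing xserver_t rule block continues outside the hunk.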
@@ -22158,7 +22417,26 @@
  
  mls_xwin_read_to_clearance(xserver_t)
  
-@@ -806,7 +920,7 @@
+@@ -720,6 +838,7 @@
+ 
+ miscfiles_read_localization(xserver_t)
+ miscfiles_read_fonts(xserver_t)
++miscfiles_read_hwdata(xserver_t)
+ 
+ modutils_domtrans_insmod(xserver_t)
+ 
+@@ -774,6 +893,10 @@
+ ')
+ 
+ optional_policy(`
++	devicekit_power_signal(xserver_t)
++')
++
++optional_policy(`
+ 	rhgb_getpgid(xserver_t)
+ 	rhgb_signal(xserver_t)
+ ')
+@@ -806,7 +929,7 @@
  allow xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xserver_t xdm_var_lib_t:dir search;
  
@@ -22167,7 +22445,7 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
-@@ -830,6 +944,10 @@
+@@ -830,6 +953,10 @@
  
  xserver_use_user_fonts(xserver_t)
  
@@ -22178,7 +22456,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_manage_nfs_dirs(xserver_t)
  	fs_manage_nfs_files(xserver_t)
-@@ -844,11 +962,14 @@
+@@ -844,11 +971,14 @@
  
  optional_policy(`
  	dbus_system_bus_client(xserver_t)
@@ -22194,7 +22472,7 @@
  ')
  
  optional_policy(`
-@@ -856,6 +977,11 @@
+@@ -856,6 +986,11 @@
  	rhgb_rw_tmpfs_files(xserver_t)
  ')
  
@@ -22206,7 +22484,7 @@
  ########################################
  #
  # Rules common to all X window domains
-@@ -972,6 +1098,37 @@
+@@ -972,6 +1107,37 @@
  allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
  allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
  
@@ -22244,7 +22522,7 @@
  ifdef(`TODO',`
  tunable_policy(`allow_polyinstantiation',`
  # xdm needs access for linking .X11-unix to poly /tmp
-@@ -986,3 +1143,13 @@
+@@ -986,3 +1152,13 @@
  #
  allow xdm_t user_home_type:file unlink;
  ') dnl end TODO
@@ -22398,7 +22676,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.3/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/authlogin.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/authlogin.if	2009-01-20 10:57:35.000000000 -0500
 @@ -43,6 +43,7 @@
  interface(`auth_login_pgm_domain',`
  	gen_require(`
@@ -22717,7 +22995,7 @@
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.6.3/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2008-11-11 16:13:48.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/authlogin.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/authlogin.te	2009-01-20 10:58:05.000000000 -0500
 @@ -12,7 +12,7 @@
  
  type chkpwd_t, can_read_shadow_passwords;
@@ -22737,7 +23015,7 @@
  #
  # var_auth_t is the type of /var/lib/auth, usually
  # used for auth data in pam_able
-@@ -121,6 +124,11 @@
+@@ -121,9 +124,18 @@
  ')
  
  optional_policy(`
@@ -22749,7 +23027,14 @@
  	kerberos_use(chkpwd_t)
  ')
  
-@@ -168,6 +176,11 @@
++optional_policy(`
++	nis_authenticate(chkpwd_t)
++')
++
+ ########################################
+ #
+ # PAM local policy
+@@ -168,6 +180,11 @@
  
  logging_send_syslog_msg(pam_t)
  
@@ -22761,7 +23046,7 @@
  ifdef(`distro_ubuntu',`
  	optional_policy(`
  		unconfined_domain(pam_t)
-@@ -183,7 +196,7 @@
+@@ -183,7 +200,7 @@
  # PAM console local policy
  #
  
@@ -22770,7 +23055,7 @@
  dontaudit pam_console_t self:capability sys_tty_config;
  
  allow pam_console_t self:process { sigchld sigkill sigstop signull signal };
-@@ -201,6 +214,8 @@
+@@ -201,6 +218,8 @@
  dev_read_sysfs(pam_console_t)
  dev_getattr_apm_bios_dev(pam_console_t)
  dev_setattr_apm_bios_dev(pam_console_t)
@@ -22779,7 +23064,7 @@
  dev_getattr_dri_dev(pam_console_t)
  dev_setattr_dri_dev(pam_console_t)
  dev_getattr_input_dev(pam_console_t)
-@@ -225,6 +240,10 @@
+@@ -225,6 +244,10 @@
  dev_setattr_video_dev(pam_console_t)
  dev_getattr_xserver_misc_dev(pam_console_t)
  dev_setattr_xserver_misc_dev(pam_console_t)
@@ -22868,7 +23153,7 @@
  #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.3/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/init.if	2009-01-20 14:42:59.000000000 -0500
 @@ -280,6 +280,27 @@
  			kernel_dontaudit_use_fds($1)
  		')
@@ -23049,7 +23334,7 @@
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.3/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/init.te	2009-01-20 17:11:43.000000000 -0500
 @@ -17,6 +17,20 @@
  ## </desc>
  gen_tunable(init_upstart,false)
@@ -23152,11 +23437,15 @@
  
  can_exec(initrc_t,initrc_tmp_t)
  allow initrc_t initrc_tmp_t:file manage_file_perms;
-@@ -251,13 +280,14 @@
+@@ -249,15 +278,18 @@
+ kernel_rw_all_sysctls(initrc_t)
+ # for lsof which is used by alsa shutdown:
  kernel_dontaudit_getattr_message_if(initrc_t)
++kernel_stream_connect(initrc_t)
  
  files_read_kernel_symbol_table(initrc_t)
 +files_exec_etc_files(initrc_t)
++fs_list_inotifyfs(initrc_t)
  
  corenet_all_recvfrom_unlabeled(initrc_t)
  corenet_all_recvfrom_netlabel(initrc_t)
@@ -23171,7 +23460,7 @@
  corenet_tcp_sendrecv_all_ports(initrc_t)
  corenet_udp_sendrecv_all_ports(initrc_t)
  corenet_tcp_connect_all_ports(initrc_t)
-@@ -274,7 +304,7 @@
+@@ -274,7 +306,7 @@
  dev_read_sound_mixer(initrc_t)
  dev_write_sound_mixer(initrc_t)
  dev_setattr_all_chr_files(initrc_t)
@@ -23180,7 +23469,7 @@
  dev_delete_lvm_control_dev(initrc_t)
  dev_manage_generic_symlinks(initrc_t)
  dev_manage_generic_files(initrc_t)
-@@ -328,7 +358,7 @@
+@@ -328,7 +360,7 @@
  domain_sigchld_all_domains(initrc_t)
  domain_read_all_domains_state(initrc_t)
  domain_getattr_all_domains(initrc_t)
@@ -23189,7 +23478,7 @@
  domain_getsession_all_domains(initrc_t)
  domain_use_interactive_fds(initrc_t)
  # for lsof which is used by alsa shutdown:
-@@ -367,6 +397,7 @@
+@@ -367,6 +399,7 @@
  libs_rw_ld_so_cache(initrc_t)
  libs_exec_lib_files(initrc_t)
  
@@ -23197,7 +23486,7 @@
  logging_send_syslog_msg(initrc_t)
  logging_manage_generic_logs(initrc_t)
  logging_read_all_logs(initrc_t)
-@@ -498,6 +529,7 @@
+@@ -498,6 +531,7 @@
  	optional_policy(`
  		#for /etc/rc.d/init.d/nfs to create /etc/exports
  		rpc_write_exports(initrc_t)
@@ -23205,7 +23494,7 @@
  	')
  
  	optional_policy(`
-@@ -516,6 +548,31 @@
+@@ -516,6 +550,31 @@
  	')
  ')
  
@@ -23237,7 +23526,7 @@
  optional_policy(`
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +627,10 @@
+@@ -570,6 +629,10 @@
  	dbus_read_config(initrc_t)
  
  	optional_policy(`
@@ -23248,7 +23537,7 @@
  		networkmanager_dbus_chat(initrc_t)
  	')
  ')
-@@ -655,12 +716,6 @@
+@@ -655,12 +718,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -23261,7 +23550,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -721,6 +776,9 @@
+@@ -721,6 +778,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -23271,7 +23560,7 @@
  ')
  
  optional_policy(`
-@@ -733,10 +791,12 @@
+@@ -733,10 +793,12 @@
  	squid_manage_logs(initrc_t)
  ')
  
@@ -23284,7 +23573,7 @@
  
  optional_policy(`
  	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +814,11 @@
+@@ -754,6 +816,11 @@
  	uml_setattr_util_sockets(initrc_t)
  ')
  
@@ -23296,7 +23585,7 @@
  optional_policy(`
  	unconfined_domain(initrc_t)
  
-@@ -768,6 +833,10 @@
+@@ -768,6 +835,10 @@
  ')
  
  optional_policy(`
@@ -23307,7 +23596,7 @@
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
  ')
-@@ -790,3 +859,11 @@
+@@ -790,3 +861,11 @@
  optional_policy(`
  	zebra_read_config(initrc_t)
  ')
@@ -23820,7 +24109,7 @@
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.3/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/logging.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/logging.te	2009-01-20 16:07:48.000000000 -0500
 @@ -126,7 +126,7 @@
  allow auditd_t self:process { signal_perms setpgid setsched };
  allow auditd_t self:file rw_file_perms;
@@ -23852,7 +24141,7 @@
  allow audisp_t self:unix_stream_socket create_stream_socket_perms;
  allow audisp_t self:unix_dgram_socket create_socket_perms;
  
-@@ -226,20 +228,32 @@
+@@ -226,13 +228,18 @@
  manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
  files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
  
@@ -23866,12 +24155,13 @@
 +files_read_etc_runtime_files(audisp_t)
  
  mls_file_write_all_levels(audisp_t)
- 
-+auth_use_nsswitch(audisp_t)
++mls_dbus_send_all_levels(audisp_t)
 +
++auth_use_nsswitch(audisp_t)
+ 
  logging_send_syslog_msg(audisp_t)
  
- miscfiles_read_localization(audisp_t)
+@@ -240,6 +247,14 @@
  
  sysnet_dns_name_resolve(audisp_t)
  
@@ -23886,7 +24176,7 @@
  ########################################
  #
  # Audit remote logger local policy
-@@ -253,11 +267,16 @@
+@@ -253,11 +268,16 @@
  corenet_tcp_sendrecv_generic_node(audisp_remote_t)
  corenet_tcp_connect_audit_port(audisp_remote_t)
  corenet_sendrecv_audit_client_packets(audisp_remote_t)
@@ -23903,7 +24193,7 @@
  miscfiles_read_localization(audisp_remote_t)
  
  sysnet_dns_name_resolve(audisp_remote_t)
-@@ -337,7 +356,7 @@
+@@ -337,7 +357,7 @@
  allow syslogd_t self:unix_dgram_socket create_socket_perms;
  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
  allow syslogd_t self:unix_dgram_socket sendto;
@@ -23930,7 +24220,7 @@
 +/var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.3/policy/modules/system/lvm.te
 --- nsaserefpolicy/policy/modules/system/lvm.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/lvm.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/lvm.te	2009-01-20 15:26:33.000000000 -0500
 @@ -10,6 +10,9 @@
  type clvmd_exec_t;
  init_daemon_domain(clvmd_t,clvmd_exec_t)
@@ -24071,7 +24361,15 @@
  
  kernel_read_system_state(lvm_t)
  kernel_read_kernel_sysctls(lvm_t)
-@@ -221,6 +256,7 @@
+@@ -192,6 +227,7 @@
+ kernel_read_kernel_sysctls(lvm_t)
+ # it has no reason to need this
+ kernel_dontaudit_getattr_core_if(lvm_t)
++kernel_use_fds(lvm_t)
+ 
+ selinux_get_fs_mount(lvm_t)
+ selinux_validate_context(lvm_t)
+@@ -221,6 +257,7 @@
  dev_dontaudit_getattr_generic_blk_files(lvm_t)
  dev_dontaudit_getattr_generic_pipes(lvm_t)
  dev_create_generic_dirs(lvm_t)
@@ -24079,14 +24377,13 @@
  
  fs_getattr_xattr_fs(lvm_t)
  fs_search_auto_mountpoints(lvm_t)
-@@ -239,12 +275,17 @@
+@@ -239,12 +276,16 @@
  storage_dev_filetrans_fixed_disk(lvm_t)
  # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
  storage_manage_fixed_disk(lvm_t)
 +mls_file_read_all_levels(lvm_t)
 +
-+term_getattr_all_user_ttys(lvm_t)
-+term_list_ptys(lvm_t)
++term_use_all_terms(lvm_t)
  
  corecmd_exec_bin(lvm_t)
  corecmd_exec_shell(lvm_t)
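Review bot: Replacing `term_getattr_all_user_ttys(lvm_t)` and `term_list_ptys(lvm_t)` with `term_use_all_terms(lvm_t)` widens the grant from getattr/list on user ttys to full use of every terminal type, with no comment recording which terminal the tools were denied on. The same widening appears for `insmod_t` further down, where `userdom_use_user_terminals(insmod_t)` becomes `term_use_all_terms(insmod_t)`. A one-line why-comment such as `# needs a non-user terminal - TODO: record the terminal type seen in the denial` above each new call would make it possible to narrow them again once the trigger is known.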
@@ -24167,7 +24464,7 @@
  ## <param name="domain">
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.3/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/modutils.te	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/modutils.te	2009-01-21 10:30:56.000000000 -0500
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -24216,10 +24513,12 @@
  
  logging_send_syslog_msg(insmod_t)
  logging_search_logs(insmod_t)
-@@ -110,18 +113,29 @@
+@@ -109,19 +112,30 @@
+ 
  seutil_read_file_contexts(insmod_t)
  
- userdom_use_user_terminals(insmod_t)
+-userdom_use_user_terminals(insmod_t)
++term_use_all_terms(insmod_t)
 +userdom_dontaudit_search_user_home_dirs(insmod_t)
  
 -ifdef(`distro_ubuntu',`
@@ -25370,7 +25669,7 @@
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.3/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/sysnetwork.if	2009-01-19 13:10:02.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/sysnetwork.if	2009-01-20 14:55:03.000000000 -0500
 @@ -192,7 +192,25 @@
  		type dhcpc_state_t;
  	')
@@ -25724,8 +26023,8 @@
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.6.3/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/udev.te	2009-01-19 13:10:02.000000000 -0500
-@@ -83,6 +83,7 @@
++++ serefpolicy-3.6.3/policy/modules/system/udev.te	2009-01-20 15:21:24.000000000 -0500
+@@ -83,10 +83,12 @@
  kernel_rw_unix_dgram_sockets(udev_t)
  kernel_dgram_send(udev_t)
  kernel_signal(udev_t)
@@ -25733,7 +26032,12 @@
  
  #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
  kernel_rw_net_sysctls(udev_t)
-@@ -139,6 +140,7 @@
+ kernel_read_network_state(udev_t)
++kernel_read_software_raid_state(udev_t)
+ 
+ corecmd_exec_all_executables(udev_t)
+ 
+@@ -139,6 +141,7 @@
  
  logging_search_logs(udev_t)
  logging_send_syslog_msg(udev_t)
@@ -25741,7 +26045,7 @@
  
  miscfiles_read_localization(udev_t)
  
-@@ -186,6 +188,7 @@
+@@ -186,6 +189,7 @@
  
  optional_policy(`
  	alsa_domtrans(udev_t)
@@ -25749,7 +26053,7 @@
  	alsa_read_rw_config(udev_t)
  ')
  
-@@ -194,6 +197,10 @@
+@@ -194,6 +198,10 @@
  ')
  
  optional_policy(`
@@ -25760,7 +26064,18 @@
  	consoletype_exec(udev_t)
  ')
  
-@@ -230,6 +237,10 @@
+@@ -202,6 +210,10 @@
+ ')
+ 
+ optional_policy(`
++	devicekit_read_pid_files(udev_t)
++')
++
++optional_policy(`
+ 	fstools_domtrans(udev_t)
+ ')
+ 
+@@ -230,6 +242,10 @@
  ')
  
  optional_policy(`
@@ -25771,7 +26086,7 @@
  	kernel_write_xen_state(udev_t)
  	kernel_read_xen_state(udev_t)
  	xen_manage_log(udev_t)
-@@ -237,5 +248,9 @@
+@@ -237,5 +253,9 @@
  ')
  
  optional_policy(`
@@ -26405,7 +26720,7 @@
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.3/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-19 17:15:36.000000000 -0500
++++ serefpolicy-3.6.3/policy/modules/system/userdomain.if	2009-01-20 16:18:13.000000000 -0500
 @@ -30,8 +30,9 @@
  	')
  
@@ -27447,7 +27762,15 @@
  
  	kernel_read_software_raid_state($1_t)
  	kernel_getattr_core_if($1_t)
-@@ -1106,8 +1174,6 @@
+@@ -1099,6 +1167,7 @@
+ 	kernel_sigstop_unlabeled($1_t)
+ 	kernel_signull_unlabeled($1_t)
+ 	kernel_sigchld_unlabeled($1_t)
++	kernel_signal($1_t)
+ 
+ 	corenet_tcp_bind_generic_port($1_t)
+ 	# allow setting up tunnels
+@@ -1106,8 +1175,6 @@
  
  	dev_getattr_generic_blk_files($1_t)
  	dev_getattr_generic_chr_files($1_t)
@@ -27456,7 +27779,7 @@
  	# Allow MAKEDEV to work
  	dev_create_all_blk_files($1_t)
  	dev_create_all_chr_files($1_t)
-@@ -1162,20 +1228,6 @@
+@@ -1162,20 +1229,6 @@
  	# But presently necessary for installing the file_contexts file.
  	seutil_manage_bin_policy($1_t)
  
@@ -27477,7 +27800,7 @@
  	optional_policy(`
  		postgresql_unconfined($1_t)
  	')
-@@ -1221,6 +1273,7 @@
+@@ -1221,6 +1274,7 @@
  	dev_relabel_all_dev_nodes($1)
  
  	files_create_boot_flag($1)
@@ -27485,7 +27808,7 @@
  
  	# Necessary for managing /boot/efi
  	fs_manage_dos_files($1)
-@@ -1286,11 +1339,15 @@
+@@ -1286,11 +1340,15 @@
  interface(`userdom_user_home_content',`
  	gen_require(`
  		type user_home_t;
@@ -27501,7 +27824,7 @@
  ')
  
  ########################################
-@@ -1387,7 +1444,7 @@
+@@ -1387,7 +1445,7 @@
  
  ########################################
  ## <summary>
@@ -27510,7 +27833,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -1420,6 +1477,14 @@
+@@ -1420,6 +1478,14 @@
  
  	allow $1 user_home_dir_t:dir list_dir_perms;
  	files_search_home($1)
@@ -27525,7 +27848,7 @@
  ')
  
  ########################################
-@@ -1435,9 +1500,11 @@
+@@ -1435,9 +1501,11 @@
  interface(`userdom_dontaudit_list_user_home_dirs',`
  	gen_require(`
  		type user_home_dir_t;
@@ -27537,7 +27860,7 @@
  ')
  
  ########################################
-@@ -1494,6 +1561,25 @@
+@@ -1494,6 +1562,25 @@
  	allow $1 user_home_dir_t:dir relabelto;
  ')
  
@@ -27563,7 +27886,7 @@
  ########################################
  ## <summary>
  ##	Create directories in the home dir root with
-@@ -1547,9 +1633,9 @@
+@@ -1547,9 +1634,9 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -27575,7 +27898,7 @@
  ')
  
  ########################################
-@@ -1568,6 +1654,8 @@
+@@ -1568,6 +1655,8 @@
  	')
  
  	dontaudit $1 user_home_t:dir search_dir_perms;
@@ -27584,7 +27907,7 @@
  ')
  
  ########################################
-@@ -1643,6 +1731,7 @@
+@@ -1643,6 +1732,7 @@
  		type user_home_dir_t, user_home_t;
  	')
  
@@ -27592,7 +27915,7 @@
  	read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
  	files_search_home($1)
  ')
-@@ -1741,6 +1830,62 @@
+@@ -1741,6 +1831,62 @@
  
  ########################################
  ## <summary>
@@ -27655,7 +27978,7 @@
  ##	Execute user home files.
  ## </summary>
  ## <param name="domain">
-@@ -1757,14 +1902,6 @@
+@@ -1757,14 +1903,6 @@
  
  	files_search_home($1)
  	exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@@ -27670,7 +27993,7 @@
  ')
  
  ########################################
-@@ -1787,6 +1924,46 @@
+@@ -1787,6 +1925,46 @@
  
  ########################################
  ## <summary>
@@ -27717,7 +28040,7 @@
  ##	Create, read, write, and delete files
  ##	in a user home subdirectory.
  ## </summary>
-@@ -2819,6 +2996,24 @@
+@@ -2819,6 +2997,24 @@
  
  ########################################
  ## <summary>
@@ -27742,7 +28065,7 @@
  ##	Do not audit attempts to use user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -2851,6 +3046,7 @@
+@@ -2851,6 +3047,7 @@
  	')
  
  	read_files_pattern($1,userdomain,userdomain)
@@ -27750,7 +28073,7 @@
  	kernel_search_proc($1)
  ')
  
-@@ -2965,6 +3161,24 @@
+@@ -2965,6 +3162,24 @@
  
  ########################################
  ## <summary>
@@ -27775,7 +28098,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -2981,3 +3195,264 @@
+@@ -2981,3 +3196,264 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -27857,7 +28180,7 @@
 +#
 +template(`userdom_admin_login_user_template',`
 +					      
-+  userdom_unpriv_user_template($1)
++  userdom_admin_user_template($1)
 +
 +  domain_read_all_domains_state($1_t)
 +  domain_getattr_all_domains($1_t)
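Review bot: `userdom_admin_login_user_template` now builds on `userdom_admin_user_template($1)` instead of `userdom_unpriv_user_template($1)`, but the explicit `domain_read_all_domains_state($1_t)` and `domain_getattr_all_domains($1_t)` calls that follow were written for the unprivileged base; if the admin template already grants them they are now redundant and should be dropped. The header comment above the template should also state the privilege level it now produces, since the change moves it from an unprivileged to an administrative base and the name alone does not convey that. The template body continues outside the hunk, so the remaining calls should be rechecked for the same overlap.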


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.769
retrieving revision 1.770
diff -u -r1.769 -r1.770
--- selinux-policy.spec	19 Jan 2009 21:48:16 -0000	1.769
+++ selinux-policy.spec	21 Jan 2009 16:17:40 -0000	1.770
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.3
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,9 @@
 %endif
 
 %changelog
+* Tue Jan 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-3
+- Fixed for DeviceKit
+
 * Mon Jan 19 2009 Dan Walsh <dwalsh at redhat.com> 3.6.3-2
 - Add devicekit policy
 



