rpms/selinux-policy/F-11 policy-20090521.patch, 1.8, 1.9 selinux-policy.spec, 1.868, 1.869
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Jun 8 18:54:59 UTC 2009
- Previous message (by thread): rpms/tzdata/F-10 sources, 1.57, 1.58 tzdata.spec, 1.76, 1.77 tzdata-2009e-cairo.patch, 1.1, NONE tzdata-2009e-karachi.patch, 1.1, NONE
- Next message (by thread): rpms/tzdata/F-9 sources, 1.57, 1.58 tzdata.spec, 1.75, 1.76 tzdata-2009e-cairo.patch, 1.1, NONE tzdata-2009e-karachi.patch, 1.1, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4766
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
* Thu Jun 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-47
- Allow fprintd to read /proc
policy-20090521.patch:
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- policy-20090521.patch 2 Jun 2009 15:55:42 -0000 1.8
+++ policy-20090521.patch 8 Jun 2009 18:54:59 -0000 1.9
@@ -20,6 +20,17 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
unconfined_domain(prelink_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
+--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-06-06 06:42:14.000000000 -0400
+@@ -55,6 +55,7 @@
+ files_read_non_security_files(readahead_t)
+ files_dontaudit_read_security_files(readahead_t)
+ files_dontaudit_getattr_non_security_blk_files(readahead_t)
++files_create_boot_flag(readahead_t)
+
+ fs_getattr_all_fs(readahead_t)
+ fs_search_auto_mountpoints(readahead_t)
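Review bot: the new `files_create_boot_flag(readahead_t)` line in the readahead.te hunk is not mentioned in the -47 changelog, which lists only the fprintd change. Creating boot-flag files in the root directory is a privilege that deserves a changelog line, and ideally a short comment in readahead.te naming which flag readahead writes, so that anyone auditing readahead_t later can tell why it was granted.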
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.12/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/admin/rpm.if 2009-05-29 11:02:56.000000000 -0400
@@ -59,6 +70,13 @@ diff -b -B --ignore-all-space --exclude-
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(groupadd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.fc serefpolicy-3.6.12/policy/modules/apps/qemu.fc
+--- nsaserefpolicy/policy/modules/apps/qemu.fc 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/apps/qemu.fc 2009-06-08 13:49:44.000000000 -0400
+@@ -1,2 +1,3 @@
+ /usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
++/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+
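Review bot: in the qemu.fc hunk, `/usr/libexec/qemu.*` uses an unescaped `.`, so it matches any single character after `qemu` (for example `qemux` as well as `qemu-kvm`); this mirrors the existing `/usr/bin/qemu.*` entry, so it is at least consistent, but if only dash-separated names are meant, `qemu-.*` would be tighter. The addition is also absent from the changelog, and the file timestamp (2009-06-08) postdates the Thu Jun 4 changelog entry.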
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.12/policy/modules/apps/sandbox.te
--- nsaserefpolicy/policy/modules/apps/sandbox.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/apps/sandbox.te 2009-05-22 10:14:07.000000000 -0400
@@ -82,7 +100,7 @@ diff -b -B --ignore-all-space --exclude-
/var/run/vmware.* gen_context(system_u:object_r:vmware_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-06-02 08:25:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-06-08 08:49:07.000000000 -0400
@@ -7,6 +7,7 @@
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -91,7 +109,16 @@ diff -b -B --ignore-all-space --exclude-
/bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-@@ -145,6 +146,7 @@
+@@ -69,6 +70,8 @@
+ /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
+ /etc/ppp/ipv6-down\..* -- gen_context(system_u:object_r:bin_t,s0)
+
++/etc/racoon/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
++
+ /etc/rc\.d/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0)
+
+ /etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
+@@ -145,6 +148,7 @@
/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0)
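Review bot: labeling `/etc/racoon/scripts(/.*)?` as bin_t in the corecommands.fc hunk makes those scripts executable in place by every domain that has `corecmd_exec_bin`, and the ipsec.te hunk later in this patch gives racoon_t exactly that, so the scripts run inside racoon_t with no domain transition. If the scripts are only ever run by racoon, a dedicated file type (and preferably a transition into a separate script domain) would keep an IKE daemon that parses network input from gaining the ability to execute arbitrary bin_t content. Note also that the pattern carries no `--` qualifier, so it covers the directory and everything beneath it, not just regular files, which is presumably intended.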
@@ -99,7 +126,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -217,8 +219,11 @@
+@@ -217,8 +221,11 @@
/usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
@@ -114,9 +141,12 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.12/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-06-01 08:22:04.000000000 -0400
-@@ -48,6 +48,7 @@
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.fc 2009-06-08 09:12:26.000000000 -0400
+@@ -46,8 +46,10 @@
+ /dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
+ /dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
/dev/kqemu -c gen_context(system_u:object_r:qemu_device_t,s0)
++/dev/ksm -c gen_context(system_u:object_r:ksm_device_t,s0)
/dev/kvm -c gen_context(system_u:object_r:kvm_device_t,s0)
/dev/lik.* -c gen_context(system_u:object_r:event_device_t,s0)
+/dev/lirc[0-9]+ -c gen_context(system_u:object_r:lirc_device_t,s0)
@@ -125,11 +155,81 @@ diff -b -B --ignore-all-space --exclude-
/dev/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.6.12/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-06-01 08:22:04.000000000 -0400
-@@ -1725,6 +1725,61 @@
- rw_chr_files_pattern($1, device_t, kvm_device_t)
- ')
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.if 2009-06-08 09:15:11.000000000 -0400
+@@ -1727,6 +1727,133 @@
+ ########################################
+ ## <summary>
++## Get the attributes of the ksm devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_getattr_ksm_dev',`
++ gen_require(`
++ type device_t, ksm_device_t;
++ ')
++
++ getattr_chr_files_pattern($1, device_t, ksm_device_t)
++')
++
++########################################
++## <summary>
++## Set the attributes of the ksm devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_setattr_ksm_dev',`
++ gen_require(`
++ type device_t, ksm_device_t;
++ ')
++
++ setattr_chr_files_pattern($1, device_t, ksm_device_t)
++')
++
++########################################
++## <summary>
++## Read the ksm devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_ksm',`
++ gen_require(`
++ type device_t, ksm_device_t;
++ ')
++
++ read_chr_files_pattern($1, device_t, ksm_device_t)
++')
++
++########################################
++## <summary>
++## Read and write to ksm devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_rw_ksm',`
++ gen_require(`
++ type device_t, ksm_device_t;
++ ')
++
++ rw_chr_files_pattern($1, device_t, ksm_device_t)
++')
++
+######################################
+## <summary>
+## Read the lirc device.
@@ -185,13 +285,29 @@ diff -b -B --ignore-all-space --exclude-
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+')
+
- ########################################
- ## <summary>
++########################################
++## <summary>
## Read the lvm comtrol device.
+ ## </summary>
+ ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.6.12/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-06-01 08:22:04.000000000 -0400
-@@ -91,6 +91,12 @@
++++ serefpolicy-3.6.12/policy/modules/kernel/devices.te 2009-06-08 09:12:06.000000000 -0400
+@@ -78,6 +78,13 @@
+ dev_node(ipmi_device_t)
+
+ #
++# ksm_device_t is the type of
++# /dev/ksm
++#
++type ksm_device_t;
++dev_node(ksm_device_t)
++
++#
+ # Type for /dev/kmsg
+ #
+ type kmsg_device_t;
+@@ -91,6 +98,12 @@
dev_node(kvm_device_t)
#
@@ -206,17 +322,31 @@ diff -b -B --ignore-all-space --exclude-
type lvm_control_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-02 11:40:14.000000000 -0400
-@@ -65,7 +65,8 @@
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.if 2009-06-02 11:47:44.000000000 -0400
+@@ -65,8 +65,8 @@
')
optional_policy(`
- selinux_dontaudit_getattr_fs($1)
+- selinux_dontaudit_read_fs($1)
+ selinux_getattr_fs($1)
+ selinux_search_fs($1)
- selinux_dontaudit_read_fs($1)
')
+ optional_policy(`
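Review bot: in the domain.if hunk, `selinux_dontaudit_read_fs($1)` is now removed rather than kept, so every domain that attempts to read selinuxfs without a matching allow rule will start producing AVC denials that were previously silenced. That follows the -46 changelog line "Dontaudit rules are blocking audit events", but it is a behaviour change for all domains and should be called out in the -47 changelog, and domains that legitimately read /selinux will now need explicit read allows instead of the old dontaudit.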
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.6.12/policy/modules/kernel/domain.te
+--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/domain.te 2009-06-04 16:19:45.000000000 -0400
+@@ -91,6 +91,9 @@
+ kernel_read_proc_symlinks(domain)
+ kernel_read_crypto_sysctls(domain)
+
++# All executables should be able to search the directory they are in
++corecmd_search_bin(domain)
++
+ # Every domain gets the key ring, so we should default
+ # to no one allowed to look at it; afs kernel support creates
+ # a keyring
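Review bot: `corecmd_search_bin(domain)` in the domain.te hunk applies to every domain in the system, so the comment "All executables should be able to search the directory they are in" understates it: the rule grants search on all bin_t directories, not only the one an executable lives in. It is a small and commonly needed permission and the rule is reasonable, but it changes the baseline of every confined domain and belongs in the changelog.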
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-05-29 11:03:57.000000000 -0400
@@ -291,6 +421,35 @@ diff -b -B --ignore-all-space --exclude-
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-3.6.12/policy/modules/services/automount.if
+--- nsaserefpolicy/policy/modules/services/automount.if 2009-04-07 15:54:47.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/automount.if 2009-06-08 08:39:46.000000000 -0400
+@@ -21,6 +21,25 @@
+
+ ########################################
+ ## <summary>
++## Send automount a signal
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++#
++interface(`automount_signal',`
++ gen_require(`
++ type automount_t;
++ ')
++
++ allow $1 automount_t:process signal;
++')
++
++########################################
++## <summary>
+ ## Execute automount in the caller domain.
+ ## </summary>
+ ## <param name="domain">
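Review bot: the automount_signal interface in the automount.if hunk has a duplicated `#` terminator line after the `</param>` block (two `#` lines where the other interfaces in this file use one); drop one for consistency. The interface body itself is fine: it grants only `process signal`, which is what the rpc.te callers in this patch need.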
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-06-01 06:47:53.000000000 -0400
@@ -358,8 +517,8 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te
--- nsaserefpolicy/policy/modules/services/fprintd.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-05-27 07:16:20.000000000 -0400
-@@ -22,6 +22,7 @@
++++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-06-04 13:23:04.000000000 -0400
+@@ -22,12 +22,15 @@
corecmd_search_bin(fprintd_t)
@@ -367,6 +526,14 @@ diff -b -B --ignore-all-space --exclude-
dev_rw_generic_usb_dev(fprintd_t)
dev_read_sysfs(fprintd_t)
+ files_read_etc_files(fprintd_t)
+ files_read_usr_files(fprintd_t)
+
++kernel_read_system_state(fprintd_t)
++
+ auth_use_nsswitch(fprintd_t)
+
+ miscfiles_read_localization(fprintd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.12/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/hal.te 2009-05-27 07:02:29.000000000 -0400
@@ -421,6 +588,35 @@ diff -b -B --ignore-all-space --exclude-
read_files_pattern($1, mailman_data_t, mailman_data_t)
read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.6.12/policy/modules/services/postfix.if
+--- nsaserefpolicy/policy/modules/services/postfix.if 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/postfix.if 2009-06-03 08:38:18.000000000 -0400
+@@ -580,6 +580,25 @@
+
+ ########################################
+ ## <summary>
++## Execute the master postqueue in the
++## postfix_postqueue domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`postfix_domtrans_postqueue',`
++ gen_require(`
++ type postfix_postqueue_t, postfix_postqueue_exec_t;
++ ')
++
++ domtrans_pattern($1, postfix_postqueue_exec_t, postfix_postqueue_t)
++')
++
++########################################
++## <summary>
+ ## Execute the master postdrop in the
+ ## postfix_postdrop domain.
+ ## </summary>
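Review bot: the summary text for `postfix_domtrans_postqueue` in the postfix.if hunk reads "Execute the master postqueue", copied from the postdrop interface that follows it; postqueue is not a master process, so "Execute postqueue in the postfix_postqueue domain" is the accurate description. The body correctly uses `domtrans_pattern`, so callers such as sendmail_t get a transition into postfix_postqueue_t instead of running postqueue in their own domain.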
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.6.12/policy/modules/services/pyzor.fc
--- nsaserefpolicy/policy/modules/services/pyzor.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/pyzor.fc 2009-05-21 08:32:24.000000000 -0400
@@ -433,6 +629,54 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/pyzor -- gen_context(system_u:object_r:pyzor_exec_t,s0)
/usr/bin/pyzord -- gen_context(system_u:object_r:pyzord_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.12/policy/modules/services/rpc.te
+--- nsaserefpolicy/policy/modules/services/rpc.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rpc.te 2009-06-08 08:39:25.000000000 -0400
+@@ -95,6 +95,10 @@
+ userdom_signal_unpriv_users(rpcd_t)
+
+ optional_policy(`
++ automount_signal(rpcd_t)
++')
++
++optional_policy(`
+ nis_read_ypserv_config(rpcd_t)
+ ')
+
+@@ -214,6 +218,10 @@
+ ')
+
+ optional_policy(`
++ automount_signal(gssd_t)
++')
++
++optional_policy(`
+ kerberos_keytab_template(gssd, gssd_t)
+ ')
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.12/policy/modules/services/rsync.te
+--- nsaserefpolicy/policy/modules/services/rsync.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/rsync.te 2009-06-03 08:45:52.000000000 -0400
+@@ -126,6 +126,8 @@
+
+ tunable_policy(`rsync_export_all_ro',`
+ fs_read_noxattr_fs_files(rsync_t)
++ fs_read_nfs_files(rsync_t)
++ fs_read_cifs_files(rsync_t)
+ auth_read_all_dirs_except_shadow(rsync_t)
+ auth_read_all_files_except_shadow(rsync_t)
+ auth_read_all_symlinks_except_shadow(rsync_t)
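Review bot: in the rsync.te hunk, `fs_read_nfs_files` and `fs_read_cifs_files` are added directly under `rsync_export_all_ro`, so enabling that boolean lets rsync_t read NFS and CIFS mounts with no further gate. If NFS and CIFS reads are conditioned on their own booleans elsewhere in the policy, either nest these two calls in those tunables or state in the rsync_export_all_ro description that it also exposes network filesystems, so an administrator who turns on "export all read-only" is not surprised. This change is not in the changelog either.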
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.12/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/sendmail.te 2009-06-03 08:38:28.000000000 -0400
+@@ -148,6 +148,7 @@
+
+ optional_policy(`
+ postfix_domtrans_postdrop(sendmail_t)
++ postfix_domtrans_postqueue(sendmail_t)
+ postfix_domtrans_master(sendmail_t)
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-05-21 08:31:58.000000000 -0400
@@ -514,8 +758,39 @@ diff -b -B --ignore-all-space --exclude-
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-05-26 09:17:39.000000000 -0400
-@@ -348,6 +348,7 @@
++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-08 13:37:16.000000000 -0400
+@@ -163,7 +163,7 @@
+ allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
+ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
+ allow ipsec_mgmt_t self:key_socket create_socket_perms;
+-allow ipsec_mgmt_t self:fifo_file rw_file_perms;
++allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
+
+ allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
+ files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
+@@ -284,6 +284,7 @@
+ allow racoon_t self:netlink_selinux_socket { bind create read };
+ allow racoon_t self:udp_socket create_socket_perms;
+ allow racoon_t self:key_socket create_socket_perms;
++allow racoon_t self:fifo_file rw_fifo_file_perms;
+
+ # manage pid file
+ manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
+@@ -301,6 +302,13 @@
+ kernel_read_system_state(racoon_t)
+ kernel_read_network_state(racoon_t)
+
++can_exec(racoon_t, racoon_exec_t)
++
++corecmd_exec_shell(racoon_t)
++corecmd_exec_bin(racoon_t)
++
++sysnet_exec_ifconfig(racoon_t)
++
+ corenet_all_recvfrom_unlabeled(racoon_t)
+ corenet_tcp_bind_all_nodes(racoon_t)
+ corenet_udp_bind_all_nodes(racoon_t)
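Review bot: the racoon_t additions in the ipsec.te hunk (`can_exec(racoon_t, racoon_exec_t)`, `corecmd_exec_shell`, `corecmd_exec_bin`, `sysnet_exec_ifconfig`) all execute in the caller domain, so a shell, any bin_t program and ifconfig run with racoon_t's full privileges and no domain transition. racoon is a network-facing IKE daemon; if the purpose is to run the hook scripts under /etc/racoon/scripts (labeled bin_t earlier in this patch), a narrower design is a dedicated type for those scripts plus `sysnet_domtrans_ifconfig` so that ifconfig runs in its own domain. The `rw_file_perms` to `rw_fifo_file_perms` correction for ipsec_mgmt_t and the matching fifo rule for racoon_t are fine. None of this appears in the changelog.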
+@@ -348,6 +356,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -525,7 +800,7 @@ diff -b -B --ignore-all-space --exclude-
ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.12/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2009-05-21 08:27:59.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-01 08:37:12.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/libraries.fc 2009-06-08 08:45:27.000000000 -0400
@@ -139,6 +139,7 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -534,6 +809,14 @@ diff -b -B --ignore-all-space --exclude-
/usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -366,6 +367,7 @@
+ /usr/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/matlab.*\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/local/Zend/lib/ZendExtensionManager\.so gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+ /usr/lib/libcncpmslld328\.so(\.[^/]*)* gen_context(system_u:object_r:textrel_shlib_t,s0)
+
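Review bot: the new `/usr/local/Zend/lib/ZendExtensionManager\.so` entry in the libraries.fc hunk has no `(\.[^/]*)*` version suffix, unlike the surrounding matlab and libcncpmslld328 lines, so a versioned filename would not receive textrel_shlib_t; add the suffix if versioned copies of that library ship. Since textrel_shlib_t is the exception that permits text relocations, each new entry should also be justified with a changelog line.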
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-3.6.12/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2009-05-21 08:27:59.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/locallogin.te 2009-05-28 21:07:39.000000000 -0400
@@ -581,3 +864,25 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virtual.te serefpolicy-3.6.12/policy/modules/system/virtual.te
+--- nsaserefpolicy/policy/modules/system/virtual.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/virtual.te 2009-06-08 09:19:35.000000000 -0400
+@@ -38,6 +38,7 @@
+ dev_read_sound(virtualdomain)
+ dev_write_sound(virtualdomain)
+ dev_rw_kvm(virtualdomain)
++dev_rw_ksm(virtualdomain)
+ dev_rw_qemu(virtualdomain)
+
+ domain_use_interactive_fds(virtualdomain)
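Review bot: `dev_rw_ksm(virtualdomain)` in the virtual.te hunk is the only caller of the four new ksm interfaces; `dev_read_ksm`, `dev_getattr_ksm_dev` and `dev_setattr_ksm_dev` are added without users. That is acceptable in a reference policy, but the ksm_device_t type, its /dev/ksm file context and this grant to every virtual domain together form a feature the changelog does not mention.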
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.6.12/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te 2009-05-21 08:27:59.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/xen.te 2009-06-04 14:47:25.000000000 -0400
+@@ -419,6 +419,7 @@
+ kernel_read_xen_state(xm_ssh_t)
+ kernel_write_xen_state(xm_ssh_t)
+
++userdom_search_admin_dir(xm_ssh_t)
+
+ #Should have a boolean wrapping these
+ fs_list_auto_mountpoints(xend_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.868
retrieving revision 1.869
diff -u -p -r1.868 -r1.869
--- selinux-policy.spec 2 Jun 2009 15:55:42 -0000 1.868
+++ selinux-policy.spec 8 Jun 2009 18:54:59 -0000 1.869
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 46%{?dist}
+Release: 47%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,9 @@ exit 0
%endif
%changelog
+* Thu Jun 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-47
+- Allow fprintd to read /proc
+
* Tue Jun 2 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-46
- Allow domains to check if the /selinux is mounted and search the directory
- Dontaudit rules are blocking audit events
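Review bot: the -47 changelog entry covers only "Allow fprintd to read /proc", but the patch in this commit also changes readahead.te, qemu.fc, corecommands.fc (/etc/racoon/scripts), devices.{fc,if,te} (ksm), domain.{if,te}, automount.if, postfix.if, rpc.te, rsync.te, sendmail.te, ipsec.te (racoon), libraries.fc, virtual.te and xen.te; several of those (racoon exec rights, the removed selinuxfs dontaudit, corecmd_search_bin for all domains) are behaviour changes that warrant a line each. The entry is also dated Thu Jun 4 while most of the touched files carry 2009-06-08 timestamps and the commit itself is Jun 8, so the date should be updated to match.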