rpms/selinux-policy/F-12 modules-minimum.conf, 1.42, 1.43 modules-targeted.conf, 1.151, 1.152 policy-F12.patch, 1.129, 1.130 selinux-policy.spec, 1.962, 1.963
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Nov 9 22:21:26 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30885
Modified Files:
modules-minimum.conf modules-targeted.conf policy-F12.patch
selinux-policy.spec
Log Message:
* Mon Nov 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-42
- Allow kdump to read the kernel core interface
- Dontaudit abrt read all files in home dir
- Allow kismet client to write to .kismet dir in homedir
- Turn on asterisk policy and allow logrotate to communicate with it
- Allow abrt to manage rpm cache files
- Rules to allow sysadm_t to install a kernel
- Allow local_login to read console_device_t to Z series logins
- Allow automount and devicekit_disk to search all filesystem dirs
- Allow corosync to setrlimit
- Allow hal to read modules.dep
- Fix xdm using pcscd
- Dontaudit gssd trying to write user_tmp_t, kerberos libary problem.
- Eliminate transition from unconifned_t to loadkeys_t
- Dontaudit several leaks to xauth_t
- Allow xdm_t to search for man pages
- Allow xdm_dbus to append to xdm log
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-minimum.conf,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -p -r1.42 -r1.43
--- modules-minimum.conf 23 Oct 2009 14:40:38 -0000 1.42
+++ modules-minimum.conf 9 Nov 2009 22:21:23 -0000 1.43
@@ -132,6 +132,13 @@ audioentropy = module
authlogin = base
# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
# Module: automount
#
# Filesystem automounter service.
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-targeted.conf,v
retrieving revision 1.151
retrieving revision 1.152
diff -u -p -r1.151 -r1.152
--- modules-targeted.conf 23 Oct 2009 14:40:38 -0000 1.151
+++ modules-targeted.conf 9 Nov 2009 22:21:23 -0000 1.152
@@ -132,6 +132,13 @@ audioentropy = module
authlogin = base
# Layer: services
+# Module: asterisk
+#
+# Asterisk IP telephony server
+#
+asterisk = module
+
+# Layer: services
# Module: automount
#
# Filesystem automounter service.
policy-F12.patch:
Makefile | 2
policy/flask/access_vectors | 1
policy/global_tunables | 24
policy/mcs | 10
policy/modules/admin/alsa.te | 2
policy/modules/admin/anaconda.te | 3
policy/modules/admin/brctl.te | 2
policy/modules/admin/certwatch.te | 2
policy/modules/admin/consoletype.te | 1
policy/modules/admin/dmesg.fc | 2
policy/modules/admin/dmesg.te | 10
policy/modules/admin/firstboot.te | 6
policy/modules/admin/kismet.fc | 2
policy/modules/admin/kismet.te | 9
policy/modules/admin/logrotate.te | 17
policy/modules/admin/logwatch.te | 1
policy/modules/admin/mrtg.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/ntop.fc | 5
policy/modules/admin/ntop.if | 158 ++
policy/modules/admin/ntop.te | 40
policy/modules/admin/portage.te | 2
policy/modules/admin/prelink.if | 4
policy/modules/admin/prelink.te | 6
policy/modules/admin/readahead.te | 1
policy/modules/admin/rpm.fc | 20
policy/modules/admin/rpm.if | 343 ++++++
policy/modules/admin/rpm.te | 98 +
policy/modules/admin/shorewall.fc | 3
policy/modules/admin/shorewall.if | 40
policy/modules/admin/shorewall.te | 2
policy/modules/admin/smoltclient.fc | 4
policy/modules/admin/smoltclient.if | 1
policy/modules/admin/smoltclient.te | 66 +
policy/modules/admin/sudo.if | 13
policy/modules/admin/tmpreaper.te | 5
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 11
policy/modules/admin/usermanage.te | 34
policy/modules/admin/vbetool.te | 14
policy/modules/admin/vpn.te | 2
policy/modules/apps/calamaris.te | 7
policy/modules/apps/chrome.fc | 2
policy/modules/apps/chrome.if | 85 +
policy/modules/apps/chrome.te | 71 +
policy/modules/apps/cpufreqselector.te | 2
policy/modules/apps/execmem.fc | 39
policy/modules/apps/execmem.if | 75 +
policy/modules/apps/execmem.te | 11
policy/modules/apps/firewallgui.fc | 3
policy/modules/apps/firewallgui.if | 3
policy/modules/apps/firewallgui.te | 63 +
policy/modules/apps/gitosis.if | 45
policy/modules/apps/gnome.fc | 12
policy/modules/apps/gnome.if | 170 +++
policy/modules/apps/gnome.te | 99 +
policy/modules/apps/gpg.te | 20
policy/modules/apps/java.fc | 18
policy/modules/apps/java.if | 114 ++
policy/modules/apps/java.te | 19
policy/modules/apps/kdumpgui.fc | 2
policy/modules/apps/kdumpgui.if | 2
policy/modules/apps/kdumpgui.te | 65 +
policy/modules/apps/livecd.fc | 2
policy/modules/apps/livecd.if | 52
policy/modules/apps/livecd.te | 27
policy/modules/apps/loadkeys.te | 6
policy/modules/apps/mono.fc | 2
policy/modules/apps/mono.if | 101 +
policy/modules/apps/mono.te | 9
policy/modules/apps/mozilla.fc | 1
policy/modules/apps/mozilla.if | 32
policy/modules/apps/mozilla.te | 22
policy/modules/apps/nsplugin.fc | 11
policy/modules/apps/nsplugin.if | 323 ++++++
policy/modules/apps/nsplugin.te | 295 +++++
policy/modules/apps/openoffice.fc | 3
policy/modules/apps/openoffice.if | 93 +
policy/modules/apps/openoffice.te | 11
policy/modules/apps/podsleuth.te | 2
policy/modules/apps/pulseaudio.if | 2
policy/modules/apps/pulseaudio.te | 11
policy/modules/apps/qemu.fc | 4
policy/modules/apps/qemu.if | 189 +++
policy/modules/apps/qemu.te | 82 +
policy/modules/apps/sambagui.fc | 1
policy/modules/apps/sambagui.if | 2
policy/modules/apps/sambagui.te | 59 +
policy/modules/apps/sandbox.fc | 1
policy/modules/apps/sandbox.if | 184 +++
policy/modules/apps/sandbox.te | 330 ++++++
policy/modules/apps/screen.if | 7
policy/modules/apps/sectoolm.fc | 6
policy/modules/apps/sectoolm.if | 3
policy/modules/apps/sectoolm.te | 120 ++
policy/modules/apps/seunshare.fc | 2
policy/modules/apps/seunshare.if | 81 +
policy/modules/apps/seunshare.te | 45
policy/modules/apps/vmware.te | 1
policy/modules/apps/wine.fc | 24
policy/modules/apps/wine.if | 115 ++
policy/modules/apps/wine.te | 34
policy/modules/kernel/corecommands.fc | 32
policy/modules/kernel/corecommands.if | 21
policy/modules/kernel/corenetwork.te.in | 43
policy/modules/kernel/devices.fc | 11
policy/modules/kernel/devices.if | 255 ++++
policy/modules/kernel/devices.te | 25
policy/modules/kernel/domain.if | 151 ++
policy/modules/kernel/domain.te | 88 +
policy/modules/kernel/files.fc | 3
policy/modules/kernel/files.if | 343 ++++++
policy/modules/kernel/files.te | 6
policy/modules/kernel/filesystem.fc | 2
policy/modules/kernel/filesystem.if | 233 ++++
policy/modules/kernel/filesystem.te | 9
policy/modules/kernel/kernel.if | 80 +
policy/modules/kernel/kernel.te | 32
policy/modules/kernel/selinux.if | 25
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 3
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 42
policy/modules/kernel/terminal.te | 1
policy/modules/roles/guest.te | 8
policy/modules/roles/staff.te | 126 --
policy/modules/roles/sysadm.te | 126 --
policy/modules/roles/unconfineduser.fc | 8
policy/modules/roles/unconfineduser.if | 638 ++++++++++++
policy/modules/roles/unconfineduser.te | 424 ++++++++
policy/modules/roles/unprivuser.te | 127 --
policy/modules/roles/xguest.te | 37
policy/modules/services/abrt.fc | 5
policy/modules/services/abrt.if | 58 +
policy/modules/services/abrt.te | 47
policy/modules/services/afs.fc | 1
policy/modules/services/afs.te | 1
policy/modules/services/aisexec.fc | 12
policy/modules/services/aisexec.if | 106 ++
policy/modules/services/aisexec.te | 112 ++
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 42
policy/modules/services/apache.if | 410 +++++--
policy/modules/services/apache.te | 450 +++++++-
policy/modules/services/apm.te | 2
policy/modules/services/asterisk.if | 21
policy/modules/services/asterisk.te | 3
policy/modules/services/automount.te | 2
policy/modules/services/avahi.te | 2
policy/modules/services/bind.if | 40
policy/modules/services/bitlbee.te | 2
policy/modules/services/bluetooth.if | 21
policy/modules/services/bluetooth.te | 11
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.te | 33
policy/modules/services/certmaster.te | 2
policy/modules/services/chronyd.fc | 11
policy/modules/services/chronyd.if | 105 +
policy/modules/services/chronyd.te | 67 +
policy/modules/services/clamav.te | 16
policy/modules/services/clogd.fc | 4
policy/modules/services/clogd.if | 98 +
policy/modules/services/clogd.te | 62 +
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 44
policy/modules/services/cobbler.te | 5
policy/modules/services/consolekit.fc | 3
policy/modules/services/consolekit.if | 39
policy/modules/services/consolekit.te | 23
policy/modules/services/corosync.fc | 13
policy/modules/services/corosync.if | 108 ++
policy/modules/services/corosync.te | 109 ++
policy/modules/services/courier.if | 18
policy/modules/services/courier.te | 1
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 74 +
policy/modules/services/cron.te | 82 +
policy/modules/services/cups.fc | 13
policy/modules/services/cups.te | 44
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 49
policy/modules/services/dbus.te | 25
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25
policy/modules/services/devicekit.fc | 2
policy/modules/services/devicekit.if | 22
policy/modules/services/devicekit.te | 59 +
policy/modules/services/dnsmasq.te | 12
policy/modules/services/dovecot.te | 22
policy/modules/services/exim.te | 5
policy/modules/services/fail2ban.te | 2
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 4
policy/modules/services/ftp.te | 60 +
policy/modules/services/git.fc | 8
policy/modules/services/git.if | 286 +++++
policy/modules/services/git.te | 166 +++
policy/modules/services/gpm.te | 3
policy/modules/services/gpsd.fc | 5
policy/modules/services/gpsd.if | 27
policy/modules/services/gpsd.te | 14
policy/modules/services/hal.fc | 1
policy/modules/services/hal.if | 18
policy/modules/services/hal.te | 49
policy/modules/services/howl.te | 2
policy/modules/services/inetd.fc | 2
policy/modules/services/inetd.te | 4
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.te | 13
policy/modules/services/kerneloops.te | 2
policy/modules/services/ktalk.te | 1
policy/modules/services/lircd.fc | 2
policy/modules/services/lircd.if | 9
policy/modules/services/lircd.te | 23
policy/modules/services/mailman.te | 4
policy/modules/services/memcached.te | 2
policy/modules/services/milter.if | 2
policy/modules/services/modemmanager.te | 3
policy/modules/services/mta.fc | 2
policy/modules/services/mta.if | 12
policy/modules/services/mta.te | 36
policy/modules/services/munin.fc | 3
policy/modules/services/munin.te | 3
policy/modules/services/mysql.te | 7
policy/modules/services/nagios.fc | 16
policy/modules/services/nagios.if | 89 +
policy/modules/services/nagios.te | 72 -
policy/modules/services/networkmanager.fc | 14
policy/modules/services/networkmanager.if | 65 +
policy/modules/services/networkmanager.te | 115 +-
policy/modules/services/nis.fc | 5
policy/modules/services/nis.if | 87 +
policy/modules/services/nis.te | 13
policy/modules/services/nscd.if | 18
policy/modules/services/nscd.te | 17
policy/modules/services/nslcd.if | 8
policy/modules/services/ntp.if | 46
policy/modules/services/ntp.te | 8
policy/modules/services/nut.fc | 15
policy/modules/services/nut.if | 82 +
policy/modules/services/nut.te | 140 ++
policy/modules/services/nx.fc | 1
policy/modules/services/nx.if | 19
policy/modules/services/nx.te | 6
policy/modules/services/oddjob.if | 1
policy/modules/services/openvpn.te | 2
policy/modules/services/pcscd.if | 3
policy/modules/services/pcscd.te | 4
policy/modules/services/pegasus.te | 28
policy/modules/services/plymouth.fc | 5
policy/modules/services/plymouth.if | 286 +++++
policy/modules/services/plymouth.te | 96 +
policy/modules/services/policykit.fc | 5
policy/modules/services/policykit.if | 48
policy/modules/services/policykit.te | 64 -
policy/modules/services/postfix.fc | 2
policy/modules/services/postfix.if | 150 ++
policy/modules/services/postfix.te | 142 ++
policy/modules/services/postgresql.fc | 16
policy/modules/services/postgresql.if | 43
policy/modules/services/postgresql.te | 9
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 16
policy/modules/services/prelude.te | 3
policy/modules/services/privoxy.fc | 3
policy/modules/services/privoxy.te | 3
policy/modules/services/procmail.te | 12
policy/modules/services/pyzor.fc | 4
policy/modules/services/pyzor.if | 47
policy/modules/services/pyzor.te | 37
policy/modules/services/radvd.te | 1
policy/modules/services/razor.fc | 1
policy/modules/services/razor.if | 42
policy/modules/services/razor.te | 32
policy/modules/services/rgmanager.fc | 8
policy/modules/services/rgmanager.if | 59 +
policy/modules/services/rgmanager.te | 83 +
policy/modules/services/rhcs.fc | 22
policy/modules/services/rhcs.if | 348 ++++++
policy/modules/services/rhcs.te | 394 +++++++
policy/modules/services/ricci.te | 30
policy/modules/services/rpc.if | 7
policy/modules/services/rpc.te | 17
policy/modules/services/rpcbind.if | 20
policy/modules/services/rpcbind.te | 1
policy/modules/services/rsync.te | 23
policy/modules/services/rtkit.if | 20
policy/modules/services/rtkit.te | 2
policy/modules/services/samba.fc | 4
policy/modules/services/samba.if | 104 +
policy/modules/services/samba.te | 89 +
policy/modules/services/sasl.te | 15
policy/modules/services/sendmail.if | 137 ++
policy/modules/services/sendmail.te | 87 +
policy/modules/services/setroubleshoot.fc | 2
policy/modules/services/setroubleshoot.if | 123 ++
policy/modules/services/setroubleshoot.te | 82 +
policy/modules/services/smartmon.te | 15
policy/modules/services/snmp.if | 38
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 15
policy/modules/services/spamassassin.if | 89 +
policy/modules/services/spamassassin.te | 138 ++
policy/modules/services/squid.te | 9
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 184 ++-
policy/modules/services/ssh.te | 77 -
policy/modules/services/sssd.fc | 5
policy/modules/services/sssd.if | 43
policy/modules/services/sssd.te | 12
policy/modules/services/sysstat.te | 5
policy/modules/services/tftp.fc | 2
policy/modules/services/tuned.fc | 6
policy/modules/services/tuned.if | 140 ++
policy/modules/services/tuned.te | 58 +
policy/modules/services/uucp.te | 7
policy/modules/services/virt.fc | 13
policy/modules/services/virt.if | 181 +++
policy/modules/services/virt.te | 274 ++++-
policy/modules/services/w3c.te | 7
policy/modules/services/xserver.fc | 39
policy/modules/services/xserver.if | 625 ++++++++++-
policy/modules/services/xserver.te | 352 +++++-
policy/modules/system/application.if | 20
policy/modules/system/application.te | 11
policy/modules/system/authlogin.fc | 9
policy/modules/system/authlogin.if | 207 +++
policy/modules/system/authlogin.te | 10
policy/modules/system/fstools.fc | 3
policy/modules/system/fstools.te | 7
policy/modules/system/init.fc | 7
policy/modules/system/init.if | 163 ++-
policy/modules/system/init.te | 290 ++++-
policy/modules/system/ipsec.fc | 3
policy/modules/system/ipsec.if | 25
policy/modules/system/ipsec.te | 58 -
policy/modules/system/iptables.fc | 17
policy/modules/system/iptables.if | 97 +
policy/modules/system/iptables.te | 20
policy/modules/system/iscsi.if | 40
policy/modules/system/iscsi.te | 6
policy/modules/system/kdump.te | 1
policy/modules/system/libraries.fc | 170 ++-
policy/modules/system/libraries.if | 5
policy/modules/system/libraries.te | 18
policy/modules/system/locallogin.te | 30
policy/modules/system/logging.fc | 12
policy/modules/system/logging.if | 18
policy/modules/system/logging.te | 38
policy/modules/system/lvm.if | 39
policy/modules/system/lvm.te | 29
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 80 +
policy/modules/system/miscfiles.te | 3
policy/modules/system/modutils.fc | 1
policy/modules/system/modutils.if | 46
policy/modules/system/modutils.te | 56 -
policy/modules/system/mount.fc | 7
policy/modules/system/mount.if | 2
policy/modules/system/mount.te | 80 +
policy/modules/system/raid.fc | 2
policy/modules/system/raid.te | 8
policy/modules/system/selinuxutil.fc | 17
policy/modules/system/selinuxutil.if | 309 +++++
policy/modules/system/selinuxutil.te | 229 +---
policy/modules/system/setrans.if | 20
policy/modules/system/sysnetwork.fc | 9
policy/modules/system/sysnetwork.if | 117 ++
policy/modules/system/sysnetwork.te | 77 +
policy/modules/system/udev.fc | 3
policy/modules/system/udev.if | 39
policy/modules/system/udev.te | 39
policy/modules/system/unconfined.fc | 15
policy/modules/system/unconfined.if | 443 --------
policy/modules/system/unconfined.te | 224 ----
policy/modules/system/userdomain.fc | 6
policy/modules/system/userdomain.if | 1588 +++++++++++++++++++++++-------
policy/modules/system/userdomain.te | 47
policy/modules/system/xen.fc | 6
policy/modules/system/xen.if | 28
policy/modules/system/xen.te | 137 ++
policy/support/obj_perm_sets.spt | 14
policy/users | 13
384 files changed, 18646 insertions(+), 2784 deletions(-)
View full diff with command:
/usr/bin/cvs -n -f diff -kk -u -p -N -r 1.129 -r 1.130 policy-F12.patchIndex: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.129
retrieving revision 1.130
diff -u -p -r1.129 -r1.130
--- policy-F12.patch 4 Nov 2009 15:56:35 -0000 1.129
+++ policy-F12.patch 9 Nov 2009 22:21:23 -0000 1.130
@@ -239,9 +239,44 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.fc serefpolicy-3.6.32/policy/modules/admin/kismet.fc
+--- nsaserefpolicy/policy/modules/admin/kismet.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/kismet.fc 2009-11-09 13:11:24.000000000 -0500
+@@ -1,3 +1,5 @@
++HOME_DIR/\.kismet(/.*)? gen_context(system_u:object_r:kismet_home_t,s0)
++
+ /usr/bin/kismet -- gen_context(system_u:object_r:kismet_exec_t,s0)
+ /var/lib/kismet(/.*)? gen_context(system_u:object_r:kismet_var_lib_t,s0)
+ /var/log/kismet(/.*)? gen_context(system_u:object_r:kismet_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.6.32/policy/modules/admin/kismet.te
+--- nsaserefpolicy/policy/modules/admin/kismet.te 2009-08-31 13:30:04.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/kismet.te 2009-11-09 13:10:35.000000000 -0500
+@@ -26,6 +26,9 @@
+ type kismet_var_run_t;
+ files_pid_file(kismet_var_run_t)
+
++type kismet_home_t;
++userdom_user_home_content(kismet_home_t)
++
+ ########################################
+ #
+ # kismet local policy
+@@ -59,6 +62,12 @@
+ allow kismet_t kismet_var_run_t:dir manage_dir_perms;
+ files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
+
++manage_dirs_pattern(kismet_t, kismet_home_t, kismet_home_t)
++manage_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
++manage_lnk_files_pattern(kismet_t, kismet_home_t, kismet_home_t)
++userdom_search_user_home_dirs(kismet_t)
++userdom_user_home_dir_filetrans(kismet_t, kismet_home_t, { file dir })
++
+ kernel_search_debugfs(kismet_t)
+ kernel_read_system_state(kismet_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.6.32/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/logrotate.te 2009-11-09 11:59:58.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -262,10 +297,14 @@ diff -b -B --ignore-all-space --exclude-
cron_system_entry(logrotate_t, logrotate_exec_t)
cron_search_spool(logrotate_t)
-@@ -149,6 +150,10 @@
+@@ -149,6 +150,14 @@
')
optional_policy(`
++ asterisk_stream_connect(logrotate_t)
++')
++
++optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
@@ -273,7 +312,7 @@ diff -b -B --ignore-all-space --exclude-
consoletype_exec(logrotate_t)
')
-@@ -183,6 +188,10 @@
+@@ -183,6 +192,10 @@
')
optional_policy(`
@@ -661,7 +700,7 @@ diff -b -B --ignore-all-space --exclude-
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-28 08:45:03.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-06 14:38:19.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -922,7 +961,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -265,6 +470,47 @@
+@@ -265,6 +470,48 @@
########################################
## <summary>
@@ -961,6 +1000,7 @@ diff -b -B --ignore-all-space --exclude-
+ ')
+
+ files_search_var_lib($1)
++ manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+ manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
+')
@@ -970,13 +1010,31 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## </summary>
-@@ -283,3 +529,81 @@
+@@ -283,3 +530,99 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
+
+#####################################
+## <summary>
++## Read rpm pid files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`rpm_read_pid_files',`
++ gen_require(`
++ type rpm_var_run_t;
++ ')
++
++ read_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
++')
++
++#####################################
++## <summary>
+## Create, read, write, and delete rpm pid files.
+## </summary>
+## <param name="domain">
@@ -1054,7 +1112,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-11-02 09:42:29.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-11-09 12:10:46.000000000 -0500
@@ -15,6 +15,9 @@
domain_interactive_fd(rpm_t)
role system_r types rpm_t;
@@ -1571,8 +1629,21 @@ diff -b -B --ignore-all-space --exclude-
locallogin_dontaudit_use_fds(tzdata_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.32/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/usermanage.if 2009-09-30 16:12:48.000000000 -0400
-@@ -274,6 +274,11 @@
++++ serefpolicy-3.6.32/policy/modules/admin/usermanage.if 2009-11-09 09:42:20.000000000 -0500
+@@ -113,6 +113,12 @@
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1, passwd_exec_t, passwd_t)
++
++ifdef(`hide_broken_symptoms', `
++ dontaudit passwd_t $1:unix_stream_socket rw_socket_perms;
++ dontaudit passwd_t $1:unix_dgram_socket rw_socket_perms;
++ dontaudit passwd_t $1:tcp_socket rw_socket_perms;
++')
+ ')
+
+ ########################################
+@@ -274,6 +280,11 @@
usermanage_domtrans_useradd($1)
role $2 types useradd_t;
@@ -1971,7 +2042,7 @@ diff -b -B --ignore-all-space --exclude-
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc
--- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-04 09:08:16.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-09 15:54:53.000000000 -0500
@@ -0,0 +1,39 @@
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
@@ -2007,7 +2078,7 @@ diff -b -B --ignore-all-space --exclude-
+
+/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
-+/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0)
++/opt/Adobe.*AIR/.*/Resources/Adobe.AIR.Updater -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
+/opt/likewise/bin/domainjoin-cli -- gen_context(system_u:object_r:execmem_exec_t,s0)
+
@@ -3045,6 +3116,12 @@ diff -b -B --ignore-all-space --exclude-
+ifdef(`hide_broken_symptoms',`
+ dev_dontaudit_rw_lvm_control_dev(loadkeys_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-3.6.32/policy/modules/apps/mono.fc
+--- nsaserefpolicy/policy/modules/apps/mono.fc 2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/mono.fc 2009-11-09 12:10:45.000000000 -0500
+@@ -1 +1 @@
+-/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
++/usr/bin/mono.* -- gen_context(system_u:object_r:mono_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-3.6.32/policy/modules/apps/mono.if
[...2012 lines suppressed...]
-+ rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-+ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
- allow $1 user_tmpfs_t:dir list_dir_perms;
- fs_search_tmpfs($1)
+- dontaudit $1 user_tmp_t:file manage_file_perms;
++ dontaudit $1 user_tmp_t:file write;
')
########################################
## <summary>
--## Read user tmpfs files.
-+## Get the attributes of a user domain tty.
+-## Read user temporary symbolic links.
++## Do not audit attempts to manage users
++## temporary files.
## </summary>
## <param name="domain">
## <summary>
-@@ -2419,33 +2628,12 @@
+-## Domain allowed access.
++## Domain to not audit.
## </summary>
## </param>
#
--interface(`userdom_rw_user_tmpfs_files',`
-+interface(`userdom_getattr_user_ttys',`
+-interface(`userdom_read_user_tmp_symlinks',`
++interface(`userdom_dontaudit_manage_user_tmp_files',`
gen_require(`
-- type user_tmpfs_t;
-+ type user_tty_device_t;
+ type user_tmp_t;
')
-- rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-- allow $1 user_tmpfs_t:dir list_dir_perms;
-- fs_search_tmpfs($1)
--')
--
--########################################
--## <summary>
--## Get the attributes of a user domain tty.
+- read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
+- allow $1 user_tmp_t:dir list_dir_perms;
+- files_search_tmp($1)
++ dontaudit $1 user_tmp_t:file manage_file_perms;
+ ')
+
+ ########################################
+ ## <summary>
+-## Create, read, write, and delete user
++## Read user temporary symbolic links.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_read_user_tmp_symlinks',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
++ allow $1 user_tmp_t:dir list_dir_perms;
++ files_search_tmp($1)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete user
+ ## temporary directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -2276,6 +2503,46 @@
+ ########################################
+ ## <summary>
+ ## Create, read, write, and delete user
++## temporary chr files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_user_tmp_chr_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete user
++## temporary blk files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_manage_user_tmp_blk_files',`
++ gen_require(`
++ type user_tmp_t;
++ ')
++
++ manage_blk_files_pattern($1, user_tmp_t, user_tmp_t)
++ files_search_tmp($1)
++')
++
++########################################
++## <summary>
++## Create, read, write, and delete user
+ ## temporary symbolic links.
+ ## </summary>
+ ## <param name="domain">
+@@ -2391,27 +2658,7 @@
+
+ ########################################
+ ## <summary>
+-## Read user tmpfs files.
-## </summary>
-## <param name="domain">
-## <summary>
@@ -32117,17 +32588,24 @@ diff -b -B --ignore-all-space --exclude-
-## </summary>
-## </param>
-#
--interface(`userdom_getattr_user_ttys',`
+-interface(`userdom_read_user_tmpfs_files',`
- gen_require(`
-- type user_tty_device_t;
+- type user_tmpfs_t;
- ')
-
-- allow $1 user_tty_device_t:chr_file getattr;
-+ allow $1 user_tty_device_t:chr_file getattr;
- ')
-
- ########################################
-@@ -2749,7 +2937,7 @@
+- read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+- allow $1 user_tmpfs_t:dir list_dir_perms;
+- fs_search_tmpfs($1)
+-')
+-
+-########################################
+-## <summary>
+-## Read user tmpfs files.
++## Read/Write user tmpfs files.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+@@ -2749,7 +2996,7 @@
domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use;
@@ -32136,7 +32614,7 @@ diff -b -B --ignore-all-space --exclude-
allow unpriv_userdomain $1:process sigchld;
')
-@@ -2765,11 +2953,32 @@
+@@ -2765,11 +3012,32 @@
#
interface(`userdom_search_user_home_content',`
gen_require(`
@@ -32171,7 +32649,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2897,7 +3106,25 @@
+@@ -2897,7 +3165,25 @@
type user_tmp_t;
')
@@ -32198,7 +32676,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -2934,6 +3161,7 @@
+@@ -2934,6 +3220,7 @@
')
read_files_pattern($1, userdomain, userdomain)
@@ -32206,7 +32684,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_search_proc($1)
')
-@@ -3064,3 +3292,578 @@
+@@ -3064,3 +3351,578 @@
allow $1 userdomain:dbus send_msg;
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.962
retrieving revision 1.963
diff -u -p -r1.962 -r1.963
--- selinux-policy.spec 4 Nov 2009 15:56:36 -0000 1.962
+++ selinux-policy.spec 9 Nov 2009 22:21:24 -0000 1.963
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 41%{?dist}
+Release: 42%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -445,6 +445,25 @@ exit 0
%endif
%changelog
+* Mon Nov 9 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-42
+- Allow kdump to read the kernel core interface
+- Dontaudit abrt read all files in home dir
+- Allow kismet client to write to .kismet dir in homedir
+- Turn on asterisk policy and allow logrotate to communicate with it
+- Allow abrt to manage rpm cache files
+- Rules to allow sysadm_t to install a kernel
+- Allow local_login to read console_device_t to Z series logins
+- Allow automount and devicekit_disk to search all filesystem dirs
+- Allow corosync to setrlimit
+- Allow hal to read modules.dep
+- Fix xdm using pcscd
+- Dontaudit gssd trying to write user_tmp_t, kerberos libary problem.
+- Eliminate transition from unconifned_t to loadkeys_t
+- Dontaudit several leaks to xauth_t
+- Allow xdm_t to search for man pages
+- Allow xdm_dbus to append to xdm log
+
+
* Wed Nov 4 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-41
- Allow podsleuth to send signals to users
- Allow mail agents to getattr on fifo files from apps that execute mail agent
More information about the fedora-extras-commits
mailing list