rpms/selinux-policy/F-12 modules-minimum.conf, 1.40, 1.41 modules-targeted.conf, 1.149, 1.150 policy-F12.patch, 1.114, 1.115 selinux-policy.spec, 1.947, 1.948

Daniel J Walsh dwalsh at fedoraproject.org
Wed Oct 21 15:55:50 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24859

Modified Files:
	modules-minimum.conf modules-targeted.conf policy-F12.patch 
	selinux-policy.spec 
Log Message:
* Wed Oct 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-31
- Allow unconfined_execmem_t to transition to sandbox
- Add sectool policy
- Add sssd log files



Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-minimum.conf,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -p -r1.40 -r1.41
--- modules-minimum.conf	15 Oct 2009 20:42:08 -0000	1.40
+++ modules-minimum.conf	21 Oct 2009 15:55:49 -0000	1.41
@@ -1406,6 +1406,13 @@ seunshare = module
 # 
 shorewall = base
 
+# Layer: apps
+# Module: sectoolm
+#
+# Policy for sectool-mechanism
+# 
+sectoolm = module
+
 # Layer: system
 # Module: setrans
 # Required in base


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/modules-targeted.conf,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -p -r1.149 -r1.150
--- modules-targeted.conf	15 Oct 2009 20:42:08 -0000	1.149
+++ modules-targeted.conf	21 Oct 2009 15:55:49 -0000	1.150
@@ -1406,6 +1406,13 @@ seunshare = module
 # 
 shorewall = base
 
+# Layer: apps
+# Module: sectoolm
+#
+# Policy for sectool-mechanism
+# 
+sectoolm = module
+
 # Layer: system
 # Module: setrans
 # Required in base

policy-F12.patch:
 Makefile                                  |    2 
 policy/flask/access_vectors               |    1 
 policy/global_tunables                    |   24 
 policy/mcs                                |   10 
 policy/modules/admin/alsa.te              |    2 
 policy/modules/admin/anaconda.te          |    3 
 policy/modules/admin/brctl.te             |    2 
 policy/modules/admin/certwatch.te         |    2 
 policy/modules/admin/consoletype.te       |    1 
 policy/modules/admin/dmesg.fc             |    2 
 policy/modules/admin/dmesg.te             |   10 
 policy/modules/admin/firstboot.te         |    6 
 policy/modules/admin/logrotate.te         |   13 
 policy/modules/admin/logwatch.te          |    1 
 policy/modules/admin/mrtg.te              |    1 
 policy/modules/admin/netutils.te          |    1 
 policy/modules/admin/ntop.fc              |    5 
 policy/modules/admin/ntop.if              |  158 +++
 policy/modules/admin/ntop.te              |   40 
 policy/modules/admin/portage.te           |    2 
 policy/modules/admin/prelink.if           |    4 
 policy/modules/admin/prelink.te           |    2 
 policy/modules/admin/readahead.te         |    1 
 policy/modules/admin/rpm.fc               |   18 
 policy/modules/admin/rpm.if               |  320 ++++++
 policy/modules/admin/rpm.te               |   95 +
 policy/modules/admin/shorewall.if         |   40 
 policy/modules/admin/shorewall.te         |    2 
 policy/modules/admin/smoltclient.fc       |    4 
 policy/modules/admin/smoltclient.if       |    1 
 policy/modules/admin/smoltclient.te       |   66 +
 policy/modules/admin/sudo.if              |   13 
 policy/modules/admin/tmpreaper.te         |    5 
 policy/modules/admin/tzdata.te            |    2 
 policy/modules/admin/usermanage.if        |    5 
 policy/modules/admin/usermanage.te        |   34 
 policy/modules/admin/vbetool.te           |   14 
 policy/modules/admin/vpn.te               |    2 
 policy/modules/apps/calamaris.te          |    7 
 policy/modules/apps/chrome.fc             |    2 
 policy/modules/apps/chrome.if             |   85 +
 policy/modules/apps/chrome.te             |   61 +
 policy/modules/apps/cpufreqselector.te    |    2 
 policy/modules/apps/execmem.fc            |   31 
 policy/modules/apps/execmem.if            |   74 +
 policy/modules/apps/execmem.te            |   11 
 policy/modules/apps/firewallgui.fc        |    3 
 policy/modules/apps/firewallgui.if        |    3 
 policy/modules/apps/firewallgui.te        |   63 +
 policy/modules/apps/gitosis.if            |   45 
 policy/modules/apps/gnome.fc              |   12 
 policy/modules/apps/gnome.if              |  170 +++
 policy/modules/apps/gnome.te              |   99 +-
 policy/modules/apps/gpg.te                |   20 
 policy/modules/apps/java.fc               |   18 
 policy/modules/apps/java.if               |  112 ++
 policy/modules/apps/java.te               |   14 
 policy/modules/apps/kdumpgui.fc           |    2 
 policy/modules/apps/kdumpgui.if           |    2 
 policy/modules/apps/kdumpgui.te           |   65 +
 policy/modules/apps/livecd.fc             |    2 
 policy/modules/apps/livecd.if             |   50 +
 policy/modules/apps/livecd.te             |   26 
 policy/modules/apps/loadkeys.te           |    4 
 policy/modules/apps/mono.if               |  101 ++
 policy/modules/apps/mono.te               |    9 
 policy/modules/apps/mozilla.fc            |    1 
 policy/modules/apps/mozilla.if            |   32 
 policy/modules/apps/mozilla.te            |   22 
 policy/modules/apps/nsplugin.fc           |   13 
 policy/modules/apps/nsplugin.if           |  323 ++++++
 policy/modules/apps/nsplugin.te           |  295 +++++
 policy/modules/apps/openoffice.fc         |    3 
 policy/modules/apps/openoffice.if         |   93 +
 policy/modules/apps/openoffice.te         |   11 
 policy/modules/apps/pulseaudio.if         |    2 
 policy/modules/apps/pulseaudio.te         |   11 
 policy/modules/apps/qemu.fc               |    4 
 policy/modules/apps/qemu.if               |  190 +++
 policy/modules/apps/qemu.te               |   82 +
 policy/modules/apps/sambagui.fc           |    1 
 policy/modules/apps/sambagui.if           |    2 
 policy/modules/apps/sambagui.te           |   57 +
 policy/modules/apps/sandbox.fc            |    1 
 policy/modules/apps/sandbox.if            |  184 +++
 policy/modules/apps/sandbox.te            |  330 ++++++
 policy/modules/apps/screen.if             |    5 
 policy/modules/apps/sectoolm.fc           |    6 
 policy/modules/apps/sectoolm.if           |    3 
 policy/modules/apps/sectoolm.te           |  120 ++
 policy/modules/apps/seunshare.fc          |    2 
 policy/modules/apps/seunshare.if          |   81 +
 policy/modules/apps/seunshare.te          |   45 
 policy/modules/apps/vmware.te             |    1 
 policy/modules/apps/wine.fc               |   24 
 policy/modules/apps/wine.if               |  115 ++
 policy/modules/apps/wine.te               |   34 
 policy/modules/kernel/corecommands.fc     |   31 
 policy/modules/kernel/corecommands.if     |   21 
 policy/modules/kernel/corenetwork.te.in   |   36 
 policy/modules/kernel/devices.fc          |   11 
 policy/modules/kernel/devices.if          |  255 +++++
 policy/modules/kernel/devices.te          |   25 
 policy/modules/kernel/domain.if           |  151 ++-
 policy/modules/kernel/domain.te           |   84 +
 policy/modules/kernel/files.fc            |    3 
 policy/modules/kernel/files.if            |  298 +++++-
 policy/modules/kernel/files.te            |    6 
 policy/modules/kernel/filesystem.fc       |    2 
 policy/modules/kernel/filesystem.if       |  211 ++++
 policy/modules/kernel/filesystem.te       |    9 
 policy/modules/kernel/kernel.if           |   58 +
 policy/modules/kernel/kernel.te           |   29 
 policy/modules/kernel/selinux.if          |   25 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |    3 
 policy/modules/kernel/terminal.fc         |    1 
 policy/modules/kernel/terminal.if         |   40 
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/roles/guest.te             |    8 
 policy/modules/roles/staff.te             |  123 --
 policy/modules/roles/sysadm.te            |  124 --
 policy/modules/roles/unconfineduser.fc    |    8 
 policy/modules/roles/unconfineduser.if    |  638 ++++++++++++
 policy/modules/roles/unconfineduser.te    |  411 ++++++++
 policy/modules/roles/unprivuser.te        |  127 --
 policy/modules/roles/xguest.te            |   37 
 policy/modules/services/abrt.fc           |    2 
 policy/modules/services/abrt.if           |   40 
 policy/modules/services/abrt.te           |   24 
 policy/modules/services/afs.fc            |    1 
 policy/modules/services/afs.te            |    1 
 policy/modules/services/aisexec.fc        |   12 
 policy/modules/services/aisexec.if        |  106 ++
 policy/modules/services/aisexec.te        |  112 ++
 policy/modules/services/amavis.te         |    2 
 policy/modules/services/apache.fc         |   38 
 policy/modules/services/apache.if         |  410 +++++---
 policy/modules/services/apache.te         |  439 +++++++-
 policy/modules/services/apm.te            |    2 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/bind.if           |   40 
 policy/modules/services/bluetooth.if      |   21 
 policy/modules/services/bluetooth.te      |    9 
 policy/modules/services/ccs.fc            |    8 
 policy/modules/services/ccs.te            |   33 
 policy/modules/services/certmaster.te     |    2 
 policy/modules/services/chronyd.fc        |   11 
 policy/modules/services/chronyd.if        |  105 ++
 policy/modules/services/chronyd.te        |   67 +
 policy/modules/services/clamav.te         |   16 
 policy/modules/services/clogd.fc          |    4 
 policy/modules/services/clogd.if          |   98 +
 policy/modules/services/clogd.te          |   62 +
 policy/modules/services/cobbler.fc        |    2 
 policy/modules/services/cobbler.if        |   24 
 policy/modules/services/cobbler.te        |    5 
 policy/modules/services/consolekit.if     |   39 
 policy/modules/services/consolekit.te     |   19 
 policy/modules/services/corosync.fc       |   13 
 policy/modules/services/corosync.if       |  108 ++
 policy/modules/services/corosync.te       |  109 ++
 policy/modules/services/courier.if        |   18 
 policy/modules/services/courier.te        |    1 
 policy/modules/services/cron.fc           |    4 
 policy/modules/services/cron.if           |   72 +
 policy/modules/services/cron.te           |   82 +
 policy/modules/services/cups.fc           |   13 
 policy/modules/services/cups.te           |   42 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    1 
 policy/modules/services/dbus.if           |   49 
 policy/modules/services/dbus.te           |   25 
 policy/modules/services/dcc.te            |    8 
 policy/modules/services/ddclient.if       |   25 
 policy/modules/services/devicekit.fc      |    2 
 policy/modules/services/devicekit.if      |   22 
 policy/modules/services/devicekit.te      |   54 +
 policy/modules/services/dnsmasq.te        |   12 
 policy/modules/services/dovecot.te        |   22 
 policy/modules/services/exim.te           |    5 
 policy/modules/services/fail2ban.te       |    2 
 policy/modules/services/fetchmail.te      |    2 
 policy/modules/services/fprintd.te        |    4 
 policy/modules/services/ftp.te            |   60 +
 policy/modules/services/git.fc            |    8 
 policy/modules/services/git.if            |  286 +++++
 policy/modules/services/git.te            |  166 +++
 policy/modules/services/gpm.te            |    3 
 policy/modules/services/gpsd.fc           |    5 
 policy/modules/services/gpsd.if           |   27 
 policy/modules/services/gpsd.te           |   14 
 policy/modules/services/hal.fc            |    1 
 policy/modules/services/hal.if            |   18 
 policy/modules/services/hal.te            |   48 
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.fc          |    2 
 policy/modules/services/inetd.te          |    4 
 policy/modules/services/irqbalance.te     |    4 
 policy/modules/services/kerberos.te       |   13 
 policy/modules/services/kerneloops.te     |    2 
 policy/modules/services/ktalk.te          |    1 
 policy/modules/services/lircd.fc          |    1 
 policy/modules/services/lircd.te          |   12 
 policy/modules/services/mailman.te        |    4 
 policy/modules/services/memcached.te      |    2 
 policy/modules/services/milter.if         |    2 
 policy/modules/services/modemmanager.te   |    1 
 policy/modules/services/mta.fc            |    2 
 policy/modules/services/mta.if            |   10 
 policy/modules/services/mta.te            |   36 
 policy/modules/services/munin.fc          |    3 
 policy/modules/services/munin.te          |    3 
 policy/modules/services/mysql.te          |    7 
 policy/modules/services/nagios.fc         |   11 
 policy/modules/services/nagios.if         |   70 +
 policy/modules/services/nagios.te         |   55 -
 policy/modules/services/networkmanager.fc |   14 
 policy/modules/services/networkmanager.if |   65 +
 policy/modules/services/networkmanager.te |  115 ++
 policy/modules/services/nis.fc            |    5 
 policy/modules/services/nis.if            |   87 +
 policy/modules/services/nis.te            |   13 
 policy/modules/services/nscd.if           |   18 
 policy/modules/services/nscd.te           |   17 
 policy/modules/services/nslcd.if          |    8 
 policy/modules/services/ntp.if            |   46 
 policy/modules/services/ntp.te            |    8 
 policy/modules/services/nut.fc            |   15 
 policy/modules/services/nut.if            |   82 +
 policy/modules/services/nut.te            |  140 ++
 policy/modules/services/nx.fc             |    1 
 policy/modules/services/nx.if             |   19 
 policy/modules/services/nx.te             |    6 
 policy/modules/services/oddjob.if         |    1 
 policy/modules/services/openvpn.te        |    2 
 policy/modules/services/pcscd.te          |    3 
 policy/modules/services/pegasus.te        |   28 
 policy/modules/services/plymouth.fc       |    5 
 policy/modules/services/plymouth.if       |  286 +++++
 policy/modules/services/plymouth.te       |   96 +
 policy/modules/services/policykit.fc      |    5 
 policy/modules/services/policykit.if      |   48 
 policy/modules/services/policykit.te      |   64 +
 policy/modules/services/postfix.fc        |    2 
 policy/modules/services/postfix.if        |  150 ++-
 policy/modules/services/postfix.te        |  140 ++
 policy/modules/services/postgresql.fc     |    2 
 policy/modules/services/postgresql.if     |   43 
 policy/modules/services/postgresql.te     |    9 
 policy/modules/services/ppp.if            |    6 
 policy/modules/services/ppp.te            |   16 
 policy/modules/services/prelude.te        |    1 
 policy/modules/services/privoxy.fc        |    3 
 policy/modules/services/privoxy.te        |    3 
 policy/modules/services/procmail.te       |   12 
 policy/modules/services/pyzor.fc          |    4 
 policy/modules/services/pyzor.if          |   47 
 policy/modules/services/pyzor.te          |   37 
 policy/modules/services/radvd.te          |    1 
 policy/modules/services/razor.fc          |    1 
 policy/modules/services/razor.if          |   42 
 policy/modules/services/razor.te          |   32 
 policy/modules/services/rgmanager.fc      |    8 
 policy/modules/services/rgmanager.if      |   59 +
 policy/modules/services/rgmanager.te      |   83 +
 policy/modules/services/rhcs.fc           |   22 
 policy/modules/services/rhcs.if           |  348 +++++++
 policy/modules/services/rhcs.te           |  394 ++++++++
 policy/modules/services/ricci.te          |   30 
 policy/modules/services/rpc.if            |    7 
 policy/modules/services/rpc.te            |   16 
 policy/modules/services/rpcbind.if        |   20 
 policy/modules/services/rpcbind.te        |    1 
 policy/modules/services/rsync.te          |   23 
 policy/modules/services/rtkit.if          |   20 
 policy/modules/services/rtkit.te          |    2 
 policy/modules/services/samba.fc          |    4 
 policy/modules/services/samba.if          |  104 ++
 policy/modules/services/samba.te          |   89 +
 policy/modules/services/sasl.te           |   15 
 policy/modules/services/sendmail.if       |  137 ++
 policy/modules/services/sendmail.te       |   87 +
 policy/modules/services/setroubleshoot.fc |    2 
 policy/modules/services/setroubleshoot.if |  102 ++
 policy/modules/services/setroubleshoot.te |   81 +
 policy/modules/services/smartmon.te       |   15 
 policy/modules/services/snmp.if           |   38 
 policy/modules/services/snmp.te           |    4 
 policy/modules/services/spamassassin.fc   |   15 
 policy/modules/services/spamassassin.if   |   89 +
 policy/modules/services/spamassassin.te   |  137 ++
 policy/modules/services/squid.te          |    9 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |  184 +++
 policy/modules/services/ssh.te            |   77 -
 policy/modules/services/sssd.fc           |    5 
 policy/modules/services/sssd.if           |   43 
 policy/modules/services/sssd.te           |   12 
 policy/modules/services/sysstat.te        |    5 
 policy/modules/services/tftp.fc           |    2 
 policy/modules/services/uucp.te           |    7 
 policy/modules/services/virt.fc           |   12 
 policy/modules/services/virt.if           |  127 ++
 policy/modules/services/virt.te           |  284 +++++
 policy/modules/services/w3c.te            |    7 
 policy/modules/services/xserver.fc        |   33 
 policy/modules/services/xserver.if        |  534 ++++++++++
 policy/modules/services/xserver.te        |  318 +++++-
 policy/modules/system/application.if      |   20 
 policy/modules/system/application.te      |   11 
 policy/modules/system/authlogin.fc        |    9 
 policy/modules/system/authlogin.if        |  207 +++-
 policy/modules/system/authlogin.te        |   10 
 policy/modules/system/fstools.fc          |    2 
 policy/modules/system/fstools.te          |    7 
 policy/modules/system/init.fc             |    7 
 policy/modules/system/init.if             |  158 +++
 policy/modules/system/init.te             |  285 ++++-
 policy/modules/system/ipsec.fc            |    3 
 policy/modules/system/ipsec.if            |   25 
 policy/modules/system/ipsec.te            |   58 +
 policy/modules/system/iptables.fc         |   17 
 policy/modules/system/iptables.if         |   97 +
 policy/modules/system/iptables.te         |   15 
 policy/modules/system/iscsi.if            |   40 
 policy/modules/system/iscsi.te            |    6 
 policy/modules/system/libraries.fc        |  160 ++-
 policy/modules/system/libraries.if        |    5 
 policy/modules/system/libraries.te        |   18 
 policy/modules/system/locallogin.te       |   30 
 policy/modules/system/logging.fc          |   12 
 policy/modules/system/logging.if          |   18 
 policy/modules/system/logging.te          |   38 
 policy/modules/system/lvm.if              |   39 
 policy/modules/system/lvm.te              |   29 
 policy/modules/system/miscfiles.fc        |    2 
 policy/modules/system/miscfiles.if        |   60 +
 policy/modules/system/miscfiles.te        |    3 
 policy/modules/system/modutils.fc         |    1 
 policy/modules/system/modutils.if         |   46 
 policy/modules/system/modutils.te         |   46 
 policy/modules/system/mount.fc            |    7 
 policy/modules/system/mount.if            |    2 
 policy/modules/system/mount.te            |   76 +
 policy/modules/system/raid.fc             |    2 
 policy/modules/system/raid.te             |    8 
 policy/modules/system/selinuxutil.fc      |   17 
 policy/modules/system/selinuxutil.if      |  309 ++++++
 policy/modules/system/selinuxutil.te      |  229 +---
 policy/modules/system/setrans.if          |   20 
 policy/modules/system/sysnetwork.fc       |    9 
 policy/modules/system/sysnetwork.if       |  117 ++
 policy/modules/system/sysnetwork.te       |   77 +
 policy/modules/system/udev.fc             |    3 
 policy/modules/system/udev.if             |   21 
 policy/modules/system/udev.te             |   39 
 policy/modules/system/unconfined.fc       |   15 
 policy/modules/system/unconfined.if       |  443 ---------
 policy/modules/system/unconfined.te       |  224 ----
 policy/modules/system/userdomain.fc       |    6 
 policy/modules/system/userdomain.if       | 1476 ++++++++++++++++++++++--------
 policy/modules/system/userdomain.te       |   47 
 policy/modules/system/xen.fc              |    6 
 policy/modules/system/xen.if              |   28 
 policy/modules/system/xen.te              |  137 ++
 policy/support/obj_perm_sets.spt          |   14 
 policy/users                              |   13 
 368 files changed, 17741 insertions(+), 2660 deletions(-)

Index: policy-F12.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-F12.patch,v
retrieving revision 1.114
retrieving revision 1.115
diff -u -p -r1.114 -r1.115
--- policy-F12.patch	20 Oct 2009 22:59:51 -0000	1.114
+++ policy-F12.patch	21 Oct 2009 15:55:49 -0000	1.115
@@ -641,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/bin/online_update		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-10-20 10:47:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if	2009-10-21 09:33:05.000000000 -0400
 @@ -13,11 +13,34 @@
  interface(`rpm_domtrans',`
  	gen_require(`
@@ -726,7 +726,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Send and receive messages from
  ##	rpm over dbus.
  ## </summary>
-@@ -167,6 +225,48 @@
+@@ -167,6 +225,68 @@
  
  ########################################
  ## <summary>
@@ -770,12 +770,32 @@ diff -b -B --ignore-all-space --exclude-
 +	allow rpm_script_t $1:dbus send_msg;
 +')
 +
++#####################################
++## <summary>
++##      Allow the specified domain to append
++##      to rpm log files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`rpm_append_log',`
++        gen_require(`
++                type rpm_log_t;
++        ')
++
++        logging_search_logs($1)
++        append_files_pattern($1, rpm_log_t, rpm_log_t)
++')
++
 +########################################
 +## <summary>
  ##	Create, read, write, and delete the RPM log.
  ## </summary>
  ## <param name="domain">
-@@ -186,6 +286,24 @@
+@@ -186,6 +306,24 @@
  
  ########################################
  ## <summary>
@@ -800,7 +820,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Inherit and use file descriptors from RPM scripts.
  ## </summary>
  ## <param name="domain">
-@@ -219,7 +337,51 @@
+@@ -219,7 +357,51 @@
  	')
  
  	files_search_tmp($1)
@@ -852,7 +872,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -241,6 +403,25 @@
+@@ -241,6 +423,25 @@
  	allow $1 rpm_var_lib_t:dir list_dir_perms;
  	read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
  	read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -878,7 +898,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  ########################################
-@@ -265,6 +446,47 @@
+@@ -265,6 +466,47 @@
  
  ########################################
  ## <summary>
@@ -926,11 +946,46 @@ diff -b -B --ignore-all-space --exclude-
  ##	Do not audit attempts to create, read, 
  ##	write, and delete the RPM package database.
  ## </summary>
-@@ -283,3 +505,46 @@
+@@ -283,3 +525,81 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
 +
++#####################################
++## <summary>
++##      Create, read, write, and delete rpm pid files.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`rpm_manage_pid_files',`
++        gen_require(`
++                type rpm_var_run_t;
++        ')
++
++        manage_files_pattern($1,rpm_var_run_t,rpm_var_run_t)
++')
++
++######################################
++## <summary>
++##      Create files in /var/run with the rpm pid file type.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`rpm_pid_filetrans',`
++        gen_require(`
++                type rpm_var_run_t;
++        ')
++
++        files_pid_filetrans($1, rpm_var_run_t, file)
++')
 +
 +########################################
 +## <summary>
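Review bot: `rpm_manage_pid_files` grants `manage_files_pattern` on `rpm_var_run_t` but never gives `$1` search on the pid directory itself, whereas `rpm_pid_filetrans` presumably gets that from `files_pid_filetrans`; a caller that does not already hold search on `/var/run` will still be denied on the directory traversal. Refpolicy's manage-pid-files interfaces normally put `files_search_pids($1)` before the pattern, so I would add that line and also space the macro arguments as the rest of rpm.if does, `manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)`. Whether sectoolm_t, the only caller added in this commit, obtains the search elsewhere is not visible from this hunk.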
@@ -3979,7 +4034,7 @@ diff -b -B --ignore-all-space --exclude-
  ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.te serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.te	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te	2009-10-05 08:30:24.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.te	2009-10-21 07:52:28.000000000 -0400
 @@ -26,6 +26,7 @@
  
  can_exec(pulseaudio_t, pulseaudio_exec_t)
@@ -3988,7 +4043,17 @@ diff -b -B --ignore-all-space --exclude-
  kernel_read_system_state(pulseaudio_t)
  kernel_read_kernel_sysctls(pulseaudio_t)
  
-@@ -69,6 +70,7 @@
+@@ -63,12 +64,17 @@
+ miscfiles_read_localization(pulseaudio_t)
+ 
+ optional_policy(`
++	bluetooth_stream_connect(pulseaudio_t)
++')
++
++optional_policy(`
+ 	gnome_manage_config(pulseaudio_t)
+ ')
+ 
  optional_policy(`
  	dbus_system_bus_client(pulseaudio_t)
  	dbus_session_bus_client(pulseaudio_t)
@@ -3996,7 +4061,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	optional_policy(`
  		consolekit_dbus_chat(pulseaudio_t)
-@@ -88,6 +90,10 @@
+@@ -88,6 +94,10 @@
  ')
  
  optional_policy(`
@@ -4007,7 +4072,7 @@ diff -b -B --ignore-all-space --exclude-
  	policykit_domtrans_auth(pulseaudio_t)
  	policykit_read_lib(pulseaudio_t)
  	policykit_read_reload(pulseaudio_t)
-@@ -100,4 +106,5 @@
+@@ -100,4 +110,5 @@
  optional_policy(`
  	xserver_manage_xdm_tmp_files(pulseaudio_t)
  	xserver_read_xdm_lib_files(pulseaudio_t)
@@ -4414,7 +4479,7 @@ diff -b -B --ignore-all-space --exclude-
 +# No types are sandbox_exec_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2009-10-15 12:43:45.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if	2009-10-21 07:38:35.000000000 -0400
 @@ -0,0 +1,184 @@
 +
 +## <summary>policy for sandbox</summary>
@@ -4456,7 +4521,7 @@ diff -b -B --ignore-all-space --exclude-
 +	role $2 types sandbox_xserver_t;
 +	allow $1 sandbox_xserver_t:process signal_perms;
 +
-+	allow sandbox_x_domain $1:process sigchld;
++	allow sandbox_x_domain $1:process { sigchld signal };
 +	allow sandbox_x_domain sandbox_x_domain:process signal;
 +	# Dontaudit leaked file descriptors
 +	dontaudit sandbox_x_domain $1:fifo_file rw_fifo_file_perms;
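Review bot: Widening the added line from `sigchld` to `{ sigchld signal }` lets every process in sandbox_x_domain deliver any signal other than SIGKILL/SIGSTOP/SIGCHLD (SIGTERM, SIGHUP, SIGINT, SIGUSR1, ...) to any process running in the caller's `$1` domain, not merely its own seunshare parent, which hands sandboxed code a denial-of-service path against the launching user's session. The commit message does not say which denial motivated this, and I cannot tell from this hunk whether the mcs changes in the same patch constrain it; if the sandbox's categories dominate the caller's plain s0, MCS will not narrow the rule. If only the parent needs to be signalled, record the reason next to the rule, e.g. `# sandboxed app must signal its launching seunshare parent (confirm which signal is required)`, so the scope can be revisited. The interface this rule belongs to starts and ends outside the hunk.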
@@ -4949,6 +5014,147 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_read_system_state($1_screen_t)
  	kernel_read_kernel_sysctls($1_screen_t)
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.fc serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc
+--- nsaserefpolicy/policy/modules/apps/sectoolm.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.fc	2009-10-21 09:33:05.000000000 -0400
+@@ -0,0 +1,6 @@
++
++/usr/libexec/sectool-mechanism\.py	--	gen_context(system_u:object_r:sectoolm_exec_t,s0)
++
++/var/lib/sectool(/.*)?				gen_context(system_u:object_r:sectool_var_lib_t,s0)
++
++/var/log/sectool\.log			--	gen_context(system_u:object_r:sectool_var_log_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.if serefpolicy-3.6.32/policy/modules/apps/sectoolm.if
+--- nsaserefpolicy/policy/modules/apps/sectoolm.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.if	2009-10-21 09:33:05.000000000 -0400
+@@ -0,0 +1,3 @@
++
++## <summary>policy for sectool-mechanism</summary>
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sectoolm.te serefpolicy-3.6.32/policy/modules/apps/sectoolm.te
+--- nsaserefpolicy/policy/modules/apps/sectoolm.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/sectoolm.te	2009-10-21 09:35:38.000000000 -0400
+@@ -0,0 +1,120 @@
++
++policy_module(sectoolm,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sectoolm_t;
++type sectoolm_exec_t;
++dbus_system_domain(sectoolm_t, sectoolm_exec_t)
++
++# /var/lib files
++type sectool_var_lib_t;
++files_type(sectool_var_lib_t)
++
++# log files
++type sectool_var_log_t;
++logging_log_file(sectool_var_log_t)
++
++# tmp files
++type sectool_tmp_t;
++files_tmp_file(sectool_tmp_t)
++
++permissive sectoolm_t;
++
++########################################
++#
++# sectool local policy
++#
++
++allow sectoolm_t self:capability { dac_override net_admin sys_nice sys_ptrace };
++allow sectoolm_t self:process { getcap getsched  signull setsched };
++dontaudit sectoolm_t self:process { execstack execmem };
++
++allow sectoolm_t self:fifo_file rw_fifo_file_perms;
++allow sectoolm_t self:unix_dgram_socket { create_socket_perms sendto };
++
++# tmp files
++manage_dirs_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
++manage_files_pattern(sectoolm_t, sectool_tmp_t, sectool_tmp_t)
++files_tmp_filetrans(sectoolm_t, sectool_tmp_t, { file dir })
++
++# var/lib files
++manage_files_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
++manage_dirs_pattern(sectoolm_t, sectool_var_lib_t,sectool_var_lib_t)
++files_var_lib_filetrans(sectoolm_t,sectool_var_lib_t, { file dir })
++
++# log files
++manage_files_pattern(sectoolm_t, sectool_var_log_t,sectool_var_log_t)
++logging_log_filetrans(sectoolm_t,sectool_var_log_t,{ file })
++
++corecmd_exec_bin(sectoolm_t)
++corecmd_exec_shell(sectoolm_t)
++
++kernel_read_net_sysctls(sectoolm_t)
++kernel_read_network_state(sectoolm_t)
++kernel_read_kernel_sysctls(sectoolm_t)
++
++dev_read_sysfs(sectoolm_t)
++dev_read_urand(sectoolm_t)
++
++dev_getattr_all_blk_files(sectoolm_t)
++dev_getattr_all_chr_files(sectoolm_t)
++
++# selinux test
++selinux_validate_context(sectoolm_t)
++
++fs_getattr_all_fs(sectoolm_t)
++fs_list_noxattr_fs(sectoolm_t)
++
++files_getattr_all_pipes(sectoolm_t)
++files_getattr_all_sockets(sectoolm_t)
++files_read_all_files(sectoolm_t)
++files_read_all_symlinks(sectoolm_t)
++
++auth_use_nsswitch(sectoolm_t)
++
++libs_exec_ld_so(sectoolm_t)
++
++logging_send_syslog_msg(sectoolm_t)
++
++# tcp_wrappers test
++application_exec_all(sectoolm_t)
++
++domain_getattr_all_domains(sectoolm_t)
++domain_read_all_domains_state(sectoolm_t)
++
++userdom_users_dgram_send(sectoolm_t)
++userdom_dgram_send(sectoolm_t)
++userdom_manage_user_tmp_sockets(sectoolm_t)
++
++# tests related to network
++hostname_exec(sectoolm_t)
++iptables_domtrans(sectoolm_t)
++sysnet_domtrans_ifconfig(sectoolm_t)
++
++optional_policy(`
++	mount_exec(sectoolm_t)
++')
++
++optional_policy(`
++        policykit_dbus_chat(sectoolm_t)
++')
++
++# suid test using
++# rpm -Vf option
++optional_policy(`
++	prelink_domtrans(sectoolm_t)
++')
++
++optional_policy(`
++	rpm_exec(sectoolm_t)
++	rpm_append_log(sectoolm_t)
++	rpm_manage_pid_files(sectoolm_t)
++	rpm_pid_filetrans(sectoolm_t)
++	rpm_dontaudit_manage_db(sectoolm_t)
++')
++
++
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.32/policy/modules/apps/seunshare.fc
 --- nsaserefpolicy/policy/modules/apps/seunshare.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.32/policy/modules/apps/seunshare.fc	2009-09-30 16:12:48.000000000 -0400
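Review bot: `permissive sectoolm_t;` in sectoolm.te turns every allow rule beneath it into audit-only, and the domain is otherwise handed a wide surface for a root D-Bus mechanism: `dac_override`, `net_admin`, `sys_ptrace`, `files_read_all_files`, `domain_read_all_domains_state`, `application_exec_all`, `corecmd_exec_shell`, `iptables_domtrans` and `sysnet_domtrans_ifconfig`. The permissive flag should be tagged for removal so it does not ship indefinitely, e.g. `# TODO: drop permissive once AVC denials from a full sectool run are resolved`, and the grants a read-only audit tool would not obviously need (`net_admin`, `sys_ptrace`, `userdom_manage_user_tmp_sockets`) deserve a one-line justification each, e.g. `# net_admin: required by the <test name> check (confirm)`. I cannot tell from the hunk which sectool tests drive those three, so treat them as questions rather than defects. Finally, `files_var_lib_filetrans` and `logging_log_filetrans` are called with unspaced arguments while the rest of the file spaces them; matching the file's style makes the new module easier to grep.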
@@ -5307,7 +5513,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2009-07-30 13:09:10.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2009-10-15 13:16:38.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc	2009-10-21 09:33:05.000000000 -0400
 @@ -1,4 +1,4 @@
 -
 +c
@@ -5349,16 +5555,17 @@ diff -b -B --ignore-all-space --exclude-
  /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
-@@ -221,6 +228,8 @@
+@@ -221,6 +228,9 @@
  /usr/share/PackageKit/pk-upgrade-distro\.sh -- 	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/PackageKit/helpers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/sectool/.*\.py       --      gen_context(system_u:object_r:bin_t,s0)
 +/usr/share/smolt/client(/.*)?	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-perl(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/shorewall-shell(/.*)?	gen_context(system_u:object_r:bin_t,s0)
-@@ -263,6 +272,7 @@
+@@ -263,6 +273,7 @@
  /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
  /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -5366,7 +5573,7 @@ diff -b -B --ignore-all-space --exclude-
  /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
  /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
-@@ -315,3 +325,21 @@
+@@ -315,3 +326,21 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -5435,7 +5642,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2009-09-09 09:23:16.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in	2009-10-07 16:06:40.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in	2009-10-21 07:47:57.000000000 -0400
 @@ -65,6 +65,7 @@
  type server_packet_t, packet_type, server_packet_type;
  
@@ -5444,7 +5651,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
  network_port(afs_ka, udp,7004,s0)
  network_port(afs_pt, udp,7002,s0)
-@@ -87,26 +88,32 @@
+@@ -87,26 +88,33 @@
  network_port(comsat, udp,512,s0)
  network_port(cvs, tcp,2401,s0, udp,2401,s0)
  network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
@@ -5466,6 +5673,7 @@ diff -b -B --ignore-all-space --exclude-
 +network_port(ftps, tcp,990,s0, udp,990,s0)
  network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
  network_port(giftd, tcp,1213,s0)
++network_port(git, tcp,9418,s0, udp,9418,s0)
  network_port(gopher, tcp,70,s0, udp,70,s0)
  network_port(gpsd, tcp,2947,s0)
  network_port(hddtemp, tcp,7634,s0)
@@ -5479,7 +5687,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(i18n_input, tcp,9010,s0)
  network_port(imaze, tcp,5323,s0, udp,5323,s0)
  network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
-@@ -129,7 +136,7 @@
+@@ -129,7 +137,7 @@
  network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
  network_port(lmtp, tcp,24,s0, udp,24,s0)
  type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
@@ -5488,7 +5696,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(memcache, tcp,11211,s0, udp,11211,s0)
  network_port(mmcc, tcp,5050,s0, udp,5050,s0)
  network_port(monopd, tcp,1234,s0)
-@@ -147,6 +154,12 @@
+@@ -147,12 +155,19 @@
  network_port(pegasus_https, tcp,5989,s0)
  network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pingd, tcp,9125,s0)
@@ -5501,7 +5709,14 @@ diff -b -B --ignore-all-space --exclude-
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postfix_policyd, tcp,10031,s0)
-@@ -173,27 +186,34 @@
+ network_port(postgresql, tcp,5432,s0)
+ network_port(postgrey, tcp,60000,s0)
+ network_port(prelude, tcp,4690,s0, udp,4690,s0)
++network_port(presence, tcp,5298,s0, udp,5298,s0)
+ network_port(printer, tcp,515,s0)
+ network_port(ptal, tcp,5703,s0)
+ network_port(pulseaudio, tcp,4713,s0)
+@@ -173,27 +188,34 @@
  network_port(sap, tcp,9875,s0, udp,9875,s0)
  network_port(smbd, tcp,137-139,s0, tcp,445,s0)
  network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -5539,7 +5754,7 @@ diff -b -B --ignore-all-space --exclude-
  network_port(xdmcp, udp,177,s0, tcp,177,s0)
  network_port(xen, tcp,8002,s0)
  network_port(xfs, tcp,7100,s0)
-@@ -222,6 +242,8 @@
+@@ -222,6 +244,8 @@
  type node_t, node_type;
  sid node gen_context(system_u:object_r:node_t,s0 - mls_systemhigh)
  
@@ -9137,7 +9352,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
 --- nsaserefpolicy/policy/modules/roles/xguest.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te	2009-10-08 15:30:50.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te	2009-10-21 11:43:32.000000000 -0400
 @@ -31,16 +31,37 @@
  
  userdom_restricted_xwindows_user_template(xguest)
@@ -9197,7 +9412,7 @@ diff -b -B --ignore-all-space --exclude-
  ')
  
  optional_policy(`
-@@ -75,9 +101,15 @@
+@@ -75,9 +101,16 @@
  ')
  
  optional_policy(`
@@ -9207,6 +9422,7 @@ diff -b -B --ignore-all-space --exclude-
 +optional_policy(`
  	tunable_policy(`xguest_connect_network',`
  		networkmanager_dbus_chat(xguest_t)
++		networkmanager_read_var_lib_files(xguest_t)
 +		corenet_tcp_connect_pulseaudio_port(xguest_t)
 +		corenet_tcp_connect_ipp_port(xguest_t)
  	')
@@ -9278,7 +9494,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-10-19 14:55:25.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te	2009-10-21 10:05:17.000000000 -0400
 @@ -75,6 +75,7 @@
  
  corecmd_exec_bin(abrt_t)
@@ -9364,7 +9580,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/cman_.*                       -s      gen_context(system_u:object_r:aisexec_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aisexec.if serefpolicy-3.6.32/policy/modules/services/aisexec.if
 --- nsaserefpolicy/policy/modules/services/aisexec.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/aisexec.if	2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/aisexec.if	2009-10-21 07:51:25.000000000 -0400
 @@ -0,0 +1,106 @@
 +## <summary>SELinux policy for Aisexec Cluster Engine</summary>
 +
@@ -9700,7 +9916,7 @@ diff -b -B --ignore-all-space --exclude-
 +/var/www/svn/conf(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.32/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2009-07-28 15:51:13.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/apache.if	2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/apache.if	2009-10-21 11:09:04.000000000 -0400
 @@ -13,21 +13,16 @@
  #
  template(`apache_content_template',`
@@ -11190,6 +11406,37 @@ diff -b -B --ignore-all-space --exclude-
  ##	All of the rules required to administrate 
  ##	an bind environment
  ## </summary>
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-3.6.32/policy/modules/services/bluetooth.if
+--- nsaserefpolicy/policy/modules/services/bluetooth.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/bluetooth.if	2009-10-21 07:54:27.000000000 -0400
+@@ -153,6 +153,27 @@
+ 	dontaudit $1 bluetooth_helper_t:file { read getattr };
+ ')
+ 
++#####################################
++## <summary>
++##      Connect to bluetooth over a unix domain
++##      stream socket.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`bluetooth_stream_connect',`
++        gen_require(`
++                type bluetooth_t, bluetooth_var_run_t;
++        ')
++
++        files_search_pids($1)
++	allow $1 bluetooth_t:socket rw_socket_perms;	
++        stream_connect_pattern($1, bluetooth_var_run_t, bluetooth_var_run_t, bluetooth_t)
++')
++
+ ########################################
+ ## <summary>
+ ##	All of the rules required to administrate 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te
 --- nsaserefpolicy/policy/modules/services/bluetooth.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te	2009-09-30 16:12:48.000000000 -0400
@@ -13573,6 +13820,488 @@ diff -b -B --ignore-all-space --exclude-
  	seutil_sigchld_newrole(ftpd_t)
  ')
  
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.fc serefpolicy-3.6.32/policy/modules/services/git.fc
+--- nsaserefpolicy/policy/modules/services/git.fc	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/git.fc	2009-10-21 11:39:52.000000000 -0400
+@@ -1,3 +1,9 @@
+ /var/cache/cgit(/.*)?		gen_context(system_u:object_r:httpd_git_script_rw_t,s0)
+-/var/lib/git(/.*)?		gen_context(system_u:object_r:httpd_git_content_t,s0)
+ /var/www/cgi-bin/cgit	--	gen_context(system_u:object_r:httpd_git_script_exec_t,s0)
++
++/srv/git(/.*)?					gen_context(system_u:object_r:git_data_t, s0)
++
++/usr/libexec/git-core/git-daemon	--	gen_context(system_u:object_r:gitd_exec_t, s0)
++
++# Conflict with Fedora cgit fc spec.
++/var/lib/git(/.*)?				gen_context(system_u:object_r:git_data_t, s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.if serefpolicy-3.6.32/policy/modules/services/git.if
+--- nsaserefpolicy/policy/modules/services/git.if	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/git.if	2009-10-21 11:33:38.000000000 -0400
+@@ -1 +1,285 @@
+-## <summary>GIT revision control system</summary>
++## <summary>Git daemon is a really simple server for Git repositories.</summary>
++## <desc>
++##	<p>
++##		A really simple TCP git daemon that normally listens on
++##		port DEFAULT_GIT_PORT aka 9418. It waits for a
++##		connection asking for a service, and will serve that
++##		service if it is enabled.
++##	</p>
++##	<p>
++##		It verifies that the directory has the magic file
++##		git-daemon-export-ok, and it will refuse to export any
++##		git directory that has not explicitly been marked for
++##		export this way (unless the --export-all parameter is
++##		specified). If you pass some directory paths as
++##		git-daemon arguments, you can further restrict the
++##		offers to a whitelist comprising of those.
++##	</p>
++##	<p>
++##		By default, only upload-pack service is enabled, which
++##		serves git-fetch-pack and git-ls-remote clients, which
++##		are invoked from git-fetch, git-pull, and git-clone.
++##	</p>
++##	<p>
++##		This is ideally suited for read-only updates, i.e.,
++##		pulling from git repositories.
++##	</p>
++##	<p>
++##		An upload-archive also exists to serve git-archive.
++##	</p>
++## </desc>
++
++#######################################
++## <summary>
++##	Role access for Git daemon session.
++## </summary>
++## <param name="role">
++##	<summary>
++##	Role allowed access.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	User domain for the role.
++##	</summary>
++## </param>
++#
++interface(`git_session_role', `
++	gen_require(`
++		type gitd_session_t, gitd_exec_t, git_home_t;
++	')
++
++	########################################
++	#
++	# Git daemon session data declarations.
++	#
++
++	## <desc>
++	## <p>
++	## Allow transitions to the Git daemon
++	## session domain.
++	## </p>
++	## </desc>
++	gen_tunable(gitd_session_transition, false)
++
++	role $1 types gitd_session_t;
++
++	########################################
++	#
++	# Git daemon session data policy.
++	#
++
++	tunable_policy(`gitd_session_transition', `
++		domtrans_pattern($2, gitd_exec_t, gitd_session_t)
++	', `
++		can_exec($2, gitd_exec_t)
++	')
++
++	allow $2 gitd_session_t:process { ptrace signal_perms };
++	ps_process_pattern($2, gitd_session_t)
++
++	exec_files_pattern($2, git_home_t, git_home_t)
++	manage_dirs_pattern($2, git_home_t, git_home_t)
++	manage_files_pattern($2, git_home_t, git_home_t)
++
++	relabel_dirs_pattern($2, git_home_t, git_home_t)
++	relabel_files_pattern($2, git_home_t, git_home_t)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to execute
++##	Git daemon data files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_execute_data_files', `
++	gen_require(`
++		type git_data_t;
++	')
++
++	exec_files_pattern($1, git_data_t, git_data_t)
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to manage
++##	Git daemon data content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_manage_data_content', `
++	gen_require(`
++		type git_data_t;
++	')
++
++	manage_dirs_pattern($1, git_data_t, git_data_t)
++	manage_files_pattern($1, git_data_t, git_data_t)
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to manage
++##	Git daemon home content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_manage_home_content', `
++	gen_require(`
++		type git_home_t;
++	')
++
++	manage_dirs_pattern($1, git_home_t, git_home_t)
++	manage_files_pattern($1, git_home_t, git_home_t)
++	files_search_home($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to read
++##	Git daemon home content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_read_home_content', `
++	gen_require(`
++		type git_home_t;
++	')
++
++	list_dirs_pattern($1, git_home_t, git_home_t)
++	read_files_pattern($1, git_home_t, git_home_t)
++	files_search_home($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to read
++##	Git daemon data content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_read_data_content', `
++	gen_require(`
++		type git_data_t;
++	')
++
++	list_dirs_pattern($1, git_data_t, git_data_t)
++	read_files_pattern($1, git_data_t, git_data_t)
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	Git daemon data content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_relabel_data_content', `
++	gen_require(`
++		type git_data_t;
++	')
++
++	relabel_dirs_pattern($1, git_data_t, git_data_t)
++	relabel_files_pattern($1, git_data_t, git_data_t)
++	files_search_var($1)
++')
++
++########################################
++## <summary>
++##	Allow the specified domain to relabel
++##	Git daemon home content.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_relabel_home_content', `
++	gen_require(`
++		type git_home_t;
++	')
++
++	relabel_dirs_pattern($1, git_home_t, git_home_t)
++	relabel_files_pattern($1, git_home_t, git_home_t)
++	files_search_home($1)
++')
++
++########################################
++## <summary>
++##	All of the rules required to administrate an
++##	Git daemon system environment
++## </summary>
++## <param name="userdomain_prefix">
++##	<summary>
++##	Prefix of the domain. Example, user would be
++##	the prefix for the user_t domain.
++##	</summary>
++## </param>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <param name="role">
++##	<summary>
++##	The role to be allowed to manage the Git daemon domain.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`git_system_admin', `
++	gen_require(`
++		type gitd_t, gitd_exec_t;
++	')
++
++	allow $1 gitd_t:process { getattr ptrace signal_perms };
++	ps_process_pattern($1, gitd_t)
++
++	kernel_search_proc($1)
++
++	manage_files_pattern($1, gitd_exec_t, gitd_exec_t)
++
++	# This will not work since git-shell needs to execute gitd content thus public content files.
++	# There is currently no clean way to execute public content files.
++	# miscfiles_manage_public_files($1)
++
++	git_manage_data_content($1)
++	git_relabel_data_content($1)
++
++	seutil_domtrans_setfiles($1)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
+--- nsaserefpolicy/policy/modules/services/git.te	2009-07-14 14:19:57.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/git.te	2009-10-21 11:39:13.000000000 -0400
+@@ -1,9 +1,173 @@
+ 
+ policy_module(git, 1.0)
+ 
++attribute gitd_type;
++attribute git_content_type;
++
++########################################
++#
++# Git daemon system private declarations.
++#
++
++## <desc>
++## <p>
++## Allow Git daemon system to search home directories.
++## </p>
++## </desc>
++gen_tunable(git_system_enable_homedirs, false)
++
++## <desc>
++## <p>
++## Allow Git daemon system to access cifs file systems.
++## </p>
++## </desc>
++gen_tunable(git_system_use_cifs, false)
++
++## <desc>
++## <p>
++## Allow Git daemon system to access nfs file systems.
++## </p>
++## </desc>
++gen_tunable(git_system_use_nfs, false)
++
++########################################
++#
++# Git daemon global private declarations.
++#
++type gitd_exec_t;
++
++type gitd_t, gitd_type;
++inetd_service_domain(gitd_t, gitd_exec_t)
++role system_r types gitd_t;
++
++type git_data_t, git_content_type;
++files_type(git_data_t)
++
++permissive gitd_t;
++
++########################################
++#
++# Git daemon session session private declarations.
++#
++
++## <desc>
++## <p>
++## Allow Git daemon session to bind
++## tcp sockets to all unreserved ports.
++## </p>
++## </desc>
++gen_tunable(git_session_bind_all_unreserved_ports, false)
++
++type gitd_session_t, gitd_type;
++application_domain(gitd_session_t, gitd_exec_t)
++ubac_constrained(gitd_session_t)
++
++type git_home_t, git_content_type;
++userdom_user_home_content(git_home_t)
++
++permissive gitd_session_t;
++
++########################################
++#
++# Git daemon global private policy.
++#
++
++allow gitd_type self:fifo_file rw_fifo_file_perms;
++allow gitd_type self:tcp_socket create_socket_perms;
++allow gitd_type self:udp_socket create_socket_perms;
++allow gitd_type self:unix_dgram_socket create_socket_perms;
++
++corenet_all_recvfrom_netlabel(gitd_type)
++corenet_all_recvfrom_unlabeled(gitd_type)
++
++corenet_tcp_sendrecv_all_if(gitd_type)
++corenet_tcp_sendrecv_all_nodes(gitd_type)
++corenet_tcp_sendrecv_all_ports(gitd_type)
++
++corenet_tcp_bind_all_nodes(gitd_type)
++corenet_tcp_bind_git_port(gitd_type)
++
++corecmd_exec_bin(gitd_type)
++
++files_read_etc_files(gitd_type)
++files_read_usr_files(gitd_type)
++
++fs_search_auto_mountpoints(gitd_type)
++
++kernel_read_system_state(gitd_type)
++
++logging_send_syslog_msg(gitd_type)
++
++auth_use_nsswitch(gitd_type)
++
++miscfiles_read_localization(gitd_type)
++
++########################################
++#
++# Git daemon system repository private policy.
++#
++
++list_dirs_pattern(gitd_t, git_content_type, git_content_type)
++read_files_pattern(gitd_t, git_content_type, git_content_type)
++files_search_var(gitd_t)
++
++# This will not work since git-shell needs to execute gitd content thus public content files.
++# There is currently no clean way to execute public content files.
++# miscfiles_read_public_files(gitd_t)
++
++tunable_policy(`git_system_enable_homedirs', `
++	userdom_search_user_home_dirs(gitd_t)
++')
++
++tunable_policy(`git_system_enable_homedirs && use_nfs_home_dirs', `
++	fs_list_nfs(gitd_t)
++	fs_read_nfs_files(gitd_t)
++')
++
++tunable_policy(`git_system_enable_homedirs && use_samba_home_dirs', `
++	fs_list_cifs(gitd_t)
++	fs_read_cifs_files(gitd_t)
++')
++
++tunable_policy(`git_system_use_cifs', `
++	fs_list_cifs(gitd_t)
++	fs_read_cifs_files(gitd_t)
++')
++
++tunable_policy(`git_system_use_nfs', `
++	fs_list_nfs(gitd_t)
++	fs_read_nfs_files(gitd_t)
++')
++
++########################################
++#
++# Git daemon session repository private policy.
++#
++
++list_dirs_pattern(gitd_session_t, git_home_t, git_home_t)
++read_files_pattern(gitd_session_t, git_home_t, git_home_t)
++userdom_search_user_home_dirs(gitd_session_t)
++
++userdom_use_user_terminals(gitd_session_t)
++
++tunable_policy(`git_session_bind_all_unreserved_ports', `
++	corenet_tcp_bind_all_unreserved_ports(gitd_session_t)
++')
++
++tunable_policy(`use_nfs_home_dirs', `
++	fs_list_nfs(gitd_session_t)
++	fs_read_nfs_files(gitd_session_t)
++')
++
++tunable_policy(`use_samba_home_dirs', `
++	fs_list_cifs(gitd_session_t)
++	fs_read_cifs_files(gitd_session_t)
++')
++
+ ########################################
+ #
+-# Declarations
++# cgi git Declarations
+ #
+ 
+ apache_content_template(git)
++git_read_data_content(httpd_git_script_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gpm.te serefpolicy-3.6.32/policy/modules/services/gpm.te
 --- nsaserefpolicy/policy/modules/services/gpm.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/gpm.te	2009-09-30 16:12:48.000000000 -0400
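Review bot: Both new domains are declared `permissive gitd_t;` and `permissive gitd_session_t;` in git.te, so none of the allow rules in this module are enforced until those two lines are removed; if that is deliberate bring-up, a `# TODO: remove once the domain has been exercised in enforcing mode` beside each declaration records the intent so it does not ship indefinitely. `gen_tunable(git_session_transition, false)` is declared inside the `git_session_role` interface, so every role module that calls the interface presumably declares the boolean again; declaring it in git.te next to the other `gen_tunable` lines avoids that. The `git_system_admin` header also documents `userdomain_prefix` and `role` parameters that the body never references, since it only uses `$1`.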
@@ -13896,8 +14625,17 @@ diff -b -B --ignore-all-space --exclude-
 +/var/run/(x)?inetd\.pid	--	gen_context(system_u:object_r:inetd_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.32/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/inetd.te	2009-09-30 16:12:48.000000000 -0400
-@@ -138,6 +138,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/inetd.te	2009-10-21 11:02:27.000000000 -0400
+@@ -104,6 +104,8 @@
+ corenet_tcp_bind_telnetd_port(inetd_t)
+ corenet_udp_bind_tftp_port(inetd_t)
+ corenet_tcp_bind_ssh_port(inetd_t)
++corenet_tcp_bind_git_port(inetd_t)
++corenet_udp_bind_git_port(inetd_t)
+ 
+ # service port packets:
+ corenet_sendrecv_amanda_server_packets(inetd_t)
+@@ -138,6 +140,8 @@
  files_read_etc_files(inetd_t)
  files_read_etc_runtime_files(inetd_t)
  
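Review bot: `corenet_udp_bind_git_port(inetd_t)` grants a UDP bind on port 9418 that git-daemon, a TCP-only service, will never use; unless an inetd entry for a udp git service is expected, keeping only `corenet_tcp_bind_git_port(inetd_t)` matches the telnetd and ssh lines above it, which are TCP-only as well. The udp half of `network_port(git, tcp,9418,s0, udp,9418,s0)` in the corenetwork.te.in hunk earlier in this commit is the same choice, though mirroring the port registration there is harmless on its own.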
@@ -14544,7 +15282,7 @@ diff -b -B --ignore-all-space --exclude-
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.6.32/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if	2009-10-02 08:40:53.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/networkmanager.if	2009-10-21 10:29:42.000000000 -0400
 @@ -118,6 +118,24 @@
  
  ########################################
@@ -14570,7 +15308,7 @@ diff -b -B --ignore-all-space --exclude-
  ##	Read NetworkManager PID files.
  ## </summary>
  ## <param name="domain">
-@@ -134,3 +152,49 @@
+@@ -134,3 +152,50 @@
  	files_search_pids($1)
  	allow $1 NetworkManager_var_run_t:file read_file_perms;
  ')
@@ -14591,6 +15329,7 @@ diff -b -B --ignore-all-space --exclude-
 +	')
 +
 +	files_search_var_lib($1)
++	list_dirs_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +	read_files_pattern($1, NetworkManager_var_lib_t, NetworkManager_var_lib_t)
 +')
 +
@@ -17002,12 +17741,13 @@ diff -b -B --ignore-all-space --exclude-
 +userdom_user_home_dir_filetrans_user_home_content(postfix_virtual_t, {file dir })
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.fc serefpolicy-3.6.32/policy/modules/services/postgresql.fc
 --- nsaserefpolicy/policy/modules/services/postgresql.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc	2009-09-30 16:12:48.000000000 -0400
-@@ -2,6 +2,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/postgresql.fc	2009-10-21 11:42:45.000000000 -0400
+@@ -2,6 +2,8 @@
  # /etc
  #
  /etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
 +/etc/rc\.d/init\.d/postgresql	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
++/etc/sysconfig/pgsql(/.*)? 		gen_context(system_u:object_r:postgresql_etc_t,s0)
  
  #
  # /usr
@@ -21049,13 +21789,18 @@ diff -b -B --ignore-all-space --exclude-
  
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.fc serefpolicy-3.6.32/policy/modules/services/sssd.fc
 --- nsaserefpolicy/policy/modules/services/sssd.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.fc	2009-09-30 16:12:48.000000000 -0400
-@@ -1,4 +1,4 @@
++++ serefpolicy-3.6.32/policy/modules/services/sssd.fc	2009-10-21 10:05:54.000000000 -0400
+@@ -1,6 +1,9 @@
 -/etc/rc.d/init.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
 +/etc/rc\.d/init\.d/sssd	--	gen_context(system_u:object_r:sssd_initrc_exec_t,s0)
  
  /usr/sbin/sssd		--	gen_context(system_u:object_r:sssd_exec_t,s0)
  
+ /var/lib/sss(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
++
++/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_lib_t,s0)
++
+ /var/run/sssd.pid	--	gen_context(system_u:object_r:sssd_var_run_t,s0)
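Review bot: `/var/log/sssd(/.*)?` is labeled `sssd_var_lib_t` here, while the sssd.te hunks in this same commit introduce `sssd_var_log_t` with `logging_log_file` and `logging_log_filetrans(sssd_t, sssd_var_log_t, file)`; after a relabel the directory and everything in it carries the lib type, the filetrans into sssd_var_log_t only fires for files created directly under var_log_t, and domains given log access through the logging interfaces will not be able to read these files. The line should read `/var/log/sssd(/.*)?		gen_context(system_u:object_r:sssd_var_log_t,s0)`, and if sssd creates the directory itself a `manage_dirs_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)` beside the new manage_files rule in the sssd.te hunk below would be needed too.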
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
 --- nsaserefpolicy/policy/modules/services/sssd.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.6.32/policy/modules/services/sssd.if	2009-09-30 16:12:48.000000000 -0400
@@ -21123,8 +21868,18 @@ diff -b -B --ignore-all-space --exclude-
  ## </summary>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.te serefpolicy-3.6.32/policy/modules/services/sssd.te
 --- nsaserefpolicy/policy/modules/services/sssd.te	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/sssd.te	2009-09-30 16:12:48.000000000 -0400
-@@ -23,7 +23,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/sssd.te	2009-10-21 10:05:38.000000000 -0400
+@@ -16,6 +16,9 @@
+ type sssd_var_lib_t;
+ files_type(sssd_var_lib_t)
+ 
++type sssd_var_log_t;
++logging_log_file(sssd_var_log_t)
++
+ type sssd_var_run_t;
+ files_pid_file(sssd_var_run_t)
+ 
+@@ -23,7 +26,7 @@
  #
  # sssd local policy
  #
@@ -21133,7 +21888,14 @@ diff -b -B --ignore-all-space --exclude-
  allow sssd_t self:process { setsched signal getsched };
  allow sssd_t self:fifo_file rw_file_perms;
  allow sssd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -37,6 +37,8 @@
+@@ -33,10 +36,15 @@
+ manage_sock_files_pattern(sssd_t, sssd_var_lib_t, sssd_var_lib_t)
+ files_var_lib_filetrans(sssd_t, sssd_var_lib_t, { file dir } )
+ 
++manage_files_pattern(sssd_t, sssd_var_log_t, sssd_var_log_t)
++logging_log_filetrans(sssd_t, sssd_var_log_t, file)
++
+ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
  files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir })
  
@@ -21142,7 +21904,7 @@ diff -b -B --ignore-all-space --exclude-
  kernel_read_system_state(sssd_t)
  
  corecmd_exec_bin(sssd_t)
-@@ -58,6 +60,8 @@
+@@ -58,6 +66,8 @@
  
  miscfiles_read_localization(sssd_t)
  
@@ -28732,7 +29494,7 @@ diff -b -B --ignore-all-space --exclude-
 +HOME_DIR/\.gvfs(/.*)?	<<none>>
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-10-20 14:59:26.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if	2009-10-21 10:57:55.000000000 -0400
 @@ -30,8 +30,9 @@
  	')
  
@@ -29456,7 +30218,7 @@ diff -b -B --ignore-all-space --exclude-
  
  	optional_policy(`
 -		samba_stream_connect_winbind($1_t)
-+		sandbox_transition($1_t, $1_r)
++		sandbox_transition($1_usertype, $1_r)
  	')
  
  	optional_policy(`
@@ -29770,6 +30532,7 @@ diff -b -B --ignore-all-space --exclude-
 +#	corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
  	# Need the following rule to allow users to run vpnc
  	corenet_tcp_bind_xserver_port($1_t)
++	corenet_tcp_bind_all_nodes($1_usertype)
  
 -	files_exec_usr_files($1_t)
 -	# cjp: why?
@@ -29782,7 +30545,6 @@ diff -b -B --ignore-all-space --exclude-
 +	# the same domain and outside users) disabling this forces FTP passive mode
 +	# and may change other protocols
 +	tunable_policy(`user_tcp_server',`
-+		corenet_tcp_bind_all_nodes($1_usertype)
 +		corenet_tcp_bind_all_unreserved_ports($1_usertype)
 +	')
  
@@ -30242,7 +31004,7 @@ diff -b -B --ignore-all-space --exclude-
  	kernel_search_proc($1)
  ')
  
-@@ -3064,3 +3253,559 @@
+@@ -3064,3 +3253,578 @@
  
  	allow $1 userdomain:dbus send_msg;
  ')
@@ -30508,6 +31270,25 @@ diff -b -B --ignore-all-space --exclude-
 +	allow $1 unpriv_userdomain:unix_dgram_socket sendto;
 +')
 +
++######################################
++## <summary>
++##      Send a message to users over a unix domain
++##      datagram socket.
++## </summary>
++## <param name="domain">
++##      <summary>
++##      Domain allowed access.
++##      </summary>
++## </param>
++#
++interface(`userdom_users_dgram_send',`
++        gen_require(`
++                 attribute userdomain;
++      ')
++
++       allow $1 userdomain:unix_dgram_socket sendto;
++')
++
 +#######################################
 +## <summary>
 +##	Allow execmod on files in homedirectory 
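Review bot: The new `userdom_users_dgram_send` is indented with a different number of spaces on every line (eight before `gen_require`, six before its closing `')`, seven before `allow`), while the neighbouring interfaces in userdomain.if use a single tab; reindenting the three body lines with tabs keeps the file uniform. Its header comment is also space-indented where the others use `##	`. Since `userdomain` presumably covers `unpriv_userdomain` as well, a caller that already invokes this interface does not need the unpriv variant above it in addition.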


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.947
retrieving revision 1.948
diff -u -p -r1.947 -r1.948
--- selinux-policy.spec	20 Oct 2009 22:59:51 -0000	1.947
+++ selinux-policy.spec	21 Oct 2009 15:55:49 -0000	1.948
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.32
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -449,6 +449,11 @@ exit 0
 %endif
 
 %changelog
+* Wed Oct 21 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-31
+- Allow unconfined_execmem_t to transition to sandbox
+- Add sectool policy
+- Add sssd log files
+
 * Tue Oct 20 2009 Dan Walsh <dwalsh at redhat.com> 3.6.32-30
 - Fixes found for confined users day
 



