From 45323ebfc0b02423a5099b164ca0b287cfdfa15d Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Oct 01 2010 13:51:46 +0000 Subject: - Allow devicekit-power domtrans to NetworkManager - Allow passwd to use the console, all ttys and all ptys - Add firewallgui sys_rawio capability - Add label for slim.log --- diff --git a/policy-F13.patch b/policy-F13.patch index a542e38..a164e61 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -2761,7 +2761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.7.19/policy/modules/admin/usermanage.te --- nsaserefpolicy/policy/modules/admin/usermanage.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-07-09 08:51:08.085135159 +0200 ++++ serefpolicy-3.7.19/policy/modules/admin/usermanage.te 2010-10-01 15:16:38.939348984 +0200 @@ -199,6 +199,7 @@ term_use_all_ttys(groupadd_t) @@ -2788,15 +2788,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman allow passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow passwd_t self:process { setrlimit setfscreate }; allow passwd_t self:fd use; -@@ -294,6 +297,7 @@ +@@ -294,6 +297,8 @@ term_use_all_ttys(passwd_t) term_use_all_ptys(passwd_t) ++term_use_all_terms(passwd_t) +term_use_generic_ptys(passwd_t) auth_domtrans_chk_passwd(passwd_t) auth_manage_shadow(passwd_t) -@@ -303,6 +307,9 @@ +@@ -303,6 +308,9 @@ # allow checking if a shell is executable corecmd_check_exec_shell(passwd_t) @@ -2806,7 +2807,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman domain_use_interactive_fds(passwd_t) -@@ -333,6 +340,7 @@ +@@ -333,6 +341,7 @@ # user generally runs this from their home directory, so do not audit a search # on user home dir userdom_dontaudit_search_user_home_content(passwd_t) 
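Review bot: The added `term_use_all_terms(passwd_t)` in the passwd_t terminal block sits directly beside `term_use_all_ttys(passwd_t)`, `term_use_all_ptys(passwd_t)` and `term_use_generic_ptys(passwd_t)`, which it appears to subsume, going by the commit subject ("use the console, all ttys and all ptys"). If the denial being fixed was only on the console, `term_use_console(passwd_t)` would be the narrower grant. Otherwise, drop the now-redundant lines so that the terminal access of a domain that also has `auth_manage_shadow` can be read from one rule. A comment above the new line, such as `# console access: needed when passwd is started from <caller>`, would record the reason. The passwd_t section continues outside this hunk.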
@@ -2814,7 +2815,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman optional_policy(` nscd_domtrans(passwd_t) -@@ -427,7 +435,7 @@ +@@ -427,7 +436,7 @@ # Useradd local policy # @@ -2823,7 +2824,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman dontaudit useradd_t self:capability sys_tty_config; allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow useradd_t self:process setfscreate; -@@ -450,6 +458,7 @@ +@@ -450,6 +459,7 @@ corecmd_exec_bin(useradd_t) domain_use_interactive_fds(useradd_t) @@ -2831,7 +2832,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman files_manage_etc_files(useradd_t) files_search_var_lib(useradd_t) -@@ -498,12 +507,8 @@ +@@ -498,12 +508,8 @@ userdom_use_unpriv_users_fds(useradd_t) # Add/remove user home directories @@ -2845,7 +2846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/userman mta_manage_spool(useradd_t) -@@ -527,6 +532,12 @@ +@@ -527,6 +533,12 @@ ') optional_policy(` @@ -3404,7 +3405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewallgui.te serefpolicy-3.7.19/policy/modules/apps/firewallgui.te --- nsaserefpolicy/policy/modules/apps/firewallgui.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-07-19 13:22:45.974151339 +0200 ++++ serefpolicy-3.7.19/policy/modules/apps/firewallgui.te 2010-10-01 15:25:08.567599755 +0200 @@ -0,0 +1,67 @@ + +policy_module(firewallgui,1.0.0) @@ -3426,7 +3427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/firewall +# firewallgui local policy +# + -+allow firewallgui_t self:capability net_admin; ++allow firewallgui_t self:capability { net_admin sys_rawio }; + +allow firewallgui_t self:fifo_file rw_fifo_file_perms; + 
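Review bot: `sys_rawio` in `allow firewallgui_t self:capability { net_admin sys_rawio };` is a heavy capability to give a firewall configuration front end, because it gates raw I/O port and low-level device access rather than anything netfilter-related. Neither the commit message nor the hunk records the AVC that prompted it. If the denial comes from a helper the tool runs or from an inherited descriptor, the narrower fix would be a transition into that helper's domain or `dontaudit firewallgui_t self:capability sys_rawio;`. If the allow has to stay, add a comment above the rule naming the operation that needs it, so the grant can be revisited later.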
@@ -8646,7 +8647,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-09-09 10:26:47.476085401 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-10-01 15:21:03.204349381 +0200 @@ -9,8 +9,11 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -8699,7 +8700,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /lib # -@@ -147,6 +162,9 @@ +@@ -147,12 +162,16 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -8709,7 +8710,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -189,7 +207,8 @@ + /usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/bin/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) ++/usr/libexec/git-core/git-shell -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) + /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) + +@@ -189,7 +208,8 @@ /usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) 
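Review bot: The `/usr/libexec/git-core/git-shell` label added in the corecommands.fc hunk is missing from both the commit subject and the new `%changelog` entry, which list only four items. The same is true of `kernel_read_system_state(guest_t)`, `devicekit_dbus_chat_power` for bluetooth_t and modemmanager_t, `rw_dirs_pattern` and `files_read_usr_files` for boinc_project_t, `allow clamd_t self:process signal;` and `auth_use_nsswitch(munin_system_plugin_t)`. The changelog is where an administrator would look to learn what a policy update newly permits, so each grant should get its own line, for example `- Allow guest to read system state` and `- Label /usr/libexec/git-core/git-shell as shell_exec_t`. The guest_t and boinc_project_t additions matter most, since both look like deliberately restricted domains (guest is built from `userdom_restricted_user_template`).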
@@ -8719,7 +8727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) -@@ -216,11 +235,17 @@ +@@ -216,11 +236,17 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -8737,7 +8745,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -240,6 +265,7 @@ +@@ -240,6 +266,7 @@ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -8745,7 +8753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -297,6 +323,7 @@ +@@ -297,6 +324,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -8753,7 +8761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -@@ -331,3 +358,21 @@ +@@ -331,3 +359,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -12009,19 +12017,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/auditad ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/guest.te serefpolicy-3.7.19/policy/modules/roles/guest.te --- nsaserefpolicy/policy/modules/roles/guest.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-05-28 09:42:00.044610794 +0200 -@@ -16,11 +16,7 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/guest.te 2010-10-01 15:18:58.435349564 +0200 +@@ -10,17 +10,15 @@ + + userdom_restricted_user_template(guest) + ++kernel_read_system_state(guest_t) ++ + ######################################## + # + # Local policy # optional_policy(` - java_role_template(guest, guest_r, guest_t) +-') +- +-optional_policy(` +- mono_role_template(guest, guest_r, guest_t) + apache_role(guest_r, guest_t) ') --optional_policy(` -- mono_role_template(guest, guest_r, guest_t) --') -- -#gen_user(guest_u,, guest_r, s0, s0) +gen_user(guest_u, user, guest_r, s0, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.te serefpolicy-3.7.19/policy/modules/roles/secadm.te 
@@ -16587,6 +16603,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/blue files_list_var_lib($1) admin_pattern($1, bluetooth_var_lib_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.7.19/policy/modules/services/bluetooth.te +--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/bluetooth.te 2010-10-01 15:18:25.436349626 +0200 +@@ -148,6 +148,10 @@ + userdom_dontaudit_search_user_home_dirs(bluetooth_t) + + optional_policy(` ++ devicekit_dbus_chat_power(bluetooth_t) ++') ++ ++optional_policy(` + dbus_system_bus_client(bluetooth_t) + dbus_connect_system_bus(bluetooth_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.fc serefpolicy-3.7.19/policy/modules/services/boinc.fc --- nsaserefpolicy/policy/modules/services/boinc.fc 1970-01-01 01:00:00.000000000 +0100 +++ serefpolicy-3.7.19/policy/modules/services/boinc.fc 2010-08-24 11:08:39.309083977 +0200 @@ -16756,8 +16786,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-09-23 15:00:44.162636936 +0200 -@@ -0,0 +1,176 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-10-01 15:32:59.836599814 +0200 +@@ -0,0 +1,178 @@ + +policy_module(boinc,1.0.0) + 
@@ -16907,6 +16937,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +allow boinc_project_t boinc_tmpfs_t:file { read write }; + +list_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) ++rw_dirs_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) +rw_files_pattern(boinc_project_t, boinc_var_lib_t, boinc_var_lib_t) + +corecmd_exec_bin(boinc_project_t) @@ -16925,6 +16956,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) ++files_read_usr_files(boinc_project_t) + +auth_use_nsswitch(boinc_project_t) + @@ -18010,7 +18042,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/chro diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.7.19/policy/modules/services/clamav.te --- nsaserefpolicy/policy/modules/services/clamav.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-09-09 11:18:18.035085273 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/clamav.te 2010-10-01 15:28:43.904599247 +0200 @@ -1,6 +1,13 @@ policy_module(clamav, 1.7.1) 
@@ -18025,15 +18057,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # Declarations -@@ -57,6 +64,7 @@ +@@ -57,6 +64,9 @@ # allow clamd_t self:capability { kill setgid setuid dac_override }; -+dontaudit clamd_t self:capability sys_tty_config; ++dontaudit clamd_t self:capability sys_tty_config; ++allow clamd_t self:process signal; ++ allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow clamd_t self:unix_dgram_socket create_socket_perms; -@@ -75,6 +83,7 @@ +@@ -75,6 +85,7 @@ # var/lib files for clamd manage_dirs_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) manage_files_pattern(clamd_t, clamd_var_lib_t, clamd_var_lib_t) @@ -18041,7 +18075,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam # log files manage_dirs_pattern(clamd_t, clamd_var_log_t, clamd_var_log_t) -@@ -167,9 +176,15 @@ +@@ -167,9 +178,15 @@ # log files (own logfiles only) manage_files_pattern(freshclam_t, freshclam_var_log_t, freshclam_var_log_t) allow freshclam_t freshclam_var_log_t:dir setattr; @@ -18058,7 +18092,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam corenet_all_recvfrom_unlabeled(freshclam_t) corenet_all_recvfrom_netlabel(freshclam_t) corenet_tcp_sendrecv_generic_if(freshclam_t) -@@ -177,8 +192,11 @@ +@@ -177,8 +194,11 @@ corenet_tcp_sendrecv_all_ports(freshclam_t) corenet_tcp_sendrecv_clamd_port(freshclam_t) corenet_tcp_connect_http_port(freshclam_t) @@ -18070,7 +18104,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam dev_read_rand(freshclam_t) dev_read_urand(freshclam_t) -@@ -189,14 +207,24 @@ +@@ -189,14 +209,24 @@ auth_use_nsswitch(freshclam_t) 
@@ -18095,7 +18129,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam ######################################## # # clamscam local policy -@@ -231,6 +259,7 @@ +@@ -231,6 +261,7 @@ corenet_tcp_connect_clamd_port(clamscan_t) kernel_read_kernel_sysctls(clamscan_t) @@ -18103,7 +18137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clam files_read_etc_files(clamscan_t) files_read_etc_runtime_files(clamscan_t) -@@ -246,6 +275,14 @@ +@@ -246,6 +277,14 @@ mta_send_mail(clamscan_t) @@ -20601,7 +20635,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi admin_pattern($1, devicekit_tmp_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.19/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-08-10 17:16:41.979085228 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/devicekit.te 2010-10-01 15:15:06.194599521 +0200 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -20811,7 +20845,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi dbus_system_bus_client(devicekit_power_t) allow devicekit_power_t devicekit_t:dbus send_msg; -@@ -203,17 +272,23 @@ +@@ -190,6 +259,7 @@ + + optional_policy(` + networkmanager_dbus_chat(devicekit_power_t) ++ networkmanager_domtrans(devicekit_power_t) + ') + + optional_policy(` +@@ -203,17 +273,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
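Review bot: `networkmanager_domtrans(devicekit_power_t)` goes well beyond the `networkmanager_dbus_chat(devicekit_power_t)` already in this optional block. A domtrans interface lets devicekit_power_t execute the NetworkManager binary and run it in NetworkManager's own domain, instead of only exchanging D-Bus messages with the running daemon. If the denial came from a suspend/resume hook that restarts the service, confirm the transition is needed in devicekit_power_t itself and not in the hook's domain. Whichever it is, record the trigger above the line, e.g. `# <hook or script> run by devicekit-power starts NetworkManager`. The optional_policy block is shown in full, but the surrounding devicekit_power_t section extends outside the hunk.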
@@ -23712,7 +23754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milt diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.7.19/policy/modules/services/modemmanager.te --- nsaserefpolicy/policy/modules/services/modemmanager.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/modemmanager.te 2010-05-28 09:42:00.124610948 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/modemmanager.te 2010-10-01 15:17:59.179349157 +0200 @@ -16,8 +16,8 @@ # # ModemManager local policy @@ -23732,10 +23774,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mode term_use_unallocated_ttys(modemmanager_t) miscfiles_read_localization(modemmanager_t) -@@ -38,5 +39,9 @@ +@@ -38,5 +39,13 @@ networkmanager_dbus_chat(modemmanager_t) optional_policy(` ++ devicekit_dbus_chat_power(modemmanager_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(modemmanager_t) +') + @@ -24779,7 +24825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.7.19/policy/modules/services/munin.te --- nsaserefpolicy/policy/modules/services/munin.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-08-06 12:19:29.129334324 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/munin.te 2010-10-01 15:27:17.303600577 +0200 @@ -28,12 +28,26 @@ type munin_var_run_t alias lrrd_var_run_t; files_pid_file(munin_var_run_t) @@ -24848,7 +24894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni ') optional_policy(` -@@ -164,3 +186,160 @@ +@@ -164,3 +186,161 @@ optional_policy(` udev_read_db(munin_t) ') 
@@ -25009,6 +25055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni +term_getattr_unallocated_ttys(munin_system_plugin_t) +term_getattr_all_ptys(munin_system_plugin_t) + ++auth_use_nsswitch(munin_system_plugin_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.if serefpolicy-3.7.19/policy/modules/services/mysql.if --- nsaserefpolicy/policy/modules/services/mysql.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/mysql.if 2010-09-16 15:01:43.198637084 +0200 @@ -35830,7 +35877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.19/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-28 09:42:00.203610788 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-10-01 15:30:07.992599971 +0200 @@ -2,13 +2,23 @@ # HOME_DIR # @@ -35905,7 +35952,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0) /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0) ifdef(`distro_debian', ` -@@ -89,17 +98,43 @@ +@@ -89,17 +98,44 @@ /var/[xgk]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) 
@@ -35921,6 +35968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser -/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) +/var/log/gdm(/.*)? gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/lxdm\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) ++/var/log/slim\.log.* -- gen_context(system_u:object_r:xdm_log_t,s0) +/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0) /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 7dde793..f5758e8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 62%{?dist} +Release: 63%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Fri Oct 1 2010 Miroslav Grepl 3.7.19-63 +- Allow devicekit-power domtrans to NetworkManager +- Allow passwd to use the console, all ttys and all ptys +- Add firewallgui sys_rawio capability +- Add label for slim.log + * Fri Sep 24 2010 Miroslav Grepl 3.7.19-62 - Add vbetool_mmap_zero_ignore boolean