From 5665b8eeb1ddd2a40ab374be0460228580011317 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Apr 19 2011 12:55:04 +0000 Subject: - Add support for AEOLUS project - Fixes for asterisk and setroubleshoot domains - Fix label for /usr/sbin/fping - Fix label for chrome - Fixes for foghorn policy - Fix virt_admin interface --- diff --git a/policy-F13.patch b/policy-F13.patch index a73f764..8260000 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -1429,12 +1429,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.fc serefpolicy-3.7.19/policy/modules/admin/netutils.fc --- nsaserefpolicy/policy/modules/admin/netutils.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2010-05-28 07:41:59.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/admin/netutils.fc 2011-04-18 09:20:51.327000002 +0000 @@ -9,6 +9,8 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) -+/usr/sbin/fping -- gen_context(system_u:object_r:ping_exec_t,s0) ++/usr/sbin/fping.* -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) @@ -1650,7 +1650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.19/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2010-09-16 13:32:42.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/admin/prelink.te 2011-04-13 10:11:37.712000002 +0000 
@@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -1729,7 +1729,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +119,65 @@ +@@ -99,5 +119,66 @@ ') optional_policy(` @@ -1749,6 +1749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +# Prelink Cron system Policy +# + ++allow prelink_cron_system_t self:capability { dac_read_search dac_override }; +allow prelink_cron_system_t self:capability setuid; +allow prelink_cron_system_t self:process { setsched setfscreate signal }; + @@ -8030,8 +8031,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-04-08 17:54:32.262000002 +0000 -@@ -0,0 +1,482 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2011-04-18 10:25:26.560000003 +0000 +@@ -0,0 +1,484 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -8216,6 +8217,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_x_domain self:unix_dgram_socket { sendto create_socket_perms }; +allow sandbox_x_domain sandbox_xserver_t:unix_stream_socket connectto; +dontaudit sandbox_x_domain self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; ++dontaudit sandbox_x_domain sandbox_file_t:dir mounton; + +allow sandbox_x_domain sandbox_devpts_t:chr_file { rw_term_perms setattr }; +term_create_pty(sandbox_x_domain,sandbox_devpts_t) 
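Review bot: The new `allow prelink_cron_system_t self:capability { dac_read_search dac_override };` sits directly above the existing `allow prelink_cron_system_t self:capability setuid;`, leaving two allow statements for the same class; merging them into `allow prelink_cron_system_t self:capability { dac_override dac_read_search setuid };` keeps one rule per class as the rest of the section does. dac_override already covers everything dac_read_search bypasses, so if the cron job only needs to traverse and read directories it cannot otherwise search, dac_read_search alone is the tighter grant — worth checking against the denial that motivated it. The prelink_cron_system_t section continues past the hunk.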
@@ -8471,6 +8473,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') + +optional_policy(` ++ nsplugin_manage_rw(sandbox_web_type) + nsplugin_read_rw_files(sandbox_web_type) + nsplugin_rw_exec(sandbox_web_type) +') @@ -9678,7 +9681,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2011-01-14 13:27:46.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2011-04-18 09:08:49.734000003 +0000 @@ -9,8 +9,11 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) 
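Review bot: `nsplugin_manage_rw(sandbox_web_type)` widens the sandbox web domains from read to full manage of the nsplugin rw content, and the `nsplugin_read_rw_files(sandbox_web_type)` that follows it is presumably subsumed, so the pair reads as a leftover rather than deliberate layering. If manage is really required, a one-line comment naming what the plugin writes there would document the widening; otherwise drop whichever of the two lines is not needed. The optional_policy block closes inside the hunk but the sandbox_web_type section continues beyond it.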
@@ -9757,7 +9760,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0) -@@ -189,7 +206,8 @@ +@@ -167,6 +184,7 @@ + /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/chromium-browser/chrome -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +@@ -189,7 +207,8 @@ /usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -9767,7 +9778,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) -@@ -216,11 +234,17 @@ +@@ -216,11 +235,17 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) 
@@ -9785,7 +9796,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -240,6 +264,7 @@ +@@ -236,10 +261,12 @@ + /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -9793,7 +9809,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -297,6 +322,7 @@ +@@ -266,6 +293,7 @@ + /usr/share/authconfig/authconfig\.py -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/cvs/contrib/rcs2log -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) ++/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/clamav/freshclam-sleep -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/createrepo(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/share/fedora-usermgmt/wrapper -- gen_context(system_u:object_r:bin_t,s0) +@@ -297,6 +325,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -9801,7 +9825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -@@ -305,6 +331,7 @@ +@@ -305,12 +334,13 @@ /usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexnam -- gen_context(system_u:object_r:bin_t,s0) /usr/share/texmf/web2c/mktexupd -- gen_context(system_u:object_r:bin_t,s0) 
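Review bot: The added `/usr/share/clamav/clamd-gen -- gen_context(system_u:object_r:bin_t,s0)` is byte-identical to the context line immediately above it, so the hunk introduces a duplicate file-context entry rather than a new label. Duplicate specs load without error but survive every rebase and mislead readers; drop the added line, or replace the path if a different clamav helper was intended. The `@@ -297` hunk that follows only renumbers.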
@@ -9809,7 +9833,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') ifdef(`distro_suse', ` -@@ -331,3 +358,24 @@ + /usr/lib/cron/run-crons -- gen_context(system_u:object_r:bin_t,s0) + /usr/lib/samba/classic/.* -- gen_context(system_u:object_r:bin_t,s0) +-/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) ++/usr/lib(64)?/ssh/.* -- gen_context(system_u:object_r:bin_t,s0) + /usr/share/apache2/[^/]* -- gen_context(system_u:object_r:bin_t,s0) + ') + +@@ -331,3 +361,24 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -9834,7 +9865,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco + +/usr/local/Brother/(.*/)?inf/brprintconf.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/local/Brother/(.*/)?inf/setup.* -- gen_context(system_u:object_r:bin_t,s0) -Binary files nsaserefpolicy/policy/modules/kernel/.corecommands.fc.swp and serefpolicy-3.7.19/policy/modules/kernel/.corecommands.fc.swp differ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.7.19/policy/modules/kernel/corecommands.if --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.if 2010-10-08 09:10:25.000000000 +0000 @@ -9881,7 +9911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-03-16 14:25:07.223107001 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/corenetwork.te.in 2011-04-19 12:36:28.365000004 +0000 @@ -25,6 +25,7 @@ # type tun_tap_device_t; 
@@ -9952,7 +9982,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) -@@ -124,40 +133,58 @@ +@@ -124,40 +133,59 @@ network_port(isns, tcp,3205,s0, udp,3205,s0) network_port(jabber_client, tcp,5222,s0, tcp,5223,s0) network_port(jabber_interserver, tcp,5269,s0) @@ -9992,6 +10022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene +network_port(oracle, tcp, 1521,s0,udp, 1521,s0, tcp,2483,s0,udp,2483,s0, tcp,2484,s0, udp,2484,s0) network_port(ocsp, tcp,9080,s0) network_port(openvpn, tcp,1194,s0, udp,1194,s0) ++network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0) @@ -10013,7 +10044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pulseaudio, tcp,4713,s0) -@@ -177,18 +204,22 @@ +@@ -177,18 +205,22 @@ network_port(rsync, tcp,873,s0, udp,873,s0) network_port(rwho, udp,513,s0) network_port(sap, tcp,9875,s0, udp,9875,s0) @@ -10037,7 +10068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -201,23 +232,23 @@ +@@ -201,23 +233,23 @@ network_port(varnishd, tcp,6081,s0, tcp,6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
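Review bot: `network_port(pktcable, tcp,2126,s0, udp,2126,s0, tcp,3198,s0, udp,3198,s0)` is inserted between openvpn and pegasus_http, breaking the alphabetical order the surrounding entries (ocsp, openvpn, pegasus_http, pegasus_https, pgpkeyserver) keep; it belongs after `pgpkeyserver`. A short comment naming the protocol the two port pairs serve, in the style of the `# 8118 is for privoxy` note a few lines up, would also help, since the name alone does not say which services are expected to use pktcable_port_t. The corenet_tcp_connect_pktcable_port call added to asterisk.te later in this patch depends on this declaration.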
@@ -10067,7 +10098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene ######################################## # -@@ -266,5 +297,5 @@ +@@ -266,5 +298,5 @@ allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg }; # Bind to any network address. @@ -11008,7 +11039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-03-04 14:14:25.595413001 +0000 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2011-04-18 10:12:35.616000004 +0000 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) @@ -11606,7 +11637,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## ## Get the attributes of the tmp directory (/tmp). ## -@@ -3705,6 +4117,32 @@ +@@ -3649,6 +4061,24 @@ + dontaudit $1 tmp_t:dir list_dir_perms; + ') + ++####################################### ++## ++## Allow read and write to the tmp directory (/tmp). ++## ++## ++## ++## Domain not to audit. ++## ++## ++# ++interface(`files_rw_generic_tmp_dir',` ++ gen_require(` ++ type tmp_t; ++ ') ++ ++ allow $1 tmp_t:dir rw_dir_perms; ++') ++ + ######################################## + ## + ## Remove entries from the tmp directory. +@@ -3705,6 +4135,32 @@ ######################################## ## @@ -11639,7 +11695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Manage temporary files and directories in /tmp. ## ## -@@ -3757,6 +4195,24 @@ +@@ -3757,6 +4213,24 @@ rw_sock_files_pattern($1, tmp_t, tmp_t) ') 
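Review bot: The parameter description of the new `files_rw_generic_tmp_dir` interface reads `Domain not to audit.`, which is the dontaudit wording copied from the interface above it; this one grants `allow $1 tmp_t:dir rw_dir_perms;`, so it should read `Domain allowed access.`. The summary could also state that the access covers only the tmp_t directory itself and not the files in it, which is what distinguishes it from the manage interfaces further down. The remaining hunks on this line are renumbering only.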
@@ -11664,7 +11720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Set the attributes of all tmp directories. -@@ -3918,6 +4374,13 @@ +@@ -3918,6 +4392,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -11678,7 +11734,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4013,6 +4476,24 @@ +@@ -4013,6 +4494,24 @@ ######################################## ## @@ -11703,7 +11759,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Delete generic files in /usr in the caller domain. ## ## -@@ -4026,7 +4507,7 @@ +@@ -4026,7 +4525,7 @@ type usr_t; ') @@ -11712,7 +11768,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4107,6 +4588,24 @@ +@@ -4107,6 +4606,24 @@ ######################################## ## @@ -11737,7 +11793,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5032,6 +5531,43 @@ +@@ -5032,6 +5549,43 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -11781,7 +11837,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5091,6 +5627,24 @@ +@@ -5091,6 +5645,24 @@ ######################################## ## @@ -11806,7 +11862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5238,6 +5792,7 @@ +@@ -5238,6 +5810,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) 
@@ -11814,7 +11870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5306,6 +5861,24 @@ +@@ -5306,6 +5879,24 @@ ######################################## ## @@ -11839,7 +11895,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5494,12 +6067,15 @@ +@@ -5494,12 +6085,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -11856,7 +11912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +6096,229 @@ +@@ -5520,3 +6114,229 @@ typeattribute $1 files_unconfined_type; ') @@ -14904,8 +14960,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2011-02-17 14:43:35.779796002 +0000 -@@ -0,0 +1,457 @@ ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2011-04-18 08:45:34.996000002 +0000 +@@ -0,0 +1,462 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -15262,6 +15318,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') + +optional_policy(` ++ quota_run(unconfined_t, unconfined_r) ++') ++ ++optional_policy(` + rpm_run(unconfined_t, unconfined_r) + # Allow SELinux aware applications to request rpm_script execution + rpm_transition_script(unconfined_t) @@ -15293,6 +15353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + +optional_policy(` + virt_transition_svirt(unconfined_t, unconfined_r) ++ virt_run(unconfined_t, unconfined_r) +') + +optional_policy(` 
@@ -18042,13 +18103,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste init_labeled_script_domtrans($1, asterisk_initrc_exec_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.te serefpolicy-3.7.19/policy/modules/services/asterisk.te --- nsaserefpolicy/policy/modules/services/asterisk.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2011-01-25 17:02:22.368455001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/asterisk.te 2011-04-18 09:02:11.798000003 +0000 @@ -40,12 +40,13 @@ # # dac_override for /var/run/asterisk -allow asterisk_t self:capability { dac_override setgid setuid sys_nice }; -+allow asterisk_t self:capability { dac_override setgid setuid sys_nice net_admin }; ++allow asterisk_t self:capability { dac_override chown setgid setuid sys_nice net_admin }; dontaudit asterisk_t self:capability sys_tty_config; -allow asterisk_t self:process { setsched signal_perms }; +allow asterisk_t self:process { getsched setsched signal_perms getcap setcap }; 
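Review bot: The capability line grows to `{ dac_override chown setgid setuid sys_nice net_admin }` but the comment above it still explains only `dac_override for /var/run/asterisk`; chown and net_admin go undocumented. Extending that comment to name what asterisk changes ownership of and which network setting needs net_admin keeps the justification next to the grant, as the file already does for dac_override. net_admin is a broad capability for a network-facing daemon, so the use case is worth recording rather than left to be inferred from a denial. The `getcap setcap` additions on the process class are likewise unexplained.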
@@ -18059,12 +18120,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste allow asterisk_t self:tcp_socket create_stream_socket_perms; allow asterisk_t self:udp_socket create_socket_perms; -@@ -79,11 +80,14 @@ - manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) - files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) +@@ -54,6 +55,8 @@ + read_lnk_files_pattern(asterisk_t, asterisk_etc_t, asterisk_etc_t) + files_search_etc(asterisk_t) +can_exec(asterisk_t, asterisk_exec_t) + + manage_files_pattern(asterisk_t, asterisk_log_t, asterisk_log_t) + logging_log_filetrans(asterisk_t, asterisk_log_t, { file dir }) + +@@ -74,16 +77,18 @@ + manage_files_pattern(asterisk_t, asterisk_var_lib_t, asterisk_var_lib_t) + files_var_lib_filetrans(asterisk_t, asterisk_var_lib_t, file) + ++manage_dirs_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_fifo_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) + manage_sock_files_pattern(asterisk_t, asterisk_var_run_t, asterisk_var_run_t) +-files_pid_filetrans(asterisk_t, asterisk_var_run_t, file) ++files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file }) + kernel_read_system_state(asterisk_t) kernel_read_kernel_sysctls(asterisk_t) +kernel_request_load_module(asterisk_t) @@ -18075,7 +18150,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste corenet_all_recvfrom_unlabeled(asterisk_t) corenet_all_recvfrom_netlabel(asterisk_t) -@@ -96,6 +100,7 @@ +@@ -96,6 +101,7 @@ corenet_tcp_bind_generic_node(asterisk_t) corenet_udp_bind_generic_node(asterisk_t) corenet_tcp_bind_asterisk_port(asterisk_t) 
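Review bot: `kernel_request_load_module(asterisk_t)` lets the daemon trigger kernel module autoloading, which is a larger step than the file-transition fixes around it, and nothing in the hunk says which module it needs. A comment such as `# module autoload for <driver> -- confirm` next to it, with the actual driver name filled in, would keep that grant reviewable. The `files_pid_filetrans(asterisk_t, asterisk_var_run_t, { dir file })` change matches the `manage_dirs_pattern` added above it, so that part is consistent. The asterisk_t section continues beyond the hunk.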
@@ -18083,14 +18158,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste corenet_udp_bind_asterisk_port(asterisk_t) corenet_udp_bind_sip_port(asterisk_t) corenet_sendrecv_asterisk_server_packets(asterisk_t) -@@ -104,10 +109,16 @@ +@@ -104,10 +110,17 @@ corenet_udp_bind_generic_port(asterisk_t) corenet_dontaudit_udp_bind_all_ports(asterisk_t) corenet_sendrecv_generic_server_packets(asterisk_t) ++corenet_tcp_connect_festival_port(asterisk_t) ++corenet_tcp_connect_pktcable_port(asterisk_t) +corenet_tcp_connect_postgresql_port(asterisk_t) +corenet_tcp_connect_snmp_port(asterisk_t) +corenet_tcp_connect_sip_port(asterisk_t) -+corenet_tcp_connect_festival_port(asterisk_t) +dev_rw_generic_usb_dev(asterisk_t) dev_read_sysfs(asterisk_t) @@ -18100,8 +18176,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste domain_use_interactive_fds(asterisk_t) -@@ -118,19 +129,33 @@ +@@ -116,21 +129,40 @@ + # demo files installed in /usr/share/asterisk/sounds/demo-instruct.gsm + # are labeled usr_t files_read_usr_files(asterisk_t) ++files_dontaudit_search_home(asterisk_t) fs_getattr_all_fs(asterisk_t) +fs_list_inotifyfs(asterisk_t) @@ -18121,6 +18200,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste optional_policy(` - nis_use_ypbind(asterisk_t) ++ alsa_read_rw_config(asterisk_t) ++') ++ ++optional_policy(` + mysql_stream_connect(asterisk_t) +') + @@ -18137,7 +18220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aste ') optional_policy(` -@@ -138,10 +163,11 @@ +@@ -138,10 +170,11 @@ ') optional_policy(` 
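Review bot: The new corenet_tcp_connect lines start in alphabetical order (festival, pktcable, postgresql) and then fall out of it with `snmp` before `sip`; keeping the whole run sorted (`corenet_tcp_connect_sip_port` before `corenet_tcp_connect_snmp_port`) avoids the churn the commit itself shows when festival was moved. `dev_rw_generic_usb_dev(asterisk_t)` grants read/write on every generic USB device node, which deserves a one-line comment naming the hardware that needs it, as the hunk gives no hint. The remaining additions (inotifyfs listing, home dontaudit, alsa config, mysql stream connect) are straightforward.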
@@ -26291,7 +26374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/jabb + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.7.19/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2010-07-23 11:43:56.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.fc 2011-04-18 10:09:06.721000003 +0000 @@ -8,7 +8,7 @@ /etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) @@ -26301,9 +26384,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb /etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +@@ -31,3 +31,4 @@ + /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) + + /var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) ++/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.7.19/policy/modules/services/kerberos.if --- nsaserefpolicy/policy/modules/services/kerberos.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-03-25 08:29:07.333630001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.if 2011-04-18 10:10:50.229000004 +0000 @@ -74,7 +74,7 @@ ') 
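Review bot: `/var/tmp/HTTP_23 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` pins the replay-cache label to one literal name; if the numeric suffix is the uid of the process that owns the cache, as the existing `host_0` entry suggests, the entry is tied to one distribution's uid assignment and silently stops matching where that uid differs. A pattern such as `/var/tmp/HTTP_[0-9]+ -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)` would cover it without enumerating uids, and a comment naming the consumer (this commit also gives squid_t `kerberos_manage_host_rcache`) would explain why the entry exists. The kerberos.if hunk on the next line is a separate point.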
@@ -26359,7 +26447,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ######################################## ## ## Create a derived type for kerberos keytab -@@ -374,3 +397,41 @@ +@@ -285,6 +308,7 @@ + + seutil_read_file_contexts($1) + ++ files_rw_generic_tmp_dir($1) + allow $1 krb5_host_rcache_t:file manage_file_perms; + files_search_tmp($1) + ') +@@ -374,3 +398,41 @@ admin_pattern($1, krb5kdc_var_run_t) ') @@ -36254,8 +36350,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.te serefpolicy-3.7.19/policy/modules/services/rhcs.te --- nsaserefpolicy/policy/modules/services/rhcs.te 1970-01-01 00:00:00.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-04-11 08:54:04.983000002 +0000 -@@ -0,0 +1,288 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rhcs.te 2011-04-13 10:37:12.156000002 +0000 +@@ -0,0 +1,297 @@ + +policy_module(rhcs,1.1.0) + @@ -36398,8 +36494,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs +# + +allow foghorn_t self:process { signal }; ++allow foghorn_t self:tcp_socket create_stream_socket_perms; +allow foghorn_t self:udp_socket create_socket_perms; + ++corenet_tcp_connect_agentx_port(foghorn_t) ++ ++dev_read_urand(foghorn_t) ++ +files_read_etc_files(foghorn_t) +files_read_usr_files(foghorn_t) + @@ -36412,6 +36513,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs + snmp_stream_connect(foghorn_t) +') + ++optional_policy(` ++ unconfined_domain(foghorn_t) ++') ++ +###################################### +# +# gfs_controld local policy 
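Review bot: `files_rw_generic_tmp_dir($1)` is added two lines above the existing `files_search_tmp($1)` in the same interface; rw_dir_perms includes search, so the older call becomes redundant once the new one is in. The interface head is outside the hunk, so confirm this is the host-rcache interface, and note that every caller (this commit adds squid_t) now gets write access to the tmp_t directory itself, which is broader than the `krb5_host_rcache_t:file manage_file_perms` it granted before; a comment stating that the cache file is created directly under a tmp_t directory would justify the widening.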
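Review bot: `unconfined_domain(foghorn_t)` in the new optional_policy block makes the rest of the foghorn section (the tcp socket, agentx connect and urand rules added in the same hunk) moot whenever the unconfined module is loaded, since the domain then bypasses type enforcement entirely. If this is a stop-gap while denials are still being collected, a comment saying so and pointing at the tracking bug (`# unconfined until <tracking-id> is resolved`) would keep it from quietly becoming permanent; otherwise the targeted rules added alongside it suggest the domain can be confined without it. The foghorn section continues past the hunk into gfs_controld.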
@@ -38400,17 +38505,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2010-04-13 18:44:36.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te 2010-05-28 07:42:00.000000000 +0000 -@@ -22,13 +22,19 @@ - type setroubleshoot_var_run_t; - files_pid_file(setroubleshoot_var_run_t) ++++ serefpolicy-3.7.19/policy/modules/services/setroubleshoot.te 2011-04-18 09:18:29.205000002 +0000 +@@ -11,6 +11,10 @@ + domain_type(setroubleshootd_t) + init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t) +type setroubleshoot_fixit_t; +type setroubleshoot_fixit_exec_t; +dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t) + - ######################################## - # + type setroubleshoot_var_lib_t; + files_type(setroubleshoot_var_lib_t) + +@@ -27,8 +31,10 @@ # setroubleshootd local policy # 
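Review bot: `dbus_system_domain(setroubleshoot_fixit_t, setroubleshoot_fixit_exec_t)` is called unconditionally in the declarations section, while the equivalent `dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t)` later in the same file is wrapped in `optional_policy` (see the hunk two lines down); the two should agree, and wrapping the fixit call is the safe direction since the dbus module is optional there. The call itself is carried over as context, so it predates this commit, but the commit is what relocates it next to the daemon's type declarations, which makes the inconsistency visible.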
@@ -38423,7 +38530,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr allow setroubleshootd_t self:fifo_file rw_fifo_file_perms; allow setroubleshootd_t self:tcp_socket create_stream_socket_perms; allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto }; -@@ -52,7 +58,10 @@ +@@ -46,16 +52,21 @@ + logging_log_filetrans(setroubleshootd_t, setroubleshoot_var_log_t, { file dir }) + + # pid file ++manage_dirs_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) + manage_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) + manage_sock_files_pattern(setroubleshootd_t, setroubleshoot_var_run_t, setroubleshoot_var_run_t) +-files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file }) ++files_pid_filetrans(setroubleshootd_t, setroubleshoot_var_run_t, { file sock_file dir }) kernel_read_kernel_sysctls(setroubleshootd_t) kernel_read_system_state(setroubleshootd_t) @@ -38434,7 +38549,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr corecmd_exec_bin(setroubleshootd_t) corecmd_exec_shell(setroubleshootd_t) -@@ -68,16 +77,26 @@ ++corecmd_read_all_executables(setroubleshootd_t) + + corenet_all_recvfrom_unlabeled(setroubleshootd_t) + corenet_all_recvfrom_netlabel(setroubleshootd_t) +@@ -68,16 +79,27 @@ dev_read_urand(setroubleshootd_t) dev_read_sysfs(setroubleshootd_t) 
@@ -38452,17 +38571,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +files_getattr_all_pipes(setroubleshootd_t) +files_getattr_all_sockets(setroubleshootd_t) +files_read_all_symlinks(setroubleshootd_t) ++files_read_mnt_files(setroubleshootd_t) fs_getattr_all_dirs(setroubleshootd_t) fs_getattr_all_files(setroubleshootd_t) +fs_read_fusefs_symlinks(setroubleshootd_t) ++fs_list_inotifyfs(setroubleshootd_t) +fs_dontaudit_read_nfs_files(setroubleshootd_t) +fs_dontaudit_read_cifs_files(setroubleshootd_t) -+fs_list_inotifyfs(setroubleshootd_t) selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,81 @@ +@@ -90,27 +112,87 @@ + init_read_utmp(setroubleshootd_t) + init_dontaudit_write_utmp(setroubleshootd_t) + ++libs_exec_ld_so(setroubleshootd_t) ++ + miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -38484,13 +38610,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr - dbus_system_bus_client(setroubleshootd_t) - dbus_connect_system_bus(setroubleshootd_t) + locate_read_lib_files(setroubleshootd_t) -+') -+ -+optional_policy(` -+ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ') optional_policy(` ++ dbus_system_domain(setroubleshootd_t, setroubleshootd_exec_t) ++') ++ ++optional_policy(` + rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) @@ -38511,6 +38637,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +setroubleshoot_dbus_chat(setroubleshoot_fixit_t) +setroubleshoot_stream_connect(setroubleshoot_fixit_t) + ++kernel_read_system_state(setroubleshoot_fixit_t) ++ +corecmd_exec_bin(setroubleshoot_fixit_t) +corecmd_exec_shell(setroubleshoot_fixit_t) + 
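Review bot: `libs_exec_ld_so(setroubleshootd_t)` lets the daemon run the dynamic loader as a program, which widens what this domain can execute well beyond its labelled entry points, and together with the `corecmd_read_all_executables(setroubleshootd_t)` added in the previous hunk nothing in either hunk says why it is needed. A comment naming the operation that triggered the denial would let a later reader decide whether the broader grant can be withdrawn in favour of the existing `corecmd_exec_bin`/`corecmd_exec_shell` rules. The reordering of `fs_list_inotifyfs` and the move of `dbus_system_domain(setroubleshootd_t, …)` into its own optional_policy block are fine.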
@@ -38521,8 +38649,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +files_read_etc_files(setroubleshoot_fixit_t) +files_list_tmp(setroubleshoot_fixit_t) + -+kernel_read_system_state(setroubleshoot_fixit_t) -+ +auth_use_nsswitch(setroubleshoot_fixit_t) + +logging_send_audit_msgs(setroubleshoot_fixit_t) @@ -38545,7 +38671,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr +') + +optional_policy(` -+ policykit_dbus_chat(setroubleshoot_fixit_t) ++ policykit_dbus_chat(setroubleshoot_fixit_t) + userdom_read_all_users_state(setroubleshoot_fixit_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.if serefpolicy-3.7.19/policy/modules/services/smartmon.if @@ -39329,7 +39455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi gen_require(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.7.19/policy/modules/services/squid.te --- nsaserefpolicy/policy/modules/services/squid.te 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/squid.te 2011-01-03 08:56:23.000000000 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/squid.te 2011-04-18 10:11:50.678000002 +0000 @@ -14,6 +14,13 @@ ## gen_tunable(squid_connect_any, false) 
@@ -39383,15 +39509,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi sysnet_dns_name_resolve(httpd_squid_script_t) -@@ -186,8 +203,3 @@ - optional_policy(` +@@ -187,7 +204,6 @@ udev_read_db(squid_t) ') -- + -ifdef(`TODO',` -#squid requires the following when run in diskd mode, the recommended setting -allow squid_t tmpfs_t:file { read write }; -') dnl end TODO ++optional_policy(` ++ kerberos_manage_host_rcache(squid_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.fc serefpolicy-3.7.19/policy/modules/services/ssh.fc --- nsaserefpolicy/policy/modules/services/ssh.fc 2010-04-13 18:44:37.000000000 +0000 +++ serefpolicy-3.7.19/policy/modules/services/ssh.fc 2011-01-25 15:34:07.026455001 +0000 @@ -40948,7 +41076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/vhos optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.7.19/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-03-25 08:50:01.013630001 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/virt.fc 2011-04-19 12:14:15.572000005 +0000 @@ -1,4 +1,5 @@ -HOME_DIR/.virtinst(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +HOME_DIR/.libvirt(/.*)? gen_context(system_u:object_r:virt_home_t,s0) @@ -40956,7 +41084,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) -@@ -12,18 +13,22 @@ +@@ -12,18 +13,29 @@ /etc/xen/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/xen/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) 
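Review bot: The new `optional_policy(` kerberos_manage_host_rcache(squid_t) ')` at the end of squid.te grants create/write/delete on the host replay cache without saying why squid needs it, while the only other change in the hunk removes the old `ifdef(`TODO'` note, so the file loses one explanation and gains an undocumented grant. A one-line comment above the block, e.g. `# squid's negotiate/kerberos auth helper writes the host replay cache`, would record the intent. If the use case is indeed the Kerberos auth helper, it presumably also needs to read the keytab, which this hunk does not add; that is an inference, not something the hunk shows.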
@@ -40982,9 +41110,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt +# bug 685061 +/usr/share/vdsm/vdsm -- gen_context(system_u:object_r:virtd_exec_t,s0) /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++ ++# support for AEOLUS project ++/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0) ++/var/cache/oz(/.*)? gen_context(system_u:object_r:virt_cache_t,s0) ++/var/lib/oz(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) ++/var/lib/oz/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 18:44:37.000000000 +0000 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2011-03-17 10:41:54.513325002 +0000 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2011-04-19 12:15:25.589000003 +0000 @@ -21,6 +21,8 @@ type $1_t, virt_domain; domain_type($1_t) @@ -41034,7 +41169,37 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt optional_policy(` xserver_rw_shm($1_t) ') -@@ -171,6 +161,7 @@ +@@ -114,6 +104,29 @@ + domtrans_pattern($1, virtd_exec_t, virtd_t) + ') + ++###################################### ++## ++## Execute a domain transition to run virt. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++# ++interface(`virt_run',` ++ gen_require(` ++ type virtd_t; ++ type qemu_t; ++ ') ++ ++ virt_domtrans($1) ++ ++ role $2 types virtd_t; ++ role $2 types qemu_t; ++ ++') ++ + ####################################### + ## + ## Connect to virt over an unix domain stream socket. +@@ -171,6 +184,7 @@ files_search_etc($1) read_files_pattern($1, virt_etc_t, virt_etc_t) read_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) 
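Review bot: `/usr/bin/imgfac\.py -- gen_context(system_u:object_r:virtd_exec_t,s0)` in the AEOLUS block of virt.fc runs Image Factory in virtd_t, the libvirt daemon domain, which carries far broader permissions than an image-building script is likely to need; if imgfac.py only drives oz and libvirt, a dedicated domain would be the better long-term label, and at minimum the existing `# support for AEOLUS project` comment should say why virtd_t was chosen. The `/var/cache/oz(/.*)?` entry uses `virt_cache_t`; I cannot see virt.te in this hunk, so please confirm that type is declared there, otherwise the file context fails to load. The `/var/lib/oz/isos(/.*)?` entry is more specific than `/var/lib/oz(/.*)?` and so wins for that subtree, which looks intended. The trailing `++` adds an empty line at the end of the file that could be dropped.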
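Review bot: The new `virt_run` interface in virt.if documents only one parameter ("Domain allowed to transition.") but its body uses `$2` in `role $2 types virtd_t;` and `role $2 types qemu_t;`, so the role parameter is undocumented, as far as the stripped doc block shows. Add a second param block describing the role, in the style of the existing one, with the text `## Role allowed access.`, so the generated interface documentation matches the signature. The `gen_require` on `type qemu_t;` makes this interface depend on the qemu module being loaded whenever virt_run is called; presumably that is acceptable here, but worth noting in the summary. The blank line before the closing `')` is a style nit that the other interfaces in this file do not have.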
@@ -41042,7 +41207,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -192,6 +183,7 @@ +@@ -192,6 +206,7 @@ files_search_etc($1) manage_files_pattern($1, virt_etc_t, virt_etc_t) manage_files_pattern($1, virt_etc_rw_t, virt_etc_rw_t) @@ -41050,7 +41215,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -229,6 +221,24 @@ +@@ -229,6 +244,24 @@ ') ') @@ -41075,7 +41240,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Read virt PID files. -@@ -306,6 +316,24 @@ +@@ -306,6 +339,24 @@ read_lnk_files_pattern($1, virt_var_lib_t, virt_var_lib_t) ') @@ -41100,7 +41265,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Create, read, write, and delete -@@ -386,6 +414,24 @@ +@@ -386,6 +437,24 @@ manage_lnk_files_pattern($1, virt_log_t, virt_log_t) ') @@ -41125,7 +41290,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Allow domain to read virt image files -@@ -433,15 +479,15 @@ +@@ -433,15 +502,15 @@ ## ## # @@ -41146,10 +41311,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +562,86 @@ +@@ -515,4 +584,92 @@ + virt_manage_lib_files($1) virt_manage_log($1) - ') ++ ++ virt_manage_images($1) ++ ++ allow $1 virt_domain:process { ptrace signal_perms }; ++ ++') + +######################################## +## @@ -41196,7 +41367,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + type virtd_t; + ') + dontaudit $1 virtd_t:fifo_file write; -+') + ') + +###################################### +## 
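Review bot: `allow $1 virt_domain:process { ptrace signal_perms };`, added to what the commit subject identifies as virt_admin (its header lies outside the hunk), lets the admin domain ptrace every process carrying the virt_domain attribute, which for qemu guests means read and write access to guest memory. That is a reasonable capability for an admin interface, but it is a notable escalation compared with the neighbouring `virt_manage_images($1)` and `virt_manage_log($1)` lines and should be called out in the interface's summary, e.g. `## Also allows ptrace of all virt_domain processes (guest memory access).` The follow-up hunk at `@@ -41196,7 +41367,7 @@` only changes the closing `')` from an added line to a context line to keep the inner patch consistent with the new line counts, which looks correct.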
diff --git a/selinux-policy.spec b/selinux-policy.spec index 21cef76..ba727e5 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 106%{?dist} +Release: 107%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -471,6 +471,14 @@ exit 0 %endif %changelog +* Tue Apr 19 2011 Miroslav Grepl 3.7.19-107 +- Add support for AEOLUS project +- Fixes for asterisk and setroubleshoot domains +- Fix label for /usr/sbin/fping +- Fix label for chrome +- Fixes for foghorn policy +- Fix virt_admin interface + * Fri Apr 11 2011 Miroslav Grepl 3.7.19-106 - Add label for matahari-broker.pid file - Allow foghor to read snmp lib files