From 5dd89f381919ef760baef5d2d4995dd779764358 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: May 02 2009 11:52:13 +0000
Subject: - Fix /sbin/ip6tables-save context
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index ee6680c..eb63df8 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -994,7 +994,7 @@ portmap = module # postfix = module
-o# Layer: services
+# Layer: services
 # Module: postgrey
 #
 # email scanner
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 8693697..519d45e 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -4479,6 +4479,41 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +permissive sambagui_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.6.12/policy/modules/apps/screen.fc +--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-11-11 16:13:42.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/screen.fc 2009-05-02 07:46:25.000000000 -0400 +@@ -13,3 +13,4 @@ + # + /var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0) + /var/run/screens?/S-[^/]+/.* <> ++/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.12/policy/modules/apps/screen.if +--- nsaserefpolicy/policy/modules/apps/screen.if 2009-01-19 11:03:28.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/apps/screen.if 2009-05-02 07:49:38.000000000 -0400 +@@ -165,3 +165,23 @@ + nscd_socket_use($1_screen_t) + ') + ') ++ ++######################################## ++## ++## Manage screen var_run files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`screen_manage_var_run',` ++ gen_require(` ++ type screen_var_run_t; ++ ') ++ ++ manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t) ++ manage_files_pattern($1,screen_var_run_t,screen_var_run_t) ++ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/uml.te serefpolicy-3.6.12/policy/modules/apps/uml.te --- nsaserefpolicy/policy/modules/apps/uml.te 2009-01-19 11:03:28.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/apps/uml.te 2009-04-28 11:42:33.000000000 -0400 
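Review bot: The new file-context line `/var/run/screen(/.*)? gen_context(system_u:object_r:screen_var_run_t,s0)` in the screen.fc part of this hunk overlaps the existing `/var/run/screens?/S-[^/]+ -d gen_context(system_u:object_r:screen_dir_t,s0)` and `/var/run/screens?/S-[^/]+/.* <>` entries, so per-session directories under /var/run/screen may end up labeled screen_var_run_t instead of screen_dir_t depending on how fc_sort orders the three; checking a session path with matchpathcon after the policy build would settle which entry wins. The added `screen_manage_var_run` interface requires `type screen_var_run_t;`, but no declaration of that type (nor a `files_pid_file()` call for it) is visible in this hunk, so unless it is added elsewhere in the patch the module will not build. As a point of style, the three `*_pattern($1,screen_var_run_t,screen_var_run_t)` calls omit the space after each comma that the surrounding screen.if code uses, e.g. `manage_dirs_pattern($1, screen_var_run_t, screen_var_run_t)`.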
@@ -6039,7 +6074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-3.6.12/policy/modules/kernel/kernel.te --- nsaserefpolicy/policy/modules/kernel/kernel.te 2009-02-03 22:50:50.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/kernel/kernel.te 2009-05-01 13:41:10.000000000 -0400 @@ -63,6 +63,15 @@ genfscon debugfs / gen_context(system_u:object_r:debugfs_t,s0) @@ -6056,7 +6091,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # kvmFS # -@@ -120,6 +129,10 @@ +@@ -100,6 +109,7 @@ + genfscon proc /net gen_context(system_u:object_r:proc_net_t,s0) + + type proc_xen_t, proc_type; ++files_mountpoint(proc_xen_t) + genfscon proc /xen gen_context(system_u:object_r:proc_xen_t,s0) + + # +@@ -120,6 +130,10 @@ type sysctl_rpc_t, sysctl_type; genfscon proc /net/rpc gen_context(system_u:object_r:sysctl_rpc_t,s0) @@ -6067,7 +6110,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /proc/sys/fs directory and files type sysctl_fs_t, sysctl_type; files_mountpoint(sysctl_fs_t) -@@ -160,6 +173,7 @@ +@@ -160,6 +174,7 @@ # type unlabeled_t; sid unlabeled gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) @@ -6075,7 +6118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # These initial sids are no longer used, and can be removed: sid any_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh) -@@ -198,6 +212,8 @@ +@@ -198,6 +213,8 @@ allow kernel_t self:sock_file read_sock_file_perms; allow kernel_t self:fd use; 
@@ -6084,7 +6127,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow kernel_t proc_t:dir list_dir_perms; allow kernel_t proc_t:file read_file_perms; allow kernel_t proc_t:lnk_file read_lnk_file_perms; -@@ -248,7 +264,8 @@ +@@ -248,7 +265,8 @@ selinux_load_policy(kernel_t) @@ -6094,7 +6137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) -@@ -262,6 +279,8 @@ +@@ -262,6 +280,8 @@ files_list_etc(kernel_t) files_list_home(kernel_t) files_read_usr_files(kernel_t) @@ -6103,7 +6146,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_process_set_categories(kernel_t) -@@ -269,12 +288,18 @@ +@@ -269,12 +289,18 @@ mls_process_write_down(kernel_t) mls_file_write_all_levels(kernel_t) mls_file_read_all_levels(kernel_t) @@ -6122,7 +6165,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(kernel_t) files_read_default_files(kernel_t) -@@ -356,7 +381,11 @@ +@@ -356,7 +382,11 @@ ') optional_policy(` @@ -6135,7 +6178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -388,3 +417,7 @@ +@@ -388,3 +418,7 @@ allow kern_unconfined unlabeled_t:association *; allow kern_unconfined unlabeled_t:packet *; allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap }; 
@@ -6257,48 +6300,46 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +gen_user(guest_u, user, guest_r, s0, s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.6.12/policy/modules/roles/staff.te --- nsaserefpolicy/policy/modules/roles/staff.te 2008-11-11 16:13:47.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-04-23 09:44:57.000000000 -0400 -@@ -15,156 +15,90 @@ ++++ serefpolicy-3.6.12/policy/modules/roles/staff.te 2009-05-02 07:50:07.000000000 -0400 +@@ -15,156 +15,95 @@ # Local policy # -optional_policy(` - apache_role(staff_r, staff_t) -') -- --optional_policy(` -- auth_role(staff_r, staff_t) --') -- --optional_policy(` -- auditadm_role_change(staff_r) --') +kernel_read_ring_buffer(staff_t) +kernel_getattr_core_if(staff_t) +kernel_getattr_message_if(staff_t) +kernel_read_software_raid_state(staff_t) -optional_policy(` -- bluetooth_role(staff_r, staff_t) +- auth_role(staff_r, staff_t) -') +auth_domtrans_pam_console(staff_t) -optional_policy(` -- cdrecord_role(staff_r, staff_t) +- auditadm_role_change(staff_r) -') +libs_manage_shared_libs(staff_t) -optional_policy(` +- bluetooth_role(staff_r, staff_t) +-') +- +-optional_policy(` +- cdrecord_role(staff_r, staff_t) +-') +- +-optional_policy(` - cron_role(staff_r, staff_t) -') - -optional_policy(` - dbus_role_template(staff, staff_r, staff_t) -') -+seutil_run_newrole(staff_t, staff_r) -+netutils_run_ping(staff_t, staff_r) - - optional_policy(` +- +-optional_policy(` - ethereal_role(staff_r, staff_t) -') - @@ -6317,8 +6358,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -optional_policy(` - gnome_role(staff_r, staff_t) -') -- --optional_policy(` ++seutil_run_newrole(staff_t, staff_r) ++netutils_run_ping(staff_t, staff_r) + + optional_policy(` - gpg_role(staff_r, staff_t) -') - 
@@ -6332,122 +6375,123 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - -optional_policy(` - lockdev_role(staff_r, staff_t) --') -- --optional_policy(` -- lpd_role(staff_r, staff_t) --') -- --optional_policy(` -- mozilla_role(staff_r, staff_t) + sudo_role_template(staff, staff_r, staff_t) ') optional_policy(` -- mplayer_role(staff_r, staff_t) +- lpd_role(staff_r, staff_t) + auditadm_role_change(staff_r) ') optional_policy(` -- mta_role(staff_r, staff_t) +- mozilla_role(staff_r, staff_t) + kerneloops_manage_tmp_files(staff_t) ') optional_policy(` -- oident_manage_user_content(staff_t) -- oident_relabel_user_content(staff_t) +- mplayer_role(staff_r, staff_t) + logadm_role_change(staff_r) ') optional_policy(` -- pyzor_role(staff_r, staff_t) +- mta_role(staff_r, staff_t) + secadm_role_change(staff_r) ') optional_policy(` -- razor_role(staff_r, staff_t) +- oident_manage_user_content(staff_t) +- oident_relabel_user_content(staff_t) + ssh_role_template(staff, staff_r, staff_t) ') optional_policy(` -- rssh_role(staff_r, staff_t) +- pyzor_role(staff_r, staff_t) + sysadm_role_change(staff_r) ') optional_policy(` -- screen_role_template(staff, staff_r, staff_t) +- razor_role(staff_r, staff_t) + usernetctl_run(staff_t, staff_r) ') optional_policy(` -- secadm_role_change(staff_r) +- rssh_role(staff_r, staff_t) + unconfined_role_change(staff_r) ') optional_policy(` -- spamassassin_role(staff_r, staff_t) +- screen_role_template(staff, staff_r, staff_t) + webadm_role_change(staff_r) ') -optional_policy(` -- ssh_role_template(staff, staff_r, staff_t) +- secadm_role_change(staff_r) -') +domain_read_all_domains_state(staff_t) +domain_getattr_all_domains(staff_t) +domain_obj_id_change_exemption(staff_t) -optional_policy(` -- su_role_template(staff, staff_r, staff_t) +- spamassassin_role(staff_r, staff_t) -') +files_read_kernel_modules(staff_t) -optional_policy(` -- sudo_role_template(staff, staff_r, staff_t) +- ssh_role_template(staff, staff_r, 
staff_t) -') +kernel_read_fs_sysctls(staff_t) -optional_policy(` -- sysadm_role_change(staff_r) -- userdom_dontaudit_use_user_terminals(staff_t) +- su_role_template(staff, staff_r, staff_t) -') +modutils_read_module_config(staff_t) +modutils_read_module_deps(staff_t) -optional_policy(` -- thunderbird_role(staff_r, staff_t) +- sudo_role_template(staff, staff_r, staff_t) -') +miscfiles_read_hwdata(staff_t) -optional_policy(` -- tvtime_role(staff_r, staff_t) +- sysadm_role_change(staff_r) +- userdom_dontaudit_use_user_terminals(staff_t) -') +term_use_unallocated_ttys(staff_t) optional_policy(` -- uml_role(staff_r, staff_t) +- thunderbird_role(staff_r, staff_t) + gnomeclock_dbus_chat(staff_t) ') optional_policy(` -- userhelper_role_template(staff, staff_r, staff_t) +- tvtime_role(staff_r, staff_t) + kerneloops_dbus_chat(staff_t) ') optional_policy(` -- vmware_role(staff_r, staff_t) +- uml_role(staff_r, staff_t) + rpm_dbus_chat(staff_usertype) ') optional_policy(` -- wireshark_role(staff_r, staff_t) +- userhelper_role_template(staff, staff_r, staff_t) ++ screen_manage_var_run(staff_t) + ') + + optional_policy(` +- vmware_role(staff_r, staff_t) + setroubleshoot_stream_connect(staff_t) + setroubleshoot_dbus_chat(staff_t) ') optional_policy(` -- xserver_role(staff_r, staff_t) +- wireshark_role(staff_r, staff_t) + virt_stream_connect(staff_t) ') + +-optional_policy(` +- xserver_role(staff_r, staff_t) +-') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.6.12/policy/modules/roles/sysadm.if --- nsaserefpolicy/policy/modules/roles/sysadm.if 2009-01-19 11:07:34.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/roles/sysadm.if 2009-04-23 09:44:57.000000000 -0400 
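Review bot: `screen_manage_var_run(staff_t)` in the optional_policy block near the end of this hunk gives the staff user's shell domain itself create, write and delete access to everything labeled screen_var_run_t (that is what the interface added earlier in this patch grants), rather than confining that access to the screen program's own domain. The inner patch removes the upstream `screen_role_template(staff, staff_r, staff_t)` call from staff.te, presumably because screen is attached to user roles elsewhere in this tree; if so, that is also where the var_run access belongs, so the interactive shell stays out of /var/run/screen. The remainder of the hunk reorders lines and moves the removal of the upstream *_role calls around, which this commit does not otherwise change. The inner staff.te hunk (`@@ -15,156 +15,95 @@`) starts in the preceding outer hunk, so part of the resulting file content lies outside this hunk.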
@@ -12280,7 +12324,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/DeviceKit-disk(/.*)? gen_context(system_u:object_r:devicekit_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.if serefpolicy-3.6.12/policy/modules/services/devicekit.if --- nsaserefpolicy/policy/modules/services/devicekit.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/devicekit.if 2009-05-02 07:48:49.000000000 -0400 @@ -0,0 +1,197 @@ + +## policy for devicekit @@ -13432,8 +13476,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/fprintd -- gen_context(system_u:object_r:fprintd_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.if serefpolicy-3.6.12/policy/modules/services/fprintd.if --- nsaserefpolicy/policy/modules/services/fprintd.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-04-28 15:26:38.000000000 -0400 -@@ -0,0 +1,22 @@ ++++ serefpolicy-3.6.12/policy/modules/services/fprintd.if 2009-05-01 09:45:48.000000000 -0400 +@@ -0,0 +1,42 @@ + +## policy for fprintd + 
@@ -13456,6 +13500,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + domtrans_pattern($1,fprintd_exec_t,fprintd_t) +') + ++######################################## ++## ++## Send and receive messages from ++## fprintd over dbus. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fprintd_dbus_chat',` ++ gen_require(` ++ type fprintd_t; ++ class dbus send_msg; ++ ') ++ ++ allow $1 fprintd_t:dbus send_msg; ++ allow fprintd_t $1:dbus send_msg; ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fprintd.te serefpolicy-3.6.12/policy/modules/services/fprintd.te --- nsaserefpolicy/policy/modules/services/fprintd.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.12/policy/modules/services/fprintd.te 2009-04-29 10:10:42.000000000 -0400 @@ -14625,7 +14689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.6.12/policy/modules/services/kerneloops.te --- nsaserefpolicy/policy/modules/services/kerneloops.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/kerneloops.te 2009-05-01 13:21:26.000000000 -0400 @@ -13,6 +13,9 @@ type kerneloops_initrc_exec_t; init_script_file(kerneloops_initrc_exec_t) 
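Review bot: `fprintd_dbus_chat` grants only the `dbus send_msg` pair between `$1` and fprintd_t; the caller still needs system-bus client access for those messages to flow, which the interface neither grants nor mentions in its header. Suggest adding to the interface description: `## The caller must also be a system bus client (dbus_system_bus_client); this only grants the message exchange with fprintd_t.` The interface is fully contained in this hunk.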
@@ -14636,13 +14700,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # kerneloops local policy -@@ -23,8 +26,13 @@ +@@ -21,10 +24,14 @@ + allow kerneloops_t self:capability sys_nice; + allow kerneloops_t self:process { setsched getsched signal }; allow kerneloops_t self:fifo_file rw_file_perms; - allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; - +-allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms; ++ +manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t) +files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file) -+ + kernel_read_ring_buffer(kerneloops_t) +fs_list_inotifyfs(kerneloops_t) @@ -14650,9 +14716,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Init script handling domain_use_interactive_fds(kerneloops_t) -@@ -46,6 +54,5 @@ - sysnet_dns_name_resolve(kerneloops_t) +@@ -38,14 +45,13 @@ + + files_read_etc_files(kerneloops_t) + ++auth_use_nsswitch(kerneloops_t) ++ + logging_send_syslog_msg(kerneloops_t) + logging_read_generic_logs(kerneloops_t) + + miscfiles_read_localization(kerneloops_t) +-sysnet_dns_name_resolve(kerneloops_t) +- optional_policy(` - dbus_system_bus_client(kerneloops_t) - dbus_connect_system_bus(kerneloops_t) @@ -25914,7 +25990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-04-23 09:44:57.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-05-01 09:46:46.000000000 -0400 
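Review bot: Replacing `sysnet_dns_name_resolve(kerneloops_t)` with `auth_use_nsswitch(kerneloops_t)` in the second kerneloops.te hunk, together with dropping `allow kerneloops_t self:netlink_route_socket r_netlink_socket_perms;` in the first, relies on auth_use_nsswitch pulling in both the DNS and the netlink route socket permissions; as far as I recall refpolicy's auth_use_nsswitch of this era does call sysnet_dns_name_resolve, which carries the netlink_route_socket rule, but if that is not the case in this tree the daemon loses name resolution silently. auth_use_nsswitch is also broader than DNS: it adds optional access to ldap, nis, winbind and similar name services, so the change widens kerneloops_t's reach beyond what the removed lines granted. A one-line comment would save the next reader from re-adding the rules, e.g. `# auth_use_nsswitch covers DNS (sysnet_dns_name_resolve) and the netlink route socket`, and the audit log should be checked for netlink_route_socket denials from kerneloops_t after the update.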
@@ -43,20 +43,38 @@ interface(`auth_login_pgm_domain',` gen_require(` @@ -25962,7 +26038,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol init_rw_utmp($1) -@@ -100,11 +119,40 @@ +@@ -100,9 +119,42 @@ seutil_read_config($1) seutil_read_default_contexts($1) @@ -25975,16 +26051,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + optional_policy(` + afs_rw_udp_sockets($1) -+ ') + ') + + optional_policy(` + dbus_system_bus_client($1) + optional_policy(` + oddjob_dbus_chat($1) + oddjob_domtrans_mkhomedir($1) - ') - ') - ++ ') ++') ++ + optional_policy(` + corecmd_exec_bin($1) + storage_getattr_fixed_disk_dev($1) @@ -25992,6 +26068,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + + optional_policy(` ++ fprintd_dbus_chat($1) ++ ') ++ ++ optional_policy(` + nis_authenticate($1) + ') + @@ -26000,12 +26080,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_read_user_home_content_files($1) + ') + -+') -+ + ') + ######################################## - ## - ## Use the login program as an entry point program. -@@ -197,8 +245,11 @@ +@@ -197,8 +249,11 @@ interface(`auth_domtrans_chk_passwd',` gen_require(` type chkpwd_t, chkpwd_exec_t, shadow_t; @@ -26017,7 +26095,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin($1) domtrans_pattern($1, chkpwd_exec_t, chkpwd_t) -@@ -207,19 +258,16 @@ +@@ -207,19 +262,16 @@ dev_read_rand($1) dev_read_urand($1) @@ -26042,7 +26120,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -230,6 +278,29 @@ +@@ -230,6 +282,29 @@ optional_policy(` samba_stream_connect_winbind($1) ') 
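Review bot: The new `fprintd_dbus_chat($1)` in auth_login_pgm_domain is a standalone `optional_policy(`...`)` block, while the `oddjob_dbus_chat($1)` call a few lines above it is nested inside the `optional_policy(` dbus_system_bus_client($1) ... `)` block; the fprintd call should take the same shape, since send_msg to fprintd_t does nothing without system-bus client access and the nesting makes that dependency explicit. Proposed change: move `fprintd_dbus_chat($1)` into the dbus block as `optional_policy(` fprintd_dbus_chat($1) `)` beside the oddjob one and drop the separate block. auth_login_pgm_domain begins before this hunk, and the preceding outer hunk rearranges the closing `')` lines of the same interface, so the final m4 brace balance is better confirmed by a policy build than read off the hunks.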
@@ -26072,7 +26150,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -254,6 +325,7 @@ +@@ -254,6 +329,7 @@ auth_domtrans_chk_passwd($1) role $2 types chkpwd_t; @@ -26080,7 +26158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -650,7 +722,7 @@ +@@ -650,7 +726,7 @@ ######################################## ## @@ -26089,7 +26167,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1031,6 +1103,32 @@ +@@ -1031,6 +1107,32 @@ ######################################## ## @@ -26122,7 +26200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Manage all files on the filesystem, except ## the shadow passwords and listed exceptions. ## -@@ -1297,6 +1395,14 @@ +@@ -1297,6 +1399,14 @@ ') optional_policy(` @@ -26137,7 +26215,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol nis_use_ypbind($1) ') -@@ -1305,8 +1411,13 @@ +@@ -1305,8 +1415,13 @@ ') optional_policy(` @@ -26151,7 +26229,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1341,3 +1452,99 @@ +@@ -1341,3 +1456,99 @@ typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') 
@@ -27102,9 +27180,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dev_read_urand(racoon_t)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 08:29:56.000000000 -0400
-@@ -1,9 +1,11 @@
- /sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 18:57:54.000000000 -0400
+@@ -1,9 +1,10 @@
+-/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 -/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index b63b10f..e47bb1b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -480,6 +480,9 @@ exit 0
 %endif
 %changelog
+* Fri May 1 2009 Dan Walsh 3.6.12-27
+- Fix /sbin/ip6tables-save context
+
 * Thu Apr 30 2009 Dan Walsh 3.6.12-26
 - Add shorewall policy
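Review bot: The new pattern `/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)` matches only /sbin/iptables and /sbin/ip6tables, since file_contexts regexes are anchored, and the inner patch now also removes the upstream `/sbin/ip6tables.* --` entry that used to cover ip6tables-save and ip6tables-restore; the visible part of the inner hunk labels neither helper, even though the commit subject is about ip6tables-save. The inner hunk has 10 lines on its new side and only 4 fall inside this outer hunk, so the missing entries may well sit in the part not shown; if they do not, ip6tables-save keeps the generic /sbin label and loses the iptables_t transition, which `matchpathcon /sbin/ip6tables-save` on an installed system would reveal. The selinux-policy.spec hunks below are the release bump and changelog entry.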