From 70f79c960d88081db4a534ba874d561cba55244f Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 12 2009 14:46:11 +0000 Subject: - Add lighttpd file context to apache.fc - Allow tmpreaper to read /var/cache/yum - Allow kdump_t sys_rawio - Add execmem_exec_t context for /usr/bin/aticonfig - Allow dovecot-deliver to signull dovecot - Add textrel_shlib_t to /usr/lib/libADM5avcodec.so --- diff --git a/policy-F12.patch b/policy-F12.patch index f4ee25c..2db71b3 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -700,7 +700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-06 14:38:19.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-12 08:20:36.000000000 -0500 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -1595,7 +1595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te --- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-10-05 11:13:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/tmpreaper.te 2009-11-12 08:20:55.000000000 -0500 @@ -42,6 +42,7 @@ cron_system_entry(tmpreaper_t, tmpreaper_exec_t) @@ -1615,6 +1615,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kismet_manage_log(tmpreaper_t) ') +@@ -60,5 +65,9 @@ + ') + + optional_policy(` ++ rpm_read_cache(tmpreaper_t) ++') ++ ++optional_policy(` + unconfined_domain(tmpreaper_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tzdata.te serefpolicy-3.6.32/policy/modules/admin/tzdata.te --- nsaserefpolicy/policy/modules/admin/tzdata.te 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/admin/tzdata.te 2009-09-30 16:12:48.000000000 -0400 @@ -2043,8 +2053,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-09 15:54:53.000000000 -0500 -@@ -0,0 +1,39 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-11-12 08:43:37.000000000 -0500 +@@ -0,0 +1,40 @@ ++/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -2944,7 +2955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/kdumpgui.te serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te --- nsaserefpolicy/policy/modules/apps/kdumpgui.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/kdumpgui.te 2009-11-12 08:45:00.000000000 -0500 @@ -0,0 +1,65 @@ +policy_module(kdumpgui,1.0.0) + @@ -3284,7 +3295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.32/policy/modules/apps/mozilla.if --- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-07-28 13:28:33.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-11-10 08:15:19.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.if 2009-11-10 16:28:27.000000000 -0500 @@ -45,6 +45,18 @@ relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t) relabel_files_pattern($2, mozilla_home_t, mozilla_home_t) @@ -3312,7 +3323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -@@ -88,6 +101,43 @@ +@@ -88,6 +101,61 @@ ######################################## ## @@ -3353,6 +3364,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +######################################## +## ++## Dontaudit attempts to read/write mozilla home directory content ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`mozilla_dontaudit_rw_user_home_files',` ++ gen_require(` ++ type mozilla_home_t; ++ ') ++ ++ dontaudit $1 mozilla_home_t:file { read write }; ++') ++ ++######################################## ++## ## Run mozilla in the mozilla domain. ## ## @@ -4856,8 +4885,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.32/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-10-06 17:01:45.000000000 -0400 -@@ -0,0 +1,330 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.te 2009-11-10 16:28:19.000000000 -0500 +@@ -0,0 +1,335 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -5188,6 +5217,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +optional_policy(` + hal_dbus_chat(sandbox_net_client_t) +') ++ ++ifdef(`hide_broken_symptoms', ` ++ mozilla_dontaudit_rw_user_home_files(sandbox_x_server_t) ++ mozilla_dontaudit_rw_user_home_files(sandbox_x_domain) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.32/policy/modules/apps/screen.if --- nsaserefpolicy/policy/modules/apps/screen.if 2009-09-09 09:23:16.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/apps/screen.if 2009-10-22 14:51:34.000000000 -0400 @@ -9939,7 +9973,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-09 17:18:29.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-10 16:07:06.000000000 -0500 @@ -33,12 +33,16 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -9994,7 +10028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_getattr_all_files(abrt_t) files_read_etc_files(abrt_t) files_read_usr_files(abrt_t) -@@ -96,22 +108,37 @@ +@@ -96,22 +108,41 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -10038,6 +10072,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol sendmail_domtrans(abrt_t) ') + ++optional_policy(` ++ sssd_stream_connect(abrt_t) ++') ++ +permissive abrt_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/afs.fc serefpolicy-3.6.32/policy/modules/services/afs.fc --- nsaserefpolicy/policy/modules/services/afs.fc 2009-07-23 14:11:04.000000000 -0400 @@ -10317,8 +10355,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-10-30 16:21:42.000000000 -0400 -@@ -1,12 +1,13 @@ ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-11-10 14:50:41.000000000 -0500 +@@ -1,12 +1,15 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -10331,19 +10369,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/httpd/conf/keytab -- gen_context(system_u:object_r:httpd_keytab_t,s0) /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0) /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0) ++/etc/lighttpd(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/lighttpd -- gen_context(system_u:object_r:httpd_initrc_exec_t,s0) /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0) /srv/([^/]*/)?www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) -@@ -22,6 +23,7 @@ +@@ -21,10 +24,13 @@ + /usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) ++/usr/lib(64)?/lighttpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0) +/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0) /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0) -@@ -32,12 +34,18 @@ ++/usr/sbin/lighttpd -- gen_context(system_u:object_r:httpd_exec_t,s0) + /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) + /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) + +@@ -32,12 +38,19 @@ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) ') @@ -10357,12 +10403,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/cache/httpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) ++/var/cache/lighttpd(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mason(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) +/var/cache/mediawiki(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -46,7 +54,9 @@ +@@ -46,7 +59,9 @@ /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) @@ -10372,7 +10419,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,8 +60,10 @@ +@@ -50,13 +65,17 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -10383,7 +10430,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +76,33 @@ + /var/log/cgiwrap\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) + /var/log/httpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++/var/log/lighttpd(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) ++ + ifdef(`distro_debian', ` + /var/log/horde2(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) + ') +@@ -64,11 +83,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -17586,8 +17640,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/plymouth.te serefpolicy-3.6.32/policy/modules/services/plymouth.te --- nsaserefpolicy/policy/modules/services/plymouth.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-10-29 10:28:34.000000000 -0400 -@@ -0,0 +1,96 @@ ++++ serefpolicy-3.6.32/policy/modules/services/plymouth.te 2009-11-11 09:44:38.000000000 -0500 +@@ -0,0 +1,97 @@ +policy_module(plymouthd, 1.0.0) + +######################################## @@ -17682,6 +17736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +ifdef(`hide_broken_symptoms', ` +optional_policy(` + hal_dontaudit_write_log(plymouth_t) ++ hal_dontaudit_rw_pipes(plymouth_t) +') +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.fc serefpolicy-3.6.32/policy/modules/services/policykit.fc @@ -23002,7 +23057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2009-10-26 11:31:38.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2009-11-11 09:52:40.000000000 -0500 @@ -0,0 +1,58 @@ + +policy_module(tuned,1.0.0) @@ -23029,7 +23084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# tuned local policy +# + -+dontaudit tuned_t self:capability { dac_override }; ++dontaudit tuned_t self:capability { dac_override sys_tty_config }; + +manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t) +files_pid_filetrans(tuned_t, tuned_var_run_t, { file }) @@ -23848,7 +23903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.32/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2009-09-09 15:37:17.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-09 15:37:59.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.if 2009-11-10 16:23:46.000000000 -0500 @@ -74,6 +74,12 @@ domtrans_pattern($2, iceauth_exec_t, iceauth_t) @@ -25604,7 +25659,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.32/policy/modules/system/authlogin.if --- nsaserefpolicy/policy/modules/system/authlogin.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-10-29 14:34:39.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/authlogin.if 2009-11-10 16:06:50.000000000 -0500 @@ -40,17 +40,76 @@ ## ## @@ -27364,8 +27419,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.te serefpolicy-3.6.32/policy/modules/system/kdump.te --- nsaserefpolicy/policy/modules/system/kdump.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/kdump.te 2009-11-09 11:33:54.000000000 -0500 -@@ -29,6 +29,7 @@ ++++ serefpolicy-3.6.32/policy/modules/system/kdump.te 2009-11-12 08:45:07.000000000 -0500 +@@ -21,7 +21,7 @@ + # kdump local policy + # + +-allow kdump_t self:capability { sys_boot dac_override }; ++allow kdump_t self:capability { sys_boot sys_rawio dac_override }; + + read_files_pattern(kdump_t, kdump_etc_t, kdump_etc_t) + +@@ -29,8 +29,11 @@ files_read_kernel_img(kdump_t) kernel_read_system_state(kdump_t) @@ -27373,9 +27437,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_framebuffer(kdump_t) dev_read_sysfs(kdump_t) + + term_use_console(kdump_t) ++ ++permissive kdump_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-04 09:29:07.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-12 08:52:03.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -27425,7 +27493,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,27 +120,36 @@ +@@ -115,27 +120,37 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27440,6 +27508,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/catalyst/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libADM5avcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27470,7 +27539,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -143,11 +157,8 @@ +@@ -143,11 +158,8 @@ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27482,7 +27551,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,12 +179,12 @@ +@@ -168,12 +180,12 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php @@ -27497,7 +27566,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -185,15 +196,10 @@ +@@ -185,15 +197,10 @@ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27514,7 +27583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -228,31 +234,17 @@ +@@ -228,31 +235,17 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27550,7 +27619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -268,8 +260,8 @@ +@@ -268,8 +261,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27561,7 +27630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -295,6 +287,8 @@ +@@ -295,6 +288,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27570,7 +27639,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +301,102 @@ +@@ -307,10 +302,102 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) diff --git a/selinux-policy.spec b/selinux-policy.spec index 3c3685b..71f9209 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 43%{?dist} +Release: 44%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,7 +445,15 @@ exit 0 %endif %changelog -* Tue Nov 9 2009 Dan Walsh 3.6.32-43 +* Tue Nov 10 2009 Dan Walsh 3.6.32-44 +- Add lighttpd file context to apache.fc +- Allow tmpreaper to read /var/cache/yum +- Allow kdump_t sys_rawio +- Add execmem_exec_t context for /usr/bin/aticonfig +- Allow dovecot-deliver to signull dovecot +- Add textrel_shlib_t to /usr/lib/libADM5avcodec.so + +* Tue Nov 10 2009 Dan Walsh 3.6.32-43 - Fix transition so unconfined_exemem_t creates user_tmp_t - Allow chrome_sandbox_t to write to user_tmp_t when printing - Allow corosync to connect to port 5404 and to interact with user_tmpfs_t files