From b07daea6b87fb7dbe33bd841c70bd2ac34ab5df9 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 24 2007 20:15:22 +0000 Subject: - Dontaudit mail programs looking at munin_var_lib --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index ea86836..6929f99 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -104,7 +104,7 @@ httpd_ssi_exec = false # Allow http daemon to communicate with the TTY # -httpd_tty_comm = false +httpd_tty_comm = true # Run CGI in the main httpd domain # @@ -216,7 +216,7 @@ write_untrusted_content = false # Allow all domains to talk to ttys # -allow_daemons_use_tty = false +allow_daemons_use_tty = true # Allow login domains to polyinstatiate directories # @@ -224,7 +224,7 @@ allow_polyinstantiation = false # Allow all domains to talk to ttys # -allow_daemons_dump_core = false +allow_daemons_dump_core = true # Allow mount command to mounton any directory # diff --git a/policy-20070703.patch b/policy-20070703.patch index 1d0b1fe..7bba72a 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -2088,7 +2088,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.0.8/policy/modules/admin/usermanage.if --- nsaserefpolicy/policy/modules/admin/usermanage.if 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.if 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.if 2007-10-23 22:49:15.000000000 -0400 @@ -265,6 +265,24 @@ ######################################## 
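Review bot: The default for `httpd_tty_comm` flips from false to true in the hunk at -104, and the hunks at -216 and -224 do the same for `allow_daemons_use_tty` and `allow_daemons_dump_core`, yet the commit subject and the spec changelog mention only the munin dontaudit rule. These are policy-wide relaxations for confined daemons (terminal access, and core dumps that can put process memory on disk). Each one deserves its own changelog line with the reason, or the boolean should stay `false` and the access be granted only to the domain that needs it. Separately, the context comment above `allow_daemons_dump_core` still reads "Allow all domains to talk to ttys", copied from the boolean before it; it should say something like `# Allow all daemons to dump core`.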
@@ -4746,7 +4746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav dev_read_rand(amavis_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2007-10-24 13:23:10.000000000 -0400 @@ -16,7 +16,6 @@ /usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0) @@ -4774,7 +4774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac +/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if --- nsaserefpolicy/policy/modules/services/apache.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2007-10-24 13:24:07.000000000 -0400 @@ -18,10 +18,6 @@ attribute httpd_script_exec_type; type httpd_t, httpd_suexec_t, httpd_log_t; @@ -5191,7 +5191,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-10-24 13:24:16.000000000 -0400 @@ -20,6 +20,8 @@ # Declarations # 
@@ -7269,7 +7269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2007-10-24 15:27:53.000000000 -0400 @@ -0,0 +1,15 @@ +# $Id$ +# Draft SELinux refpolicy module for the Exim MTA @@ -8202,7 +8202,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te --- nsaserefpolicy/policy/modules/services/mailman.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2007-10-24 14:15:17.000000000 -0400 @@ -55,6 +55,8 @@ apache_use_fds(mailman_cgi_t) apache_dontaudit_append_log(mailman_cgi_t) @@ -8212,7 +8212,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail optional_policy(` nscd_socket_use(mailman_cgi_t) -@@ -96,6 +98,7 @@ +@@ -67,6 +69,14 @@ + # + + allow mailman_mail_t self:unix_dgram_socket create_socket_perms; ++allow mailman_mail_t initrc_t:process signal; ++allow mailman_mail_t self:capability { setuid setgid }; ++ ++mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) ++ ++auth_use_nsswitch(mailman_mail_t) ++ ++files_search_spool(mailman_mail_t) + + mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t) + +@@ -96,6 +106,7 @@ kernel_read_proc_symlinks(mailman_queue_t) auth_domtrans_chk_passwd(mailman_queue_t) 
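Review bot: The block added to mailman.te at `@@ -67,6 +69,14 @@` inserts `mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)`, but the same call is already the next context line, so the rule is now stated twice; drop the added copy. The two new rules `allow mailman_mail_t initrc_t:process signal;` and `allow mailman_mail_t self:capability { setuid setgid };` widen mailman_mail_t with no comment and no changelog entry. A why-comment above each, for example `# mail wrapper switches to the mailman uid/gid` (if that is the reason), would let a reviewer check the grant is as narrow as intended. The signal permission targets `initrc_t`, which presumably covers every process still running in the init-script domain, so it is worth confirming whether a narrower target type would do.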
@@ -8487,6 +8502,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta. logrotate_read_tmp_files(system_mail_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.if serefpolicy-3.0.8/policy/modules/services/munin.if +--- nsaserefpolicy/policy/modules/services/munin.if 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/munin.if 2007-10-24 08:51:46.000000000 -0400 +@@ -61,3 +61,21 @@ + allow $1 munin_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) + ') ++ ++####################################### ++## ++## dontaudit Search munin library directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`munin_dontaudit_search_lib',` ++ gen_require(` ++ type munin_var_lib_t; ++ ') ++ ++ dontaudit $1 munin_var_lib_t:dir search_dir_perms; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.0.8/policy/modules/services/mysql.fc --- nsaserefpolicy/policy/modules/services/mysql.fc 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/mysql.fc 2007-10-22 13:22:31.000000000 -0400 @@ -8787,7 +8827,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.8/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.te 2007-10-24 15:41:31.000000000 -0400 @@ -13,6 +13,9 @@ type NetworkManager_var_run_t; files_pid_file(NetworkManager_var_run_t) 
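Review bot: The doc block of the new `munin_dontaudit_search_lib` interface describes its parameter as "Domain allowed access.", which is wrong for a dontaudit interface: nothing is allowed, the denial is only kept out of the audit log. Use the wording `Domain to not audit.` for the parameter and `Do not audit attempts to search munin library directories.` for the summary, so callers do not mistake it for a grant. The same hunk header line is also one `#` shorter than the 40-character rule used by the other interface headers on this page, which is worth aligning.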
@@ -8835,7 +8875,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -162,6 +166,7 @@ +@@ -151,6 +155,8 @@ + optional_policy(` + nscd_socket_use(NetworkManager_t) + nscd_signal(NetworkManager_t) ++ nscd_script_domtrans(NetworkManager_t) ++ nscd_domtrans(NetworkManager_t) + ') + + optional_policy(` +@@ -162,6 +168,7 @@ ppp_domtrans(NetworkManager_t) ppp_read_pid_files(NetworkManager_t) ppp_signal(NetworkManager_t) @@ -8843,7 +8892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -173,8 +178,10 @@ +@@ -173,8 +180,10 @@ ') optional_policy(` 
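Review bot: `nscd_script_domtrans(NetworkManager_t)` and `nscd_domtrans(NetworkManager_t)` are added together in the nscd optional block at `@@ -151,6 +155,8 @@` with no comment saying which path NetworkManager actually uses. If it only restarts nscd through the init script, the direct `nscd_domtrans` is an extra transition into nscd_t that could be left out; if it executes the daemon binary itself, the script transition is the spare one. A why-comment such as `# NetworkManager restarts nscd via its init script after a network change` (if that is the case) would make the intent reviewable.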
@@ -8966,10 +9015,54 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis. corenet_dontaudit_tcp_bind_all_reserved_ports(ypxfr_t) corenet_dontaudit_udp_bind_all_reserved_ports(ypxfr_t) corenet_tcp_connect_all_ports(ypxfr_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.fc serefpolicy-3.0.8/policy/modules/services/nscd.fc +--- nsaserefpolicy/policy/modules/services/nscd.fc 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/nscd.fc 2007-10-24 15:39:40.000000000 -0400 +@@ -9,3 +9,6 @@ + /var/run/\.nscd_socket -s gen_context(system_u:object_r:nscd_var_run_t,s0) + + /var/run/nscd(/.*)? gen_context(system_u:object_r:nscd_var_run_t,s0) ++ ++/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:httpd_script_exec_t,s0) ++ +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.0.8/policy/modules/services/nscd.if +--- nsaserefpolicy/policy/modules/services/nscd.if 2007-10-22 13:21:39.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/nscd.if 2007-10-24 15:39:19.000000000 -0400 +@@ -204,3 +204,22 @@ + role $2 types nscd_t; + dontaudit nscd_t $3:chr_file rw_term_perms; + ') ++ ++######################################## ++## ++## Execute nscd server in the ntpd domain. ++## ++## ++## ++## The type of the process performing this action. 
++## ++## ++# ++interface(`nscd_script_domtrans',` ++ gen_require(` ++ type nscd_script_exec_t; ++ ') ++ ++ init_script_domtrans_spec($1,nscd_script_exec_t) ++') ++ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-3.0.8/policy/modules/services/nscd.te --- nsaserefpolicy/policy/modules/services/nscd.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/nscd.te 2007-10-22 13:22:31.000000000 -0400 -@@ -28,14 +28,14 @@ ++++ serefpolicy-3.0.8/policy/modules/services/nscd.te 2007-10-24 15:39:46.000000000 -0400 +@@ -23,19 +23,22 @@ + type nscd_log_t; + logging_log_file(nscd_log_t) + ++type nscd_script_exec_t; ++init_script_type(nscd_script_exec_t) ++ + ######################################## + # # Local policy # @@ -8987,7 +9080,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd allow nscd_t self:tcp_socket create_socket_perms; allow nscd_t self:udp_socket create_socket_perms; -@@ -50,6 +50,8 @@ +@@ -50,6 +53,8 @@ manage_sock_files_pattern(nscd_t,nscd_var_run_t,nscd_var_run_t) files_pid_filetrans(nscd_t,nscd_var_run_t,{ file sock_file }) @@ -8996,7 +9089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd kernel_read_kernel_sysctls(nscd_t) kernel_list_proc(nscd_t) kernel_read_proc_symlinks(nscd_t) -@@ -73,6 +75,8 @@ +@@ -73,6 +78,8 @@ corenet_udp_sendrecv_all_nodes(nscd_t) corenet_tcp_sendrecv_all_ports(nscd_t) corenet_udp_sendrecv_all_ports(nscd_t) @@ -9005,7 +9098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd corenet_tcp_connect_all_ports(nscd_t) corenet_sendrecv_all_client_packets(nscd_t) corenet_rw_tun_tap_dev(nscd_t) -@@ -93,6 +97,7 @@ +@@ -93,6 +100,7 @@ libs_use_ld_so(nscd_t) libs_use_shared_libs(nscd_t) 
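Review bot: The new nscd.fc entry labels `/etc/rc\.d/init\.d/nscd` as `httpd_script_exec_t`, the type this patch's apache.fc assigns to the httpd init script, while nscd.te in this hunk declares `nscd_script_exec_t` and `nscd_script_domtrans` requires that type. As written no file would carry `nscd_script_exec_t`, so the new transition would never match, and the nscd init script would instead fall under whatever rules apply to the Apache script type. The line should read `/etc/rc\.d/init\.d/nscd -- gen_context(system_u:object_r:nscd_script_exec_t,s0)`. The interface summary "Execute nscd server in the ntpd domain." is also a copy-paste leftover; something like `Execute the nscd init script in the init script domain.` appears to match what `init_script_domtrans_spec` is called for.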
@@ -9013,7 +9106,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd logging_send_syslog_msg(nscd_t) miscfiles_read_localization(nscd_t) -@@ -114,3 +119,12 @@ +@@ -114,3 +122,12 @@ xen_dontaudit_rw_unix_stream_sockets(nscd_t) xen_append_log(nscd_t) ') @@ -9798,7 +9891,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-3.0.8/policy/modules/services/procmail.te --- nsaserefpolicy/policy/modules/services/procmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/procmail.te 2007-10-24 08:51:22.000000000 -0400 @@ -30,6 +30,8 @@ allow procmail_t procmail_tmp_t:file manage_file_perms; files_tmp_filetrans(procmail_t, procmail_tmp_t, file) @@ -9816,7 +9909,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc auth_use_nsswitch(procmail_t) -@@ -108,6 +111,9 @@ +@@ -65,6 +68,8 @@ + libs_use_ld_so(procmail_t) + libs_use_shared_libs(procmail_t) + ++logging_send_syslog_msg(procmail_t) ++ + miscfiles_read_localization(procmail_t) + + # only works until we define a different type for maildir +@@ -97,17 +102,16 @@ + ') + + optional_policy(` +- logging_send_syslog_msg(procmail_t) +-') +- +-optional_policy(` +- nis_use_ypbind(procmail_t) ++ munin_dontaudit_search_lib(procmail_t) + ') + + optional_policy(` # for a bug in the postfix local program postfix_dontaudit_rw_local_tcp_sockets(procmail_t) postfix_dontaudit_use_fds(procmail_t) @@ -9826,7 +9940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` -@@ -129,3 +135,7 @@ +@@ -129,3 +133,7 @@ spamassassin_exec_client(procmail_t) spamassassin_read_lib_files(procmail_t) ') 
@@ -11032,7 +11146,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-10-24 08:46:31.000000000 -0400 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -11067,7 +11181,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) corenet_tcp_sendrecv_all_if(sendmail_t) -@@ -94,30 +99,24 @@ +@@ -94,30 +99,28 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) @@ -11089,20 +11203,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send optional_policy(` - clamav_search_lib(sendmail_t) --') -- --optional_policy(` -- nis_use_ypbind(sendmail_t) + cron_read_pipes(sendmail_t) ') optional_policy(` -- nscd_socket_use(sendmail_t) +- nis_use_ypbind(sendmail_t) + clamav_search_lib(sendmail_t) ') optional_policy(` -@@ -131,6 +130,10 @@ +- nscd_socket_use(sendmail_t) ++ munin_dontaudit_search_lib(sendmail_t) + ') + + optional_policy(` +@@ -131,6 +134,10 @@ ') optional_policy(` @@ -11113,7 +11228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send seutil_sigchld_newrole(sendmail_t) ') -@@ -156,3 +159,15 @@ +@@ -156,3 +163,15 @@ dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl }; ') dnl end TODO 
@@ -11839,7 +11954,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-24 14:01:12.000000000 -0400 @@ -126,6 +126,8 @@ # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev($1_xserver_t) @@ -11872,12 +11987,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser type $1_iceauth_t; domain_type($1_iceauth_t) -@@ -282,11 +286,14 @@ +@@ -282,11 +286,15 @@ domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t) allow $1_xserver_t $1_xauth_home_t:file { getattr read }; + allow xdm_t $1_xauth_home_t:file append_file_perms; ++ read_files_pattern($1_xserver_t, $2, $2) domtrans_pattern($2, xserver_exec_t, $1_xserver_t) allow $1_xserver_t $2:process signal; @@ -11887,7 +12003,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t) manage_files_pattern($2,$1_fonts_t,$1_fonts_t) -@@ -316,6 +323,7 @@ +@@ -316,6 +324,7 @@ userdom_use_user_ttys($1,$1_xserver_t) userdom_setattr_user_ttys($1,$1_xserver_t) userdom_rw_user_tmpfs_files($1,$1_xserver_t) @@ -11895,7 +12011,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser xserver_use_user_fonts($1,$1_xserver_t) xserver_rw_xdm_tmp_files($1_xauth_t) -@@ -353,12 +361,6 @@ +@@ -353,12 +362,6 @@ # allow ps to show xauth ps_process_pattern($2,$1_xauth_t) 
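Review bot: The added `read_files_pattern($1_xserver_t, $2, $2)` in the xserver.if hunk at `@@ -282,11 +286,15 @@` passes the user domain `$2` as both the directory and the file type, with no comment explaining why the per-user X server needs to read files labelled with the user's process type (likely that domain's /proc entries). Add a why-comment above it, for example `# X server reads /proc/<pid> state of the launching user domain` if that is the purpose, and confirm that a narrower permission set would not be enough. The enclosing template starts and ends outside the hunk, so whether `$2` is already constrained elsewhere cannot be judged from here.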
@@ -11908,7 +12024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser domain_use_interactive_fds($1_xauth_t) files_read_etc_files($1_xauth_t) -@@ -387,6 +389,14 @@ +@@ -387,6 +390,14 @@ ') optional_policy(` @@ -11923,7 +12039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser nis_use_ypbind($1_xauth_t) ') -@@ -537,16 +547,14 @@ +@@ -537,16 +548,14 @@ gen_require(` type xdm_t, xdm_tmp_t; @@ -11945,7 +12061,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # for when /tmp/.X11-unix is created by the system allow $2 xdm_t:fd use; -@@ -555,25 +563,53 @@ +@@ -555,25 +564,53 @@ allow $2 xdm_tmp_t:sock_file { read write }; dontaudit $2 xdm_t:tcp_socket { read write }; @@ -12007,7 +12123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ') -@@ -626,6 +662,24 @@ +@@ -626,6 +663,24 @@ ######################################## ## @@ -12032,7 +12148,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -659,6 +713,73 @@ +@@ -659,6 +714,73 @@ ######################################## ## @@ -12106,7 +12222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Transition to a user Xauthority domain. ## ## -@@ -927,6 +1048,7 @@ +@@ -927,6 +1049,7 @@ files_search_tmp($1) allow $1 xdm_tmp_t:dir list_dir_perms; create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t) @@ -12114,7 +12230,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -987,6 +1109,37 @@ +@@ -987,6 +1110,37 @@ ######################################## ## 
@@ -12152,7 +12268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -1136,7 +1289,7 @@ +@@ -1136,7 +1290,7 @@ type xdm_xserver_tmp_t; ') @@ -12161,7 +12277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') ######################################## -@@ -1325,3 +1478,63 @@ +@@ -1325,3 +1479,63 @@ files_search_tmp($1) stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t) ') @@ -15286,7 +15402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-22 13:22:31.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-23 22:51:09.000000000 -0400 @@ -76,7 +76,6 @@ type restorecond_exec_t; init_daemon_domain(restorecond_t,restorecond_exec_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 2b426f8..07007ed 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 31%{?dist} +Release: 32%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -373,6 +373,9 @@ exit 0 %endif %changelog +* Wed Oct 24 2007 Dan Walsh 3.0.8-32 +- Dontaudit mail programs looking at munin_var_lib + * Tue Oct 23 2007 Dan Walsh 3.0.8-31 - Fixes for vmware - Additional textrel_shlib_t for codecs