From bae9b75bf9c35c0190927ccd3fc2d7bf981cbd9c Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Feb 02 2010 15:57:16 +0000 Subject: - Allow policykit-auth to set attributes on fonts cache directory - Add label for RealPlayer plugins - Add label for /usr/sbin/xrdp - Allow chrome-sandbox to read gnome homedir content - Allow rsyslogd to connect to MySQL using a unix domain stream socket - Allow apache to list inotifyfs filesystem - Add label for /dev/pps device --- diff --git a/policy-20100106.patch b/policy-20100106.patch index 59c8fa6..b12534a 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -71,6 +71,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Crack local policy +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te +--- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-02-02 14:30:20.961067885 +0100 +@@ -59,7 +59,8 @@ + miscfiles_read_fonts(chrome_sandbox_t) + + optional_policy(` +- gnome_write_inherited_config(chrome_sandbox_t) ++ gnome_rw_inherited_config(chrome_sandbox_t) ++ gnome_list_home_config(chrome_sandbox_t) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc serefpolicy-3.6.32/policy/modules/apps/gnome.fc --- nsaserefpolicy/policy/modules/apps/gnome.fc 2010-01-18 18:24:22.594539949 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.fc 2010-01-21 18:31:02.867611919 +0100 
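Review bot: Swapping `gnome_write_inherited_config(chrome_sandbox_t)` for `gnome_rw_inherited_config(chrome_sandbox_t)` in chrome.te grants the sandbox read and write on inherited files of every type carrying the `gnome_home_type` attribute, while the changelog entry describes only reading gnome homedir content. If the sandbox only needs the read side, a read-only inherited-file interface would match the stated intent; otherwise the changelog entry should say read/write so the widening is recorded. The added `gnome_list_home_config(chrome_sandbox_t)` is narrower (directory listing on `config_home_t`) and is consistent with the description.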
@@ -91,8 +104,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.32/policy/modules/apps/gnome.if --- nsaserefpolicy/policy/modules/apps/gnome.if 2010-01-18 18:24:22.595534558 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-01-21 18:31:10.642612238 +0100 -@@ -84,12 +84,12 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/gnome.if 2010-02-02 15:10:12.321068500 +0100 +@@ -72,6 +72,24 @@ + domtrans_pattern($1, gconfd_exec_t, gconfd_t) + ') + ++####################################### ++## ++## Dontaudit search gnome homedir content (.config) ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++interface(`gnome_dontaudit_search_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ dontaudit $1 gnome_home_type:dir search_dir_perms; ++') ++ + ######################################## + ## + ## manage gnome homedir content (.config) +@@ -84,12 +102,12 @@ # interface(`gnome_manage_config',` gen_require(` @@ -109,7 +147,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_search_user_home_dirs($1) ') -@@ -129,12 +129,12 @@ +@@ -129,17 +147,17 @@ # template(`gnome_read_config',` gen_require(` 
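Review bot: The comment rule above the new `gnome_dontaudit_search_config` block, `#######################################`, is one character shorter than the 40-character `########################################` rule used by the surrounding interfaces in gnome.if. The same 39-character rule is used in the other blocks this commit adds (`gnome_list_home_config`, `gnome_rw_inherited_config`, `corenet_dontaudit_rw_tun_tap_dev`, `init_dontaudit_script_leaks`); padding each to 40 keeps the files uniform. The rule body itself, `dontaudit $1 gnome_home_type:dir search_dir_perms;`, is correctly scoped to the attribute and raises no concern.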
@@ -126,7 +164,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -255,11 +255,11 @@ + ## +-## read gconf config files ++## Read gconf config files + ## + ## + ## +@@ -238,6 +256,24 @@ + manage_files_pattern($1, gconf_home_t, gconf_home_t) + ') + ++####################################### ++## ++## Read gnome homedir content (.config) ++## ++## ++## ++## The type of the user domain. ++## ++## ++# ++template(`gnome_list_home_config',` ++ gen_require(` ++ type config_home_t; ++ ') ++ ++ allow $1 config_home_t:dir list_dir_perms; ++') ++ + ######################################## + ## + ## Connect to gnome over an unix stream socket. +@@ -255,11 +291,29 @@ # interface(`gnome_stream_connect',` gen_require(` @@ -137,10 +206,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Connect to pulseaudit server - stream_connect_pattern($1, gnome_home_t, gnome_home_t, $2) + stream_connect_pattern($1, gnome_home_type, gnome_home_type, $2) ++') ++ ++####################################### ++## ++## Read/Write all inherited gnome home config ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`gnome_rw_inherited_config',` ++ gen_require(` ++ attribute gnome_home_type; ++ ') ++ ++ allow $1 gnome_home_type:file rw_inherited_file_perms; ') ######################################## -@@ -274,8 +274,8 @@ +@@ -274,8 +328,9 @@ # interface(`gnome_write_inherited_config',` gen_require(` 
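Review bot: The summary of the new `gnome_list_home_config` says `Read gnome homedir content (.config)` but the body grants only `list_dir_perms` on `config_home_t:dir`, so the documentation overstates the access; `## List gnome homedir content (.config)` matches both the name and the rule. The block is declared with `template(` although it requires a single fixed type and derives nothing per caller, so `interface(` is presumably the intended keyword (as used by `gnome_dontaudit_search_config` earlier in this diff) unless a per-role derivation is planned. The capitalisation change of the gconf summary in the same hunk is fine.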
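Review bot: The body of the new `gnome_rw_inherited_config`, `allow $1 gnome_home_type:file rw_inherited_file_perms;`, is identical to the one `gnome_write_inherited_config` already has after this patch (visible as context in the `@@ -151,6 +238,7 @@` hunk), so the two interfaces are duplicates under different names and chrome.te's switch between them changes no access. Either restrict `gnome_write_inherited_config` to the write side so its name is truthful, or have it call `gnome_rw_inherited_config($1)` and mark it deprecated, so callers are not left guessing which one to use. The enclosing `gnome_write_inherited_config` definition continues past the end of this hunk.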
@@ -151,6 +238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - allow $1 gnome_home_t:file rw_inherited_file_perms; + allow $1 gnome_home_type:file rw_inherited_file_perms; ') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.te serefpolicy-3.6.32/policy/modules/apps/gnome.te --- nsaserefpolicy/policy/modules/apps/gnome.te 2010-01-18 18:24:22.596529936 +0100 +++ serefpolicy-3.6.32/policy/modules/apps/gnome.te 2010-01-21 18:31:15.086614286 +0100 @@ -621,6 +709,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_mmap_low_type(wine_t) tunable_policy(`mmap_low_allowed',` domain_mmap_low(wine_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in +--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2009-09-16 16:01:19.000000000 +0200 ++++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.if.in 2010-02-02 15:20:43.717067439 +0100 +@@ -1703,6 +1703,24 @@ + allow $1 tun_tap_device_t:chr_file rw_chr_file_perms; + ') + ++####################################### ++## ++## dontaudit Read and write the TUN/TAP virtual network device. ++## ++## ++## ++## The domain allowed access. ++## ++## ++# ++interface(`corenet_dontaudit_rw_tun_tap_dev',` ++ gen_require(` ++ type tun_tap_device_t; ++ ') ++ ++ dontaudit $1 tun_tap_device_t:chr_file { read write }; ++') ++ + ######################################## + ## + ## Getattr the point-to-point device. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-18 18:24:22.668540002 +0100 +++ serefpolicy-3.6.32/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:10:56.565608631 +0100 
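Review bot: The summary of the new `corenet_dontaudit_rw_tun_tap_dev`, `dontaudit Read and write the TUN/TAP virtual network device.`, does not follow the phrasing used for dontaudit interfaces elsewhere in the tree (compare `## Do not audit attempts to read and write Apache` in the apache.if context later in this diff); `## Do not audit attempts to read and write the TUN/TAP virtual network device.` keeps the interface documentation consistent. The rule `dontaudit $1 tun_tap_device_t:chr_file { read write };` is deliberately narrower than the `rw_chr_file_perms` used by the allow interface just above it, which is reasonable since other denials on the device would presumably still be logged.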
@@ -791,13 +907,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-18 18:24:22.720530134 +0100 -+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-18 18:27:02.752530994 +0100 -@@ -2,7 +2,7 @@ ++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-02-02 10:47:12.668175161 +0100 +@@ -2,7 +2,10 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) +/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++/usr/sbin/xrdp -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++/usr/sbin/xrdp-sesman -- gen_context(system_u:object_r:unconfined_exec_t,s0) ++ /usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) /usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0) @@ -975,7 +1094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to read and write Apache diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-01-18 18:24:22.739530246 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-01-26 15:36:27.882713495 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2010-02-02 14:56:02.348068014 +0100 
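Review bot: `/usr/sbin/xrdp` and `/usr/sbin/xrdp-sesman` are labeled `unconfined_exec_t`, which per the comment above the block ("we need initrc to transition to unconfined_t") makes init start them with no SELinux confinement at all. xrdp is, as far as I know, a network-listening remote desktop service, so a compromise of it yields an unconfined process; if a dedicated domain is not available yet, a comment above the two lines recording that this is the temporary "until someone writes a sane policy" case would make the exposure explicit for whoever writes that policy. The additional empty line inserted after them (the bare `++`) looks unintentional.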
@@ -309,7 +309,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t) manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) @@ -985,7 +1104,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow the httpd_t to read the web servers config files allow httpd_t httpd_config_t:dir list_dir_perms; -@@ -612,6 +612,11 @@ +@@ -400,6 +400,7 @@ + dev_rw_crypto(httpd_t) + + fs_getattr_all_fs(httpd_t) ++fs_list_inotifyfs(httpd_t) + fs_search_auto_mountpoints(httpd_t) + fs_read_iso9660_files(httpd_t) + +@@ -612,6 +613,11 @@ avahi_dbus_chat(httpd_t) ') ') @@ -1531,6 +1658,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +term_dontaudit_use_all_user_ptys(memcached_t) +term_dontaudit_use_all_user_ttys(memcached_t) +term_dontaudit_use_console(memcached_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.32/policy/modules/services/mta.te +--- nsaserefpolicy/policy/modules/services/mta.te 2010-01-18 18:24:22.813543710 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/mta.te 2010-02-02 10:43:31.244162625 +0100 +@@ -132,6 +132,7 @@ + + optional_policy(` + fail2ban_append_log(system_mail_t) ++ fail2ban_dontaudit_leaks(system_mail_t) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2010-01-18 18:24:22.819530575 +0100 +++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2010-01-26 14:38:16.349463228 +0100 
@@ -1797,7 +1935,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(plymouth_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-01 20:36:15.743410648 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-02-02 15:30:16.529067989 +0100 @@ -89,6 +89,10 @@ ') ') @@ -1818,6 +1956,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) files_search_home(policykit_auth_t) +@@ -129,7 +135,9 @@ + + miscfiles_read_localization(policykit_auth_t) + miscfiles_read_fonts(policykit_auth_t) ++miscfiles_setattr_fonts_cache_dirs(policykit_auth_t) + ++userdom_read_admin_home_files(policykit_auth_t) + userdom_dontaudit_read_user_home_content_files(policykit_auth_t) + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.32/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2010-01-18 18:24:22.855540671 +0100 +++ serefpolicy-3.6.32/policy/modules/services/postfix.te 2010-01-18 18:27:02.768530934 +0100 
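Review bot: `userdom_read_admin_home_files(policykit_auth_t)` is added alongside the fonts-cache setattr rule but appears in neither the changelog nor the commit message, and reading files under the admin home is a considerably broader grant than setting attributes on a cache directory. A comment naming what policykit-auth actually reads there (e.g. `# policykit-auth reads <FILE-UNDER-ADMIN-HOME>` with the real path filled in), or a rule narrowed to that object, plus a changelog line would make the change reviewable. The `miscfiles_setattr_fonts_cache_dirs(policykit_auth_t)` line matches the description and raises no concern.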
@@ -2630,6 +2778,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol consoletype_exec(hotplug_t) ') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if +--- nsaserefpolicy/policy/modules/system/init.if 2010-01-18 18:24:22.933540325 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2010-02-02 15:33:20.194067768 +0100 +@@ -1686,3 +1686,25 @@ + allow $1 initrc_t:sem rw_sem_perms; + ') + ++####################################### ++## ++## Dontaudit read and write an leaked init scrip file descriptors ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`init_dontaudit_script_leaks',` ++ gen_require(` ++ type initrc_t; ++ ') ++ ++ dontaudit $1 initrc_t:tcp_socket { read write }; ++ dontaudit $1 initrc_t:unix_dgram_socket { read write }; ++ dontaudit $1 initrc_t:unix_stream_socket { read write }; ++ dontaudit $1 initrc_t:shm rw_shm_perms; ++ init_dontaudit_use_script_ptys($1) ++ init_dontaudit_use_script_fds($1) ++') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2010-01-18 18:24:22.936530091 +0100 +++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-18 18:27:02.782531248 +0100 
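Review bot: The summary of the new `init_dontaudit_script_leaks` reads `Dontaudit read and write an leaked init scrip file descriptors`, which contains two typos and does not use the "Do not audit attempts to …" phrasing used elsewhere; `## Do not audit attempts to read and write leaked init script file descriptors.` fixes both. The body also silences `initrc_t:tcp_socket { read write }` denials, which hides a class of descriptor leak that is usually worth seeing at least once while testing in permissive mode; a one-line comment explaining why all four object classes plus the pty and fd helpers are bundled here would help future readers decide whether the suppression is still warranted.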
@@ -2664,19 +2841,51 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms; manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te +--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-18 18:24:22.941530168 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2010-02-02 15:25:03.135335306 +0100 +@@ -52,6 +52,7 @@ + kernel_use_fds(iptables_t) + + corenet_relabelto_all_packets(iptables_t) ++corenet_dontaudit_rw_tun_tap_dev(iptables_t) + + dev_read_sysfs(iptables_t) + +@@ -71,6 +72,7 @@ + + auth_use_nsswitch(iptables_t) + ++init_dontaudit_script_leaks(iptables_t) + init_use_fds(iptables_t) + init_use_script_ptys(iptables_t) + # to allow rules to be saved on reboot: diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc --- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200 -+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-18 18:27:02.783531305 +0100 -@@ -1,3 +1,5 @@ ++++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-02-02 15:17:13.812067843 +0100 +@@ -1,5 +1,8 @@ + -+/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) /sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) ++/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0) + /var/lock/iscsi(/.*)? 
gen_context(system_u:object_r:iscsi_lock_t,s0) + /var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.6.32/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2010-01-18 18:24:22.943530492 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-01-18 18:27:02.783531305 +0100 -@@ -35,10 +35,13 @@ ++++ serefpolicy-3.6.32/policy/modules/system/iscsi.te 2010-02-02 15:08:50.761068281 +0100 +@@ -14,6 +14,9 @@ + type iscsi_lock_t; + files_lock_file(iscsi_lock_t) + ++type iscsi_log_t; ++logging_log_file(iscsi_log_t) ++ + type iscsi_tmp_t; + files_tmp_file(iscsi_tmp_t) + +@@ -35,10 +38,13 @@ allow iscsid_t self:unix_dgram_socket create_socket_perms; allow iscsid_t self:sem create_sem_perms; allow iscsid_t self:shm create_shm_perms; @@ -2690,7 +2899,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) files_lock_filetrans(iscsid_t, iscsi_lock_t, file) -@@ -67,6 +70,7 @@ +@@ -51,6 +57,9 @@ + read_lnk_files_pattern(iscsid_t, iscsi_var_lib_t, iscsi_var_lib_t) + files_search_var_lib(iscsid_t) + ++manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t) ++logging_log_filetrans(iscsid_t, iscsi_log_t, file) ++ + manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) + files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) + +@@ -67,6 +76,7 @@ corenet_tcp_connect_isns_port(iscsid_t) dev_rw_sysfs(iscsid_t) 
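Review bot: `manage_files_pattern(iscsid_t, iscsi_log_t, iscsi_log_t)` lets iscsid_t unlink, rename and truncate its own log, so a compromised daemon could erase evidence of its activity; if the daemon only appends to the log, an `append_files_pattern` plus `create_files_pattern` pair preserves the log's tamper-evidence while still letting it be created. `logging_log_filetrans(iscsid_t, iscsi_log_t, file)` labels any file iscsid_t creates directly under /var/log as `iscsi_log_t`, which is the usual pattern in this tree and fine as long as nothing else is created there. The `type iscsi_log_t;` / `logging_log_file(iscsi_log_t)` declaration earlier in the hunk and the matching `/var/log/brcm-iscsi\.log` entry in iscsi.fc look correct.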
@@ -2700,7 +2919,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-01-18 18:24:22.945540594 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-01-27 14:59:22.372614529 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2010-02-02 10:45:09.949162869 +0100 @@ -245,8 +245,12 @@ # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame /usr/lib(64)?.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -2725,14 +2944,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -433,8 +435,17 @@ +@@ -433,8 +435,16 @@ /usr/lib(64)?/octagaplayer/libapplication\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/AutoScan/usr/lib/libvte\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libsybdb\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/Unify/SQLBase/libgptsblmsui11.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/real/RealPlayer/plugins/theorarend\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/opt/real/RealPlayer/plugins/oggfformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/bin/bsnes -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
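Review bot: Replacing the two explicit plugin entries with `/opt/real/RealPlayer/plugins/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` extends the text-relocation (execmod) exemption from two named libraries to every shared object placed in that directory, so the protection against writable-then-executable mappings no longer applies to any future or third-party plugin dropped there. That is probably the pragmatic choice for a closed-source player whose plugins all need it, but a short comment above the line, such as `# RealPlayer plugins are built with text relocations`, records why the whole directory is exempt rather than individual files.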
@@ -2774,6 +2992,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/webmin(/.*)? gen_context(system_u:object_r:var_log_t,s0) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.32/policy/modules/system/logging.te +--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-18 18:24:22.951535142 +0100 ++++ serefpolicy-3.6.32/policy/modules/system/logging.te 2010-02-02 14:39:43.439068166 +0100 +@@ -489,6 +489,10 @@ + ') + + optional_policy(` ++ mysql_stream_connect(syslogd_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(syslogd_t) + ') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.6.32/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-01-18 18:24:22.955540050 +0100 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.if 2010-01-22 16:24:01.851857861 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index 24d832d..491df01 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 80%{?dist} +Release: 81%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -454,6 +454,15 @@ exit 0 %endif %changelog +* Tue Feb 2 2010 Miroslav Grepl 3.6.32-81 +- Allow policykit-auth to set attributes on fonts cache directory +- Add label for RealPlayer plugins +- Add label for /usr/sbin/xrdp +- Allow chrome-sandbox to read gnome homedir content +- Allow rsyslogd to connect to MySQL using a unix domain stream socket +- Allow apache to list inotifyfs filesystem +- Add label for /dev/pps device + * Mon Feb 1 2010 Miroslav Grepl 3.6.32-80 - Allow xdm to execute octave - Add label for var/run/lxdm.auth