From c33872fd60bfb88d44ddca490461206fe71b4326 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Jan 03 2012 23:25:52 +0000 Subject: +* Wed Jan 4 2012 Miroslav Grepl 3.10.0-71 +- New fix for seunshare, requires seunshare_domains to be able to mounton / --- diff --git a/policy-F16.patch b/policy-F16.patch index 68f4fea..2475a02 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -11501,10 +11501,10 @@ index 1dc7a85..a01511f 100644 + corecmd_shell_domtrans($1_seunshare_t, $1_t) ') diff --git a/policy/modules/apps/seunshare.te b/policy/modules/apps/seunshare.te -index 7590165..7e6f53c 100644 +index 7590165..0596425 100644 --- a/policy/modules/apps/seunshare.te +++ b/policy/modules/apps/seunshare.te -@@ -5,40 +5,59 @@ policy_module(seunshare, 1.1.0) +@@ -5,40 +5,60 @@ policy_module(seunshare, 1.1.0) # Declarations # @@ -11543,6 +11543,7 @@ index 7590165..7e6f53c 100644 +files_search_all(seunshare_domain) +files_read_etc_files(seunshare_domain) +files_mounton_all_poly_members(seunshare_domain) ++files_mounton_rootfs(seunshare_domain) +files_manage_generic_tmp_dirs(seunshare_domain) +files_relabelfrom_tmp_dirs(seunshare_domain) @@ -16815,7 +16816,7 @@ index c19518a..12e8e9c 100644 +/nsr(/.*)? gen_context(system_u:object_r:var_t,s0) +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if -index ff006ea..b682bcf 100644 +index ff006ea..90fa357 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -55,6 +55,7 @@ @@ -16980,7 +16981,32 @@ index ff006ea..b682bcf 100644 ## Unmount a rootfs filesystem. ## ## -@@ -1848,7 +1952,7 @@ interface(`files_boot_filetrans',` +@@ -1678,6 +1782,24 @@ interface(`files_unmount_rootfs',` + + ######################################## + ## ++## Mount a filesystem on the root file system ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_mounton_rootfs',` ++ gen_require(` ++ type root_t; ++ ') ++ ++ allow $1 root_t:dir { search_dir_perms mounton }; ++') ++ ++######################################## ++## + ## Get attributes of the /boot directory. + ## + ## +@@ -1848,7 +1970,7 @@ interface(`files_boot_filetrans',` type boot_t; ') @@ -16989,7 +17015,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -2372,6 +2476,24 @@ interface(`files_rw_etc_dirs',` +@@ -2372,6 +2494,24 @@ interface(`files_rw_etc_dirs',` allow $1 etc_t:dir rw_dir_perms; ') @@ -17014,7 +17040,7 @@ index ff006ea..b682bcf 100644 ########################################## ## ## Manage generic directories in /etc -@@ -2451,7 +2573,7 @@ interface(`files_read_etc_files',` +@@ -2451,7 +2591,7 @@ interface(`files_read_etc_files',` ## ## ## @@ -17023,7 +17049,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -2507,6 +2629,25 @@ interface(`files_manage_etc_files',` +@@ -2507,6 +2647,25 @@ interface(`files_manage_etc_files',` ######################################## ## @@ -17049,7 +17075,7 @@ index ff006ea..b682bcf 100644 ## Delete system configuration files in /etc. ## ## -@@ -2525,6 +2666,24 @@ interface(`files_delete_etc_files',` +@@ -2525,6 +2684,24 @@ interface(`files_delete_etc_files',` ######################################## ## @@ -17074,7 +17100,7 @@ index ff006ea..b682bcf 100644 ## Execute generic files in /etc. ## ## -@@ -2624,7 +2783,7 @@ interface(`files_etc_filetrans',` +@@ -2624,7 +2801,7 @@ interface(`files_etc_filetrans',` type etc_t; ') @@ -17083,7 +17109,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -2680,24 +2839,6 @@ interface(`files_delete_boot_flag',` +@@ -2680,24 +2857,6 @@ interface(`files_delete_boot_flag',` ######################################## ## @@ -17108,7 +17134,7 @@ index ff006ea..b682bcf 100644 ## Read files in /etc that are dynamically ## created on boot, such as mtab. ## -@@ -2738,6 +2879,24 @@ interface(`files_read_etc_runtime_files',` +@@ -2738,6 +2897,24 @@ interface(`files_read_etc_runtime_files',` ######################################## ## @@ -17133,7 +17159,7 @@ index ff006ea..b682bcf 100644 ## Do not audit attempts to read files ## in /etc that are dynamically ## created on boot, such as mtab. -@@ -2775,6 +2934,7 @@ interface(`files_rw_etc_runtime_files',` +@@ -2775,6 +2952,7 @@ interface(`files_rw_etc_runtime_files',` allow $1 etc_t:dir list_dir_perms; rw_files_pattern($1, etc_t, etc_runtime_t) @@ -17141,7 +17167,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -2796,6 +2956,7 @@ interface(`files_manage_etc_runtime_files',` +@@ -2796,6 +2974,7 @@ interface(`files_manage_etc_runtime_files',` ') manage_files_pattern($1, { etc_t etc_runtime_t }, etc_runtime_t) @@ -17149,7 +17175,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3364,7 +3525,7 @@ interface(`files_home_filetrans',` +@@ -3364,7 +3543,7 @@ interface(`files_home_filetrans',` type home_root_t; ') @@ -17158,7 +17184,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3502,20 +3663,38 @@ interface(`files_list_mnt',` +@@ -3502,20 +3681,38 @@ interface(`files_list_mnt',` ###################################### ## @@ -17202,7 +17228,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3804,7 +3983,7 @@ interface(`files_kernel_modules_filetrans',` +@@ -3804,7 +4001,7 @@ interface(`files_kernel_modules_filetrans',` type modules_object_t; ') @@ -17211,7 +17237,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -3900,6 +4079,99 @@ interface(`files_read_world_readable_sockets',` +@@ -3900,6 +4097,99 @@ interface(`files_read_world_readable_sockets',` allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -17311,7 +17337,7 @@ index ff006ea..b682bcf 100644 ######################################## ## ## Allow the specified type to associate -@@ -3945,7 +4217,7 @@ interface(`files_getattr_tmp_dirs',` +@@ -3945,7 +4235,7 @@ interface(`files_getattr_tmp_dirs',` ## ## ## @@ -17320,7 +17346,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4017,7 +4289,7 @@ interface(`files_list_tmp',` +@@ -4017,7 +4307,7 @@ interface(`files_list_tmp',` ## ## ## @@ -17329,7 +17355,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4029,6 +4301,24 @@ interface(`files_dontaudit_list_tmp',` +@@ -4029,6 +4319,24 @@ interface(`files_dontaudit_list_tmp',` dontaudit $1 tmp_t:dir list_dir_perms; ') @@ -17354,12 +17380,13 @@ index ff006ea..b682bcf 100644 ######################################## ## ## Remove entries from the tmp directory. -@@ -4085,6 +4375,32 @@ interface(`files_manage_generic_tmp_dirs',` +@@ -4085,17 +4393,43 @@ interface(`files_manage_generic_tmp_dirs',` ######################################## ## +-## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. -+## + ## +## +##

+## Allow shared library text relocations in tmp files. @@ -17368,14 +17395,16 @@ index ff006ea..b682bcf 100644 +## This is added to support java policy. +##

+## -+## -+## -+## Domain allowed access. -+## -+## -+# + ## + ## + ## Domain allowed access. + ## + ## + # +-interface(`files_manage_generic_tmp_files',` +interface(`files_execmod_tmp',` -+ gen_require(` + gen_require(` +- type tmp_t; + attribute tmpfile; + ') + @@ -17384,26 +17413,34 @@ index ff006ea..b682bcf 100644 + +######################################## +## - ## Manage temporary files and directories in /tmp. - ## - ## -@@ -4139,7 +4455,7 @@ interface(`files_rw_generic_tmp_sockets',` ++## Manage temporary files and directories in /tmp. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`files_manage_generic_tmp_files',` ++ gen_require(` ++ type tmp_t; + ') + + manage_files_pattern($1, tmp_t, tmp_t) +@@ -4139,6 +4473,42 @@ interface(`files_rw_generic_tmp_sockets',` ######################################## ## --## Set the attributes of all tmp directories. +## Relabel a dir from the type used in /tmp. - ## - ## - ## -@@ -4147,9 +4463,45 @@ interface(`files_rw_generic_tmp_sockets',` - ## - ## - # --interface(`files_setattr_all_tmp_dirs',` ++## ++## ++## ++## Domain allowed access. ++## ++## ++# +interface(`files_relabelfrom_tmp_dirs',` - gen_require(` -- attribute tmpfile; ++ gen_require(` + type tmp_t; + ') + @@ -17430,21 +17467,10 @@ index ff006ea..b682bcf 100644 + +######################################## +## -+## Set the attributes of all tmp directories. -+## -+## -+## -+## Domain allowed access. -+## -+## -+# -+interface(`files_setattr_all_tmp_dirs',` -+ gen_require(` -+ attribute tmpfile; - ') - - allow $1 tmpfile:dir { search_dir_perms setattr }; -@@ -4202,7 +4554,7 @@ interface(`files_relabel_all_tmp_dirs',` + ## Set the attributes of all tmp directories. + ## + ## +@@ -4202,7 +4572,7 @@ interface(`files_relabel_all_tmp_dirs',` ## ## ## @@ -17453,7 +17479,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4262,7 +4614,7 @@ interface(`files_relabel_all_tmp_files',` +@@ -4262,7 +4632,7 @@ interface(`files_relabel_all_tmp_files',` ## ## ## @@ -17462,7 +17488,7 @@ index ff006ea..b682bcf 100644 ## ## # -@@ -4318,7 +4670,7 @@ interface(`files_tmp_filetrans',` +@@ -4318,7 +4688,7 @@ interface(`files_tmp_filetrans',` type tmp_t; ') @@ -17471,7 +17497,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -4342,6 +4694,16 @@ interface(`files_purge_tmp',` +@@ -4342,6 +4712,16 @@ interface(`files_purge_tmp',` delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -17488,7 +17514,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -4681,7 +5043,7 @@ interface(`files_usr_filetrans',` +@@ -4681,7 +5061,7 @@ interface(`files_usr_filetrans',` type usr_t; ') @@ -17497,7 +17523,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5084,7 +5446,7 @@ interface(`files_var_filetrans',` +@@ -5084,7 +5464,7 @@ interface(`files_var_filetrans',` type var_t; ') @@ -17506,7 +17532,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5219,7 +5581,7 @@ interface(`files_var_lib_filetrans',` +@@ -5219,7 +5599,7 @@ interface(`files_var_lib_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -17515,7 +17541,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5304,6 +5666,25 @@ interface(`files_manage_mounttab',` +@@ -5304,6 +5684,25 @@ interface(`files_manage_mounttab',` ######################################## ## @@ -17541,7 +17567,7 @@ index ff006ea..b682bcf 100644 ## Search the locks directory (/var/lock). ## ## -@@ -5317,6 +5698,8 @@ interface(`files_search_locks',` +@@ -5317,6 +5716,8 @@ interface(`files_search_locks',` type var_t, var_lock_t; ') @@ -17550,7 +17576,7 @@ index ff006ea..b682bcf 100644 search_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5336,12 +5719,14 @@ interface(`files_dontaudit_search_locks',` +@@ -5336,12 +5737,14 @@ interface(`files_dontaudit_search_locks',` type var_lock_t; ') @@ -17566,7 +17592,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5349,12 +5734,30 @@ interface(`files_dontaudit_search_locks',` +@@ -5349,12 +5752,30 @@ interface(`files_dontaudit_search_locks',` ## ## # @@ -17599,7 +17625,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5373,6 +5776,7 @@ interface(`files_rw_lock_dirs',` +@@ -5373,6 +5794,7 @@ interface(`files_rw_lock_dirs',` type var_t, var_lock_t; ') @@ -17607,7 +17633,7 @@ index ff006ea..b682bcf 100644 rw_dirs_pattern($1, var_t, var_lock_t) ') -@@ -5385,7 +5789,6 @@ interface(`files_rw_lock_dirs',` +@@ -5385,7 +5807,6 @@ interface(`files_rw_lock_dirs',` ## Domain allowed access. ## ## @@ -17615,7 +17641,7 @@ index ff006ea..b682bcf 100644 # interface(`files_relabel_all_lock_dirs',` gen_require(` -@@ -5412,7 +5815,7 @@ interface(`files_getattr_generic_locks',` +@@ -5412,7 +5833,7 @@ interface(`files_getattr_generic_locks',` type var_t, var_lock_t; ') @@ -17624,7 +17650,7 @@ index ff006ea..b682bcf 100644 allow $1 var_lock_t:dir list_dir_perms; getattr_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5428,12 +5831,12 @@ interface(`files_getattr_generic_locks',` +@@ -5428,12 +5849,12 @@ interface(`files_getattr_generic_locks',` ## # interface(`files_delete_generic_locks',` @@ -17641,7 +17667,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5452,7 +5855,7 @@ interface(`files_manage_generic_locks',` +@@ -5452,7 +5873,7 @@ interface(`files_manage_generic_locks',` type var_t, var_lock_t; ') @@ -17650,7 +17676,7 @@ index ff006ea..b682bcf 100644 manage_files_pattern($1, var_lock_t, var_lock_t) ') -@@ -5493,7 +5896,7 @@ interface(`files_read_all_locks',` +@@ -5493,7 +5914,7 @@ interface(`files_read_all_locks',` type var_t, var_lock_t; ') @@ -17659,7 +17685,7 @@ index ff006ea..b682bcf 100644 allow $1 lockfile:dir list_dir_perms; read_files_pattern($1, lockfile, lockfile) read_lnk_files_pattern($1, lockfile, lockfile) -@@ -5515,7 +5918,7 @@ interface(`files_manage_all_locks',` +@@ -5515,7 +5936,7 @@ interface(`files_manage_all_locks',` type var_t, var_lock_t; ') @@ -17668,7 +17694,7 @@ index ff006ea..b682bcf 100644 manage_dirs_pattern($1, lockfile, lockfile) manage_files_pattern($1, lockfile, lockfile) manage_lnk_files_pattern($1, lockfile, lockfile) -@@ -5547,8 +5950,8 @@ interface(`files_lock_filetrans',` +@@ -5547,8 +5968,8 @@ interface(`files_lock_filetrans',` type var_t, var_lock_t; ') @@ -17679,7 +17705,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5608,6 +6011,43 @@ interface(`files_search_pids',` +@@ -5608,6 +6029,43 @@ interface(`files_search_pids',` search_dirs_pattern($1, var_t, var_run_t) ') @@ -17723,7 +17749,7 @@ index ff006ea..b682bcf 100644 ######################################## ## ## Do not audit attempts to search -@@ -5629,6 +6069,25 @@ interface(`files_dontaudit_search_pids',` +@@ -5629,6 +6087,25 @@ interface(`files_dontaudit_search_pids',` ######################################## ## @@ -17749,7 +17775,7 @@ index ff006ea..b682bcf 100644 ## List the contents of the runtime process ## ID directories (/var/run). ## -@@ -5736,7 +6195,7 @@ interface(`files_pid_filetrans',` +@@ -5736,7 +6213,7 @@ interface(`files_pid_filetrans',` ') allow $1 var_t:dir search_dir_perms; @@ -17758,7 +17784,7 @@ index ff006ea..b682bcf 100644 ') ######################################## -@@ -5815,29 +6274,25 @@ interface(`files_dontaudit_ioctl_all_pids',` +@@ -5815,29 +6292,25 @@ interface(`files_dontaudit_ioctl_all_pids',` ######################################## ## @@ -17792,7 +17818,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5845,42 +6300,35 @@ interface(`files_read_all_pids',` +@@ -5845,42 +6318,35 @@ interface(`files_read_all_pids',` ## ## # @@ -17842,7 +17868,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5888,20 +6336,17 @@ interface(`files_delete_all_pids',` +@@ -5888,20 +6354,17 @@ interface(`files_delete_all_pids',` ## ## # @@ -17866,7 +17892,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5909,56 +6354,59 @@ interface(`files_delete_all_pid_dirs',` +@@ -5909,56 +6372,59 @@ interface(`files_delete_all_pid_dirs',` ## ## # @@ -17942,7 +17968,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5966,18 +6414,17 @@ interface(`files_list_spool',` +@@ -5966,18 +6432,17 @@ interface(`files_list_spool',` ## ## # @@ -17965,7 +17991,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -5985,19 +6432,18 @@ interface(`files_manage_generic_spool_dirs',` +@@ -5985,19 +6450,18 @@ interface(`files_manage_generic_spool_dirs',` ## ## # @@ -17990,7 +18016,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -6005,50 +6451,61 @@ interface(`files_read_generic_spool',` +@@ -6005,50 +6469,61 @@ interface(`files_read_generic_spool',` ## ## # @@ -18071,7 +18097,7 @@ index ff006ea..b682bcf 100644 ## ## ## -@@ -6056,31 +6513,283 @@ interface(`files_spool_filetrans',` +@@ -6056,16 +6531,268 @@ interface(`files_spool_filetrans',` ## ## # @@ -18086,26 +18112,11 @@ index ff006ea..b682bcf 100644 - # Need to give access to /selinux/member - selinux_compute_member($1) -- -- # Need sys_admin capability for mounting -- allow $1 self:capability { chown fsetid sys_admin fowner }; -- -- # Need to give access to the directories to be polyinstantiated -- allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -- -- # Need to give access to the polyinstantiated subdirectories -- allow $1 polymember:dir search_dir_perms; -- -- # Need to give access to parent directories where original -- # is remounted for polyinstantiation aware programs (like gdm) -- allow $1 polyparent:dir { getattr mounton }; + allow $1 var_t:dir search_dir_perms; + delete_dirs_pattern($1, pidfile, pidfile) +') -- # Need to give permission to create directories where applicable -- allow $1 self:process setfscreate; -- allow $1 polymember: dir { create setattr relabelto }; +- # Need sys_admin capability for mounting +######################################## +## +## Make the specified type a file @@ -18358,25 +18369,10 @@ index ff006ea..b682bcf 100644 + selinux_compute_member($1) + + # Need sys_admin capability for mounting -+ allow $1 self:capability { chown fsetid sys_admin fowner }; -+ -+ # Need to give access to the directories to be polyinstantiated -+ allow $1 polydir:dir { create open getattr search write add_name setattr mounton rmdir }; -+ -+ # Need to give access to the polyinstantiated subdirectories -+ allow $1 polymember:dir search_dir_perms; -+ -+ # Need to give access to parent directories where original -+ # is remounted for polyinstantiation aware programs (like gdm) -+ allow $1 polyparent:dir { getattr mounton }; -+ -+ # Need to give permission to create directories where applicable -+ allow $1 self:process setfscreate; -+ allow $1 polymember: dir { create setattr relabelto }; - allow $1 polydir: dir { write add_name open }; - allow $1 polyparent:dir { open read write remove_name add_name relabelfrom relabelto }; + allow $1 self:capability { chown fsetid sys_admin fowner }; -@@ -6117,3 +6826,284 @@ interface(`files_unconfined',` + # Need to give access to the directories to be polyinstantiated +@@ -6117,3 +6844,284 @@ interface(`files_unconfined',` typeattribute $1 files_unconfined_type; ') @@ -33177,7 +33173,7 @@ index 305ddf4..173cd16 100644 admin_pattern($1, ptal_etc_t) diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te -index 0f28095..825cafb 100644 +index 0f28095..4082621 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -15,6 +15,7 @@ files_pid_file(cupsd_config_var_run_t) @@ -33236,7 +33232,15 @@ index 0f28095..825cafb 100644 term_use_unallocated_ttys(cupsd_t) term_search_ptys(cupsd_t) -@@ -270,12 +275,6 @@ files_dontaudit_list_home(cupsd_t) +@@ -220,6 +225,7 @@ corecmd_exec_bin(cupsd_t) + + domain_use_interactive_fds(cupsd_t) + ++files_getattr_boot_dirs(cupsd_t) + files_list_spool(cupsd_t) + files_read_etc_files(cupsd_t) + files_read_etc_runtime_files(cupsd_t) +@@ -270,12 +276,6 @@ files_dontaudit_list_home(cupsd_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_t) userdom_dontaudit_search_user_home_content(cupsd_t) @@ -33249,7 +33253,7 @@ index 0f28095..825cafb 100644 optional_policy(` apm_domtrans_client(cupsd_t) ') -@@ -297,8 +296,10 @@ optional_policy(` +@@ -297,8 +297,10 @@ optional_policy(` hal_dbus_chat(cupsd_t) ') @@ -33260,7 +33264,7 @@ index 0f28095..825cafb 100644 ') ') -@@ -311,10 +312,22 @@ optional_policy(` +@@ -311,10 +313,22 @@ optional_policy(` ') optional_policy(` @@ -33283,7 +33287,7 @@ index 0f28095..825cafb 100644 mta_send_mail(cupsd_t) ') -@@ -371,8 +384,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) +@@ -371,8 +385,9 @@ files_tmp_filetrans(cupsd_config_t, cupsd_tmp_t, { lnk_file file dir }) allow cupsd_config_t cupsd_var_run_t:file read_file_perms; @@ -33294,7 +33298,7 @@ index 0f28095..825cafb 100644 domtrans_pattern(cupsd_config_t, hplip_exec_t, hplip_t) -@@ -393,6 +407,10 @@ dev_read_sysfs(cupsd_config_t) +@@ -393,6 +408,10 @@ dev_read_sysfs(cupsd_config_t) dev_read_urand(cupsd_config_t) dev_read_rand(cupsd_config_t) dev_rw_generic_usb_dev(cupsd_config_t) @@ -33305,7 +33309,7 @@ index 0f28095..825cafb 100644 files_search_all_mountpoints(cupsd_config_t) -@@ -425,11 +443,11 @@ seutil_dontaudit_search_config(cupsd_config_t) +@@ -425,11 +444,11 @@ seutil_dontaudit_search_config(cupsd_config_t) userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -33319,7 +33323,7 @@ index 0f28095..825cafb 100644 ifdef(`distro_redhat',` optional_policy(` rpm_read_db(cupsd_config_t) -@@ -453,6 +471,10 @@ optional_policy(` +@@ -453,6 +472,10 @@ optional_policy(` ') optional_policy(` @@ -33330,7 +33334,7 @@ index 0f28095..825cafb 100644 hal_domtrans(cupsd_config_t) hal_read_tmp_files(cupsd_config_t) hal_dontaudit_use_fds(hplip_t) -@@ -467,6 +489,10 @@ optional_policy(` +@@ -467,6 +490,10 @@ optional_policy(` ') optional_policy(` @@ -33341,7 +33345,7 @@ index 0f28095..825cafb 100644 policykit_dbus_chat(cupsd_config_t) userdom_read_all_users_state(cupsd_config_t) ') -@@ -587,13 +613,17 @@ auth_use_nsswitch(cups_pdf_t) +@@ -587,13 +614,17 @@ auth_use_nsswitch(cups_pdf_t) miscfiles_read_localization(cups_pdf_t) miscfiles_read_fonts(cups_pdf_t) @@ -33361,7 +33365,7 @@ index 0f28095..825cafb 100644 tunable_policy(`use_nfs_home_dirs',` fs_search_auto_mountpoints(cups_pdf_t) -@@ -606,6 +636,10 @@ tunable_policy(`use_samba_home_dirs',` +@@ -606,6 +637,10 @@ tunable_policy(`use_samba_home_dirs',` fs_manage_cifs_files(cups_pdf_t) ') @@ -33372,7 +33376,7 @@ index 0f28095..825cafb 100644 ######################################## # # HPLIP local policy -@@ -639,7 +673,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) +@@ -639,7 +674,7 @@ manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t) manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) @@ -33381,7 +33385,7 @@ index 0f28095..825cafb 100644 manage_files_pattern(hplip_t, hplip_var_run_t, hplip_var_run_t) files_pid_filetrans(hplip_t, hplip_var_run_t, file) -@@ -685,6 +719,7 @@ domain_use_interactive_fds(hplip_t) +@@ -685,6 +720,7 @@ domain_use_interactive_fds(hplip_t) files_read_etc_files(hplip_t) files_read_etc_runtime_files(hplip_t) files_read_usr_files(hplip_t) @@ -33389,7 +33393,7 @@ index 0f28095..825cafb 100644 logging_send_syslog_msg(hplip_t) -@@ -696,8 +731,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) +@@ -696,8 +732,10 @@ userdom_dontaudit_use_unpriv_user_fds(hplip_t) userdom_dontaudit_search_user_home_dirs(hplip_t) userdom_dontaudit_search_user_home_content(hplip_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index a727853..5eff3e4 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 70%{?dist} +Release: 71%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,9 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Jan 4 2012 Miroslav Grepl 3.10.0-71 +- New fix for seunshare, requires seunshare_domains to be able to mounton / + * Tue Jan 3 2012 Miroslav Grepl 3.10.0-70 - Allow systemctl running as logrotate_t to connect to private systemd socket - Allow tmpwatch to read meminfo