From efa1438b312e66e0fc6583d5af07ed5aba526a75 Mon Sep 17 00:00:00 2001 From: Miroslav Date: Dec 02 2011 11:57:04 +0000 Subject: - Use fs_use_xattr for squashf - Fix procs_type interface - Dovecot has a new fifo_file /var/run/dovecot/stats-mail - Dovecot has a new fifo_file /var/run/stats-mail - Colord does not need to connect to network - Allow system_cronjob to dbus chat with NetworkManager - Puppet manages content, want to make sure it labels everything correctly --- diff --git a/policy-F16.patch b/policy-F16.patch index 90d2dcb..d880889 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -19233,10 +19233,18 @@ index 97fcdac..630ff53 100644 +') + diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index f125dc2..3c6e827 100644 +index f125dc2..f5e522e 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te -@@ -52,6 +52,7 @@ type anon_inodefs_t; +@@ -33,6 +33,7 @@ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); + fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); ++fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); + + # Use the allocating task SID to label inodes in the following filesystem + # types, and label the filesystem itself with the specified context. +@@ -52,6 +53,7 @@ type anon_inodefs_t; fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) genfscon anon_inodefs / gen_context(system_u:object_r:anon_inodefs_t,s0) @@ -19244,7 +19252,7 @@ index f125dc2..3c6e827 100644 type bdev_t; fs_type(bdev_t) -@@ -67,7 +68,7 @@ fs_type(capifs_t) +@@ -67,7 +69,7 @@ fs_type(capifs_t) files_mountpoint(capifs_t) genfscon capifs / gen_context(system_u:object_r:capifs_t,s0) 
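Review bot: Switching squashfs from a genfscon label to `fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);` moves label authority from the policy into the image: inodes are now typed from the security.selinux xattr stored by whoever built the image, where the old genfscon gave every file one policy-chosen type. Mounting is privileged either way, but the trade-off is worth recording next to the new line, e.g. `# squashfs carries xattrs; images of unknown origin should be mounted with context= so the policy, not the image, picks the labels`. The companion hunk at `@@ -19261,7 +19269,19 @@` drops `type squash_t` entirely; if any other module or file-context entry in the tree still names squash_t the build will fail, so that is worth a grep before merging.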
@@ -19253,7 +19261,7 @@ index f125dc2..3c6e827 100644 fs_type(cgroup_t) files_type(cgroup_t) files_mountpoint(cgroup_t) -@@ -96,6 +97,7 @@ type hugetlbfs_t; +@@ -96,6 +98,7 @@ type hugetlbfs_t; fs_type(hugetlbfs_t) files_mountpoint(hugetlbfs_t) fs_use_trans hugetlbfs gen_context(system_u:object_r:hugetlbfs_t,s0); @@ -19261,7 +19269,19 @@ index f125dc2..3c6e827 100644 type ibmasmfs_t; fs_type(ibmasmfs_t) -@@ -175,6 +177,7 @@ fs_type(tmpfs_t) +@@ -144,11 +147,6 @@ fs_type(spufs_t) + genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) + files_mountpoint(spufs_t) + +-type squash_t; +-fs_type(squash_t) +-genfscon squash / gen_context(system_u:object_r:squash_t,s0) +-files_mountpoint(squash_t) +- + type sysv_t; + fs_noxattr_type(sysv_t) + files_mountpoint(sysv_t) +@@ -175,6 +173,7 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -19269,7 +19289,7 @@ index f125dc2..3c6e827 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -254,6 +257,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -254,6 +253,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -19278,7 +19298,7 @@ index f125dc2..3c6e827 100644 files_mountpoint(removable_t) # -@@ -273,6 +278,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -273,6 +274,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -32034,7 +32054,7 @@ index 35241ed..445ced4 100644 + manage_files_pattern($1, system_cronjob_var_lib_t, system_cronjob_var_lib_t) ') 
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te -index f7583ab..1d71121 100644 +index f7583ab..9b5a52f 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -10,18 +10,18 @@ gen_require(` @@ -32437,7 +32457,18 @@ index f7583ab..1d71121 100644 ') optional_policy(` -@@ -480,7 +591,7 @@ optional_policy(` +@@ -472,6 +583,10 @@ optional_policy(` + ') + + optional_policy(` ++ networkmanager_dbus_chat(system_cronjob_t) ++') ++ ++optional_policy(` + postfix_read_config(system_cronjob_t) + ') + +@@ -480,7 +595,7 @@ optional_policy(` prelink_manage_lib(system_cronjob_t) prelink_manage_log(system_cronjob_t) prelink_read_cache(system_cronjob_t) @@ -32446,7 +32477,7 @@ index f7583ab..1d71121 100644 ') optional_policy(` -@@ -495,6 +606,7 @@ optional_policy(` +@@ -495,6 +610,7 @@ optional_policy(` optional_policy(` spamassassin_manage_lib_files(system_cronjob_t) @@ -32454,7 +32485,7 @@ index f7583ab..1d71121 100644 ') optional_policy(` -@@ -502,7 +614,13 @@ optional_policy(` +@@ -502,7 +618,13 @@ optional_policy(` ') optional_policy(` @@ -32468,7 +32499,7 @@ index f7583ab..1d71121 100644 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -595,9 +713,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) +@@ -595,9 +717,12 @@ userdom_manage_user_home_content_sockets(cronjob_t) #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) @@ -35990,10 +36021,10 @@ index fdaeeba..b1ea136 100644 + virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) ') diff --git a/policy/modules/services/dovecot.fc b/policy/modules/services/dovecot.fc -index bfc880b..9a1dcba 100644 +index bfc880b..9089c1a 100644 --- a/policy/modules/services/dovecot.fc 
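Review bot: `networkmanager_dbus_chat(system_cronjob_t)` grants every system cron job bidirectional D-Bus messaging with NetworkManager, and the hunk carries no comment on which job needs it; since system_cronjob_t presumably covers all system crontab scripts, a one-line comment naming the job or the report behind it would keep the grant reviewable later, e.g. `# <JOB> needs NetworkManager D-Bus access (see bug <ID>)` with the real references filled in. The surrounding optional_policy blocks are unchanged context.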
+++ b/policy/modules/services/dovecot.fc -@@ -25,7 +25,7 @@ ifdef(`distro_debian', ` +@@ -25,13 +25,14 @@ ifdef(`distro_debian', ` ifdef(`distro_redhat', ` /usr/libexec/dovecot/auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) /usr/libexec/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0) @@ -36002,6 +36033,13 @@ index bfc880b..9a1dcba 100644 /usr/libexec/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0) ') + # + # /var + # ++/var/run/stats-mail gen_context(system_u:object_r:dovecot_var_run_t,s0) + /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0) + /var/run/dovecot/login/ssl-parameters.dat -- gen_context(system_u:object_r:dovecot_var_lib_t,s0) + diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if index e1d7dc5..673f185 100644 --- a/policy/modules/services/dovecot.if @@ -36096,7 +36134,7 @@ index e1d7dc5..673f185 100644 admin_pattern($1, dovecot_var_run_t) diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te -index acf6d4f..2fbb869 100644 +index acf6d4f..aa446e9 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -18,7 +18,7 @@ type dovecot_auth_tmp_t; @@ -36150,7 +36188,7 @@ index acf6d4f..2fbb869 100644 files_search_etc(dovecot_t) can_exec(dovecot_t, dovecot_exec_t) -@@ -94,10 +99,11 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) +@@ -94,10 +99,12 @@ manage_dirs_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) manage_lnk_files_pattern(dovecot_t, dovecot_spool_t, dovecot_spool_t) 
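Review bot: The new `/var/run/stats-mail gen_context(system_u:object_r:dovecot_var_run_t,s0)` entry has no object-class specifier even though the commit message describes the path as a fifo_file; as written, a regular file or directory that some other component creates under that top-level /var/run name would be relabeled to dovecot's writable runtime type on restorecon. Restricting the entry to named pipes keeps the label where it belongs: `/var/run/stats-mail -p gen_context(system_u:object_r:dovecot_var_run_t,s0)`. The message also lists /var/run/dovecot/stats-mail, which is already matched by the existing `/var/run/dovecot(-login)?(/.*)?` line in this hunk, so no second entry is needed; the runtime creation side is the `files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file })` change in the dovecot.te hunk at `@@ -36159,11 +36197,12 @@`, which should stay consistent with whatever class the fc entry ends up matching.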
@@ -36159,11 +36197,12 @@ index acf6d4f..2fbb869 100644 manage_lnk_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) manage_sock_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) -files_pid_filetrans(dovecot_t, dovecot_var_run_t, file) -+files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file }) ++manage_fifo_files_pattern(dovecot_t, dovecot_var_run_t, dovecot_var_run_t) ++files_pid_filetrans(dovecot_t, dovecot_var_run_t, { dir file fifo_file }) kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -110,6 +116,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) +@@ -110,6 +117,7 @@ corenet_tcp_sendrecv_all_ports(dovecot_t) corenet_tcp_bind_generic_node(dovecot_t) corenet_tcp_bind_mail_port(dovecot_t) corenet_tcp_bind_pop_port(dovecot_t) @@ -36171,7 +36210,7 @@ index acf6d4f..2fbb869 100644 corenet_tcp_bind_sieve_port(dovecot_t) corenet_tcp_connect_all_ports(dovecot_t) corenet_tcp_connect_postgresql_port(dovecot_t) -@@ -160,6 +167,15 @@ optional_policy(` +@@ -160,6 +168,15 @@ optional_policy(` ') optional_policy(` @@ -36187,7 +36226,7 @@ index acf6d4f..2fbb869 100644 postgresql_stream_connect(dovecot_t) ') -@@ -180,8 +196,8 @@ optional_policy(` +@@ -180,8 +197,8 @@ optional_policy(` # dovecot auth local policy # @@ -36198,7 +36237,7 @@ index acf6d4f..2fbb869 100644 allow dovecot_auth_t self:fifo_file rw_fifo_file_perms; allow dovecot_auth_t self:unix_dgram_socket create_socket_perms; allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms; -@@ -190,6 +206,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p +@@ -190,6 +207,9 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p read_files_pattern(dovecot_auth_t, dovecot_passwd_t, dovecot_passwd_t) 
@@ -36208,7 +36247,7 @@ index acf6d4f..2fbb869 100644 manage_dirs_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t, dovecot_auth_tmp_t) files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir }) -@@ -201,9 +220,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) +@@ -201,9 +221,12 @@ dovecot_stream_connect_auth(dovecot_auth_t) kernel_read_all_sysctls(dovecot_auth_t) kernel_read_system_state(dovecot_auth_t) @@ -36221,7 +36260,7 @@ index acf6d4f..2fbb869 100644 dev_read_urand(dovecot_auth_t) auth_domtrans_chk_passwd(dovecot_auth_t) -@@ -218,6 +240,8 @@ files_read_var_lib_files(dovecot_auth_t) +@@ -218,6 +241,8 @@ files_read_var_lib_files(dovecot_auth_t) files_search_tmp(dovecot_auth_t) files_read_var_lib_files(dovecot_t) @@ -36230,7 +36269,7 @@ index acf6d4f..2fbb869 100644 init_rw_utmp(dovecot_auth_t) miscfiles_read_localization(dovecot_auth_t) -@@ -236,6 +260,8 @@ optional_policy(` +@@ -236,6 +261,8 @@ optional_policy(` optional_policy(` mysql_search_db(dovecot_auth_t) mysql_stream_connect(dovecot_auth_t) @@ -36239,7 +36278,7 @@ index acf6d4f..2fbb869 100644 ') optional_policy(` -@@ -243,6 +269,8 @@ optional_policy(` +@@ -243,6 +270,8 @@ optional_policy(` ') optional_policy(` @@ -36248,7 +36287,7 @@ index acf6d4f..2fbb869 100644 postfix_search_spool(dovecot_auth_t) ') -@@ -250,23 +278,42 @@ optional_policy(` +@@ -250,23 +279,42 @@ optional_policy(` # # dovecot deliver local policy # @@ -36293,7 +36332,7 @@ index acf6d4f..2fbb869 100644 miscfiles_read_localization(dovecot_deliver_t) -@@ -302,5 +349,19 @@ tunable_policy(`use_samba_home_dirs',` +@@ -302,5 +350,19 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` @@ -39438,10 +39477,10 @@ index 671d8fd..25c7ab8 100644 + dontaudit gnomeclock_t $1:dbus send_msg; +') diff --git a/policy/modules/services/gnomeclock.te b/policy/modules/services/gnomeclock.te -index 4fde46b..4978f18 100644 +index 4fde46b..9f468a5 100644 
--- a/policy/modules/services/gnomeclock.te +++ b/policy/modules/services/gnomeclock.te -@@ -15,18 +15,25 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) +@@ -15,18 +15,27 @@ dbus_system_domain(gnomeclock_t, gnomeclock_exec_t) # allow gnomeclock_t self:capability { sys_nice sys_time sys_ptrace }; @@ -39463,15 +39502,16 @@ index 4fde46b..4978f18 100644 +files_read_etc_runtime_files(gnomeclock_t) files_read_usr_files(gnomeclock_t) --auth_use_nsswitch(gnomeclock_t) +fs_getattr_xattr_fs(gnomeclock_t) ++ + auth_use_nsswitch(gnomeclock_t) -clock_domtrans(gnomeclock_t) -+auth_use_nsswitch(gnomeclock_t) ++logging_send_syslog_msg(gnomeclock_t) miscfiles_read_localization(gnomeclock_t) miscfiles_manage_localization(gnomeclock_t) -@@ -35,10 +42,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) +@@ -35,10 +44,33 @@ miscfiles_etc_filetrans_localization(gnomeclock_t) userdom_read_all_users_state(gnomeclock_t) optional_policy(` @@ -63689,7 +63729,7 @@ index 4966c94..cb2e1a3 100644 +/var/lib/pqsql/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0) + diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if -index 130ced9..b6fb17a 100644 +index 130ced9..351ed06 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -19,9 +19,10 @@ @@ -63774,13 +63814,15 @@ index 130ced9..b6fb17a 100644 xserver_xsession_entry_type($2) xserver_dontaudit_write_log($2) xserver_stream_connect_xdm($2) -@@ -106,12 +116,24 @@ interface(`xserver_restricted_role',` +@@ -106,12 +116,26 @@ interface(`xserver_restricted_role',` xserver_create_xdm_tmp_sockets($2) # Needed for escd, remove if we get escd policy xserver_manage_xdm_tmp_files($2) + xserver_read_xdm_etc_files($2) + xserver_xdm_append_log($2) + ++ term_use_virtio_console($2) ++ + modutils_run_insmod(xserver_t, $1) # Client write xserver shm 
@@ -63799,7 +63841,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -143,13 +165,15 @@ interface(`xserver_role',` +@@ -143,13 +167,15 @@ interface(`xserver_role',` allow $2 xserver_tmpfs_t:file rw_file_perms; allow $2 iceauth_home_t:file manage_file_perms; @@ -63817,7 +63859,7 @@ index 130ced9..b6fb17a 100644 relabel_dirs_pattern($2, user_fonts_t, user_fonts_t) relabel_files_pattern($2, user_fonts_t, user_fonts_t) -@@ -162,7 +186,6 @@ interface(`xserver_role',` +@@ -162,7 +188,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) @@ -63825,7 +63867,7 @@ index 130ced9..b6fb17a 100644 ') ####################################### -@@ -197,7 +220,7 @@ interface(`xserver_ro_session',` +@@ -197,7 +222,7 @@ interface(`xserver_ro_session',` allow $1 xserver_t:process signal; # Read /tmp/.X0-lock @@ -63834,7 +63876,7 @@ index 130ced9..b6fb17a 100644 # Client read xserver shm allow $1 xserver_t:fd use; -@@ -227,7 +250,7 @@ interface(`xserver_rw_session',` +@@ -227,7 +252,7 @@ interface(`xserver_rw_session',` type xserver_t, xserver_tmpfs_t; ') @@ -63843,7 +63885,7 @@ index 130ced9..b6fb17a 100644 allow $1 xserver_t:shm rw_shm_perms; allow $1 xserver_tmpfs_t:file rw_file_perms; ') -@@ -255,7 +278,7 @@ interface(`xserver_non_drawing_client',` +@@ -255,7 +280,7 @@ interface(`xserver_non_drawing_client',` allow $1 self:x_gc { create setattr }; @@ -63852,7 +63894,7 @@ index 130ced9..b6fb17a 100644 allow $1 xserver_t:unix_stream_socket connectto; allow $1 xextension_t:x_extension { query use }; -@@ -291,13 +314,13 @@ interface(`xserver_user_client',` +@@ -291,13 +316,13 @@ interface(`xserver_user_client',` allow $1 self:unix_stream_socket { connectto create_stream_socket_perms }; # Read .Xauthority file 
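Review bot: `term_use_virtio_console($2)` is added inside `xserver_restricted_role` with no comment, so every user domain that receives an X role gains use of virtio console devices, which has nothing to do with the xdm and font permissions around it; if the motivation is guest desktops whose console is virtio-backed, say so next to the line, e.g. `# guest sessions on a virtio console need rw access to it`, and otherwise consider placing the grant in the caller that actually needs it. The `xserver_restricted_role` interface begins before and ends after this hunk, and any broader role interface that calls it would inherit the grant as well.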
@@ -63870,7 +63912,7 @@ index 130ced9..b6fb17a 100644 allow $1 xdm_tmp_t:sock_file { read write }; dontaudit $1 xdm_t:tcp_socket { read write }; -@@ -342,19 +365,23 @@ interface(`xserver_user_client',` +@@ -342,19 +367,23 @@ interface(`xserver_user_client',` # template(`xserver_common_x_domain_template',` gen_require(` @@ -63897,7 +63939,7 @@ index 130ced9..b6fb17a 100644 ') ############################## -@@ -386,6 +413,15 @@ template(`xserver_common_x_domain_template',` +@@ -386,6 +415,15 @@ template(`xserver_common_x_domain_template',` allow $2 xevent_t:{ x_event x_synthetic_event } receive; # dont audit send failures dontaudit $2 input_xevent_type:x_event send; @@ -63913,7 +63955,7 @@ index 130ced9..b6fb17a 100644 ') ####################################### -@@ -444,8 +480,9 @@ template(`xserver_object_types_template',` +@@ -444,8 +482,9 @@ template(`xserver_object_types_template',` # template(`xserver_user_x_domain_template',` gen_require(` @@ -63925,7 +63967,7 @@ index 130ced9..b6fb17a 100644 ') allow $2 self:shm create_shm_perms; -@@ -456,11 +493,18 @@ template(`xserver_user_x_domain_template',` +@@ -456,11 +495,18 @@ template(`xserver_user_x_domain_template',` allow $2 xauth_home_t:file read_file_perms; allow $2 iceauth_home_t:file read_file_perms; @@ -63946,7 +63988,7 @@ index 130ced9..b6fb17a 100644 dontaudit $2 xdm_t:tcp_socket { read write }; # Allow connections to X server. -@@ -472,20 +516,26 @@ template(`xserver_user_x_domain_template',` +@@ -472,20 +518,26 @@ template(`xserver_user_x_domain_template',` # for .xsession-errors userdom_dontaudit_write_user_home_content_files($2) @@ -63975,7 +64017,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -517,6 +567,7 @@ interface(`xserver_use_user_fonts',` +@@ -517,6 +569,7 @@ interface(`xserver_use_user_fonts',` # Read per user fonts allow $1 user_fonts_t:dir list_dir_perms; allow $1 user_fonts_t:file read_file_perms; 
@@ -63983,7 +64025,7 @@ index 130ced9..b6fb17a 100644 # Manipulate the global font cache manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t) -@@ -549,6 +600,24 @@ interface(`xserver_domtrans_xauth',` +@@ -549,6 +602,24 @@ interface(`xserver_domtrans_xauth',` ######################################## ## @@ -64008,7 +64050,7 @@ index 130ced9..b6fb17a 100644 ## Create a Xauthority file in the user home directory. ## ## -@@ -598,6 +667,7 @@ interface(`xserver_read_user_xauth',` +@@ -598,6 +669,7 @@ interface(`xserver_read_user_xauth',` allow $1 xauth_home_t:file read_file_perms; userdom_search_user_home_dirs($1) @@ -64016,7 +64058,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -615,7 +685,7 @@ interface(`xserver_setattr_console_pipes',` +@@ -615,7 +687,7 @@ interface(`xserver_setattr_console_pipes',` type xconsole_device_t; ') @@ -64025,7 +64067,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -638,6 +708,25 @@ interface(`xserver_rw_console',` +@@ -638,6 +710,25 @@ interface(`xserver_rw_console',` ######################################## ## @@ -64051,7 +64093,7 @@ index 130ced9..b6fb17a 100644 ## Use file descriptors for xdm. ## ## -@@ -651,7 +740,7 @@ interface(`xserver_use_xdm_fds',` +@@ -651,7 +742,7 @@ interface(`xserver_use_xdm_fds',` type xdm_t; ') @@ -64060,7 +64102,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -670,7 +759,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` +@@ -670,7 +761,7 @@ interface(`xserver_dontaudit_use_xdm_fds',` type xdm_t; ') @@ -64069,7 +64111,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -688,7 +777,7 @@ interface(`xserver_rw_xdm_pipes',` +@@ -688,7 +779,7 @@ interface(`xserver_rw_xdm_pipes',` type xdm_t; ') 
@@ -64078,7 +64120,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -703,12 +792,11 @@ interface(`xserver_rw_xdm_pipes',` +@@ -703,12 +794,11 @@ interface(`xserver_rw_xdm_pipes',` ## # interface(`xserver_dontaudit_rw_xdm_pipes',` @@ -64092,7 +64134,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -724,11 +812,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` +@@ -724,11 +814,31 @@ interface(`xserver_dontaudit_rw_xdm_pipes',` # interface(`xserver_stream_connect_xdm',` gen_require(` @@ -64126,7 +64168,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -752,6 +860,25 @@ interface(`xserver_read_xdm_rw_config',` +@@ -752,6 +862,25 @@ interface(`xserver_read_xdm_rw_config',` ######################################## ## @@ -64152,7 +64194,7 @@ index 130ced9..b6fb17a 100644 ## Set the attributes of XDM temporary directories. ## ## -@@ -765,7 +892,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` +@@ -765,7 +894,7 @@ interface(`xserver_setattr_xdm_tmp_dirs',` type xdm_tmp_t; ') @@ -64161,7 +64203,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -805,7 +932,26 @@ interface(`xserver_read_xdm_pid',` +@@ -805,7 +934,26 @@ interface(`xserver_read_xdm_pid',` ') files_search_pids($1) @@ -64189,7 +64231,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -828,6 +974,24 @@ interface(`xserver_read_xdm_lib_files',` +@@ -828,6 +976,24 @@ interface(`xserver_read_xdm_lib_files',` ######################################## ## @@ -64214,7 +64256,7 @@ index 130ced9..b6fb17a 100644 ## Make an X session script an entrypoint for the specified domain. ## ## -@@ -897,7 +1061,7 @@ interface(`xserver_getattr_log',` +@@ -897,7 +1063,7 @@ interface(`xserver_getattr_log',` ') logging_search_logs($1) 
@@ -64223,7 +64265,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -916,7 +1080,7 @@ interface(`xserver_dontaudit_write_log',` +@@ -916,7 +1082,7 @@ interface(`xserver_dontaudit_write_log',` type xserver_log_t; ') @@ -64232,7 +64274,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -963,6 +1127,45 @@ interface(`xserver_read_xkb_libs',` +@@ -963,6 +1129,45 @@ interface(`xserver_read_xkb_libs',` ######################################## ## @@ -64278,7 +64320,7 @@ index 130ced9..b6fb17a 100644 ## Read xdm temporary files. ## ## -@@ -976,7 +1179,7 @@ interface(`xserver_read_xdm_tmp_files',` +@@ -976,7 +1181,7 @@ interface(`xserver_read_xdm_tmp_files',` type xdm_tmp_t; ') @@ -64287,7 +64329,7 @@ index 130ced9..b6fb17a 100644 read_files_pattern($1, xdm_tmp_t, xdm_tmp_t) ') -@@ -1038,6 +1241,42 @@ interface(`xserver_manage_xdm_tmp_files',` +@@ -1038,6 +1243,42 @@ interface(`xserver_manage_xdm_tmp_files',` ######################################## ## @@ -64330,7 +64372,7 @@ index 130ced9..b6fb17a 100644 ## Do not audit attempts to get the attributes of ## xdm temporary named sockets. ## -@@ -1052,7 +1291,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` +@@ -1052,7 +1293,7 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',` type xdm_tmp_t; ') @@ -64339,7 +64381,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1070,8 +1309,10 @@ interface(`xserver_domtrans',` +@@ -1070,8 +1311,10 @@ interface(`xserver_domtrans',` type xserver_t, xserver_exec_t; ') @@ -64351,7 +64393,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1185,6 +1426,26 @@ interface(`xserver_stream_connect',` +@@ -1185,6 +1428,26 @@ interface(`xserver_stream_connect',` files_search_tmp($1) stream_connect_pattern($1, xserver_tmp_t, xserver_tmp_t, xserver_t) 
@@ -64378,7 +64420,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1210,7 +1471,7 @@ interface(`xserver_read_tmp_files',` +@@ -1210,7 +1473,7 @@ interface(`xserver_read_tmp_files',` ## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the @@ -64387,7 +64429,7 @@ index 130ced9..b6fb17a 100644 ## ## ## -@@ -1220,13 +1481,23 @@ interface(`xserver_read_tmp_files',` +@@ -1220,13 +1483,23 @@ interface(`xserver_read_tmp_files',` # interface(`xserver_manage_core_devices',` gen_require(` @@ -64412,7 +64454,7 @@ index 130ced9..b6fb17a 100644 ') ######################################## -@@ -1243,10 +1514,458 @@ interface(`xserver_manage_core_devices',` +@@ -1243,10 +1516,458 @@ interface(`xserver_manage_core_devices',` # interface(`xserver_unconfined',` gen_require(` diff --git a/selinux-policy.spec b/selinux-policy.spec index 0fee544..7a72978 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 63%{?dist} +Release: 64%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -466,6 +466,15 @@ SELinux Reference policy mls base module. %endif %changelog +* Fri Dec 2 2011 Miroslav Grepl 3.10.0-64 +- Use fs_use_xattr for squashf +- Fix procs_type interface +- Dovecot has a new fifo_file /var/run/dovecot/stats-mail +- Dovecot has a new fifo_file /var/run/stats-mail +- Colord does not need to connect to network +- Allow system_cronjob to dbus chat with NetworkManager +- Puppet manages content, want to make sure it labels everything correctly + * Tue Nov 29 2011 Miroslav Grepl 3.10.0-63 - Change port 9050 to tor_socks_port_t and then allow openvpn to connect to it - Allow all postfix domains to use the fifo_file