diff --git a/policy-F16.patch b/policy-F16.patch index 4ff9a1d..45d7e6a 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -1048,10 +1048,18 @@ index 4f7bd3c..a29af21 100644 - unconfined_domain(kudzu_t) ') diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te -index 7090dae..6eac7b9 100644 +index 7090dae..c4bbe69 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te -@@ -61,6 +61,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) +@@ -39,6 +39,7 @@ allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimi + allow logrotate_t self:process setfscreate; + + allow logrotate_t self:fd use; ++allow logrotate_t self:key manage_key_perms; + allow logrotate_t self:fifo_file rw_fifo_file_perms; + allow logrotate_t self:unix_dgram_socket create_socket_perms; + allow logrotate_t self:unix_stream_socket create_stream_socket_perms; +@@ -61,6 +62,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir }) # for /var/lib/logrotate.status and /var/lib/logcheck create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t) @@ -1059,7 +1067,7 @@ index 7090dae..6eac7b9 100644 files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file) kernel_read_system_state(logrotate_t) -@@ -102,6 +103,7 @@ files_read_var_lib_files(logrotate_t) +@@ -102,6 +104,7 @@ files_read_var_lib_files(logrotate_t) files_manage_generic_spool(logrotate_t) files_manage_generic_spool_dirs(logrotate_t) files_getattr_generic_locks(logrotate_t) @@ -1067,7 +1075,7 @@ index 7090dae..6eac7b9 100644 # cjp: why is this needed? init_domtrans_script(logrotate_t) -@@ -116,17 +118,15 @@ miscfiles_read_localization(logrotate_t) +@@ -116,17 +119,15 @@ miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) 
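Review bot: The new `++allow logrotate_t self:key manage_key_perms;` line in the logrotate.te hunk has no comment, and manage_key_perms is the widest key permission set in refpolicy's obj_perm_sets, so a reader cannot tell which logrotate operation motivated it or whether a narrower set would do. A one-line why-comment above it, such as `# logrotate sets up its own keyring (see 3.10.0-32 changelog); confirm which key perms are actually exercised`, would let a later reviewer trim the set if only a subset is needed. The surrounding self:* rules in that block are all narrowly scoped, which makes the unexplained full set stand out.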
@@ -1090,7 +1098,7 @@ index 7090dae..6eac7b9 100644 # for savelog can_exec(logrotate_t, logrotate_exec_t) -@@ -162,10 +162,20 @@ optional_policy(` +@@ -162,10 +163,20 @@ optional_policy(` ') optional_policy(` @@ -1111,7 +1119,7 @@ index 7090dae..6eac7b9 100644 cups_domtrans(logrotate_t) ') -@@ -203,7 +213,6 @@ optional_policy(` +@@ -203,7 +214,6 @@ optional_policy(` psad_domtrans(logrotate_t) ') @@ -1119,7 +1127,7 @@ index 7090dae..6eac7b9 100644 optional_policy(` samba_exec_log(logrotate_t) ') -@@ -228,3 +237,14 @@ optional_policy(` +@@ -228,3 +238,14 @@ optional_policy(` optional_policy(` varnishd_manage_log(logrotate_t) ') @@ -12389,7 +12397,7 @@ index 4f3b542..5a41e58 100644 corenet_udp_recvfrom_labeled($1, $2) corenet_raw_recvfrom_labeled($1, $2) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in -index 99b71cb..9a30b71 100644 +index 99b71cb..5287f7a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -11,11 +11,14 @@ attribute netif_type; 
@@ -12506,13 +12514,11 @@ index 99b71cb..9a30b71 100644 network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0) -@@ -114,12 +148,13 @@ network_port(hadoop_namenode, tcp,8020,s0) - network_port(hddtemp, tcp,7634,s0) +@@ -115,11 +149,12 @@ network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) --network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port + network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port -network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy -+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,18001,s0) #8443 is mod_nss default port #18001 is used for jboss +network_port(http_cache, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,8123,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) @@ -12530,7 +12536,7 @@ index 99b71cb..9a30b71 100644 -network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) -network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) +network_port(jabber_router, tcp,5347,s0) -+network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0) ++network_port(jboss_management, tcp,4712,s0, udp,4712,s0, tcp,9123,s0, udp,9123,s0, tcp, 18001, s0) +network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0, tcp,4444,s0, udp,4444,s0) +network_port(kerberos_admin, tcp,749,s0) +network_port(kerberos_password, tcp,464,s0, udp,464,s0) 
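Review bot: Moving TCP 18001 from the http port list to jboss_management in the corenetwork.te.in hunk relabels that port from http_port_t to jboss_management_port_t, so any domain that reached 18001 through an http-port interface (corenet_tcp_connect_http_port and friends) loses that access silently, and the changelog entry in this commit does not mention the relabel. A comment on the line, or a sentence in the changelog, would make the change visible to anyone debugging a resulting denial. Separately, the appended `tcp, 18001, s0` uses spaces where the rest of the line does not; `tcp,18001,s0` matches the file's convention.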
@@ -12551,7 +12557,11 @@ index 99b71cb..9a30b71 100644 network_port(mpd, tcp,6600,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) network_port(mssql, tcp,1433-1434,s0, udp,1433-1434,s0) -@@ -155,13 +195,21 @@ network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) +@@ -152,16 +192,25 @@ network_port(mysqlmanagerd, tcp,2273,s0) + network_port(nessus, tcp,1241,s0) + network_port(netport, tcp,3129,s0, udp,3129,s0) + network_port(netsupport, tcp,5404,s0, udp,5404,s0, tcp,5405,s0, udp,5405,s0) ++network_port(nfs, tcp,2049,s0, udp,2049,s0) network_port(nmbd, udp,137,s0, udp,138,s0) network_port(ntop, tcp,3000-3001,s0, udp,3000-3001,s0) network_port(ntp, udp,123,s0) @@ -12574,7 +12584,7 @@ index 99b71cb..9a30b71 100644 network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0) network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) -@@ -179,30 +227,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) +@@ -179,30 +228,35 @@ network_port(radacct, udp,1646,s0, udp,1813,s0) network_port(radius, udp,1645,s0, udp,1812,s0) network_port(radsec, tcp,2083,s0) network_port(razor, tcp,2703,s0) @@ -12614,7 +12624,7 @@ index 99b71cb..9a30b71 100644 network_port(tcs, tcp, 30003, s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) -@@ -215,7 +268,7 @@ network_port(uucpd, tcp,540,s0) +@@ -215,7 +269,7 @@ network_port(uucpd, tcp,540,s0) network_port(varnishd, tcp,6081-6082,s0) network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0) network_port(virt_migration, tcp,49152-49216,s0) 
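Review bot: The new `++network_port(nfs, tcp,2049,s0, udp,2049,s0)` line gives 2049 its own type, which is a sensible tightening, but it means every domain that previously reached NFS on 2049 under its old generic label (presumably unreserved_port_t) now needs an explicit corenet_*_nfs_port rule, and this commit only adds a TCP bind for nfsd_t in the rpc.te hunk. A short comment on the line, e.g. `# nfs: dedicated type so nfsd can bind it; clients need corenet_*_connect_nfs_port`, would flag that consequence for the next person chasing a denial on 2049.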
@@ -12623,7 +12633,7 @@ index 99b71cb..9a30b71 100644 network_port(wccp, udp,2048,s0) network_port(whois, tcp,43,s0, udp,43,s0, tcp, 4321, s0 , udp, 4321, s0 ) network_port(xdmcp, udp,177,s0, tcp,177,s0) -@@ -229,6 +282,7 @@ network_port(zookeeper_client, tcp,2181,s0) +@@ -229,6 +283,7 @@ network_port(zookeeper_client, tcp,2181,s0) network_port(zookeeper_election, tcp,3888,s0) network_port(zookeeper_leader, tcp,2888,s0) network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0) @@ -12631,7 +12641,7 @@ index 99b71cb..9a30b71 100644 network_port(zope, tcp,8021,s0) # Defaults for reserved ports. Earlier portcon entries take precedence; -@@ -238,6 +292,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) +@@ -238,6 +293,8 @@ portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0) portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0) @@ -12640,7 +12650,7 @@ index 99b71cb..9a30b71 100644 ######################################## # -@@ -282,9 +338,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; +@@ -282,9 +339,10 @@ typealias netif_t alias { lo_netif_t netif_lo_t }; allow corenet_unconfined_type node_type:node *; allow corenet_unconfined_type netif_type:netif *; allow corenet_unconfined_type packet_type:packet *; @@ -21416,7 +21426,7 @@ index 0b827c5..bfb68b2 100644 + dontaudit $1 abrt_t:sock_file write; +') diff --git a/policy/modules/services/abrt.te b/policy/modules/services/abrt.te -index 30861ec..ee2d7f1 100644 +index 30861ec..bd5ff95 100644 --- a/policy/modules/services/abrt.te +++ b/policy/modules/services/abrt.te @@ -5,7 +5,25 @@ policy_module(abrt, 1.2.0) 
@@ -21513,15 +21523,17 @@ index 30861ec..ee2d7f1 100644 rw_files_pattern(abrt_t, abrt_etc_t, abrt_etc_t) # log file -@@ -69,6 +119,7 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) +@@ -68,7 +118,9 @@ logging_log_filetrans(abrt_t, abrt_var_log_t, file) + # abrt tmp files manage_dirs_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) manage_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) ++manage_lnk_files_pattern(abrt_t, abrt_tmp_t, abrt_tmp_t) files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) +can_exec(abrt_t, abrt_tmp_t) # abrt var/cache files manage_files_pattern(abrt_t, abrt_var_cache_t, abrt_var_cache_t) -@@ -82,10 +133,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) +@@ -82,10 +134,9 @@ manage_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_dirs_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_sock_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) manage_lnk_files_pattern(abrt_t, abrt_var_run_t, abrt_var_run_t) @@ -21533,7 +21545,7 @@ index 30861ec..ee2d7f1 100644 kernel_rw_kernel_sysctl(abrt_t) corecmd_exec_bin(abrt_t) -@@ -104,6 +154,7 @@ corenet_tcp_connect_all_ports(abrt_t) +@@ -104,6 +155,7 @@ corenet_tcp_connect_all_ports(abrt_t) corenet_sendrecv_http_client_packets(abrt_t) dev_getattr_all_chr_files(abrt_t) @@ -21541,7 +21553,7 @@ index 30861ec..ee2d7f1 100644 dev_read_urand(abrt_t) dev_rw_sysfs(abrt_t) dev_dontaudit_read_raw_memory(abrt_t) -@@ -113,7 +164,8 @@ domain_read_all_domains_state(abrt_t) +@@ -113,7 +165,8 @@ domain_read_all_domains_state(abrt_t) domain_signull_all_domains(abrt_t) files_getattr_all_files(abrt_t) @@ -21551,7 +21563,7 @@ index 30861ec..ee2d7f1 100644 files_read_var_symlinks(abrt_t) files_read_var_lib_files(abrt_t) files_read_usr_files(abrt_t) -@@ -121,6 +173,8 @@ files_read_generic_tmp_files(abrt_t) +@@ -121,6 +174,8 @@ files_read_generic_tmp_files(abrt_t) files_read_kernel_modules(abrt_t) files_dontaudit_list_default(abrt_t) files_dontaudit_read_default_files(abrt_t) 
@@ -21560,7 +21572,7 @@ index 30861ec..ee2d7f1 100644 fs_list_inotifyfs(abrt_t) fs_getattr_all_fs(abrt_t) -@@ -131,15 +185,23 @@ fs_read_nfs_files(abrt_t) +@@ -131,15 +186,23 @@ fs_read_nfs_files(abrt_t) fs_read_nfs_symlinks(abrt_t) fs_search_all(abrt_t) @@ -21587,7 +21599,7 @@ index 30861ec..ee2d7f1 100644 optional_policy(` dbus_system_domain(abrt_t, abrt_exec_t) -@@ -150,6 +212,11 @@ optional_policy(` +@@ -150,6 +213,11 @@ optional_policy(` ') optional_policy(` @@ -21599,7 +21611,7 @@ index 30861ec..ee2d7f1 100644 policykit_dbus_chat(abrt_t) policykit_domtrans_auth(abrt_t) policykit_read_lib(abrt_t) -@@ -167,6 +234,7 @@ optional_policy(` +@@ -167,6 +235,7 @@ optional_policy(` rpm_exec(abrt_t) rpm_dontaudit_manage_db(abrt_t) rpm_manage_cache(abrt_t) @@ -21607,7 +21619,7 @@ index 30861ec..ee2d7f1 100644 rpm_manage_pid_files(abrt_t) rpm_read_db(abrt_t) rpm_signull(abrt_t) -@@ -178,12 +246,35 @@ optional_policy(` +@@ -178,12 +247,35 @@ optional_policy(` ') optional_policy(` @@ -21644,7 +21656,7 @@ index 30861ec..ee2d7f1 100644 # allow abrt_helper_t self:capability { chown setgid sys_nice }; -@@ -200,23 +291,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) +@@ -200,23 +292,22 @@ files_var_filetrans(abrt_helper_t, abrt_var_cache_t, { file dir }) read_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) read_lnk_files_pattern(abrt_helper_t, abrt_var_run_t, abrt_var_run_t) @@ -21673,7 +21685,7 @@ index 30861ec..ee2d7f1 100644 userdom_dontaudit_read_user_home_content_files(abrt_helper_t) userdom_dontaudit_read_user_tmp_files(abrt_helper_t) dev_dontaudit_read_all_blk_files(abrt_helper_t) -@@ -224,4 +314,126 @@ ifdef(`hide_broken_symptoms', ` +@@ -224,4 +315,126 @@ ifdef(`hide_broken_symptoms', ` dev_dontaudit_write_all_chr_files(abrt_helper_t) dev_dontaudit_write_all_blk_files(abrt_helper_t) fs_dontaudit_rw_anon_inodefs_files(abrt_helper_t) 
@@ -30227,7 +30239,7 @@ index 25546bc..4def4f7 100644 /var/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) /var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0) diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te -index a01be9d..f82c32f 100644 +index a01be9d..01f2f23 100644 --- a/policy/modules/services/cyrus.te +++ b/policy/modules/services/cyrus.te @@ -26,7 +26,7 @@ files_pid_file(cyrus_var_run_t) @@ -30239,7 +30251,15 @@ index a01be9d..f82c32f 100644 dontaudit cyrus_t self:capability sys_tty_config; allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow cyrus_t self:process setrlimit; -@@ -119,6 +119,10 @@ optional_policy(` +@@ -73,6 +73,7 @@ corenet_udp_sendrecv_all_ports(cyrus_t) + corenet_tcp_bind_generic_node(cyrus_t) + corenet_tcp_bind_mail_port(cyrus_t) + corenet_tcp_bind_lmtp_port(cyrus_t) ++corenet_tcp_bind_innd_port(cyrus_t) + corenet_tcp_bind_pop_port(cyrus_t) + corenet_tcp_bind_sieve_port(cyrus_t) + corenet_tcp_connect_all_ports(cyrus_t) +@@ -119,6 +120,10 @@ optional_policy(` ') optional_policy(` @@ -30250,7 +30270,7 @@ index a01be9d..f82c32f 100644 kerberos_keytab_template(cyrus, cyrus_t) ') -@@ -135,6 +139,7 @@ optional_policy(` +@@ -135,6 +140,7 @@ optional_policy(` ') optional_policy(` @@ -34674,10 +34694,10 @@ index 99a94de..6dbc203 100644 files_search_etc(gatekeeper_t) diff --git a/policy/modules/services/git.fc b/policy/modules/services/git.fc -index 54f0737..2b552c5 100644 +index 54f0737..44a9663 100644 --- a/policy/modules/services/git.fc +++ b/policy/modules/services/git.fc -@@ -1,3 +1,13 @@ +@@ -1,3 +1,17 @@ +HOME_DIR/public_git(/.*)? gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitaliases -- gen_context(system_u:object_r:git_session_content_t,s0) +HOME_DIR/\.gitconfig -- gen_context(system_u:object_r:git_session_content_t,s0) 
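Review bot: `++corenet_tcp_bind_innd_port(cyrus_t)` in the cyrus.te hunk adds a bind on the NNTP port with no comment and no matching changelog entry in this commit, so the reason is invisible; if this is for Cyrus' nntpd service, say so: `# cyrus nntpd listens on the nntp port (labeled innd_port_t)`. Binding a port type named after a different daemon is also a hint that a shared nntp port name might be cleaner, but that is a policy-design question beyond this patch.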
@@ -34688,10 +34708,14 @@ index 54f0737..2b552c5 100644 + /var/cache/cgit(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) -/var/lib/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) ++/var/cache/gitweb-caching(/.*)? gen_context(system_u:object_r:httpd_git_rw_content_t,s0) ++ +/var/lib/git(/.*)? gen_context(system_u:object_r:git_system_content_t,s0) ++ /var/www/cgi-bin/cgit -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0) +/var/www/git(/.*)? gen_context(system_u:object_r:httpd_git_content_t,s0) -+/var/www/git/gitweb.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++/var/www/git/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) ++/var/www/gitweb-caching/gitweb\.cgi gen_context(system_u:object_r:httpd_git_script_exec_t,s0) diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if index 458aac6..8e83609 100644 --- a/policy/modules/services/git.if @@ -42732,7 +42756,7 @@ index abe3f7f..2de87de 100644 + nis_systemctl($1) ') diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te -index 4876cae..5f29ad9 100644 +index 4876cae..dccdc78 100644 --- a/policy/modules/services/nis.te +++ b/policy/modules/services/nis.te @@ -24,6 +24,9 @@ files_tmp_file(ypbind_tmp_t) @@ -42783,7 +42807,18 @@ index 4876cae..5f29ad9 100644 allow yppasswdd_t self:unix_dgram_socket create_socket_perms; allow yppasswdd_t self:unix_stream_socket create_stream_socket_perms; allow yppasswdd_t self:netlink_route_socket r_netlink_socket_perms; -@@ -224,8 +231,8 @@ optional_policy(` +@@ -211,6 +218,10 @@ optional_policy(` + ') + + optional_policy(` ++ mta_send_mail(yppasswdd_t) ++') ++ ++optional_policy(` + seutil_sigchld_newrole(yppasswdd_t) + ') + +@@ -224,8 +235,8 @@ optional_policy(` # dontaudit ypserv_t self:capability sys_tty_config; @@ -50680,7 +50715,7 @@ index cda37bb..484e552 100644 + allow $1 var_lib_nfs_t:file relabel_file_perms; ') 
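Review bot: The two gitweb entries added to git.fc, `/var/www/git/gitweb\.cgi` and `/var/www/gitweb-caching/gitweb\.cgi`, omit the `--` file-type field that the sibling `/var/www/cgi-bin/cgit --` entry uses, so a directory or symlink of that name would also be labeled httpd_git_script_exec_t. Writing them as `/var/www/git/gitweb\.cgi -- gen_context(system_u:object_r:httpd_git_script_exec_t,s0)` (and likewise for the gitweb-caching path) restricts the executable label to regular files, consistent with the cgit line.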
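Review bot: `++ mta_send_mail(yppasswdd_t)` in the nis.te hunk carries no comment, and the changelog attributes the change to "pwupdate" rather than to yppasswdd, so the link between the rule and the program is only recoverable from the spec file. A why-comment above the call, e.g. `# rpc.yppasswdd runs the configured pwupdate script, which sends mail (per 3.10.0-32 changelog)`, would keep that rationale next to the rule; the script name should be confirmed against the actual yppasswdd configuration.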
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te -index b1468ed..fb0f852 100644 +index b1468ed..66a585d 100644 --- a/policy/modules/services/rpc.te +++ b/policy/modules/services/rpc.te @@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0) @@ -50758,7 +50793,7 @@ index b1468ed..fb0f852 100644 ######################################## # # NFSD local policy -@@ -120,6 +133,9 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; +@@ -120,9 +133,13 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms; kernel_read_system_state(nfsd_t) kernel_read_network_state(nfsd_t) kernel_dontaudit_getattr_core_if(nfsd_t) @@ -50768,7 +50803,11 @@ index b1468ed..fb0f852 100644 corenet_tcp_bind_all_rpc_ports(nfsd_t) corenet_udp_bind_all_rpc_ports(nfsd_t) -@@ -148,6 +164,8 @@ storage_raw_read_removable_device(nfsd_t) ++corenet_tcp_bind_nfs_port(nfsd_t) + + dev_dontaudit_getattr_all_blk_files(nfsd_t) + dev_dontaudit_getattr_all_chr_files(nfsd_t) +@@ -148,6 +165,8 @@ storage_raw_read_removable_device(nfsd_t) # Read access to public_content_t and public_content_rw_t miscfiles_read_public_files(nfsd_t) @@ -50777,7 +50816,7 @@ index b1468ed..fb0f852 100644 # Write access to public_content_t and public_content_rw_t tunable_policy(`allow_nfsd_anon_write',` miscfiles_manage_public_files(nfsd_t) -@@ -158,7 +176,6 @@ tunable_policy(`nfs_export_all_rw',` +@@ -158,7 +177,6 @@ tunable_policy(`nfs_export_all_rw',` dev_getattr_all_chr_files(nfsd_t) fs_read_noxattr_fs_files(nfsd_t) @@ -50785,7 +50824,7 @@ index b1468ed..fb0f852 100644 ') tunable_policy(`nfs_export_all_ro',` -@@ -170,8 +187,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -170,8 +188,7 @@ tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) 
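Review bot: `++corenet_tcp_bind_nfs_port(nfsd_t)` in the rpc.te hunk covers only TCP, while the new nfs port definition in corenetwork.te.in labels UDP 2049 as well; if rpc.nfsd is configured to serve UDP, that bind will now be denied under the new label where it was previously allowed as a generic port. Adding `corenet_udp_bind_nfs_port(nfsd_t)` beside the TCP call covers that case, and since the per-port interfaces are generated from the network_port() declaration, the UDP interface exists once the port is declared. The NFSD local policy block continues outside the hunk.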
@@ -50795,7 +50834,7 @@ index b1468ed..fb0f852 100644 ') ######################################## -@@ -181,7 +197,7 @@ tunable_policy(`nfs_export_all_ro',` +@@ -181,7 +198,7 @@ tunable_policy(`nfs_export_all_ro',` allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice }; allow gssd_t self:process { getsched setsched }; @@ -50804,7 +50843,7 @@ index b1468ed..fb0f852 100644 manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t) -@@ -199,6 +215,7 @@ corecmd_exec_bin(gssd_t) +@@ -199,6 +216,7 @@ corecmd_exec_bin(gssd_t) fs_list_rpc(gssd_t) fs_rw_rpc_sockets(gssd_t) fs_read_rpc_files(gssd_t) @@ -50812,7 +50851,7 @@ index b1468ed..fb0f852 100644 fs_list_inotifyfs(gssd_t) files_list_tmp(gssd_t) -@@ -210,14 +227,14 @@ auth_manage_cache(gssd_t) +@@ -210,14 +228,14 @@ auth_manage_cache(gssd_t) miscfiles_read_generic_certs(gssd_t) @@ -50829,7 +50868,7 @@ index b1468ed..fb0f852 100644 ') optional_policy(` -@@ -229,6 +246,10 @@ optional_policy(` +@@ -229,6 +247,10 @@ optional_policy(` ') optional_policy(` @@ -53773,7 +53812,7 @@ index 078bcd7..2d60774 100644 +/root/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0) +/root/\.shosts gen_context(system_u:object_r:ssh_home_t,s0) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if -index 22adaca..d9c1d90 100644 +index 22adaca..0d987fd 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -32,10 +32,10 @@ @@ -53870,7 +53909,7 @@ index 22adaca..d9c1d90 100644 kernel_read_kernel_sysctls($1_t) kernel_read_network_state($1_t) -+ kernel_request_load_module(ssh_t) ++ kernel_request_load_module($1_t) corenet_all_recvfrom_unlabeled($1_t) corenet_all_recvfrom_netlabel($1_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6dfe590..f1c7240 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
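Review bot: `++ kernel_request_load_module($1_t)` in the ssh.if hunk grants every domain produced by this template system:module_request, i.e. the ability to trigger kernel module autoloading, with no comment saying which operation needs it; for a per-user ssh client domain that is a wider privilege than the neighbouring read-only kernel interfaces. A why-comment such as `# ssh triggers module autoload (likely a crypto or socket-family module); confirm which denial this covers and whether a dontaudit would suffice` would let the next reviewer judge it. The template's body continues outside the hunk.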
@@ -13,11 +13,11 @@ %define POLICYVER 26 %define libsepolver 2.0.44-2 %define POLICYCOREUTILSVER 2.0.86-12 -%define CHECKPOLICYVER 2.1.3-1.1 +%define CHECKPOLICYVER 2.1.3-1.2 Summary: SELinux policy configuration Name: selinux-policy Version: 3.10.0 -Release: 31%{?dist} +Release: 32%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -468,6 +468,14 @@ SELinux Reference policy mls base module. %endif %changelog +* Wed Sep 21 2011 Miroslav Grepl 3.10.0-32 +- Allow pwupdate to send mail +- Fix execmem_execmod() interface +- Allow pwupdate to send mail +- nfsd is binding to the nfs port 2049 +- Add additional gitweb file context labeling +- Allow logrotate to set its own keys + * Tue Sep 20 2011 Miroslav Grepl 3.10.0-31 - Needs to require a new version of checkpolicy - Interface fixes