diff --git a/policy-F13.patch b/policy-F13.patch index 9caefb4..180b020 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -8402,19 +8402,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-20 13:57:30.568084981 +0200 -@@ -9,8 +9,10 @@ ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-08-30 20:26:39.691335235 +0200 +@@ -9,8 +9,11 @@ /bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/fish -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/ksh.* -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/mksh -- gen_context(system_u:object_r:shell_exec_t,s0) ++/bin/mountpoint -- gen_context(system_u:object_r:bin_t,s0) /bin/sash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0) +/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0) # -@@ -49,7 +51,8 @@ +@@ -49,7 +52,8 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -8424,7 +8425,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -65,11 +68,20 @@ +@@ -65,11 +69,20 @@ /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) 
@@ -8445,7 +8446,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) -@@ -147,6 +159,9 @@ +@@ -147,6 +160,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -8455,7 +8456,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -189,7 +204,8 @@ +@@ -189,7 +205,8 @@ /usr/lib(64)?/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) @@ -8465,7 +8466,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) -@@ -216,11 +232,17 @@ +@@ -216,11 +233,17 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) @@ -8483,7 +8484,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -240,6 +262,7 @@ +@@ -240,6 +263,7 @@ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) 
@@ -8491,7 +8492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -297,6 +320,7 @@ +@@ -297,6 +321,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -8499,7 +8500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -@@ -331,3 +355,21 @@ +@@ -331,3 +356,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -9549,7 +9550,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.7.19/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-09 14:32:12.282084745 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.if 2010-08-30 19:22:32.465335135 +0200 @@ -1053,10 +1053,8 @@ relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) 
@@ -9563,7 +9564,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # satisfy the assertions: seutil_relabelto_bin_policy($1) -@@ -1428,6 +1426,42 @@ +@@ -1408,6 +1406,24 @@ + allow $1 mountpoint:dir getattr; + ') + ++####################################### ++## ++## Do not audit listing of all mount points. ++## ++## ++## ++## Domain to not audit. ++## ++## ++# ++interface(`files_dontaudit_list_all_mountpoints',` ++ gen_require(` ++ attribute mountpoint; ++ ') ++ ++ dontaudit $1 mountpoint:dir list_dir_perms; ++') ++ + ######################################## + ## + ## Search all mount points. +@@ -1428,6 +1444,42 @@ ######################################## ## @@ -9606,7 +9632,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## List the contents of the root directory. ## ## -@@ -1552,6 +1586,24 @@ +@@ -1552,6 +1604,24 @@ ######################################## ## @@ -9631,7 +9657,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Remove entries from the root directory. ## ## -@@ -1697,6 +1749,24 @@ +@@ -1697,6 +1767,24 @@ ######################################## ## @@ -9656,7 +9682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create a private type object in boot ## with an automatic type transition ## -@@ -1740,7 +1810,7 @@ +@@ -1740,7 +1828,7 @@ type boot_t; ') @@ -9665,7 +9691,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2209,6 +2279,24 @@ +@@ -2209,6 +2297,24 @@ allow $1 etc_t:dir rw_dir_perms; ') 
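Review bot: The new `files_dontaudit_list_all_mountpoints` interface silences every `list_dir_perms` denial on the whole `mountpoint` attribute, so a domain that enumerates mount points leaves no AVC record once a module calls it; the interface doc should say that explicitly and point at the way to see the denials again, e.g. `## Do not audit listing of any directory carrying the mountpoint attribute; rebuild with semodule -DB to see these denials.`. The banner row above the interface also looks one `#` shorter than the 40-column rows used by the neighbouring interfaces. The remaining lines of this hunk only renumber the inner hunk headers.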
@@ -9690,7 +9716,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ########################################## ## ## Manage generic directories in /etc -@@ -2280,6 +2368,7 @@ +@@ -2280,6 +2386,7 @@ allow $1 etc_t:dir list_dir_perms; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) @@ -9698,7 +9724,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2362,6 +2451,24 @@ +@@ -2362,6 +2469,24 @@ ######################################## ## @@ -9723,7 +9749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Execute generic files in /etc. ## ## -@@ -2789,6 +2896,120 @@ +@@ -2789,6 +2914,120 @@ ######################################## ## @@ -9844,7 +9870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create, read, write, and delete files ## on new filesystems that have not yet been labeled. ## -@@ -2899,6 +3120,7 @@ +@@ -2899,6 +3138,7 @@ ') allow $1 home_root_t:dir getattr; @@ -9852,7 +9878,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2919,6 +3141,7 @@ +@@ -2919,6 +3159,7 @@ ') dontaudit $1 home_root_t:dir getattr; @@ -9860,7 +9886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2937,6 +3160,7 @@ +@@ -2937,6 +3178,7 @@ ') allow $1 home_root_t:dir search_dir_perms; @@ -9868,7 +9894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2956,6 +3180,7 @@ +@@ -2956,6 +3198,7 @@ ') dontaudit $1 home_root_t:dir search_dir_perms; 
@@ -9876,7 +9902,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2975,6 +3200,7 @@ +@@ -2975,6 +3218,7 @@ ') dontaudit $1 home_root_t:dir list_dir_perms; @@ -9884,7 +9910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -2993,6 +3219,7 @@ +@@ -2993,6 +3237,7 @@ ') allow $1 home_root_t:dir list_dir_perms; @@ -9892,7 +9918,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -3156,6 +3383,24 @@ +@@ -3156,6 +3401,24 @@ allow $1 mnt_t:dir list_dir_perms; ') @@ -9917,7 +9943,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Mount a filesystem on /mnt. -@@ -3229,6 +3474,24 @@ +@@ -3229,6 +3492,24 @@ read_files_pattern($1, mnt_t, mnt_t) ') @@ -9942,7 +9968,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Create, read, write, and delete symbolic links in /mnt. -@@ -3520,6 +3783,82 @@ +@@ -3520,6 +3801,82 @@ allow $1 readable_t:sock_file read_sock_file_perms; ') @@ -10025,13 +10051,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Allow the specified type to associate -@@ -3705,25 +4044,51 @@ +@@ -3705,6 +4062,32 @@ ######################################## ## --## Manage temporary files and directories in /tmp. +## Allow shared library text relocations in tmp files. - ## ++## +## +##

+## Allow shared library text relocations in tmp files. @@ -10040,50 +10065,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. +## This is added to support java policy. +##

+##
- ## - ## --## The type of the process performing this action. -+## Domain allowed access. - ## - ## - # --interface(`files_manage_generic_tmp_files',` -+interface(`files_execmod_tmp',` - gen_require(` -- type tmp_t; -+ attribute tmpfile; - ') - -- manage_files_pattern($1, tmp_t, tmp_t) -+ allow $1 tmpfile:file execmod; - ') - - ######################################## - ## --## Read symbolic links in the tmp directory (/tmp). -+## Manage temporary files and directories in /tmp. -+## +## +## -+## The type of the process performing this action. ++## Domain allowed access. +## +## +# -+interface(`files_manage_generic_tmp_files',` ++interface(`files_execmod_tmp',` + gen_require(` -+ type tmp_t; ++ attribute tmpfile; + ') + -+ manage_files_pattern($1, tmp_t, tmp_t) ++ allow $1 tmpfile:file execmod; +') + +######################################## +## -+## Read symbolic links in the tmp directory (/tmp). + ## Manage temporary files and directories in /tmp. ## ## - ## -@@ -3918,6 +4283,13 @@ +@@ -3918,6 +4301,13 @@ delete_lnk_files_pattern($1, tmpfile, tmpfile) delete_fifo_files_pattern($1, tmpfile, tmpfile) delete_sock_files_pattern($1, tmpfile, tmpfile) @@ -10097,7 +10098,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4013,6 +4385,24 @@ +@@ -4013,6 +4403,24 @@ ######################################## ## @@ -10122,7 +10123,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Delete generic files in /usr in the caller domain. ## ## -@@ -4026,7 +4416,7 @@ +@@ -4026,7 +4434,7 @@ type usr_t; ') @@ -10131,7 +10132,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -4107,6 +4497,24 @@ +@@ -4107,6 +4515,24 @@ ######################################## ## 
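Review bot: `files_execmod_tmp` grants `execmod` on the `tmpfile` attribute, i.e. on every domain's private tmp type as well as `tmp_t`, which is wider than the summary "text relocations in tmp files" suggests and is the permission that lets a writable file be mapped with text relocations; the doc should state that scope, e.g. `## Allow text relocations (execmod) on every file type carrying the tmpfile attribute; this weakens the execmod protection for those files and should be given only to domains that need it.`. If only the java policy needs it, an interface taking the caller's specific tmp type would be narrower than the attribute. The rest of the hunk leaves `files_manage_generic_tmp_files` intact instead of rewriting it, which is fine.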
@@ -10156,7 +10157,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## dontaudit write of /usr files ## ## -@@ -5032,6 +5440,43 @@ +@@ -5032,6 +5458,43 @@ search_dirs_pattern($1, var_t, var_run_t) ') @@ -10200,7 +10201,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ######################################## ## ## Do not audit attempts to search -@@ -5091,6 +5536,24 @@ +@@ -5091,6 +5554,24 @@ ######################################## ## @@ -10225,7 +10226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Create an object in the process ID directory, with a private type. ## ## -@@ -5238,6 +5701,7 @@ +@@ -5238,6 +5719,7 @@ list_dirs_pattern($1, var_t, pidfile) read_files_pattern($1, pidfile, pidfile) @@ -10233,7 +10234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ######################################## -@@ -5306,6 +5770,24 @@ +@@ -5306,6 +5788,24 @@ ######################################## ## @@ -10258,7 +10259,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ## Search the contents of generic spool ## directories (/var/spool). ## -@@ -5494,12 +5976,15 @@ +@@ -5494,12 +5994,15 @@ allow $1 poly_t:dir { create mounton }; fs_unmount_xattr_fs($1) @@ -10275,7 +10276,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. ') ') -@@ -5520,3 +6005,229 @@ +@@ -5520,3 +6023,229 @@ typeattribute $1 files_unconfined_type; ') 
@@ -16092,8 +16093,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.7.19/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-24 14:44:00.443083769 +0200 -@@ -0,0 +1,160 @@ ++++ serefpolicy-3.7.19/policy/modules/services/boinc.te 2010-08-30 20:30:56.405084998 +0200 +@@ -0,0 +1,163 @@ + +policy_module(boinc,1.0.0) + @@ -16248,10 +16249,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin + +corenet_tcp_connect_boinc_port(boinc_project_t) + ++dev_read_urand(boinc_project_t) +dev_rw_xserver_misc(boinc_project_t) + +files_read_etc_files(boinc_project_t) + ++auth_use_nsswitch(boinc_project_t) ++ +miscfiles_read_localization(boinc_project_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bugzilla.fc serefpolicy-3.7.19/policy/modules/services/bugzilla.fc 
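Review bot: `auth_use_nsswitch(boinc_project_t)` pulls in considerably more than name lookup: in refpolicy it bundles the client-side access for the NSS backends (DNS, LDAP, nscd/sssd sockets, winbind), which is a wide grant for what appears to be the domain that runs downloaded project binaries. If the denial that motivated it was only DNS or passwd lookups, `sysnet_dns_name_resolve(boinc_project_t)` together with the `files_read_etc_files` call already in this hunk would be the narrower fix. A one-line comment naming the observed denial would let the next reviewer judge it, e.g. `# project apps resolve hostnames and look up their own uid via nsswitch`.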
@@ -21988,17 +21992,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal. # Local hald dccm policy diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/icecast.te serefpolicy-3.7.19/policy/modules/services/icecast.te --- nsaserefpolicy/policy/modules/services/icecast.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-06-09 23:33:37.510220114 +0200 -@@ -38,6 +38,8 @@ ++++ serefpolicy-3.7.19/policy/modules/services/icecast.te 2010-08-30 20:14:45.201335228 +0200 +@@ -38,7 +38,10 @@ manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t) files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir }) +kernel_read_system_state(icecast_t) + corenet_tcp_bind_soundd_port(icecast_t) ++corenet_tcp_connect_soundd_port(icecast_t) # Init script handling -@@ -52,5 +54,9 @@ + domain_use_interactive_fds(icecast_t) +@@ -52,5 +55,9 @@ sysnet_dns_name_resolve(icecast_t) optional_policy(` @@ -22056,7 +22062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb allow $1 self:udp_socket create_socket_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.7.19/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2010-06-09 23:35:26.680218272 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/kerberos.te 2010-08-30 19:33:49.977335019 +0200 @@ -112,6 +112,7 @@ kernel_read_kernel_sysctls(kadmind_t) 
@@ -22075,7 +22081,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb corenet_tcp_bind_reserved_port(kadmind_t) corenet_dontaudit_tcp_bind_all_reserved_ports(kadmind_t) corenet_sendrecv_kerberos_admin_server_packets(kadmind_t) -@@ -198,8 +201,7 @@ +@@ -149,6 +152,7 @@ + + logging_send_syslog_msg(kadmind_t) + ++miscfiles_read_certs(kadmind_t) + miscfiles_read_localization(kadmind_t) + + seutil_read_file_contexts(kadmind_t) +@@ -198,8 +202,7 @@ allow krb5kdc_t krb5kdc_log_t:file manage_file_perms; logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file) @@ -22085,7 +22099,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb manage_dirs_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) manage_files_pattern(krb5kdc_t, krb5kdc_tmp_t, krb5kdc_tmp_t) -@@ -283,7 +285,7 @@ +@@ -249,6 +252,7 @@ + + logging_send_syslog_msg(krb5kdc_t) + ++miscfiles_read_certs(krb5kdc_t) + miscfiles_read_localization(krb5kdc_t) + + seutil_read_file_contexts(krb5kdc_t) +@@ -283,7 +287,7 @@ allow kpropd_t self:unix_stream_socket create_stream_socket_perms; allow kpropd_t self:tcp_socket create_stream_socket_perms; @@ -25549,7 +25571,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.19/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/nut.te 2010-08-25 16:04:52.823085230 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/nut.te 2010-08-25 16:39:24.497085412 +0200 @@ -67,13 +67,15 @@ allow nut_upsmon_t self:fifo_file rw_fifo_file_perms; allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; 
@@ -25562,7 +25584,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut. manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) -files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file) -+manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t) ++manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t) +files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file sock_file }) kernel_read_kernel_sysctls(nut_upsmon_t) @@ -28276,7 +28298,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/puppet.te serefpolicy-3.7.19/policy/modules/services/puppet.te --- nsaserefpolicy/policy/modules/services/puppet.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-07-23 13:43:42.151388430 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/puppet.te 2010-08-30 19:46:34.715085037 +0200 @@ -192,7 +192,14 @@ manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t) files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir }) @@ -28301,6 +28323,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pupp optional_policy(` hostname_exec(puppetmaster_t) ') +@@ -232,3 +241,8 @@ + rpm_exec(puppetmaster_t) + rpm_read_db(puppetmaster_t) + ') ++ ++optional_policy(` ++ usermanage_domtrans_groupadd(puppetmaster_t) ++ usermanage_domtrans_useradd(puppetmaster_t) ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pyzor.fc serefpolicy-3.7.19/policy/modules/services/pyzor.fc --- nsaserefpolicy/policy/modules/services/pyzor.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/pyzor.fc 2010-05-28 09:42:00.162610723 +0200 
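Review bot: The new `optional_policy` block in puppet.te lets `puppetmaster_t` transition to the useradd and groupadd domains, which is the path to creating and changing local accounts (passwd, group and shadow are written by those domains), a notable widening for a network-facing daemon that the hunk neither gates nor explains. Consider wrapping the two calls in a `tunable_policy` with a new boolean (a constructed name such as `puppetmaster_manage_accounts`, default off) so sites that do not use puppet for account management keep the narrower policy, or at least add `# puppetmaster creates system accounts for modules via useradd/groupadd` above the block. The nut.te hunk in the same line correctly moves the sock_file rule to `nut_upsmon_t`.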
@@ -28754,7 +28785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid +sysnet_dns_name_resolve(qpidd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radius.te serefpolicy-3.7.19/policy/modules/services/radius.te --- nsaserefpolicy/policy/modules/services/radius.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/radius.te 2010-06-01 17:29:47.678168541 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/radius.te 2010-08-30 19:31:22.527085108 +0200 @@ -37,7 +37,7 @@ # gzip also needs chown access to preserve GID for radwtmp files allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; @@ -28764,6 +28795,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radi allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket create_stream_socket_perms; allow radiusd_t self:tcp_socket create_stream_socket_perms; +@@ -131,6 +131,7 @@ + + optional_policy(` + samba_read_var_files(radiusd_t) ++ samba_domtrans_winbind_helper(radiusd_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.fc serefpolicy-3.7.19/policy/modules/services/razor.fc --- nsaserefpolicy/policy/modules/services/razor.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/razor.fc 2010-05-28 09:42:00.165610873 +0200 
@@ -30339,8 +30378,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcb allow $2 system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.7.19/policy/modules/services/rpcbind.te --- nsaserefpolicy/policy/modules/services/rpcbind.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/rpcbind.te 2010-06-09 23:09:15.321208553 +0200 -@@ -72,3 +72,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rpcbind.te 2010-08-30 20:25:53.722333587 +0200 +@@ -44,6 +44,8 @@ + kernel_read_network_state(rpcbind_t) + kernel_request_load_module(rpcbind_t) + ++corecmd_exec_shell(rpcbind_t) ++ + corenet_all_recvfrom_unlabeled(rpcbind_t) + corenet_all_recvfrom_netlabel(rpcbind_t) + corenet_tcp_sendrecv_generic_if(rpcbind_t) +@@ -72,3 +74,7 @@ ifdef(`hide_broken_symptoms',` dontaudit rpcbind_t self:udp_socket listen; ') @@ -30864,7 +30912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.19/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-08-13 07:48:03.254335706 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/samba.te 2010-08-30 19:22:59.872334445 +0200 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
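Review bot: `corecmd_exec_shell(rpcbind_t)` lets rpcbind run a shell in its own domain with no transition, so any shell it spawns inherits rpcbind's whole policy and a compromised rpcbind, which listens on the network, gains an interpreter it did not have before. The hunk gives no hint which script needs this; a comment naming it, e.g. `# rpcbind execs /bin/sh for <helper script>`, would let the next reviewer check whether that helper should get its own domain instead. If the shell is only used by the init script rather than the daemon, the permission belongs on the init domain, not on `rpcbind_t`.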
@@ -30945,16 +30993,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(smbd_t) domain_dontaudit_list_all_domains_state(smbd_t) -@@ -325,6 +340,8 @@ +@@ -325,6 +340,9 @@ files_read_etc_runtime_files(smbd_t) files_read_usr_files(smbd_t) files_search_spool(smbd_t) +# smbd seems to getattr all mountpoints +files_dontaudit_getattr_all_dirs(smbd_t) ++files_dontaudit_list_all_mountpoints(smbd_t) # Allow samba to list mnt_t for potential mounted dirs files_list_mnt(smbd_t) -@@ -337,10 +354,13 @@ +@@ -337,10 +355,13 @@ miscfiles_read_public_files(smbd_t) userdom_use_unpriv_users_fds(smbd_t) @@ -30969,7 +31018,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ifdef(`hide_broken_symptoms', ` files_dontaudit_getattr_default_dirs(smbd_t) files_dontaudit_getattr_boot_dirs(smbd_t) -@@ -352,19 +372,19 @@ +@@ -352,19 +373,19 @@ ') tunable_policy(`samba_domain_controller',` @@ -30995,7 +31044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ') # Support Samba sharing of NFS mount points -@@ -376,6 +396,15 @@ +@@ -376,6 +397,15 @@ fs_manage_nfs_named_sockets(smbd_t) ') @@ -31011,7 +31060,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(smbd_t) cups_stream_connect(smbd_t) -@@ -391,6 +420,11 @@ +@@ -391,6 +421,11 @@ ') optional_policy(` @@ -31023,7 +31072,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb rpc_search_nfs_state_data(smbd_t) ') -@@ -405,13 +439,15 @@ +@@ -405,13 +440,15 @@ tunable_policy(`samba_create_home_dirs',` allow smbd_t self:capability chown; userdom_create_user_home_dirs(smbd_t) 
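Review bot: The comment `# smbd seems to getattr all mountpoints` now sits above two dontaudit calls but describes only the first; the new `files_dontaudit_list_all_mountpoints(smbd_t)` also silences read and search denials on those directories, which hides the case where a share path lands on a mount point the policy did not intend smbd to see. Extend the comment so the suppression is visibly deliberate, e.g. `# smbd getattrs and lists every mountpoint; these denials are dontaudited, use semodule -DB to see them`. The interface itself is defined in the files.if hunk earlier in this patch.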
@@ -31040,7 +31089,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb auth_read_all_files_except_shadow(nmbd_t) ') -@@ -420,8 +456,8 @@ +@@ -420,8 +457,8 @@ auth_manage_all_files_except_shadow(smbd_t) fs_read_noxattr_fs_files(nmbd_t) auth_manage_all_files_except_shadow(nmbd_t) @@ -31050,7 +31099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # -@@ -525,6 +561,7 @@ +@@ -525,6 +562,7 @@ allow smbcontrol_t winbind_t:process { signal signull }; @@ -31058,7 +31107,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb samba_read_config(smbcontrol_t) samba_rw_var_files(smbcontrol_t) samba_search_var(smbcontrol_t) -@@ -536,6 +573,8 @@ +@@ -536,6 +574,8 @@ miscfiles_read_localization(smbcontrol_t) @@ -31067,7 +31116,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb ######################################## # # smbmount Local policy -@@ -618,7 +657,7 @@ +@@ -618,7 +658,7 @@ # SWAT Local policy # @@ -31076,7 +31125,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t self:process { setrlimit signal_perms }; allow swat_t self:fifo_file rw_fifo_file_perms; allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms; -@@ -626,23 +665,25 @@ +@@ -626,23 +666,25 @@ allow swat_t self:udp_socket create_socket_perms; allow swat_t self:unix_stream_socket connectto; @@ -31110,7 +31159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb allow swat_t smbd_exec_t:file mmap_file_perms ; allow swat_t smbd_t:process signull; -@@ -657,11 +698,14 @@ +@@ -657,11 +699,14 @@ files_pid_filetrans(swat_t, swat_var_run_t, file) allow swat_t winbind_exec_t:file mmap_file_perms; 
@@ -31126,7 +31175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb kernel_read_kernel_sysctls(swat_t) kernel_read_system_state(swat_t) kernel_read_network_state(swat_t) -@@ -700,6 +744,8 @@ +@@ -700,6 +745,8 @@ miscfiles_read_localization(swat_t) @@ -31135,7 +31184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb optional_policy(` cups_read_rw_config(swat_t) cups_stream_connect(swat_t) -@@ -713,12 +759,23 @@ +@@ -713,12 +760,23 @@ kerberos_use(swat_t) ') @@ -31160,7 +31209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dontaudit winbind_t self:capability sys_tty_config; allow winbind_t self:process { signal_perms getsched setsched }; allow winbind_t self:fifo_file rw_fifo_file_perms; -@@ -779,6 +836,9 @@ +@@ -779,6 +837,9 @@ corenet_tcp_bind_generic_node(winbind_t) corenet_udp_bind_generic_node(winbind_t) corenet_tcp_connect_smbd_port(winbind_t) @@ -31170,7 +31219,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb dev_read_sysfs(winbind_t) dev_read_urand(winbind_t) -@@ -788,7 +848,7 @@ +@@ -788,7 +849,7 @@ auth_domtrans_chk_passwd(winbind_t) auth_use_nsswitch(winbind_t) @@ -31179,7 +31228,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb domain_use_interactive_fds(winbind_t) -@@ -866,6 +926,18 @@ +@@ -866,6 +927,18 @@ # optional_policy(` @@ -31198,7 +31247,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb type samba_unconfined_script_t; type samba_unconfined_script_exec_t; domain_type(samba_unconfined_script_t) -@@ -876,9 +948,12 @@ +@@ -876,9 +949,12 @@ allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms; allow smbd_t samba_unconfined_script_exec_t:file ioctl; 
@@ -33167,7 +33216,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt /var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.7.19/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-08-10 16:36:52.708085543 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/virt.if 2010-08-30 20:21:58.039085207 +0200 @@ -21,6 +21,7 @@ type $1_t, virt_domain; domain_type($1_t) @@ -33281,7 +33330,32 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ######################################## ## ## Create, read, write, and delete -@@ -433,15 +460,15 @@ +@@ -386,6 +413,24 @@ + manage_lnk_files_pattern($1, virt_log_t, virt_log_t) + ') + ++####################################### ++## ++## Allow domain to read virt blk image files ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`virt_read_blk_images',` ++ gen_require(` ++ attribute virt_image_type; ++ ') ++ ++ read_blk_files_pattern($1, virt_image_type, virt_image_type) ++') ++ + ######################################## + ## + ## Allow domain to read virt image files +@@ -433,15 +478,15 @@ ## ## # @@ -33302,7 +33376,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') ######################################## -@@ -516,3 +543,49 @@ +@@ -516,3 +561,49 @@ virt_manage_log($1) ') 
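Review bot: `virt_read_blk_images` reads block devices labeled with any `virt_image_type`, i.e. the raw disks of every guest on the host, and the summary "Allow domain to read virt blk image files" does not say so; suggest `## Allow domain to read block devices (blk_file) labeled with any virt image type, i.e. the raw disks of all guests.`. The banner row above the interface also looks one `#` shorter than the 40-column rows around it. The only caller added in this patch is `fsadm_t` in fstools.te, which is consistent with running fsck on guest volumes.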
@@ -35700,7 +35774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool /sbin/partx -- gen_context(system_u:object_r:fsadm_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.7.19/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/fstools.te 2010-05-28 09:42:00.213610890 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/fstools.te 2010-08-30 20:22:56.254334577 +0200 @@ -118,6 +118,8 @@ fs_search_tmpfs(fsadm_t) fs_getattr_tmpfs_dirs(fsadm_t) @@ -35734,6 +35808,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool nis_use_ypbind(fsadm_t) ') +@@ -176,6 +186,10 @@ + ') + + optional_policy(` ++ virt_read_blk_images(fsadm_t) ++') ++ ++optional_policy(` + xen_append_log(fsadm_t) + xen_rw_image_files(fsadm_t) + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-3.7.19/policy/modules/system/getty.te --- nsaserefpolicy/policy/modules/system/getty.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/getty.te 2010-05-28 09:42:00.213610890 +0200 
@@ -37060,8 +37145,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
 dev_read_sysfs(kdump_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-24 15:43:47.418115008 +0200
-@@ -127,17 +127,19 @@
++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-08-30 10:11:52.522085110 +0200
+@@ -127,17 +127,21 @@
 /usr/lib64/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -37070,10 +37155,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/vlc/codec/plugins/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/plugins/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib64/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 -/usr/lib64/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib/vlc/codec/plugins/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/usr/lib/vlc/plugins/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 +/usr/lib64/vlc/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib64/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libtfmessbsp\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -37085,7 +37172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -151,6 +153,7 @@
+@@ -151,6 +155,7 @@
 /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
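Review bot: `/usr/lib/vlc/plugins/codec/libdmo_plugin\.so` and `/usr/lib/vlc/plugins/codec/librealaudio_plugin\.so` are a third directory spelling of the same two plugins already listed under `codec/` and `codec/plugins/`, and every additional `textrel_shlib_t` entry is one more object allowed to be mapped with text relocations (execmod), so the list is worth keeping both short and narrow. One entry per plugin does that without widening the match: `/usr/lib/vlc/(codec|codec/plugins|plugins/codec)/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` and the same for `librealaudio_plugin\.so`. The 64-bit tree is already covered by the blanket `/usr/lib64/vlc/.*\.so` context line in this hunk; the enumerated 32-bit entries are the tighter of the two and should stay enumerated rather than be replaced by a similar catch-all.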
@@ -37093,7 +37180,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +211,7 @@ +@@ -208,6 +213,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -37101,7 +37188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -302,13 +306,8 @@ +@@ -302,13 +308,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -37117,7 +37204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +318,153 @@ +@@ -319,14 +320,153 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) 
@@ -38573,7 +38660,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +/etc/share/selinux/mls(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.7.19/policy/modules/system/selinuxutil.if --- nsaserefpolicy/policy/modules/system/selinuxutil.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2010-05-28 09:42:00.513610614 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/selinuxutil.if 2010-08-30 20:19:44.277333391 +0200 @@ -361,6 +361,27 @@ ######################################## @@ -38602,7 +38689,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute run_init in the run_init domain. ## ## -@@ -545,6 +566,53 @@ +@@ -514,6 +535,10 @@ + files_search_usr($1) + corecmd_search_bin($1) + domtrans_pattern($1, setfiles_exec_t, setfiles_t) ++ ++ ifdef(`hide_broken_symptoms', ` ++ dontaudit setfiles_t $1:socket_class_set { read write }; ++ ') + ') + + ######################################## +@@ -545,6 +570,53 @@ ######################################## ## @@ -38656,7 +38754,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute setfiles in the caller domain. ## ## -@@ -690,6 +758,7 @@ +@@ -690,6 +762,7 @@ ') files_search_etc($1) @@ -38664,7 +38762,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu manage_files_pattern($1, selinux_config_t, selinux_config_t) read_lnk_files_pattern($1, selinux_config_t, selinux_config_t) ') -@@ -1009,6 +1078,26 @@ +@@ -1009,6 +1082,26 @@ ######################################## ## 
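Review bot: `dontaudit setfiles_t $1:socket_class_set { read write };` suppresses the AVC that would reveal the caller `$1` leaking an open socket into setfiles_t across the `domtrans_pattern`; the denial still occurs, but under `hide_broken_symptoms` the only evidence of the descriptor leak is now gone. Since every caller of this interface inherits that silence, a comment should name the symptom being hidden so it is revisited rather than treated as resolved, e.g. `# callers may leak open sockets across the domtrans; hide the AVC instead of granting access`. The enclosing interface (presumably the setfiles domtrans one, given `domtrans_pattern($1, setfiles_exec_t, setfiles_t)`) starts outside this hunk.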
@@ -38691,7 +38789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Execute semanage in the semanage domain, and ## allow the specified role the semanage domain, ## and use the caller's terminal. -@@ -1020,7 +1109,7 @@ +@@ -1020,7 +1113,7 @@ ## ## ## @@ -38700,7 +38798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## ## ## -@@ -1038,6 +1127,54 @@ +@@ -1038,6 +1131,54 @@ ######################################## ## @@ -38755,7 +38853,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ## Full management of the semanage ## module store. ## -@@ -1149,3 +1286,194 @@ +@@ -1149,3 +1290,194 @@ selinux_dontaudit_get_fs_mount($1) seutil_dontaudit_read_config($1) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 2af40c3..528de8e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.7.19 -Release: 51%{?dist} +Release: 52%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,10 @@ exit 0 %endif %changelog +* Mon Aug 30 2010 Miroslav Grepl 3.7.19-52 +- Fix label for /bin/mountpoint +- Allow fsadm to read virt blk image files + * Wed Aug 25 2010 Miroslav Grepl 3.7.19-51 - Allow seunshare fowner capability - Allow dovecot to manage postfix privet socket