diff --git a/policy-F15.patch b/policy-F15.patch index c3d81f9..de55537 100644 --- a/policy-F15.patch +++ b/policy-F15.patch @@ -5566,7 +5566,7 @@ index 93ac529..aafece7 100644 /usr/lib64/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:mozilla_exec_t,s0) +/usr/lib(64)?/xulrunner[^/]*/plugin-container -- gen_context(system_u:object_r:mozilla_plugin_exec_t,s0) diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if -index 9a6d67d..d88c02c 100644 +index 9a6d67d..19de023 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -29,6 +29,8 @@ interface(`mozilla_role',` @@ -5677,7 +5677,7 @@ index 9a6d67d..d88c02c 100644 + allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms }; + allow $1 mozilla_plugin_t:process { signal sigkill }; + -+ ++ allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms; +') + +######################################## @@ -5703,7 +5703,7 @@ index 9a6d67d..d88c02c 100644 ## Send and receive messages from ## mozilla over dbus. ## -@@ -204,3 +301,40 @@ interface(`mozilla_rw_tcp_sockets',` +@@ -204,3 +301,39 @@ interface(`mozilla_rw_tcp_sockets',` allow $1 mozilla_t:tcp_socket rw_socket_perms; ') @@ -5743,9 +5743,8 @@ index 9a6d67d..d88c02c 100644 + + dontaudit $1 mozilla_plugin_t:unix_stream_socket { read write }; +') -+ diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te -index 2a91fa8..3188ebc 100644 +index 2a91fa8..584c255 100644 --- a/policy/modules/apps/mozilla.te +++ b/policy/modules/apps/mozilla.te @@ -7,7 +7,7 @@ policy_module(mozilla, 2.3.0) @@ -5827,7 +5826,7 @@ index 2a91fa8..3188ebc 100644 pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +291,192 @@ optional_policy(` +@@ -266,3 +291,194 @@ optional_policy(` optional_policy(` thunderbird_domtrans(mozilla_t) ') 
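Review bot: The rule `allow mozilla_plugin_t $1:unix_stream_socket rw_socket_perms;` added in the `@@ -5677,7 +5677,7 @@` hunk makes this interface bidirectional — the caller could already connect to and use the plugin's stream sockets (`allow $1 mozilla_plugin_t:unix_stream_socket { connectto rw_socket_perms };`), and now the plugin domain gains read/write on the caller's sockets — but the interface's `## <summary>`/`## <desc>` block lies outside the hunk and presumably still describes only the caller-to-plugin direction. Extend the description with a sentence such as `## Also allows the plugin domain to read and write the caller's unix stream sockets.` so a role author calling this interface knows the plugin side gains access to its sockets. The 3.9.16-18 changelog entry in selinux-policy.spec at the end of the page does not mention this change either. The enclosing interface starts and ends outside the hunk.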
@@ -5991,6 +5990,7 @@ index 2a91fa8..3188ebc 100644 + nsplugin_manage_home_files(mozilla_plugin_t) + nsplugin_user_home_dir_filetrans(mozilla_plugin_t, dir) + nsplugin_user_home_filetrans(mozilla_plugin_t, file) ++ nsplugin_read_rw_files(mozilla_plugin_t); + nsplugin_signal(mozilla_plugin_t) +') + @@ -6007,6 +6007,7 @@ index 2a91fa8..3188ebc 100644 + xserver_use_user_fonts(mozilla_plugin_t) + xserver_read_user_iceauth(mozilla_plugin_t) + xserver_read_user_xauth(mozilla_plugin_t) ++ xserver_append_xdm_home_files(mozilla_plugin_t); +') + +tunable_policy(`use_nfs_home_dirs',` @@ -6169,10 +6170,10 @@ index 0000000..8d7c751 +') diff --git a/policy/modules/apps/namespace.te b/policy/modules/apps/namespace.te new file mode 100644 -index 0000000..ce7dbac +index 0000000..625dc1e --- /dev/null +++ b/policy/modules/apps/namespace.te -@@ -0,0 +1,38 @@ +@@ -0,0 +1,40 @@ +policy_module(namespace,1.0.0) + +######################################## @@ -6204,6 +6205,8 @@ index 0000000..ce7dbac +files_read_etc_files(namespace_init_t) +files_polyinstantiate_all(namespace_init_t) + ++auth_use_nsswitch(namespace_init_t) ++ +miscfiles_read_localization(namespace_init_t) + +userdom_manage_user_home_content_dirs(namespace_init_t) @@ -10943,7 +10946,7 @@ index bc534c1..b70ea07 100644 +# broken kernel +dontaudit can_change_object_identity can_change_object_identity:key link; diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc -index 16108f6..7307872 100644 +index 16108f6..a02d2cc 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -18,6 +18,7 @@ ifdef(`distro_redhat',` @@ -11028,7 +11031,7 @@ index 16108f6..7307872 100644 /usr/src(/.*)? gen_context(system_u:object_r:src_t,s0) /usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0) ') -@@ -227,6 +242,8 @@ ifndef(`distro_redhat',` +@@ -227,23 +242,27 @@ ifndef(`distro_redhat',` /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) 
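Review bot: `nsplugin_read_rw_files(mozilla_plugin_t);` in the `@@ -5991,6 +5990,7 @@` hunk and `xserver_append_xdm_home_files(mozilla_plugin_t);` in the `@@ -6007,6 +6007,7 @@` hunk both end with a semicolon, unlike every neighbouring call in the same blocks (`nsplugin_signal(mozilla_plugin_t)`, `xserver_read_user_xauth(mozilla_plugin_t)`). Refpolicy interface calls are m4 macros whose expansions already carry their own statement terminators, so the trailing `;` is at best a stray empty statement in the generated policy; I have not checked whether checkpolicy tolerates it, but it should be dropped either way: `nsplugin_read_rw_files(mozilla_plugin_t)` and `xserver_append_xdm_home_files(mozilla_plugin_t)`. Both `optional_policy` blocks start outside their hunks.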
@@ -11037,7 +11040,11 @@ index 16108f6..7307872 100644 /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -237,13 +254,14 @@ ifndef(`distro_redhat',` + + /var/lock(/.*)? gen_context(system_u:object_r:var_lock_t,s0) ++/var/lock -l gen_context(system_u:object_r:var_lock_t,s0) + + /var/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/lost\+found/.* <> /var/run -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh) @@ -11053,7 +11060,7 @@ index 16108f6..7307872 100644 /var/tmp/.* <> /var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /var/tmp/lost\+found/.* <> -@@ -252,3 +270,7 @@ ifndef(`distro_redhat',` +@@ -252,3 +271,7 @@ ifndef(`distro_redhat',` ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -16761,7 +16768,7 @@ index 0370dba..af5d229 100644 # interface(`aisexec_domtrans',` diff --git a/policy/modules/services/aisexec.te b/policy/modules/services/aisexec.te -index 97c9cae..c24bd66 100644 +index 97c9cae..568e37d 100644 --- a/policy/modules/services/aisexec.te +++ b/policy/modules/services/aisexec.te @@ -32,7 +32,7 @@ files_pid_file(aisexec_var_run_t) @@ -16773,7 +16780,7 @@ index 97c9cae..c24bd66 100644 allow aisexec_t self:process { setrlimit setsched signal }; allow aisexec_t self:fifo_file rw_fifo_file_perms; allow aisexec_t self:sem create_sem_perms; -@@ -81,6 +81,9 @@ logging_send_syslog_msg(aisexec_t) +@@ -81,11 +81,18 @@ logging_send_syslog_msg(aisexec_t) miscfiles_read_localization(aisexec_t) @@ -16783,6 +16790,15 @@ index 97c9cae..c24bd66 100644 optional_policy(` ccs_stream_connect(aisexec_t) ') + + optional_policy(` ++ corosync_domtrans(aisexec_t) ++') ++ ++optional_policy(` + # to communication with RHCS + rhcs_rw_dlm_controld_semaphores(aisexec_t) + diff --git a/policy/modules/services/ajaxterm.fc b/policy/modules/services/ajaxterm.fc new file mode 100644 index 0000000..aeb1888 
@@ -20118,6 +20134,16 @@ index 0000000..e7d2a5b +dev_search_sysfs(cachefiles_kernel_t) + +init_sigchld_script(cachefiles_kernel_t) +diff --git a/policy/modules/services/canna.fc b/policy/modules/services/canna.fc +index 5432d0e..f77df02 100644 +--- a/policy/modules/services/canna.fc ++++ b/policy/modules/services/canna.fc +@@ -20,4 +20,4 @@ + + /var/run/\.iroha_unix -d gen_context(system_u:object_r:canna_var_run_t,s0) + /var/run/\.iroha_unix/.* -s gen_context(system_u:object_r:canna_var_run_t,s0) +-/var/run/wnn-unix(/.*) gen_context(system_u:object_r:canna_var_run_t,s0) ++/var/run/wnn-unix(/.*)? gen_context(system_u:object_r:canna_var_run_t,s0) diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te index 1d25efe..1b16191 100644 --- a/policy/modules/services/canna.te @@ -21664,10 +21690,10 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..5187146 +index 0000000..32289dc --- /dev/null +++ b/policy/modules/services/colord.te -@@ -0,0 +1,95 @@ +@@ -0,0 +1,98 @@ +policy_module(colord,1.0.0) + +######################################## @@ -21734,16 +21760,15 @@ index 0000000..5187146 + +sysnet_dns_name_resolve(colord_t) + -+userdom_search_user_home_dirs(colord_t) ++fs_search_all(colord_t) ++fs_read_noxattr_fs_files(colord_t) + +tunable_policy(`use_nfs_home_dirs',` -+ fs_getattr_nfs(colord_t) -+ fs_search_nfs(colord_t) ++ fs_read_nfs_files(colord_t) +') + +tunable_policy(`use_samba_home_dirs',` -+ fs_getattr_cifs(colord_t) -+ fs_search_cifs(colord_t) ++ fs_read_cifs_files(colord_t) +') + +optional_policy(` @@ -21754,6 +21779,10 @@ index 0000000..5187146 +') + +optional_policy(` ++ gnome_read_gconf_home_files(colord_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(colord_t) + policykit_domtrans_auth(colord_t) + policykit_read_lib(colord_t) @@ -49113,7 +49142,7 @@ index cc83689..e83c909 100644 +') + 
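Review bot: In the colord.te section, `fs_search_all(colord_t)` and `fs_read_noxattr_fs_files(colord_t)` replace `userdom_search_user_home_dirs(colord_t)`, and the `use_nfs_home_dirs`/`use_samba_home_dirs` blocks go from getattr+search to `fs_read_nfs_files`/`fs_read_cifs_files`; that is a much broader grant than the home-directory search it replaces (read access to every file on a filesystem without xattr support, if I have the interface right), and nothing in the policy itself records why. Put a why-comment above the new rules — the changelog line `colord tries to read files off noxattr file systems` is the only rationale on the page — e.g. `# colord needs to read files on noxattr, nfs and cifs file systems (3.9.16-18)`. Before shipping, confirm that a narrower target than all noxattr-fs files is not sufficient, since a system daemon with read access to every removable or noxattr mount is a wider exposure than the search-only access it had before. The `optional_policy` block that gains `gnome_read_gconf_home_files(colord_t)` is fine as written.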
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te -index ea29513..890810e 100644 +index ea29513..f00a023 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -16,6 +16,34 @@ gen_require(` @@ -49272,7 +49301,7 @@ index ea29513..890810e 100644 corecmd_shell_domtrans(init_t, initrc_t) ',` # Run the shell in the sysadm role for single-user mode. -@@ -186,12 +234,118 @@ tunable_policy(`init_upstart',` +@@ -186,12 +234,119 @@ tunable_policy(`init_upstart',` sysadm_shell_domtrans(init_t) ') @@ -49285,6 +49314,7 @@ index ea29513..890810e 100644 +tunable_policy(`init_systemd',` + allow init_t self:unix_dgram_socket { create_socket_perms sendto }; + allow init_t self:process { setsockcreate setfscreate }; ++ allow init_t self:process { getcap setcap }; + allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; + allow init_t self:netlink_kobject_uevent_socket create_socket_perms; + # Until systemd is fixed @@ -49391,7 +49421,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -199,10 +353,25 @@ optional_policy(` +@@ -199,10 +354,25 @@ optional_policy(` ') optional_policy(` @@ -49417,7 +49447,7 @@ index ea29513..890810e 100644 unconfined_domain(init_t) ') -@@ -212,7 +381,7 @@ optional_policy(` +@@ -212,7 +382,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; @@ -49426,7 +49456,7 @@ index ea29513..890810e 100644 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -@@ -241,12 +410,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) +@@ -241,12 +411,15 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) 
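Review bot: `allow init_t self:process { getcap setcap };`, added in the `@@ -186,12 +234,119 @@` hunk, repeats the source, target and class of the line directly above it, `allow init_t self:process { setsockcreate setfscreate };`; refpolicy style merges these into one rule, `allow init_t self:process { setsockcreate setfscreate getcap setcap };`. A short why-comment would also help, since `setcap` lets init alter its own capability sets and the changelog only restates the grant (`Allow init_t getcap and setcap`); name the systemd operation that needs it, the way the neighbouring `# Until systemd is fixed` comment does. The `tunable_policy(\`init_systemd'` block ends outside the hunk.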
@@ -49442,7 +49472,7 @@ index ea29513..890810e 100644 init_write_initctl(initrc_t) -@@ -258,20 +430,32 @@ kernel_change_ring_buffer_level(initrc_t) +@@ -258,20 +431,32 @@ kernel_change_ring_buffer_level(initrc_t) kernel_clear_ring_buffer(initrc_t) kernel_get_sysvipc_info(initrc_t) kernel_read_all_sysctls(initrc_t) @@ -49479,7 +49509,7 @@ index ea29513..890810e 100644 corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -279,6 +463,7 @@ corenet_sendrecv_all_client_packets(initrc_t) +@@ -279,6 +464,7 @@ corenet_sendrecv_all_client_packets(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) @@ -49487,7 +49517,7 @@ index ea29513..890810e 100644 dev_write_kmsg(initrc_t) dev_write_rand(initrc_t) dev_write_urand(initrc_t) -@@ -291,6 +476,7 @@ dev_read_sound_mixer(initrc_t) +@@ -291,6 +477,7 @@ dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) dev_rw_lvm_control(initrc_t) @@ -49495,7 +49525,7 @@ index ea29513..890810e 100644 dev_delete_lvm_control_dev(initrc_t) dev_manage_generic_symlinks(initrc_t) dev_manage_generic_files(initrc_t) -@@ -298,13 +484,13 @@ dev_manage_generic_files(initrc_t) +@@ -298,13 +485,13 @@ dev_manage_generic_files(initrc_t) dev_delete_generic_symlinks(initrc_t) dev_getattr_all_blk_files(initrc_t) dev_getattr_all_chr_files(initrc_t) @@ -49511,7 +49541,7 @@ index ea29513..890810e 100644 domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) -@@ -316,6 +502,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) +@@ -316,6 +503,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t) domain_dontaudit_getattr_all_tcp_sockets(initrc_t) domain_dontaudit_getattr_all_dgram_sockets(initrc_t) domain_dontaudit_getattr_all_pipes(initrc_t) 
@@ -49519,7 +49549,7 @@ index ea29513..890810e 100644 files_getattr_all_dirs(initrc_t) files_getattr_all_files(initrc_t) -@@ -323,8 +510,10 @@ files_getattr_all_symlinks(initrc_t) +@@ -323,8 +511,10 @@ files_getattr_all_symlinks(initrc_t) files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) @@ -49531,7 +49561,7 @@ index ea29513..890810e 100644 files_delete_all_pids(initrc_t) files_delete_all_pid_dirs(initrc_t) files_read_etc_files(initrc_t) -@@ -340,8 +529,12 @@ files_list_isid_type_dirs(initrc_t) +@@ -340,8 +530,12 @@ files_list_isid_type_dirs(initrc_t) files_mounton_isid_type_dirs(initrc_t) files_list_default(initrc_t) files_mounton_default(initrc_t) @@ -49545,7 +49575,7 @@ index ea29513..890810e 100644 fs_list_inotifyfs(initrc_t) fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -351,6 +544,8 @@ fs_mount_all_fs(initrc_t) +@@ -351,6 +545,8 @@ fs_mount_all_fs(initrc_t) fs_unmount_all_fs(initrc_t) fs_remount_all_fs(initrc_t) fs_getattr_all_fs(initrc_t) @@ -49554,7 +49584,7 @@ index ea29513..890810e 100644 # initrc_t needs to do a pidof which requires ptrace mcs_ptrace_all(initrc_t) -@@ -363,6 +558,7 @@ mls_process_read_up(initrc_t) +@@ -363,6 +559,7 @@ mls_process_read_up(initrc_t) mls_process_write_down(initrc_t) mls_rangetrans_source(initrc_t) mls_fd_share_all_levels(initrc_t) @@ -49562,7 +49592,7 @@ index ea29513..890810e 100644 selinux_get_enforce_mode(initrc_t) -@@ -374,6 +570,7 @@ term_use_all_terms(initrc_t) +@@ -374,6 +571,7 @@ term_use_all_terms(initrc_t) term_reset_tty_labels(initrc_t) auth_rw_login_records(initrc_t) @@ -49570,7 +49600,7 @@ index ea29513..890810e 100644 auth_setattr_login_records(initrc_t) auth_rw_lastlog(initrc_t) auth_read_pam_pid(initrc_t) -@@ -394,13 +591,12 @@ logging_read_audit_config(initrc_t) +@@ -394,13 +592,12 @@ logging_read_audit_config(initrc_t) miscfiles_read_localization(initrc_t) # slapd needs to read cert files from its initscript 
@@ -49586,7 +49616,7 @@ index ea29513..890810e 100644 userdom_read_user_home_content_files(initrc_t) # Allow access to the sysadm TTYs. Note that this will give access to the # TTYs to any process in the initrc_t domain. Therefore, daemons and such -@@ -458,6 +654,10 @@ ifdef(`distro_gentoo',` +@@ -458,6 +655,10 @@ ifdef(`distro_gentoo',` sysnet_setattr_config(initrc_t) optional_policy(` @@ -49597,7 +49627,7 @@ index ea29513..890810e 100644 alsa_read_lib(initrc_t) ') -@@ -478,7 +678,7 @@ ifdef(`distro_redhat',` +@@ -478,7 +679,7 @@ ifdef(`distro_redhat',` # Red Hat systems seem to have a stray # fd open from the initrd @@ -49606,7 +49636,7 @@ index ea29513..890810e 100644 files_dontaudit_read_root_files(initrc_t) # These seem to be from the initrd -@@ -493,6 +693,7 @@ ifdef(`distro_redhat',` +@@ -493,6 +694,7 @@ ifdef(`distro_redhat',` files_create_boot_dirs(initrc_t) files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) @@ -49614,7 +49644,7 @@ index ea29513..890810e 100644 # wants to read /.fonts directory files_read_default_files(initrc_t) files_mountpoint(initrc_tmp_t) -@@ -522,8 +723,29 @@ ifdef(`distro_redhat',` +@@ -522,8 +724,29 @@ ifdef(`distro_redhat',` ') optional_policy(` @@ -49644,7 +49674,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -531,10 +753,17 @@ ifdef(`distro_redhat',` +@@ -531,10 +754,17 @@ ifdef(`distro_redhat',` rpc_write_exports(initrc_t) rpc_manage_nfs_state_data(initrc_t) ') @@ -49662,7 +49692,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -549,6 +778,39 @@ ifdef(`distro_suse',` +@@ -549,6 +779,39 @@ ifdef(`distro_suse',` ') ') @@ -49702,7 +49732,7 @@ index ea29513..890810e 100644 optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -561,6 +823,8 @@ optional_policy(` +@@ -561,6 +824,8 @@ optional_policy(` optional_policy(` apache_read_config(initrc_t) apache_list_modules(initrc_t) 
@@ -49711,7 +49741,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -577,6 +841,7 @@ optional_policy(` +@@ -577,6 +842,7 @@ optional_policy(` optional_policy(` cgroup_stream_connect_cgred(initrc_t) @@ -49719,7 +49749,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -589,6 +854,11 @@ optional_policy(` +@@ -589,6 +855,11 @@ optional_policy(` ') optional_policy(` @@ -49731,7 +49761,7 @@ index ea29513..890810e 100644 dev_getattr_printer_dev(initrc_t) cups_read_log(initrc_t) -@@ -605,9 +875,13 @@ optional_policy(` +@@ -605,9 +876,13 @@ optional_policy(` dbus_connect_system_bus(initrc_t) dbus_system_bus_client(initrc_t) dbus_read_config(initrc_t) @@ -49745,7 +49775,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -649,6 +923,11 @@ optional_policy(` +@@ -649,6 +924,11 @@ optional_policy(` ') optional_policy(` @@ -49757,7 +49787,7 @@ index ea29513..890810e 100644 inn_exec_config(initrc_t) ') -@@ -706,7 +985,13 @@ optional_policy(` +@@ -706,7 +986,13 @@ optional_policy(` ') optional_policy(` @@ -49771,7 +49801,7 @@ index ea29513..890810e 100644 mta_dontaudit_read_spool_symlinks(initrc_t) ') -@@ -729,6 +1014,10 @@ optional_policy(` +@@ -729,6 +1015,10 @@ optional_policy(` ') optional_policy(` @@ -49782,7 +49812,7 @@ index ea29513..890810e 100644 postgresql_manage_db(initrc_t) postgresql_read_config(initrc_t) ') -@@ -738,10 +1027,20 @@ optional_policy(` +@@ -738,10 +1028,20 @@ optional_policy(` ') optional_policy(` @@ -49803,7 +49833,7 @@ index ea29513..890810e 100644 quota_manage_flags(initrc_t) ') -@@ -750,6 +1049,10 @@ optional_policy(` +@@ -750,6 +1050,10 @@ optional_policy(` ') optional_policy(` @@ -49814,7 +49844,7 @@ index ea29513..890810e 100644 fs_write_ramfs_sockets(initrc_t) fs_search_ramfs(initrc_t) -@@ -771,8 +1074,6 @@ optional_policy(` +@@ -771,8 +1075,6 @@ optional_policy(` # bash tries ioctl for some reason files_dontaudit_ioctl_all_pids(initrc_t) 
@@ -49823,7 +49853,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -781,14 +1082,21 @@ optional_policy(` +@@ -781,14 +1083,21 @@ optional_policy(` ') optional_policy(` @@ -49845,7 +49875,7 @@ index ea29513..890810e 100644 optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -800,7 +1108,6 @@ optional_policy(` +@@ -800,7 +1109,6 @@ optional_policy(` ') optional_policy(` @@ -49853,7 +49883,7 @@ index ea29513..890810e 100644 udev_manage_pid_files(initrc_t) udev_manage_rules_files(initrc_t) ') -@@ -810,11 +1117,24 @@ optional_policy(` +@@ -810,11 +1118,24 @@ optional_policy(` ') optional_policy(` @@ -49879,7 +49909,7 @@ index ea29513..890810e 100644 ifdef(`distro_redhat',` # system-config-services causes avc messages that should be dontaudited -@@ -824,6 +1144,25 @@ optional_policy(` +@@ -824,6 +1145,25 @@ optional_policy(` optional_policy(` mono_domtrans(initrc_t) ') @@ -49905,7 +49935,7 @@ index ea29513..890810e 100644 ') optional_policy(` -@@ -849,3 +1188,42 @@ optional_policy(` +@@ -849,3 +1189,42 @@ optional_policy(` optional_policy(` zebra_read_config(initrc_t) ') @@ -54850,7 +54880,7 @@ index 025348a..4e2ca03 100644 +') + diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te -index d88f7c3..5f34c11 100644 +index d88f7c3..1a72d12 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -17,14 +17,12 @@ init_daemon_domain(udev_t, udev_exec_t) @@ -54950,14 +54980,17 @@ index d88f7c3..5f34c11 100644 logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) -@@ -186,6 +197,7 @@ ifdef(`distro_redhat',` +@@ -186,8 +197,9 @@ ifdef(`distro_redhat',` fs_manage_tmpfs_chr_files(udev_t) fs_relabel_tmpfs_blk_file(udev_t) fs_relabel_tmpfs_chr_file(udev_t) + fs_manage_hugetlbfs_dirs(udev_t) - term_search_ptys(udev_t) +- term_search_ptys(udev_t) ++ term_use_generic_ptys(udev_t) + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(udev_t) @@ -216,11 +228,16 @@ optional_policy(` ') 
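Review bot: Replacing `term_search_ptys(udev_t)` with `term_use_generic_ptys(udev_t)` in the udev.te `@@ -186,8 +197,9 @@` hunk widens udev from directory search on the pty filesystem to read/write on the generic pty device nodes themselves (if I have the refpolicy interface right), yet the 3.9.16-18 changelog entry in selinux-policy.spec does not list it. Add a why-comment above the call naming the udev rule or helper that needs a pty — the adjacent `# for arping used for static IP addresses on PCMCIA ethernet` comment is the model — and a changelog line, so the widening is traceable later. The enclosing `ifdef(\`distro_redhat'` block starts outside the hunk.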
diff --git a/selinux-policy.spec b/selinux-policy.spec
index fc200a5..c066533 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 17%{?dist}
+Release: 18%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,12 @@ exit 0
 %endif
 %changelog
+* Wed Apr 27 2011 Miroslav Grepl 3.9.16-18
+- Allow init_t getcap and setcap
+- Allow namespace_init_t to use nsswitch
+- aisexec will execute corosync
+- colord tries to read files off noxattr file systems
+
 * Tue Apr 26 2011 Miroslav Grepl 3.9.16-17 - Add back transition from unconfined to telepathy domains