diff --git a/policy-F12.patch b/policy-F12.patch index 9696638..6f1f1aa 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -7584,7 +7584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.6.32/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2009-11-13 10:04:43.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.te 2009-11-13 15:46:18.000000000 -0500 @@ -29,6 +29,7 @@ fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0); fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0); @@ -7612,7 +7612,23 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow tmpfs_t noxattrfs:filesystem associate; -@@ -250,9 +254,13 @@ +@@ -200,6 +204,7 @@ + # + type dosfs_t; + fs_noxattr_type(dosfs_t) ++files_mountpoint(dosfs_t) + allow dosfs_t fs_t:filesystem associate; + genfscon fat / gen_context(system_u:object_r:dosfs_t,s0) + genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0) +@@ -223,6 +228,7 @@ + # + type iso9660_t; + fs_noxattr_type(iso9660_t) ++files_mountpoint(iso9660_t) + genfscon iso9660 / gen_context(system_u:object_r:iso9660_t,s0) + genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) + +@@ -250,9 +256,13 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) 
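Review bot: The two `files_mountpoint()` lines added in the `@@ -200,6 +204,7 @@` and `@@ -223,6 +228,7 @@` sections of filesystem.te carry no comment, and the iso9660_t one is not covered by the changelog entry, which mentions only DOS file systems. As far as I know, the interface adds the type to the mountpoint attribute. If so, every domain already allowed to mount on all mount points gains that access on directories of fat/hfs (dosfs_t) and iso9660/udf (iso9660_t) media, not only the caller that prompted the change. That scope is worth confirming, since both types usually label removable media. I would add a line above each call, e.g. `# dirs on this fs may be used as mount points; needed by <caller domain, placeholder>`, and extend the changelog to name iso9660_t.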
@@ -14188,7 +14204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow $1 devicekit_t:process { ptrace signal_perms getattr }; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.32/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-09-16 10:01:19.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-11-05 08:28:20.000000000 -0500 ++++ serefpolicy-3.6.32/policy/modules/services/devicekit.te 2009-11-14 00:17:13.000000000 -0500 @@ -36,12 +36,15 @@ manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) @@ -14218,17 +14234,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) manage_files_pattern(devicekit_disk_t, devicekit_tmp_t, devicekit_tmp_t) -@@ -71,7 +77,9 @@ +@@ -71,7 +77,10 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) +kernel_read_fs_sysctls(devicekit_disk_t) kernel_read_software_raid_state(devicekit_disk_t) +kernel_read_system_state(devicekit_disk_t) ++kernel_request_load_module(devicekit_disk_t) kernel_setsched(devicekit_disk_t) corecmd_exec_bin(devicekit_disk_t) -@@ -79,21 +87,35 @@ +@@ -79,21 +88,35 @@ dev_rw_sysfs(devicekit_disk_t) dev_read_urand(devicekit_disk_t) dev_getattr_usbfs_dirs(devicekit_disk_t) @@ -14265,7 +14282,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(devicekit_disk_t) miscfiles_read_localization(devicekit_disk_t) -@@ -110,6 +132,7 @@ +@@ -110,6 +133,7 @@ ') optional_policy(` 
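Review bot: `kernel_request_load_module(devicekit_disk_t)` in the `@@ -71,7 +77,10 @@` section of devicekit.te is a functional addition that the 3.6.32-45 changelog does not record. It lets the disk daemon ask the kernel to load modules. Because this domain reacts to attached storage, that presumably includes filesystem drivers selected by the content of an untrusted device. I would add a changelog line such as `- Allow devicekit_disk_t to request kernel module loading` and a policy comment naming the operation that needs it, so the grant can be re-evaluated later. The other devicekit.te hunks visible here only renumber hunk headers.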
@@ -14273,7 +14290,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol policykit_domtrans_auth(devicekit_disk_t) policykit_read_lib(devicekit_disk_t) policykit_read_reload(devicekit_disk_t) -@@ -134,14 +157,26 @@ +@@ -134,14 +158,26 @@ udev_read_db(devicekit_disk_t) ') @@ -14301,7 +14318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t) -@@ -151,6 +186,7 @@ +@@ -151,6 +187,7 @@ kernel_read_system_state(devicekit_power_t) kernel_rw_hotplug_sysctls(devicekit_power_t) kernel_rw_kernel_sysctl(devicekit_power_t) @@ -14309,7 +14326,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(devicekit_power_t) corecmd_exec_shell(devicekit_power_t) -@@ -159,6 +195,7 @@ +@@ -159,6 +196,7 @@ domain_read_all_domains_state(devicekit_power_t) @@ -14317,7 +14334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_rw_generic_usb_dev(devicekit_power_t) dev_rw_netcontrol(devicekit_power_t) dev_rw_sysfs(devicekit_power_t) -@@ -167,12 +204,17 @@ +@@ -167,12 +205,17 @@ files_read_etc_files(devicekit_power_t) files_read_usr_files(devicekit_power_t) @@ -14335,7 +14352,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_read_all_users_state(devicekit_power_t) optional_policy(` -@@ -180,8 +222,11 @@ +@@ -180,8 +223,11 @@ ') optional_policy(` @@ -14348,7 +14365,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow devicekit_power_t devicekit_t:dbus send_msg; optional_policy(` -@@ -203,17 +248,23 @@ +@@ -203,17 +249,23 @@ optional_policy(` hal_domtrans_mac(devicekit_power_t) 
@@ -17142,8 +17159,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te --- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-10-07 16:06:40.000000000 -0400 -@@ -0,0 +1,140 @@ ++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-11-13 15:34:47.000000000 -0500 +@@ -0,0 +1,138 @@ + +policy_module(nut,1.0.0) + @@ -17184,7 +17201,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +allow upsd_t self:capability { setuid setgid }; + -+allow upsd_t self:netlink_route_socket r_netlink_socket_perms; +allow upsd_t self:unix_dgram_socket { create_socket_perms sendto }; +allow upsd_t self:tcp_socket create_stream_socket_perms; + @@ -17204,7 +17220,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_read_etc_files(upsd_t) +files_read_usr_files(upsd_t) + -+sysnet_read_config(upsd_t) ++auth_use_nsswitch(upsd_t) + +logging_send_syslog_msg(upsd_t) + @@ -17222,7 +17238,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow upsmon_t self:capability { dac_override setuid setgid }; + +allow upsmon_t self:fifo_file rw_fifo_file_perms; -+allow upsmon_t self:netlink_route_socket r_netlink_socket_perms; +allow upsmon_t self:unix_dgram_socket { create_socket_perms sendto }; +allow upsmon_t self:tcp_socket create_stream_socket_perms; + @@ -17243,7 +17258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +files_read_etc_files(upsmon_t) + -+sysnet_read_config(upsmon_t) ++auth_use_nsswitch(upsmon_t) + +init_read_utmp(upsmon_t) + diff --git a/selinux-policy.spec b/selinux-policy.spec index 71f9209..9c80438 100644 --- a/selinux-policy.spec 
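Review bot: Replacing `sysnet_read_config()` with `auth_use_nsswitch()` for upsd_t and upsmon_t (sections `@@ -17204,7 +17220,7 @@` and `@@ -17243,7 +17258,7 @@`) likely grants more than the changelog's "retrieve pwnam and resolve addresses". The interface typically also brings in whichever name-service backends the policy enables, and both domains create TCP sockets and hold setuid/setgid. The explicit `self:netlink_route_socket` rules are dropped in the same revision (sections `@@ -17184,7 +17201,6 @@` and `@@ -17222,7 +17238,6 @@`), presumably because the interface supplies them. That should be confirmed from the audit log after the update. A comment above each call, e.g. `# getpwnam() and host lookups; replaces sysnet_read_config + netlink_route_socket`, would record the intent.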
+++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 44%{?dist} +Release: 45%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,7 +445,11 @@ exit 0 %endif %changelog -* Tue Nov 10 2009 Dan Walsh 3.6.32-44 +* Fri Nov 13 2009 Dan Walsh 3.6.32-45 +- Allow mount on dos file systems +- fixes for upsmon and upsd to be able to retrieve pwnam and resolve addresses + +* Thu Nov 12 2009 Dan Walsh 3.6.32-44 - Add lighttpd file context to apache.fc - Allow tmpreaper to read /var/cache/yum - Allow kdump_t sys_rawio