- Lots of fixes for initrc and other unconfined domains

This commit is contained in:
Daniel J Walsh 2009-09-08 14:30:36 +00:00
parent 72bc25da0e
commit 123ae9957d
2 changed files with 154 additions and 73 deletions


@ -989,7 +989,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
locallogin_dontaudit_use_fds(tzdata_t) locallogin_dontaudit_use_fds(tzdata_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.30/policy/modules/admin/usermanage.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.6.30/policy/modules/admin/usermanage.if
--- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/usermanage.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/admin/usermanage.if 2009-09-08 07:14:39.000000000 -0400
@@ -274,6 +274,11 @@ @@ -274,6 +274,11 @@
usermanage_domtrans_useradd($1) usermanage_domtrans_useradd($1)
role $2 types useradd_t; role $2 types useradd_t;
@ -1004,7 +1004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.30/policy/modules/admin/usermanage.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.6.30/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/usermanage.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/admin/usermanage.te 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/admin/usermanage.te 2009-09-08 07:19:05.000000000 -0400
@@ -209,6 +209,7 @@ @@ -209,6 +209,7 @@
files_manage_etc_files(groupadd_t) files_manage_etc_files(groupadd_t)
files_relabel_etc_files(groupadd_t) files_relabel_etc_files(groupadd_t)
@ -1046,7 +1046,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_manage_etc_files(useradd_t) files_manage_etc_files(useradd_t)
files_search_var_lib(useradd_t) files_search_var_lib(useradd_t)
@@ -468,15 +468,12 @@ @@ -465,18 +465,16 @@
selinux_compute_relabel_context(useradd_t)
selinux_compute_user_contexts(useradd_t)
+term_use_console(useradd_t)
term_use_all_user_ttys(useradd_t) term_use_all_user_ttys(useradd_t)
term_use_all_user_ptys(useradd_t) term_use_all_user_ptys(useradd_t)
@ -1065,19 +1069,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
init_use_fds(useradd_t) init_use_fds(useradd_t)
init_rw_utmp(useradd_t) init_rw_utmp(useradd_t)
@@ -494,10 +491,7 @@ @@ -494,10 +492,8 @@
userdom_use_unpriv_users_fds(useradd_t) userdom_use_unpriv_users_fds(useradd_t)
# Add/remove user home directories # Add/remove user home directories
-userdom_manage_user_home_content_dirs(useradd_t) -userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t) -userdom_manage_user_home_content_files(useradd_t)
-userdom_home_filetrans_user_home_dir(useradd_t) userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set) -userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
+userdom_manage_home_role(system_r, useradd_t) +userdom_manage_home_role(system_r, useradd_t)
mta_manage_spool(useradd_t) mta_manage_spool(useradd_t)
@@ -521,6 +515,12 @@ @@ -521,6 +517,12 @@
') ')
optional_policy(` optional_policy(`
@ -1398,7 +1402,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.30/policy/modules/apps/gnome.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.6.30/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/gnome.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/apps/gnome.if 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/apps/gnome.if 2009-09-08 07:07:37.000000000 -0400
@@ -89,5 +89,175 @@ @@ -89,5 +89,175 @@
allow $1 gnome_home_t:dir manage_dir_perms; allow $1 gnome_home_t:dir manage_dir_perms;
@ -4395,12 +4399,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.30/policy/modules/apps/wine.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-3.6.30/policy/modules/apps/wine.te
--- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/apps/wine.te 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-09-02 09:37:57.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/apps/wine.te 2009-09-08 07:24:41.000000000 -0400
@@ -9,20 +9,36 @@ @@ -9,20 +9,46 @@
type wine_t; type wine_t;
type wine_exec_t; type wine_exec_t;
application_domain(wine_t, wine_exec_t) application_domain(wine_t, wine_exec_t)
+role system_r types wine_t; +role system_r types wine_t;
+
+type wine_tmp_t;
+files_tmp_file(wine_tmp_t)
+ubac_constrained(wine_tmp_t)
######################################## ########################################
# #
@ -4414,6 +4422,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- unconfined_domain_noaudit(wine_t) - unconfined_domain_noaudit(wine_t)
+allow wine_t self:fifo_file manage_fifo_file_perms; +allow wine_t self:fifo_file manage_fifo_file_perms;
+ +
+can_exec(wine_t, wine_exec_t)
+
+manage_dirs_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+manage_files_pattern(wine_t, wine_tmp_t, wine_tmp_t)
+files_tmp_filetrans(wine_t, wine_tmp_t,{ file dir })
+
+domain_mmap_low_type(wine_t) +domain_mmap_low_type(wine_t)
+tunable_policy(`mmap_low_allowed',` +tunable_policy(`mmap_low_allowed',`
+ domain_mmap_low(wine_t) + domain_mmap_low(wine_t)
@ -4428,7 +4442,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
+ +
+optional_policy(` +optional_policy(`
+ unconfined_domain(wine_t) + unconfined_domain_noaudit(wine_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -4513,7 +4527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib(64)?/gimp/.*/plug-ins(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.30/policy/modules/kernel/corecommands.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.30/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/corecommands.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.if 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/kernel/corecommands.if 2009-09-07 07:16:21.000000000 -0400
@@ -893,6 +893,7 @@ @@ -893,6 +893,7 @@
read_lnk_files_pattern($1, bin_t, bin_t) read_lnk_files_pattern($1, bin_t, bin_t)
@ -4522,6 +4536,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -973,6 +974,7 @@
type bin_t;
')
+ manage_dirs_pattern($1, bin_t, exec_type)
manage_files_pattern($1, bin_t, exec_type)
manage_lnk_files_pattern($1, bin_t, bin_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/kernel/corenetwork.te.in 2009-08-31 13:40:47.000000000 -0400
@ -5246,7 +5268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <<none>> /var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.30/policy/modules/kernel/files.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.30/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/files.if 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/kernel/files.if 2009-09-07 06:40:00.000000000 -0400
@@ -110,6 +110,11 @@ @@ -110,6 +110,11 @@
## </param> ## </param>
# #
@ -5683,7 +5705,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.30/policy/modules/kernel/filesystem.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.30/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-04 11:37:45.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/kernel/filesystem.if 2009-09-08 07:44:43.000000000 -0400
@@ -1537,6 +1537,24 @@ @@ -1537,6 +1537,24 @@
######################################## ########################################
@ -6142,7 +6164,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/tty -c gen_context(system_u:object_r:devtty_t,s0) /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.30/policy/modules/kernel/terminal.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.30/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-07-14 14:19:57.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/kernel/terminal.if 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/kernel/terminal.if 2009-09-08 07:17:17.000000000 -0400
@@ -173,7 +173,7 @@ @@ -173,7 +173,7 @@
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
@ -8028,14 +8050,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+gen_user(xguest_u, user, xguest_r, s0, s0) +gen_user(xguest_u, user, xguest_r, s0, s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.30/policy/modules/services/abrt.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.fc serefpolicy-3.6.30/policy/modules/services/abrt.fc
--- nsaserefpolicy/policy/modules/services/abrt.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/services/abrt.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.6.30/policy/modules/services/abrt.fc 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/services/abrt.fc 2009-09-07 13:12:20.000000000 -0400
@@ -0,0 +1,13 @@ @@ -0,0 +1,13 @@
+ +
+/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0) +/etc/rc\.d/init\.d/abrt -- gen_context(system_u:object_r:abrt_initrc_exec_t,s0)
+ +
+/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0) +/etc/abrt(/.*)? gen_context(system_u:object_r:abrt_etc_t,s0)
+ +
+/usr/sbin/abrt -- gen_context(system_u:object_r:abrt_exec_t,s0) +/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
+ +
+/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0) +/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
+ +
@ -11273,7 +11295,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow $1 devicekit_t:process { ptrace signal_perms getattr }; allow $1 devicekit_t:process { ptrace signal_perms getattr };
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.30/policy/modules/services/devicekit.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.6.30/policy/modules/services/devicekit.te
--- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/devicekit.te 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/services/devicekit.te 2009-09-07 07:18:47.000000000 -0400
@@ -36,12 +36,15 @@ @@ -36,12 +36,15 @@
manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_dirs_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t) manage_files_pattern(devicekit_t, devicekit_var_run_t, devicekit_var_run_t)
@ -11295,7 +11317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# #
-allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio };
+allow devicekit_disk_t self:process signal_perms; +allow devicekit_disk_t self:process signal_perms;
+ +
allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
@ -11495,8 +11517,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# dovecot deliver local policy # dovecot deliver local policy
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.30/policy/modules/services/exim.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.30/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/exim.te 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/services/exim.te 2009-09-07 06:39:57.000000000 -0400
@@ -191,6 +191,10 @@ @@ -111,6 +111,7 @@
files_search_var(exim_t)
files_read_etc_files(exim_t)
files_read_etc_runtime_files(exim_t)
+files_getattr_all_mountpoints(exim_t)
fs_getattr_xattr_fs(exim_t)
fs_list_inotifyfs(exim_t)
@@ -191,6 +192,10 @@
') ')
optional_policy(` optional_policy(`
@ -11945,7 +11975,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.30/policy/modules/services/hal.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.30/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/services/hal.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/hal.te 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/services/hal.te 2009-09-07 07:18:31.000000000 -0400
@@ -55,6 +55,9 @@ @@ -55,6 +55,9 @@
type hald_var_lib_t; type hald_var_lib_t;
files_type(hald_var_lib_t) files_type(hald_var_lib_t)
@ -12184,6 +12214,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+permissive hddtemp_t; +permissive hddtemp_t;
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.30/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/inetd.te 2009-09-08 06:38:44.000000000 -0400
@@ -138,6 +138,8 @@
files_read_etc_files(inetd_t)
files_read_etc_runtime_files(inetd_t)
+auth_use_nsswitch(inetd_t)
+
logging_send_syslog_msg(inetd_t)
miscfiles_read_localization(inetd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.30/policy/modules/services/kerberos.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.6.30/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/services/kerberos.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/kerberos.te 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/services/kerberos.te 2009-08-31 13:40:47.000000000 -0400
@ -18321,7 +18363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.30/policy/modules/services/virt.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.30/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400 --- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/services/virt.te 2009-08-31 13:57:44.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/services/virt.te 2009-09-08 10:19:57.000000000 -0400
@@ -20,6 +20,28 @@ @@ -20,6 +20,28 @@
## </desc> ## </desc>
gen_tunable(virt_use_samba, false) gen_tunable(virt_use_samba, false)
@ -18367,7 +18409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
type virt_log_t; type virt_log_t;
logging_log_file(virt_log_t) logging_log_file(virt_log_t)
@@ -48,18 +75,38 @@ @@ -48,27 +75,58 @@
type virtd_initrc_exec_t; type virtd_initrc_exec_t;
init_script_file(virtd_initrc_exec_t) init_script_file(virtd_initrc_exec_t)
@ -18408,7 +18450,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
@@ -69,6 +116,14 @@ +manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+
manage_dirs_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir) filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
manage_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
@ -18423,7 +18470,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
manage_files_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -87,6 +142,7 @@ @@ -87,6 +145,7 @@
kernel_read_network_state(virtd_t) kernel_read_network_state(virtd_t)
kernel_rw_net_sysctls(virtd_t) kernel_rw_net_sysctls(virtd_t)
kernel_load_module(virtd_t) kernel_load_module(virtd_t)
@ -18431,7 +18478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_bin(virtd_t) corecmd_exec_bin(virtd_t)
corecmd_exec_shell(virtd_t) corecmd_exec_shell(virtd_t)
@@ -97,30 +153,52 @@ @@ -97,30 +156,52 @@
corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_generic_node(virtd_t)
corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t)
corenet_tcp_bind_generic_node(virtd_t) corenet_tcp_bind_generic_node(virtd_t)
@ -18487,7 +18534,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_ptmx(virtd_t) term_use_ptmx(virtd_t)
auth_use_nsswitch(virtd_t) auth_use_nsswitch(virtd_t)
@@ -130,7 +208,14 @@ @@ -130,7 +211,14 @@
logging_send_syslog_msg(virtd_t) logging_send_syslog_msg(virtd_t)
@ -18502,7 +18549,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',` tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs(virtd_t) fs_manage_nfs_dirs(virtd_t)
@@ -168,22 +253,35 @@ @@ -168,22 +256,35 @@
dnsmasq_domtrans(virtd_t) dnsmasq_domtrans(virtd_t)
dnsmasq_signal(virtd_t) dnsmasq_signal(virtd_t)
dnsmasq_kill(virtd_t) dnsmasq_kill(virtd_t)
@ -18525,16 +18572,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(` +optional_policy(`
+ lvm_domtrans(virtd_t) + lvm_domtrans(virtd_t)
+') +')
+
optional_policy(` +optional_policy(`
- qemu_domtrans(virtd_t)
+ policykit_dbus_chat(virtd_t) + policykit_dbus_chat(virtd_t)
+ policykit_domtrans_auth(virtd_t) + policykit_domtrans_auth(virtd_t)
+ policykit_domtrans_resolve(virtd_t) + policykit_domtrans_resolve(virtd_t)
+ policykit_read_lib(virtd_t) + policykit_read_lib(virtd_t)
+') +')
+
+optional_policy(` optional_policy(`
- qemu_domtrans(virtd_t)
+ qemu_spec_domtrans(virtd_t, svirt_t) + qemu_spec_domtrans(virtd_t, svirt_t)
qemu_read_state(virtd_t) qemu_read_state(virtd_t)
qemu_signal(virtd_t) qemu_signal(virtd_t)
@ -18543,7 +18590,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -196,8 +294,159 @@ @@ -196,8 +297,159 @@
xen_stream_connect(virtd_t) xen_stream_connect(virtd_t)
xen_stream_connect_xenstore(virtd_t) xen_stream_connect_xenstore(virtd_t)
@ -21415,7 +21462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.30/policy/modules/system/init.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.30/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/system/init.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/init.te 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/system/init.te 2009-09-08 07:47:24.000000000 -0400
@@ -17,6 +17,20 @@ @@ -17,6 +17,20 @@
## </desc> ## </desc>
gen_tunable(init_upstart, false) gen_tunable(init_upstart, false)
@ -21587,7 +21634,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+fs_unmount_all_fs(initrc_t) +fs_unmount_all_fs(initrc_t)
+fs_remount_all_fs(initrc_t) +fs_remount_all_fs(initrc_t)
+fs_getattr_all_fs(initrc_t) +fs_getattr_all_fs(initrc_t)
+fs_search_nfsd_fs(initrc_t) +fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t) +fs_getattr_nfsd_files(initrc_t)
+ +
+# initrc_t needs to do a pidof which requires ptrace +# initrc_t needs to do a pidof which requires ptrace
@ -21649,9 +21696,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_exec_etc_files(initrc_t) files_exec_etc_files(initrc_t)
files_read_usr_files(initrc_t) files_read_usr_files(initrc_t)
files_manage_urandom_seed(initrc_t) files_manage_urandom_seed(initrc_t)
@@ -325,47 +415,13 @@ @@ -324,48 +414,16 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t) files_list_default(initrc_t)
files_mounton_default(initrc_t) files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
-fs_register_binary_executable_type(initrc_t) -fs_register_binary_executable_type(initrc_t)
-# rhgb-console writes to ramfs -# rhgb-console writes to ramfs
@ -21699,7 +21749,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg(initrc_t) logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t) logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t) logging_read_all_logs(initrc_t)
@@ -374,13 +430,14 @@ @@ -374,19 +432,22 @@
miscfiles_read_localization(initrc_t) miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript # slapd needs to read cert files from its initscript
@ -21715,7 +21765,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_read_user_home_content_files(initrc_t) userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the # Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such # TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -422,8 +479,6 @@ # started from init should be placed in their own domain.
userdom_use_user_terminals(initrc_t)
+usermanage_domtrans_passwd(initrc_t)
+
ifdef(`distro_debian',`
dev_setattr_generic_dirs(initrc_t)
@@ -422,8 +483,6 @@
# init scripts touch this # init scripts touch this
clock_dontaudit_write_adjtime(initrc_t) clock_dontaudit_write_adjtime(initrc_t)
@ -21724,7 +21782,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# for integrated run_init to read run_init_type. # for integrated run_init to read run_init_type.
# happens during boot (/sbin/rc execs init scripts) # happens during boot (/sbin/rc execs init scripts)
seutil_read_default_contexts(initrc_t) seutil_read_default_contexts(initrc_t)
@@ -450,11 +505,9 @@ @@ -450,11 +509,9 @@
# Red Hat systems seem to have a stray # Red Hat systems seem to have a stray
# fd open from the initrd # fd open from the initrd
@ -21737,7 +21795,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# These seem to be from the initrd # These seem to be from the initrd
# during device initialization: # during device initialization:
dev_create_generic_dirs(initrc_t) dev_create_generic_dirs(initrc_t)
@@ -464,6 +517,7 @@ @@ -464,6 +521,7 @@
storage_raw_read_fixed_disk(initrc_t) storage_raw_read_fixed_disk(initrc_t)
storage_raw_write_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t)
@ -21745,11 +21803,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_create_boot_flag(initrc_t) files_create_boot_flag(initrc_t)
files_rw_boot_symlinks(initrc_t) files_rw_boot_symlinks(initrc_t)
# wants to read /.fonts directory # wants to read /.fonts directory
@@ -492,11 +546,13 @@ @@ -492,11 +550,17 @@
optional_policy(` optional_policy(`
bind_manage_config_dirs(initrc_t) bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t) bind_write_config(initrc_t)
+ bind_setattr_zone_dirs(initrc_t) + bind_setattr_zone_dirs(initrc_t)
+ ')
+
+ optional_policy(`
+ gnome_manage_gconf_config(initrc_t)
') ')
optional_policy(` optional_policy(`
@ -21759,7 +21821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -515,6 +571,33 @@ @@ -515,6 +579,33 @@
') ')
') ')
@ -21793,7 +21855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
amavis_search_lib(initrc_t) amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t) amavis_setattr_pid_files(initrc_t)
@@ -567,10 +650,19 @@ @@ -567,10 +658,19 @@
dbus_connect_system_bus(initrc_t) dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t) dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t) dbus_read_config(initrc_t)
@ -21813,7 +21875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -590,6 +682,10 @@ @@ -590,6 +690,10 @@
') ')
optional_policy(` optional_policy(`
@ -21824,7 +21886,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_usbfs(initrc_t) dev_read_usbfs(initrc_t)
# init scripts run /etc/hotplug/usb.rc # init scripts run /etc/hotplug/usb.rc
@@ -646,20 +742,20 @@ @@ -646,20 +750,20 @@
') ')
optional_policy(` optional_policy(`
@ -21851,7 +21913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@@ -668,6 +764,7 @@ @@ -668,6 +772,7 @@
mysql_stream_connect(initrc_t) mysql_stream_connect(initrc_t)
mysql_write_log(initrc_t) mysql_write_log(initrc_t)
@ -21859,7 +21921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -696,7 +793,6 @@ @@ -696,7 +801,6 @@
') ')
optional_policy(` optional_policy(`
@ -21867,7 +21929,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_write_ramfs_sockets(initrc_t) fs_write_ramfs_sockets(initrc_t)
fs_search_ramfs(initrc_t) fs_search_ramfs(initrc_t)
@@ -718,8 +814,6 @@ @@ -718,8 +822,6 @@
# bash tries ioctl for some reason # bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t) files_dontaudit_ioctl_all_pids(initrc_t)
@ -21876,7 +21938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -732,13 +826,16 @@ @@ -732,13 +834,16 @@
squid_manage_logs(initrc_t) squid_manage_logs(initrc_t)
') ')
@ -21893,7 +21955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -747,6 +844,7 @@ @@ -747,6 +852,7 @@
optional_policy(` optional_policy(`
udev_rw_db(initrc_t) udev_rw_db(initrc_t)
@ -21901,7 +21963,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -754,6 +852,15 @@ @@ -754,6 +860,15 @@
') ')
optional_policy(` optional_policy(`
@ -21917,7 +21979,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
unconfined_domain(initrc_t) unconfined_domain(initrc_t)
ifdef(`distro_redhat',` ifdef(`distro_redhat',`
@@ -764,6 +871,13 @@ @@ -764,6 +879,13 @@
optional_policy(` optional_policy(`
mono_domtrans(initrc_t) mono_domtrans(initrc_t)
') ')
@ -21931,7 +21993,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -789,3 +903,31 @@ @@ -789,3 +911,31 @@
optional_policy(` optional_policy(`
zebra_read_config(initrc_t) zebra_read_config(initrc_t)
') ')
@ -23636,6 +23698,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/cache/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
+/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0) +/var/run/davfs2(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.30/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2009-07-29 15:15:33.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/mount.if 2009-09-08 06:58:15.000000000 -0400
@@ -84,9 +84,11 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
+ type unconfined_mount_t;
')
allow $1 mount_t:process signal;
+ allow $1 unconfined_mount_t:process signal;
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.30/policy/modules/system/mount.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.6.30/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400 --- nsaserefpolicy/policy/modules/system/mount.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/mount.te 2009-08-31 13:40:47.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/system/mount.te 2009-08-31 13:40:47.000000000 -0400
@ -26011,7 +26088,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.gvfs(/.*)? <<none>> +HOME_DIR/\.gvfs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.30/policy/modules/system/userdomain.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.30/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400
+++ serefpolicy-3.6.30/policy/modules/system/userdomain.if 2009-09-01 07:40:59.000000000 -0400 +++ serefpolicy-3.6.30/policy/modules/system/userdomain.if 2009-09-07 06:34:54.000000000 -0400
@@ -30,8 +30,9 @@ @@ -30,8 +30,9 @@
') ')
@ -27140,15 +27217,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work # Allow MAKEDEV to work
dev_create_all_blk_files($1_t) dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t) dev_create_all_chr_files($1_t)
@@ -1124,6 +1247,7 @@ @@ -1124,6 +1247,8 @@
files_exec_usr_src_files($1_t) files_exec_usr_src_files($1_t)
fs_getattr_all_fs($1_t) fs_getattr_all_fs($1_t)
+ fs_getattr_all_files($1_t)
+ fs_list_all($1_t) + fs_list_all($1_t)
fs_set_all_quotas($1_t) fs_set_all_quotas($1_t)
fs_exec_noxattr($1_t) fs_exec_noxattr($1_t)
@@ -1152,20 +1276,6 @@ @@ -1152,20 +1277,6 @@
# But presently necessary for installing the file_contexts file. # But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t) seutil_manage_bin_policy($1_t)
@ -27169,7 +27247,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
postgresql_unconfined($1_t) postgresql_unconfined($1_t)
') ')
@@ -1211,6 +1321,7 @@ @@ -1211,6 +1322,7 @@
dev_relabel_all_dev_nodes($1) dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1) files_create_boot_flag($1)
@ -27177,7 +27255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi # Necessary for managing /boot/efi
fs_manage_dos_files($1) fs_manage_dos_files($1)
@@ -1276,11 +1387,15 @@ @@ -1276,11 +1388,15 @@
interface(`userdom_user_home_content',` interface(`userdom_user_home_content',`
gen_require(` gen_require(`
type user_home_t; type user_home_t;
@ -27193,7 +27271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1391,12 +1506,13 @@ @@ -1391,12 +1507,13 @@
') ')
allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_dir_t:dir search_dir_perms;
@ -27208,7 +27286,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -1429,6 +1545,14 @@ @@ -1429,6 +1546,14 @@
allow $1 user_home_dir_t:dir list_dir_perms; allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1) files_search_home($1)
@ -27223,7 +27301,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1444,9 +1568,11 @@ @@ -1444,9 +1569,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
type user_home_dir_t; type user_home_dir_t;
@ -27235,7 +27313,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1503,6 +1629,25 @@ @@ -1503,6 +1630,25 @@
allow $1 user_home_dir_t:dir relabelto; allow $1 user_home_dir_t:dir relabelto;
') ')
@ -27261,7 +27339,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
## <summary> ## <summary>
## Create directories in the home dir root with ## Create directories in the home dir root with
@@ -1577,6 +1722,8 @@ @@ -1577,6 +1723,8 @@
') ')
dontaudit $1 user_home_t:dir search_dir_perms; dontaudit $1 user_home_t:dir search_dir_perms;
@ -27270,7 +27348,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1670,6 +1817,7 @@ @@ -1670,6 +1818,7 @@
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -27278,7 +27356,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1) files_search_home($1)
') ')
@@ -1797,19 +1945,32 @@ @@ -1797,19 +1946,32 @@
# #
interface(`userdom_exec_user_home_content_files',` interface(`userdom_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -27318,7 +27396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -1844,6 +2005,7 @@ @@ -1844,6 +2006,7 @@
interface(`userdom_manage_user_home_content_files',` interface(`userdom_manage_user_home_content_files',`
gen_require(` gen_require(`
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
@ -27326,7 +27404,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
manage_files_pattern($1, user_home_t, user_home_t) manage_files_pattern($1, user_home_t, user_home_t)
@@ -2391,27 +2553,7 @@ @@ -2391,27 +2554,7 @@
######################################## ########################################
## <summary> ## <summary>
@ -27355,7 +27433,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2765,11 +2907,32 @@ @@ -2765,11 +2908,32 @@
# #
interface(`userdom_search_user_home_content',` interface(`userdom_search_user_home_content',`
gen_require(` gen_require(`
@ -27390,7 +27468,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -2897,7 +3060,25 @@ @@ -2897,7 +3061,25 @@
type user_tmp_t; type user_tmp_t;
') ')
@ -27417,7 +27495,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -2934,6 +3115,7 @@ @@ -2934,6 +3116,7 @@
') ')
read_files_pattern($1, userdomain, userdomain) read_files_pattern($1, userdomain, userdomain)
@ -27425,7 +27503,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1) kernel_search_proc($1)
') ')
@@ -3064,3 +3246,559 @@ @@ -3064,3 +3247,559 @@
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')


@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.30 Version: 3.6.30
Release: 4%{?dist} Release: 5%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -443,6 +443,9 @@ exit 0
%endif %endif
%changelog %changelog
* Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-5
- Lots of fixes for initrc and other unconfined domains
* Fri Sep 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-4 * Fri Sep 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.30-4
- Allow xserver to use netlink_kobject_uevent_socket - Allow xserver to use netlink_kobject_uevent_socket