- Allow nsplugin to look at autofs_t directory

This commit is contained in:
Daniel J Walsh 2008-10-24 12:14:54 +00:00
parent de61cc7d10
commit 3281238148
2 changed files with 143 additions and 51 deletions

View File

@ -1545,7 +1545,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.13/policy/modules/admin/vbetool.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vbetool.te serefpolicy-3.5.13/policy/modules/admin/vbetool.te
--- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-08-07 11:15:13.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/vbetool.te 2008-08-07 11:15:13.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/admin/vbetool.te 2008-10-17 10:31:26.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/admin/vbetool.te 2008-10-23 17:12:42.000000000 -0400
@@ -23,6 +23,9 @@ @@ -23,6 +23,9 @@
dev_rwx_zero(vbetool_t) dev_rwx_zero(vbetool_t)
dev_read_sysfs(vbetool_t) dev_read_sysfs(vbetool_t)
@ -1556,7 +1556,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
term_use_unallocated_ttys(vbetool_t) term_use_unallocated_ttys(vbetool_t)
libs_use_ld_so(vbetool_t) libs_use_ld_so(vbetool_t)
@@ -35,3 +38,8 @@ @@ -35,3 +38,9 @@
hal_write_log(vbetool_t) hal_write_log(vbetool_t)
hal_dontaudit_append_lib_files(vbetool_t) hal_dontaudit_append_lib_files(vbetool_t)
') ')
@ -1565,6 +1565,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ xserver_exec_pid(vbetool_t) + xserver_exec_pid(vbetool_t)
+ xserver_write_pid(vbetool_t) + xserver_write_pid(vbetool_t)
+') +')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.13/policy/modules/admin/vpn.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.if serefpolicy-3.5.13/policy/modules/admin/vpn.if
--- nsaserefpolicy/policy/modules/admin/vpn.if 2008-10-08 19:00:27.000000000 -0400 --- nsaserefpolicy/policy/modules/admin/vpn.if 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/admin/vpn.if 2008-10-17 10:31:26.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/admin/vpn.if 2008-10-17 10:31:26.000000000 -0400
@ -4059,8 +4060,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-10-17 10:31:26.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.fc 2008-10-23 14:40:47.000000000 -0400
@@ -0,0 +1,9 @@ @@ -0,0 +1,10 @@
+ +
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
+/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0) +/usr/lib(64)?/nspluginwrapper/plugin-config -- gen_context(system_u:object_r:nsplugin_config_exec_t,s0)
@ -4069,7 +4070,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.adobe(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.macromedia(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.gstreamer-.* gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0) +HOME_DIR/\.config/totem(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
+HOME_DIR/\.gcjwebplugin(/.*)? gen_context(system_u:object_r:nsplugin_home_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.5.13/policy/modules/apps/nsplugin.if
--- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-20 09:36:38.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.if 2008-10-20 09:36:38.000000000 -0400
@ -4373,8 +4375,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-17 16:06:37.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-23 14:17:48.000000000 -0400
@@ -0,0 +1,253 @@ @@ -0,0 +1,255 @@
+ +
+policy_module(nsplugin, 1.0.0) +policy_module(nsplugin, 1.0.0)
+ +
@ -4456,6 +4458,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+corenet_tcp_connect_streaming_port(nsplugin_t) +corenet_tcp_connect_streaming_port(nsplugin_t)
+corenet_tcp_connect_pulseaudio_port(nsplugin_t) +corenet_tcp_connect_pulseaudio_port(nsplugin_t)
+corenet_tcp_connect_http_port(nsplugin_t) +corenet_tcp_connect_http_port(nsplugin_t)
+corenet_tcp_connect_http_cache_port(nsplugin_t)
+corenet_tcp_sendrecv_generic_if(nsplugin_t) +corenet_tcp_sendrecv_generic_if(nsplugin_t)
+corenet_tcp_sendrecv_all_nodes(nsplugin_t) +corenet_tcp_sendrecv_all_nodes(nsplugin_t)
+ +
@ -4480,6 +4483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+fs_list_inotifyfs(nsplugin_t) +fs_list_inotifyfs(nsplugin_t)
+fs_getattr_tmpfs(nsplugin_t) +fs_getattr_tmpfs(nsplugin_t)
+fs_getattr_xattr_fs(nsplugin_t) +fs_getattr_xattr_fs(nsplugin_t)
+fs_search_auto_mountpoints(nsplugin_t)
+ +
+storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t) +storage_dontaudit_getattr_fixed_disk_dev(nsplugin_t)
+ +
@ -6168,7 +6172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-23 08:53:02.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-23 14:24:15.000000000 -0400
@@ -79,6 +79,7 @@ @@ -79,6 +79,7 @@
network_port(auth, tcp,113,s0) network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
@ -6181,7 +6185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
network_port(distccd, tcp,3632,s0) network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0) network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0) network_port(fingerd, tcp,79,s0)
+network_port(flash, tcp,1935,s0, udp,1935,s0) +network_port(flash, tcp,843,s0, tcp,1935,s0, udp,1935,s0)
network_port(ftp_data, tcp,20,s0) network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0) network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0) network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@ -10557,7 +10561,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400 --- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-23 08:58:26.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-23 10:30:58.000000000 -0400
@@ -20,6 +20,8 @@ @@ -20,6 +20,8 @@
# Declarations # Declarations
# #
@ -12387,7 +12391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0) +/var/lib/glpi/files(/.*)? gen_context(system_u:object_r:cron_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-3.5.13/policy/modules/services/cron.if
--- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/cron.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/cron.if 2008-10-23 17:00:09.000000000 -0400
@@ -35,39 +35,24 @@ @@ -35,39 +35,24 @@
# #
template(`cron_per_role_template',` template(`cron_per_role_template',`
@ -12691,7 +12695,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -584,3 +500,45 @@ @@ -584,3 +500,64 @@
dontaudit $1 system_crond_tmp_t:file append; dontaudit $1 system_crond_tmp_t:file append;
') ')
@ -12737,6 +12741,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+ read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t) + read_files_pattern($1, system_crond_var_lib_t, system_crond_var_lib_t)
+') +')
+
+########################################
+## <summary>
+## Manage lib files used by cron
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_lib_files',`
+ gen_require(`
+ type crond_var_lib_t;
+ ')
+
+
+ manage_files_pattern($1, crond_var_lib_t, crond_var_lib_t)
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.5.13/policy/modules/services/cron.te
--- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/cron.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/cron.te 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/cron.te 2008-10-17 10:31:27.000000000 -0400
@ -14439,8 +14462,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) /var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.if serefpolicy-3.5.13/policy/modules/services/dnsmasq.if
--- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/dnsmasq.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.if 2008-10-23 17:21:21.000000000 -0400
@@ -1 +1,137 @@ @@ -1 +1,156 @@
## <summary>dnsmasq DNS forwarder and DHCP server</summary> ## <summary>dnsmasq DNS forwarder and DHCP server</summary>
+ +
+######################################## +########################################
@ -14543,6 +14566,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
+######################################## +########################################
+## <summary> +## <summary>
+## Send dnsmasq a sigkill
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+#
+interface(`dnsmasq_delete_pid_files',`
+ gen_require(`
+ type dnsmasq_var_run_t;
+ ')
+
+ delete_files_pattern($1, dnsmasq_var_run_t, dnsmasq_var_run_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate +## All of the rules required to administrate
+## an dnsmasq environment +## an dnsmasq environment
+## </summary> +## </summary>
@ -14580,7 +14622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.5.13/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400 --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/dnsmasq.te 2008-10-23 16:59:49.000000000 -0400
@@ -10,6 +10,9 @@ @@ -10,6 +10,9 @@
type dnsmasq_exec_t; type dnsmasq_exec_t;
init_daemon_domain(dnsmasq_t, dnsmasq_exec_t) init_daemon_domain(dnsmasq_t, dnsmasq_exec_t)
@ -14619,6 +14661,31 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_sendrecv_dns_server_packets(dnsmasq_t) corenet_sendrecv_dns_server_packets(dnsmasq_t)
corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) corenet_sendrecv_dhcpd_server_packets(dnsmasq_t)
@@ -71,6 +73,8 @@
fs_getattr_all_fs(dnsmasq_t)
fs_search_auto_mountpoints(dnsmasq_t)
+auth_use_nsswitch(dnsmasq_t)
+
libs_use_ld_so(dnsmasq_t)
libs_use_shared_libs(dnsmasq_t)
@@ -78,14 +82,12 @@
miscfiles_read_localization(dnsmasq_t)
-sysnet_read_config(dnsmasq_t)
-
userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
sysadm_dontaudit_search_home_dirs(dnsmasq_t)
optional_policy(`
- nis_use_ypbind(dnsmasq_t)
+ cron_manage_lib_files(crond_var_lib_t)
')
optional_policy(`
@@ -95,3 +97,7 @@ @@ -95,3 +97,7 @@
optional_policy(` optional_policy(`
udev_read_db(dnsmasq_t) udev_read_db(dnsmasq_t)
@ -15569,7 +15636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.5.13/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/hal.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/hal.te 2008-10-23 10:40:11.000000000 -0400
@@ -49,6 +49,9 @@ @@ -49,6 +49,9 @@
type hald_var_lib_t; type hald_var_lib_t;
files_type(hald_var_lib_t) files_type(hald_var_lib_t)
@ -15601,7 +15668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_search_nfs_state_data(hald_t) rpc_search_nfs_state_data(hald_t)
') ')
@@ -300,6 +310,10 @@ @@ -300,12 +310,16 @@
vbetool_domtrans(hald_t) vbetool_domtrans(hald_t)
') ')
@ -15612,6 +15679,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
# #
# Hal acl local policy # Hal acl local policy
#
-allow hald_acl_t self:capability { dac_override fowner };
+allow hald_acl_t self:capability { dac_override fowner sys_resource };
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
@@ -344,13 +358,22 @@ @@ -344,13 +358,22 @@
libs_use_ld_so(hald_acl_t) libs_use_ld_so(hald_acl_t)
libs_use_shared_libs(hald_acl_t) libs_use_shared_libs(hald_acl_t)
@ -16800,7 +16874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# #
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.5.13/policy/modules/services/networkmanager.fc
--- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400 --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2008-09-24 09:07:28.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/networkmanager.fc 2008-10-23 16:31:49.000000000 -0400
@@ -1,8 +1,12 @@ @@ -1,8 +1,12 @@
+/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0) +/etc/NetworkManager/dispatcher\.d(/.*) gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
+ +
@ -16821,7 +16895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0) +/var/run/nm-dhclient.* gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.5.13/policy/modules/services/networkmanager.if
--- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400 --- nsaserefpolicy/policy/modules/services/networkmanager.if 2008-09-11 11:28:34.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/networkmanager.if 2008-10-23 16:34:49.000000000 -0400
@@ -118,6 +118,24 @@ @@ -118,6 +118,24 @@
######################################## ########################################
@ -16849,7 +16923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## <param name="domain"> ## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400 --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-10-23 16:47:42.000000000 -0400
@@ -33,9 +33,9 @@ @@ -33,9 +33,9 @@
# networkmanager will ptrace itself if gdb is installed # networkmanager will ptrace itself if gdb is installed
@ -16878,7 +16952,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_kernel_sysctls(NetworkManager_t) kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t) kernel_load_module(NetworkManager_t)
+kernel_read_debugfs(NetworkManager_t) +kernel_read_debugfs(NetworkManager_t)
+kernel_search_network_sysctl(NetworkManager_t) +kernel_rw_net_sysctls(NetworkManager_t)
corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_unlabeled(NetworkManager_t)
corenet_all_recvfrom_netlabel(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t)
@ -16950,13 +17024,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
bind_domtrans(NetworkManager_t) bind_domtrans(NetworkManager_t)
bind_manage_cache(NetworkManager_t) bind_manage_cache(NetworkManager_t)
+ bind_sigkill(NetworkManager_t)
bind_signal(NetworkManager_t) bind_signal(NetworkManager_t)
+ bind_signull(NetworkManager_t) + bind_signull(NetworkManager_t)
+ bind_sigkill(NetworkManager_t)
') ')
optional_policy(` optional_policy(`
@@ -151,8 +173,18 @@ @@ -151,8 +173,20 @@
') ')
optional_policy(` optional_policy(`
@ -16966,9 +17040,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+') +')
+ +
+optional_policy(` +optional_policy(`
+ dnsmasq_delete_pid_files(NetworkManager_t)
+ dnsmasq_domtrans(NetworkManager_t)
+ dnsmasq_initrc_domtrans(NetworkManager_t) + dnsmasq_initrc_domtrans(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_sigkill(NetworkManager_t) + dnsmasq_sigkill(NetworkManager_t)
+ dnsmasq_signal(NetworkManager_t)
+ dnsmasq_signull(NetworkManager_t) + dnsmasq_signull(NetworkManager_t)
+') +')
+ +
@ -16977,7 +17053,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -160,23 +192,48 @@ @@ -160,23 +194,48 @@
') ')
optional_policy(` optional_policy(`
@ -17001,9 +17077,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
openvpn_domtrans(NetworkManager_t) openvpn_domtrans(NetworkManager_t)
+ openvpn_sigkill(NetworkManager_t)
openvpn_signal(NetworkManager_t) openvpn_signal(NetworkManager_t)
+ openvpn_signull(NetworkManager_t) + openvpn_signull(NetworkManager_t)
+ openvpn_sigkill(NetworkManager_t)
+') +')
+ +
+optional_policy(` +optional_policy(`
@ -17028,7 +17104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -194,7 +251,9 @@ @@ -194,7 +253,9 @@
optional_policy(` optional_policy(`
vpn_domtrans(NetworkManager_t) vpn_domtrans(NetworkManager_t)
@ -19615,7 +19691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-23 14:47:03.000000000 -0400
@@ -13,25 +13,57 @@ @@ -13,25 +13,57 @@
type prelude_spool_t; type prelude_spool_t;
files_type(prelude_spool_t) files_type(prelude_spool_t)
@ -19717,7 +19793,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(prelude_audisp_t) dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t) dev_read_urand(prelude_audisp_t)
@@ -117,15 +161,142 @@ @@ -117,15 +161,143 @@
# Init script handling # Init script handling
domain_use_interactive_fds(prelude_audisp_t) domain_use_interactive_fds(prelude_audisp_t)
@ -19833,6 +19909,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+files_search_var_lib(prelude_lml_t) +files_search_var_lib(prelude_lml_t)
+ +
+fs_list_inotifyfs(prelude_lml_t) +fs_list_inotifyfs(prelude_lml_t)
+fs_read_anon_inodefs_files(prelude_lml_t)
+ +
+kernel_read_sysctl(prelude_lml_t) +kernel_read_sysctl(prelude_lml_t)
+ +
@ -19860,7 +19937,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
######################################## ########################################
# #
# prewikka_cgi Declarations # prewikka_cgi Declarations
@@ -134,6 +305,17 @@ @@ -134,6 +306,17 @@
optional_policy(` optional_policy(`
apache_content_template(prewikka) apache_content_template(prewikka)
files_read_etc_files(httpd_prewikka_script_t) files_read_etc_files(httpd_prewikka_script_t)
@ -23883,7 +23960,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.13/policy/modules/services/xserver.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.5.13/policy/modules/services/xserver.fc
--- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.fc 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/xserver.fc 2008-10-23 17:11:34.000000000 -0400
@@ -1,13 +1,15 @@ @@ -1,13 +1,15 @@
# #
# HOME_DIR # HOME_DIR
@ -23962,7 +24039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0) /var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.5.13/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.if 2008-10-08 19:00:27.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-21 11:39:30.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/xserver.if 2008-10-23 17:14:25.000000000 -0400
@@ -16,6 +16,7 @@ @@ -16,6 +16,7 @@
gen_require(` gen_require(`
type xkb_var_lib_t, xserver_exec_t, xserver_log_t; type xkb_var_lib_t, xserver_exec_t, xserver_log_t;
@ -25216,7 +25293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-16 17:21:16.000000000 -0400 --- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-16 17:21:16.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-10-23 17:11:00.000000000 -0400
@@ -8,6 +8,14 @@ @@ -8,6 +8,14 @@
## <desc> ## <desc>
@ -26983,7 +27060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; allow iscsid_t iscsi_tmp_t:dir manage_dir_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400 --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-08-13 15:24:56.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-10-20 14:06:44.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-10-23 15:34:21.000000000 -0400
@@ -60,12 +60,15 @@ @@ -60,12 +60,15 @@
# #
# /opt # /opt
@ -27010,10 +27087,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -115,9 +119,16 @@ @@ -115,9 +119,17 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -27027,7 +27105,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -133,6 +144,7 @@ @@ -133,6 +145,7 @@
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -27035,7 +27113,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -168,7 +180,8 @@ @@ -168,7 +181,8 @@
# Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv
# HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php
/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -27045,7 +27123,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -187,6 +200,7 @@ @@ -187,6 +201,7 @@
/usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -27053,7 +27131,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -246,7 +260,7 @@ @@ -246,7 +261,7 @@
# Flash plugin, Macromedia # Flash plugin, Macromedia
HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -27062,7 +27140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -267,6 +281,8 @@ @@ -267,6 +282,8 @@
/usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -27071,7 +27149,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Java, Sun Microsystems (JPackage SRPM) # Java, Sun Microsystems (JPackage SRPM)
/usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -291,6 +307,8 @@ @@ -291,6 +308,8 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@ -27080,7 +27158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') dnl end distro_redhat ') dnl end distro_redhat
# #
@@ -310,3 +328,15 @@ @@ -310,3 +329,15 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@ -29458,7 +29536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.5.13/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400 --- nsaserefpolicy/policy/modules/system/unconfined.te 2008-10-14 11:58:09.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/unconfined.te 2008-10-23 10:34:43.000000000 -0400
@@ -6,35 +6,76 @@ @@ -6,35 +6,76 @@
# Declarations # Declarations
# #
@ -29673,9 +29751,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- # cjp: this should probably be removed: - # cjp: this should probably be removed:
- postfix_domtrans_master(unconfined_t) - postfix_domtrans_master(unconfined_t)
-') -')
-
+ qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r) + qemu_per_role_template_notrans(unconfined, unconfined_t, unconfined_r)
-
-optional_policy(` -optional_policy(`
- pyzor_per_role_template(unconfined) - pyzor_per_role_template(unconfined)
+ tunable_policy(`allow_unconfined_qemu_transition',` + tunable_policy(`allow_unconfined_qemu_transition',`
@ -29753,7 +29831,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
######################################## ########################################
@@ -229,14 +293,43 @@ @@ -229,14 +293,52 @@
allow unconfined_execmem_t self:process { execstack execmem }; allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t) unconfined_domain_noaudit(unconfined_execmem_t)
@ -29795,9 +29873,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(` +optional_policy(`
+ gen_require(` + gen_require(`
+ type mplayer_exec_t; + type mplayer_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
') ')
+ domtrans_pattern(unconfined_t, mplayer_exec_t, unconfined_execmem_t)
+')
+
+optional_policy(`
+ tunable_policy(`allow_unconfined_nsplugin_transition',`', `
+ gen_require(`
+ type mozilla_exec_t;
+ ')
+ domtrans_pattern(unconfined_t, mozilla_exec_t, unconfined_execmem_t)
+ ')
+')
+ +
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.5.13/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400 --- nsaserefpolicy/policy/modules/system/userdomain.fc 2008-08-07 11:15:12.000000000 -0400
@ -33082,13 +33169,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) +gen_user(root, user, unconfined_r sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.5.13/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2008-08-07 11:15:14.000000000 -0400 --- nsaserefpolicy/support/Makefile.devel 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-17 10:31:27.000000000 -0400 +++ serefpolicy-3.5.13/support/Makefile.devel 2008-10-24 08:13:54.000000000 -0400
@@ -181,7 +181,7 @@ @@ -181,8 +181,8 @@
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module" @$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
@test -d $(@D) || mkdir -p $(@D) @test -d $(@D) || mkdir -p $(@D)
- $(call peruser-expansion,$(basename $(@F)),$@.role) - $(call peruser-expansion,$(basename $(@F)),$@.role)
- $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
+# $(call peruser-expansion,$(basename $(@F)),$@.role) +# $(call peruser-expansion,$(basename $(@F)),$@.role)
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp) +# $(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@ $(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
tmp/%.mod.fc: $(m4support) %.fc

View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.5.13 Version: 3.5.13
Release: 5%{?dist} Release: 6%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -462,6 +462,9 @@ exit 0
%endif %endif
%changelog %changelog
* Thu Oct 23 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-6
- Allow nsplugin to look at autofs_t directory
* Wed Oct 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-5 * Wed Oct 22 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-5
- Allow kerneloops to create tmp files - Allow kerneloops to create tmp files