patch from russell, Thu, 5 Oct 2006 22:44:49 +1000

Allow unconfined processes to see unlabeled processes in ps.

Removed a redundant rule in samba.te

Removed support for the pre-Fedora Red Hat code to create sym-links in /boot.

Removed support for devpts_t files in /tmp (there is no way that would ever 
work).

Allowed postgrey to create socket files.

Made the specs for the /lib and /lib64 directories better support stem 
compression.

Changelog

@@ -1,3 +1,4 @@
+- Patch from Russell Coker Thu, 5 Oct 2006
 - Move range transitions to modules.
 - Make number of MLS sensitivities, and number of MLS and MCS
   categories configurable as build options.

policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.16)
+policy_module(kernel,1.3.17)
 
 ########################################
 #
@@ -351,5 +351,6 @@ allow kern_unconfined unlabeled_t:dir_file_class_set *;
 allow kern_unconfined unlabeled_t:filesystem *;
 allow kern_unconfined unlabeled_t:association *;
 allow kern_unconfined unlabeled_t:packet *;
+allow kern_unconfined unlabeled_t:process ~{ transition dyntransition execmem execstack execheap };
 
 kernel_rw_all_sysctls(kern_unconfined)

policy/modules/kernel/terminal.te

@@ -1,5 +1,5 @@
 
-policy_module(terminal,1.1.9)
+policy_module(terminal,1.1.10)
 
 ########################################
 #
@@ -28,7 +28,6 @@ dev_node(console_device_t)
 type devpts_t;
 files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
-files_associate_tmp(devpts_t)
 fs_type(devpts_t)
 fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
 

policy/modules/services/mailman.te

@@ -1,5 +1,5 @@
 
-policy_module(mailman,1.1.7)
+policy_module(mailman,1.1.8)
 
 ########################################
 #
@@ -44,10 +44,12 @@ optional_policy(`
 	allow mailman_cgi_t mailman_archive_t:lnk_file create_lnk_perms;
 	allow mailman_cgi_t mailman_archive_t:file create_file_perms;
 
+	files_search_spool(mailman_cgi_t)
 
 	term_use_controlling_term(mailman_cgi_t)
 
-	files_search_spool(mailman_cgi_t)
+	# for python pre-compile foolishness
+	libs_dontaudit_write_lib_dirs(mailman_cgi_t)
 
 	apache_sigchld(mailman_cgi_t)
 	apache_use_fds(mailman_cgi_t)

policy/modules/services/postgrey.te

@@ -1,5 +1,5 @@
 
-policy_module(postgrey,1.0.2)
+policy_module(postgrey,1.0.3)
 
 ########################################
 #
@@ -40,7 +40,7 @@ files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
 allow postgrey_t postgrey_var_run_t:file create_file_perms;
 allow postgrey_t postgrey_var_run_t:sock_file manage_file_perms;
 allow postgrey_t postgrey_var_run_t:dir rw_dir_perms;
-files_pid_filetrans(postgrey_t,postgrey_var_run_t,file)
+files_pid_filetrans(postgrey_t,postgrey_var_run_t,{ file sock_file })
 
 kernel_read_system_state(postgrey_t)
 kernel_read_kernel_sysctls(postgrey_t)

policy/modules/services/samba.te

@@ -1,5 +1,5 @@
 
-policy_module(samba,1.2.10)
+policy_module(samba,1.2.11)
 
 #################################
 #
@@ -500,10 +500,6 @@ sysnet_read_config(smbmount_t)
 userdom_use_all_users_fds(smbmount_t)
 userdom_use_sysadm_ttys(smbmount_t)
 
-optional_policy(`
-	cups_read_rw_config(smbd_t)
-')
-
 optional_policy(`
 	nis_use_ypbind(smbmount_t)
 ')

policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.27)
+policy_module(init,1.3.28)
 
 gen_require(`
 	class passwd rootok;
@@ -430,11 +430,6 @@ ifdef(`distro_redhat',`
 
 	selinux_set_enforce_mode(initrc_t)
 
-	# Create and read /boot/kernel.h and /boot/System.map.
-	# Redhat systems typically create this file at boot time.
-	bootloader_create_runtime_file(initrc_t)
-	files_rw_boot_symlinks(initrc_t)
-
 	# These seem to be from the initrd
 	# during device initialization:
 	dev_create_generic_dirs(initrc_t)

policy/modules/system/libraries.fc

@@ -41,8 +41,10 @@ ifdef(`distro_redhat',`
 #
 # /lib(64)?
 #
-/lib(/.*)?					gen_context(system_u:object_r:lib_t,s0)
-/lib64(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib					-d	gen_context(system_u:object_r:lib_t,s0)
+/lib/.*						gen_context(system_u:object_r:lib_t,s0)
+/lib64					-d	gen_context(system_u:object_r:lib_t,s0)
+/lib64/.*					gen_context(system_u:object_r:lib_t,s0)
 /lib/.+\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
 /lib64/.+\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
 /lib/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
@@ -57,7 +59,8 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-/lib32(/.*)?					gen_context(system_u:object_r:lib_t,s0)
+/lib32					-d	gen_context(system_u:object_r:lib_t,s0)
+/lib32/.*					gen_context(system_u:object_r:lib_t,s0)
 /lib32/.+\.so(\.[^/]*)*			--	gen_context(system_u:object_r:shlib_t,s0)
 /lib32/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
 ')

policy/modules/system/libraries.if

@@ -201,6 +201,31 @@ interface(`libs_search_lib',`
 	allow $1 lib_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to write to library directories.
+## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to write to library directories.
+##	Typically this is used to quiet attempts to recompile
+##	python byte code.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_dontaudit_write_lib_dirs',`
+	gen_require(`
+		type lib_t;
+	')
+
+	dontaudit $1 lib_t:dir write;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete library directories.

policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.14)
+policy_module(libraries,1.3.15)
 
 ########################################
 #