- Eliminate mount_ntfs_t policy, merge into mount_t

This commit is contained in:
Daniel J Walsh 2007-07-31 17:53:29 +00:00
parent 07351eb493
commit 47a35fa722
2 changed files with 123 additions and 74 deletions

View File

@ -2233,7 +2233,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc 2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/corecommands.fc 2007-07-31 13:41:19.000000000 -0400
@@ -36,6 +36,11 @@
/etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0)
/etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0)
@ -2246,7 +2246,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco
/etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0)
/etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0)
@@ -217,6 +222,7 @@
@@ -127,7 +132,10 @@
/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
-/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/filter(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/backend(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/daemon(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
@@ -160,6 +168,7 @@
/usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/local/Brother/lpd(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
@@ -217,6 +226,7 @@
/usr/share/system-config-network/neat-control\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-nfs/nfs-export\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-nfs/system-config-nfs\.py -- gen_context(system_u:object_r:bin_t,s0)
@ -2317,8 +2337,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.4/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2007-06-15 14:54:30.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc 2007-07-25 13:27:51.000000000 -0400
@@ -53,7 +53,7 @@
+++ serefpolicy-3.0.4/policy/modules/kernel/devices.fc 2007-07-31 13:38:24.000000000 -0400
@@ -19,6 +19,7 @@
/dev/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
/dev/fb[0-9]* -c gen_context(system_u:object_r:framebuf_device_t,s0)
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
+/dev/[0-9].* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/fw.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hiddev.* -c gen_context(system_u:object_r:usb_device_t,s0)
/dev/hpet -c gen_context(system_u:object_r:clock_device_t,s0)
@@ -53,7 +54,7 @@
/dev/radio.* -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/dev/raw1394.* -c gen_context(system_u:object_r:v4l_device_t,s0)
@ -2327,7 +2355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/sequencer -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/sequencer2 -c gen_context(system_u:object_r:sound_device_t,s0)
/dev/smpte.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -65,6 +65,7 @@
@@ -65,6 +66,7 @@
/dev/tlk[0-3] -c gen_context(system_u:object_r:v4l_device_t,s0)
/dev/urandom -c gen_context(system_u:object_r:urandom_device_t,s0)
/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
@ -2335,7 +2363,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
/dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0)
ifdef(`distro_suse', `
/dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
@@ -127,3 +128,7 @@
@@ -127,3 +129,7 @@
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
@ -2656,6 +2684,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+ allow $1 root_t:dir rw_dir_perms;
+ allow $1 root_t:file { create getattr write };
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.0.4/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2007-07-25 10:37:36.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/files.te 2007-07-31 13:52:33.000000000 -0400
@@ -55,6 +55,7 @@
# compatibility aliases for removed types:
typealias etc_t alias automount_etc_t;
typealias etc_t alias snmpd_etc_t;
+typealias etc_t alias gconf_etc_t;
#
# etc_runtime_t is the type of various
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.4/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-07-03 07:05:38.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/kernel/filesystem.if 2007-07-30 10:20:15.000000000 -0400
@ -3708,8 +3747,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.fc serefpolicy-3.0.4/policy/modules/services/apcupsd.fc
--- nsaserefpolicy/policy/modules/services/apcupsd.fc 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.fc 2007-07-25 13:27:51.000000000 -0400
@@ -1,9 +1,10 @@
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.fc 2007-07-30 11:44:31.000000000 -0400
@@ -1,9 +1,11 @@
-ifdef(`distro_debian',`
-/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
-')
@ -3717,6 +3756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
/usr/sbin/apcupsd -- gen_context(system_u:object_r:apcupsd_exec_t,s0)
/var/log/apcupsd\.events.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
+/var/log/apcupsd\.status.* -- gen_context(system_u:object_r:apcupsd_log_t,s0)
/var/run/apcupsd\.pid -- gen_context(system_u:object_r:apcupsd_var_run_t,s0)
+
@ -3755,7 +3795,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.te serefpolicy-3.0.4/policy/modules/services/apcupsd.te
--- nsaserefpolicy/policy/modules/services/apcupsd.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/apcupsd.te 2007-07-30 11:42:36.000000000 -0400
@@ -16,6 +16,9 @@
type apcupsd_log_t;
logging_log_file(apcupsd_log_t)
@ -3798,19 +3838,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcu
dev_rw_generic_usb_dev(apcupsd_t)
@@ -56,9 +67,53 @@
@@ -55,6 +66,15 @@
files_read_etc_files(apcupsd_t)
files_search_locks(apcupsd_t)
+# Creates /etc/nologin
+files_manage_etc_runtime_files(apcupsd_t)
+files_etc_filetrans_etc_runtime(apcuspd_t,file)
+
+#apcupsd runs shutdown, probably need a shutdown domain
+init_rw_utmp(apcupsd_t)
+init_telinit(apcupsd_t)
+
+kernel_read_system_state(apcupsd_t)
+
libs_use_ld_so(apcupsd_t)
libs_use_shared_libs(apcupsd_t)
@@ -62,3 +82,41 @@
logging_send_syslog_msg(apcupsd_t)
miscfiles_read_localization(apcupsd_t)
@ -4503,7 +4547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.0.4/policy/modules/services/cups.fc
--- nsaserefpolicy/policy/modules/services/cups.fc 2007-05-29 14:10:57.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/cups.fc 2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/cups.fc 2007-07-31 13:36:05.000000000 -0400
@@ -8,6 +8,7 @@
/etc/cups/ppd/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/ppds\.dat -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@ -4512,14 +4556,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
/etc/cups/certs -d gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
/etc/cups/certs/.* -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -52,3 +53,4 @@
@@ -17,8 +18,6 @@
/usr/bin/cups-config-daemon -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/lib(64)?/cups/backend/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
-/usr/lib(64)?/cups/daemon/.* -- gen_context(system_u:object_r:cupsd_exec_t,s0)
/usr/lib(64)?/cups/daemon/cups-lpd -- gen_context(system_u:object_r:cupsd_lpd_exec_t,s0)
/usr/libexec/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
@@ -52,3 +51,4 @@
/var/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_var_run_t,s0)
/var/spool/cups(/.*)? gen_context(system_u:object_r:print_spool_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-25 14:08:39.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/cups.te 2007-07-31 12:58:26.000000000 -0400
@@ -81,12 +81,11 @@
# /usr/lib/cups/backend/serial needs sys_admin(?!)
allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@ -4534,6 +4587,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
allow cupsd_t self:tcp_socket create_stream_socket_perms;
allow cupsd_t self:udp_socket create_socket_perms;
allow cupsd_t self:appletalk_socket create_socket_perms;
@@ -105,7 +104,7 @@
# allow cups to execute its backend scripts
can_exec(cupsd_t, cupsd_exec_t)
-allow cupsd_t cupsd_exec_t:dir search;
+allow cupsd_t cupsd_exec_t:dir search_dir_perms;
allow cupsd_t cupsd_exec_t:lnk_file read;
manage_files_pattern(cupsd_t,cupsd_log_t,cupsd_log_t)
@@ -150,14 +149,17 @@
corenet_tcp_bind_reserved_port(cupsd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
@ -7605,7 +7667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.4/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/xserver.te 2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/services/xserver.te 2007-07-31 10:08:15.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@ -7702,16 +7764,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser
resmgr_stream_connect(xdm_t)
')
@@ -434,47 +453,15 @@
@@ -434,47 +453,19 @@
')
optional_policy(`
- unconfined_domain_noaudit(xdm_xserver_t)
- unconfined_domtrans(xdm_xserver_t)
-
+ rpm_dontaudit_rw_shm(xdm_xserver_t)
+')
- ifndef(`distro_redhat',`
- allow xdm_xserver_t self:process { execheap execmem };
- ')
+optional_policy(`
+ unconfined_rw_shm(xdm_xserver_t)
+ unconfined_execmem_rw_shm(xdm_xserver_t)
+')
@ -8238,7 +8303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.te serefpolicy-3.0.4/policy/modules/system/brctl.te
--- nsaserefpolicy/policy/modules/system/brctl.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.4/policy/modules/system/brctl.te 2007-07-27 13:35:00.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/brctl.te 2007-07-30 11:23:32.000000000 -0400
@@ -0,0 +1,50 @@
+policy_module(brctl,1.0.0)
+
@ -8262,7 +8327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/brctl.
+allow brctl_t self:tcp_socket create_socket_perms;
+allow brctl_t self:unix_dgram_socket create_socket_perms;
+
+dev_read_sysfs(brctl_t)
+dev_rw_sysfs(brctl_t)
+
+# Init script handling
+domain_use_interactive_fds(brctl_t)
@ -9438,13 +9503,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.4/policy/modules/system/mount.fc
--- nsaserefpolicy/policy/modules/system/mount.fc 2007-05-29 14:10:58.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/mount.fc 2007-07-25 13:27:51.000000000 -0400
@@ -1,4 +1,3 @@
+++ serefpolicy-3.0.4/policy/modules/system/mount.fc 2007-07-30 11:34:24.000000000 -0400
@@ -1,4 +1,2 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-
-/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.ntfs-3g -- gen_context(system_u:object_r:mount_ntfs_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.0.4/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2007-06-11 16:05:30.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/mount.if 2007-07-25 13:27:51.000000000 -0400
@ -9491,7 +9555,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.4/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/mount.te 2007-07-26 13:15:01.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/mount.te 2007-07-30 11:32:20.000000000 -0400
@@ -8,6 +8,13 @@
## <desc>
@ -9506,16 +9570,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
## Allow mount to mount any file
## </p>
## </desc>
@@ -16,19 +23,22 @@
@@ -16,19 +23,21 @@
type mount_t;
type mount_exec_t;
init_system_domain(mount_t,mount_exec_t)
+application_executable_file(mount_exec_t)
role system_r types mount_t;
+type mount_ntfs_t;
+type mount_ntfs_exec_t;
+init_system_domain(mount_ntfs_t, mount_ntfs_exec_t)
+typealias mount_t alias mount_ntfs_t;
+typealias mount_exec_t alias mount_ntfs_exec_t;
+
type mount_loopback_t; # customizable
files_type(mount_loopback_t)
@ -9532,7 +9595,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
########################################
#
@@ -36,7 +46,7 @@
@@ -36,7 +45,7 @@
#
# setuid/setgid needed to mount cifs
@ -9541,7 +9604,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
allow mount_t mount_loopback_t:file read_file_perms;
allow mount_t self:netlink_route_socket r_netlink_socket_perms;
@@ -51,6 +61,7 @@
@@ -51,6 +60,7 @@
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
@ -9549,7 +9612,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
@@ -101,6 +112,8 @@
@@ -101,6 +111,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@ -9558,7 +9621,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
libs_use_ld_so(mount_t)
libs_use_shared_libs(mount_t)
@@ -127,10 +140,15 @@
@@ -127,10 +139,15 @@
')
')
@ -9575,7 +9638,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
')
optional_policy(`
@@ -201,4 +219,54 @@
@@ -201,4 +218,29 @@
optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
unconfined_domain(unconfined_mount_t)
@ -9586,48 +9649,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
+
+########################################
+#
+# mount_ntfs local policy
+# ntfs local policy
+#
+allow mount_ntfs_t self:capability { setuid sys_admin };
+allow mount_ntfs_t self:fifo_file { read write };
+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_ntfs_t self:unix_dgram_socket { connect create };
+allow mount_t self:fifo_file { read write };
+allow mount_t self:unix_stream_socket create_stream_socket_perms;
+allow mount_t self:unix_dgram_socket { connect create };
+
+corecmd_read_bin_symlinks(mount_ntfs_t)
+corecmd_exec_shell(mount_ntfs_t)
+corecmd_exec_shell(mount_t)
+
+files_read_etc_files(mount_ntfs_t)
+files_search_all(mount_ntfs_t)
+fusermount_domtrans(mount_t)
+fusermount_use_fds(mount_t)
+
+libs_use_ld_so(mount_ntfs_t)
+libs_use_shared_libs(mount_ntfs_t)
+
+fusermount_domtrans(mount_ntfs_t)
+fusermount_use_fds(mount_ntfs_t)
+
+init_dontaudit_use_fds(mount_ntfs_t)
+
+kernel_read_system_state(mount_ntfs_t)
+
+logging_send_syslog_msg(mount_ntfs_t)
+
+miscfiles_read_localization(mount_ntfs_t)
+
+modutils_domtrans_insmod(mount_ntfs_t)
+
+mount_ntfs_domtrans(mount_t)
+
+storage_raw_read_fixed_disk(mount_ntfs_t)
+storage_raw_write_fixed_disk(mount_ntfs_t)
+# modutils_domtrans_insmod(mount_t)
+
+optional_policy(`
+ nscd_socket_use(mount_ntfs_t)
+')
+
+optional_policy(`
+ hal_write_log(mount_ntfs_t)
+ hal_use_fds(mount_ntfs_t)
+ hal_rw_pipes(mount_ntfs_t)
+ hal_write_log(mount_t)
+ hal_use_fds(mount_t)
+ hal_rw_pipes(mount_t)
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-3.0.4/policy/modules/system/netlabel.te
@ -9644,7 +9682,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlab
libs_use_ld_so(netlabel_mgmt_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.4/policy/modules/system/raid.te
--- nsaserefpolicy/policy/modules/system/raid.te 2007-06-15 14:54:34.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/raid.te 2007-07-25 13:27:51.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/raid.te 2007-07-31 09:56:48.000000000 -0400
@@ -19,7 +19,7 @@
# Local policy
#
@ -9654,6 +9692,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t
dontaudit mdadm_t self:capability sys_tty_config;
allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -70,6 +70,7 @@
userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
userdom_dontaudit_use_sysadm_ttys(mdadm_t)
+userdom_dontaudit_search_all_users_home_content(mdadm_t)
mta_send_mail(mdadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.4/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2007-05-30 11:47:29.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/selinuxutil.fc 2007-07-25 13:27:51.000000000 -0400
@ -10591,7 +10637,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf
+corecmd_exec_all_executables(unconfined_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.4/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-07-03 07:06:32.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-28 11:09:17.000000000 -0400
+++ serefpolicy-3.0.4/policy/modules/system/userdomain.if 2007-07-31 09:56:28.000000000 -0400
@@ -62,6 +62,10 @@
allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };

View File

@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.4
Release: 3%{?dist}
Release: 4%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -359,6 +359,9 @@ exit 0
%endif
%changelog
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-4
- Eliminate mount_ntfs_t policy, merge into mount_t
* Mon Jul 30 2007 Dan Walsh <dwalsh@redhat.com> 3.0.4-3
- Allow xserver to write to ramfs mounted by rhgb