- Allow hal_acl_t to getattr/setattr fixed_disk

Daniel J Walsh 2009-01-04 19:45:03 +00:00
parent 32363900ec
commit 5df2628335
2 changed files with 128 additions and 68 deletions


@ -2004,7 +2004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.1/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2008-11-11 16:13:41.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/java.te 2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/apps/java.te 2009-01-04 13:53:30.000000000 -0500
@@ -40,7 +40,7 @@
# Local policy
#
@ -2014,7 +2014,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow java_t self:fifo_file rw_fifo_file_perms;
allow java_t self:tcp_socket create_socket_perms;
allow java_t self:udp_socket create_socket_perms;
@@ -147,4 +147,11 @@
@@ -116,12 +116,13 @@
allow java_t java_tmp_t:file execute;
- libs_legacy_use_shared_libs(java_t)
libs_legacy_use_ld_so(java_t)
miscfiles_legacy_read_localization(java_t)
')
+libs_legacy_use_shared_libs(java_t)
+
optional_policy(`
nis_use_ypbind(java_t)
')
@@ -147,4 +148,11 @@
unconfined_domain_noaudit(unconfined_java_t)
unconfined_dbus_chat(unconfined_java_t)
@ -5496,7 +5511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.1/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-11-11 16:13:41.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if 2008-12-01 16:27:54.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if 2009-01-04 12:00:43.000000000 -0500
@@ -534,6 +534,24 @@
########################################
@ -7814,7 +7829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+permissive afs_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-11-25 09:45:43.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-12-29 10:16:33.000000000 -0500
@@ -1,12 +1,13 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -7874,10 +7889,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -64,11 +71,21 @@
@@ -64,11 +71,22 @@
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
@ -8432,7 +8448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-08 16:47:30.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2009-01-04 12:50:52.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@ -12351,7 +12367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2008-11-19 11:51:44.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2008-12-19 17:16:25.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2009-01-04 12:01:07.000000000 -0500
@@ -49,6 +49,15 @@
type hald_var_lib_t;
files_type(hald_var_lib_t)
@ -12368,7 +12384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Local policy
@@ -143,6 +152,7 @@
@@ -143,11 +152,16 @@
files_getattr_all_dirs(hald_t)
files_read_kernel_img(hald_t)
files_rw_lock_dirs(hald_t)
@ -12376,7 +12392,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
@@ -195,6 +205,7 @@
fs_list_inotifyfs(hald_t)
fs_list_auto_mountpoints(hald_t)
+fs_mount_dos_fs(hald_t)
+fs_unmount_dos_fs(hald_t)
+fs_manage_dos_files(hald_t)
+
files_getattr_all_mountpoints(hald_t)
mls_file_read_all_levels(hald_t)
@@ -195,6 +209,7 @@
seutil_read_file_contexts(hald_t)
sysnet_read_config(hald_t)
@ -12384,7 +12409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_use_unpriv_user_fds(hald_t)
userdom_dontaudit_search_user_home_dirs(hald_t)
@@ -277,6 +288,12 @@
@@ -277,6 +292,12 @@
')
optional_policy(`
@ -12397,7 +12422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
rpc_search_nfs_state_data(hald_t)
')
@@ -301,12 +318,16 @@
@@ -301,12 +322,16 @@
virt_manage_images(hald_t)
')
@ -12415,7 +12440,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow hald_acl_t self:process { getattr signal };
allow hald_acl_t self:fifo_file rw_fifo_file_perms;
@@ -346,12 +367,17 @@
@@ -321,6 +346,7 @@
manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t)
files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file })
+allow hald_t hald_var_run_t:dir mounton;
corecmd_exec_bin(hald_acl_t)
@@ -339,6 +365,8 @@
storage_getattr_removable_dev(hald_acl_t)
storage_setattr_removable_dev(hald_acl_t)
+storage_getattr_fixed_disk_dev(hald_acl_t)
+storage_setattr_fixed_disk_dev(hald_acl_t)
auth_use_nsswitch(hald_acl_t)
@@ -346,12 +374,17 @@
miscfiles_read_localization(hald_acl_t)
@ -12434,7 +12476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t)
allow hald_t hald_mac_t:process signal;
@@ -418,3 +444,49 @@
@@ -418,3 +451,49 @@
files_read_usr_files(hald_keymap_t)
miscfiles_read_localization(hald_keymap_t)
@ -18108,6 +18150,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_dontaudit_search_user_home_dirs(pyzor_t)
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.1/policy/modules/services/radvd.te
--- nsaserefpolicy/policy/modules/services/radvd.te 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/radvd.te 2009-01-04 12:30:51.000000000 -0500
@@ -22,7 +22,7 @@
#
# Local policy
#
-allow radvd_t self:capability { setgid setuid net_raw };
+allow radvd_t self:capability { setgid setuid net_raw net_admin };
dontaudit radvd_t self:capability sys_tty_config;
allow radvd_t self:process signal_perms;
allow radvd_t self:unix_dgram_socket create_socket_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.1/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/razor.if 2008-11-25 09:45:43.000000000 -0500
@ -19423,7 +19477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.1/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2008-11-25 09:01:08.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/sendmail.te 2008-11-25 10:40:18.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/services/sendmail.te 2009-01-04 12:51:01.000000000 -0500
@@ -1,5 +1,5 @@
-policy_module(sendmail, 1.8.2)
@ -19459,11 +19513,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corenet_all_recvfrom_unlabeled(sendmail_t)
corenet_all_recvfrom_netlabel(sendmail_t)
@@ -64,24 +69,29 @@
@@ -64,24 +69,30 @@
fs_getattr_all_fs(sendmail_t)
fs_search_auto_mountpoints(sendmail_t)
+fs_rw_anon_inodefs_files(sendmail_t)
+fs_list_inotifyfs(sendmail_t)
term_dontaudit_use_console(sendmail_t)
@ -19489,7 +19544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(sendmail_t)
@@ -89,23 +99,38 @@
@@ -89,23 +100,38 @@
libs_read_lib_files(sendmail_t)
logging_send_syslog_msg(sendmail_t)
@ -19530,7 +19585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -113,13 +138,19 @@
@@ -113,13 +139,19 @@
')
optional_policy(`
@ -19551,7 +19606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -127,24 +158,29 @@
@@ -127,24 +159,29 @@
')
optional_policy(`
@ -26456,7 +26511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-27 06:28:18.000000000 -0500
+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2009-01-04 13:57:22.000000000 -0500
@@ -30,8 +30,9 @@
')
@ -27133,7 +27188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -722,15 +740,27 @@
@@ -722,15 +740,29 @@
userdom_base_user_template($1)
@ -27148,26 +27203,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
- userdom_exec_user_home_content_files($1_t)
+ userdom_manage_tmp_role($1_r, $1_usertype)
+ userdom_manage_tmpfs_role($1_r, $1_usertype)
+
+ ifelse(`$1',`unconfined',`',`
+ gen_tunable(allow_$1_exec_content, true)
+
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
+ ')
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
+
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
+ ')
- userdom_change_password_template($1)
+ gen_tunable(allow_$1_exec_content, true)
+
+ tunable_policy(`allow_$1_exec_content',`
+ userdom_exec_user_tmp_files($1_usertype)
+ userdom_exec_user_home_content_files($1_usertype)
+ ')
+
+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',`
+ fs_exec_nfs_files($1_usertype)
+ ')
+
+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',`
+ fs_exec_cifs_files($1_usertype)
+ ')
##############################
#
@@ -746,70 +776,72 @@
@@ -746,70 +778,72 @@
allow $1_t self:context contains;
@ -27273,7 +27330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -846,6 +878,28 @@
@@ -846,6 +880,28 @@
# Local policy
#
@ -27302,7 +27359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
loadkeys_run($1_t,$1_r)
')
@@ -876,7 +930,7 @@
@@ -876,7 +932,7 @@
userdom_restricted_user_template($1)
@ -27311,17 +27368,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##############################
#
@@ -884,14 +938,18 @@
@@ -884,14 +940,18 @@
#
auth_role($1_r, $1_t)
- auth_search_pam_console_data($1_t)
+ auth_search_pam_console_data($1_usertype)
+
+ xserver_role($1_r, $1_t)
- dev_read_sound($1_t)
- dev_write_sound($1_t)
+ xserver_role($1_r, $1_t)
+
+ dev_read_sound($1_usertype)
+ dev_write_sound($1_usertype)
# gnome keyring wants to read this.
@ -27335,7 +27392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_dontaudit_send_audit_msgs($1_t)
# Need to to this just so screensaver will work. Should be moved to screensaver domain
@@ -899,28 +957,24 @@
@@ -899,28 +959,24 @@
selinux_get_enforce_mode($1_t)
optional_policy(`
@ -27370,7 +27427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -931,8 +985,7 @@
@@ -931,8 +987,7 @@
## </summary>
## <desc>
## <p>
@ -27380,7 +27437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </p>
## <p>
## This template creates a user domain, types, and
@@ -954,8 +1007,8 @@
@@ -954,8 +1009,8 @@
# Declarations
#
@ -27390,7 +27447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
userdom_common_user_template($1)
##############################
@@ -964,11 +1017,10 @@
@@ -964,11 +1019,10 @@
#
# port access is audited even if dac would not have allowed it, so dontaudit it here
@ -27403,7 +27460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# cjp: why?
files_read_kernel_symbol_table($1_t)
@@ -986,37 +1038,43 @@
@@ -986,37 +1040,43 @@
')
')
@ -27460,7 +27517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
#######################################
@@ -1050,7 +1108,7 @@
@@ -1050,7 +1110,7 @@
#
template(`userdom_admin_user_template',`
gen_require(`
@ -27469,7 +27526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
##############################
@@ -1059,8 +1117,7 @@
@@ -1059,8 +1119,7 @@
#
# Inherit rules for ordinary users.
@ -27479,7 +27536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
domain_obj_id_change_exemption($1_t)
role system_r types $1_t;
@@ -1083,7 +1140,8 @@
@@ -1083,7 +1142,8 @@
# Skip authentication when pam_rootok is specified.
allow $1_t self:passwd rootok;
@ -27489,7 +27546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
@@ -1106,8 +1164,6 @@
@@ -1106,8 +1166,6 @@
dev_getattr_generic_blk_files($1_t)
dev_getattr_generic_chr_files($1_t)
@ -27498,7 +27555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Allow MAKEDEV to work
dev_create_all_blk_files($1_t)
dev_create_all_chr_files($1_t)
@@ -1162,20 +1218,6 @@
@@ -1162,20 +1220,6 @@
# But presently necessary for installing the file_contexts file.
seutil_manage_bin_policy($1_t)
@ -27519,7 +27576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
postgresql_unconfined($1_t)
')
@@ -1221,6 +1263,7 @@
@@ -1221,6 +1265,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@ -27527,7 +27584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
@@ -1286,11 +1329,15 @@
@@ -1286,11 +1331,15 @@
interface(`userdom_user_home_content',`
gen_require(`
type user_home_t;
@ -27543,7 +27600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1387,7 +1434,7 @@
@@ -1387,7 +1436,7 @@
########################################
## <summary>
@ -27552,7 +27609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## </summary>
## <param name="domain">
## <summary>
@@ -1420,6 +1467,14 @@
@@ -1420,6 +1469,14 @@
allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1)
@ -27567,7 +27624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1435,9 +1490,11 @@
@@ -1435,9 +1492,11 @@
interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(`
type user_home_dir_t;
@ -27579,7 +27636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1494,6 +1551,25 @@
@@ -1494,6 +1553,25 @@
allow $1 user_home_dir_t:dir relabelto;
')
@ -27605,7 +27662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
## <summary>
## Create directories in the home dir root with
@@ -1547,9 +1623,9 @@
@@ -1547,9 +1625,9 @@
type user_home_dir_t, user_home_t;
')
@ -27617,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1568,6 +1644,8 @@
@@ -1568,6 +1646,8 @@
')
dontaudit $1 user_home_t:dir search_dir_perms;
@ -27626,7 +27683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1643,6 +1721,7 @@
@@ -1643,6 +1723,7 @@
type user_home_dir_t, user_home_t;
')
@ -27634,7 +27691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
files_search_home($1)
')
@@ -1741,6 +1820,62 @@
@@ -1741,6 +1822,62 @@
########################################
## <summary>
@ -27697,7 +27754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Execute user home files.
## </summary>
## <param name="domain">
@@ -1757,14 +1892,6 @@
@@ -1757,14 +1894,6 @@
files_search_home($1)
exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t)
@ -27712,7 +27769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -1787,6 +1914,46 @@
@@ -1787,6 +1916,46 @@
########################################
## <summary>
@ -27759,7 +27816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete files
## in a user home subdirectory.
## </summary>
@@ -2819,6 +2986,24 @@
@@ -2819,6 +2988,24 @@
########################################
## <summary>
@ -27784,7 +27841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to use user ttys.
## </summary>
## <param name="domain">
@@ -2851,6 +3036,7 @@
@@ -2851,6 +3038,7 @@
')
read_files_pattern($1,userdomain,userdomain)
@ -27792,7 +27849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
kernel_search_proc($1)
')
@@ -2965,6 +3151,24 @@
@@ -2965,6 +3153,24 @@
########################################
## <summary>
@ -27817,7 +27874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
@@ -2981,3 +3185,264 @@
@@ -2981,3 +3187,264 @@
allow $1 userdomain:dbus send_msg;
')
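Review bot: The commit title and the spec changelog name only the hal_acl_t fixed_disk getattr/setattr rules, but the refreshed policy patch appears to add three other grants that go unrecorded: `net_admin` in `allow radvd_t self:capability { setgid setuid net_raw net_admin };`, the `fs_mount_dos_fs(hald_t)` / `fs_unmount_dos_fs(hald_t)` / `fs_manage_dos_files(hald_t)` calls, and `allow hald_t hald_var_run_t:dir mounton;`. The page has lost the outer +/- column, so which lines are new is inferred from the hunk line counts; the radvd.te section is the clearest case. Each of these widens what a confined daemon may do, which is what someone auditing the policy looks for in the changelog, so I would add entries such as `- Allow radvd net_admin capability` and `- Allow hald to mount, unmount and manage dos filesystems`. The mounton rule also sits among the hald_acl_t rules although its source type is hald_t; moving it next to the other hald_t rules, or putting `# hald_t (not hald_acl_t) needs mounton here: <reason>` above it, would keep it from being read as an hald_acl_t permission.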


@ -1,4 +1,4 @@
%define distro redhat
%define distro redhat
%define polyinstatiate n
%define monolithic n
%if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1}
@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.1
Release: 14%{?dist}
Release: 15%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -446,6 +446,9 @@ exit 0
%endif
%changelog
* Sun Jan 4 2009 Dan Walsh <dwalsh@redhat.com> 3.6.1-15
- Allow hal_acl_t to getattr/setattr fixed_disk
* Sat Dec 27 2008 Dan Walsh <dwalsh@redhat.com> 3.6.1-14
- Change userdom_read_all_users_state to include reading symbolic links in /proc