diff --git a/policy-20090105.patch b/policy-20090105.patch index 85193520..0040cb21 100644 --- a/policy-20090105.patch +++ b/policy-20090105.patch @@ -6501,8 +6501,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc --- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-09 04:44:48.000000000 -0400 -@@ -0,0 +1,30 @@ ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.fc 2009-04-15 10:01:33.000000000 -0400 +@@ -0,0 +1,32 @@ +# Add programs here which should not be confined by SELinux +# e.g.: +# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) @@ -6522,6 +6522,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/opera/[^/]*/works -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib/opera/[^/]*/opera -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) 
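Review bot: The two new Opera entries in unconfineduser.fc match the version directory with `[^/]*`, while the Erlang entries just above use `[^/]+`; `/usr/lib/opera/[^/]+/opera` (and the same for `works`) would be tighter and consistent with them. Only `/usr/lib` is covered, whereas the Erlang entries list both `/usr/lib64` and `/usr/lib`, so a 64-bit install path would presumably keep its default label. Labelling a browser `execmem_exec_t` presumably lets a program that handles untrusted web content map memory both writable and executable. A one-line comment above the entries giving the reason or bug reference would make that trade-off reviewable.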
@@ -7177,8 +7179,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-09 05:43:27.000000000 -0400 -@@ -0,0 +1,402 @@ ++++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.te 2009-04-16 10:03:34.000000000 -0400 +@@ -0,0 +1,403 @@ +policy_module(unconfineduser, 1.0.0) + +######################################## @@ -7267,6 +7269,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +init_run_daemon(unconfined_t, unconfined_r) +init_domtrans_script(unconfined_t) ++init_chat(unconfined_t) + +libs_run_ldconfig(unconfined_t, unconfined_r) + @@ -12859,7 +12862,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.12/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-07 16:01:44.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/exim.te 2009-04-15 08:33:18.000000000 -0400 @@ -21,9 +21,20 @@ ## gen_tunable(exim_manage_user_files, false) 
@@ -14346,8 +14349,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.6.12/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-07 16:01:44.000000000 -0400 -@@ -0,0 +1,55 @@ ++++ serefpolicy-3.6.12/policy/modules/services/lircd.te 2009-04-16 09:47:17.000000000 -0400 +@@ -0,0 +1,58 @@ +policy_module(lircd,1.0.0) + +######################################## @@ -14393,6 +14396,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# /dev/lircd socket +manage_sock_files_pattern(lircd_t, lircd_sock_t, lircd_sock_t) +dev_filetrans(lircd_t, lircd_sock_t, sock_file ) ++dev_read_generic_usb_dev(lircd_t) + +logging_send_syslog_msg(lircd_t) + 
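Review bot: `dev_read_generic_usb_dev(lircd_t)` is added to lircd.te with no comment, unlike the `# /dev/lircd socket` block directly above it. The interface name suggests read access to any device node carrying the generic USB type rather than to a single receiver. A why-comment such as `# read USB-attached IR receivers` (reason to be confirmed by the author) would help a later audit decide whether the grant can be narrowed. The same applies to `fs_list_inotifyfs(lircd_t)` in the next hunk.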
@@ -14401,8 +14405,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +files_manage_generic_locks(lircd_t) +files_read_all_locks(lircd_t) + ++fs_list_inotifyfs(lircd_t) ++ +miscfiles_read_localization(lircd_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-3.6.12/policy/modules/services/lpd.if +--- nsaserefpolicy/policy/modules/services/lpd.if 2009-01-05 15:39:43.000000000 -0500 ++++ serefpolicy-3.6.12/policy/modules/services/lpd.if 2009-04-15 17:56:28.000000000 -0400 +@@ -134,6 +134,7 @@ + files_search_spool($1) + manage_dirs_pattern($1, print_spool_t, print_spool_t) + manage_files_pattern($1, print_spool_t, print_spool_t) ++ manage_lnk_files_pattern($1, print_spool_t, print_spool_t) + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.fc serefpolicy-3.6.12/policy/modules/services/mailman.fc --- nsaserefpolicy/policy/modules/services/mailman.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.6.12/policy/modules/services/mailman.fc 2009-04-07 16:01:44.000000000 -0400 @@ -17791,7 +17808,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.6.12/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-13 11:44:30.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/services/postfix.te 2009-04-15 08:35:07.000000000 -0400 @@ -6,6 +6,15 @@ # Declarations # 
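Review bot: `manage_lnk_files_pattern($1, print_spool_t, print_spool_t)` is added inside a shared interface in lpd.if, so every domain that calls the interface gains create and delete rights on symlinks in the print spool, while the spec changelog names only `cupsd_t`. Symlink management in a spool directory written by several domains is worth keeping narrow, because a domain that follows a link acts on a path chosen by whichever domain created it. If only cupsd needs this, the rule could live in the cups policy as `manage_lnk_files_pattern(cupsd_t, print_spool_t, print_spool_t)`. The interface header lies outside the hunk, so its name and callers cannot be checked from here.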
@@ -17870,7 +17887,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_master_t postfix_etc_t:file rw_file_perms; -@@ -142,6 +159,7 @@ +@@ -132,6 +149,7 @@ + # allow access to deferred queue and allow removing bogus incoming entries + manage_dirs_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_master_t, postfix_spool_t, postfix_spool_t) ++files_spool_filetrans(postfix_master_t, postfix_spool_t, dir) + + allow postfix_master_t postfix_spool_bounce_t:dir manage_dir_perms; + allow postfix_master_t postfix_spool_bounce_t:file getattr; +@@ -142,6 +160,7 @@ delete_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) rename_files_pattern(postfix_master_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t) @@ -17878,7 +17903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_all_sysctls(postfix_master_t) -@@ -153,6 +171,9 @@ +@@ -153,6 +172,9 @@ corenet_udp_sendrecv_generic_node(postfix_master_t) corenet_tcp_sendrecv_all_ports(postfix_master_t) corenet_udp_sendrecv_all_ports(postfix_master_t) @@ -17888,7 +17913,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_node(postfix_master_t) corenet_tcp_bind_amavisd_send_port(postfix_master_t) corenet_tcp_bind_smtp_port(postfix_master_t) -@@ -170,6 +191,8 @@ +@@ -170,6 +192,8 @@ domain_use_interactive_fds(postfix_master_t) files_read_usr_files(postfix_master_t) @@ -17897,7 +17922,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_dontaudit_search_ptys(postfix_master_t) -@@ -181,15 +204,14 @@ +@@ -181,15 +205,14 @@ mta_rw_aliases(postfix_master_t) mta_read_sendmail_bin(postfix_master_t) 
@@ -17917,7 +17942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -202,9 +224,29 @@ +@@ -202,9 +225,29 @@ ') optional_policy(` @@ -17947,7 +17972,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix bounce local policy -@@ -245,6 +287,10 @@ +@@ -219,6 +262,7 @@ + manage_dirs_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_t, postfix_spool_t) ++files_spool_filetrans(postfix_bounce_t, postfix_spool_t, dir) + + manage_dirs_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) + manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) +@@ -240,11 +284,16 @@ + manage_dirs_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_cleanup_t, postfix_spool_t, postfix_spool_t) ++files_spool_filetrans(postfix_cleanup_t, postfix_spool_t, dir) + + allow postfix_cleanup_t postfix_spool_bounce_t:dir list_dir_perms; corecmd_exec_bin(postfix_cleanup_t) @@ -17958,7 +17997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix local local policy -@@ -270,18 +316,29 @@ +@@ -270,18 +319,29 @@ files_read_etc_files(postfix_local_t) @@ -17988,7 +18027,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -292,8 +349,7 @@ +@@ -292,8 +352,7 @@ # # Postfix map local policy # 
@@ -17998,7 +18037,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; allow postfix_map_t self:unix_dgram_socket create_socket_perms; allow postfix_map_t self:tcp_socket create_stream_socket_perms; -@@ -340,10 +396,6 @@ +@@ -340,10 +399,6 @@ miscfiles_read_localization(postfix_map_t) @@ -18009,7 +18048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`read_default_t',` files_list_default(postfix_map_t) files_read_default_files(postfix_map_t) -@@ -356,6 +408,11 @@ +@@ -356,6 +411,11 @@ locallogin_dontaudit_use_fds(postfix_map_t) ') @@ -18021,7 +18060,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix pickup local policy -@@ -380,6 +437,7 @@ +@@ -380,6 +440,7 @@ # allow postfix_pipe_t self:fifo_file rw_fifo_file_perms; @@ -18029,7 +18068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol write_sock_files_pattern(postfix_pipe_t, postfix_private_t, postfix_private_t) -@@ -387,6 +445,12 @@ +@@ -387,6 +448,12 @@ rw_files_pattern(postfix_pipe_t, postfix_spool_t, postfix_spool_t) @@ -18042,7 +18081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -396,6 +460,15 @@ +@@ -396,6 +463,15 @@ ') optional_policy(` @@ -18058,7 +18097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -432,8 +505,11 @@ +@@ -432,8 +508,11 @@ ') optional_policy(` @@ -18072,7 +18111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -459,6 +535,15 @@ +@@ -459,6 +538,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) 
@@ -18088,7 +18127,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -513,7 +598,7 @@ +@@ -472,6 +560,7 @@ + manage_dirs_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + manage_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) + manage_lnk_files_pattern(postfix_qmgr_t, postfix_spool_t, postfix_spool_t) ++files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir) + + allow postfix_qmgr_t postfix_spool_bounce_t:dir list_dir_perms; + allow postfix_qmgr_t postfix_spool_bounce_t:file read_file_perms; +@@ -513,7 +602,7 @@ allow postfix_smtp_t postfix_spool_t:file rw_file_perms; @@ -18097,7 +18144,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` cyrus_stream_connect(postfix_smtp_t) -@@ -543,9 +628,18 @@ +@@ -543,9 +632,18 @@ # for OpenSSL certificates files_read_usr_files(postfix_smtpd_t) @@ -18116,7 +18163,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -572,15 +666,21 @@ +@@ -572,15 +670,21 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -25240,7 +25287,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-01-05 15:39:43.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-13 10:35:22.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/init.if 2009-04-16 10:03:08.000000000 -0400 @@ -280,6 +280,29 @@ kernel_dontaudit_use_fds($1) ') 
@@ -25432,7 +25479,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te --- nsaserefpolicy/policy/modules/system/init.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-13 08:06:15.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/init.te 2009-04-16 10:02:04.000000000 -0400 @@ -17,6 +17,20 @@ ## gen_tunable(init_upstart,false) @@ -25570,7 +25617,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_sendrecv_all_ports(initrc_t) corenet_udp_sendrecv_all_ports(initrc_t) corenet_tcp_connect_all_ports(initrc_t) -@@ -274,12 +312,14 @@ +@@ -270,16 +308,19 @@ + dev_rw_sysfs(initrc_t) + dev_list_usbfs(initrc_t) + dev_read_framebuffer(initrc_t) ++dev_write_framebuffer(initrc_t) + dev_read_realtime_clock(initrc_t) dev_read_sound_mixer(initrc_t) dev_write_sound_mixer(initrc_t) dev_setattr_all_chr_files(initrc_t) @@ -25586,7 +25638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_register_binary_executable_type(initrc_t) # rhgb-console writes to ramfs -@@ -328,7 +368,7 @@ +@@ -328,7 +369,7 @@ domain_sigchld_all_domains(initrc_t) domain_read_all_domains_state(initrc_t) domain_getattr_all_domains(initrc_t) @@ -25595,7 +25647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_getsession_all_domains(initrc_t) domain_use_interactive_fds(initrc_t) # for lsof which is used by alsa shutdown: -@@ -343,14 +383,13 @@ +@@ -343,14 +384,13 @@ files_getattr_all_pipes(initrc_t) files_getattr_all_sockets(initrc_t) files_purge_tmp(initrc_t) 
@@ -25611,7 +25663,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_exec_etc_files(initrc_t) files_read_usr_files(initrc_t) files_manage_urandom_seed(initrc_t) -@@ -366,7 +405,9 @@ +@@ -366,7 +406,9 @@ libs_rw_ld_so_cache(initrc_t) libs_exec_lib_files(initrc_t) @@ -25621,7 +25673,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(initrc_t) logging_manage_generic_logs(initrc_t) logging_read_all_logs(initrc_t) -@@ -451,7 +492,7 @@ +@@ -451,7 +493,7 @@ # Red Hat systems seem to have a stray # fd open from the initrd @@ -25630,7 +25682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_dontaudit_read_root_files(initrc_t) selinux_set_enforce_mode(initrc_t) -@@ -465,6 +506,7 @@ +@@ -465,6 +507,7 @@ storage_raw_read_fixed_disk(initrc_t) storage_raw_write_fixed_disk(initrc_t) @@ -25638,7 +25690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_create_boot_flag(initrc_t) files_rw_boot_symlinks(initrc_t) # wants to read /.fonts directory -@@ -498,6 +540,7 @@ +@@ -498,6 +541,7 @@ optional_policy(` #for /etc/rc.d/init.d/nfs to create /etc/exports rpc_write_exports(initrc_t) @@ -25646,7 +25698,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -516,6 +559,31 @@ +@@ -516,6 +560,31 @@ ') ') @@ -25678,7 +25730,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` amavis_search_lib(initrc_t) amavis_setattr_pid_files(initrc_t) -@@ -570,6 +638,10 @@ +@@ -570,6 +639,10 @@ dbus_read_config(initrc_t) optional_policy(` @@ -25689,7 +25741,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol networkmanager_dbus_chat(initrc_t) ') ') -@@ -647,6 +719,11 @@ +@@ -647,6 +720,11 @@ ') optional_policy(` 
@@ -25701,7 +25753,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_list_data(initrc_t) mailman_read_data_symlinks(initrc_t) ') -@@ -655,12 +732,6 @@ +@@ -655,12 +733,6 @@ mta_read_config(initrc_t) mta_dontaudit_read_spool_symlinks(initrc_t) ') @@ -25714,7 +25766,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ifdef(`distro_redhat',` -@@ -721,6 +792,9 @@ +@@ -721,6 +793,9 @@ # why is this needed: rpm_manage_db(initrc_t) @@ -25724,7 +25776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -733,10 +807,12 @@ +@@ -733,10 +808,12 @@ squid_manage_logs(initrc_t) ') @@ -25737,7 +25789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` ssh_dontaudit_read_server_keys(initrc_t) -@@ -754,6 +830,11 @@ +@@ -754,6 +831,11 @@ uml_setattr_util_sockets(initrc_t) ') @@ -25749,7 +25801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` unconfined_domain(initrc_t) -@@ -761,6 +842,8 @@ +@@ -761,6 +843,8 @@ # system-config-services causes avc messages that should be dontaudited unconfined_dontaudit_rw_pipes(daemon) ') @@ -25758,7 +25810,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` mono_domtrans(initrc_t) -@@ -768,6 +851,10 @@ +@@ -768,6 +852,10 @@ ') optional_policy(` @@ -25769,7 +25821,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol vmware_read_system_config(initrc_t) vmware_append_system_config(initrc_t) ') -@@ -790,3 +877,25 @@ +@@ -790,3 +878,25 @@ optional_policy(` zebra_read_config(initrc_t) ') 
@@ -28315,7 +28367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.12/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-11-11 16:13:48.000000000 -0500 -+++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-14 14:03:29.000000000 -0400 ++++ serefpolicy-3.6.12/policy/modules/system/unconfined.if 2009-04-15 10:11:28.000000000 -0400 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -28373,8 +28425,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow making the stack executable via mprotect; - # execstack implies execmem; - allow $1 self:process { execstack execmem }; -+ # execstack implies execmem; Turned off for F11 -+ allow $1 self:process { execstack }; ++ # execstack implies execmem; Bugzilla #211271 ++ allow $1 self:process { execmem execstack }; # auditallow $1 self:process execstack; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index c1b97f49..56325f62 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.12 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -440,6 +440,9 @@ exit 0 %endif %changelog +* Tue Apr 14 2009 Dan Walsh 3.6.12-6 +- Allow cupsd_t to create link files in print_spool_t + * Tue Apr 14 2009 Dan Walsh 3.6.12-5 - Allow audioentroy to read etc files
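Review bot: The new side of the unconfined.if hunk restores `execmem` in `allow $1 self:process { execmem execstack };`, reversing the earlier "Turned off for F11" line, and the only rationale given is `Bugzilla #211271`. Because `$1` is every domain passed to this interface, the rule re-grants writable-and-executable memory to all of them whenever the enclosing condition holds. A comment that states the reason in words, for example `# execmem restored: <reason from Bugzilla #211271>`, would let a reader judge the grant without opening the tracker. The enclosing conditional block starts outside the hunk, and the 3.6.12-6 changelog entry in the spec file does not mention this change.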