- Update to upstream

This commit is contained in:
Miroslav Grepl 2011-01-17 18:42:12 +00:00
parent f16c69cb48
commit 86b1f12f92
4 changed files with 148 additions and 150 deletions

1
.gitignore vendored

@ -233,3 +233,4 @@ serefpolicy*
/serefpolicy-3.9.10.tgz
/serefpolicy-3.9.11.tgz
/serefpolicy-3.9.12.tgz
/serefpolicy-3.9.13.tgz


@ -1,18 +1,18 @@
diff --git a/Makefile b/Makefile
index 376acee..c5bb5f8 100644
index b8486a0..bec48d7 100644
--- a/Makefile
+++ b/Makefile
@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers
appdir := $(contextpath)
user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)
user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types) $(contextpath)/files/media $(user_default_contexts_names)
+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)
net_contexts := $(builddir)net_contexts
all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 6760c95..1a4fe06 100644
index ae29de3..d09e734 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -153,6 +153,8 @@ inherits file
@ -104,7 +104,7 @@ index 111d004..9df7b5e 100644
## have to reboot to set it back
## </p>
diff --git a/policy/global_tunables b/policy/global_tunables
index 3316f6e..6e82b1e 100644
index 4705ab6..262b5ba 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -13,21 +13,21 @@ gen_tunable(allow_execheap,false)
@ -132,7 +132,7 @@ index 3316f6e..6e82b1e 100644
## </p>
## </desc>
gen_tunable(allow_execstack,false)
@@ -61,15 +61,6 @@ gen_tunable(global_ssp,false)
@@ -68,15 +68,6 @@ gen_tunable(global_ssp,false)
## <desc>
## <p>
@ -148,7 +148,7 @@ index 3316f6e..6e82b1e 100644
## Allow any files/directories to be exported read/write via NFS.
## </p>
## </desc>
@@ -98,9 +89,24 @@ gen_tunable(use_samba_home_dirs,false)
@@ -105,9 +96,24 @@ gen_tunable(use_samba_home_dirs,false)
## <desc>
## <p>
@ -174,7 +174,7 @@ index 3316f6e..6e82b1e 100644
+gen_tunable(allow_console_login,false)
+
diff --git a/policy/mcs b/policy/mcs
index af90ef2..7534872 100644
index 358ce7c..60afbfe 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -86,10 +86,10 @@ mlsconstrain file { create relabelto }
@ -200,7 +200,7 @@ index af90ef2..7534872 100644
#
# MCS policy for SELinux-enabled databases
#
@@ -132,4 +135,7 @@ mlsconstrain db_procedure { drop getattr setattr execute install }
@@ -144,4 +147,7 @@ mlsconstrain db_language { drop getattr setattr relabelfrom execute }
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
( h1 dom h2 );
@ -8214,7 +8214,7 @@ index 9e5c83e..953e0e8 100644
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index b06df19..c0763c2 100644
index 5a07a43..e97e47f 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -86,6 +86,33 @@ interface(`corenet_rpc_port',`
@ -8251,7 +8251,7 @@ index b06df19..c0763c2 100644
## Define type to be a network client packet type
## </summary>
## <desc>
@@ -2149,9 +2176,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
@@ -2168,9 +2195,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
## </param>
#
interface(`corenet_tcp_recvfrom_unlabeled',`
@ -8266,7 +8266,7 @@ index b06df19..c0763c2 100644
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
@@ -2503,6 +2535,30 @@ interface(`corenet_all_recvfrom_netlabel',`
@@ -2522,6 +2554,30 @@ interface(`corenet_all_recvfrom_netlabel',`
########################################
## <summary>
@ -8298,10 +8298,10 @@ index b06df19..c0763c2 100644
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index edefaf3..900fc3d 100644
index f12e087..bb37cd3 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -16,6 +16,7 @@ attribute rpc_port_type;
attribute server_packet_type;
attribute corenet_unconfined_type;
@ -8309,7 +8309,7 @@ index edefaf3..900fc3d 100644
type ppp_device_t;
dev_node(ppp_device_t)
@@ -24,6 +25,7 @@ dev_node(ppp_device_t)
@@ -25,6 +26,7 @@ dev_node(ppp_device_t)
#
type tun_tap_device_t;
dev_node(tun_tap_device_t)
@ -8317,7 +8317,7 @@ index edefaf3..900fc3d 100644
########################################
#
@@ -33,6 +35,18 @@ dev_node(tun_tap_device_t)
@@ -34,6 +36,18 @@ dev_node(tun_tap_device_t)
#
# client_packet_t is the default type of IPv4 and IPv6 client packets.
#
@ -8336,7 +8336,7 @@ index edefaf3..900fc3d 100644
type client_packet_t, packet_type, client_packet_type;
#
@@ -64,20 +78,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
@@ -65,20 +79,25 @@ type hi_reserved_port_t, port_type, reserved_port_type, rpc_port_type;
type server_packet_t, packet_type, server_packet_type;
network_port(afs_bos, udp,7007,s0)
@ -8350,8 +8350,9 @@ index edefaf3..900fc3d 100644
network_port(amanda, udp,10080-10082,s0, tcp,10080-10083,s0)
network_port(amavisd_recv, tcp,10024,s0)
network_port(amavisd_send, tcp,10025,s0)
-network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
+network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
+network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
@ -8362,7 +8363,7 @@ index edefaf3..900fc3d 100644
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(certmaster, tcp,51235,s0)
network_port(chronyd, udp,323,s0)
@@ -85,6 +104,7 @@ network_port(clamd, tcp,3310,s0)
@@ -86,6 +105,7 @@ network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006-50008,s0, udp,50006-50008,s0)
network_port(cobbler, tcp,25151,s0)
@ -8370,7 +8371,7 @@ index edefaf3..900fc3d 100644
network_port(comsat, udp,512,s0)
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, tcp,6780-6799,s0, udp,32771,s0)
@@ -97,7 +117,9 @@ network_port(dict, tcp,2628,s0)
@@ -98,7 +118,9 @@ network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(epmap, tcp,135,s0, udp,135,s0)
@ -8380,7 +8381,7 @@ index edefaf3..900fc3d 100644
network_port(ftp, tcp,21,s0, tcp,990,s0, udp,990,s0)
network_port(ftp_data, tcp,20,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
@@ -111,7 +133,7 @@ network_port(hddtemp, tcp,7634,s0)
@@ -112,7 +134,7 @@ network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
@ -8389,7 +8390,7 @@ index edefaf3..900fc3d 100644
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
network_port(inetd_child, tcp,1,s0, udp,1,s0, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
@@ -125,43 +147,57 @@ network_port(iscsi, tcp,3260,s0)
@@ -126,43 +148,57 @@ network_port(iscsi, tcp,3260,s0)
network_port(isns, tcp,3205,s0, udp,3205,s0)
network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
network_port(jabber_interserver, tcp,5269,s0)
@ -8451,7 +8452,7 @@ index edefaf3..900fc3d 100644
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
@@ -176,43 +212,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
@@ -177,43 +213,49 @@ network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@ -8508,7 +8509,7 @@ index edefaf3..900fc3d 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
@@ -274,5 +316,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
@@ -275,5 +317,5 @@ allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_conn
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
@ -11128,7 +11129,7 @@ index e49c148..4d6bbf4 100644
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index b4ad6d7..67e89f0 100644
index d7468b3..5d2f9a1 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
@ -11201,7 +11202,7 @@ index b4ad6d7..67e89f0 100644
')
########################################
@@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
@@ -2890,6 +2928,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
## <summary>
@ -11226,7 +11227,7 @@ index b4ad6d7..67e89f0 100644
## Unconfined access to kernel module resources.
## </summary>
## <param name="domain">
@@ -2897,3 +2953,23 @@ interface(`kernel_unconfined',`
@@ -2905,3 +2961,23 @@ interface(`kernel_unconfined',`
typeattribute $1 kern_unconfined;
')
@ -11251,7 +11252,7 @@ index b4ad6d7..67e89f0 100644
+')
+
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 9e2e6d7..d5c4f76 100644
index 5001b89..d513268 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@ -11502,10 +11503,10 @@ index 3994e57..43aa641 100644
+
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 492bf76..00b786e 100644
index f3acfee..4cbc36c 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
@@ -274,7 +274,6 @@ interface(`term_dontaudit_read_console',`
## Domain allowed access.
## </summary>
## </param>
@ -11513,7 +11514,7 @@ index 492bf76..00b786e 100644
#
interface(`term_use_console',`
gen_require(`
@@ -292,9 +291,11 @@ interface(`term_use_console',`
@@ -299,9 +298,11 @@ interface(`term_use_console',`
interface(`term_dontaudit_use_console',`
gen_require(`
type console_device_t;
@ -11526,7 +11527,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -334,7 +335,7 @@ interface(`term_relabel_console',`
@@ -341,7 +342,7 @@ interface(`term_relabel_console',`
')
dev_list_all_dev_nodes($1)
@ -11535,7 +11536,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -651,6 +652,25 @@ interface(`term_use_controlling_term',`
@@ -658,6 +659,25 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
@ -11561,7 +11562,7 @@ index 492bf76..00b786e 100644
########################################
## <summary>
## Do not audit attempts to get attributes
@@ -848,7 +868,7 @@ interface(`term_dontaudit_use_all_ptys',`
@@ -855,7 +875,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode;
')
@ -11570,7 +11571,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -1116,7 +1136,7 @@ interface(`term_relabel_unallocated_ttys',`
@@ -1123,7 +1143,7 @@ interface(`term_relabel_unallocated_ttys',`
')
dev_list_all_dev_nodes($1)
@ -11579,7 +11580,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -1215,7 +1235,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
@@ -1222,7 +1242,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t;
')
@ -11588,7 +11589,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -1231,11 +1251,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
@@ -1238,11 +1258,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
#
interface(`term_getattr_all_ttys',`
gen_require(`
@ -11602,7 +11603,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -1252,10 +1274,12 @@ interface(`term_getattr_all_ttys',`
@@ -1259,10 +1281,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',`
gen_require(`
attribute ttynode;
@ -11615,7 +11616,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -1294,7 +1318,7 @@ interface(`term_relabel_all_ttys',`
@@ -1301,7 +1325,7 @@ interface(`term_relabel_all_ttys',`
')
dev_list_all_dev_nodes($1)
@ -11624,7 +11625,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -1352,7 +1376,7 @@ interface(`term_dontaudit_use_all_ttys',`
@@ -1359,7 +1383,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode;
')
@ -11633,7 +11634,7 @@ index 492bf76..00b786e 100644
')
########################################
@@ -1468,3 +1492,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
@@ -1475,3 +1499,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1)
')
@ -11657,7 +11658,7 @@ index 492bf76..00b786e 100644
+ allow $1 virtio_device_t:chr_file rw_chr_file_perms;
+')
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index e004757..b5be387 100644
index 361692e..0f09fb5 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -29,6 +29,7 @@ files_mountpoint(devpts_t)
@ -13478,7 +13479,7 @@ index 0000000..ec21f9a
+
+gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 1e0753e..4ae4116 100644
index e5bfdd4..f8785a0 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -12,15 +12,51 @@ role user_r;
@ -13533,7 +13534,7 @@ index 1e0753e..4ae4116 100644
vlock_run(user_t, user_r)
')
@@ -114,7 +150,7 @@ ifndef(`distro_redhat',`
@@ -118,7 +154,7 @@ ifndef(`distro_redhat',`
')
optional_policy(`
@ -13542,7 +13543,7 @@ index 1e0753e..4ae4116 100644
')
optional_policy(`
@@ -153,3 +189,4 @@ ifndef(`distro_redhat',`
@@ -157,3 +193,4 @@ ifndef(`distro_redhat',`
wireshark_role(user_r, user_t)
')
')
@ -31196,7 +31197,7 @@ index 7257526..7d73656 100644
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 539a7c9..4782bdb 100644
index 09aeffa..12d4432 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -10,7 +10,7 @@
@ -31208,37 +31209,40 @@ index 539a7c9..4782bdb 100644
## The type of the user domain.
## </summary>
## </param>
@@ -45,14 +45,6 @@ interface(`postgresql_role',`
@@ -51,15 +51,6 @@ interface(`postgresql_role',`
# Client local policy
#
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
- allow $2 user_sepgsql_table_t:db_table { create drop setattr };
- allow $2 user_sepgsql_table_t:db_column { create drop setattr };
-
- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
- allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
- allow $2 user_sepgsql_view_t:db_view { create drop setattr };
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
- ')
-
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
@@ -69,6 +61,14 @@ interface(`postgresql_role',`
allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
@@ -88,6 +79,16 @@ interface(`postgresql_role',`
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
+
+ allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };
+ allow $2 user_sepgsql_view_t:db_view { create drop setattr };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ ')
')
########################################
@@ -195,7 +195,7 @@ interface(`postgresql_search_db',`
@@ -286,7 +287,7 @@ interface(`postgresql_search_db',`
type postgresql_db_t;
')
@ -31247,7 +31251,7 @@ index 539a7c9..4782bdb 100644
')
########################################
@@ -207,6 +207,7 @@ interface(`postgresql_search_db',`
@@ -298,6 +299,7 @@ interface(`postgresql_search_db',`
## Domain allowed access.
## </summary>
## </param>
@ -31255,7 +31259,7 @@ index 539a7c9..4782bdb 100644
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
@@ -214,7 +215,7 @@ interface(`postgresql_manage_db',`
@@ -305,7 +307,7 @@ interface(`postgresql_manage_db',`
allow $1 postgresql_db_t:dir rw_dir_perms;
allow $1 postgresql_db_t:file rw_file_perms;
@ -31264,7 +31268,7 @@ index 539a7c9..4782bdb 100644
')
########################################
@@ -304,7 +305,6 @@ interface(`postgresql_tcp_connect',`
@@ -395,7 +397,6 @@ interface(`postgresql_tcp_connect',`
## Domain allowed access.
## </summary>
## </param>
@ -31272,7 +31276,7 @@ index 539a7c9..4782bdb 100644
#
interface(`postgresql_stream_connect',`
gen_require(`
@@ -312,10 +312,8 @@ interface(`postgresql_stream_connect',`
@@ -403,10 +404,8 @@ interface(`postgresql_stream_connect',`
')
files_search_pids($1)
@ -31285,21 +31289,24 @@ index 539a7c9..4782bdb 100644
')
########################################
@@ -361,13 +359,6 @@ interface(`postgresql_unpriv_client',`
@@ -459,6 +458,8 @@ interface(`postgresql_unpriv_client',`
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
- allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
- allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
- ')
-
+<<<<<<< .merge_file_hr5C3y
+=======
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
@@ -471,6 +472,7 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+>>>>>>> .merge_file_bHSs2v
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
@@ -381,6 +372,13 @@ interface(`postgresql_unpriv_client',`
@@ -492,6 +494,13 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
@ -31313,7 +31320,7 @@ index 539a7c9..4782bdb 100644
')
########################################
@@ -420,13 +418,10 @@ interface(`postgresql_unconfined',`
@@ -531,13 +540,10 @@ interface(`postgresql_unconfined',`
#
interface(`postgresql_admin',`
gen_require(`
@ -31331,7 +31338,7 @@ index 539a7c9..4782bdb 100644
')
typeattribute $1 sepgsql_admin_type;
@@ -439,14 +434,19 @@ interface(`postgresql_admin',`
@@ -550,14 +556,19 @@ interface(`postgresql_admin',`
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
@ -31352,10 +31359,10 @@ index 539a7c9..4782bdb 100644
postgresql_tcp_connect($1)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 4b18978..1ab2e1d 100644
index 8ed5067..f31634f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -15,16 +15,16 @@ gen_require(`
@@ -19,16 +19,16 @@ gen_require(`
#
## <desc>
@ -31378,7 +31385,7 @@ index 4b18978..1ab2e1d 100644
## </desc>
gen_tunable(sepgsql_unconfined_dbadm, true)
@@ -185,7 +185,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
@@ -241,7 +241,7 @@ allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
@ -31387,7 +31394,7 @@ index 4b18978..1ab2e1d 100644
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file manage_file_perms;
@@ -251,8 +251,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
@@ -307,8 +307,7 @@ domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
@ -43044,14 +43051,13 @@ index a442acc..133f7f8 100644
xen_rw_image_files(fsadm_t)
')
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 408f4e6..55c2d03 100644
index ede3231..6cdbda3 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -83,7 +83,7 @@ term_use_unallocated_ttys(getty_t)
@@ -83,6 +83,7 @@ term_use_unallocated_ttys(getty_t)
term_setattr_all_ttys(getty_t)
term_setattr_unallocated_ttys(getty_t)
term_setattr_console(getty_t)
-term_dontaudit_use_console(getty_t)
+term_use_console(getty_t)
auth_rw_login_records(getty_t)
@ -44494,10 +44500,10 @@ index 8232f91..cba1b30 100644
+ allow ipsec_mgmt_t $1:dbus send_msg;
+')
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d82ff45..6de1ab4 100644
index 98d6081..fbc8601 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -72,7 +72,7 @@ role system_r types setkey_t;
@@ -73,7 +73,7 @@ role system_r types setkey_t;
#
allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
@ -44506,9 +44512,9 @@ index d82ff45..6de1ab4 100644
allow ipsec_t self:process { getcap setcap getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
allow ipsec_t self:udp_socket create_socket_perms;
@@ -94,9 +94,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
@@ -95,9 +95,10 @@ manage_dirs_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
manage_files_pattern(ipsec_t, ipsec_tmp_t, ipsec_tmp_t)
files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
files_tmp_filetrans(ipsec_t, ipsec_tmp_t, { dir file })
+manage_dirs_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
@ -44518,7 +44524,7 @@ index d82ff45..6de1ab4 100644
can_exec(ipsec_t, ipsec_mgmt_exec_t)
@@ -107,7 +108,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
@@ -108,7 +109,7 @@ can_exec(ipsec_t, ipsec_mgmt_exec_t)
corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
allow ipsec_mgmt_t ipsec_t:fd use;
allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
@ -44527,7 +44533,7 @@ index d82ff45..6de1ab4 100644
allow ipsec_mgmt_t ipsec_t:process sigchld;
kernel_read_kernel_sysctls(ipsec_t)
@@ -149,6 +150,7 @@ domain_use_interactive_fds(ipsec_t)
@@ -150,6 +151,7 @@ domain_use_interactive_fds(ipsec_t)
files_list_tmp(ipsec_t)
files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
@ -44535,7 +44541,7 @@ index d82ff45..6de1ab4 100644
fs_getattr_all_fs(ipsec_t)
fs_search_auto_mountpoints(ipsec_t)
@@ -166,6 +168,8 @@ logging_send_syslog_msg(ipsec_t)
@@ -167,6 +169,8 @@ logging_send_syslog_msg(ipsec_t)
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@ -44544,7 +44550,7 @@ index d82ff45..6de1ab4 100644
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
@@ -184,8 +188,8 @@ optional_policy(`
@@ -185,8 +189,8 @@ optional_policy(`
#
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@ -44555,7 +44561,7 @@ index d82ff45..6de1ab4 100644
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
@@ -224,7 +228,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
@@ -225,7 +229,6 @@ allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@ -44563,7 +44569,7 @@ index d82ff45..6de1ab4 100644
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
@@ -243,6 +246,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
@@ -244,6 +247,17 @@ kernel_read_kernel_sysctls(ipsec_mgmt_t)
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@ -44581,7 +44587,7 @@ index d82ff45..6de1ab4 100644
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
@@ -257,7 +271,7 @@ dev_read_urand(ipsec_mgmt_t)
@@ -258,7 +272,7 @@ dev_read_urand(ipsec_mgmt_t)
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@ -44590,7 +44596,7 @@ index d82ff45..6de1ab4 100644
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
@@ -275,8 +289,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
@@ -276,8 +290,11 @@ fs_getattr_xattr_fs(ipsec_mgmt_t)
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@ -44603,7 +44609,7 @@ index d82ff45..6de1ab4 100644
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -290,7 +307,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t)
@@ -291,7 +308,9 @@ modutils_domtrans_insmod(ipsec_mgmt_t)
seutil_dontaudit_search_config(ipsec_mgmt_t)
@ -44613,7 +44619,7 @@ index d82ff45..6de1ab4 100644
userdom_use_user_terminals(ipsec_mgmt_t)
@@ -299,6 +318,23 @@ optional_policy(`
@@ -300,6 +319,23 @@ optional_policy(`
')
optional_policy(`
@ -44637,7 +44643,7 @@ index d82ff45..6de1ab4 100644
nscd_socket_use(ipsec_mgmt_t)
')
@@ -385,6 +421,8 @@ miscfiles_read_localization(racoon_t)
@@ -386,6 +422,8 @@ miscfiles_read_localization(racoon_t)
sysnet_exec_ifconfig(racoon_t)
@ -44646,19 +44652,20 @@ index d82ff45..6de1ab4 100644
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
@@ -411,6 +449,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
@@ -412,6 +450,7 @@ domain_ipsec_setcontext_all_domains(setkey_t)
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
+init_read_script_tmp_files(setkey_t)
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
@@ -422,3 +461,4 @@ miscfiles_read_localization(setkey_t)
corenet_setcontext_all_spds(setkey_t)
@@ -423,4 +462,5 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
+userdom_read_user_tmp_files(setkey_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 13f62a6..fd99a6e 100644
--- a/policy/modules/system/iptables.fc
@ -45252,7 +45259,7 @@ index 7570583..be6a81b 100644
/sbin/sulogin -- gen_context(system_u:object_r:sulogin_exec_t,s0)
+/sbin/sushell -- gen_context(system_u:object_r:sulogin_exec_t,s0)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 3fb1915..26e9f79 100644
index 2b7e5f3..76b4ce1 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,9 +32,8 @@ role system_r types sulogin_t;
@ -45284,7 +45291,7 @@ index 3fb1915..26e9f79 100644
miscfiles_read_localization(local_login_t)
@@ -151,6 +153,12 @@ tunable_policy(`use_samba_home_dirs',`
@@ -156,6 +158,12 @@ tunable_policy(`use_samba_home_dirs',`
fs_read_cifs_symlinks(local_login_t)
')
@ -45297,7 +45304,7 @@ index 3fb1915..26e9f79 100644
optional_policy(`
alsa_domtrans(local_login_t)
')
@@ -180,7 +188,7 @@ optional_policy(`
@@ -185,7 +193,7 @@ optional_policy(`
')
optional_policy(`
@ -45306,7 +45313,7 @@ index 3fb1915..26e9f79 100644
')
optional_policy(`
@@ -197,9 +205,10 @@ optional_policy(`
@@ -202,9 +210,10 @@ optional_policy(`
# Sulogin local policy
#
@ -45318,7 +45325,7 @@ index 3fb1915..26e9f79 100644
allow sulogin_t self:unix_dgram_socket create_socket_perms;
allow sulogin_t self:unix_stream_socket create_stream_socket_perms;
allow sulogin_t self:unix_dgram_socket sendto;
@@ -219,6 +228,7 @@ files_read_etc_files(sulogin_t)
@@ -224,6 +233,7 @@ files_read_etc_files(sulogin_t)
files_dontaudit_search_isid_type_dirs(sulogin_t)
auth_read_shadow(sulogin_t)
@ -45326,7 +45333,7 @@ index 3fb1915..26e9f79 100644
init_getpgid_script(sulogin_t)
@@ -232,14 +242,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
@@ -237,14 +247,23 @@ userdom_use_unpriv_users_fds(sulogin_t)
userdom_search_user_home_dirs(sulogin_t)
userdom_use_user_ptys(sulogin_t)
@ -45352,7 +45359,7 @@ index 3fb1915..26e9f79 100644
init_getpgid(sulogin_t)
', `
allow sulogin_t self:process setexec;
@@ -250,11 +269,3 @@ ifdef(`sulogin_no_pam', `
@@ -255,11 +274,3 @@ ifdef(`sulogin_no_pam', `
selinux_compute_relabel_context(sulogin_t)
selinux_compute_user_contexts(sulogin_t)
')
@ -46366,7 +46373,7 @@ index 8b5c196..83107f9 100644
+ role $2 types showmount_t;
')
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 1899313..c6b6821 100644
index 15832c7..6ee04e2 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -17,8 +17,15 @@ type mount_exec_t;
@ -46416,7 +46423,7 @@ index 1899313..c6b6821 100644
allow mount_t mount_loopback_t:file read_file_perms;
@@ -46,59 +68,96 @@ can_exec(mount_t, mount_exec_t)
@@ -46,9 +68,23 @@ can_exec(mount_t, mount_exec_t)
files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
@ -46440,7 +46447,8 @@ index 1899313..c6b6821 100644
+kernel_request_load_module(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
# To load binfmt_misc kernel module
@@ -57,50 +93,73 @@ kernel_request_load_module(mount_t)
# required for mount.smbfs
corecmd_exec_bin(mount_t)
@ -46522,7 +46530,7 @@ index 1899313..c6b6821 100644
selinux_get_enforce_mode(mount_t)
@@ -106,6 +165,7 @@ storage_raw_read_fixed_disk(mount_t)
@@ -108,6 +167,7 @@ storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)
@ -46530,7 +46538,7 @@ index 1899313..c6b6821 100644
term_use_all_terms(mount_t)
@@ -114,6 +174,8 @@ auth_use_nsswitch(mount_t)
@@ -116,6 +176,8 @@ auth_use_nsswitch(mount_t)
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
init_dontaudit_getattr_initctl(mount_t)
@ -46539,7 +46547,7 @@ index 1899313..c6b6821 100644
logging_send_syslog_msg(mount_t)
@@ -124,6 +186,12 @@ sysnet_use_portmap(mount_t)
@@ -126,6 +188,12 @@ sysnet_use_portmap(mount_t)
seutil_read_config(mount_t)
userdom_use_all_users_fds(mount_t)
@ -46552,7 +46560,7 @@ index 1899313..c6b6821 100644
ifdef(`distro_redhat',`
optional_policy(`
@@ -139,10 +207,17 @@ ifdef(`distro_ubuntu',`
@@ -141,10 +209,17 @@ ifdef(`distro_ubuntu',`
')
')
@ -46570,7 +46578,7 @@ index 1899313..c6b6821 100644
')
optional_policy(`
@@ -172,6 +247,8 @@ optional_policy(`
@@ -174,6 +249,8 @@ optional_policy(`
fs_search_rpc(mount_t)
rpc_stub(mount_t)
@ -46579,7 +46587,7 @@ index 1899313..c6b6821 100644
')
optional_policy(`
@@ -179,6 +256,28 @@ optional_policy(`
@@ -181,6 +258,28 @@ optional_policy(`
')
optional_policy(`
@ -46608,7 +46616,7 @@ index 1899313..c6b6821 100644
ifdef(`hide_broken_symptoms',`
# for a bug in the X server
rhgb_dontaudit_rw_stream_sockets(mount_t)
@@ -186,13 +285,44 @@ optional_policy(`
@@ -188,13 +287,44 @@ optional_policy(`
')
')
@ -46653,7 +46661,7 @@ index 1899313..c6b6821 100644
')
########################################
@@ -201,6 +331,42 @@ optional_policy(`
@@ -203,6 +333,42 @@ optional_policy(`
#
optional_policy(`
@ -47202,7 +47210,7 @@ index 170e2c7..bbaa8cf 100644
+')
+')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ff5d72d..8526f19 100644
index 7ed9819..ad1d4ca 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@ -47393,16 +47401,16 @@ index ff5d72d..8526f19 100644
-allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
-files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
-
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
+seutil_semanage_policy(semanage_t)
+allow semanage_t self:fifo_file rw_fifo_file_perms;
-corecmd_exec_bin(semanage_t)
-kernel_read_system_state(semanage_t)
-kernel_read_kernel_sysctls(semanage_t)
+manage_dirs_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
+manage_files_pattern(semanage_t, selinux_var_lib_t, selinux_var_lib_t)
-corecmd_exec_bin(semanage_t)
-
-dev_read_urand(semanage_t)
-
-domain_use_interactive_fds(semanage_t)
@ -47428,13 +47436,13 @@ index ff5d72d..8526f19 100644
-auth_use_nsswitch(semanage_t)
-
-locallogin_use_fds(semanage_t)
-
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
+# Admins are creating pp files in random locations
+auth_read_all_files_except_shadow(semanage_t)
-logging_send_syslog_msg(semanage_t)
-
-miscfiles_read_localization(semanage_t)
-
-seutil_libselinux_linked(semanage_t)
seutil_manage_file_contexts(semanage_t)
seutil_manage_config(semanage_t)
@ -47449,7 +47457,7 @@ index ff5d72d..8526f19 100644
# netfilter_contexts:
seutil_manage_default_contexts(semanage_t)
@@ -483,12 +468,23 @@ ifdef(`distro_debian',`
@@ -487,118 +472,64 @@ ifdef(`distro_debian',`
files_read_var_lib_symlinks(semanage_t)
')
@ -47465,21 +47473,7 @@ index ff5d72d..8526f19 100644
')
')
+optional_policy(`
+ #signal mcstrans on reload
+ init_spec_domtrans_script(semanage_t)
+')
+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
@@ -498,112 +494,54 @@ ifdef(`enable_mls',`
userdom_read_user_tmp_files(semanage_t)
')
-########################################
+userdom_search_admin_dir(semanage_t)
+
+####################################n####
#
-# Setfiles local policy
@ -47523,12 +47517,18 @@ index ff5d72d..8526f19 100644
-fs_list_all(setfiles_t)
-fs_search_auto_mountpoints(setfiles_t)
-fs_relabelfrom_noxattr_fs(setfiles_t)
-
+init_dontaudit_use_fds(setsebool_t)
-mls_file_read_all_levels(setfiles_t)
-mls_file_write_all_levels(setfiles_t)
-mls_file_upgrade(setfiles_t)
-mls_file_downgrade(setfiles_t)
-
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-selinux_validate_context(setfiles_t)
-selinux_compute_access_vector(setfiles_t)
-selinux_compute_create_context(setfiles_t)
@ -47548,15 +47548,9 @@ index ff5d72d..8526f19 100644
-init_exec_script_files(setfiles_t)
-
-logging_send_syslog_msg(setfiles_t)
+init_dontaudit_use_fds(setsebool_t)
-
-miscfiles_read_localization(setfiles_t)
+# Bug in semanage
+seutil_domtrans_setfiles(setsebool_t)
+seutil_manage_file_contexts(setsebool_t)
+seutil_manage_default_contexts(setsebool_t)
+seutil_manage_config(setsebool_t)
-
-seutil_libselinux_linked(setfiles_t)
+########################################
+#


@ -20,8 +20,8 @@
%define CHECKPOLICYVER 2.0.21-1
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.12
Release: 8%{?dist}
Version: 3.9.13
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -471,6 +471,9 @@ exit 0
%endif
%changelog
* Mon Jan 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.13-1
- Update to upstream
* Mon Jan 17 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.12-8
- Add oracle ports and allow apache to connect to them if the connect_db boolean is turned on
- Add puppetmaster_use_db boolean


@ -1,2 +1,2 @@
409b40c8102b1617681ba17c31032e66 config.tgz
eeb4ff0fe3beb456f6eb5d11fcc1d247 serefpolicy-3.9.12.tgz
7133b9fde2dd7620e2985afaf4e3b00e serefpolicy-3.9.13.tgz