- New paths for upstart

Daniel J Walsh 2010-07-26 21:46:12 +00:00
parent 8d55a410dc
commit a1ef703492
2 changed files with 118 additions and 54 deletions


@ -1272,6 +1272,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shorewa
optional_policy(`
hostname_exec(shorewall_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.fc serefpolicy-3.8.8/policy/modules/admin/shutdown.fc
--- nsaserefpolicy/policy/modules/admin/shutdown.fc 2010-07-14 11:21:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.fc 2010-07-26 16:52:20.000000000 -0400
@@ -3,3 +3,5 @@
/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/var/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_var_run_t,s0)
+
+/lib/upstart/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.if serefpolicy-3.8.8/policy/modules/admin/shutdown.if
--- nsaserefpolicy/policy/modules/admin/shutdown.if 2010-07-14 11:21:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/admin/shutdown.if 2010-07-20 10:46:10.000000000 -0400
@ -5383,8 +5392,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.8.8/policy/modules/apps/seunshare.te
--- nsaserefpolicy/policy/modules/apps/seunshare.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-07-20 10:46:10.000000000 -0400
@@ -5,40 +5,39 @@
+++ serefpolicy-3.8.8/policy/modules/apps/seunshare.te 2010-07-26 17:02:42.000000000 -0400
@@ -5,40 +5,41 @@
# Declarations
#
@ -5419,16 +5428,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
-files_read_etc_files(seunshare_t)
-files_mounton_all_poly_members(seunshare_t)
+auth_use_nsswitch(seunshare_domain)
+fs_manage_cgroup_dirs(seunshare_domain)
-auth_use_nsswitch(seunshare_t)
+logging_send_syslog_msg(seunshare_domain)
+auth_use_nsswitch(seunshare_domain)
-logging_send_syslog_msg(seunshare_t)
+miscfiles_read_localization(seunshare_domain)
+logging_send_syslog_msg(seunshare_domain)
-miscfiles_read_localization(seunshare_t)
-
+miscfiles_read_localization(seunshare_domain)
-userdom_use_user_terminals(seunshare_t)
+userdom_use_user_terminals(seunshare_domain)
@ -6519,8 +6529,33 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.8.8/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2010-06-08 10:35:48.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-26 14:00:19.000000000 -0400
@@ -606,6 +606,24 @@
+++ serefpolicy-3.8.8/policy/modules/kernel/devices.if 2010-07-26 16:44:30.000000000 -0400
@@ -497,6 +497,24 @@
########################################
## <summary>
+## Read generic character device files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_read_generic_chr_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ allow $1 device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
## Read and write generic character device files.
## </summary>
## <param name="domain">
@@ -606,6 +624,24 @@
########################################
## <summary>
@ -6545,7 +6580,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Create, delete, read, and write symbolic links in device directories.
## </summary>
## <param name="domain">
@@ -1015,6 +1033,42 @@
@@ -1015,6 +1051,42 @@
########################################
## <summary>
@ -6588,7 +6623,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Delete all block device files.
## </summary>
## <param name="domain">
@@ -3540,6 +3594,24 @@
@@ -3540,6 +3612,24 @@
########################################
## <summary>
@ -6613,7 +6648,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Get the attributes of sysfs directories.
## </summary>
## <param name="domain">
@@ -3851,6 +3923,24 @@
@@ -3851,6 +3941,24 @@
########################################
## <summary>
@ -6638,7 +6673,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device
## Mount a usbfs filesystem.
## </summary>
## <param name="domain">
@@ -4161,11 +4251,10 @@
@@ -4161,11 +4269,10 @@
#
interface(`dev_rw_vhost',`
gen_require(`
@ -7584,7 +7619,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
+/cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.8.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2010-07-14 11:21:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-21 11:43:41.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.if 2010-07-26 17:02:26.000000000 -0400
@@ -1233,7 +1233,7 @@
type cifs_t;
')
@ -17349,7 +17384,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.8.8/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2010-05-25 16:28:22.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-21 08:47:33.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/mta.if 2010-07-26 17:39:52.000000000 -0400
@@ -220,6 +220,25 @@
application_executable_file($1)
')
@ -17400,7 +17435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
@@ -391,12 +408,13 @@
@@ -391,12 +408,15 @@
#
interface(`mta_sendmail_domtrans',`
gen_require(`
@ -17412,11 +17447,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
+ allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
corecmd_read_bin_symlinks($1)
- domain_auto_trans($1, sendmail_exec_t, $2)
+
+ allow $2 mta_exec_type:file entrypoint;
+ domtrans_pattern($1, mta_exec_type, $2)
')
########################################
@@ -474,7 +492,8 @@
@@ -474,7 +494,8 @@
type etc_mail_t;
')
@ -17426,7 +17463,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
')
########################################
@@ -698,7 +717,7 @@
@@ -698,7 +719,7 @@
files_search_spool($1)
allow $1 mail_spool_t:dir list_dir_perms;
allow $1 mail_spool_t:file setattr;
@ -17437,7 +17474,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.8.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-20 10:46:10.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/mta.te 2010-07-26 17:09:17.000000000 -0400
@@ -21,7 +21,7 @@
files_config_file(etc_mail_t)
@ -17447,6 +17484,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
type mqueue_spool_t;
files_mountpoint(mqueue_spool_t)
@@ -62,9 +62,9 @@
can_exec(system_mail_t, mta_exec_type)
-kernel_read_system_state(system_mail_t)
-kernel_read_network_state(system_mail_t)
-kernel_request_load_module(system_mail_t)
+kernel_read_system_state(user_mail_domain)
+kernel_read_network_state(user_mail_domain)
+kernel_request_load_module(user_mail_domain)
dev_read_sysfs(system_mail_t)
dev_read_rand(system_mail_t)
@@ -82,6 +82,9 @@
userdom_use_user_terminals(system_mail_t)
@ -21487,7 +21537,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.8.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2010-06-18 13:07:19.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-20 10:46:11.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/samba.te 2010-07-26 17:19:57.000000000 -0400
@@ -152,9 +152,6 @@
type winbind_log_t;
logging_log_file(winbind_log_t)
@ -21585,7 +21635,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
@@ -754,6 +750,8 @@
@@ -710,6 +706,7 @@
domtrans_pattern(swat_t, winbind_exec_t, winbind_t)
allow swat_t winbind_t:process { signal signull };
+read_files_pattern(swat_t, winbind_var_run_t, winbind_var_run_t)
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
@@ -754,6 +751,8 @@
miscfiles_read_localization(swat_t)
@ -21594,7 +21652,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
@@ -806,14 +804,14 @@
@@ -806,14 +805,14 @@
allow winbind_t winbind_log_t:file manage_file_perms;
logging_log_filetrans(winbind_t, winbind_log_t, file)
@ -21614,7 +21672,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_read_kernel_sysctls(winbind_t)
kernel_read_system_state(winbind_t)
@@ -833,6 +831,7 @@
@@ -833,6 +832,7 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@ -21622,7 +21680,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
corenet_tcp_connect_epmap_port(winbind_t)
corenet_tcp_connect_all_unreserved_ports(winbind_t)
@@ -922,6 +921,18 @@
@@ -922,6 +922,18 @@
#
optional_policy(`
@ -21641,7 +21699,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
@@ -932,9 +943,12 @@
@@ -932,9 +944,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@ -26302,8 +26360,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplu
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.8.8/policy/modules/system/init.fc
--- nsaserefpolicy/policy/modules/system/init.fc 2010-03-18 10:35:11.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-20 10:46:11.000000000 -0400
@@ -24,6 +24,11 @@
+++ serefpolicy-3.8.8/policy/modules/system/init.fc 2010-07-26 16:50:56.000000000 -0400
@@ -24,7 +24,13 @@
#
# /sbin
#
@ -26313,9 +26371,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.f
+# /sbin
+#
/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
+/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', `
@@ -44,6 +49,9 @@
/sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -44,6 +50,9 @@
/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
@ -26693,7 +26753,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.i
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.8.8/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-07-14 11:21:53.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-26 14:00:27.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/system/init.te 2010-07-26 16:44:55.000000000 -0400
@@ -16,6 +16,27 @@
## </desc>
gen_tunable(init_upstart, false)
@ -26805,7 +26865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_shell_domtrans(init_t, initrc_t)
',`
# Run the shell in the sysadm role for single-user mode.
@@ -185,15 +216,64 @@
@@ -185,15 +216,65 @@
sysadm_shell_domtrans(init_t)
')
@ -26826,6 +26886,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
+ dev_write_kmsg(init_t)
+ dev_rw_autofs(init_t)
+ dev_manage_generic_dirs(init_t)
+ dev_read_generic_chr_files(init_t)
+
+ files_mounton_all_mountpoints(init_t)
+ files_manage_all_pids_dirs(init_t)
@ -26870,7 +26931,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
nscd_socket_use(init_t)
')
@@ -211,7 +291,7 @@
@@ -211,7 +292,7 @@
#
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@ -26879,7 +26940,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -240,6 +320,7 @@
@@ -240,6 +321,7 @@
allow initrc_t initrc_var_run_t:file manage_file_perms;
files_pid_filetrans(initrc_t, initrc_var_run_t, file)
@ -26887,7 +26948,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
can_exec(initrc_t, initrc_tmp_t)
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -257,11 +338,22 @@
@@ -257,11 +339,22 @@
kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
@ -26910,7 +26971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
corecmd_exec_all_executables(initrc_t)
@@ -297,11 +389,13 @@
@@ -297,11 +390,13 @@
dev_delete_generic_symlinks(initrc_t)
dev_getattr_all_blk_files(initrc_t)
dev_getattr_all_chr_files(initrc_t)
@ -26924,7 +26985,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
domain_sigchld_all_domains(initrc_t)
domain_read_all_domains_state(initrc_t)
domain_getattr_all_domains(initrc_t)
@@ -320,8 +414,10 @@
@@ -320,8 +415,10 @@
files_getattr_all_pipes(initrc_t)
files_getattr_all_sockets(initrc_t)
files_purge_tmp(initrc_t)
@ -26936,7 +26997,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_delete_all_pids(initrc_t)
files_delete_all_pid_dirs(initrc_t)
files_read_etc_files(initrc_t)
@@ -337,6 +433,8 @@
@@ -337,6 +434,8 @@
files_mounton_isid_type_dirs(initrc_t)
files_list_default(initrc_t)
files_mounton_default(initrc_t)
@ -26945,7 +27006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
fs_delete_cgroup_dirs(initrc_t)
fs_list_cgroup_dirs(initrc_t)
@@ -350,6 +448,8 @@
@@ -350,6 +449,8 @@
fs_unmount_all_fs(initrc_t)
fs_remount_all_fs(initrc_t)
fs_getattr_all_fs(initrc_t)
@ -26954,7 +27015,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
# initrc_t needs to do a pidof which requires ptrace
mcs_ptrace_all(initrc_t)
@@ -362,6 +462,7 @@
@@ -362,6 +463,7 @@
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
mls_fd_share_all_levels(initrc_t)
@ -26962,7 +27023,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
selinux_get_enforce_mode(initrc_t)
@@ -393,13 +494,14 @@
@@ -393,13 +495,14 @@
miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
@ -26978,7 +27039,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
userdom_read_user_home_content_files(initrc_t)
# Allow access to the sysadm TTYs. Note that this will give access to the
# TTYs to any process in the initrc_t domain. Therefore, daemons and such
@@ -472,7 +574,7 @@
@@ -472,7 +575,7 @@
# Red Hat systems seem to have a stray
# fd open from the initrd
@ -26987,7 +27048,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
files_dontaudit_read_root_files(initrc_t)
# These seem to be from the initrd
@@ -518,6 +620,19 @@
@@ -518,6 +621,19 @@
optional_policy(`
bind_manage_config_dirs(initrc_t)
bind_write_config(initrc_t)
@ -27007,7 +27068,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -525,10 +640,17 @@
@@ -525,10 +641,17 @@
rpc_write_exports(initrc_t)
rpc_manage_nfs_state_data(initrc_t)
')
@ -27025,7 +27086,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -543,6 +665,35 @@
@@ -543,6 +666,35 @@
')
')
@ -27061,7 +27122,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
@@ -555,6 +706,8 @@
@@ -555,6 +707,8 @@
optional_policy(`
apache_read_config(initrc_t)
apache_list_modules(initrc_t)
@ -27070,7 +27131,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -571,6 +724,7 @@
@@ -571,6 +725,7 @@
optional_policy(`
cgroup_stream_connect(initrc_t)
@ -27078,7 +27139,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -583,6 +737,11 @@
@@ -583,6 +738,11 @@
')
optional_policy(`
@ -27090,7 +27151,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
dev_getattr_printer_dev(initrc_t)
cups_read_log(initrc_t)
@@ -599,6 +758,7 @@
@@ -599,6 +759,7 @@
dbus_connect_system_bus(initrc_t)
dbus_system_bus_client(initrc_t)
dbus_read_config(initrc_t)
@ -27098,7 +27159,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
consolekit_dbus_chat(initrc_t)
@@ -700,7 +860,12 @@
@@ -700,7 +861,12 @@
')
optional_policy(`
@ -27111,7 +27172,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -723,6 +888,10 @@
@@ -723,6 +889,10 @@
')
optional_policy(`
@ -27122,7 +27183,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
postgresql_manage_db(initrc_t)
postgresql_read_config(initrc_t)
')
@@ -765,8 +934,6 @@
@@ -765,8 +935,6 @@
# bash tries ioctl for some reason
files_dontaudit_ioctl_all_pids(initrc_t)
@ -27131,7 +27192,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -779,10 +946,12 @@
@@ -779,10 +947,12 @@
squid_manage_logs(initrc_t)
')
@ -27144,7 +27205,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
optional_policy(`
ssh_dontaudit_read_server_keys(initrc_t)
@@ -804,11 +973,19 @@
@@ -804,11 +974,19 @@
')
optional_policy(`
@ -27165,7 +27226,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
ifdef(`distro_redhat',`
# system-config-services causes avc messages that should be dontaudited
@@ -818,6 +995,25 @@
@@ -818,6 +996,25 @@
optional_policy(`
mono_domtrans(initrc_t)
')
@ -27191,7 +27252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t
')
optional_policy(`
@@ -843,3 +1039,55 @@
@@ -843,3 +1040,55 @@
optional_policy(`
zebra_read_config(initrc_t)
')
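Review bot: In `mta_sendmail_domtrans` (mta.if, inner hunk `@@ -391,12 +408,15 @@`), the added `allow $2 mta_exec_type:file entrypoint;` lets whatever domain the caller passes as `$2` be entered through any file type carrying the `mta_exec_type` attribute, where the removed `domain_auto_trans($1, sendmail_exec_t, $2)` named only `sendmail_exec_t`. The interface's `## <summary>` block is outside the visible lines, so it cannot be checked here, but it should state this scope, and a comment above the rule such as `# $2 may be entered via any mta_exec_type file, not only sendmail_exec_t` would make the widening explicit for callers. Every type assigned to `mta_exec_type` becomes a transition source for these domains, so the attribute's membership is worth reviewing alongside this change. The interface body is only partly shown because the outer patch hunk cuts through it.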


@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -469,6 +469,9 @@ exit 0
%endif
%changelog
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-6
- New paths for upstart
* Mon Jul 26 2010 Dan Walsh <dwalsh@redhat.com> 3.8.8-5
- New permissions for syslog
- New labels for /lib/upstart