- Fixes for podsleuth

2009-04-18 12:13:36 +00:00 · 2009-04-18 12:13:36 +00:00 · d982e7e091
parent dc00fc32b6
commit d982e7e091
4 changed files with 92 additions and 61 deletions
--- a/booleans-minimum.conf
+++ b/booleans-minimum.conf
@ -8,7 +8,7 @@ allow_execmod = false

 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false

 # Allow ftpd to read cifs directories.
 # 
@ -56,7 +56,7 @@ allow_ypbind = false

 # Allow zebra to write it own configuration files
 # 
-allow_zebra_write_config = true
+allow_zebra_write_config = false

 # Enable extra rules in the cron domainto support fcron.
 # 
@ -96,7 +96,7 @@ httpd_enable_ftp_server = false

 # Allow httpd to read home directories
 # 
-httpd_enable_homedirs = true
+httpd_enable_homedirs = false

 # Run SSI execs in system CGI script domain.
 # 
@ -104,11 +104,11 @@ httpd_ssi_exec = false

 # Allow http daemon to communicate with the TTY
 # 
-httpd_tty_comm = true
+httpd_tty_comm = false

 # Run CGI in the main httpd domain
 # 
-httpd_unified = true
+httpd_unified = false

 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
@ -128,7 +128,7 @@ pppd_can_insmod = false

 # Allow reading of default_t files.
 # 
-read_default_t = true
+read_default_t = false

 # Allow samba to export user home directories.
 # 
@ -148,7 +148,7 @@ use_samba_home_dirs = false

 # Control users use of ping and traceroute
 # 
-user_ping = true
+user_ping = false

 # allow host key based authentication
 # 
@ -164,7 +164,7 @@ read_untrusted_content = false

 # Allow spamd to write to users homedirs
 # 
-spamd_enable_home_dirs = true
+spamd_enable_home_dirs = false

 # Allow regular users direct mouse access
 # 
@ -192,7 +192,7 @@ write_untrusted_content = false

 # Allow all domains to talk to ttys
 # 
-allow_daemons_use_tty = true
+allow_daemons_use_tty = false

 # Allow login domains to polyinstatiate directories
 # 
@ -208,11 +208,11 @@ samba_domain_controller = false

 # Allow samba to export user home directories.
 # 
-samba_run_unconfined = true
+samba_run_unconfined = false

 # Allows XServer to execute writable memory
 # 
-allow_xserver_execmem = true
+allow_xserver_execmem = false

 # disallow guest accounts to execute files that they can create 
 # 
@ -225,7 +225,7 @@ browser_confine_xguest=false

 # Allow postfix locat to write to mail spool
 # 
-allow_postfix_local_write_mail_spool=true
+allow_postfix_local_write_mail_spool=false

 # Allow common users to read/write noexattrfile systems
 # 
--- a/booleans-targeted.conf
+++ b/booleans-targeted.conf
@ -8,7 +8,7 @@ allow_execmod = false

 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false

 # Allow ftpd to read cifs directories.
 # 
@ -56,7 +56,7 @@ allow_ypbind = false

 # Allow zebra to write it own configuration files
 # 
-allow_zebra_write_config = true
+allow_zebra_write_config = false

 # Enable extra rules in the cron domainto support fcron.
 # 
@ -96,7 +96,7 @@ httpd_enable_ftp_server = false

 # Allow httpd to read home directories
 # 
-httpd_enable_homedirs = true
+httpd_enable_homedirs = false

 # Run SSI execs in system CGI script domain.
 # 
@ -104,11 +104,11 @@ httpd_ssi_exec = false

 # Allow http daemon to communicate with the TTY
 # 
-httpd_tty_comm = true
+httpd_tty_comm = false

 # Run CGI in the main httpd domain
 # 
-httpd_unified = true
+httpd_unified = false

 # Allow BIND to write the master zone files.Generally this is used for dynamic DNS.
 # 
@ -128,7 +128,7 @@ pppd_can_insmod = false

 # Allow reading of default_t files.
 # 
-read_default_t = true
+read_default_t = false

 # Allow samba to export user home directories.
 # 
@ -148,7 +148,7 @@ use_samba_home_dirs = false

 # Control users use of ping and traceroute
 # 
-user_ping = true
+user_ping = false

 # allow host key based authentication
 # 
@ -164,7 +164,7 @@ read_untrusted_content = false

 # Allow spamd to write to users homedirs
 # 
-spamd_enable_home_dirs = true
+spamd_enable_home_dirs = false

 # Allow regular users direct mouse access
 # 
@ -192,7 +192,7 @@ write_untrusted_content = false

 # Allow all domains to talk to ttys
 # 
-allow_daemons_use_tty = true
+allow_daemons_use_tty = false

 # Allow login domains to polyinstatiate directories
 # 
@ -208,11 +208,11 @@ samba_domain_controller = false

 # Allow samba to export user home directories.
 # 
-samba_run_unconfined = true
+samba_run_unconfined = false

 # Allows XServer to execute writable memory
 # 
-allow_xserver_execmem = true
+allow_xserver_execmem = false

 # disallow guest accounts to execute files that they can create 
 # 
@ -225,7 +225,7 @@ browser_confine_xguest=false

 # Allow postfix locat to write to mail spool
 # 
-allow_postfix_local_write_mail_spool=true
+allow_postfix_local_write_mail_spool=false

 # Allow common users to read/write noexattrfile systems
 # 
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@ -3001,8 +3001,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.6.12/policy/modules/apps/nsplugin.te
 --- nsaserefpolicy/policy/modules/apps/nsplugin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-04-07 16:01:44.000000000 -0400
-@@ -0,0 +1,292 @@
+++ serefpolicy-3.6.12/policy/modules/apps/nsplugin.te	2009-04-17 11:13:07.000000000 -0400
+@@ -0,0 +1,293 @@
 +
 +policy_module(nsplugin, 1.0.0)
 +
@ -3138,6 +3138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +miscfiles_read_localization(nsplugin_t)
 +miscfiles_read_fonts(nsplugin_t)
+miscfiles_dontaudit_write_fonts(nsplugin_t)
 +
 +userdom_manage_user_tmp_dirs(nsplugin_t)
 +userdom_manage_user_tmp_files(nsplugin_t)
@ -3462,8 +3463,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.12/policy/modules/apps/podsleuth.te
 --- nsaserefpolicy/policy/modules/apps/podsleuth.te	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te	2009-04-07 16:01:44.000000000 -0400
-@@ -11,21 +11,68 @@
+++ serefpolicy-3.6.12/policy/modules/apps/podsleuth.te	2009-04-18 06:04:47.000000000 -0400
+@@ -11,25 +11,80 @@
 application_domain(podsleuth_t, podsleuth_exec_t)
 role system_r types podsleuth_t;
 
@ -3483,7 +3484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 -
 -allow podsleuth_t self:process { signal getsched execheap execmem };
-+allow podsleuth_t self:capability { sys_admin sys_rawio };
+allow podsleuth_t self:capability { kill dac_override sys_admin sys_rawio };
 +allow podsleuth_t self:process { ptrace signal getsched execheap execmem execstack };
 allow podsleuth_t self:fifo_file rw_file_perms;
 allow podsleuth_t self:unix_stream_socket create_stream_socket_perms;
@ -3533,7 +3534,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 miscfiles_read_localization(podsleuth_t)
 
- dbus_system_bus_client(podsleuth_t)
+-dbus_system_bus_client(podsleuth_t)
+userdom_signal_all_users(podsleuth_t)
+ 
+-mono_exec(podsleuth_t)
+optional_policy(`
+	dbus_system_bus_client(podsleuth_t)
+')
+ 
+optional_policy(`
+ hal_dbus_chat(podsleuth_t)
+')
+
+optional_policy(`
+	mono_exec(podsleuth_t)
+')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.fc serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc
 --- nsaserefpolicy/policy/modules/apps/pulseaudio.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/apps/pulseaudio.fc	2009-04-07 16:01:44.000000000 -0400
@ -4923,7 +4938,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type urandom_device_t;
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.12/policy/modules/kernel/domain.if
 --- nsaserefpolicy/policy/modules/kernel/domain.if	2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-04-15 08:01:57.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/kernel/domain.if	2009-04-18 06:12:57.000000000 -0400
@@ -525,7 +525,7 @@
 	')
 
@ -6552,7 +6567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.if serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if
 --- nsaserefpolicy/policy/modules/roles/unconfineduser.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if	2009-04-14 14:12:12.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/roles/unconfineduser.if	2009-04-18 06:06:56.000000000 -0400
@@ -0,0 +1,638 @@
 +## <summary>Unconfiend user role</summary>
 +
@ -22979,7 +22994,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-04-07 16:01:44.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/virt.te	2009-04-17 11:32:56.000000000 -0400
@@ -8,19 +8,24 @@
 
 ## <desc>
@ -23190,7 +23205,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -198,5 +271,78 @@
+@@ -198,5 +271,80 @@
 ')
 
 optional_policy(`
@ -23226,6 +23241,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
 +read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+dontaudit svirt_t virt_content_t:file write_file_perms;
+dontaudit svirt_t virt_content_t:dir write;
 +
 +storage_raw_write_removable_device(svirt_t)
 +storage_raw_read_removable_device(svirt_t)
@ -25303,8 +25320,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.if	2009-04-16 10:03:08.000000000 -0400
-@@ -280,6 +280,29 @@
+++ serefpolicy-3.6.12/policy/modules/system/init.if	2009-04-17 11:04:53.000000000 -0400
+@@ -280,6 +280,36 @@
 			kernel_dontaudit_use_fds($1)
 		')
 	')
@ -25330,11 +25347,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	 optional_policy(`
 +	 	xserver_rw_xdm_home_files($1)
 +	')
+
+	optional_policy(`
+		unconfined_dontaudit_rw_pipes($1)
+		unconfined_dontaudit_rw_stream($1)
+		userdom_dontaudit_read_user_tmp_files($1)
+	')
+
 +	init_rw_script_stream_sockets($1)
 ')
 
 ########################################
-@@ -546,7 +569,7 @@
+@@ -546,7 +576,7 @@
 
 		# upstart uses a datagram socket instead of initctl pipe
 		allow $1 self:unix_dgram_socket create_socket_perms;
@ -25343,7 +25367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -619,18 +642,19 @@
+@@ -619,18 +649,19 @@
 #
 interface(`init_spec_domtrans_script',`
 	gen_require(`
@ -25367,7 +25391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -646,23 +670,43 @@
+@@ -646,23 +677,43 @@
 #
 interface(`init_domtrans_script',`
 	gen_require(`
@ -25415,7 +25439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Execute a init script in a specified domain.
 ## </summary>
 ## <desc>
-@@ -1291,6 +1335,25 @@
+@@ -1291,6 +1342,25 @@
 
 ########################################
 ## <summary>
@ -25441,7 +25465,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
-@@ -1521,3 +1584,51 @@
+@@ -1521,3 +1591,51 @@
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
@ -25495,7 +25519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-17 07:33:11.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/init.te	2009-04-17 11:41:15.000000000 -0400
@@ -17,6 +17,20 @@
 ## </desc>
 gen_tunable(init_upstart,false)
@ -25714,7 +25738,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 
 	optional_policy(`
-@@ -516,6 +560,31 @@
+@@ -516,6 +560,33 @@
 	')
 ')
 
@ -25741,12 +25765,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +optional_policy(`
 +	unconfined_dontaudit_rw_pipes(daemon)
+	unconfined_dontaudit_rw_stream(daemon)
+	userdom_dontaudit_read_user_tmp_files(daemon)
 +')
 + 
 optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
-@@ -570,6 +639,10 @@
+@@ -570,6 +641,10 @@
 	dbus_read_config(initrc_t)
 
 	optional_policy(`
@ -25757,7 +25783,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 		networkmanager_dbus_chat(initrc_t)
 	')
 ')
-@@ -591,6 +664,10 @@
+@@ -591,6 +666,10 @@
 ')
 
 optional_policy(`
@ -25768,7 +25794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	dev_read_usbfs(initrc_t)
 
 	# init scripts run /etc/hotplug/usb.rc
-@@ -647,6 +724,11 @@
+@@ -647,6 +726,11 @@
 ')
 
 optional_policy(`
@ -25780,7 +25806,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	mailman_list_data(initrc_t)
 	mailman_read_data_symlinks(initrc_t)
 ')
-@@ -655,12 +737,6 @@
+@@ -655,12 +739,6 @@
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
@ -25793,7 +25819,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 optional_policy(`
 	ifdef(`distro_redhat',`
-@@ -721,6 +797,9 @@
+@@ -721,6 +799,9 @@
 
 	# why is this needed:
 	rpm_manage_db(initrc_t)
@ -25803,7 +25829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -733,10 +812,12 @@
+@@ -733,10 +814,12 @@
 	squid_manage_logs(initrc_t)
 ')
 
@ -25816,7 +25842,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
-@@ -754,6 +835,11 @@
+@@ -754,6 +837,11 @@
 	uml_setattr_util_sockets(initrc_t)
 ')
 
@ -25828,7 +25854,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 optional_policy(`
 	unconfined_domain(initrc_t)
 
-@@ -761,6 +847,8 @@
+@@ -761,6 +849,8 @@
 		# system-config-services causes avc messages that should be dontaudited
 		unconfined_dontaudit_rw_pipes(daemon)
 	')
@ -25837,7 +25863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	optional_policy(`
 		mono_domtrans(initrc_t)
-@@ -768,6 +856,10 @@
+@@ -768,6 +858,10 @@
 ')
 
 optional_policy(`
@ -25848,7 +25874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	vmware_read_system_config(initrc_t)
 	vmware_append_system_config(initrc_t)
 ')
-@@ -790,3 +882,25 @@
+@@ -790,3 +884,25 @@
 optional_policy(`
 	zebra_read_config(initrc_t)
 ')
@ -29135,7 +29161,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/dev/shm/mono.*		gen_context(system_u:object_r:user_tmpfs_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.12/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-16 11:03:07.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/userdomain.if	2009-04-18 06:14:35.000000000 -0400
@@ -30,8 +30,9 @@
 	')
 
@ -30542,7 +30568,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	kernel_search_proc($1)
 ')
 
-@@ -2981,3 +3187,482 @@
+@@ -2981,3 +3187,481 @@
 
 	allow $1 userdomain:dbus send_msg;
 ')
@ -31024,7 +31050,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
 +')
-+
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.12/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2009-01-19 11:07:34.000000000 -0500
 +++ serefpolicy-3.6.12/policy/modules/system/userdomain.te	2009-04-07 16:01:44.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.12
-Release: 6%{?dist}
+Release: 8%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -311,9 +311,9 @@ SELinux Reference policy targeted base module.
 %saveFileContext targeted

 %post targeted
-set -x
 if [ $1 -eq 1 ]; then
-%loadpolicy targeted "unconfined.pp.bz2 unconfineduser.pp.bz2"
+packages="unconfined.pp.bz2 unconfineduser.pp.bz2"
+%loadpolicy targeted $packages
 restorecon -R /root /var/log /var/run 2> /dev/null
 else
 semodule -n -s targeted -r moilscanner -r mailscanner -r gamin -r audio_entropy -r iscsid 2>/dev/null
@ -401,7 +401,7 @@ SELinux Reference policy olpc base module.
 %saveFileContext olpc

 %post olpc 
-%loadpolicy olpc
+%loadpolicy olpc ""

 if [ $1 -ne 1 ]; then
 %relabel olpc
@ -432,7 +432,7 @@ SELinux Reference policy mls base module.

 %post mls 
 semodule -n -s mls -r mailscanner 2>/dev/null
-%loadpolicy mls
+%loadpolicy mls ""

 if [ $1 != 1 ]; then
 %relabel mls
@ -446,6 +446,12 @@ exit 0
 %endif

 %changelog
+* Sat Apr 18 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-8
+- Fixes for podsleuth
+
+* Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-7
+- Turn off nsplugin transition
+- Remove Konsole leaked file descriptors for release

 * Fri Apr 17 2009 Dan Walsh <dwalsh@redhat.com> 3.6.12-6
 - Allow cupsd_t to create link files in print_spool_t