- Update selinux policy to handle new /usr/share/sandbox/start script

This commit is contained in:
Dan Walsh 2010-12-16 11:25:39 -05:00
parent b4f1891ade
commit f3f61efb0b
2 changed files with 185 additions and 94 deletions

View File

@ -1990,9 +1990,18 @@ index 441cf22..e1b55f8 100644
mta_manage_spool(useradd_t) mta_manage_spool(useradd_t)
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index ebf4b26..c7cb8c5 100644 index ebf4b26..f663276 100644
--- a/policy/modules/admin/vpn.te --- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te +++ b/policy/modules/admin/vpn.te
@@ -21,7 +21,7 @@ files_pid_file(vpnc_var_run_t)
# Local policy
#
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
allow vpnc_t self:process { getsched signal };
allow vpnc_t self:fifo_file rw_fifo_file_perms;
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t) @@ -106,7 +106,8 @@ sysnet_etc_filetrans_config(vpnc_t)
sysnet_manage_config(vpnc_t) sysnet_manage_config(vpnc_t)
@ -2249,13 +2258,12 @@ index 0457de1..f702cfe 100644
dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t)
diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc diff --git a/policy/modules/apps/execmem.fc b/policy/modules/apps/execmem.fc
new file mode 100644 new file mode 100644
index 0000000..4ef897d index 0000000..09f0673
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/execmem.fc +++ b/policy/modules/apps/execmem.fc
@@ -0,0 +1,50 @@ @@ -0,0 +1,49 @@
+ +
+/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/aticonfig -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/compiz -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/dosbox -- gen_context(system_u:object_r:execmem_exec_t,s0)
+/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
@ -5040,10 +5048,10 @@ index 0000000..4f9cb05
+') +')
diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te diff --git a/policy/modules/apps/nsplugin.te b/policy/modules/apps/nsplugin.te
new file mode 100644 new file mode 100644
index 0000000..182e476 index 0000000..7b483f3
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/nsplugin.te +++ b/policy/modules/apps/nsplugin.te
@@ -0,0 +1,312 @@ @@ -0,0 +1,314 @@
+policy_module(nsplugin, 1.0.0) +policy_module(nsplugin, 1.0.0)
+ +
+######################################## +########################################
@ -5105,8 +5113,10 @@ index 0000000..182e476
+allow nsplugin_t self:sem create_sem_perms; +allow nsplugin_t self:sem create_sem_perms;
+allow nsplugin_t self:shm create_shm_perms; +allow nsplugin_t self:shm create_shm_perms;
+allow nsplugin_t self:msgq create_msgq_perms; +allow nsplugin_t self:msgq create_msgq_perms;
+allow nsplugin_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; +allow nsplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms }; +allow nsplugin_t self:unix_dgram_socket { sendto create_socket_perms };
+allow nsplugin_t self:tcp_socket create_stream_socket_perms;
+allow nsplugin_t nsplugin_rw_t:dir list_dir_perms; +allow nsplugin_t nsplugin_rw_t:dir list_dir_perms;
+read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) +read_lnk_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
+read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t) +read_files_pattern(nsplugin_t, nsplugin_rw_t, nsplugin_rw_t)
@ -5158,7 +5168,7 @@ index 0000000..182e476
+dev_write_video_dev(nsplugin_t) +dev_write_video_dev(nsplugin_t)
+dev_getattr_dri_dev(nsplugin_t) +dev_getattr_dri_dev(nsplugin_t)
+dev_rwx_zero(nsplugin_t) +dev_rwx_zero(nsplugin_t)
+dev_search_sysfs(nsplugin_t) +dev_read_sysfs(nsplugin_t)
+ +
+kernel_read_kernel_sysctls(nsplugin_t) +kernel_read_kernel_sysctls(nsplugin_t)
+kernel_read_system_state(nsplugin_t) +kernel_read_system_state(nsplugin_t)
@ -5934,17 +5944,18 @@ index 9ec1478..26bb71c 100644
') ')
diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc diff --git a/policy/modules/apps/sandbox.fc b/policy/modules/apps/sandbox.fc
new file mode 100644 new file mode 100644
index 0000000..15778fd index 0000000..6caef63
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/sandbox.fc +++ b/policy/modules/apps/sandbox.fc
@@ -0,0 +1 @@ @@ -0,0 +1,2 @@
+# No types are sandbox_exec_t +
+/usr/share/sandbox/start -- gen_context(system_u:object_r:sandbox_exec_t,s0)
diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if diff --git a/policy/modules/apps/sandbox.if b/policy/modules/apps/sandbox.if
new file mode 100644 new file mode 100644
index 0000000..0c411b4 index 0000000..5f09eb9
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/sandbox.if +++ b/policy/modules/apps/sandbox.if
@@ -0,0 +1,334 @@ @@ -0,0 +1,335 @@
+ +
+## <summary>policy for sandbox</summary> +## <summary>policy for sandbox</summary>
+ +
@ -6065,6 +6076,7 @@ index 0000000..0c411b4
+ gen_require(` + gen_require(`
+ type xserver_exec_t, sandbox_devpts_t; + type xserver_exec_t, sandbox_devpts_t;
+ type sandbox_xserver_t; + type sandbox_xserver_t;
+ type sandbox_exec_t;
+ attribute sandbox_domain, sandbox_x_domain; + attribute sandbox_domain, sandbox_x_domain;
+ attribute sandbox_file_type, sandbox_tmpfs_type; + attribute sandbox_file_type, sandbox_tmpfs_type;
+ attribute sandbox_type; + attribute sandbox_type;
@ -6107,8 +6119,8 @@ index 0000000..0c411b4
+ domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t) + domtrans_pattern($1_t, xserver_exec_t, sandbox_xserver_t)
+ allow $1_t sandbox_xserver_t:process signal_perms; + allow $1_t sandbox_xserver_t:process signal_perms;
+ +
+ domtrans_pattern($1_t, $1_file_t, $1_client_t) + domtrans_pattern($1_t, sandbox_exec_t, $1_client_t)
+ domain_entry_file($1_client_t, $1_file_t) + domain_entry_file($1_client_t, sandbox_exec_t)
+ +
+ # Random tmpfs_t that gets created when you run X. + # Random tmpfs_t that gets created when you run X.
+ fs_rw_tmpfs_files($1_t) + fs_rw_tmpfs_files($1_t)
@ -6281,10 +6293,10 @@ index 0000000..0c411b4
+') +')
diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te diff --git a/policy/modules/apps/sandbox.te b/policy/modules/apps/sandbox.te
new file mode 100644 new file mode 100644
index 0000000..6b46acd index 0000000..5259647
--- /dev/null --- /dev/null
+++ b/policy/modules/apps/sandbox.te +++ b/policy/modules/apps/sandbox.te
@@ -0,0 +1,448 @@ @@ -0,0 +1,451 @@
+policy_module(sandbox,1.0.0) +policy_module(sandbox,1.0.0)
+dbus_stub() +dbus_stub()
+attribute sandbox_domain; +attribute sandbox_domain;
@ -6294,6 +6306,9 @@ index 0000000..6b46acd
+attribute sandbox_tmpfs_type; +attribute sandbox_tmpfs_type;
+attribute sandbox_type; +attribute sandbox_type;
+ +
+type sandbox_exec_t;
+files_type(sandbox_exec_t)
+
+######################################## +########################################
+# +#
+# Declarations +# Declarations
@ -10919,7 +10934,7 @@ index 3994e57..43aa641 100644
+ +
+/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh) +/lib/udev/devices/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 492bf76..525563a 100644 index 492bf76..00b786e 100644
--- a/policy/modules/kernel/terminal.if --- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if
@@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',` @@ -267,7 +267,6 @@ interface(`term_dontaudit_read_console',`
@ -10952,7 +10967,33 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -848,7 +849,7 @@ interface(`term_dontaudit_use_all_ptys',` @@ -651,6 +652,25 @@ interface(`term_use_controlling_term',`
allow $1 devtty_t:chr_file { rw_term_perms lock append };
')
+#######################################
+## <summary>
+## Allow attempts to get attributes
+## on the pty multiplexor (/dev/ptmx).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`term_getattr_ptmx',`
+ gen_require(`
+ type ptmx_t;
+ ')
+
+ allow $1 ptmx_t:chr_file getattr;
+')
+
########################################
## <summary>
## Do not audit attempts to get attributes
@@ -848,7 +868,7 @@ interface(`term_dontaudit_use_all_ptys',`
attribute ptynode; attribute ptynode;
') ')
@ -10961,7 +11002,7 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -1116,7 +1117,7 @@ interface(`term_relabel_unallocated_ttys',` @@ -1116,7 +1136,7 @@ interface(`term_relabel_unallocated_ttys',`
') ')
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
@ -10970,7 +11011,7 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -1215,7 +1216,7 @@ interface(`term_dontaudit_use_unallocated_ttys',` @@ -1215,7 +1235,7 @@ interface(`term_dontaudit_use_unallocated_ttys',`
type tty_device_t; type tty_device_t;
') ')
@ -10979,7 +11020,7 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -1231,11 +1232,13 @@ interface(`term_dontaudit_use_unallocated_ttys',` @@ -1231,11 +1251,13 @@ interface(`term_dontaudit_use_unallocated_ttys',`
# #
interface(`term_getattr_all_ttys',` interface(`term_getattr_all_ttys',`
gen_require(` gen_require(`
@ -10993,7 +11034,7 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -1252,10 +1255,12 @@ interface(`term_getattr_all_ttys',` @@ -1252,10 +1274,12 @@ interface(`term_getattr_all_ttys',`
interface(`term_dontaudit_getattr_all_ttys',` interface(`term_dontaudit_getattr_all_ttys',`
gen_require(` gen_require(`
attribute ttynode; attribute ttynode;
@ -11006,7 +11047,7 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -1294,7 +1299,7 @@ interface(`term_relabel_all_ttys',` @@ -1294,7 +1318,7 @@ interface(`term_relabel_all_ttys',`
') ')
dev_list_all_dev_nodes($1) dev_list_all_dev_nodes($1)
@ -11015,7 +11056,7 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -1352,7 +1357,7 @@ interface(`term_dontaudit_use_all_ttys',` @@ -1352,7 +1376,7 @@ interface(`term_dontaudit_use_all_ttys',`
attribute ttynode; attribute ttynode;
') ')
@ -11024,7 +11065,7 @@ index 492bf76..525563a 100644
') ')
######################################## ########################################
@@ -1468,3 +1473,22 @@ interface(`term_dontaudit_use_all_user_ttys',` @@ -1468,3 +1492,22 @@ interface(`term_dontaudit_use_all_user_ttys',`
refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.') refpolicywarn(`$0() is deprecated, use term_dontaudit_use_all_ttys() instead.')
term_dontaudit_use_all_ttys($1) term_dontaudit_use_all_ttys($1)
') ')
@ -11336,7 +11377,7 @@ index 2be17d2..96d3fbf 100644
') ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1ae9a94..27404e7 100644 index 4a8d146..a0a91fe 100644
--- a/policy/modules/roles/sysadm.te --- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te
@@ -24,20 +24,41 @@ ifndef(`enable_mls',` @@ -24,20 +24,41 @@ ifndef(`enable_mls',`
@ -11508,7 +11549,7 @@ index 1ae9a94..27404e7 100644
optional_policy(` optional_policy(`
rsync_exec(sysadm_t) rsync_exec(sysadm_t)
@@ -303,7 +326,7 @@ optional_policy(` @@ -307,7 +330,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -11517,7 +11558,7 @@ index 1ae9a94..27404e7 100644
') ')
optional_policy(` optional_policy(`
@@ -328,10 +351,6 @@ optional_policy(` @@ -332,10 +355,6 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -11528,7 +11569,7 @@ index 1ae9a94..27404e7 100644
tripwire_run_siggen(sysadm_t, sysadm_r) tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r) tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r) tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -339,18 +358,10 @@ optional_policy(` @@ -343,18 +362,10 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -11547,7 +11588,7 @@ index 1ae9a94..27404e7 100644
unconfined_domtrans(sysadm_t) unconfined_domtrans(sysadm_t)
') ')
@@ -363,17 +374,14 @@ optional_policy(` @@ -367,17 +378,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -11567,7 +11608,7 @@ index 1ae9a94..27404e7 100644
') ')
optional_policy(` optional_policy(`
@@ -385,7 +393,7 @@ optional_policy(` @@ -389,7 +397,7 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
@ -11576,7 +11617,7 @@ index 1ae9a94..27404e7 100644
') ')
optional_policy(` optional_policy(`
@@ -400,8 +408,15 @@ optional_policy(` @@ -404,8 +412,15 @@ optional_policy(`
yam_run(sysadm_t, sysadm_r) yam_run(sysadm_t, sysadm_r)
') ')
@ -11592,7 +11633,7 @@ index 1ae9a94..27404e7 100644
auth_role(sysadm_r, sysadm_t) auth_role(sysadm_r, sysadm_t)
') ')
@@ -448,5 +463,60 @@ ifndef(`distro_redhat',` @@ -452,5 +467,60 @@ ifndef(`distro_redhat',`
optional_policy(` optional_policy(`
java_role(sysadm_r, sysadm_t) java_role(sysadm_r, sysadm_t)
') ')
@ -16148,10 +16189,10 @@ index 0000000..fa9b95a
+') +')
diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te diff --git a/policy/modules/services/boinc.te b/policy/modules/services/boinc.te
new file mode 100644 new file mode 100644
index 0000000..3b58d07 index 0000000..6d8fdeb
--- /dev/null --- /dev/null
+++ b/policy/modules/services/boinc.te +++ b/policy/modules/services/boinc.te
@@ -0,0 +1,169 @@ @@ -0,0 +1,173 @@
+policy_module(boinc, 1.0.0) +policy_module(boinc, 1.0.0)
+ +
+######################################## +########################################
@ -16216,6 +16257,7 @@ index 0000000..3b58d07
+manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t)
+ +
+# needs read /proc/interrupts
+kernel_read_system_state(boinc_t) +kernel_read_system_state(boinc_t)
+ +
+files_getattr_all_dirs(boinc_t) +files_getattr_all_dirs(boinc_t)
@ -16253,7 +16295,10 @@ index 0000000..3b58d07
+ +
+fs_getattr_all_fs(boinc_t) +fs_getattr_all_fs(boinc_t)
+ +
+term_dontaudit_getattr_ptmx(boinc_t) +term_getattr_all_ptys(boinc_t)
+term_getattr_unallocated_ttys(boinc_t)
+
+init_read_utmp(boinc_t)
+ +
+miscfiles_read_localization(boinc_t) +miscfiles_read_localization(boinc_t)
+miscfiles_read_generic_certs(boinc_t) +miscfiles_read_generic_certs(boinc_t)
@ -25485,10 +25530,10 @@ index 0000000..311aaed
+') +')
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te
new file mode 100644 new file mode 100644
index 0000000..ba77ba5 index 0000000..f2e8836
--- /dev/null --- /dev/null
+++ b/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te
@@ -0,0 +1,125 @@ @@ -0,0 +1,126 @@
+policy_module(mpd, 1.0.0) +policy_module(mpd, 1.0.0)
+ +
+######################################## +########################################
@ -25570,6 +25615,7 @@ index 0000000..ba77ba5
+corenet_tcp_bind_mpd_port(mpd_t) +corenet_tcp_bind_mpd_port(mpd_t)
+corenet_tcp_bind_soundd_port(mpd_t) +corenet_tcp_bind_soundd_port(mpd_t)
+ +
+dev_read_sound(mpd_t)
+dev_read_sysfs(mpd_t) +dev_read_sysfs(mpd_t)
+ +
+files_read_usr_files(mpd_t) +files_read_usr_files(mpd_t)
@ -26116,10 +26162,18 @@ index 64268e4..ce7924b 100644
+ exim_manage_log(user_mail_domain) + exim_manage_log(user_mail_domain)
+') +')
diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index fd71d69..bad9920 100644 index fd71d69..2e9f2a3 100644
--- a/policy/modules/services/munin.fc --- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc +++ b/policy/modules/services/munin.fc
@@ -63,6 +63,7 @@ @@ -51,6 +51,7 @@
/usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@@ -63,6 +64,7 @@
/usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/yum -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
/var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0) /var/lib/munin(/.*)? gen_context(system_u:object_r:munin_var_lib_t,s0)
@ -26216,7 +26270,7 @@ index c358d8f..fec6a97 100644
allow $1 munin_t:process { ptrace signal_perms }; allow $1 munin_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index f17583b..bdeea89 100644 index f17583b..8f01394 100644
--- a/policy/modules/services/munin.te --- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te +++ b/policy/modules/services/munin.te
@@ -5,6 +5,8 @@ policy_module(munin, 1.8.0) @@ -5,6 +5,8 @@ policy_module(munin, 1.8.0)
@ -26333,7 +26387,15 @@ index f17583b..bdeea89 100644
') ')
optional_policy(` optional_policy(`
@@ -255,10 +263,6 @@ corenet_tcp_connect_http_port(services_munin_plugin_t) @@ -245,6 +253,7 @@ optional_policy(`
# local policy for service plugins
#
+allow services_munin_plugin_t self:sem create_sem_perms;
allow services_munin_plugin_t self:tcp_socket create_stream_socket_perms;
allow services_munin_plugin_t self:udp_socket create_socket_perms;
allow services_munin_plugin_t self:netlink_route_socket r_netlink_socket_perms;
@@ -255,13 +264,10 @@ corenet_tcp_connect_http_port(services_munin_plugin_t)
dev_read_urand(services_munin_plugin_t) dev_read_urand(services_munin_plugin_t)
dev_read_rand(services_munin_plugin_t) dev_read_rand(services_munin_plugin_t)
@ -26344,7 +26406,11 @@ index f17583b..bdeea89 100644
sysnet_read_config(services_munin_plugin_t) sysnet_read_config(services_munin_plugin_t)
optional_policy(` optional_policy(`
@@ -286,6 +290,10 @@ optional_policy(` + cups_read_config(services_munin_plugin_t)
cups_stream_connect(services_munin_plugin_t)
')
@@ -286,6 +292,10 @@ optional_policy(`
snmp_read_snmp_var_lib_files(services_munin_plugin_t) snmp_read_snmp_var_lib_files(services_munin_plugin_t)
') ')
@ -26355,7 +26421,13 @@ index f17583b..bdeea89 100644
################################## ##################################
# #
# local policy for system plugins # local policy for system plugins
@@ -298,10 +306,6 @@ rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) @@ -295,13 +305,12 @@ allow system_munin_plugin_t self:udp_socket create_socket_perms;
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
+# needed by munin_* plugins
+allow system_munin_plugin_t munin_log_t:file r_file_perms;
+
kernel_read_network_state(system_munin_plugin_t) kernel_read_network_state(system_munin_plugin_t)
kernel_read_all_sysctls(system_munin_plugin_t) kernel_read_all_sysctls(system_munin_plugin_t)
@ -26366,10 +26438,11 @@ index f17583b..bdeea89 100644
dev_read_sysfs(system_munin_plugin_t) dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t) dev_read_urand(system_munin_plugin_t)
@@ -313,3 +317,30 @@ init_read_utmp(system_munin_plugin_t) @@ -313,3 +322,31 @@ init_read_utmp(system_munin_plugin_t)
sysnet_exec_ifconfig(system_munin_plugin_t) sysnet_exec_ifconfig(system_munin_plugin_t)
term_getattr_unallocated_ttys(system_munin_plugin_t) term_getattr_unallocated_ttys(system_munin_plugin_t)
+term_getattr_all_ttys(system_munin_plugin_t)
+term_getattr_all_ptys(system_munin_plugin_t) +term_getattr_all_ptys(system_munin_plugin_t)
+ +
+################################ +################################
@ -26616,10 +26689,18 @@ index 8581040..cfcdf10 100644
allow $1 nagios_t:process { ptrace signal_perms }; allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index bf64a4c..55b3ce7 100644 index bf64a4c..86c9cba 100644
--- a/policy/modules/services/nagios.te --- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te +++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t) @@ -79,6 +79,7 @@ files_spool_filetrans(nagios_t, nagios_spool_t, fifo_file)
kernel_read_system_state(nagios_t)
kernel_read_kernel_sysctls(nagios_t)
+kernel_read_software_raid_state(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
@@ -107,13 +108,11 @@ files_read_etc_files(nagios_t)
files_read_etc_runtime_files(nagios_t) files_read_etc_runtime_files(nagios_t)
files_read_kernel_symbol_table(nagios_t) files_read_kernel_symbol_table(nagios_t)
files_search_spool(nagios_t) files_search_spool(nagios_t)
@ -26634,7 +26715,7 @@ index bf64a4c..55b3ce7 100644
auth_use_nsswitch(nagios_t) auth_use_nsswitch(nagios_t)
logging_send_syslog_msg(nagios_t) logging_send_syslog_msg(nagios_t)
@@ -124,10 +122,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t) @@ -124,10 +123,10 @@ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
userdom_dontaudit_search_user_home_dirs(nagios_t) userdom_dontaudit_search_user_home_dirs(nagios_t)
mta_send_mail(nagios_t) mta_send_mail(nagios_t)
@ -26647,7 +26728,7 @@ index bf64a4c..55b3ce7 100644
netutils_kill_ping(nagios_t) netutils_kill_ping(nagios_t)
') ')
@@ -143,6 +141,7 @@ optional_policy(` @@ -143,6 +142,7 @@ optional_policy(`
# #
# Nagios CGI local policy # Nagios CGI local policy
# #
@ -26655,7 +26736,7 @@ index bf64a4c..55b3ce7 100644
optional_policy(` optional_policy(`
apache_content_template(nagios) apache_content_template(nagios)
typealias httpd_nagios_script_t alias nagios_cgi_t; typealias httpd_nagios_script_t alias nagios_cgi_t;
@@ -180,11 +179,13 @@ optional_policy(` @@ -180,11 +180,13 @@ optional_policy(`
# #
allow nrpe_t self:capability { setuid setgid }; allow nrpe_t self:capability { setuid setgid };
@ -26670,7 +26751,7 @@ index bf64a4c..55b3ce7 100644
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t) domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t) read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
@@ -201,7 +202,8 @@ corecmd_exec_shell(nrpe_t) @@ -201,7 +203,8 @@ corecmd_exec_shell(nrpe_t)
corenet_tcp_bind_generic_node(nrpe_t) corenet_tcp_bind_generic_node(nrpe_t)
corenet_tcp_bind_inetd_child_port(nrpe_t) corenet_tcp_bind_inetd_child_port(nrpe_t)
@ -26680,7 +26761,7 @@ index bf64a4c..55b3ce7 100644
dev_read_sysfs(nrpe_t) dev_read_sysfs(nrpe_t)
dev_read_urand(nrpe_t) dev_read_urand(nrpe_t)
@@ -270,7 +272,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t) @@ -270,7 +273,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
# #
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override }; allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@ -26688,7 +26769,7 @@ index bf64a4c..55b3ce7 100644
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms; allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms; allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
@@ -299,7 +300,7 @@ optional_policy(` @@ -299,7 +301,7 @@ optional_policy(`
optional_policy(` optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t) postfix_stream_connect_master(nagios_mail_plugin_t)
@ -26697,7 +26778,7 @@ index bf64a4c..55b3ce7 100644
') ')
###################################### ######################################
@@ -310,6 +311,9 @@ optional_policy(` @@ -310,6 +312,9 @@ optional_policy(`
# needed by ioctl() # needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio }; allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@ -26707,7 +26788,7 @@ index bf64a4c..55b3ce7 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t) files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t) fs_getattr_all_fs(nagios_checkdisk_plugin_t)
@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t) @@ -323,7 +328,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw }; allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill }; allow nagios_services_plugin_t self:process { signal sigkill };
@ -26715,7 +26796,7 @@ index bf64a4c..55b3ce7 100644
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms; allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms; allow nagios_services_plugin_t self:udp_socket create_socket_perms;
@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t) @@ -340,6 +344,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(` optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t) netutils_domtrans_ping(nagios_services_plugin_t)
@ -28796,14 +28877,16 @@ index 9759ed8..07dd3ff 100644
admin_pattern($1, plymouthd_var_run_t) admin_pattern($1, plymouthd_var_run_t)
') ')
diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te diff --git a/policy/modules/services/plymouthd.te b/policy/modules/services/plymouthd.te
index fb8dc84..cf0e3d1 100644 index fb8dc84..56cc327 100644
--- a/policy/modules/services/plymouthd.te --- a/policy/modules/services/plymouthd.te
+++ b/policy/modules/services/plymouthd.te +++ b/policy/modules/services/plymouthd.te
@@ -60,10 +60,18 @@ domain_use_interactive_fds(plymouthd_t) @@ -60,10 +60,20 @@ domain_use_interactive_fds(plymouthd_t)
files_read_etc_files(plymouthd_t) files_read_etc_files(plymouthd_t)
files_read_usr_files(plymouthd_t) files_read_usr_files(plymouthd_t)
+term_use_unallocated_ttys(plymouthd_t) +term_use_unallocated_ttys(plymouthd_t)
+
+logging_delete_generic_logs(plymouthd_t)
+ +
miscfiles_read_localization(plymouthd_t) miscfiles_read_localization(plymouthd_t)
miscfiles_read_fonts(plymouthd_t) miscfiles_read_fonts(plymouthd_t)
@ -28818,7 +28901,7 @@ index fb8dc84..cf0e3d1 100644
######################################## ########################################
# #
# Plymouth private policy # Plymouth private policy
@@ -74,6 +82,7 @@ allow plymouth_t self:fifo_file rw_file_perms; @@ -74,6 +84,7 @@ allow plymouth_t self:fifo_file rw_file_perms;
allow plymouth_t self:unix_stream_socket create_stream_socket_perms; allow plymouth_t self:unix_stream_socket create_stream_socket_perms;
kernel_read_system_state(plymouth_t) kernel_read_system_state(plymouth_t)
@ -28826,15 +28909,7 @@ index fb8dc84..cf0e3d1 100644
domain_use_interactive_fds(plymouth_t) domain_use_interactive_fds(plymouth_t)
@@ -81,13 +90,15 @@ files_read_etc_files(plymouth_t) @@ -87,7 +98,7 @@ sysnet_read_config(plymouth_t)
term_use_ptmx(plymouth_t)
+logging_delete_generic_logs(plymouth_t)
+
miscfiles_read_localization(plymouth_t)
sysnet_read_config(plymouth_t)
plymouthd_stream_connect(plymouth_t) plymouthd_stream_connect(plymouth_t)
@ -41371,7 +41446,7 @@ index a97a096..ab1e16a 100644
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/bin/scsi_unique_id -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index a442acc..949f5ff 100644 index a442acc..133f7f8 100644
--- a/policy/modules/system/fstools.te --- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te
@@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon }; @@ -55,6 +55,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
@ -41438,10 +41513,14 @@ index a442acc..949f5ff 100644
nis_use_ypbind(fsadm_t) nis_use_ypbind(fsadm_t)
') ')
@@ -175,6 +193,10 @@ optional_policy(` @@ -175,6 +193,14 @@ optional_policy(`
') ')
optional_policy(` optional_policy(`
+ udev_read_db(fsadm_t)
+')
+
+optional_policy(`
+ virt_read_blk_images(fsadm_t) + virt_read_blk_images(fsadm_t)
+') +')
+ +
@ -45546,7 +45625,7 @@ index 170e2c7..bbaa8cf 100644
+') +')
+') +')
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ff5d72d..9cd171a 100644 index ff5d72d..f5fdb63 100644
--- a/policy/modules/system/selinuxutil.te --- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te
@@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy; @@ -22,6 +22,9 @@ attribute can_relabelto_binary_policy;
@ -45626,6 +45705,15 @@ index ff5d72d..9cd171a 100644
miscfiles_read_localization(load_policy_t) miscfiles_read_localization(load_policy_t)
@@ -204,7 +218,7 @@ ifdef(`hide_broken_symptoms',`
# Newrole local policy
#
-allow newrole_t self:capability { fowner setuid setgid dac_override };
+allow newrole_t self:capability { fowner setpcap setuid setgid dac_override };
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow newrole_t self:process setexec;
allow newrole_t self:fd use;
@@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms; @@ -216,7 +230,7 @@ allow newrole_t self:msgq create_msgq_perms;
allow newrole_t self:msg { send receive }; allow newrole_t self:msg { send receive };
allow newrole_t self:unix_dgram_socket sendto; allow newrole_t self:unix_dgram_socket sendto;
@ -47610,7 +47698,7 @@ index db75976..392d1ee 100644
+HOME_DIR/\.gvfs(/.*)? <<none>> +HOME_DIR/\.gvfs(/.*)? <<none>>
+HOME_DIR/\.debug(/.*)? <<none>> +HOME_DIR/\.debug(/.*)? <<none>>
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 35f1476..1571559 100644 index 28b88de..10340bc 100644
--- a/policy/modules/system/userdomain.if --- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if
@@ -30,8 +30,9 @@ template(`userdom_base_user_template',` @@ -30,8 +30,9 @@ template(`userdom_base_user_template',`
@ -48821,7 +48909,7 @@ index 35f1476..1571559 100644
seutil_run_setfiles($1, $2) seutil_run_setfiles($1, $2)
optional_policy(` optional_policy(`
@@ -1275,12 +1510,15 @@ template(`userdom_security_admin_template',` @@ -1279,12 +1514,15 @@ template(`userdom_security_admin_template',`
interface(`userdom_user_home_content',` interface(`userdom_user_home_content',`
gen_require(` gen_require(`
type user_home_t; type user_home_t;
@ -48838,7 +48926,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -1391,6 +1629,7 @@ interface(`userdom_search_user_home_dirs',` @@ -1395,6 +1633,7 @@ interface(`userdom_search_user_home_dirs',`
') ')
allow $1 user_home_dir_t:dir search_dir_perms; allow $1 user_home_dir_t:dir search_dir_perms;
@ -48846,7 +48934,7 @@ index 35f1476..1571559 100644
files_search_home($1) files_search_home($1)
') ')
@@ -1437,6 +1676,14 @@ interface(`userdom_list_user_home_dirs',` @@ -1441,6 +1680,14 @@ interface(`userdom_list_user_home_dirs',`
allow $1 user_home_dir_t:dir list_dir_perms; allow $1 user_home_dir_t:dir list_dir_perms;
files_search_home($1) files_search_home($1)
@ -48861,7 +48949,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -1452,9 +1699,11 @@ interface(`userdom_list_user_home_dirs',` @@ -1456,9 +1703,11 @@ interface(`userdom_list_user_home_dirs',`
interface(`userdom_dontaudit_list_user_home_dirs',` interface(`userdom_dontaudit_list_user_home_dirs',`
gen_require(` gen_require(`
type user_home_dir_t; type user_home_dir_t;
@ -48873,7 +48961,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -1511,6 +1760,42 @@ interface(`userdom_relabelto_user_home_dirs',` @@ -1515,6 +1764,42 @@ interface(`userdom_relabelto_user_home_dirs',`
allow $1 user_home_dir_t:dir relabelto; allow $1 user_home_dir_t:dir relabelto;
') ')
@ -48916,7 +49004,7 @@ index 35f1476..1571559 100644
######################################## ########################################
## <summary> ## <summary>
## Create directories in the home dir root with ## Create directories in the home dir root with
@@ -1585,6 +1870,8 @@ interface(`userdom_dontaudit_search_user_home_content',` @@ -1589,6 +1874,8 @@ interface(`userdom_dontaudit_search_user_home_content',`
') ')
dontaudit $1 user_home_t:dir search_dir_perms; dontaudit $1 user_home_t:dir search_dir_perms;
@ -48925,7 +49013,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -1599,10 +1886,12 @@ interface(`userdom_dontaudit_search_user_home_content',` @@ -1603,10 +1890,12 @@ interface(`userdom_dontaudit_search_user_home_content',`
# #
interface(`userdom_list_user_home_content',` interface(`userdom_list_user_home_content',`
gen_require(` gen_require(`
@ -48940,7 +49028,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -1645,30 +1934,49 @@ interface(`userdom_delete_user_home_content_dirs',` @@ -1649,30 +1938,49 @@ interface(`userdom_delete_user_home_content_dirs',`
######################################## ########################################
## <summary> ## <summary>
@ -48997,7 +49085,7 @@ index 35f1476..1571559 100644
## </summary> ## </summary>
## </param> ## </param>
# #
@@ -1696,12 +2004,32 @@ interface(`userdom_read_user_home_content_files',` @@ -1700,12 +2008,32 @@ interface(`userdom_read_user_home_content_files',`
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -49030,7 +49118,7 @@ index 35f1476..1571559 100644
## Do not audit attempts to read user home files. ## Do not audit attempts to read user home files.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -1712,11 +2040,14 @@ interface(`userdom_read_user_home_content_files',` @@ -1716,11 +2044,14 @@ interface(`userdom_read_user_home_content_files',`
# #
interface(`userdom_dontaudit_read_user_home_content_files',` interface(`userdom_dontaudit_read_user_home_content_files',`
gen_require(` gen_require(`
@ -49048,7 +49136,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -1806,8 +2137,7 @@ interface(`userdom_read_user_home_content_symlinks',` @@ -1810,8 +2141,7 @@ interface(`userdom_read_user_home_content_symlinks',`
type user_home_dir_t, user_home_t; type user_home_dir_t, user_home_t;
') ')
@ -49058,7 +49146,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -1823,20 +2153,14 @@ interface(`userdom_read_user_home_content_symlinks',` @@ -1827,20 +2157,14 @@ interface(`userdom_read_user_home_content_symlinks',`
# #
interface(`userdom_exec_user_home_content_files',` interface(`userdom_exec_user_home_content_files',`
gen_require(` gen_require(`
@ -49083,7 +49171,7 @@ index 35f1476..1571559 100644
######################################## ########################################
## <summary> ## <summary>
@@ -2178,7 +2502,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',` @@ -2182,7 +2506,7 @@ interface(`userdom_dontaudit_read_user_tmp_files',`
type user_tmp_t; type user_tmp_t;
') ')
@ -49092,7 +49180,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -2431,13 +2755,14 @@ interface(`userdom_read_user_tmpfs_files',` @@ -2435,13 +2759,14 @@ interface(`userdom_read_user_tmpfs_files',`
') ')
read_files_pattern($1, user_tmpfs_t, user_tmpfs_t) read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
@ -49108,7 +49196,7 @@ index 35f1476..1571559 100644
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@@ -2458,26 +2783,6 @@ interface(`userdom_rw_user_tmpfs_files',` @@ -2462,26 +2787,6 @@ interface(`userdom_rw_user_tmpfs_files',`
######################################## ########################################
## <summary> ## <summary>
@ -49135,7 +49223,7 @@ index 35f1476..1571559 100644
## Get the attributes of a user domain tty. ## Get the attributes of a user domain tty.
## </summary> ## </summary>
## <param name="domain"> ## <param name="domain">
@@ -2811,7 +3116,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` @@ -2815,7 +3120,7 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
domain_entry_file_spec_domtrans($1, unpriv_userdomain) domain_entry_file_spec_domtrans($1, unpriv_userdomain)
allow unpriv_userdomain $1:fd use; allow unpriv_userdomain $1:fd use;
@ -49144,7 +49232,7 @@ index 35f1476..1571559 100644
allow unpriv_userdomain $1:process sigchld; allow unpriv_userdomain $1:process sigchld;
') ')
@@ -2827,11 +3132,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',` @@ -2831,11 +3136,13 @@ interface(`userdom_entry_spec_domtrans_unpriv_users',`
# #
interface(`userdom_search_user_home_content',` interface(`userdom_search_user_home_content',`
gen_require(` gen_require(`
@ -49160,7 +49248,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -2913,7 +3220,7 @@ interface(`userdom_dontaudit_use_user_ptys',` @@ -2917,7 +3224,7 @@ interface(`userdom_dontaudit_use_user_ptys',`
type user_devpts_t; type user_devpts_t;
') ')
@ -49169,7 +49257,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -2968,7 +3275,45 @@ interface(`userdom_write_user_tmp_files',` @@ -2972,7 +3279,45 @@ interface(`userdom_write_user_tmp_files',`
type user_tmp_t; type user_tmp_t;
') ')
@ -49216,7 +49304,7 @@ index 35f1476..1571559 100644
') ')
######################################## ########################################
@@ -3005,6 +3350,7 @@ interface(`userdom_read_all_users_state',` @@ -3009,6 +3354,7 @@ interface(`userdom_read_all_users_state',`
') ')
read_files_pattern($1, userdomain, userdomain) read_files_pattern($1, userdomain, userdomain)
@ -49224,7 +49312,7 @@ index 35f1476..1571559 100644
kernel_search_proc($1) kernel_search_proc($1)
') ')
@@ -3135,3 +3481,873 @@ interface(`userdom_dbus_send_all_users',` @@ -3139,3 +3485,873 @@ interface(`userdom_dbus_send_all_users',`
allow $1 userdomain:dbus send_msg; allow $1 userdomain:dbus send_msg;
') ')

View File

@ -21,7 +21,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.9.11 Version: 3.9.11
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -471,6 +471,9 @@ exit 0
%endif %endif
%changelog %changelog
* Wed Dec 15 2010 Dan Walsh <dwalsh@redhat.com> 3.9.11-2
- Update selinux policy to handle new /usr/share/sandbox/start script
* Wed Dec 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.11-1 * Wed Dec 15 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.11-1
- Update to upstream - Update to upstream
- Fix version of policy in spec file - Fix version of policy in spec file