Merge branch 'master' of ssh://pkgs.fedoraproject.org/selinux-policy

2011-05-06 10:51:56 -04:00 · 2011-05-06 10:51:56 -04:00 · ff120d7be5
commit ff120d7be5
parent e81c7996c4 cfc00b53cb
2 changed files with 82 additions and 46 deletions
--- a/policy-F16.patch
+++ b/policy-F16.patch
@ -3875,7 +3875,7 @@ index 00a19e3..55075f9 100644
 +/usr/libexec/gnome-system-monitor-mechanism 	--      gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper	--		gen_context(system_u:object_r:gnomesystemmm_exec_t,s0)
 diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
-index f5afe78..3ca01ec 100644
+index f5afe78..c9f63b0 100644
 --- a/policy/modules/apps/gnome.if
 +++ b/policy/modules/apps/gnome.if
@@ -1,44 +1,623 @@
@ -3981,7 +3981,7 @@ index f5afe78..3ca01ec 100644
 +	allow $1_gkeyringd_t $3:dbus send_msg;
 +	allow $3 $1_gkeyringd_t:dbus send_msg;
 +	optional_policy(`
-+	       	dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t)
+	       	dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
 +		dbus_session_bus_client($1_gkeyringd_t)
 +		gnome_home_dir_filetrans($1_gkeyringd_t)
 +		gnome_manage_generic_home_dirs($1_gkeyringd_t)
@ -9466,10 +9466,10 @@ index 0000000..8a7ed4f
 +/usr/libexec/telepathy-sunshine			--		gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0)
 diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
 new file mode 100644
-index 0000000..6878d68
+index 0000000..f6acf24
 --- /dev/null
 +++ b/policy/modules/apps/telepathy.if
-@@ -0,0 +1,193 @@
+@@ -0,0 +1,191 @@
 +
 +## <summary>Telepathy framework.</summary>
 +
@ -9500,8 +9500,6 @@ index 0000000..6878d68
 +	type telepathy_$1_tmp_t;
 +	files_tmp_file(telepathy_$1_tmp_t)
 +	ubac_constrained(telepathy_$1_tmp_t)
 +
 +	dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t)
 +')
 +
 +#######################################
@ -15378,7 +15376,7 @@ index 069d36c..8cbeefb 100644
 +')
 +
 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
-index 5001b89..e1fe78d 100644
+index 5001b89..c90e93e 100644
 --- a/policy/modules/kernel/kernel.te
 +++ b/policy/modules/kernel/kernel.te
@@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh)
@ -15403,7 +15401,7 @@ index 5001b89..e1fe78d 100644
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 +dev_filetrans_all_named_dev(kernel_t)
-+storage_filetrans_all_named_dev(kernel_t)
+#storage_filetrans_all_named_dev(kernel_t)
 +term_filetrans_all_named_dev(kernel_t)
 # Mount root file system. Used when loading a policy
@ -16818,7 +16816,7 @@ index be4de58..cce681a 100644
 ########################################
 #
 diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
-index 2be17d2..ddb6f0a 100644
+index 2be17d2..1663532 100644
 --- a/policy/modules/roles/staff.te
 +++ b/policy/modules/roles/staff.te
@@ -8,12 +8,51 @@ policy_module(staff, 2.2.0)
@ -16873,7 +16871,7 @@ index 2be17d2..ddb6f0a 100644
 optional_policy(`
 	apache_role(staff_r, staff_t)
 ')
-@@ -27,25 +66,139 @@ optional_policy(`
+@@ -27,25 +66,138 @@ optional_policy(`
 ')
 optional_policy(`
@ -16895,7 +16893,6 @@ index 2be17d2..ddb6f0a 100644
 +
 +optional_policy(`
 +	gnome_role(staff_r, staff_t)
 +	gnome_role_gkeyringd(staff, staff_r, staff_t)
 +')
 +
 +optional_policy(`
@ -17015,7 +17012,7 @@ index 2be17d2..ddb6f0a 100644
 optional_policy(`
 	vlock_run(staff_t, staff_r)
-@@ -89,10 +242,6 @@ ifndef(`distro_redhat',`
+@@ -89,10 +241,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -17026,7 +17023,7 @@ index 2be17d2..ddb6f0a 100644
 		gpg_role(staff_r, staff_t)
 	')
-@@ -137,10 +286,6 @@ ifndef(`distro_redhat',`
+@@ -137,10 +285,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -17037,7 +17034,7 @@ index 2be17d2..ddb6f0a 100644
 		spamassassin_role(staff_r, staff_t)
 	')
-@@ -172,3 +317,7 @@ ifndef(`distro_redhat',`
+@@ -172,3 +316,7 @@ ifndef(`distro_redhat',`
 		wireshark_role(staff_r, staff_t)
 	')
 ')
@ -18656,10 +18653,10 @@ index 0000000..4cf791b
 +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 +
 diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
-index e5bfdd4..dc6b88f 100644
+index e5bfdd4..425ea6f 100644
 --- a/policy/modules/roles/unprivuser.te
 +++ b/policy/modules/roles/unprivuser.te
-@@ -12,15 +12,75 @@ role user_r;
+@@ -12,15 +12,74 @@ role user_r;
 userdom_unpriv_user_template(user)
@ -18686,7 +18683,6 @@ index e5bfdd4..dc6b88f 100644
 +
 +optional_policy(`
 +	gnome_role(user_r, user_t)
 +
 +')
 +
 +optional_policy(`
@ -18727,15 +18723,15 @@ index e5bfdd4..dc6b88f 100644
 +	setroubleshoot_dontaudit_stream_connect(user_t)
 +')
 +
-+optional_policy(`
+#optional_policy(`
-+	telepathy_dbus_session_role(user_r, user_t)
+#	telepathy_dbus_session_role(user_r, user_t)
-+')
+#')
 +
 +optional_policy(`
 	vlock_run(user_t, user_r)
 ')
-@@ -62,10 +122,6 @@ ifndef(`distro_redhat',`
+@@ -62,10 +121,6 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -18746,7 +18742,7 @@ index e5bfdd4..dc6b88f 100644
 		gpg_role(user_r, user_t)
 	')
-@@ -118,11 +174,7 @@ ifndef(`distro_redhat',`
+@@ -118,11 +173,7 @@ ifndef(`distro_redhat',`
 	')
 	optional_policy(`
@ -18759,7 +18755,7 @@ index e5bfdd4..dc6b88f 100644
 	')
 	optional_policy(`
-@@ -157,3 +209,4 @@ ifndef(`distro_redhat',`
+@@ -157,3 +208,4 @@ ifndef(`distro_redhat',`
 		wireshark_role(user_r, user_t)
 	')
 ')
@ -24810,7 +24806,7 @@ index 0000000..939d76e
 +')
 diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
 new file mode 100644
-index 0000000..13278c0
+index 0000000..d8c9b6e
 --- /dev/null
 +++ b/policy/modules/services/colord.te
@@ -0,0 +1,106 @@
@ -24838,9 +24834,7 @@ index 0000000..13278c0
 +#
 +# colord local policy
 +#
 +
 +allow colord_t self:process signal;
 +
 +allow colord_t self:fifo_file rw_fifo_file_perms;
 +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 +allow colord_t self:udp_socket create_socket_perms;
@ -24858,6 +24852,7 @@ index 0000000..13278c0
 +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t)
 +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir })
 +
 +kernel_getattr_proc_files(colord_t)
 +kernel_read_device_sysctls(colord_t)
 +
 +corenet_udp_bind_generic_node(colord_t)
@ -24879,6 +24874,7 @@ index 0000000..13278c0
 +
 +domain_use_interactive_fds(colord_t)
 +
 +files_list_mnt(colord_t)
 +files_read_etc_files(colord_t)
 +files_read_usr_files(colord_t)
 +
@ -26521,7 +26517,7 @@ index 81eba14..d0ab56c 100644
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
 /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
-index 0d5711c..85a1dc0 100644
+index 0d5711c..a0c951e 100644
 --- a/policy/modules/services/dbus.if
 +++ b/policy/modules/services/dbus.if
@@ -41,9 +41,9 @@ interface(`dbus_stub',`
@ -26682,6 +26678,24 @@ index 0d5711c..85a1dc0 100644
 +	allow session_bus_type $1:process sigkill;
 ')
 ########################################
@@ -335,13 +377,13 @@ interface(`dbus_connect_session_bus',`
 #
 interface(`dbus_session_domain',`
 	gen_require(`
 -		attribute session_bus_type;
 +		type $1_dbusd_t;
 	')
 -	domtrans_pattern(session_bus_type, $2, $1)
 +	domtrans_pattern($1_dbusd_t, $2, $3)
 -	dbus_session_bus_client($1)
 -	dbus_connect_session_bus($1)
 +	dbus_session_bus_client($3)
 +	dbus_connect_session_bus($3)
 ')
 ########################################
@@ -431,14 +473,28 @@ interface(`dbus_system_domain',`
@ -28914,7 +28928,7 @@ index 6bef7f8..464669c 100644
 +	admin_pattern($1, exim_var_run_t)
 +')
 diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
-index f28f64b..18c3c33 100644
+index f28f64b..0b19f11 100644
 --- a/policy/modules/services/exim.te
 +++ b/policy/modules/services/exim.te
@@ -6,24 +6,24 @@ policy_module(exim, 1.5.0)
@ -28925,7 +28939,7 @@ index f28f64b..18c3c33 100644
 -## Allow exim to connect to databases (postgres, mysql)
 -## </p>
 +##	<p>
-+##	Allow exim to connect to databases (postgres, mysql)
+##	Allow exim to connect to databases (PostgreSQL, MySQL)
 +##	</p>
 ## </desc>
 gen_tunable(exim_can_connect_db, false)
@ -29196,7 +29210,7 @@ index 0000000..84d1768
 +')
 diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
 new file mode 100644
-index 0000000..a63cabe
+index 0000000..8dcd6e4
 --- /dev/null
 +++ b/policy/modules/services/firewalld.te
@@ -0,0 +1,68 @@
@ -29225,7 +29239,7 @@ index 0000000..a63cabe
 +#
 +# firewalld local policy
 +#
-+
+dontaudit firewalld_t self:capability sys_tty_config;
 +allow firewalld_t self:fifo_file rw_fifo_file_perms;
 +allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
 +
@ -34861,14 +34875,14 @@ index 64268e4..9ddac52 100644
 +	exim_manage_log(user_mail_domain)
 +')
 diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
-index fd71d69..2e9f2a3 100644
+index fd71d69..bf90863 100644
 --- a/policy/modules/services/munin.fc
 +++ b/policy/modules/services/munin.fc
@@ -51,6 +51,7 @@
 /usr/share/munin/plugins/irqstats --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/load	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/memory	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
-+/usr/share/munin/plugins/munin_*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
+/usr/share/munin/plugins/munin_.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/netstat --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/nfs.*	--	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
 /usr/share/munin/plugins/open_files --	gen_context(system_u:object_r:system_munin_plugin_exec_t,s0)
@ -39522,7 +39536,7 @@ index 09aeffa..dd70b14 100644
 	postgresql_tcp_connect($1)
 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
-index 8ed5067..f31634f 100644
+index 8ed5067..a5603cd 100644
 --- a/policy/modules/services/postgresql.te
 +++ b/policy/modules/services/postgresql.te
@@ -19,16 +19,16 @@ gen_require(`
@ -39533,7 +39547,7 @@ index 8ed5067..f31634f 100644
 -## Allow unprived users to execute DDL statement
 -## </p>
 +##	<p>
-+##	Allow unprived users to execute DDL statement
+##	Allow unprivileged users to execute DDL statement
 +##	</p>
 ## </desc>
 gen_tunable(sepgsql_enable_users_ddl, true)
@ -40250,7 +40264,7 @@ index 2855a44..0456b11 100644
 		type puppet_tmp_t;
 	')
 diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
-index 64c5f95..69fa687 100644
+index 64c5f95..ebb9b4d 100644
 --- a/policy/modules/services/puppet.te
 +++ b/policy/modules/services/puppet.te
@@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0)
@ -40268,7 +40282,7 @@ index 64c5f95..69fa687 100644
 ## <p>
 -## Allow Puppet client to manage all file
 -## types.
-+## Allow Puppet master to use connect to mysql and postgresql database
+## Allow Puppet master to use connect to MySQL and PostgreSQL database
 ## </p>
 ## </desc>
 -gen_tunable(puppet_manage_all_files, false)
@ -50995,10 +51009,10 @@ index c26ecf5..b906c48 100644
 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
 new file mode 100644
-index 0000000..72059b2
+index 0000000..28cd477
 --- /dev/null
 +++ b/policy/modules/services/zarafa.fc
-@@ -0,0 +1,29 @@
+@@ -0,0 +1,33 @@
 +
 +/etc/zarafa(/.*)?			gen_context(system_u:object_r:zarafa_etc_t,s0)
 +
@ -51012,6 +51026,8 @@ index 0000000..72059b2
 +
 +/usr/bin/zarafa-ical	--	gen_context(system_u:object_r:zarafa_ical_exec_t,s0)
 +
 +/usr/bin/zarafa-indexer --	gen_context(system_u:object_r:zarafa_indexer_exec_t,s0)
 +
 +/usr/bin/zarafa-monitor	--	gen_context(system_u:object_r:zarafa_monitor_exec_t,s0)
 +
 +/var/lib/zarafa-.*   			gen_context(system_u:object_r:zarafa_var_lib_t,s0)
@ -51020,6 +51036,7 @@ index 0000000..72059b2
 +/var/log/zarafa/spooler\.log	--	gen_context(system_u:object_r:zarafa_spooler_log_t,s0)
 +/var/log/zarafa/gateway\.log	--	gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
 +/var/log/zarafa/ical\.log		--	gen_context(system_u:object_r:zarafa_ical_log_t,s0)
 +/var/log/zarafa/indexer\.log       --  gen_context(system_u:object_r:zarafa_indexer_log_t,s0)
 +/var/log/zarafa/monitor\.log	--	gen_context(system_u:object_r:zarafa_monitor_log_t,s0)
 +
 +/var/run/zarafa		     		-s      gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
@ -51027,6 +51044,7 @@ index 0000000..72059b2
 +/var/run/zarafa-server\.pid     --      gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
 +/var/run/zarafa-spooler\.pid    --      gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
 +/var/run/zarafa-ical\.pid       --      gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
 +/var/run/zarafa-indexer			--		gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
 +/var/run/zarafa-monitor\.pid    --      gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
 diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
 new file mode 100644
@ -51158,10 +51176,10 @@ index 0000000..8a909f5
 +')
 diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te
 new file mode 100644
-index 0000000..fec9997
+index 0000000..850b8b5
 --- /dev/null
 +++ b/policy/modules/services/zarafa.te
-@@ -0,0 +1,141 @@
+@@ -0,0 +1,146 @@
 +policy_module(zarafa, 1.0.0)
 +
 +########################################
@ -51172,6 +51190,7 @@ index 0000000..fec9997
 +attribute zarafa_domain;
 +
 +zarafa_domain_template(monitor)
 +zarafa_domain_template(indexer)
 +zarafa_domain_template(ical)
 +zarafa_domain_template(server)
 +zarafa_domain_template(spooler)
@ -51193,6 +51212,8 @@ index 0000000..fec9997
 +type zarafa_share_t;
 +files_type(zarafa_share_t)
 +
 +permissive zarafa_indexer_t;
 +
 +########################################
 +#
 +# zarafa-deliver local policy
@ -51221,6 +51242,8 @@ index 0000000..fec9997
 +manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t)
 +files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir })
 +
 +stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t)
 +
 +corenet_tcp_bind_zarafa_port(zarafa_server_t)
 +
 +files_read_usr_files(zarafa_server_t)
@ -52473,10 +52496,10 @@ index 882c6a2..d0ff4ec 100644
 ')
 diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
-index 354ce93..f97fbb7 100644
+index 354ce93..b8b14b9 100644
 --- a/policy/modules/system/init.fc
 +++ b/policy/modules/system/init.fc
-@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', `
+@@ -33,9 +33,24 @@ ifdef(`distro_gentoo', `
 #
 # /sbin
 #
@ -52496,7 +52519,12 @@ index 354ce93..f97fbb7 100644
 /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
 # because nowadays, /sbin/init is often a symlink to /sbin/upstart
 /sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
-@@ -55,6 +68,9 @@ ifdef(`distro_gentoo', `
+# for Fedora
 +/lib/upstart/init   --  gen_context(system_u:object_r:init_exec_t,s0)
 ifdef(`distro_gentoo', `
 /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -55,6 +70,9 @@ ifdef(`distro_gentoo', `
 /usr/sbin/apachectl	-- 	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
@ -52506,7 +52534,7 @@ index 354ce93..f97fbb7 100644
 #
 # /var
-@@ -76,3 +92,4 @@ ifdef(`distro_suse', `
+@@ -76,3 +94,4 @@ ifdef(`distro_suse', `
 /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -21,7 +21,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.9.16
-Release: 19%{?dist}
+Release: 20%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -472,6 +472,14 @@ exit 0
 %endif
 %changelog
 * Thu May 5 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-20
 - Fix label for /usr/share/munin/plugins/munin_* plugins
 - Add support for zarafa-indexer
 - Fix boolean description
 - Allow colord to getattr on /proc/scsi/scsi
 - Add label for /lib/upstart/init
 - Colord needs to list /mnt
 * Tue May 3 2011 Miroslav Grepl <mgrepl@redhat.com> 3.9.16-19
 - Forard port changes from F15 for telepathy
 - NetworkManager should be allowed to use /dev/rfkill