From 0f72363f6a00119d3e1aae197ba3697e38a9db76 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 02 2009 18:59:36 +0000 Subject: - Allow setroubleshoot-fix to signull user domains --- diff --git a/policy-F12.patch b/policy-F12.patch index 33375bc..205a406 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -306,8 +306,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.6.32/policy/modules/admin/netutils.te --- nsaserefpolicy/policy/modules/admin/netutils.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2009-09-30 16:12:48.000000000 -0400 -@@ -85,6 +85,7 @@ ++++ serefpolicy-3.6.32/policy/modules/admin/netutils.te 2009-10-30 14:18:10.000000000 -0400 +@@ -44,6 +44,7 @@ + allow netutils_t self:packet_socket create_socket_perms; + allow netutils_t self:udp_socket create_socket_perms; + allow netutils_t self:tcp_socket create_stream_socket_perms; ++allow netutils_t self:socket create_socket_perms; + + manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) + manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) +@@ -85,6 +86,7 @@ miscfiles_read_localization(netutils_t) @@ -1046,7 +1054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-10-27 11:12:12.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-11-02 09:42:29.000000000 -0500 @@ -15,6 +15,9 @@ domain_interactive_fd(rpm_t) role system_r types rpm_t; 
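Review bot: The new `allow netutils_t self:socket create_socket_perms;` line grants the generic `socket` class, which is the catch-all for every address family that has no class of its own, so it is broader than the packet/udp/tcp rules sitting right above it, and the hunk gives no hint which tool or family produced the denial. I would record the trigger above the rule, e.g. `# self:socket is the catch-all class for address families without their own object class; record which netutils tool hit this`, so the next reviewer can judge whether a family-specific class would do instead. The netutils_t local policy this sits in continues outside the hunk.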
@@ -6630,7 +6638,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/nfs/rpc_pipefs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if --- nsaserefpolicy/policy/modules/kernel/files.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-10-23 09:23:13.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-02 09:23:57.000000000 -0500 @@ -110,6 +110,11 @@ ## # @@ -9664,7 +9672,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-10-30 09:36:32.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-02 13:58:48.000000000 -0500 +@@ -38,7 +38,7 @@ + # abrt local policy + # + +-allow abrt_t self:capability { setuid setgid sys_nice dac_override }; ++allow abrt_t self:capability { chown setuid setgid sys_nice dac_override }; + allow abrt_t self:process { signal signull setsched getsched }; + + allow abrt_t self:fifo_file rw_fifo_file_perms; @@ -60,8 +60,9 @@ files_tmp_filetrans(abrt_t, abrt_tmp_t, { file dir }) 
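Review bot: `chown` is added to a capability set for abrt_t that already contains `dac_override`, which lets the daemon re-own any file it can reach regardless of who owns it, and nothing in the hunk says which abrt operation needs that. Capabilities are not path-scoped, so this is not limited to the crash-dump directories; if the need is, say, handing a dump directory to the crashing user, a comment on the allow line such as `# chown: abrt re-owns crash dump dirs -- confirm the operation from the AVC` would let the grant be revisited later. The same `chown` grant is made to consolekit_t further down in this commit, and the changelog mentions only the setroubleshoot-fix change, so both deserve a sentence there. The abrt_t local policy continues outside the hunk.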
@@ -10006,7 +10023,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.32/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-10-23 08:20:45.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.fc 2009-10-30 16:21:42.000000000 -0400 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) 
@@ -10051,15 +10068,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/cache/mod_proxy(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/mod_ssl(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) /var/cache/php-eaccelerator(/.*)? gen_context(system_u:object_r:httpd_cache_t,s0) -@@ -47,6 +55,7 @@ +@@ -46,7 +54,9 @@ + /var/cache/ssl.*\.sem -- gen_context(system_u:object_r:httpd_cache_t,s0) /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) ++/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) +/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0) /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) -@@ -50,8 +59,10 @@ +@@ -50,8 +60,10 @@ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0) @@ -10070,7 +10089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +75,33 @@ +@@ -64,11 +76,33 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) 
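Review bot: Labeling `/var/lib/cobbler/webui_sessions` as httpd_sys_content_rw_t puts a session store in the same type as web-writable content, and if httpd_sys_content_rw_t carries the httpd_rw_content attribute as its name suggests, the `manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content)` rules later in this diff would let any system CGI script read or forge cobbler web-UI session state. The PHP session directory two lines below uses httpd_var_run_t and `/var/lib/dav` uses httpd_var_lib_t; if only httpd_t itself touches these files, one of those is the narrower fit, e.g. `/var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)`. Whichever label is kept, note that the parent `/var/lib/cobbler(/.*)?` is labeled cobbler_var_lib_t in cobbler.fc in this same commit, so this more specific apache.fc entry is what decides the label for the session directory.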
@@ -10713,7 +10732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.32/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-10-29 17:36:37.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/apache.te 2009-10-30 16:16:22.000000000 -0400 @@ -19,6 +19,8 @@ # Declarations # @@ -10987,7 +11006,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + @@ -10998,8 +11018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') @@ -11104,10 +11123,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t, httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -451,6 +583,10 @@ +@@ -451,6 +583,14 @@ ') optional_policy(` ++ cobbler_search_lib(httpd_t) ++') ++ ++optional_policy(` + cvs_read_data(httpd_t) +') + @@ -11115,7 +11138,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cron_system_entry(httpd_t, httpd_exec_t) ') -@@ -459,8 +595,13 @@ +@@ -459,8 +599,13 @@ ') optional_policy(` 
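Review bot: The new side gates `samba_domtrans_winbind_helper(httpd_t)` on `allow_httpd_mod_auth_pam`, while the boolean declared two lines above it, `allow_httpd_mod_auth_ntlm_winbind`, is never referenced in the visible lines; as written, enabling PAM auth silently also enables the winbind helper transition and the winbind boolean is dead. The inner line should read ``tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` ``. This sits in the httpd_t local policy, which starts and ends outside the hunk.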
@@ -11131,7 +11154,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -468,22 +609,19 @@ +@@ -468,22 +613,19 @@ mailman_domtrans_cgi(httpd_t) # should have separate types for public and private archives mailman_search_data(httpd_t) @@ -11157,7 +11180,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -494,12 +632,23 @@ +@@ -494,12 +636,23 @@ ') optional_policy(` @@ -11181,7 +11204,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +657,7 @@ +@@ -508,6 +661,7 @@ ') optional_policy(` @@ -11189,7 +11212,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +685,23 @@ +@@ -535,6 +689,23 @@ userdom_use_user_terminals(httpd_helper_t) @@ -11213,7 +11236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +731,25 @@ +@@ -564,20 +735,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -11245,7 +11268,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +767,24 @@ +@@ -595,23 +771,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) @@ -11274,7 +11297,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +797,7 @@ +@@ -624,6 +801,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) 
@@ -11282,7 +11305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -631,22 +805,31 @@ +@@ -631,22 +809,31 @@ corenet_all_recvfrom_unlabeled(httpd_suexec_t) corenet_all_recvfrom_netlabel(httpd_suexec_t) @@ -11321,7 +11344,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +855,14 @@ +@@ -672,15 +859,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -11340,7 +11363,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +881,24 @@ +@@ -699,12 +885,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -11367,7 +11390,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +906,35 @@ +@@ -712,6 +910,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -11403,7 +11426,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +947,10 @@ +@@ -724,6 +951,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) @@ -11414,7 +11437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +962,8 @@ +@@ -735,6 +966,8 @@ # httpd_rotatelogs local policy # 
@@ -11423,7 +11446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,11 +983,88 @@ +@@ -754,11 +987,88 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -11443,7 +11466,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + userdom_search_user_home_content(httpd_t) + userdom_search_user_home_content(httpd_suexec_t) + userdom_search_user_home_content(httpd_user_script_t) - ') ++') + +tunable_policy(`httpd_read_user_content',` + userdom_read_user_home_content_files(httpd_user_script_t) @@ -11497,7 +11520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +optional_policy(` + postgresql_stream_connect(httpd_bugzilla_script_t) -+') + ') + +manage_dirs_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) +manage_files_pattern(httpd_sys_script_t,httpdcontent,httpd_rw_content) @@ -12237,14 +12260,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.6.32/policy/modules/services/cobbler.fc --- nsaserefpolicy/policy/modules/services/cobbler.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/cobbler.fc 2009-10-30 16:16:35.000000000 -0400 
@@ -0,0 +1,2 @@ + +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.6.32/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/cobbler.if 2009-09-30 16:12:48.000000000 -0400 -@@ -0,0 +1,24 @@ ++++ serefpolicy-3.6.32/policy/modules/services/cobbler.if 2009-10-30 16:15:49.000000000 -0400 +@@ -0,0 +1,44 @@ +## +## Cobbler var_lib_t +## @@ -12269,6 +12292,26 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_search_var_lib($1) +') + ++ ++######################################## ++## ++## Read cobbler lib files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`cobbler_search_lib',` ++ gen_require(` ++ type cobbler_var_lib_t; ++ ') ++ ++ allow $1 cobbler_var_lib_t:dir search_dir_perms; ++ files_search_var_lib($1) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.6.32/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/services/cobbler.te 2009-09-30 16:12:48.000000000 -0400 
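Review bot: The summary of the new `cobbler_search_lib` interface says `Read cobbler lib files.` but the body only grants `cobbler_var_lib_t:dir search_dir_perms` plus `files_search_var_lib($1)`, so the documentation promises more than callers (httpd_t in apache.te in this commit) actually receive; change the summary to `## Search cobbler lib directories.`. The summary and param XML tags appear to have been stripped in this rendering, so the header markup itself should be checked in the actual file.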
@@ -12336,7 +12379,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.32/policy/modules/services/consolekit.te --- nsaserefpolicy/policy/modules/services/consolekit.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-10-29 14:34:49.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/consolekit.te 2009-11-02 09:43:56.000000000 -0500 +@@ -21,7 +21,7 @@ + # consolekit local policy + # + +-allow consolekit_t self:capability { setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; ++allow consolekit_t self:capability { chown setuid setgid sys_tty_config dac_override sys_nice sys_ptrace }; + allow consolekit_t self:process { getsched signal }; + allow consolekit_t self:fifo_file rw_fifo_file_perms; + allow consolekit_t self:unix_stream_socket create_stream_socket_perms; @@ -59,15 +59,19 @@ term_use_all_terms(consolekit_t) @@ -15330,7 +15382,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-3.6.32/policy/modules/services/mysql.te --- nsaserefpolicy/policy/modules/services/mysql.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/mysql.te 2009-11-02 09:22:10.000000000 -0500 @@ -136,7 +136,12 @@ domtrans_pattern(mysqld_safe_t, mysqld_exec_t, mysqld_t) 
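Review bot: `chown` joins a consolekit_t capability set that already holds `dac_override` and `sys_ptrace`, and the hunk carries no explanation of which file consolekit needs to re-own; capabilities are not path-scoped, so this applies to anything the domain can reach. Add the trigger as a comment on the allow line, e.g. `# chown: record the file/operation from the AVC that needed this`, and mention it in the changelog, which at present lists only the setroubleshoot-fix change. The consolekit_t local policy continues outside the hunk.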
@@ -15339,7 +15391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow mysqld_safe_t mysqld_log_t:file manage_file_perms; + -+domain_getattr_all_domains(mysqld_safe_t) ++domain_read_all_domains_state(mysqld_safe_t) + logging_log_filetrans(mysqld_safe_t, mysqld_log_t, file) @@ -20960,7 +21012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te --- nsaserefpolicy/policy/modules/services/setroubleshoot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-10-27 17:49:35.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/setroubleshoot.te 2009-11-02 08:56:55.000000000 -0500 @@ -22,13 +22,19 @@ type setroubleshoot_var_run_t; files_pid_file(setroubleshoot_var_run_t) @@ -21002,7 +21054,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_getattr_all_chr_files(setroubleshootd_t) domain_dontaudit_search_all_domains_state(setroubleshootd_t) -+ domain_signull_all_domains(setroubleshootd_t) ++domain_signull_all_domains(setroubleshootd_t) files_read_usr_files(setroubleshootd_t) files_read_etc_files(setroubleshootd_t) @@ -21022,7 +21074,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_get_enforce_mode(setroubleshootd_t) selinux_validate_context(setroubleshootd_t) -@@ -94,23 +113,75 @@ +@@ -94,23 +113,76 @@ locallogin_dontaudit_use_fds(setroubleshootd_t) @@ -21049,7 +21101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -+ rpm_signull(setroubleshootd_t) ++ rpm_signull(setroubleshootd_t) rpm_read_db(setroubleshootd_t) rpm_dontaudit_manage_db(setroubleshootd_t) rpm_use_script_fds(setroubleshootd_t) 
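Review bot: Replacing `domain_getattr_all_domains(mysqld_safe_t)` with `domain_read_all_domains_state(mysqld_safe_t)` moves mysqld_safe_t from stat()-ing the /proc entries of other domains to reading their process state (in refpolicy that interface covers the per-pid /proc files, including ones like environ -- verify against domain.if), and mysqld_safe is a shell wrapper, so this is a noticeable widening for a domain that mostly babysits one child. If the script only needs to know whether its mysqld child is still alive, keeping the getattr rule and adding a signull rule toward mysqld_t would cover it; if it genuinely reads a /proc/<pid> file of another domain, a comment naming that file would justify the broader interface, e.g. `# mysqld_safe reads /proc/<pid>/... of the running server -- confirm which file`. The mysqld_safe_t policy continues outside the hunk.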
@@ -21089,6 +21141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(setroubleshoot_fixit_t) + +userdom_dontaudit_search_admin_dir(setroubleshoot_fixit_t) ++userdom_signull_unpriv_users(setroubleshoot_fixit_t) + +optional_policy(` + rpm_signull(setroubleshoot_fixit_t) @@ -24249,7 +24302,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.32/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2009-08-28 14:58:20.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-10-29 11:16:45.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/xserver.te 2009-11-02 09:24:58.000000000 -0500 @@ -34,6 +34,13 @@ ## @@ -24388,7 +24441,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmpfs_file(xserver_tmpfs_t) ubac_constrained(xserver_tmpfs_t) -@@ -250,19 +269,21 @@ +@@ -250,23 +269,26 @@ # Xauth local policy # @@ -24413,7 +24466,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_use_interactive_fds(xauth_t) files_read_etc_files(xauth_t) -@@ -279,6 +300,12 @@ + files_search_pids(xauth_t) ++files_dontaudit_getattr_all_dirs(xauth_t) + + fs_getattr_xattr_fs(xauth_t) + fs_search_auto_mountpoints(xauth_t) +@@ -279,6 +301,12 @@ userdom_use_user_terminals(xauth_t) userdom_read_user_tmp_files(xauth_t) @@ -24426,7 +24484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_xdm_tmp_files(xauth_t) tunable_policy(`use_nfs_home_dirs',` -@@ -300,20 +327,31 @@ +@@ -300,20 +328,31 @@ # XDM Local policy # 
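Review bot: `userdom_signull_unpriv_users(setroubleshoot_fixit_t)` lets the fix helper probe for the existence of any unprivileged user's process (signull is the kill -0 style check), but neither the hunk nor the one-line changelog says which fix needs to probe user processes. A comment on the new line would let the next reviewer judge whether a narrower target is possible, e.g. `# fixit probes user processes with signull -- record which fix needs this`. setroubleshootd_t gets the wider `domain_signull_all_domains` in the same file, so keeping the helper at unprivileged user domains is the right least-privilege split and the comment should say that it is deliberate. The setroubleshoot_fixit_t local policy starts outside the hunk.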
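Review bot: `files_dontaudit_getattr_all_dirs(xauth_t)` silences every getattr denial on every directory type rather than granting or narrowing anything, which will also hide genuine labeling problems from audit2allow later; a dontaudit this broad should carry its reason, e.g. `# dontaudit: xauth getattr()s directories it never opens; noise only -- record the path from the AVC`. If the denial comes from a single location, a type-specific dontaudit would hide less. The xauth_t local policy continues outside the hunk.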
@@ -24461,7 +24519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow gdm to run gdm-binary can_exec(xdm_t, xdm_exec_t) -@@ -325,26 +363,43 @@ +@@ -325,26 +364,43 @@ # this is ugly, daemons should not create files under /etc! manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t) @@ -24512,7 +24570,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xdm_t xserver_t:process signal; allow xdm_t xserver_t:unix_stream_socket connectto; -@@ -358,6 +413,7 @@ +@@ -358,6 +414,7 @@ allow xdm_t xserver_t:process { noatsecure siginh rlimitinh signal sigkill }; allow xdm_t xserver_t:shm rw_shm_perms; @@ -24520,7 +24578,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t, xserver_t) -@@ -366,10 +422,14 @@ +@@ -366,10 +423,14 @@ delete_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) delete_sock_files_pattern(xdm_t, xserver_tmp_t, xserver_tmp_t) @@ -24536,7 +24594,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) -@@ -389,11 +449,13 @@ +@@ -389,11 +450,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_generic_node(xdm_t) corenet_udp_bind_generic_node(xdm_t) @@ -24550,7 +24608,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(xdm_t) dev_read_sysfs(xdm_t) dev_getattr_framebuffer_dev(xdm_t) -@@ -401,6 +463,7 @@ +@@ -401,6 +464,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) 
@@ -24558,7 +24616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -413,14 +476,17 @@ +@@ -413,14 +477,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -24578,7 +24636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -431,9 +497,13 @@ +@@ -431,9 +498,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -24592,7 +24650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -442,6 +512,7 @@ +@@ -442,6 +513,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -24600,7 +24658,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -450,6 +521,7 @@ +@@ -450,6 +522,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) @@ -24608,7 +24666,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -460,10 +532,11 @@ +@@ -460,10 +533,11 @@ logging_read_generic_logs(xdm_t) @@ -24622,7 +24680,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(xdm_t) userdom_create_all_users_keys(xdm_t) -@@ -472,6 +545,9 @@ +@@ -472,6 +546,9 @@ # Search /proc for any user domain processes. userdom_read_all_users_state(xdm_t) userdom_signal_all_users(xdm_t) 
@@ -24632,7 +24690,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session(xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -504,10 +580,12 @@ +@@ -504,10 +581,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -24645,7 +24703,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -515,12 +593,46 @@ +@@ -515,12 +594,46 @@ ') optional_policy(` @@ -24692,7 +24750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol hostname_exec(xdm_t) ') -@@ -542,6 +654,38 @@ +@@ -542,6 +655,38 @@ ') optional_policy(` @@ -24731,7 +24789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_sigchld_newrole(xdm_t) ') -@@ -550,8 +694,9 @@ +@@ -550,8 +695,9 @@ ') optional_policy(` @@ -24743,7 +24801,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -560,7 +705,6 @@ +@@ -560,7 +706,6 @@ ifdef(`distro_rhel4',` allow xdm_t self:process { execheap execmem }; ') @@ -24751,7 +24809,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` userhelper_dontaudit_search_config(xdm_t) -@@ -571,6 +715,10 @@ +@@ -571,6 +716,10 @@ ') optional_policy(` @@ -24762,7 +24820,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -587,10 +735,9 @@ +@@ -587,10 +736,9 @@ # execheap needed until the X module loader is fixed. # NVIDIA Needs execstack 
@@ -24774,7 +24832,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t self:fd use; allow xserver_t self:fifo_file rw_fifo_file_perms; allow xserver_t self:sock_file read_sock_file_perms; -@@ -602,9 +749,12 @@ +@@ -602,9 +750,12 @@ allow xserver_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow xserver_t self:tcp_socket create_stream_socket_perms; allow xserver_t self:udp_socket create_socket_perms; @@ -24787,7 +24845,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow xserver_t { input_xevent_t input_xevent_type }:x_event send; -@@ -616,13 +766,14 @@ +@@ -616,13 +767,14 @@ type_transition xserver_t xserver_t:{ x_drawable x_colormap } rootwindow_t; allow xserver_t { rootwindow_t x_domain }:x_drawable send; @@ -24803,7 +24861,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) manage_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t) -@@ -635,9 +786,19 @@ +@@ -635,9 +787,19 @@ manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) files_search_var_lib(xserver_t) @@ -24823,7 +24881,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) -@@ -671,7 +832,6 @@ +@@ -671,7 +833,6 @@ dev_rw_agp(xserver_t) dev_rw_framebuffer(xserver_t) dev_manage_dri_dev(xserver_t) @@ -24831,7 +24889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_create_generic_dirs(xserver_t) dev_setattr_generic_dirs(xserver_t) # raw memory access is needed if not using the frame buffer -@@ -681,9 +841,12 @@ +@@ -681,9 +842,12 @@ dev_rw_xserver_misc(xserver_t) # read events - the synaptics touchpad driver reads raw events dev_rw_input_dev(xserver_t) 
@@ -24845,7 +24903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xserver_t) files_read_etc_runtime_files(xserver_t) -@@ -698,8 +861,12 @@ +@@ -698,8 +862,12 @@ fs_search_nfs(xserver_t) fs_search_auto_mountpoints(xserver_t) fs_search_ramfs(xserver_t) @@ -24858,7 +24916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol selinux_validate_context(xserver_t) selinux_compute_access_vector(xserver_t) -@@ -721,6 +888,7 @@ +@@ -721,6 +889,7 @@ miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) @@ -24866,7 +24924,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol modutils_domtrans_insmod(xserver_t) -@@ -743,7 +911,7 @@ +@@ -743,7 +912,7 @@ ') ifdef(`enable_mls',` @@ -24875,7 +24933,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol range_transition xserver_t xserver_t:x_drawable s0 - mls_systemhigh; ') -@@ -775,12 +943,20 @@ +@@ -775,12 +944,20 @@ ') optional_policy(` @@ -24897,7 +24955,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domtrans(xserver_t) ') -@@ -807,12 +983,12 @@ +@@ -807,12 +984,12 @@ allow xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xserver_t xdm_var_lib_t:dir search; @@ -24914,7 +24972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Run xkbcomp. allow xserver_t xkb_var_lib_t:lnk_file read; -@@ -828,9 +1004,14 @@ +@@ -828,9 +1005,14 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -24929,7 +24987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) fs_manage_nfs_files(xserver_t) -@@ -845,11 +1026,14 @@ +@@ -845,11 +1027,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) 
@@ -24945,7 +25003,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -882,6 +1066,8 @@ +@@ -882,6 +1067,8 @@ # X Server # can read server-owned resources allow x_domain xserver_t:x_resource read; @@ -24954,7 +25012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # can mess with own clients allow x_domain self:x_client { manage destroy }; -@@ -906,6 +1092,8 @@ +@@ -906,6 +1093,8 @@ # operations allowed on my windows allow x_domain self:x_drawable { create destroy getattr setattr read write show hide list_child add_child remove_child manage send receive }; @@ -24963,7 +25021,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # X Colormaps # can use the default colormap allow x_domain rootwindow_t:x_colormap { read use add_color }; -@@ -973,17 +1161,49 @@ +@@ -973,17 +1162,49 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; 
@@ -25528,16 +25586,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # /var diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.32/policy/modules/system/init.if --- nsaserefpolicy/policy/modules/system/init.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-10-19 14:27:28.000000000 -0400 -@@ -174,6 +174,7 @@ ++++ serefpolicy-3.6.32/policy/modules/system/init.if 2009-11-02 13:55:55.000000000 -0500 +@@ -162,6 +162,7 @@ + gen_require(` + attribute direct_run_init, direct_init, direct_init_entry; + type initrc_t; ++ type init_t; + role system_r; + attribute daemon; + ') +@@ -174,6 +175,11 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) + allow initrc_t $1:process siginh; ++ ++ # Handle upstart direct transition to a executable ++ domtrans_pattern(init_t,$2,$1) ++ allow init_t $1:process siginh; # daemons started from init will # inherit fds from init for the console -@@ -272,6 +273,7 @@ +@@ -272,6 +278,7 @@ role system_r types $1; domtrans_pattern(initrc_t,$2,$1) @@ -25545,7 +25615,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` # RHEL4 systems seem to have a stray -@@ -280,6 +282,36 @@ +@@ -280,6 +287,36 @@ kernel_dontaudit_use_fds($1) ') ') @@ -25582,7 +25652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -546,7 +578,7 @@ +@@ -546,7 +583,7 @@ # upstart uses a datagram socket instead of initctl pipe allow $1 self:unix_dgram_socket create_socket_perms; @@ -25591,7 +25661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -619,18 +651,19 @@ +@@ -619,18 +656,19 @@ # interface(`init_spec_domtrans_script',` gen_require(` 
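Review bot: The added `domtrans_pattern(init_t,$2,$1)` and `allow init_t $1:process siginh;` lines live in an interface every daemon module calls (from its gen_require this looks like init_daemon_domain), so this one change lets init_t transition directly into every daemon domain and lets each of those daemons keep init's signal state across the transition; the comment `# Handle upstart direct transition to a executable` (typo: `an executable`) should say that explicitly, because the interface's documentation header is outside the hunk and would otherwise still describe only the initrc_t path. The `siginh` grant is the part that deserves a sentence of its own: the transition normally drops pending signals and handlers precisely because siginh is not allowed, and allowing it for every daemon is broader than the upstart case alone needs if only some jobs are launched this way. The enclosing interface starts before the hunk.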
@@ -25615,7 +25685,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -646,23 +679,43 @@ +@@ -646,19 +684,39 @@ # interface(`init_domtrans_script',` gen_require(` @@ -25636,11 +25706,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`enable_mls',` - range_transition $1 initrc_exec_t:process s0 - mls_systemhigh; + range_transition $1 init_script_file_type:process s0 - mls_systemhigh; - ') - ') - - ######################################## - ## ++ ') ++') ++ ++######################################## ++## +## Execute a file in a bin directory +## in the initrc_t domain +## @@ -25653,17 +25723,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`init_bin_domtrans_spec',` + gen_require(` + type initrc_t; -+ ') + ') + + corecmd_bin_domtrans($1, initrc_t) -+') -+ -+######################################## -+## - ## Execute a init script in a specified domain. - ## - ## -@@ -904,6 +957,24 @@ + ') + + ######################################## +@@ -904,6 +962,24 @@ allow $1 init_script_file_type:file read_file_perms; ') @@ -25688,7 +25754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Execute all init scripts in the caller domain. -@@ -1123,7 +1194,7 @@ +@@ -1123,7 +1199,7 @@ type initrc_t; ') @@ -25697,7 +25763,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1291,6 +1362,25 @@ +@@ -1291,6 +1367,25 @@ ######################################## ## @@ -25723,7 +25789,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create files in a init script ## temporary data directory. ## -@@ -1521,3 +1611,51 @@ +@@ -1521,3 +1616,51 @@ ') corenet_udp_recvfrom_labeled($1, daemon) ') 
@@ -26855,7 +26921,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-10-26 15:31:02.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-11-02 10:06:15.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -26905,7 +26971,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?java/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) -@@ -115,27 +120,30 @@ +@@ -115,27 +120,32 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26933,6 +26999,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/nvidia-graphics(-[^/]*/)?libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
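Review bot: The new `libMP3\.so` entry in the `@@ -26933,6 +26999,8 @@` hunk labels a vendor plug-in textrel_shlib_t, the label under which execmod on a mapped library is allowed for every domain that loads it, yet unlike the other vendor blocks in this file it carries no attribution comment (`# Jai, Sun Microsystems (Jpackage SPRM)` is visible in a later hunk), so a later cleanup cannot tell whether text relocations were verified or the label was a guess; a one-line `# Nero plug-ins` above the entry would do. The same applies to the `libADM_coreImage\.so` entry added in the `@@ -27110,6 +27178,7 @@` hunk further down, which sits next to `libADM5avformat` with no comment either.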
@@ -26944,7 +27012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(local/)?.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:lib_t,s0) /usr/(local/)?lib(64)?/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -143,11 +151,8 @@ +@@ -143,11 +153,8 @@ /usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26956,7 +27024,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,12 +173,12 @@ +@@ -168,12 +175,12 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php @@ -26971,7 +27039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/mozilla/plugins/libvlcplugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/nx/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -185,15 +190,10 @@ +@@ -185,15 +192,10 @@ /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -26988,7 +27056,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libHermes\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/hp2ps -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/valgrind/stage2 -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -228,31 +228,17 @@ +@@ -228,31 +230,17 @@ /usr/lib(64)?/ladspa/sc3_1427\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/sc4_1882\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/ladspa/se4_1883\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27024,7 +27092,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Jai, Sun Microsystems (Jpackage SPRM) /usr/lib(64)?/libmlib_jai\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -268,8 +254,8 @@ +@@ -268,8 +256,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27035,7 +27103,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -295,6 +281,8 @@ +@@ -295,6 +283,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -27044,7 +27112,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +295,102 @@ +@@ -307,10 +297,103 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) 
@@ -27110,6 +27178,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib/libADM_coreImage\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30471,7 +30540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-29 11:16:09.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-11-02 08:56:44.000000000 -0500 @@ -30,8 +30,9 @@ ') diff --git a/selinux-policy.spec b/selinux-policy.spec index d6c2ede..26675e0 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 38%{?dist} +Release: 39%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,9 @@ exit 0 %endif %changelog +* Mon Nov 2 2009 Dan Walsh 3.6.32-39 +- Allow setroubleshoot-fix to signull user domains + * Fri Oct 30 2009 Dan Walsh 3.6.32-38 - Allow abrt to create link files in /var/cache/abrt