From 7b2cfda48b1dac6bcd1d35be76d11ec736b1c754 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 26 2009 19:31:24 +0000 Subject: - Turn allow_postfix_local_write_mail_spool on by default - Allow bluetooth setpcap - Allow dbus to transiton to rpm_t when executing debuginfo-install - Allow chrome-sandbox to sends it self signals. - Fix the labeling of /usr/lib/libswscale.so.0.7.1 --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 86562cf..bf72b62 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -56,7 +56,7 @@ allow_ypbind = false # Allow zebra to write it own configuration files # -allow_zebra_write_config = false +allow_zebra_write_config = true # Enable extra rules in the cron domainto support fcron. # @@ -104,7 +104,7 @@ httpd_ssi_exec = false # Allow http daemon to communicate with the TTY # -httpd_tty_comm = false +httpd_tty_comm = true # Run CGI in the main httpd domain # @@ -130,10 +130,6 @@ openvpn_enable_homedirs = true # pppd_can_insmod = false -# Allow reading of default_t files. -# -read_default_t = false - # Allow samba to export user home directories. # samba_enable_home_dirs = false @@ -152,7 +148,7 @@ use_samba_home_dirs = false # Control users use of ping and traceroute # -user_ping = false +user_ping = true # allow host key based authentication # @@ -168,7 +164,7 @@ read_untrusted_content = false # Allow spamd to write to users homedirs # -spamd_enable_home_dirs = false +spamd_enable_home_dirs = true # Allow regular users direct mouse access # @@ -200,7 +196,7 @@ write_untrusted_content = false # Allow all domains to talk to ttys # -allow_daemons_use_tty = false +allow_daemons_use_tty = true # Allow login domains to polyinstatiate directories # @@ -233,7 +229,7 @@ browser_confine_xguest=false # Allow postfix locat to write to mail spool # -allow_postfix_local_write_mail_spool=false +allow_postfix_local_write_mail_spool=true # Allow common users to read/write noexattrfile systems # 
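Review bot: The booleans-targeted.conf hunks flip five defaults that the commit message never mentions — allow_zebra_write_config, httpd_tty_comm, user_ping, spamd_enable_home_dirs and allow_daemons_use_tty all go from false to true — and delete the read_default_t entry outright, while the message only claims the allow_postfix_local_write_mail_spool change. Each of these widens what the shipped default policy permits (allow_daemons_use_tty applies to every daemon domain, httpd_tty_comm to a network-facing service), so they should be listed in the message with a one-line justification each or split into their own change. The removal of read_default_t should be checked against any module that still declares or references that tunable; if none does, say so in the message so the conf file and the policy are known to be in step.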
diff --git a/policy-F12.patch b/policy-F12.patch index c4f79b3..4da30e8 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -1034,7 +1034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-3.6.32/policy/modules/admin/rpm.te --- nsaserefpolicy/policy/modules/admin/rpm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-10-01 17:14:31.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.te 2009-10-26 09:07:41.000000000 -0400 @@ -15,6 +15,9 @@ domain_interactive_fd(rpm_t) role system_r types rpm_t; @@ -1141,7 +1141,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) -@@ -174,44 +202,37 @@ +@@ -174,44 +202,41 @@ ') optional_policy(` @@ -1159,7 +1159,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - # yum-updatesd requires this - unconfined_dbus_chat(rpm_t) + dbus_system_domain(rpm_t, rpm_exec_t) -+ ') ') -ifdef(`TODO',` @@ -1172,7 +1171,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow rpm_t fs_type:dir { setattr rw_dir_perms }; - -allow rpm_t mount_t:tcp_socket write; -- ++ optional_policy(` ++ dbus_system_domain(rpm_t, debuginfo_exec_t) ++ ') ++') + -allow rpm_t rpc_pipefs_t:dir search; +optional_policy(` + prelink_domtrans(rpm_t) @@ -1199,7 +1202,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow rpm_script_t self:fd use; allow rpm_script_t self:fifo_file rw_fifo_file_perms; allow rpm_script_t self:unix_dgram_socket create_socket_perms; -@@ -222,12 +243,15 @@ +@@ -222,12 +247,15 @@ allow rpm_script_t self:sem create_sem_perms; allow rpm_script_t self:msgq create_msgq_perms; allow rpm_script_t self:msg { send receive }; 
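Review bot: The new `dbus_system_domain(rpm_t, debuginfo_exec_t)` block in the rpm.te hunk lets the system bus daemon execute debuginfo-install and land in rpm_t, the fully privileged package-management domain, yet the rule carries no comment and nothing in the hunk shows where debuginfo_exec_t is declared or which bus service is expected to trigger the activation. Because any system-bus activation of that executable now yields rpm_t, a comment such as `# debuginfo-install activated over the system bus runs as rpm_t (caller: <service — fill in>)` next to the rule would let a later reviewer judge whether a narrower dedicated domain is warranted instead. The block that the trailing `')` closes is opened outside this hunk, so the placement relative to the surrounding optional_policy/ifdef nesting should be checked in the full file.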
@@ -1215,7 +1218,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir }) manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t) -@@ -239,6 +263,9 @@ +@@ -239,6 +267,9 @@ kernel_read_kernel_sysctls(rpm_script_t) kernel_read_system_state(rpm_script_t) @@ -1225,7 +1228,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_list_sysfs(rpm_script_t) -@@ -255,6 +282,7 @@ +@@ -255,6 +286,7 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) @@ -1233,7 +1236,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mcs_killall(rpm_script_t) mcs_ptrace_all(rpm_script_t) -@@ -272,14 +300,19 @@ +@@ -272,14 +304,19 @@ storage_raw_read_fixed_disk(rpm_script_t) storage_raw_write_fixed_disk(rpm_script_t) @@ -1253,7 +1256,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_read_all_domains_state(rpm_script_t) domain_getattr_all_domains(rpm_script_t) -@@ -291,8 +324,10 @@ +@@ -291,8 +328,10 @@ files_exec_etc_files(rpm_script_t) files_read_etc_runtime_files(rpm_script_t) files_exec_usr_files(rpm_script_t) @@ -1264,7 +1267,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_exec_ld_so(rpm_script_t) libs_exec_lib_files(rpm_script_t) -@@ -308,12 +343,15 @@ +@@ -308,12 +347,15 @@ seutil_domtrans_loadpolicy(rpm_script_t) seutil_domtrans_setfiles(rpm_script_t) seutil_domtrans_semanage(rpm_script_t) @@ -1280,7 +1283,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -326,13 +364,22 @@ +@@ -326,13 +368,22 @@ ') optional_policy(` 
@@ -1845,7 +1848,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-10-13 17:35:54.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2009-10-26 09:18:12.000000000 -0400 @@ -0,0 +1,61 @@ +policy_module(chrome,1.0.0) + @@ -1873,7 +1876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# chrome_sandbox local policy +# +allow chrome_sandbox_t self:capability { setuid sys_admin dac_override sys_chroot chown fsetid setgid }; -+allow chrome_sandbox_t self:process { setrlimit execmem }; ++allow chrome_sandbox_t self:process { signal_perms setrlimit execmem }; +allow chrome_sandbox_t self:fifo_file manage_file_perms; +allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; +allow chrome_sandbox_t self:unix_dgram_socket { create_socket_perms sendto }; 
@@ -1922,8 +1925,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dbus_system_domain(cpufreqselector_t, cpufreqselector_exec_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.fc serefpolicy-3.6.32/policy/modules/apps/execmem.fc --- nsaserefpolicy/policy/modules/apps/execmem.fc 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-12 09:13:42.000000000 -0400 -@@ -0,0 +1,31 @@ ++++ serefpolicy-3.6.32/policy/modules/apps/execmem.fc 2009-10-26 15:10:42.000000000 -0400 +@@ -0,0 +1,35 @@ +/usr/bin/darcs -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) @@ -1935,8 +1938,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/sbin/vboxadd-service -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/sbin/VBox.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+ +ifdef(`distro_gentoo',` +/usr/lib32/openoffice/program/[^/]+\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) +') 
@@ -1947,14 +1948,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/R/bin/exec/R -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)?/ghc-[^/]+/ghc.* -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/ia32el/ia32x_loader -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib(64)/virtualbox/VirtualBox -- gen_context(system_u:object_r:execmem_exec_t,s0) + ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/real/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ +/usr/local/RealPlayer/realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) + +/usr/lib/wingide-[^/]+/bin/PyCore/python -- gen_context(system_u:object_r:execmem_exec_t,s0) ++ ++/opt/Adobe/Reader9/Reader/intellinux/bin/acroread -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/execmem.if serefpolicy-3.6.32/policy/modules/apps/execmem.if --- nsaserefpolicy/policy/modules/apps/execmem.if 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.6.32/policy/modules/apps/execmem.if 2009-10-23 09:23:30.000000000 -0400 
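Review bot: The added `/opt/real/RealPlayer/realplay\.bin` entry in execmem.fc is already matched by the `/opt/real/(.*/)?realplay\.bin` entry added two lines above it, so the second line is redundant and can be dropped. While in this block, the context line `/usr/lib(64)/virtualbox/VirtualBox` requires a literal `64`, so on a 32-bit layout `/usr/lib/virtualbox/VirtualBox` never matches and is not labelled execmem_exec_t; it should read `/usr/lib(64)?/virtualbox/VirtualBox` like the other lib entries in this file. The `ghc-.*` → `ghc.*` loosening now labels every `ghc*` binary under those directories rather than only the versioned `ghc-` ones, which looks intentional but deserves a one-line comment saying which binaries needed it.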
@@ -4099,7 +4106,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.if serefpolicy-3.6.32/policy/modules/apps/qemu.if --- nsaserefpolicy/policy/modules/apps/qemu.if 2009-08-31 13:44:40.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/qemu.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/qemu.if 2009-10-26 13:31:02.000000000 -0400 @@ -40,6 +40,10 @@ qemu_domtrans($1) @@ -4111,7 +4118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -211,3 +215,189 @@ +@@ -211,3 +215,188 @@ # xserver_xdm_rw_shm($1_t) ') ') @@ -4300,10 +4307,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) +') -+ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/qemu.te serefpolicy-3.6.32/policy/modules/apps/qemu.te --- nsaserefpolicy/policy/modules/apps/qemu.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/apps/qemu.te 2009-10-26 15:14:29.000000000 -0400 @@ -13,15 +13,46 @@ ## gen_tunable(qemu_full_network, false) 
@@ -5540,7 +5546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-07-30 13:09:10.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-21 09:33:05.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/corecommands.fc 2009-10-24 08:27:37.000000000 -0400 @@ -1,4 +1,4 @@ - +c @@ -5563,7 +5569,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /opt -@@ -142,6 +144,9 @@ +@@ -135,13 +137,15 @@ + + /opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0) + +-/opt/real/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_gentoo',` + /opt/RealPlayer/realplay(\.bin)? gen_context(system_u:object_r:bin_t,s0) + /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') @@ -5573,7 +5586,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # # /usr # -@@ -211,6 +216,8 @@ +@@ -211,6 +215,8 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) 
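Review bot: Dropping `/opt/real/RealPlayer/realplay(\.bin)?` from corecommands.fc removes the bin_t label from both the `realplay` launcher and `realplay.bin`, but the execmem.fc side of this commit only re-labels `realplay\.bin`, so the plain `realplay` wrapper is left to whatever the generic /opt default resolves to and may no longer be executable from confined domains that rely on bin_t. Either keep a `/opt/real/RealPlayer/realplay -- gen_context(system_u:object_r:bin_t,s0)` entry here or widen the execmem.fc pattern to `realplay(\.bin)?`. Note that the distro_gentoo block directly below still carries `/opt/RealPlayer/realplay(\.bin)?` as bin_t, so the two distributions now diverge in how the launcher is treated.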
@@ -5582,7 +5595,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -221,6 +228,9 @@ +@@ -221,6 +227,9 @@ /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) @@ -5592,7 +5605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -263,6 +273,7 @@ +@@ -263,6 +272,7 @@ /usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0) @@ -5600,7 +5613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0) -@@ -315,3 +326,21 @@ +@@ -315,3 +325,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -7044,7 +7057,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-10-13 10:09:53.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-10-26 14:40:22.000000000 -0400 @@ -1149,6 +1149,44 @@ domain_auto_transition_pattern($1, cifs_t, $2) ') @@ -11452,6 +11465,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_rw_fuse(automount_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.32/policy/modules/services/avahi.te +--- nsaserefpolicy/policy/modules/services/avahi.te 2009-08-14 16:14:31.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/avahi.te 2009-10-24 08:21:35.000000000 -0400 +@@ -24,7 +24,7 @@ + # Local policy + # + +-allow avahi_t self:capability { dac_override setgid chown fowner kill setuid sys_chroot }; ++allow avahi_t self:capability { dac_override setgid chown fowner kill net_admin setuid sys_chroot }; + dontaudit avahi_t self:capability sys_tty_config; + allow avahi_t self:process { setrlimit signal_perms getcap setcap }; + allow avahi_t self:fifo_file rw_fifo_file_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.32/policy/modules/services/bind.if --- nsaserefpolicy/policy/modules/services/bind.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/bind.if 2009-09-30 16:12:48.000000000 -0400 
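Review bot: The avahi.te hunk adds net_admin to avahi_t's capability set with no comment and no mention in the commit message; net_admin is one of the broadest capabilities (interface, routing and firewall configuration, privileged socket options), so for a network-facing mDNS daemon the rule should record what operation needed it, e.g. `# net_admin: <denied operation / audit record — fill in>` above the allow line. If the denial was for a single socket option, check whether an existing corenet_ interface or a dontaudit covers it before granting the whole capability.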
@@ -11549,10 +11574,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.32/policy/modules/services/bluetooth.te --- nsaserefpolicy/policy/modules/services/bluetooth.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2009-09-30 16:12:48.000000000 -0400 -@@ -56,7 +56,7 @@ ++++ serefpolicy-3.6.32/policy/modules/services/bluetooth.te 2009-10-26 09:03:29.000000000 -0400 +@@ -54,9 +54,9 @@ + # Bluetooth services local policy + # - allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; +-allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock }; ++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw setpcap sys_tty_config ipc_lock }; dontaudit bluetooth_t self:capability sys_tty_config; -allow bluetooth_t self:process { getsched signal_perms }; +allow bluetooth_t self:process { getcap setcap getsched signal_perms }; @@ -21210,7 +21238,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.32/policy/modules/services/spamassassin.te --- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/spamassassin.te 2009-10-26 09:38:33.000000000 -0400 @@ -20,6 +20,35 @@ ## gen_tunable(spamd_enable_home_dirs, true) 
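Review bot: The bluetooth.te hunk grants bluetooth_t setpcap together with getcap/setcap on its own process but leaves no comment on why a daemon that already holds net_admin and net_raw now also needs to rewrite its capability sets. Presumably this is bluetoothd adjusting or dropping capabilities at startup; if so, `# bluetoothd manipulates its own capability set at startup` above the capability line would document it and make the setpcap grant easy to audit later.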
@@ -21328,11 +21356,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(spamc_t) corenet_all_recvfrom_netlabel(spamc_t) -@@ -246,9 +307,15 @@ +@@ -246,9 +307,16 @@ files_dontaudit_search_var(spamc_t) # cjp: this may be removable: files_list_home(spamc_t) +files_list_var_lib(spamc_t) ++list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t) + +fs_search_auto_mountpoints(spamc_t) @@ -21344,7 +21373,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(spamc_t) # cjp: this should probably be removed: -@@ -256,27 +323,40 @@ +@@ -256,27 +324,40 @@ sysnet_read_config(spamc_t) @@ -21391,7 +21420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -288,7 +368,7 @@ +@@ -288,7 +369,7 @@ # setuids to the user running spamc. Comment this if you are not # using this ability. @@ -21400,7 +21429,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit spamd_t self:capability sys_tty_config; allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow spamd_t self:fd use; -@@ -304,10 +384,17 @@ +@@ -304,10 +385,17 @@ allow spamd_t self:unix_stream_socket connectto; allow spamd_t self:tcp_socket create_stream_socket_perms; allow spamd_t self:udp_socket create_socket_perms; @@ -21419,7 +21448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_spool_filetrans(spamd_t, spamd_spool_t, { file dir }) manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t) -@@ -316,10 +403,12 @@ +@@ -316,10 +404,12 @@ # var/lib files for spamd allow spamd_t spamd_var_lib_t:dir list_dir_perms; 
@@ -21433,7 +21462,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file }) kernel_read_all_sysctls(spamd_t) -@@ -369,22 +458,27 @@ +@@ -369,22 +459,27 @@ init_dontaudit_rw_utmp(spamd_t) @@ -21465,7 +21494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_manage_cifs_files(spamd_t) ') -@@ -402,23 +496,16 @@ +@@ -402,23 +497,16 @@ optional_policy(` dcc_domtrans_client(spamd_t) @@ -21490,7 +21519,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol postfix_read_config(spamd_t) ') -@@ -433,6 +520,10 @@ +@@ -433,6 +521,10 @@ optional_policy(` razor_domtrans(spamd_t) @@ -21501,7 +21530,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -445,5 +536,9 @@ +@@ -445,5 +537,9 @@ ') optional_policy(` @@ -22237,10 +22266,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.if serefpolicy-3.6.32/policy/modules/services/tuned.if --- nsaserefpolicy/policy/modules/services/tuned.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/tuned.if 2009-10-23 09:38:54.000000000 -0400 -@@ -0,0 +1,136 @@ ++++ serefpolicy-3.6.32/policy/modules/services/tuned.if 2009-10-26 11:31:09.000000000 -0400 +@@ -0,0 +1,140 @@ + -+## policy for tuned - dynamic adaptive system tuning daemon ++## Dynamic adaptive system tuning daemon ++## ++##

++## The tuned package contains a daemon that tunes system settings dynamicaly. ++## It does so by monitoring the usage of several system components periodiclly. ++## Based on that information components will then be put into lower or higher ++## power saving modes to adapt to the current usage. Currently only etherne ++## network and ATA harddisk devices are implemented. ++##

++##
+ +######################################## +## @@ -22355,16 +22393,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +interface(`tuned_admin',` + gen_require(` + type tuned_t, tuned_var_run_t; ++ type tuned_initrc_exec_t; + ') + + allow $1 tuned_t:process { ptrace signal_perms getattr }; + read_files_pattern($1, tuned_t, tuned_t) + -+ -+ gen_require(` -+ type tuned_initrc_exec_t; -+ ') -+ + tuned_initrc_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 tuned_initrc_exec_t system_r; @@ -22372,13 +22406,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + + files_search_pids($1) + admin_pattern($1, tuned_var_run_t) -+ +') + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tuned.te serefpolicy-3.6.32/policy/modules/services/tuned.te --- nsaserefpolicy/policy/modules/services/tuned.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2009-10-23 09:38:54.000000000 -0400 -@@ -0,0 +1,59 @@ ++++ serefpolicy-3.6.32/policy/modules/services/tuned.te 2009-10-26 11:31:38.000000000 -0400 +@@ -0,0 +1,58 @@ + +policy_module(tuned,1.0.0) + @@ -22411,19 +22444,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +corecmd_exec_shell(tuned_t) + -+kernel_read_system_state(tuned_t) +kernel_read_network_state(tuned_t) ++kernel_read_system_state(tuned_t) + +dev_read_sysfs(tuned_t) + +# to allow cpu tuning +dev_rw_netcontrol(tuned_t) + ++files_dontaudit_search_home(tuned_t) +files_read_etc_files(tuned_t) +files_read_usr_files(tuned_t) + -+files_dontaudit_search_home(tuned_t) -+ +userdom_dontaudit_search_user_home_dirs(tuned_t) + +miscfiles_read_localization(tuned_t) 
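Review bot: The new tuned.if module description contains three spelling errors in the added text — `dynamicaly`, `periodiclly` and `etherne` should read `dynamically`, `periodically` and `ethernet` — and since this text is rendered into the generated policy documentation it is worth fixing before it ships. The description's `<desc>` and `<p>` markup does not survive in this rendering of the diff, so confirm the tags are balanced in the actual file. Folding `type tuned_initrc_exec_t;` into the single gen_require of tuned_admin and the line reorders in tuned.te are cosmetic and look correct.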
@@ -22471,8 +22503,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.32/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.fc 2009-09-30 16:12:48.000000000 -0400 -@@ -8,5 +8,17 @@ ++++ serefpolicy-3.6.32/policy/modules/services/virt.fc 2009-10-26 13:22:08.000000000 -0400 +@@ -8,5 +8,18 @@ /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) @@ -22482,6 +22514,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) ++/var/vdsm(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) + +HOME_DIR/VirtualMachines(/.*)? gen_context(system_u:object_r:virt_image_t,s0) +HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) @@ -22492,7 +22525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-22 14:44:38.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-26 13:38:47.000000000 -0400 @@ -136,7 +136,7 @@ ') 
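Review bot: The new `/var/vdsm(/.*)?` entry in virt.fc labels a persistent directory outside /var/run with virt_var_run_t, a type that is otherwise used for `/var/run/libvirt` and is declared as a pid-file type, so anything stored there is treated by policy as runtime state. If virtd_t only needs to reach vdsm's sockets or state there, a dedicated type (or virt_var_lib_t for data that must persist) would keep the /var/run semantics intact; at minimum add `# vdsm runtime data, reached by virtd_t` above the line so the choice is visibly deliberate.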
@@ -22614,7 +22647,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_read_cifs_symlinks($1) ') ') -@@ -346,3 +419,79 @@ +@@ -346,3 +419,94 @@ virt_manage_log($1) ') @@ -22632,6 +22665,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# +template(`virt_domain_template',` + gen_require(` ++ type virtd_t; + attribute virt_image_type; + attribute virt_domain; + ') @@ -22652,6 +22686,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + files_type($1_image_t) + dev_node($1_image_t) + ++ type $1_var_run_t; ++ files_pid_file($1_var_run_t) ++ + manage_dirs_pattern($1_t, $1_image_t, $1_image_t) + manage_files_pattern($1_t, $1_image_t, $1_image_t) + read_lnk_files_pattern($1_t, $1_image_t, $1_image_t) @@ -22667,6 +22704,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t) + fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file }) + ++ stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain) ++ manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t) ++ ++ manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t) ++ files_pid_filetrans($1_t, $1_var_run_t, { dir file }) ++ stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t) ++ + optional_policy(` + xserver_rw_shm($1_t) + xserver_common_app($1_t) 
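Review bot: `stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)` in the virt_domain_template hunk lets every domain generated from the template connect to virtd_t sockets whose sock_file lives under its own $1_var_run_t, which opens the guest-side process domain towards the management daemon; this was previously a single svirt_t rule in virt.te and is now granted to every instantiation. Unless a libvirt socket is actually meant to live under $1_var_run_t for the guest domain to reach, drop that line and keep only the virtd_t → $1_var_run_t direction expressed by `stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)`. The template also now hard-requires `type virtd_t;`, which is fine inside virt.if but should be stated in the template's header comment so callers know it cannot be used without the virt module.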
@@ -22696,7 +22744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-22 13:55:08.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-26 15:19:55.000000000 -0400 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -22742,7 +22790,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type virt_log_t; logging_log_file(virt_log_t) -@@ -48,27 +75,58 @@ +@@ -48,27 +75,55 @@ type virtd_initrc_exec_t; init_script_file(virtd_initrc_exec_t) @@ -22760,9 +22808,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +type svirt_cache_t; +files_type(svirt_cache_t) + -+type svirt_var_run_t; -+files_pid_file(svirt_var_run_t) -+ ######################################## # # virtd local policy 
@@ -22770,16 +22815,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace }; -allow virtd_t self:process { getsched sigkill signal execmem }; +-allow virtd_t self:fifo_file rw_file_perms; +allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched }; + - allow virtd_t self:fifo_file rw_file_perms; ++allow virtd_t self:fifo_file rw_fifo_file_perms; allow virtd_t self:unix_stream_socket create_stream_socket_perms; allow virtd_t self:tcp_socket create_stream_socket_perms; - allow virtd_t self:tun_socket create; - -+allow virtd_t virt_domain:process { setsched transition signal signull sigkill }; +-allow virtd_t self:tun_socket create; ++allow virtd_t self:tun_socket create_socket_perms; + ++allow virtd_t virt_domain:process { setsched transition signal signull sigkill }; + read_files_pattern(virtd_t, virt_etc_t, virt_etc_t) read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t) @@ -22803,7 +22850,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -76,6 +134,7 @@ +@@ -76,6 +131,7 @@ manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) @@ -22811,7 +22858,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) -@@ -86,7 +145,8 @@ +@@ -86,7 +142,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) 
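Review bot: `allow virtd_t self:tun_socket create_socket_perms;` in the virt.te hunk replaces the upstream line that granted only `create`; create_socket_perms adds read, write, bind, connect, getopt, setopt and the other generic socket permissions, which is more than a tun handle normally needs. If a specific denial drove this, record it and grant just that permission, e.g. `allow virtd_t self:tun_socket { create <denied perm — fill in> };`. The `rw_fifo_file_perms` change on the fifo_file line above is the correct permission set for a fifo and needs no comment.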
@@ -22821,7 +22868,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -97,30 +157,55 @@ +@@ -97,30 +154,50 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -22857,16 +22904,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +# Manages /etc/sysconfig/system-config-firewall +iptables_manage_config(virtd_t) +files_manage_etc_files(virtd_t) -+ -+modutils_read_module_deps(virtd_t) -+modutils_read_module_config(virtd_t) fs_list_auto_mountpoints(virtd_t) +fs_getattr_xattr_fs(virtd_t) +fs_rw_anon_inodefs_files(virtd_t) +fs_list_inotifyfs(virtd_t) -+ -+modutils_manage_module_config(virtd_t) +storage_manage_fixed_disk(virtd_t) +storage_relabel_fixed_disk(virtd_t) @@ -22880,8 +22922,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -130,7 +215,16 @@ +@@ -128,9 +205,22 @@ + miscfiles_read_localization(virtd_t) + miscfiles_read_certs(virtd_t) ++modutils_read_module_deps(virtd_t) ++modutils_read_module_config(virtd_t) ++modutils_manage_module_config(virtd_t) ++ logging_send_syslog_msg(virtd_t) +sysnet_domtrans_ifconfig(virtd_t) @@ -22897,7 +22945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -168,22 +262,36 @@ +@@ -168,22 +258,36 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -22908,14 +22956,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` iptables_domtrans(virtd_t) + iptables_initrc_domtrans(virtd_t) -+') -+ -+optional_policy(` -+ kerberos_keytab_template(virtd, virtd_t) -+') -+ -+optional_policy(` -+ lvm_domtrans(virtd_t) ') -#optional_policy(` 
@@ -22923,14 +22963,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -# polkit_domtrans_resolve(virtd_t) -#') +optional_policy(` ++ kerberos_keytab_template(virtd, virtd_t) ++') + + optional_policy(` +- qemu_domtrans(virtd_t) ++ lvm_domtrans(virtd_t) ++') ++ ++optional_policy(` + policykit_dbus_chat(virtd_t) + policykit_domtrans_auth(virtd_t) + policykit_domtrans_resolve(virtd_t) + policykit_read_lib(virtd_t) +') - - optional_policy(` -- qemu_domtrans(virtd_t) ++ ++optional_policy(` + qemu_spec_domtrans(virtd_t, svirt_t) qemu_read_state(virtd_t) qemu_signal(virtd_t) @@ -22939,7 +22987,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +304,162 @@ +@@ -196,8 +300,150 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -22954,9 +23002,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol unconfined_domain(virtd_t) ') + -+manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -+manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) -+ +######################################## +# +# svirt local policy @@ -22965,13 +23010,6 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t) +files_var_filetrans(svirt_t, svirt_cache_t, { file dir }) + -+manage_dirs_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_sock_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+manage_lnk_files_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t) -+files_pid_filetrans(svirt_t, svirt_var_run_t, { dir file }) -+stream_connect_pattern(svirt_t, svirt_var_run_t, svirt_var_run_t, virtd_t) -+ +read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t) + +allow svirt_t svirt_image_t:dir search_dir_perms; 
@@ -22986,14 +23024,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +userdom_search_user_home_content(svirt_t) +userdom_read_all_users_state(svirt_t) + -+append_files_pattern(svirt_t, virt_log_t, virt_log_t) -+append_files_pattern(svirt_t, virt_var_lib_t, virt_var_lib_t) -+ +allow svirt_t self:udp_socket create_socket_perms; + -+corecmd_exec_bin(svirt_t) -+corecmd_exec_shell(svirt_t) -+ +corenet_udp_sendrecv_generic_if(svirt_t) +corenet_udp_sendrecv_generic_node(svirt_t) +corenet_udp_sendrecv_all_ports(svirt_t) @@ -23049,10 +23081,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; +allow virt_domain self:tcp_socket create_stream_socket_perms; + -+stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) ++append_files_pattern(virt_domain, virt_log_t, virt_log_t) ++append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) + +kernel_read_system_state(virt_domain) + ++corecmd_exec_bin(virt_domain) ++corecmd_exec_shell(virt_domain) ++ +corenet_all_recvfrom_unlabeled(virt_domain) +corenet_all_recvfrom_netlabel(virt_domain) +corenet_tcp_sendrecv_generic_if(virt_domain) @@ -26347,7 +26383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ipsec_setcontext_default_spd(setkey_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.32/policy/modules/system/iptables.fc --- nsaserefpolicy/policy/modules/system/iptables.fc 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.fc 2009-10-26 15:13:26.000000000 -0400 @@ -1,7 +1,16 @@ -/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0) + 
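Review bot: `corecmd_exec_bin(virt_domain)` and `corecmd_exec_shell(virt_domain)`, moved here from svirt_t (the removal is in the earlier hunk on this line), now apply to every type carrying the virt_domain attribute, so a guest whose qemu process is subverted can execute arbitrary system binaries and a shell in any of those domains, not just the one the rule used to cover. The attribute's members are declared outside this view, so the actual blast radius cannot be judged here; a comment naming the helper qemu has to exec would justify the breadth, e.g. `# exec_bin/exec_shell: qemu invokes <helper> via sh -- confirm; a domtrans to a helper domain would be tighter`. `append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)` likewise deserves a note on which virt_var_lib_t file a guest domain needs to append to.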
@@ -26371,7 +26407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.if serefpolicy-3.6.32/policy/modules/system/iptables.if --- nsaserefpolicy/policy/modules/system/iptables.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.if 2009-10-26 15:11:55.000000000 -0400 @@ -19,6 +19,24 @@ domtrans_pattern($1, iptables_exec_t, iptables_t) ') @@ -26482,7 +26518,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-10-20 11:08:22.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-10-26 15:12:43.000000000 -0400 @@ -11,6 +11,12 @@ init_system_domain(iptables_t, iptables_exec_t) role system_r types iptables_t; @@ -26608,7 +26644,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(iscsid_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.6.32/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-10-15 13:03:19.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.fc 2009-10-26 15:31:02.000000000 -0400 @@ -60,12 +60,15 @@ # # /opt 
@@ -26797,7 +26833,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -307,10 +295,98 @@ +@@ -307,10 +295,102 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -26858,6 +26894,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + +/usr/lib(64)?/yafaray/libDarkSky.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + ++/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/usr/lib/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ +ifdef(`fixed',` +/usr/lib(64)?/libavfilter\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libavdevice\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -26875,9 +26917,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/X11R6/lib/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libOSMesa.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libmpeg2\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libpostproc\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -+/usr/lib(64)?/libswscale\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +HOME_DIR/\.gstreamer-.*/plugins/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
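Review bot: `/usr/lib/libADM5avformat\.so.*` is the only one of the three new entries without the `(64)?` alternation its neighbours use, so on a 64-bit install a lib64 copy, if one is shipped, keeps the default lib_t label and execmod on it stays denied; `/usr/lib(64)?/libADM5avformat\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` matches the surrounding style. Every textrel_shlib_t entry exempts that library from the W^X check (execmod), so the reason belongs in a comment above the new lines, e.g. `# ffmpeg/avidemux libraries carry text relocations and need execmod -- confirm per build`. The two patterns deleted by the following hunk look like the same libpostproc/libswscale entries moved up from a later block; if that block sits inside the `ifdef(\`fixed',\`` section opened just below, the move is what actually activates them, which would be the "fix the labeling of libswscale.so.0.7.1" the changelog describes.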
@@ -27548,7 +27588,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # gentoo init scripts still manage this file diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.32/policy/modules/system/modutils.if --- nsaserefpolicy/policy/modules/system/modutils.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/modutils.if 2009-10-26 15:15:11.000000000 -0400 @@ -1,5 +1,24 @@ ## Policy for kernel module utilities diff --git a/selinux-policy.spec b/selinux-policy.spec index 371ec28..2ca9266 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 33%{?dist} +Release: 34%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -445,6 +445,13 @@ exit 0 %endif %changelog +* Fri Oct 23 2009 Dan Walsh 3.6.32-34 +- Turn allow_postfix_local_write_mail_spool on by default +- Allow bluetooth setpcap +- Allow dbus to transiton to rpm_t when executing debuginfo-install +- Allow chrome-sandbox to sends it self signals. +- Fix the labeling of /usr/lib/libswscale.so.0.7.1 + * Fri Oct 23 2009 Dan Walsh 3.6.32-33 - Allow firefox to transition to java