diff --git a/.cvsignore b/.cvsignore
index 6972be4..ef4def8 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -201,4 +201,3 @@ serefpolicy-3.7.7.tgz
serefpolicy-3.7.8.tgz
setroubleshoot-2.2.58.tar.gz
serefpolicy-3.7.9.tgz
-serefpolicy-3.7.10.tgz
diff --git a/modules-minimum.conf b/modules-minimum.conf
index b192a3c..fa24579 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -1454,7 +1454,7 @@ seunshare = module
#
shorewall = base
-# Layer: apps
+# Layer: admin
# Module: sectoolm
#
# Policy for sectool-mechanism
diff --git a/modules-targeted.conf b/modules-targeted.conf
index b192a3c..fa24579 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1454,7 +1454,7 @@ seunshare = module
#
shorewall = base
-# Layer: apps
+# Layer: admin
# Module: sectoolm
#
# Policy for sectool-mechanism
diff --git a/nsadiff b/nsadiff
index 6cc0190..8a38a9d 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.9 > /tmp/diff
+diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.10 > /tmp/diff
diff --git a/policy-F13.patch b/policy-F13.patch
index c85bb53..8c91688 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -258,7 +258,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.7.10/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/admin/logrotate.te 2010-02-22 09:09:07.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/admin/logrotate.te 2010-02-22 15:26:07.000000000 -0500
@@ -32,7 +32,7 @@
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
@@ -348,6 +348,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
slrnpull_manage_spool(logrotate_t)
')
+@@ -191,5 +220,9 @@
+ ')
+
+ optional_policy(`
++ su_exec(logrotate_t)
++')
++
++optional_policy(`
+ varnishd_manage_log(logrotate_t)
+ ')
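Review bot: The new `su_exec(logrotate_t)` block at the end of the hunk carries no comment saying which logrotate action needs to execute su, and the spec changelog entry in this commit mentions only the sshd pty change, so the grant is undocumented. Wrapping it in optional_policy is right since the su module may be absent, but letting a daemon domain exec a setuid helper is the kind of rule the next maintainer will want a rationale for. I would add `# postrotate scripts run su to switch users before restarting a service — TODO confirm the denial this fixes` above the call and tighten the wording once the triggering AVC is known. The inner logrotate.te hunk at -191/+220 continues outside this outer hunk's context.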
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.10/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2009-08-14 16:14:31.000000000 -0400
+++ serefpolicy-3.7.10/policy/modules/admin/logwatch.te 2010-02-22 09:09:07.000000000 -0500
@@ -2987,16 +2997,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.7.10/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 2010-02-22 08:30:53.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/apps/java.te 2010-02-22 10:10:13.000000000 -0500
-@@ -149,4 +149,12 @@
++++ serefpolicy-3.7.10/policy/modules/apps/java.te 2010-02-22 10:10:31.000000000 -0500
+@@ -147,6 +147,14 @@
+
+ init_dbus_chat_script(unconfined_java_t)
- unconfined_domain_noaudit(unconfined_java_t)
- unconfined_dbus_chat(unconfined_java_t)
-+
+ files_execmod_all_files(unconfined_java_t)
+
+ init_dbus_chat_script(unconfined_java_t)
+
+ unconfined_domain_noaudit(unconfined_java_t)
+ unconfined_dbus_chat(unconfined_java_t)
++
+ optional_policy(`
+ rpm_domtrans(unconfined_java_t)
+ ')
@@ -6445,7 +6457,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.10/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-22 09:09:07.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/kernel/domain.te 2010-02-22 16:34:55.000000000 -0500
@@ -5,6 +5,21 @@
#
# Declarations
@@ -6486,6 +6498,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
# Every domain gets the key ring, so we should default
# to no one allowed to look at it; afs kernel support creates
# a keyring
+@@ -87,7 +106,7 @@
+ kernel_dontaudit_link_key(domain)
+
+ # create child processes in the domain
+-allow domain self:process { fork sigchld };
++allow domain self:process { fork getsched sigchld };
+
+ # Use trusted objects in /dev
+ dev_rw_null(domain)
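Review bot: The comment `# create child processes in the domain` two lines above no longer describes the rule once `getsched` is added to `allow domain self:process { fork getsched sigchld };`, since getsched is about reading one's own scheduling policy rather than spawning. Because the rule is on the `domain` attribute, the permission lands in every confined domain at once; self-only getsched is low risk, but a base-policy widening deserves a sentence on why it belongs here rather than in the module that hit the denial. I would change the comment to `# create child processes in the domain and read own scheduling parameters` and name the triggering domain if known.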
@@ -97,6 +116,13 @@
# list the root directory
files_list_root(domain)
@@ -8140,7 +8161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.7.10/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-02-18 14:06:31.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-22 09:09:07.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/kernel/terminal.if 2010-02-22 15:15:22.000000000 -0500
@@ -241,25 +241,6 @@
########################################
@@ -15121,6 +15142,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus
+ xserver_rw_xdm_pipes(session_bus_type)
+ xserver_append_xdm_home_files(session_bus_type)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-3.7.10/policy/modules/services/dcc.te
+--- nsaserefpolicy/policy/modules/services/dcc.te 2010-01-07 14:53:53.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/dcc.te 2010-02-22 12:42:23.000000000 -0500
+@@ -81,7 +81,7 @@
+ # dcc daemon controller local policy
+ #
+
+-allow cdcc_t self:capability setuid;
++allow cdcc_t self:capability { setuid setgid };
+ allow cdcc_t self:unix_dgram_socket create_socket_perms;
+ allow cdcc_t self:udp_socket create_socket_perms;
+
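Review bot: `allow cdcc_t self:capability { setuid setgid };` adds setgid with no comment, and this whole dcc.te section is new to the patch, so nothing nearby explains what the controller does with it. If the process just drops to an unprivileged uid/gid at startup the grant is appropriate, but that should be stated so the rule is not mistaken for a leftover. I would add `# cdcc drops to its service uid/gid at startup — TODO confirm against the audit denial` above the line.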
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.fc serefpolicy-3.7.10/policy/modules/services/denyhosts.fc
--- nsaserefpolicy/policy/modules/services/denyhosts.fc 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.7.10/policy/modules/services/denyhosts.fc 2010-02-22 09:09:07.000000000 -0500
@@ -20558,7 +20591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.7.10/policy/modules/services/policykit.te
--- nsaserefpolicy/policy/modules/services/policykit.te 2009-11-17 10:54:26.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/services/policykit.te 2010-02-22 09:09:07.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/policykit.te 2010-02-22 16:23:10.000000000 -0500
@@ -36,11 +36,12 @@
# policykit local policy
#
@@ -20566,7 +20599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/poli
-allow policykit_t self:capability { setgid setuid };
-allow policykit_t self:process getattr;
-allow policykit_t self:fifo_file rw_file_perms;
-+allow policykit_t self:capability { setgid setuid sys_ptrace };
++allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };
+allow policykit_t self:process { getsched getattr signal };
+allow policykit_t self:fifo_file rw_fifo_file_perms;
+
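Review bot: The rewritten line `allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_ptrace };` grants dac_override alongside dac_read_search, and dac_override also covers writes to files policykit_t does not own, which is considerably broader than the read/search case. The usual practice is to try dac_read_search alone first and only add dac_override when a write denial is actually observed; nothing in the hunk or the changelog says which it was. I would either drop dac_override until that is confirmed or keep it with a comment such as `# dac_override: polkitd writes to files owned by the requesting user — TODO cite the denial`. The hunk shows only the capability, process and fifo_file lines; the rest of the policykit_t local policy is outside it.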
@@ -23221,7 +23254,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
## Read NFS exported content.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.7.10/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/rpc.te 2010-02-22 09:09:07.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/rpc.te 2010-02-22 15:33:53.000000000 -0500
@@ -8,7 +8,7 @@
##
@@ -23271,11 +23304,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
files_manage_mounttab(rpcd_t)
files_getattr_all_dirs(rpcd_t)
-@@ -91,14 +100,21 @@
+@@ -91,14 +100,22 @@
seutil_dontaudit_search_config(rpcd_t)
+userdom_signal_unpriv_users(rpcd_t)
++userdom_read_user_home_content_files(rpcd_t)
+
optional_policy(`
automount_signal(rpcd_t)
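Review bot: `userdom_read_user_home_content_files(rpcd_t)` gives rpcd read access to every user's home content unconditionally, with no comment on the use case. Daemon access to home directories is often gated behind a tunable in this policy so administrators who do not export home directories can keep it off; at minimum the line should say why it is needed. I would add `# rpc.mountd reads exported paths under home directories — TODO confirm; consider a tunable` above it, and check whether an existing boolean such as use_nfs_home_dirs already covers the case. The enclosing rpcd_t section continues outside this hunk.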
@@ -23293,7 +23327,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
########################################
#
# NFSD local policy
-@@ -127,6 +143,7 @@
+@@ -127,6 +144,7 @@
files_getattr_tmp_dirs(nfsd_t)
# cjp: this should really have its own type
files_manage_mounttab(nfsd_t)
@@ -23301,7 +23335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
-@@ -135,6 +152,7 @@
+@@ -135,6 +153,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -23309,7 +23343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -151,6 +169,7 @@
+@@ -151,6 +170,7 @@
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
')
@@ -23317,7 +23351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
tunable_policy(`nfs_export_all_ro',`
dev_getattr_all_blk_files(nfsd_t)
-@@ -182,6 +201,7 @@
+@@ -182,6 +202,7 @@
kernel_read_network_state(gssd_t)
kernel_read_network_state_symlinks(gssd_t)
kernel_search_network_sysctl(gssd_t)
@@ -23325,7 +23359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
corecmd_exec_bin(gssd_t)
-@@ -189,8 +209,10 @@
+@@ -189,8 +210,10 @@
fs_rw_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
@@ -23336,7 +23370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
auth_use_nsswitch(gssd_t)
auth_manage_cache(gssd_t)
-@@ -199,10 +221,14 @@
+@@ -199,10 +222,14 @@
mount_signal(gssd_t)
@@ -23705,7 +23739,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.7.10/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.10/policy/modules/services/samba.te 2010-02-22 09:09:07.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/services/samba.te 2010-02-22 17:36:14.000000000 -0500
@@ -66,6 +66,13 @@
##
gen_tunable(samba_share_nfs, false)
@@ -23748,7 +23782,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
kernel_read_network_state(smbd_t)
-@@ -316,6 +327,7 @@
+@@ -306,6 +317,8 @@
+ dev_read_urand(smbd_t)
+ dev_getattr_mtrr_dev(smbd_t)
+ dev_dontaudit_getattr_usbfs_dirs(smbd_t)
++dev_getattr_all_blk_files(smbd_t)
++dev_getattr_all_chr_files(smbd_t)
+
+ fs_getattr_all_fs(smbd_t)
+ fs_get_xattr_fs_quotas(smbd_t)
+@@ -316,6 +329,7 @@
auth_use_nsswitch(smbd_t)
auth_domtrans_chk_passwd(smbd_t)
auth_domtrans_upd_passwd(smbd_t)
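Review bot: `dev_getattr_all_blk_files(smbd_t)` and `dev_getattr_all_chr_files(smbd_t)` are added as allow rules with no comment, and getattr on every device node is the kind of access that usually comes from smbd stat()ing entries while walking a share that reaches /dev rather than from a real need for the attributes. If it is only directory-walk noise, the refpolicy pattern is the dontaudit variant of these interfaces rather than an allow; if smbd genuinely uses the attributes, say so. I would add `# smbd stats device nodes when serving shares that contain device paths — TODO confirm, else use the dontaudit variants` above the pair. The inner smbd_t hunk at -306/+317 is cut at both ends by the outer hunk.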
@@ -23756,7 +23799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -325,6 +337,8 @@
+@@ -325,6 +339,8 @@
files_read_etc_runtime_files(smbd_t)
files_read_usr_files(smbd_t)
files_search_spool(smbd_t)
@@ -23765,7 +23808,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
# Allow samba to list mnt_t for potential mounted dirs
files_list_mnt(smbd_t)
-@@ -337,10 +351,13 @@
+@@ -337,10 +353,13 @@
miscfiles_read_public_files(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -23780,7 +23823,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -352,19 +369,19 @@
+@@ -352,19 +371,19 @@
')
tunable_policy(`samba_domain_controller',`
@@ -23806,7 +23849,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
')
# Support Samba sharing of NFS mount points
-@@ -376,6 +393,15 @@
+@@ -376,6 +395,15 @@
fs_manage_nfs_named_sockets(smbd_t)
')
@@ -23822,7 +23865,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(smbd_t)
cups_stream_connect(smbd_t)
-@@ -391,6 +417,11 @@
+@@ -391,6 +419,11 @@
')
optional_policy(`
@@ -23834,7 +23877,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
rpc_search_nfs_state_data(smbd_t)
')
-@@ -405,13 +436,15 @@
+@@ -405,13 +438,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
@@ -23851,7 +23894,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
auth_read_all_files_except_shadow(nmbd_t)
')
-@@ -420,8 +453,8 @@
+@@ -420,8 +455,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
@@ -23861,7 +23904,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
-@@ -525,6 +558,7 @@
+@@ -525,6 +560,7 @@
allow smbcontrol_t winbind_t:process { signal signull };
@@ -23869,7 +23912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
samba_read_config(smbcontrol_t)
samba_rw_var_files(smbcontrol_t)
samba_search_var(smbcontrol_t)
-@@ -536,6 +570,8 @@
+@@ -536,6 +572,8 @@
miscfiles_read_localization(smbcontrol_t)
@@ -23878,7 +23921,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
########################################
#
# smbmount Local policy
-@@ -618,7 +654,7 @@
+@@ -618,7 +656,7 @@
# SWAT Local policy
#
@@ -23887,7 +23930,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t self:process { setrlimit signal_perms };
allow swat_t self:fifo_file rw_fifo_file_perms;
allow swat_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -626,23 +662,23 @@
+@@ -626,23 +664,23 @@
allow swat_t self:udp_socket create_socket_perms;
allow swat_t self:unix_stream_socket connectto;
@@ -23920,7 +23963,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t smbd_exec_t:file mmap_file_perms ;
allow swat_t smbd_t:process signull;
-@@ -657,7 +693,7 @@
+@@ -657,7 +695,7 @@
files_pid_filetrans(swat_t, swat_var_run_t, file)
allow swat_t winbind_exec_t:file mmap_file_perms;
@@ -23929,7 +23972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
allow swat_t winbind_var_run_t:dir { write add_name remove_name };
allow swat_t winbind_var_run_t:sock_file { create unlink };
-@@ -700,6 +736,8 @@
+@@ -700,6 +738,8 @@
miscfiles_read_localization(swat_t)
@@ -23938,7 +23981,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -713,12 +751,23 @@
+@@ -713,12 +753,23 @@
kerberos_use(swat_t)
')
@@ -23963,7 +24006,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process { signal_perms getsched setsched };
allow winbind_t self:fifo_file rw_fifo_file_perms;
-@@ -779,6 +828,9 @@
+@@ -779,6 +830,9 @@
corenet_tcp_bind_generic_node(winbind_t)
corenet_udp_bind_generic_node(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
@@ -23973,7 +24016,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
dev_read_sysfs(winbind_t)
dev_read_urand(winbind_t)
-@@ -788,7 +840,7 @@
+@@ -788,7 +842,7 @@
auth_domtrans_chk_passwd(winbind_t)
auth_use_nsswitch(winbind_t)
@@ -23982,7 +24025,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
domain_use_interactive_fds(winbind_t)
-@@ -866,6 +918,18 @@
+@@ -866,6 +920,18 @@
#
optional_policy(`
@@ -24001,7 +24044,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -876,9 +940,12 @@
+@@ -876,9 +942,12 @@
allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
allow smbd_t samba_unconfined_script_exec_t:file ioctl;
@@ -33748,7 +33791,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
+HOME_DIR/\.gvfs(/.*)? <>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.7.10/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2010-02-12 10:33:09.000000000 -0500
-+++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-02-22 09:09:07.000000000 -0500
++++ serefpolicy-3.7.10/policy/modules/system/userdomain.if 2010-02-22 15:33:37.000000000 -0500
@@ -30,8 +30,9 @@
')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1cae429..9eeea5e 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.7.10
-Release: 1%{?dist}
+Release: 2%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,9 @@ exit 0
%endif
%changelog
+* Mon Feb 22 2010 Dan Walsh 3.7.10-2
+- Allow sshd to setattr on pseudo terms
+
* Mon Feb 22 2010 Dan Walsh 3.7.10-1
- Update to upstream