diff --git a/.cvsignore b/.cvsignore index f1ecbfe..24a668d 100644 --- a/.cvsignore +++ b/.cvsignore @@ -196,3 +196,4 @@ serefpolicy-3.7.2.tgz serefpolicy-3.7.3.tgz serefpolicy-3.7.4.tgz serefpolicy-3.7.5.tgz +serefpolicy-3.7.6.tgz diff --git a/policy-F13.patch b/policy-F13.patch index a28d95b..ffd7c0f 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -437,7 +437,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.7.6/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2009-11-17 10:54:26.000000000 -0500 -+++ serefpolicy-3.7.6/policy/modules/admin/prelink.te 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/admin/prelink.te 2010-01-08 12:08:33.000000000 -0500 @@ -21,8 +21,21 @@ type prelink_tmp_t; files_tmp_file(prelink_tmp_t) @@ -501,7 +501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink optional_policy(` amanda_manage_lib(prelink_t) -@@ -99,5 +117,57 @@ +@@ -99,5 +117,58 @@ ') optional_policy(` @@ -524,6 +524,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink +allow prelink_cron_system_t self:unix_dgram_socket { write bind create setopt }; + +domtrans_pattern(prelink_cron_system_t, prelink_exec_t, prelink_t) ++allow prelink_cron_system_t prelink_t:process noatsecure; + +read_files_pattern(prelink_cron_system_t, prelink_cache_t, prelink_cache_t) +allow prelink_cron_system_t prelink_cache_t:file unlink; @@ -5985,7 +5986,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corene #network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.7.6/policy/modules/kernel/devices.fc --- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-11-20 10:51:41.000000000 -0500 -+++ serefpolicy-3.7.6/policy/modules/kernel/devices.fc 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/kernel/devices.fc 2010-01-08 15:36:31.000000000 -0500 @@ -16,13 +16,16 @@ /dev/audio.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/autofs.* -c gen_context(system_u:object_r:autofs_device_t,s0) @@ -6011,9 +6012,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device /dev/usb.+ -c gen_context(system_u:object_r:usb_device_t,s0) /dev/usblp.* -c gen_context(system_u:object_r:printer_device_t,s0) ifdef(`distro_suse', ` +@@ -159,6 +163,8 @@ + /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) + /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) + ++/dev/uio[0-9]+ -c gen_context(system_u:object_r:userio_device_t,s0) ++ + /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) + /dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.7.6/policy/modules/kernel/devices.if --- nsaserefpolicy/policy/modules/kernel/devices.if 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.6/policy/modules/kernel/devices.if 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/kernel/devices.if 2010-01-08 15:36:31.000000000 -0500 @@ -801,6 +801,24 @@ ######################################## @@ -6114,10 +6124,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device ## Mount a usbfs filesystem. ## ## +@@ -3703,6 +3775,24 @@ + getattr_chr_files_pattern($1, device_t, v4l_device_t) + ') + ++###################################### ++## ++## Read or write userio device. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`dev_rw_userio_dev',` ++ gen_require(` ++ type device_t, userio_device_t; ++ ') ++ ++ rw_chr_files_pattern($1, device_t, userio_device_t) ++') ++ + ######################################## + ## + ## Do not audit attempts to get the attributes diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-3.7.6/policy/modules/kernel/devices.te --- nsaserefpolicy/policy/modules/kernel/devices.te 2009-12-18 11:38:25.000000000 -0500 -+++ serefpolicy-3.7.6/policy/modules/kernel/devices.te 2010-01-07 15:28:30.000000000 -0500 -@@ -227,6 +227,12 @@ ++++ serefpolicy-3.7.6/policy/modules/kernel/devices.te 2010-01-08 15:36:31.000000000 -0500 +@@ -227,11 +227,23 @@ genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0) # @@ -6130,6 +6165,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/device # usb_device_t is the type for /dev/bus/usb/[0-9]+/[0-9]+ # type usb_device_t; + dev_node(usb_device_t) + ++# ++# userio_device_t is the type for /dev/uio[0-9]+ ++# ++type userio_device_t; ++dev_node(userio_device_t) ++ + type v4l_device_t; + dev_node(v4l_device_t) + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.7.6/policy/modules/kernel/domain.if --- nsaserefpolicy/policy/modules/kernel/domain.if 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.7.6/policy/modules/kernel/domain.if 2010-01-07 15:28:30.000000000 -0500 @@ -10009,7 +10055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt ## All of the rules required to administrate diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.6/policy/modules/services/abrt.te --- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 09:09:20.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/services/abrt.te 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/services/abrt.te 2010-01-08 08:37:25.000000000 -0500 @@ -33,12 +33,24 @@ type abrt_var_run_t; files_pid_file(abrt_var_run_t) @@ -10057,7 +10103,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir }) kernel_read_ring_buffer(abrt_t) -@@ -75,18 +90,36 @@ +@@ -75,18 +90,37 @@ corecmd_exec_bin(abrt_t) corecmd_exec_shell(abrt_t) @@ -10067,6 +10113,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt +corenet_tcp_connect_ftp_port(abrt_t) +corenet_tcp_connect_all_ports(abrt_t) ++dev_getattr_all_chr_files(abrt_t) dev_read_urand(abrt_t) +dev_rw_sysfs(abrt_t) +dev_dontaudit_read_memory_dev(abrt_t) @@ -10094,7 +10141,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt sysnet_read_config(abrt_t) -@@ -96,22 +129,93 @@ +@@ -96,22 +130,93 @@ miscfiles_read_certs(abrt_t) miscfiles_read_localization(abrt_t) @@ -14695,7 +14742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.7.6/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/services/cups.te 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/services/cups.te 2010-01-08 11:58:33.000000000 -0500 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -14870,7 +14917,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups ######################################## # # Cups lpd support -@@ -542,6 +576,8 @@ +@@ -520,6 +554,7 @@ + logging_send_syslog_msg(cupsd_lpd_t) + + miscfiles_read_localization(cupsd_lpd_t) ++miscfiles_setattr_fonts_cache_dirs(cupsd_lpd_t) + + cups_stream_connect(cupsd_lpd_t) + +@@ -542,6 +577,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -14879,7 +14934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +592,15 @@ +@@ -556,11 +593,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -14895,7 +14950,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +641,9 @@ +@@ -601,6 +642,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) @@ -14905,7 +14960,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups manage_fifo_files_pattern(hplip_t, hplip_tmp_t, hplip_tmp_t) files_tmp_filetrans(hplip_t, hplip_tmp_t, fifo_file ) -@@ -627,6 +670,7 @@ +@@ -627,6 +671,7 @@ corenet_tcp_connect_ipp_port(hplip_t) corenet_sendrecv_hplip_client_packets(hplip_t) corenet_receive_hplip_server_packets(hplip_t) @@ -15365,7 +15420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.7.6/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2009-07-29 15:15:33.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/services/devicekit.te 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/services/devicekit.te 2010-01-08 09:11:11.000000000 -0500 @@ -42,6 +42,8 @@ files_read_etc_files(devicekit_t) @@ -15380,7 +15435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi # -allow devicekit_disk_t self:capability { chown dac_override fowner fsetid sys_nice sys_ptrace sys_rawio }; -+allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_nice sys_ptrace sys_rawio }; ++allow devicekit_disk_t self:capability { chown setuid setgid dac_override fowner fsetid net_admin sys_admin sys_nice sys_ptrace sys_rawio }; +allow devicekit_disk_t self:process signal_perms; allow devicekit_disk_t self:fifo_file rw_fifo_file_perms; +allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -15832,7 +15887,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.7.6/policy/modules/services/fail2ban.if --- nsaserefpolicy/policy/modules/services/fail2ban.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/services/fail2ban.if 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/services/fail2ban.if 2010-01-08 09:57:24.000000000 -0500 @@ -98,6 +98,46 @@ allow $1 fail2ban_var_run_t:file read_file_perms; ') @@ -15880,6 +15935,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail ######################################## ## ## All of the rules required to administrate +@@ -135,3 +175,21 @@ + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) + ') ++ ++######################################## ++## ++## Read and write to an fail2ban unix stream socket. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fail2ban_rw_stream_sockets',` ++ gen_require(` ++ type fail2ban_t; ++ ') ++ ++ allow $1 fail2ban_t:unix_stream_socket { getattr read write ioctl }; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-3.7.6/policy/modules/services/fetchmail.te --- nsaserefpolicy/policy/modules/services/fetchmail.te 2010-01-07 14:53:53.000000000 -0500 +++ serefpolicy-3.7.6/policy/modules/services/fetchmail.te 2010-01-07 15:28:30.000000000 -0500 @@ -23415,7 +23492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.7.6/policy/modules/services/sendmail.if --- nsaserefpolicy/policy/modules/services/sendmail.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/services/sendmail.if 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/services/sendmail.if 2010-01-08 09:57:13.000000000 -0500 @@ -59,20 +59,20 @@ ######################################## @@ -23590,7 +23667,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.7.6/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/services/sendmail.te 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/services/sendmail.te 2010-01-08 09:55:32.000000000 -0500 @@ -20,13 +20,17 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -23650,7 +23727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send auth_use_nsswitch(sendmail_t) -@@ -89,23 +100,46 @@ +@@ -89,23 +100,47 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) @@ -23692,6 +23769,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send + +optional_policy(` + fail2ban_read_lib_files(sendmail_t) ++ fail2ban_rw_stream_sockets(sendmail_t) +') + +optional_policy(` @@ -23699,7 +23777,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -113,13 +147,20 @@ +@@ -113,13 +148,20 @@ ') optional_policy(` @@ -23721,7 +23799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -127,24 +168,29 @@ +@@ -127,24 +169,29 @@ ') optional_policy(` @@ -29582,11 +29660,48 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl udev_read_db(iptables_t) ') + +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.7.6/policy/modules/system/iscsi.fc +--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.7.6/policy/modules/system/iscsi.fc 2010-01-08 15:36:31.000000000 -0500 +@@ -1,4 +1,6 @@ +-/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++ ++/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0) ++/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0) + + /var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0) + /var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.7.6/policy/modules/system/iscsi.te --- nsaserefpolicy/policy/modules/system/iscsi.te 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.6/policy/modules/system/iscsi.te 2010-01-07 15:28:30.000000000 -0500 -@@ -69,11 +69,18 @@ ++++ serefpolicy-3.7.6/policy/modules/system/iscsi.te 2010-01-08 15:37:25.000000000 -0500 +@@ -35,10 +35,13 @@ + allow iscsid_t self:unix_dgram_socket create_socket_perms; + allow iscsid_t self:sem create_sem_perms; + allow iscsid_t self:shm create_shm_perms; +-allow iscsid_t self:netlink_socket create_socket_perms; ++allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; + allow iscsid_t self:netlink_route_socket rw_netlink_socket_perms; ++allow iscsid_t self:netlink_socket create_socket_perms; + allow iscsid_t self:tcp_socket create_stream_socket_perms; + ++can_exec(iscsid_t, iscsid_exec_t) ++ + manage_files_pattern(iscsid_t, iscsi_lock_t, iscsi_lock_t) + files_lock_filetrans(iscsid_t, iscsi_lock_t, file) + +@@ -54,6 +57,7 @@ + manage_files_pattern(iscsid_t, iscsi_var_run_t, iscsi_var_run_t) + files_pid_filetrans(iscsid_t, iscsi_var_run_t, file) + ++kernel_read_network_state(iscsid_t) + kernel_read_system_state(iscsid_t) + kernel_search_debugfs(iscsid_t) + +@@ -67,13 +71,21 @@ + corenet_tcp_connect_isns_port(iscsid_t) + dev_rw_sysfs(iscsid_t) ++dev_rw_userio_dev(iscsid_t) domain_use_interactive_fds(iscsid_t) +domain_dontaudit_read_all_domains_state(iscsid_t) @@ -29606,7 +29721,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.6/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/system/libraries.fc 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/system/libraries.fc 2010-01-08 09:16:04.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt @@ -29823,7 +29938,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -307,10 +317,131 @@ +@@ -307,10 +317,132 @@ /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? -- gen_context(system_u:object_r:lib_t,s0) @@ -29936,6 +30051,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar + +/usr/lib(64)?/nmm/liba52\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/lampp/lib/libct\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/lampp/lib/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/opt/VirtualBox(/.*)?/VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +/usr/lib(64)?/chromium-browser/.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -30385,7 +30501,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.6/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2009-11-25 11:47:19.000000000 -0500 -+++ serefpolicy-3.7.6/policy/modules/system/miscfiles.if 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/system/miscfiles.if 2010-01-08 11:59:54.000000000 -0500 @@ -73,7 +73,8 @@ # interface(`miscfiles_read_fonts',` @@ -30407,7 +30523,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi ') ######################################## -@@ -167,6 +172,32 @@ +@@ -167,6 +172,51 @@ manage_dirs_pattern($1, fonts_t, fonts_t) manage_files_pattern($1, fonts_t, fonts_t) manage_lnk_files_pattern($1, fonts_t, fonts_t) @@ -30416,6 +30532,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi + +######################################## +## ++## Set the attributes on a fonts cache directory. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`miscfiles_setattr_fonts_cache_dirs',` ++ gen_require(` ++ type fonts_cache_t; ++ ') ++ ++ allow $1 fonts_cache_t:dir setattr; ++') ++ ++######################################## ++## +## Create, read, write, and delete fonts cache. +## +## @@ -30427,7 +30562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi +# +interface(`miscfiles_manage_fonts_cache',` + gen_require(` -+ type fonts_t; ++ type fonts_cache_t; + ') + + # cjp: fonts can be in either of these dirs @@ -32190,7 +32325,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.7.6/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.7.6/policy/modules/system/unconfined.if 2010-01-07 15:28:30.000000000 -0500 ++++ serefpolicy-3.7.6/policy/modules/system/unconfined.if 2010-01-08 10:06:25.000000000 -0500 @@ -12,14 +12,13 @@ # interface(`unconfined_domain_noaudit',` @@ -32207,7 +32342,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. -@@ -27,12 +26,13 @@ +@@ -27,12 +26,14 @@ # Write access is for setting attributes under /proc/self/attr. allow $1 self:file rw_file_perms; @@ -32222,10 +32357,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf + allow $1 self:dbus all_dbus_perms; + allow $1 self:passwd all_passwd_perms; + allow $1 self:association all_association_perms; ++ allow $1 self:socket_class_set create_socket_perms; kernel_unconfined($1) corenet_unconfined($1) -@@ -44,6 +44,16 @@ +@@ -44,6 +45,16 @@ fs_unconfined($1) selinux_unconfined($1) @@ -32242,7 +32378,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. allow $1 self:process execheap; -@@ -57,8 +67,8 @@ +@@ -57,8 +68,8 @@ tunable_policy(`allow_execstack',` # Allow making the stack executable via mprotect; @@ -32253,7 +32389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf # auditallow $1 self:process execstack; ') -@@ -69,6 +79,7 @@ +@@ -69,6 +80,7 @@ optional_policy(` # Communicate via dbusd. dbus_system_bus_unconfined($1) @@ -32261,7 +32397,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') optional_policy(` -@@ -111,16 +122,16 @@ +@@ -111,16 +123,16 @@ ## # interface(`unconfined_domain',` @@ -32282,7 +32418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconf ') ######################################## -@@ -173,411 +184,3 @@ +@@ -173,411 +185,3 @@ refpolicywarn(`$0($1) has been deprecated.') ') diff --git a/sources b/sources index dcd63d3..1e4a3c0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 3651679c4b12a31d2ba5f4305bba5540 config.tgz -d3b12775aaeafb96c96a6a74e85e96ba serefpolicy-3.7.5.tgz +0e56f0205d64ac083d61ec1d15873df7 serefpolicy-3.7.6.tgz