diff --git a/policy-20081111.patch b/policy-20081111.patch index b34f77f..9f124cb 100644 --- a/policy-20081111.patch +++ b/policy-20081111.patch @@ -2004,7 +2004,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-3.6.1/policy/modules/apps/java.te --- nsaserefpolicy/policy/modules/apps/java.te 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/apps/java.te 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/apps/java.te 2009-01-04 13:53:30.000000000 -0500 @@ -40,7 +40,7 @@ # Local policy # @@ -2014,7 +2014,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow java_t self:fifo_file rw_fifo_file_perms; allow java_t self:tcp_socket create_socket_perms; allow java_t self:udp_socket create_socket_perms; -@@ -147,4 +147,11 @@ +@@ -116,12 +116,13 @@ + + allow java_t java_tmp_t:file execute; + +- libs_legacy_use_shared_libs(java_t) + libs_legacy_use_ld_so(java_t) + + miscfiles_legacy_read_localization(java_t) + ') + ++libs_legacy_use_shared_libs(java_t) ++ + optional_policy(` + nis_use_ypbind(java_t) + ') +@@ -147,4 +148,11 @@ unconfined_domain_noaudit(unconfined_java_t) unconfined_dbus_chat(unconfined_java_t) @@ -5496,7 +5511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.1/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2008-11-11 16:13:41.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if 2008-12-01 16:27:54.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/kernel/filesystem.if 2009-01-04 12:00:43.000000000 -0500 @@ -534,6 +534,24 @@ ######################################## 
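Review bot: The inner hunk `@@ -116,12 +116,13 @@` in java.te moves `libs_legacy_use_shared_libs(java_t)` out of a block whose opening line lies outside the hunk (only its closing `')` is visible) and applies it unconditionally, but nothing records why the rule no longer belongs under that condition. A one-line comment above the new call, such as `# legacy shared libs are needed outside the block above as well`, would keep the next merge from pulling it back inside. The other two hunks on this line only change `+++` timestamps and renumber an inner hunk header.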
@@ -7814,7 +7829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +permissive afs_t; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.1/policy/modules/services/apache.fc --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-11-25 09:45:43.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/apache.fc 2008-12-29 10:16:33.000000000 -0500 @@ -1,12 +1,13 @@ -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) @@ -7874,10 +7889,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) /var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) -@@ -64,11 +71,21 @@ +@@ -64,11 +71,22 @@ /var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0) ++/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0) +/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0) /var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0) 
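Review bot: The new `(public_git)` alternative in the HOME_DIR regex labels the whole `~/public_git` tree, including any `.git` metadata beneath it, as httpd_user_content_t because of the trailing `(/.+)?`. That is the same treatment the existing `www`/`web`/`public_html` alternatives get, so it is consistent with the file, but a comment noting that repository internals become web-readable content once home-directory serving is enabled would help administrators choose between pointing a bare repository or a working tree there. The `+++` timestamp change in the same hunk is trivial.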
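Review bot: `/var/run/mod_.*` in the inner hunk `@@ -64,11 +71,22 @@` matches across path separators, so every file and directory tree under /var/run whose name starts with `mod_` gets httpd_var_run_t, not only the module pid or socket files presumably intended. The neighbouring `/var/run/httpd.*` and `/var/run/wsgi.*` entries use the same shape, so this is consistent with the file; if only one module's files are meant, a narrower prefix naming that module would limit the label. The inner header's new-side count was bumped to 22, which matches the one added line.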
@@ -8432,7 +8448,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.1/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2008-11-11 16:13:46.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/apache.te 2008-12-08 16:47:30.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/apache.te 2009-01-04 12:50:52.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -12351,7 +12367,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.6.1/policy/modules/services/hal.te --- nsaserefpolicy/policy/modules/services/hal.te 2008-11-19 11:51:44.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/hal.te 2008-12-19 17:16:25.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/hal.te 2009-01-04 12:01:07.000000000 -0500 @@ -49,6 +49,15 @@ type hald_var_lib_t; files_type(hald_var_lib_t) @@ -12368,7 +12384,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Local policy -@@ -143,6 +152,7 @@ +@@ -143,11 +152,16 @@ files_getattr_all_dirs(hald_t) files_read_kernel_img(hald_t) files_rw_lock_dirs(hald_t) @@ -12376,7 +12392,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(hald_t) fs_search_all(hald_t) -@@ -195,6 +205,7 @@ + fs_list_inotifyfs(hald_t) + fs_list_auto_mountpoints(hald_t) ++fs_mount_dos_fs(hald_t) ++fs_unmount_dos_fs(hald_t) ++fs_manage_dos_files(hald_t) ++ + files_getattr_all_mountpoints(hald_t) + + mls_file_read_all_levels(hald_t) +@@ -195,6 +209,7 @@ seutil_read_file_contexts(hald_t) sysnet_read_config(hald_t) 
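Review bot: The inner hunk `@@ -143,11 +152,16 @@` in hal.te grants hald_t `fs_mount_dos_fs`, `fs_unmount_dos_fs` and `fs_manage_dos_files`, and the third interface is broader than the first two suggest: by the refpolicy naming convention "manage" covers creating, writing and deleting files on any DOS filesystem, not just mounting one. If the use case is only (un)mounting removable media the manage interface may be unnecessary; if write access is really needed, a comment above the three lines stating which hal operation needs it, e.g. `# hal mounts, unmounts and writes DOS media: <reason placeholder>`, would justify the grant. The earlier hunks on this line only change a `+++` timestamp and renumber inner headers.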
@@ -12384,7 +12409,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_use_unpriv_user_fds(hald_t) userdom_dontaudit_search_user_home_dirs(hald_t) -@@ -277,6 +288,12 @@ +@@ -277,6 +292,12 @@ ') optional_policy(` @@ -12397,7 +12422,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpc_search_nfs_state_data(hald_t) ') -@@ -301,12 +318,16 @@ +@@ -301,12 +322,16 @@ virt_manage_images(hald_t) ') @@ -12415,7 +12440,24 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow hald_acl_t self:process { getattr signal }; allow hald_acl_t self:fifo_file rw_fifo_file_perms; -@@ -346,12 +367,17 @@ +@@ -321,6 +346,7 @@ + manage_dirs_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) + manage_files_pattern(hald_acl_t, hald_var_run_t, hald_var_run_t) + files_pid_filetrans(hald_acl_t, hald_var_run_t, { dir file }) ++allow hald_t hald_var_run_t:dir mounton; + + corecmd_exec_bin(hald_acl_t) + +@@ -339,6 +365,8 @@ + + storage_getattr_removable_dev(hald_acl_t) + storage_setattr_removable_dev(hald_acl_t) ++storage_getattr_fixed_disk_dev(hald_acl_t) ++storage_setattr_fixed_disk_dev(hald_acl_t) + + auth_use_nsswitch(hald_acl_t) + +@@ -346,12 +374,17 @@ miscfiles_read_localization(hald_acl_t) @@ -12434,7 +12476,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domtrans_pattern(hald_t, hald_mac_exec_t, hald_mac_t) allow hald_t hald_mac_t:process signal; -@@ -418,3 +444,49 @@ +@@ -418,3 +451,49 @@ files_read_usr_files(hald_keymap_t) miscfiles_read_localization(hald_keymap_t) 
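Review bot: `allow hald_t hald_var_run_t:dir mounton;` in the inner hunk `@@ -321,6 +346,7 @@` is inserted between `files_pid_filetrans(hald_acl_t, ...)` and `corecmd_exec_bin(hald_acl_t)`, i.e. inside the hald_acl_t local-policy section, even though it is a hald_t rule. Moving it up to the hald_t section keeps the file's per-domain grouping, and a short comment saying what hald mounts on its own pid directory would help, since mounting over a writable runtime directory is unusual. The `storage_getattr_fixed_disk_dev`/`storage_setattr_fixed_disk_dev` additions in the next inner hunk match the changelog entry; the remaining hunks on this line only renumber inner headers.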
@@ -18108,6 +18150,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_search_user_home_dirs(pyzor_t) optional_policy(` +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/radvd.te serefpolicy-3.6.1/policy/modules/services/radvd.te +--- nsaserefpolicy/policy/modules/services/radvd.te 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/radvd.te 2009-01-04 12:30:51.000000000 -0500 +@@ -22,7 +22,7 @@ + # + # Local policy + # +-allow radvd_t self:capability { setgid setuid net_raw }; ++allow radvd_t self:capability { setgid setuid net_raw net_admin }; + dontaudit radvd_t self:capability sys_tty_config; + allow radvd_t self:process signal_perms; + allow radvd_t self:unix_dgram_socket create_socket_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.6.1/policy/modules/services/razor.if --- nsaserefpolicy/policy/modules/services/razor.if 2008-11-11 16:13:46.000000000 -0500 +++ serefpolicy-3.6.1/policy/modules/services/razor.if 2008-11-25 09:45:43.000000000 -0500 @@ -19423,7 +19477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.6.1/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2008-11-25 09:01:08.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/services/sendmail.te 2008-11-25 10:40:18.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/services/sendmail.te 2009-01-04 12:51:01.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(sendmail, 1.8.2) 
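Review bot: The radvd.te hunk adds `net_admin` to `allow radvd_t self:capability { setgid setuid net_raw net_admin };` without recording which operation needs it, and net_admin is one of the widest capabilities (interface configuration, routing, privileged socket options). A comment above the rule naming the operation, e.g. `# net_admin: <operation placeholder>`, would let the next reviewer check whether a narrower grant suffices. The spec changelog in this commit mentions only the hal_acl_t fixed-disk change, so this capability grant, the hald_t DOS filesystem rules and the userdomain.if exec-content change should be listed there too. The sendmail.te hunk on the same line only changes a `+++` timestamp.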
@@ -19459,11 +19513,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) -@@ -64,24 +69,29 @@ +@@ -64,24 +69,30 @@ fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) +fs_rw_anon_inodefs_files(sendmail_t) ++fs_list_inotifyfs(sendmail_t) term_dontaudit_use_console(sendmail_t) @@ -19489,7 +19544,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(sendmail_t) -@@ -89,23 +99,38 @@ +@@ -89,23 +100,38 @@ libs_read_lib_files(sendmail_t) logging_send_syslog_msg(sendmail_t) @@ -19530,7 +19585,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -113,13 +138,19 @@ +@@ -113,13 +139,19 @@ ') optional_policy(` @@ -19551,7 +19606,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -127,24 +158,29 @@ +@@ -127,24 +159,29 @@ ') optional_policy(` @@ -26456,7 +26511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.1/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2008-11-13 18:40:02.000000000 -0500 -+++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2008-12-27 06:28:18.000000000 -0500 ++++ serefpolicy-3.6.1/policy/modules/system/userdomain.if 2009-01-04 13:57:22.000000000 -0500 @@ -30,8 +30,9 @@ ') @@ -27133,7 +27188,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -722,15 +740,27 @@ +@@ -722,15 +740,29 @@ userdom_base_user_template($1) 
@@ -27148,26 +27203,28 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - userdom_exec_user_home_content_files($1_t) + userdom_manage_tmp_role($1_r, $1_usertype) + userdom_manage_tmpfs_role($1_r, $1_usertype) - -- userdom_change_password_template($1) -+ gen_tunable(allow_$1_exec_content, true) + -+ tunable_policy(`allow_$1_exec_content',` -+ userdom_exec_user_tmp_files($1_usertype) -+ userdom_exec_user_home_content_files($1_usertype) -+ ') ++ ifelse(`$1',`unconfined',`',` ++ gen_tunable(allow_$1_exec_content, true) + -+ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` -+ fs_exec_nfs_files($1_usertype) -+ ') ++ tunable_policy(`allow_$1_exec_content',` ++ userdom_exec_user_tmp_files($1_usertype) ++ userdom_exec_user_home_content_files($1_usertype) ++ ') ++ tunable_policy(`allow_$1_exec_content && use_nfs_home_dirs',` ++ fs_exec_nfs_files($1_usertype) ++ ') + -+ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` -+ fs_exec_cifs_files($1_usertype) ++ tunable_policy(`allow_$1_exec_content && use_samba_home_dirs',` ++ fs_exec_cifs_files($1_usertype) ++ ') + ') +- userdom_change_password_template($1) + ############################## # -@@ -746,70 +776,72 @@ +@@ -746,70 +778,72 @@ allow $1_t self:context contains; @@ -27273,7 +27330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -846,6 +878,28 @@ +@@ -846,6 +880,28 @@ # Local policy # @@ -27302,7 +27359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -876,7 +930,7 @@ +@@ -876,7 +932,7 @@ userdom_restricted_user_template($1) 
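Review bot: Wrapping the block in the new ifelse(`$1',`unconfined',`',` ... `) means `allow_unconfined_exec_content` is no longer generated, although the previous revision of this patch (the removed lines) created `allow_$1_exec_content` for every user template; any remaining reference to that boolean elsewhere — a tunable_policy, a booleans list or documentation — will now fail to resolve, so it is worth searching for before building. The unconfined branch also grants no exec rights at all, which is presumably fine because the unconfined domain gets them elsewhere, but a one-line comment on the ifelse such as `# unconfined gets no exec_content tunable; its domain is unrestricted anyway` would record that. The `userdom_change_password_template($1)` removal is only moved within the inner hunk, not changed, and the remaining hunks on this line only renumber inner headers.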
@@ -27311,17 +27368,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -884,14 +938,18 @@ +@@ -884,14 +940,18 @@ # auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) -+ -+ xserver_role($1_r, $1_t) - dev_read_sound($1_t) - dev_write_sound($1_t) ++ xserver_role($1_r, $1_t) ++ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -27335,7 +27392,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_dontaudit_send_audit_msgs($1_t) # Need to to this just so screensaver will work. Should be moved to screensaver domain -@@ -899,28 +957,24 @@ +@@ -899,28 +959,24 @@ selinux_get_enforce_mode($1_t) optional_policy(` @@ -27370,7 +27427,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -931,8 +985,7 @@ +@@ -931,8 +987,7 @@ ## ## ##

@@ -27380,7 +27437,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ##

##

## This template creates a user domain, types, and -@@ -954,8 +1007,8 @@ +@@ -954,8 +1009,8 @@ # Declarations # @@ -27390,7 +27447,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -964,11 +1017,10 @@ +@@ -964,11 +1019,10 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -27403,7 +27460,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # cjp: why? files_read_kernel_symbol_table($1_t) -@@ -986,37 +1038,43 @@ +@@ -986,37 +1040,43 @@ ') ') @@ -27460,7 +27517,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -1050,7 +1108,7 @@ +@@ -1050,7 +1110,7 @@ # template(`userdom_admin_user_template',` gen_require(` @@ -27469,7 +27526,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1059,8 +1117,7 @@ +@@ -1059,8 +1119,7 @@ # # Inherit rules for ordinary users. @@ -27479,7 +27536,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1083,7 +1140,8 @@ +@@ -1083,7 +1142,8 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -27489,7 +27546,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) -@@ -1106,8 +1164,6 @@ +@@ -1106,8 +1166,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) 
@@ -27498,7 +27555,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1162,20 +1218,6 @@ +@@ -1162,20 +1220,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -27519,7 +27576,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1221,6 +1263,7 @@ +@@ -1221,6 +1265,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -27527,7 +27584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1286,11 +1329,15 @@ +@@ -1286,11 +1331,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -27543,7 +27600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1387,7 +1434,7 @@ +@@ -1387,7 +1436,7 @@ ######################################## ##

@@ -27552,7 +27609,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1420,6 +1467,14 @@ +@@ -1420,6 +1469,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) @@ -27567,7 +27624,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1435,9 +1490,11 @@ +@@ -1435,9 +1492,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -27579,7 +27636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1494,6 +1551,25 @@ +@@ -1494,6 +1553,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -27605,7 +27662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1547,9 +1623,9 @@ +@@ -1547,9 +1625,9 @@ type user_home_dir_t, user_home_t; ') @@ -27617,7 +27674,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1568,6 +1644,8 @@ +@@ -1568,6 +1646,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -27626,7 +27683,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1643,6 +1721,7 @@ +@@ -1643,6 +1723,7 @@ type user_home_dir_t, user_home_t; ') @@ -27634,7 +27691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1741,6 +1820,62 @@ +@@ -1741,6 +1822,62 @@ ######################################## ## 
@@ -27697,7 +27754,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Execute user home files. ## ## -@@ -1757,14 +1892,6 @@ +@@ -1757,14 +1894,6 @@ files_search_home($1) exec_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) @@ -27712,7 +27769,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1787,6 +1914,46 @@ +@@ -1787,6 +1916,46 @@ ######################################## ## @@ -27759,7 +27816,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete files ## in a user home subdirectory. ## -@@ -2819,6 +2986,24 @@ +@@ -2819,6 +2988,24 @@ ######################################## ## @@ -27784,7 +27841,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to use user ttys. ## ## -@@ -2851,6 +3036,7 @@ +@@ -2851,6 +3038,7 @@ ') read_files_pattern($1,userdomain,userdomain) @@ -27792,7 +27849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -2965,6 +3151,24 @@ +@@ -2965,6 +3153,24 @@ ######################################## ## @@ -27817,7 +27874,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send a dbus message to all user domains. ## ## -@@ -2981,3 +3185,264 @@ +@@ -2981,3 +3187,264 @@ allow $1 userdomain:dbus send_msg; ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 999b5ab..5590314 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -1,4 +1,4 @@ -%define distro redhat + %define distro redhat %define polyinstatiate n %define monolithic n %if %{?BUILD_TARGETED:0}%{!?BUILD_TARGETED:1} 
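Review bot: The spec hunk `@@ -1,4 +1,4 @@` replaces `%define distro redhat` with the same line preceded by whitespace, which looks accidental: the two `%define` lines that follow stay at column 0 and the changelog does not mention it. Whether rpm still evaluates an indented `%define` in the preamble I cannot confirm from here, so restoring `%define distro redhat` at column 0 avoids depending on it. The userdomain.if hunks on this line only renumber inner hunk headers.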
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.1 -Release: 14%{?dist} +Release: 15%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -446,6 +446,9 @@ exit 0 %endif %changelog +* Sun Jan 4 2009 Dan Walsh 3.6.1-15 +- Allow hal_acl_t to getattr/setattr fixed_disk + * Sat Dec 27 2008 Dan Walsh 3.6.1-14 - Change userdom_read_all_users_state to include reading symbolic links in /proc