diff --git a/policy-F16.patch b/policy-F16.patch index f9e9883..f4b4dfe 100644 --- a/policy-F16.patch +++ b/policy-F16.patch @@ -3875,7 +3875,7 @@ index 00a19e3..55075f9 100644 +/usr/libexec/gnome-system-monitor-mechanism -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) +/usr/libexec/kde(3|4)/ksysguardprocesslist_helper -- gen_context(system_u:object_r:gnomesystemmm_exec_t,s0) diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if -index f5afe78..3ca01ec 100644 +index f5afe78..c9f63b0 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -1,44 +1,623 @@ @@ -3981,7 +3981,7 @@ index f5afe78..3ca01ec 100644 + allow $1_gkeyringd_t $3:dbus send_msg; + allow $3 $1_gkeyringd_t:dbus send_msg; + optional_policy(` -+ dbus_session_domain($1_gkeyringd_t, gkeyringd_exec_t) ++ dbus_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t) + dbus_session_bus_client($1_gkeyringd_t) + gnome_home_dir_filetrans($1_gkeyringd_t) + gnome_manage_generic_home_dirs($1_gkeyringd_t) @@ -9466,10 +9466,10 @@ index 0000000..8a7ed4f +/usr/libexec/telepathy-sunshine -- gen_context(system_u:object_r:telepathy_sunshine_exec_t, s0) diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if new file mode 100644 -index 0000000..6878d68 +index 0000000..f6acf24 --- /dev/null +++ b/policy/modules/apps/telepathy.if -@@ -0,0 +1,193 @@ +@@ -0,0 +1,191 @@ + +## Telepathy framework. + @@ -9500,8 +9500,6 @@ index 0000000..6878d68 + type telepathy_$1_tmp_t; + files_tmp_file(telepathy_$1_tmp_t) + ubac_constrained(telepathy_$1_tmp_t) -+ -+ dbus_session_domain(telepathy_$1_t, telepathy_$1_exec_t) +') + +####################################### @@ -15378,7 +15376,7 @@ index 069d36c..8cbeefb 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 5001b89..e1fe78d 100644 +index 5001b89..c90e93e 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -50,6 +50,8 @@ sid kernel gen_context(system_u:system_r:kernel_t,mls_systemhigh) @@ -15403,7 +15401,7 @@ index 5001b89..e1fe78d 100644 dev_delete_generic_chr_files(kernel_t) dev_mounton(kernel_t) +dev_filetrans_all_named_dev(kernel_t) -+storage_filetrans_all_named_dev(kernel_t) ++#storage_filetrans_all_named_dev(kernel_t) +term_filetrans_all_named_dev(kernel_t) # Mount root file system. Used when loading a policy @@ -16818,7 +16816,7 @@ index be4de58..cce681a 100644 ######################################## # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te -index 2be17d2..ddb6f0a 100644 +index 2be17d2..1663532 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -8,12 +8,51 @@ policy_module(staff, 2.2.0) @@ -16873,7 +16871,7 @@ index 2be17d2..ddb6f0a 100644 optional_policy(` apache_role(staff_r, staff_t) ') -@@ -27,25 +66,139 @@ optional_policy(` +@@ -27,25 +66,138 @@ optional_policy(` ') optional_policy(` @@ -16895,7 +16893,6 @@ index 2be17d2..ddb6f0a 100644 + +optional_policy(` + gnome_role(staff_r, staff_t) -+ gnome_role_gkeyringd(staff, staff_r, staff_t) +') + +optional_policy(` @@ -17015,7 +17012,7 @@ index 2be17d2..ddb6f0a 100644 optional_policy(` vlock_run(staff_t, staff_r) -@@ -89,10 +242,6 @@ ifndef(`distro_redhat',` +@@ -89,10 +241,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17026,7 +17023,7 @@ index 2be17d2..ddb6f0a 100644 gpg_role(staff_r, staff_t) ') -@@ -137,10 +286,6 @@ ifndef(`distro_redhat',` +@@ -137,10 +285,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -17037,7 +17034,7 @@ index 2be17d2..ddb6f0a 100644 spamassassin_role(staff_r, staff_t) ') -@@ -172,3 +317,7 @@ ifndef(`distro_redhat',` +@@ -172,3 +316,7 @@ ifndef(`distro_redhat',` wireshark_role(staff_r, staff_t) ') ') @@ -18656,10 +18653,10 @@ index 0000000..4cf791b +gen_user(unconfined_u, user, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats) + diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te -index e5bfdd4..dc6b88f 100644 +index e5bfdd4..425ea6f 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te -@@ -12,15 +12,75 @@ role user_r; +@@ -12,15 +12,74 @@ role user_r; userdom_unpriv_user_template(user) @@ -18686,7 +18683,6 @@ index e5bfdd4..dc6b88f 100644 + +optional_policy(` + gnome_role(user_r, user_t) -+ +') + +optional_policy(` @@ -18727,15 +18723,15 @@ index e5bfdd4..dc6b88f 100644 + setroubleshoot_dontaudit_stream_connect(user_t) +') + -+optional_policy(` -+ telepathy_dbus_session_role(user_r, user_t) -+') ++#optional_policy(` ++# telepathy_dbus_session_role(user_r, user_t) ++#') + +optional_policy(` vlock_run(user_t, user_r) ') -@@ -62,10 +122,6 @@ ifndef(`distro_redhat',` +@@ -62,10 +121,6 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18746,7 +18742,7 @@ index e5bfdd4..dc6b88f 100644 gpg_role(user_r, user_t) ') -@@ -118,11 +174,7 @@ ifndef(`distro_redhat',` +@@ -118,11 +173,7 @@ ifndef(`distro_redhat',` ') optional_policy(` @@ -18759,7 +18755,7 @@ index e5bfdd4..dc6b88f 100644 ') optional_policy(` -@@ -157,3 +209,4 @@ ifndef(`distro_redhat',` +@@ -157,3 +208,4 @@ ifndef(`distro_redhat',` wireshark_role(user_r, user_t) ') ') @@ -24810,7 +24806,7 @@ index 0000000..939d76e +') diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te new file mode 100644 -index 0000000..13278c0 +index 0000000..d8c9b6e --- /dev/null +++ b/policy/modules/services/colord.te @@ -0,0 +1,106 @@ @@ -24838,9 +24834,7 @@ index 0000000..13278c0 +# +# colord local policy +# -+ +allow colord_t self:process signal; -+ +allow colord_t self:fifo_file rw_fifo_file_perms; +allow colord_t self:netlink_kobject_uevent_socket create_socket_perms; +allow colord_t self:udp_socket create_socket_perms; @@ -24858,6 +24852,7 @@ index 0000000..13278c0 +manage_files_pattern(colord_t, colord_var_lib_t, colord_var_lib_t) +files_var_lib_filetrans(colord_t, colord_var_lib_t, { file dir }) + ++kernel_getattr_proc_files(colord_t) +kernel_read_device_sysctls(colord_t) + +corenet_udp_bind_generic_node(colord_t) @@ -24879,6 +24874,7 @@ index 0000000..13278c0 + +domain_use_interactive_fds(colord_t) + ++files_list_mnt(colord_t) +files_read_etc_files(colord_t) +files_read_usr_files(colord_t) + @@ -26521,7 +26517,7 @@ index 81eba14..d0ab56c 100644 /usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:dbusd_exec_t,s0) /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0) diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if -index 0d5711c..85a1dc0 100644 +index 0d5711c..a0c951e 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if @@ -41,9 +41,9 @@ interface(`dbus_stub',` @@ -26683,6 +26679,24 @@ index 0d5711c..85a1dc0 100644 ') ######################################## +@@ -335,13 +377,13 @@ interface(`dbus_connect_session_bus',` + # + interface(`dbus_session_domain',` + gen_require(` +- attribute session_bus_type; ++ type $1_dbusd_t; + ') + +- domtrans_pattern(session_bus_type, $2, $1) ++ domtrans_pattern($1_dbusd_t, $2, $3) + +- dbus_session_bus_client($1) +- dbus_connect_session_bus($1) ++ dbus_session_bus_client($3) ++ dbus_connect_session_bus($3) + ') + + ######################################## @@ -431,14 +473,28 @@ interface(`dbus_system_domain',` domtrans_pattern(system_dbusd_t, $2, $1) @@ -28914,7 +28928,7 @@ index 6bef7f8..464669c 100644 + admin_pattern($1, exim_var_run_t) +') diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te -index f28f64b..18c3c33 100644 +index f28f64b..0b19f11 100644 --- a/policy/modules/services/exim.te +++ b/policy/modules/services/exim.te @@ -6,24 +6,24 @@ policy_module(exim, 1.5.0) @@ -28925,7 +28939,7 @@ index f28f64b..18c3c33 100644 -## Allow exim to connect to databases (postgres, mysql) -##

+##

-+## Allow exim to connect to databases (postgres, mysql) ++## Allow exim to connect to databases (PostgreSQL, MySQL) +##

## gen_tunable(exim_can_connect_db, false) @@ -29196,7 +29210,7 @@ index 0000000..84d1768 +') diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te new file mode 100644 -index 0000000..a63cabe +index 0000000..8dcd6e4 --- /dev/null +++ b/policy/modules/services/firewalld.te @@ -0,0 +1,68 @@ @@ -29225,7 +29239,7 @@ index 0000000..a63cabe +# +# firewalld local policy +# -+ ++dontaudit firewalld_t self:capability sys_tty_config; +allow firewalld_t self:fifo_file rw_fifo_file_perms; +allow firewalld_t self:unix_stream_socket create_stream_socket_perms; + @@ -34861,14 +34875,14 @@ index 64268e4..9ddac52 100644 + exim_manage_log(user_mail_domain) +') diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc -index fd71d69..2e9f2a3 100644 +index fd71d69..bf90863 100644 --- a/policy/modules/services/munin.fc +++ b/policy/modules/services/munin.fc @@ -51,6 +51,7 @@ /usr/share/munin/plugins/irqstats -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/load -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/memory -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) -+/usr/share/munin/plugins/munin_* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) ++/usr/share/munin/plugins/munin_.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/netstat -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/nfs.* -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) /usr/share/munin/plugins/open_files -- gen_context(system_u:object_r:system_munin_plugin_exec_t,s0) @@ -39522,7 +39536,7 @@ index 09aeffa..dd70b14 100644 postgresql_tcp_connect($1) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te -index 8ed5067..f31634f 100644 +index 8ed5067..a5603cd 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -19,16 +19,16 @@ gen_require(` @@ -39533,7 +39547,7 @@ index 8ed5067..f31634f 100644 -## Allow unprived users to execute DDL statement -##

+##

-+## Allow unprived users to execute DDL statement ++## Allow unprivileged users to execute DDL statement +##

## gen_tunable(sepgsql_enable_users_ddl, true) @@ -40250,7 +40264,7 @@ index 2855a44..0456b11 100644 type puppet_tmp_t; ') diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te -index 64c5f95..69fa687 100644 +index 64c5f95..ebb9b4d 100644 --- a/policy/modules/services/puppet.te +++ b/policy/modules/services/puppet.te @@ -6,12 +6,19 @@ policy_module(puppet, 1.0.0) @@ -40268,7 +40282,7 @@ index 64c5f95..69fa687 100644 ##

-## Allow Puppet client to manage all file -## types. -+## Allow Puppet master to use connect to mysql and postgresql database ++## Allow Puppet master to use connect to MySQL and PostgreSQL database ##

## -gen_tunable(puppet_manage_all_files, false) @@ -50995,10 +51009,10 @@ index c26ecf5..b906c48 100644 diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc new file mode 100644 -index 0000000..72059b2 +index 0000000..28cd477 --- /dev/null +++ b/policy/modules/services/zarafa.fc -@@ -0,0 +1,29 @@ +@@ -0,0 +1,33 @@ + +/etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) + @@ -51012,6 +51026,8 @@ index 0000000..72059b2 + +/usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) + ++/usr/bin/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_exec_t,s0) ++ +/usr/bin/zarafa-monitor -- gen_context(system_u:object_r:zarafa_monitor_exec_t,s0) + +/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) @@ -51020,6 +51036,7 @@ index 0000000..72059b2 +/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) ++/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) +/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) + +/var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) @@ -51027,6 +51044,7 @@ index 0000000..72059b2 +/var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) +/var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) ++/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) +/var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if new file mode 100644 @@ -51158,10 +51176,10 @@ index 0000000..8a909f5 +') diff --git a/policy/modules/services/zarafa.te b/policy/modules/services/zarafa.te new file mode 100644 -index 0000000..fec9997 +index 0000000..850b8b5 --- /dev/null +++ b/policy/modules/services/zarafa.te -@@ -0,0 +1,141 @@ +@@ -0,0 +1,146 @@ +policy_module(zarafa, 1.0.0) + +######################################## @@ -51172,6 +51190,7 @@ index 0000000..fec9997 +attribute zarafa_domain; + +zarafa_domain_template(monitor) ++zarafa_domain_template(indexer) +zarafa_domain_template(ical) +zarafa_domain_template(server) +zarafa_domain_template(spooler) @@ -51193,6 +51212,8 @@ index 0000000..fec9997 +type zarafa_share_t; +files_type(zarafa_share_t) + ++permissive zarafa_indexer_t; ++ +######################################## +# +# zarafa-deliver local policy @@ -51221,6 +51242,8 @@ index 0000000..fec9997 +manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) +files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) + ++stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) ++ +corenet_tcp_bind_zarafa_port(zarafa_server_t) + +files_read_usr_files(zarafa_server_t) @@ -52473,10 +52496,10 @@ index 882c6a2..d0ff4ec 100644 ') diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc -index 354ce93..f97fbb7 100644 +index 354ce93..b8b14b9 100644 --- a/policy/modules/system/init.fc +++ b/policy/modules/system/init.fc -@@ -33,6 +33,19 @@ ifdef(`distro_gentoo', ` +@@ -33,9 +33,24 @@ ifdef(`distro_gentoo', ` # # /sbin # @@ -52496,7 +52519,12 @@ index 354ce93..f97fbb7 100644 /sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0) # because nowadays, /sbin/init is often a symlink to /sbin/upstart /sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0) -@@ -55,6 +68,9 @@ ifdef(`distro_gentoo', ` ++# for Fedora ++/lib/upstart/init -- gen_context(system_u:object_r:init_exec_t,s0) + + ifdef(`distro_gentoo', ` + /sbin/rc -- gen_context(system_u:object_r:initrc_exec_t,s0) +@@ -55,6 +70,9 @@ ifdef(`distro_gentoo', ` /usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0) /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0) @@ -52506,7 +52534,7 @@ index 354ce93..f97fbb7 100644 # # /var -@@ -76,3 +92,4 @@ ifdef(`distro_suse', ` +@@ -76,3 +94,4 @@ ifdef(`distro_suse', ` /var/run/setleds-on -- gen_context(system_u:object_r:initrc_var_run_t,s0) /var/run/sysconfig(/.*)? gen_context(system_u:object_r:initrc_var_run_t,s0) ') diff --git a/selinux-policy.spec b/selinux-policy.spec index 436ed55..1921a1e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -21,7 +21,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.9.16 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -472,6 +472,14 @@ exit 0 %endif %changelog +* Thu May 5 2011 Miroslav Grepl 3.9.16-20 +- Fix label for /usr/share/munin/plugins/munin_* plugins +- Add support for zarafa-indexer +- Fix boolean description +- Allow colord to getattr on /proc/scsi/scsi +- Add label for /lib/upstart/init +- Colord needs to list /mnt + * Tue May 3 2011 Miroslav Grepl 3.9.16-19 - Forard port changes from F15 for telepathy - NetworkManager should be allowed to use /dev/rfkill