From 0753483dbe56390e0618a30ab5abf9970bc42cfa Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: Jun 16 2010 21:24:33 +0000 Subject: - Fixes for cobbler policy - Allow Network Manager to transition to ipsec_mgmt domain - Add label for /usr/libexec/nm-openswan-service - Add label for /dev --- diff --git a/policy-F13.patch b/policy-F13.patch index 58292fd..39113c2 100644 --- a/policy-F13.patch +++ b/policy-F13.patch @@ -689,8 +689,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool.te serefpolicy-3.7.19/policy/modules/admin/ncftool.te --- nsaserefpolicy/policy/modules/admin/ncftool.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-06-15 18:46:57.405767946 +0200 -@@ -0,0 +1,78 @@ ++++ serefpolicy-3.7.19/policy/modules/admin/ncftool.te 2010-06-16 22:19:10.097109891 +0200 +@@ -0,0 +1,79 @@ + +policy_module(ncftool,1.0.0) + @@ -742,6 +742,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/ncftool +files_read_etc_runtime_files(ncftool_t) +files_read_usr_files(ncftool_t) + ++modutils_list_module_config(ncftool_t) +modutils_read_module_config(ncftool_t) + +term_use_all_terms(ncftool_t) @@ -6574,8 +6575,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-06-09 13:14:00.641506056 +0200 -@@ -0,0 +1,386 @@ ++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te 2010-06-16 18:43:19.954110079 +0200 +@@ -0,0 +1,388 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; 
@@ -6888,6 +6889,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +fs_dontaudit_rw_anon_inodefs_files(sandbox_web_type) +fs_dontaudit_getattr_all_fs(sandbox_web_type) + ++storage_dontaudit_rw_fuse(sandbox_web_type) ++ +auth_use_nsswitch(sandbox_web_type) + +dbus_system_bus_client(sandbox_web_type) @@ -7624,7 +7627,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wm.if se ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-06-08 14:54:39.159871918 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/corecommands.fc 2010-06-16 18:40:09.826109969 +0200 @@ -49,7 +49,8 @@ /etc/cipe/ip-up.* -- gen_context(system_u:object_r:bin_t,s0) /etc/cipe/ip-down.* -- gen_context(system_u:object_r:bin_t,s0) @@ -7635,17 +7638,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/cron.daily(/.*)? gen_context(system_u:object_r:bin_t,s0) /etc/cron.hourly(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -70,6 +71,9 @@ +@@ -70,6 +71,12 @@ /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/pki/tls/certs/make-dummy-cert -- gen_context(system_u:object_r:bin_t,s0) ++/etc/pki/tls/misc(/.*)? -- gen_context(system_u:object_r:bin_t,s0) ++ +/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) +/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) /etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0) -@@ -147,6 +151,9 @@ +@@ -147,6 +154,9 @@ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
@@ -7655,7 +7661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -217,10 +224,15 @@ +@@ -217,10 +227,15 @@ /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) /usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0) @@ -7671,7 +7677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0) /usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0) -@@ -240,6 +252,7 @@ +@@ -240,6 +255,7 @@ /usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -7679,7 +7685,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/share/vhostmd/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -297,6 +310,7 @@ +@@ -297,6 +313,7 @@ /usr/share/system-config-rootpassword/system-config-rootpassword -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-samba/system-config-samba\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-securitylevel/system-config-securitylevel\.py -- gen_context(system_u:object_r:bin_t,s0) 
@@ -7687,7 +7693,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/system-config-services/serviceconf\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-services/system-config-services -- gen_context(system_u:object_r:bin_t,s0) /usr/share/system-config-soundcard/system-config-soundcard -- gen_context(system_u:object_r:bin_t,s0) -@@ -331,3 +345,21 @@ +@@ -331,3 +348,21 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') @@ -8553,7 +8559,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.19/policy/modules/kernel/files.fc --- nsaserefpolicy/policy/modules/kernel/files.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-05-28 09:42:00.027654091 +0200 ++++ serefpolicy-3.7.19/policy/modules/kernel/files.fc 2010-06-16 22:35:21.830110362 +0200 @@ -18,6 +18,7 @@ /fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0) /halt -- gen_context(system_u:object_r:etc_runtime_t,s0) @@ -8607,7 +8613,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. HOME_ROOT/\.journal <> HOME_ROOT/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) HOME_ROOT/lost\+found/.* <> -@@ -170,12 +179,6 @@ +@@ -156,6 +165,9 @@ + # + /proc -d <> + /proc/.* <> ++ifdef(`distro_redhat',` ++/rhev -d gen_context(system_u:object_r:mnt_t,s0) ++') + + # + # /selinux +@@ -170,12 +182,6 @@ /srv/.* gen_context(system_u:object_r:var_t,s0) # @@ -8620,7 +8636,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. # /tmp # /tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) -@@ -205,15 +208,19 @@ +@@ -205,15 +211,19 @@ /usr/local/lost\+found -d gen_context(system_u:object_r:lost_found_t,mls_systemhigh) /usr/local/lost\+found/.* <> 
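Review bot: The new `/rhev -d gen_context(system_u:object_r:mnt_t,s0)` entry in files.fc is placed inside the `/proc` stanza, directly after `/proc/.* <>` and before the `# /selinux` header, so it reads as a /proc rule. Give it its own comment header like the neighbouring stanzas, e.g. `# /rhev` on the line above the `ifdef(`distro_redhat',`` block, and note in that comment that `-d` labels only the mount-point directory itself, not anything beneath it. The commit subject says "Add label for /dev", but the only files.fc label visible in this hunk is /rhev; presumably the subject means this entry, or the /dev change is in a part of the patch outside this chunk.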
@@ -8640,7 +8656,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /usr/tmp/.* <> -@@ -229,6 +236,8 @@ +@@ -229,6 +239,8 @@ /var/ftp/etc(/.*)? gen_context(system_u:object_r:etc_t,s0) @@ -8649,7 +8665,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. /var/lib(/.*)? gen_context(system_u:object_r:var_lib_t,s0) /var/lib/nfs/rpc_pipefs(/.*)? <> -@@ -254,3 +263,5 @@ +@@ -254,3 +266,5 @@ ifdef(`distro_debian',` /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0) ') @@ -11795,7 +11811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te --- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1970-01-01 01:00:00.000000000 +0100 -+++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-06-15 18:40:03.061767907 +0200 ++++ serefpolicy-3.7.19/policy/modules/roles/unconfineduser.te 2010-06-16 22:06:20.880860249 +0200 @@ -0,0 +1,443 @@ +policy_module(unconfineduser, 1.0.0) + @@ -11956,7 +11972,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfi + ') + + optional_policy(` -+ ncftool_run(unconfined_usertype, unconfined_r) ++ ncftool_run(unconfined_t, unconfined_r) + ') + + optional_policy(` @@ -13895,7 +13911,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-05-28 09:42:00.060610653 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/apache.te 2010-06-16 21:30:31.530110069 +0200 
@@ -19,11 +19,13 @@ # Declarations # @@ -16567,9 +16583,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cmir +optional_policy(` + corosync_stream_connect(cmirrord_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.fc serefpolicy-3.7.19/policy/modules/services/cobbler.fc +--- nsaserefpolicy/policy/modules/services/cobbler.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.fc 2010-06-16 21:29:07.544874309 +0200 +@@ -5,3 +5,5 @@ + + /var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0) + /var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0) ++ ++/var/cache/cobbler(/.*)? gen_context(system_u:object_r:cobbler_cache_t, s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.if serefpolicy-3.7.19/policy/modules/services/cobbler.if --- nsaserefpolicy/policy/modules/services/cobbler.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-05-28 09:42:00.081612483 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.if 2010-06-16 21:29:07.544874309 +0200 +@@ -68,7 +68,7 @@ + ######################################## + ## + ## Do not audit attempts to read and write +-## Cobbler log files (leaked fd). ++## Cobbler log files (leaked fd). + ## + ## + ## +@@ -143,7 +143,7 @@ + + ######################################## + ## +-## All of the rules required to administrate ++## All of the rules required to administrate + ## an cobblerd environment + ## + ## @@ -173,9 +173,11 @@ files_list_var_lib($1) admin_pattern($1, cobbler_var_lib_t) 
@@ -16585,25 +16628,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb role_transition $2 cobblerd_initrc_exec_t system_r; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.7.19/policy/modules/services/cobbler.te --- nsaserefpolicy/policy/modules/services/cobbler.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-05-28 09:42:00.083611512 +0200 -@@ -40,6 +40,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/cobbler.te 2010-06-16 21:29:07.568859893 +0200 +@@ -1,5 +1,5 @@ + +-policy_module(cobbler, 1.0.0) ++policy_module(cobbler, 1.1.0) + + ######################################## + # +@@ -24,6 +24,9 @@ + type cobbler_etc_t; + files_config_file(cobbler_etc_t) + ++type cobbler_cache_t; ++logging_log_file(cobbler_cache_t) ++ + type cobbler_var_log_t; + logging_log_file(cobbler_var_log_t) + +@@ -36,12 +39,18 @@ + # + + allow cobblerd_t self:capability { chown dac_override fowner sys_nice }; ++dontaudit cobblerd_t self:capability sys_tty_config; + allow cobblerd_t self:process { getsched setsched signal }; allow cobblerd_t self:fifo_file rw_fifo_file_perms; allow cobblerd_t self:tcp_socket create_stream_socket_perms; +list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t) ++manage_dirs_pattern(cobblerd_t, cobbler_cache_t, cobbler_cache_t) ++manage_files_pattern(cobblerd_t, cobbler_cache_t, cobbler_cache_t) ++files_var_filetrans(cobblerd_t, cobbler_cache_t, dir) ++ manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) -@@ -68,6 +69,8 @@ - - dev_read_urand(cobblerd_t) - -+# read /etc/nsswitch.conf -+files_read_etc_files(cobblerd_t) + manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t) + files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file }) +@@ -71,6 +80,10 @@ files_read_usr_files(cobblerd_t) files_list_boot(cobblerd_t) 
files_list_tmp(cobblerd_t) -@@ -84,7 +87,7 @@ ++# read /etc/nsswitch.conf ++files_read_etc_files(cobblerd_t) ++ ++term_use_console(cobblerd_t) + + miscfiles_read_localization(cobblerd_t) + miscfiles_read_public_files(cobblerd_t) +@@ -84,7 +97,7 @@ ') optional_policy(` @@ -16612,7 +16685,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb ') optional_policy(` -@@ -119,3 +122,12 @@ +@@ -112,10 +125,21 @@ + ') + + optional_policy(` ++ rsync_exec(cobblerd_t) + rsync_read_config(cobblerd_t) + rsync_write_config(cobblerd_t) ++ rsync_filetrans_config(cobblerd_t, file) + ') + optional_policy(` tftp_manage_rw_content(cobblerd_t) ') @@ -16623,8 +16705,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb +# + +apache_content_template(cobbler) -+manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) -+manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) ++manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) ++manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.fc serefpolicy-3.7.19/policy/modules/services/consolekit.fc --- nsaserefpolicy/policy/modules/services/consolekit.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/consolekit.fc 2010-05-28 09:42:00.084613262 +0200 
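Review bot: `cobbler_cache_t` is declared with `logging_log_file(cobbler_cache_t)` although it labels `/var/cache/cobbler` (cobbler.fc hunk above) and is the target of `files_var_filetrans(cobblerd_t, cobbler_cache_t, dir)`; this looks copied from the `cobbler_var_log_t` declaration right below it. A log file type carries the `logfile` attribute, so every domain reached through the logging_*_all_logs interfaces (log rotation, log readers) silently gets the same access to cobbler's cache; the usual declaration for a cache type is `files_type(cobbler_cache_t)`. Separately, `files_var_filetrans` without a name applies to every directory cobblerd_t creates directly under /var, not only to `/var/cache/cobbler`, which is acceptable for a daemon that writes nothing else there but deserves a one-line comment. The `term_use_console(cobblerd_t)` addition next to `dontaudit cobblerd_t self:capability sys_tty_config` gives a network daemon read/write on the console; if it only silences a startup fd leak, `term_dontaudit_use_console(cobblerd_t)` is the narrower rule.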
@@ -18633,12 +18715,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.7.19/policy/modules/services/dhcp.te --- nsaserefpolicy/policy/modules/services/dhcp.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-05-28 09:42:00.100610800 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dhcp.te 2010-06-16 21:55:51.478859909 +0200 @@ -112,6 +112,10 @@ ') optional_policy(` -+ cobbler_dontaudit_rw_log(dhcpd_t) ++ cobbler_dontaudit_rw_log(dhcpd_t) +') + +optional_policy(` @@ -18746,7 +18828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsm diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.7.19/policy/modules/services/dnsmasq.te --- nsaserefpolicy/policy/modules/services/dnsmasq.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2010-05-28 09:42:00.103610809 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/dnsmasq.te 2010-06-16 21:56:20.245859614 +0200 @@ -19,6 +19,9 @@ type dnsmasq_lease_t; files_type(dnsmasq_lease_t) @@ -20722,7 +20804,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap files_pid_filetrans(slapd_t, slapd_var_run_t, { file sock_file }) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lircd.te serefpolicy-3.7.19/policy/modules/services/lircd.te --- nsaserefpolicy/policy/modules/services/lircd.te 2010-04-13 20:44:36.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/lircd.te 2010-05-28 09:42:00.122610872 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/lircd.te 2010-06-16 22:26:45.652869735 +0200 @@ -24,8 +24,11 @@ # lircd local policy # 
@@ -20736,7 +20818,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc # etc file read_files_pattern(lircd_t, lircd_etc_t, lircd_etc_t) -@@ -34,21 +37,31 @@ +@@ -34,21 +37,32 @@ manage_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) manage_sock_files_pattern(lircd_t, lircd_var_run_t, lircd_var_run_t) files_pid_filetrans(lircd_t, lircd_var_run_t, { dir file }) @@ -20765,6 +20847,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lirc +files_read_etc_files(lircd_t) term_use_ptmx(lircd_t) ++term_use_unallocated_ttys(lircd_t) logging_send_syslog_msg(lircd_t) @@ -22787,7 +22870,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.7.19/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-05-28 09:42:00.135610774 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.te 2010-06-16 23:01:53.144859835 +0200 @@ -19,6 +19,9 @@ type NetworkManager_tmp_t; files_tmp_file(NetworkManager_tmp_t) @@ -22969,11 +23052,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -155,23 +212,51 @@ +@@ -155,23 +212,55 @@ ') optional_policy(` - nis_use_ypbind(NetworkManager_t) ++ ipsec_domtrans_mgmt(NetworkManager_t) ++') ++ ++optional_policy(` + iptables_domtrans(NetworkManager_t) ') @@ -23024,7 +23111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw ') optional_policy(` -@@ -179,12 +264,16 @@ +@@ -179,12 +268,16 @@ ') optional_policy(` 
@@ -25996,6 +26083,36 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/proc ') optional_policy(` +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.if serefpolicy-3.7.19/policy/modules/services/psad.if +--- nsaserefpolicy/policy/modules/services/psad.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/psad.if 2010-06-16 22:24:51.305109719 +0200 +@@ -174,6 +174,26 @@ + append_files_pattern($1, psad_var_log_t, psad_var_log_t) + ') + ++####################################### ++## ++## Allow the specified domain to write to psad's log files. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++# ++interface(`psad_write_log',` ++ gen_require(` ++ type psad_var_log_t; ++ ') ++ ++ logging_search_logs($1) ++ write_files_pattern($1, psad_var_log_t, psad_var_log_t) ++') ++ + ######################################## + ## + ## Read and write psad fifo files. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/psad.te serefpolicy-3.7.19/policy/modules/services/psad.te --- nsaserefpolicy/policy/modules/services/psad.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/psad.te 2010-06-03 10:24:19.786161096 +0200 @@ -28008,8 +28125,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc. optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.if serefpolicy-3.7.19/policy/modules/services/rsync.if --- nsaserefpolicy/policy/modules/services/rsync.if 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/rsync.if 2010-05-28 09:42:00.176610979 +0200 -@@ -119,7 +119,7 @@ ++++ serefpolicy-3.7.19/policy/modules/services/rsync.if 2010-06-16 23:07:29.041110161 +0200 +@@ -119,25 +119,68 @@ type rsync_etc_t; ') 
@@ -28018,13 +28135,74 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsyn files_search_etc($1) ') -@@ -138,6 +138,6 @@ - type rsync_etc_t; - ') +-######################################## ++####################################### + ## +-## Write to rsync config files. ++## Write to rsync config files. + ## + ## + ## +-## Domain allowed. ++## Domain allowed. + ## + ## + # + interface(`rsync_write_config',` +- gen_require(` +- type rsync_etc_t; +- ') ++ gen_require(` ++ type rsync_etc_t; ++ ') - allow $1 rsync_etc_t:file read_file_perms; -+ write_files_pattern($1, rsync_etc_t, rsync_etc_t) - files_search_etc($1) +- files_search_etc($1) ++ write_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ++') ++ ++####################################### ++## ++## Manage rsync config files. ++## ++## ++## ++## Domain allowed. ++## ++## ++# ++interface(`rsync_manage_config',` ++ gen_require(` ++ type rsync_etc_t; ++ ') ++ ++ manage_files_pattern($1, rsync_etc_t, rsync_etc_t) ++ files_search_etc($1) ++') ++ ++####################################### ++## ++## Create objects in the amavis spool directories ++## with a private type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Class of the object being created. ++## ++## ++# ++interface(`rsync_filetrans_config',` ++ gen_require(` ++ type rsync_etc_t; ++ ') ++ ++ files_etc_filetrans($1, rsync_etc_t, $2) ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.7.19/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2010-04-13 20:44:37.000000000 +0200 
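Review bot: The summary of the new `rsync_filetrans_config` interface reads `Create objects in the amavis spool directories with a private type.`, which was copied from another module; since the body calls `files_etc_filetrans($1, rsync_etc_t, $2)` it should say `Create objects in /etc with the rsync config file type.`. That transition is not name-scoped: every object of class $2 that the caller creates directly in an etc_t directory becomes rsync_etc_t, so for the only caller visible in this change, `rsync_filetrans_config(cobblerd_t, file)` in the cobbler.te hunk above, any file cobblerd_t creates in /etc is labelled as rsync config — probably intended for the rsync daemon config it writes, but worth a comment at the call site. `rsync_manage_config` is added but no caller appears in this chunk. Style: the new interface headers use 39 `#` characters while the existing ones in the file use 40; the same applies to `psad_write_log`, `ipsec_domtrans_mgmt` and `modutils_list_module_config` in the later hunks.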
@@ -30270,6 +30448,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/syss +optional_policy(` + nscd_socket_use(sysstat_t) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.if serefpolicy-3.7.19/policy/modules/services/tftp.if +--- nsaserefpolicy/policy/modules/services/tftp.if 2010-04-13 20:44:36.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/tftp.if 2010-06-16 22:52:47.839870308 +0200 +@@ -20,6 +20,25 @@ + + ######################################## + ## ++## Search tftp /var/lib directories. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tftp_search_rw_content',` ++ gen_require(` ++ type tftpdir_rw_t; ++ ') ++ ++ search_dirs_pattern($1, tftpdir_rw_t, tftpdir_rw_t) ++ files_search_var_lib($1) ++') ++ ++######################################## ++## + ## Manage tftp /var/lib files. + ## + ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tgtd.te serefpolicy-3.7.19/policy/modules/services/tgtd.te --- nsaserefpolicy/policy/modules/services/tgtd.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/tgtd.te 2010-05-28 09:42:00.195610901 +0200 @@ -30798,7 +31005,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.7.19/policy/modules/services/w3c.te --- nsaserefpolicy/policy/modules/services/w3c.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/services/w3c.te 2010-05-28 09:42:00.202610575 +0200 ++++ serefpolicy-3.7.19/policy/modules/services/w3c.te 2010-06-16 16:52:11.832865080 +0200 @@ -8,11 +8,18 @@ apache_content_template(w3c_validator) 
@@ -30818,6 +31025,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c. corenet_tcp_connect_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_sendrecv_ftp_port(httpd_w3c_validator_script_t) corenet_tcp_connect_http_port(httpd_w3c_validator_script_t) +@@ -23,3 +30,5 @@ + miscfiles_read_certs(httpd_w3c_validator_script_t) + + sysnet_dns_name_resolve(httpd_w3c_validator_script_t) ++ ++apache_dontaudit_rw_tmp_files(httpd_w3c_validator_script_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.7.19/policy/modules/services/xserver.fc --- nsaserefpolicy/policy/modules/services/xserver.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/services/xserver.fc 2010-05-28 09:42:00.203610788 +0200 
@@ -32874,6 +33087,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostna xen_append_log(hostname_t) xen_dontaudit_use_fds(hostname_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.7.19/policy/modules/system/hotplug.te +--- nsaserefpolicy/policy/modules/system/hotplug.te 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/hotplug.te 2010-06-16 22:36:40.831110052 +0200 +@@ -24,7 +24,7 @@ + # + + allow hotplug_t self:capability { net_admin sys_tty_config mknod sys_rawio }; +-dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config }; ++dontaudit hotplug_t self:capability { sys_module sys_admin sys_tty_config sys_ptrace }; + # for access("/etc/bashrc", X_OK) on Red Hat + dontaudit hotplug_t self:capability { dac_override dac_read_search }; + allow hotplug_t self:process { setpgid getsession getattr signal_perms }; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.fc serefpolicy-3.7.19/policy/modules/system/init.fc --- nsaserefpolicy/policy/modules/system/init.fc 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/init.fc 2010-05-28 09:42:00.214610824 +0200 
@@ -33641,6 +33866,45 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.t +optional_policy(` + fail2ban_read_lib_files(daemon) +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.7.19/policy/modules/system/ipsec.fc +--- nsaserefpolicy/policy/modules/system/ipsec.fc 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.fc 2010-06-16 22:14:29.964859861 +0200 +@@ -25,6 +25,7 @@ + /usr/libexec/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/pluto -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/libexec/ipsec/spi -- gen_context(system_u:object_r:ipsec_exec_t,s0) ++/usr/libexec/nm-openswan-service -- gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0) + + /usr/local/lib(64)?/ipsec/eroute -- gen_context(system_u:object_r:ipsec_exec_t,s0) + /usr/local/lib(64)?/ipsec/klipsdebug -- gen_context(system_u:object_r:ipsec_exec_t,s0) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.if serefpolicy-3.7.19/policy/modules/system/ipsec.if +--- nsaserefpolicy/policy/modules/system/ipsec.if 2010-04-13 20:44:37.000000000 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/ipsec.if 2010-06-16 22:59:08.426110312 +0200 +@@ -18,6 +18,24 @@ + domtrans_pattern($1, ipsec_exec_t, ipsec_t) + ') + ++####################################### ++## ++## Execute ipsec in the ipsec_mgmt domain. ++## ++## ++## ++## The type of the process performing this action. ++## ++## ++# ++interface(`ipsec_domtrans_mgmt',` ++ gen_require(` ++ type ipsec_mgmt_t, ipsec_mgmt_exec_t; ++ ') ++ ++ domtrans_pattern($1, ipsec_mgmt_exec_t, ipsec_mgmt_t) ++') ++ + ######################################## + ## + ## Connect to IPSEC using a unix domain stream socket. 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.7.19/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/ipsec.te 2010-05-28 09:42:00.219610910 +0200 @@ -33767,7 +34031,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ######################################## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.7.19/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-05-28 09:42:00.221610567 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/iptables.te 2010-06-16 22:25:36.553110244 +0200 @@ -14,9 +14,6 @@ type iptables_initrc_exec_t; init_script_file(iptables_initrc_exec_t) @@ -33843,6 +34107,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptabl ') optional_policy(` +@@ -113,6 +122,7 @@ + + optional_policy(` + psad_rw_tmp_files(iptables_t) ++ psad_write_log(iptables_t) + ') + + optional_policy(` diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.if serefpolicy-3.7.19/policy/modules/system/iscsi.if --- nsaserefpolicy/policy/modules/system/iscsi.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/iscsi.if 2010-05-28 09:42:00.221610567 +0200 
@@ -33882,7 +34154,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. domain_dontaudit_read_all_domains_state(iscsid_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.19/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-05-28 09:42:00.223612180 +0200 ++++ serefpolicy-3.7.19/policy/modules/system/libraries.fc 2010-06-16 22:39:22.642859150 +0200 @@ -131,13 +131,13 @@ /usr/lib/vlc/codec/libdmo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/vlc/codec/librealaudio_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -33899,7 +34171,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libADM5.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libatiadlxx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/win32/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -208,6 +208,7 @@ +@@ -151,6 +151,7 @@ + /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/sse2/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/libzita-convolver\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) +@@ -208,6 +209,7 @@ /usr/lib(64)?/libstdc\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libg\+\+\.so\.2\.7\.2\.8 -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -33907,7 +34187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/libglide3\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libglide3-v[0-9]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -302,13 +303,8 @@ +@@ -302,13 +304,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -33923,7 +34203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ') dnl end distro_redhat # -@@ -319,14 +315,148 @@ +@@ -319,14 +316,148 @@ /var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -34536,8 +34816,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.7.19/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2010-04-13 20:44:37.000000000 +0200 -+++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-05-28 09:42:00.506610871 +0200 -@@ -76,6 +76,8 @@ ++++ serefpolicy-3.7.19/policy/modules/system/miscfiles.fc 2010-06-16 23:04:05.990110101 +0200 +@@ -76,12 +76,16 @@ /var/cache/man(/.*)? gen_context(system_u:object_r:man_t,s0) /var/lib/cobbler/webui_sessions(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) @@ -34546,6 +34826,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) + /var/spool/texmf(/.*)? gen_context(system_u:object_r:tetex_data_t,s0) + + /var/www/cobbler/images(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) ++/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) ++/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:public_content_rw_t, s0) + + ifdef(`distro_debian',` + /var/lib/msttcorefonts(/.*)? gen_context(system_u:object_r:fonts_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.7.19/policy/modules/system/miscfiles.if --- nsaserefpolicy/policy/modules/system/miscfiles.if 2010-04-13 20:44:37.000000000 +0200 +++ serefpolicy-3.7.19/policy/modules/system/miscfiles.if 2010-05-28 09:42:00.507610874 +0200 
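Review bot: `/var/www/cobbler/ks_mirror(/.*)?` and `/var/www/cobbler/links(/.*)?` are labelled `public_content_rw_t`, the shared anonymous-write type: once the corresponding anon-write booleans of httpd, ftpd, rsync or samba are enabled, each of those services can modify these trees, and ks_mirror presumably holds the installation trees served to hosts being provisioned. That is a wider write surface than cobbler itself needs; the same commit introduces a cobbler-private `httpd_cobbler_content_rw_t` through `apache_content_template(cobbler)` in cobbler.te, which would let cobblerd_t and httpd manage these directories without opening them to every anon-write service. If the shared rw type is kept on purpose, a comment next to the two entries naming the other services that must write here would document the choice.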
@@ -34561,15 +34849,34 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.7.19/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/modutils.if 2010-06-15 18:40:03.063767415 +0200
-@@ -59,6 +59,7 @@
- files_search_etc($1)
- files_search_boot($1)
-
-+ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
- read_files_pattern($1, modules_conf_t, modules_conf_t)
- read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
++++ serefpolicy-3.7.19/policy/modules/system/modutils.if 2010-06-16 22:16:32.597859978 +0200
+@@ -37,6 +37,26 @@
+ allow $1 modules_dep_t:file read_file_perms;
 ')
+
++#######################################
++##
++## list the configuration options used when
++## loading modules.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++#
++interface(`modutils_list_module_config',`
++ gen_require(`
++ type modules_conf_t;
++ ')
++
++ list_dirs_pattern($1, modules_conf_t, modules_conf_t)
++')
++
+ ########################################
+ ##
+ ## Read the configuration options used when
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.7.19/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te 2010-04-13 20:44:37.000000000 +0200
 +++ serefpolicy-3.7.19/policy/modules/system/modutils.te 2010-05-28 09:42:00.507610874 +0200
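Review bot: The summary of the new modutils_list_module_config interface reads `list the configuration options used when loading modules.`, but the body only calls list_dirs_pattern on modules_conf_t, i.e. it lists the directories holding module configuration and reads nothing; it also starts lowercase, unlike the neighbouring `## Read the configuration options used when` summary. Suggest `++## List the directories containing module configuration.` as the summary text. Note also that the search permissions a caller needs to reach those directories (files_search_etc / files_search_boot, visible in the removed lines of modutils_read_module_config) are not part of the new interface, so a caller using it without modutils_read_module_config may still be denied; either add the searches here or state in the summary that the read interface is expected alongside.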
@@ -34871,7 +35178,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.7.19/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te 2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-06-08 14:39:55.422610327 +0200
++++ serefpolicy-3.7.19/policy/modules/system/mount.te 2010-06-16 22:37:37.073110200 +0200
 @@ -18,8 +18,15 @@
 init_system_domain(mount_t, mount_exec_t)
 role system_r types mount_t;
@@ -34975,7 +35282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
-@@ -80,15 +125,18 @@
+@@ -80,15 +125,19 @@
 files_read_usr_files(mount_t)
 files_list_mnt(mount_t)
@@ -34993,11 +35300,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +fs_manage_tmpfs_dirs(mount_t)
 fs_read_tmpfs_symlinks(mount_t)
 +fs_read_fusefs_files(mount_t)
++fs_read_nfs_symlinks(mount_t)
 +fs_manage_nfs_dirs(mount_t)
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)
-@@ -99,6 +147,7 @@
+@@ -99,6 +148,7 @@
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
@@ -35005,7 +35313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 term_use_all_terms(mount_t)
-@@ -107,6 +156,8 @@
+@@ -107,6 +157,8 @@
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
@@ -35014,7 +35322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 logging_send_syslog_msg(mount_t)
-@@ -117,6 +168,12 @@
+@@ -117,6 +169,12 @@
 seutil_read_config(mount_t)
 userdom_use_all_users_fds(mount_t)
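Review bot: `++fs_read_nfs_symlinks(mount_t)` in the @@ -34993 hunk is added unconditionally, next to fs_manage_nfs_dirs(mount_t), with no comment on what mount needs it for, and the change is not reflected in this commit's changelog entry. A one-line why-comment would let later reviewers judge whether the permission is still required, e.g. `+# mount needs to follow symlinks inside NFS-mounted trees (denial ref: <placeholder>)`, adjusted to the actual denial that motivated it. The rule list of mount.te continues outside this hunk.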
@@ -35027,7 +35335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ifdef(`distro_redhat',`
 optional_policy(`
-@@ -132,10 +189,17 @@
+@@ -132,10 +190,17 @@
 ')
 ')
@@ -35045,7 +35353,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 optional_policy(`
-@@ -165,6 +229,8 @@
+@@ -165,6 +230,8 @@
 fs_search_rpc(mount_t)
 rpc_stub(mount_t)
@@ -35054,7 +35362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 optional_policy(`
-@@ -172,6 +238,25 @@
+@@ -172,6 +239,25 @@
 ')
 optional_policy(`
@@ -35080,7 +35388,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ifdef(`hide_broken_symptoms',`
 # for a bug in the X server
 rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +264,11 @@
+@@ -179,6 +265,11 @@
 ')
 ')
@@ -35092,7 +35400,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 # for kernel package installation
 optional_policy(`
 rpm_rw_pipes(mount_t)
-@@ -186,6 +276,19 @@
+@@ -186,6 +277,19 @@
 optional_policy(`
 samba_domtrans_smbmount(mount_t)
@@ -35112,7 +35420,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 ########################################
-@@ -194,6 +297,42 @@
+@@ -194,6 +298,42 @@
 #
 optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3a0da96..e584b5d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -471,6 +471,10 @@ exit 0
 %changelog
 * Wed Jun 16 2010 Miroslav Grepl 3.7.19-30
 - Allow sysadm to run ncftool
+- Fixes for cobbler policy
+- Allow Network Manager to transition to ipsec_mgmt domain
+- Add label for /usr/libexec/nm-openswan-service
+- Add label for /dev
 * Tue Jun 15 2010 Miroslav Grepl 3.7.19-29
 - Allow abrt sigkill