From 40d128e5a8853f0ee5593b9aef0d02d4caa286e1 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 20 2009 22:59:51 +0000 Subject: - Fixes found for confined users day --- diff --git a/booleans-targeted.conf b/booleans-targeted.conf index 39cfd0c..3e7696a 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -174,6 +174,10 @@ spamd_enable_home_dirs = false # user_direct_mouse = false +# Allow regular users direct dri access +# +user_direct_dri = true + # Allow users to read system messages. # user_dmesg = false diff --git a/policy-F12.patch b/policy-F12.patch index d78a57d..31522dc 100644 --- a/policy-F12.patch +++ b/policy-F12.patch @@ -641,7 +641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if --- nsaserefpolicy/policy/modules/admin/rpm.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-10-20 10:47:48.000000000 -0400 @@ -13,11 +13,34 @@ interface(`rpm_domtrans',` gen_require(` @@ -689,7 +689,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_run_loadpolicy(rpm_script_t, $2) seutil_run_semanage(rpm_script_t, $2) seutil_run_setfiles(rpm_script_t, $2) -@@ -146,6 +174,35 @@ +@@ -146,6 +174,36 @@ ######################################## ## @@ -718,6 +718,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dontaudit $1 rpm_t:shm rw_shm_perms; + dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms; + dontaudit $1 rpm_tmpfs_t:file write_file_perms; ++ dontaudit $1 rpm_t:tcp_socket rw_socket_perms; +') + +######################################## 
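Review bot: `user_direct_dri = true` ships the new boolean enabled, so on targeted systems every confined user domain built from the affected userdomain template moves from `dev_dontaudit_rw_dri` to `dev_rw_dri`; that is a deliberate relaxation and the one-line comment should say what it buys and costs, e.g. `# Allow regular users direct dri access (3D acceleration); set to false to keep confined users off /dev/dri`. The `gen_tunable(user_direct_dri, ...)` declaration that has to back this setting is not in the part of the commit visible here (the userdomain.te hunks at the end are cut off), so it is worth confirming it exists, otherwise the module will not build and this line is a no-op.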
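Review bot: The new `dontaudit $1 rpm_t:tcp_socket rw_socket_perms;` hides an fd leak without naming it: it silences read/write on a TCP socket that rpm_t left open across an exec, presumably a download connection from yum/PackageKit inherited by a scriptlet child. Dontaudit is the conventional fix for inherited descriptors, but the next reader should not mistake it for a denial that needs an allow; a comment such as `# leaked network fd from rpm_t (yum/PackageKit); harmless, should be CLOEXEC on the rpm side` above the line would make that clear. The interface name is collapsed out of this hunk header, so I cannot confirm which dontaudit interface it lands in.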
@@ -725,7 +726,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## rpm over dbus. ## -@@ -167,6 +224,48 @@ +@@ -167,6 +225,48 @@ ######################################## ## @@ -774,7 +775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Create, read, write, and delete the RPM log. ## ## -@@ -186,6 +285,24 @@ +@@ -186,6 +286,24 @@ ######################################## ## @@ -799,7 +800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Inherit and use file descriptors from RPM scripts. ## ## -@@ -219,7 +336,51 @@ +@@ -219,7 +337,51 @@ ') files_search_tmp($1) @@ -851,7 +852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -241,6 +402,25 @@ +@@ -241,6 +403,25 @@ allow $1 rpm_var_lib_t:dir list_dir_perms; read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t) @@ -877,7 +878,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -265,6 +445,47 @@ +@@ -265,6 +446,47 @@ ######################################## ## @@ -925,7 +926,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Do not audit attempts to create, read, ## write, and delete the RPM package database. ## -@@ -283,3 +504,46 @@ +@@ -283,3 +505,46 @@ dontaudit $1 rpm_var_lib_t:file manage_file_perms; dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms; ') 
@@ -7310,7 +7311,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /dev/tty -c gen_context(system_u:object_r:devtty_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.6.32/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-13 18:05:04.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/kernel/terminal.if 2009-10-20 18:45:22.000000000 -0400 @@ -196,7 +196,7 @@ dev_list_all_dev_nodes($1) @@ -12649,7 +12650,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/local/linuxprinter/ppd(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.6.32/policy/modules/services/cups.te --- nsaserefpolicy/policy/modules/services/cups.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-14 10:29:26.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/cups.te 2009-10-20 18:48:38.000000000 -0400 @@ -23,6 +23,9 @@ type cupsd_initrc_exec_t; init_script_file(cupsd_initrc_exec_t) @@ -12703,7 +12704,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol seutil_read_config(cupsd_t) sysnet_exec_ifconfig(cupsd_t) -@@ -327,7 +338,7 @@ +@@ -317,6 +328,10 @@ + ') + + optional_policy(` ++ snmp_read_snmp_var_lib_files(cupsd_t) ++') ++ ++optional_policy(` + udev_read_db(cupsd_t) + ') + +@@ -327,7 +342,7 @@ allow cupsd_config_t self:capability { chown dac_override sys_tty_config }; dontaudit cupsd_config_t self:capability sys_tty_config; 
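Review bot: `snmp_read_snmp_var_lib_files(cupsd_t)` opens the whole snmp var_lib type to cupsd_t, and on Fedora that type covers /var/lib/net-snmp, where snmpd also persists its own state (including SNMPv3 user entries), not only the MIB index cache a client library reads. If the consumer is an SNMP-capable backend running as cupsd_t that only needs the mib_indexes files, say so above the rule, e.g. `# net-snmp client library in backends reads /var/lib/net-snmp/mib_indexes`; if the trigger is cupsd's own snmp backend, that backend does not use net-snmp and the rule may be masking a different denial. The AVC that motivated this is not in the diff, so the labeling claim should be checked against snmp.fc before merging.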
@@ -12712,7 +12724,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow cupsd_config_t self:fifo_file rw_fifo_file_perms; allow cupsd_config_t self:unix_stream_socket create_socket_perms; allow cupsd_config_t self:unix_dgram_socket create_socket_perms; -@@ -407,6 +418,7 @@ +@@ -407,6 +422,7 @@ userdom_dontaudit_use_unpriv_user_fds(cupsd_config_t) userdom_dontaudit_search_user_home_dirs(cupsd_config_t) @@ -12720,7 +12732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol cups_stream_connect(cupsd_config_t) -@@ -419,12 +431,15 @@ +@@ -419,12 +435,15 @@ ') optional_policy(` @@ -12738,7 +12750,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` hal_dbus_chat(cupsd_config_t) -@@ -446,6 +461,10 @@ +@@ -446,6 +465,10 @@ ') optional_policy(` @@ -12749,7 +12761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol rpm_read_db(cupsd_config_t) ') -@@ -542,6 +561,8 @@ +@@ -542,6 +565,8 @@ manage_dirs_pattern(cups_pdf_t, cups_pdf_tmp_t, cups_pdf_tmp_t) files_tmp_filetrans(cups_pdf_t, cups_pdf_tmp_t, { file dir }) @@ -12758,7 +12770,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_system_state(cups_pdf_t) files_read_etc_files(cups_pdf_t) -@@ -556,11 +577,15 @@ +@@ -556,11 +581,15 @@ miscfiles_read_fonts(cups_pdf_t) userdom_home_filetrans_user_home_dir(cups_pdf_t) @@ -12774,7 +12786,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(cups_pdf_t) -@@ -601,6 +626,9 @@ +@@ -601,6 +630,9 @@ read_lnk_files_pattern(hplip_t, hplip_etc_t, hplip_etc_t) files_search_etc(hplip_t) 
@@ -13304,7 +13316,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.6.32/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-10-05 09:17:34.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/dovecot.te 2009-10-20 14:55:45.000000000 -0400 @@ -56,7 +56,7 @@ allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot }; @@ -13347,6 +13359,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # dovecot deliver local policy +@@ -260,3 +267,14 @@ + optional_policy(` + mta_manage_spool(dovecot_deliver_t) + ') ++ ++tunable_policy(`use_nfs_home_dirs',` ++ fs_manage_nfs_files(dovecot_t) ++ fs_manage_nfs_symlinks(dovecot_t) ++') ++ ++tunable_policy(`use_samba_home_dirs',` ++ fs_manage_cifs_files(dovecot_t) ++ fs_manage_cifs_symlinks(dovecot_t) ++') ++ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.6.32/policy/modules/services/exim.te --- nsaserefpolicy/policy/modules/services/exim.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/exim.te 2009-09-30 16:12:48.000000000 -0400 
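Review bot: The new NFS/CIFS tunables grant `fs_manage_nfs_files`/`fs_manage_nfs_symlinks` (and the cifs equivalents) to dovecot_t but no directory permissions, so Maildir or index work on a home directory mounted over NFS or CIFS will still be denied as soon as dovecot has to create cur/new/tmp or an index directory; add `fs_manage_nfs_dirs(dovecot_t)` and `fs_manage_cifs_dirs(dovecot_t)` next to them if that is the use case. The block is also appended after the "dovecot deliver local policy" section yet only names dovecot_t, so dovecot_deliver_t, the domain that actually writes into user mailboxes, gets nothing from it; either move the block up to the dovecot_t section or cover both domains. Which of the two domains hit the original denial is not visible here.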
@@ -13858,6 +13885,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_list_proc(howl_t) kernel_read_proc_symlinks(howl_t) +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.fc serefpolicy-3.6.32/policy/modules/services/inetd.fc +--- nsaserefpolicy/policy/modules/services/inetd.fc 2009-07-14 14:19:57.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/inetd.fc 2009-10-20 08:54:47.000000000 -0400 +@@ -9,4 +9,4 @@ + + /var/log/(x)?inetd\.log -- gen_context(system_u:object_r:inetd_log_t,s0) + +-/var/run/inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) ++/var/run/(x)?inetd\.pid -- gen_context(system_u:object_r:inetd_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.6.32/policy/modules/services/inetd.te --- nsaserefpolicy/policy/modules/services/inetd.te 2009-08-14 16:14:31.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/services/inetd.te 2009-09-30 16:12:48.000000000 -0400 @@ -18949,7 +18985,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/samba.te 2009-10-20 15:50:54.000000000 -0400 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) 
@@ -21199,7 +21235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if --- nsaserefpolicy/policy/modules/services/virt.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-20 18:38:58.000000000 -0400 @@ -136,7 +136,7 @@ ') @@ -21364,7 +21400,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.32/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-01 16:59:54.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/services/virt.te 2009-10-20 18:29:08.000000000 -0400 @@ -20,6 +20,28 @@ ## gen_tunable(virt_use_samba, false) @@ -21471,7 +21507,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t) manage_files_pattern(virtd_t, virt_log_t, virt_log_t) -@@ -86,7 +144,8 @@ +@@ -76,6 +134,7 @@ + + manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) + manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) ++manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t) + files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir }) + + manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t) +@@ -86,7 +145,8 @@ kernel_read_system_state(virtd_t) kernel_read_network_state(virtd_t) kernel_rw_net_sysctls(virtd_t) 
@@ -21481,7 +21525,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(virtd_t) corecmd_exec_shell(virtd_t) -@@ -97,30 +156,55 @@ +@@ -97,30 +157,55 @@ corenet_tcp_sendrecv_generic_node(virtd_t) corenet_tcp_sendrecv_all_ports(virtd_t) corenet_tcp_bind_generic_node(virtd_t) @@ -21540,7 +21584,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_use_ptmx(virtd_t) auth_use_nsswitch(virtd_t) -@@ -130,7 +214,14 @@ +@@ -130,7 +215,14 @@ logging_send_syslog_msg(virtd_t) @@ -21555,7 +21599,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`virt_use_nfs',` fs_manage_nfs_dirs(virtd_t) -@@ -168,22 +259,36 @@ +@@ -168,22 +260,36 @@ dnsmasq_domtrans(virtd_t) dnsmasq_signal(virtd_t) dnsmasq_kill(virtd_t) @@ -21597,7 +21641,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -196,8 +301,162 @@ +@@ -196,8 +302,162 @@ xen_stream_connect(virtd_t) xen_stream_connect_xenstore(virtd_t) @@ -24656,7 +24700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.32/policy/modules/system/ipsec.te --- nsaserefpolicy/policy/modules/system/ipsec.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/ipsec.te 2009-10-20 11:08:58.000000000 -0400 @@ -6,6 +6,13 @@ # Declarations # 
@@ -24699,7 +24743,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow ipsec_t self:capability { net_admin dac_override dac_read_search sys_nice }; dontaudit ipsec_t self:capability sys_tty_config; -allow ipsec_t self:process { signal setsched }; -+allow ipsec_t self:process { getsched signal setsched }; ++allow ipsec_t self:process { getcap setcap getsched signal setsched }; allow ipsec_t self:tcp_socket create_stream_socket_perms; allow ipsec_t self:udp_socket create_socket_perms; allow ipsec_t self:key_socket create_socket_perms; @@ -24718,7 +24762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_lnk_files_pattern(ipsec_t, ipsec_key_file_t, ipsec_key_file_t) manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -82,7 +97,7 @@ +@@ -82,16 +97,17 @@ # so try flipping back into the ipsec_mgmt_t domain corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t) allow ipsec_mgmt_t ipsec_t:fd use; @@ -24726,8 +24770,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms; allow ipsec_mgmt_t ipsec_t:process sigchld; - kernel_read_kernel_sysctls(ipsec_t) -@@ -120,7 +135,9 @@ +-kernel_read_kernel_sysctls(ipsec_t) + kernel_list_proc(ipsec_t) ++kernel_read_kernel_sysctls(ipsec_t) + kernel_read_proc_symlinks(ipsec_t) + # allow pluto to access /proc/net/ipsec_eroute; + kernel_read_system_state(ipsec_t) + kernel_read_network_state(ipsec_t) + kernel_read_software_raid_state(ipsec_t) ++kernel_request_load_module(ipsec_t) + kernel_getattr_core_if(ipsec_t) + kernel_getattr_message_if(ipsec_t) + +@@ -120,7 +136,9 @@ domain_use_interactive_fds(ipsec_t) 
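Review bot: `kernel_request_load_module(ipsec_t)` lets the IKE daemon trigger kernel module autoloading by alias, and together with the `setcap` added to `self:process` in the hunk above there is no comment saying what either is for, so a reader cannot tell whether this is pluto loading xfrm/esp/ah and dropping capabilities after setup (both reasonable) or a work-around for something else. Add why-comments on the two lines, e.g. `# pluto drops capabilities once sockets are set up` above the process rule and `# autoload xfrm/esp/ah via request_module` above the module rule. If the modules are only needed at startup, having the init script modprobe them and leaving request_module out of ipsec_t is the narrower choice.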
@@ -24737,7 +24792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_fs(ipsec_t) fs_search_auto_mountpoints(ipsec_t) -@@ -154,12 +171,12 @@ +@@ -154,12 +172,12 @@ # allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search }; @@ -24752,7 +24807,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms; files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file) -@@ -241,6 +258,7 @@ +@@ -241,6 +259,7 @@ init_use_script_ptys(ipsec_mgmt_t) init_exec_script_files(ipsec_mgmt_t) init_use_fds(ipsec_mgmt_t) @@ -24760,7 +24815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(ipsec_mgmt_t) -@@ -280,6 +298,13 @@ +@@ -280,6 +299,13 @@ allow racoon_t self:netlink_selinux_socket { bind create read }; allow racoon_t self:udp_socket create_socket_perms; allow racoon_t self:key_socket create_socket_perms; @@ -24774,7 +24829,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # manage pid file manage_files_pattern(racoon_t, ipsec_var_run_t, ipsec_var_run_t) -@@ -297,6 +322,13 @@ +@@ -297,6 +323,13 @@ kernel_read_system_state(racoon_t) kernel_read_network_state(racoon_t) @@ -24788,7 +24843,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(racoon_t) corenet_tcp_sendrecv_all_if(racoon_t) corenet_udp_sendrecv_all_if(racoon_t) -@@ -314,6 +346,8 @@ +@@ -314,6 +347,8 @@ files_read_etc_files(racoon_t) @@ -24797,7 +24852,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # allow racoon to use avc_has_perm to check context on proposed SA selinux_compute_access_vector(racoon_t) -@@ -328,6 +362,14 @@ +@@ -328,6 +363,14 @@ miscfiles_read_localization(racoon_t) 
@@ -24812,7 +24867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Setkey local policy -@@ -347,6 +389,7 @@ +@@ -347,6 +390,7 @@ files_read_etc_files(setkey_t) init_dontaudit_use_fds(setkey_t) @@ -24957,7 +25012,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.32/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2009-09-09 09:23:16.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/iptables.te 2009-10-20 11:08:22.000000000 -0400 @@ -11,6 +11,12 @@ init_system_domain(iptables_t, iptables_exec_t) role system_r types iptables_t; @@ -25373,8 +25428,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.6.32/policy/modules/system/libraries.if --- nsaserefpolicy/policy/modules/system/libraries.if 2009-07-14 14:19:57.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-15 15:48:13.000000000 -0400 -@@ -247,7 +247,7 @@ ++++ serefpolicy-3.6.32/policy/modules/system/libraries.if 2009-10-20 14:41:55.000000000 -0400 +@@ -17,6 +17,7 @@ + + corecmd_search_bin($1) + domtrans_pattern($1, ldconfig_exec_t, ldconfig_t) ++ allow $1 ldconfig_t:process noatsecure; + ') + + ######################################## +@@ -247,7 +248,7 @@ type lib_t; ') 
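Review bot: `allow $1 ldconfig_t:process noatsecure;` in `libs_domtrans_ldconfig` clears AT_SECURE on the transition for every caller of the interface, so the new ldconfig_t process runs without glibc's secure-mode environment sanitising (LD_*, MALLOC_*, LOCPATH-style variables are honoured) no matter how trusted the calling domain is. A grant like that belongs with the specific caller that needs it, or at minimum behind a comment such as `# keep caller environment across the transition (rpm scriptlets); disables AT_SECURE sanitising`, rather than silently in the generic domtrans interface. /sbin/ldconfig being statically linked limits what a hostile environment can do, but ldconfig_t writes ld_so_cache_t, so the set of domains allowed to reach this interface should be reviewed before it becomes the default.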
@@ -25383,7 +25446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol list_dirs_pattern($1, lib_t, lib_t) read_files_pattern($1, lib_t, lib_t) read_lnk_files_pattern($1, lib_t, lib_t) -@@ -401,7 +401,7 @@ +@@ -401,7 +402,7 @@ type lib_t, textrel_shlib_t; ') @@ -25394,7 +25457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mmap_files_pattern($1, lib_t, { lib_t textrel_shlib_t }) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.6.32/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/libraries.te 2009-10-20 18:45:39.000000000 -0400 @@ -58,11 +58,11 @@ # ldconfig local policy # @@ -25409,7 +25472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_etc_filetrans(ldconfig_t, ld_so_cache_t, file) manage_dirs_pattern(ldconfig_t, ldconfig_tmp_t, ldconfig_tmp_t) -@@ -76,16 +76,21 @@ +@@ -76,21 +76,27 @@ fs_getattr_xattr_fs(ldconfig_t) @@ -25431,7 +25494,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol miscfiles_read_localization(ldconfig_t) -@@ -100,6 +105,10 @@ + logging_send_syslog_msg(ldconfig_t) + ++term_use_console(ldconfig_t) + userdom_use_user_terminals(ldconfig_t) + userdom_use_all_users_fds(ldconfig_t) + +@@ -100,6 +106,10 @@ ') ') @@ -25442,7 +25511,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`hide_broken_symptoms',` optional_policy(` unconfined_dontaudit_rw_tcp_sockets(ldconfig_t) -@@ -123,3 +132,7 @@ +@@ -123,3 +133,7 @@ # blow up. rpm_manage_script_tmp_files(ldconfig_t) ') 
@@ -25777,7 +25846,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.6.32/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2009-08-14 16:14:31.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/lvm.te 2009-10-20 18:39:22.000000000 -0400 @@ -10,6 +10,9 @@ type clvmd_exec_t; init_daemon_domain(clvmd_t, clvmd_exec_t) @@ -25886,6 +25955,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` modutils_domtrans_insmod(lvm_t) +@@ -329,6 +352,10 @@ + ') + + optional_policy(` ++ virt_manage_images(lvm_t) ++') ++ ++optional_policy(` + xen_append_log(lvm_t) + xen_dontaudit_rw_unix_stream_sockets(lvm_t) + ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.6.32/policy/modules/system/miscfiles.fc --- nsaserefpolicy/policy/modules/system/miscfiles.fc 2009-07-14 14:19:57.000000000 -0400 +++ serefpolicy-3.6.32/policy/modules/system/miscfiles.fc 2009-10-09 09:06:59.000000000 -0400 @@ -28652,7 +28732,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +HOME_DIR/\.gvfs(/.*)? <> diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 08:04:43.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2009-10-20 14:59:26.000000000 -0400 @@ -30,8 +30,9 @@ ') 
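Review bot: `virt_manage_images(lvm_t)` gives the LVM tools create/write/delete access to everything labelled as a VM disk image, while the case that presumably motivates it, LVM operating on logical volumes that libvirt has relabelled as images, needs read/write on the block device nodes rather than management of image files and directories. If virt.if provides a narrower block-device read/write interface, use that; otherwise add a comment naming the trigger, e.g. `# lvextend/lvremove on LVs libvirt labelled virt_image_t`. The body of `virt_manage_images` is not in the diff, so its exact scope is inferred from the name.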
@@ -29022,7 +29102,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -420,35 +414,48 @@ +@@ -420,35 +414,54 @@ ## is the prefix for user_t). ## ## @@ -29052,7 +29132,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol - dev_getattr_agp_dev($1_t) - dev_dontaudit_rw_dri($1_t) + dev_getattr_agp_dev($1) -+ dev_dontaudit_rw_dri($1) ++ ++ tunable_policy(`user_direct_dri',` ++ dev_rw_dri($1) ++ ',` ++ dev_dontaudit_rw_dri($1) ++ ') ++ # GNOME checks for usb and other devices: - dev_rw_usbfs($1_t) + dev_rw_usbfs($1) @@ -29090,7 +29176,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -498,7 +505,7 @@ +@@ -498,7 +511,7 @@ attribute unpriv_userdomain; ') @@ -29099,7 +29185,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ############################## # -@@ -508,182 +515,213 @@ +@@ -508,182 +521,213 @@ # evolution and gnome-session try to create a netlink socket dontaudit $1_t self:netlink_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown }; dontaudit $1_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write }; @@ -29386,7 +29472,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -711,13 +749,26 @@ +@@ -711,13 +755,26 @@ userdom_base_user_template($1) @@ -29418,7 +29504,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_change_password_template($1) -@@ -735,70 +786,72 @@ +@@ -735,70 +792,72 @@ allow $1_t self:context contains; @@ -29524,7 +29610,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -826,6 +879,8 @@ +@@ -826,6 +885,8 @@ ') userdom_login_user_template($1) 
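Review bot: The new `tunable_policy(`user_direct_dri', ...)` block references a boolean whose `gen_tunable` declaration does not appear in the visible part of this commit (the userdomain.te hunks at the end are cut off), and without it the userdomain module fails to build; if the declaration is present it should carry the usual description block, e.g. `## <p>Allow regular users direct access to dri devices.</p>`, so the boolean shows up with a meaning in semanage. Note that `dev_getattr_agp_dev($1)` stays unconditional next to it, which is fine but worth a glance for consistency. The template containing this block starts and ends outside the hunk.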
@@ -29533,18 +29619,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol typeattribute $1_t unpriv_userdomain; domain_interactive_fd($1_t) -@@ -835,6 +890,32 @@ - # Local policy +@@ -836,6 +897,25 @@ # -+ tunable_policy(`user_rw_noexattrfile',` -+ fs_manage_noxattr_fs_files($1_usertype) -+ fs_manage_noxattr_fs_dirs($1_usertype) -+ fs_manage_dos_dirs($1_usertype) -+ fs_manage_dos_files($1_usertype) -+ ') -+ -+ optional_policy(` + optional_policy(` + dbus_role_template($1, $1_r, $1_usertype) + dbus_system_bus_client($1_usertype) + allow $1_usertype $1_usertype:dbus send_msg; @@ -29563,10 +29641,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + ') + ') + - optional_policy(` ++ optional_policy(` loadkeys_run($1_t,$1_r) ') -@@ -865,51 +946,84 @@ + ') +@@ -865,51 +945,93 @@ userdom_restricted_user_template($1) @@ -29583,12 +29662,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_role($1_r, $1_t) - auth_search_pam_console_data($1_t) + auth_search_pam_console_data($1_usertype) -+ -+ xserver_role($1_r, $1_t) -+ xserver_communicate($1_usertype, $1_usertype) - dev_read_sound($1_t) - dev_write_sound($1_t) ++ xserver_role($1_r, $1_t) ++ xserver_communicate($1_usertype, $1_usertype) ++ + dev_read_sound($1_usertype) + dev_write_sound($1_usertype) # gnome keyring wants to read this. @@ -29601,6 +29680,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + dev_read_video_dev($1_usertype) + dev_write_video_dev($1_usertype) + ++ tunable_policy(`user_rw_noexattrfile',` ++ fs_manage_noxattr_fs_files($1_usertype) ++ fs_manage_noxattr_fs_dirs($1_usertype) ++ fs_manage_dos_dirs($1_usertype) ++ fs_manage_dos_files($1_usertype) ++ storage_raw_read_removable_device($1_usertype) ++ storage_raw_write_removable_device($1_usertype) ++ ') ++ + logging_send_syslog_msg($1_usertype) logging_dontaudit_send_audit_msgs($1_t) 
@@ -29664,7 +29752,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -943,8 +1057,8 @@ +@@ -943,8 +1065,8 @@ # Declarations # @@ -29674,7 +29762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_common_user_template($1) ############################## -@@ -953,58 +1067,67 @@ +@@ -953,58 +1075,67 @@ # # port access is audited even if dac would not have allowed it, so dontaudit it here @@ -29772,7 +29860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -1040,7 +1163,7 @@ +@@ -1040,7 +1171,7 @@ template(`userdom_admin_user_template',` gen_require(` attribute admindomain; @@ -29781,7 +29869,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ############################## -@@ -1049,8 +1172,7 @@ +@@ -1049,8 +1180,7 @@ # # Inherit rules for ordinary users. @@ -29791,7 +29879,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol domain_obj_id_change_exemption($1_t) role system_r types $1_t; -@@ -1075,6 +1197,9 @@ +@@ -1075,6 +1205,9 @@ # Skip authentication when pam_rootok is specified. allow $1_t self:passwd rootok; @@ -29801,7 +29889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_read_software_raid_state($1_t) kernel_getattr_core_if($1_t) kernel_getattr_message_if($1_t) -@@ -1089,6 +1214,7 @@ +@@ -1089,6 +1222,7 @@ kernel_sigstop_unlabeled($1_t) kernel_signull_unlabeled($1_t) kernel_sigchld_unlabeled($1_t) @@ -29809,7 +29897,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_bind_generic_port($1_t) # allow setting up tunnels -@@ -1096,8 +1222,6 @@ +@@ -1096,8 +1230,6 @@ dev_getattr_generic_blk_files($1_t) dev_getattr_generic_chr_files($1_t) 
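Review bot: Placing `storage_raw_read_removable_device($1_usertype)` and `storage_raw_write_removable_device($1_usertype)` under `user_rw_noexattrfile` gives confined desktop users raw block access to removable disks, which is a different and larger privilege than the boolean's name and description (read/write files on filesystems without xattrs) suggest: raw write bypasses the filesystem entirely and could be used to write an arbitrary image, setuid content included, that is mounted later. Either introduce a dedicated boolean (e.g. `user_rw_removable_raw`) or update the tunable's description in userdomain.te so an administrator flipping it knows what else it enables. Whether DAC ACLs on /dev/sd* already confine this to the console user is not visible here, and the restricted template this sits in starts before the hunk.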
@@ -29818,7 +29906,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Allow MAKEDEV to work dev_create_all_blk_files($1_t) dev_create_all_chr_files($1_t) -@@ -1124,6 +1248,8 @@ +@@ -1124,12 +1256,11 @@ files_exec_usr_src_files($1_t) fs_getattr_all_fs($1_t) @@ -29827,7 +29915,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_set_all_quotas($1_t) fs_exec_noxattr($1_t) -@@ -1152,20 +1278,6 @@ +- storage_raw_read_removable_device($1_t) +- storage_raw_write_removable_device($1_t) +- + term_use_all_terms($1_t) + + auth_getattr_shadow($1_t) +@@ -1152,20 +1283,6 @@ # But presently necessary for installing the file_contexts file. seutil_manage_bin_policy($1_t) @@ -29848,7 +29942,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` postgresql_unconfined($1_t) ') -@@ -1211,6 +1323,7 @@ +@@ -1211,6 +1328,7 @@ dev_relabel_all_dev_nodes($1) files_create_boot_flag($1) @@ -29856,7 +29950,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Necessary for managing /boot/efi fs_manage_dos_files($1) -@@ -1276,11 +1389,15 @@ +@@ -1276,11 +1394,15 @@ interface(`userdom_user_home_content',` gen_require(` type user_home_t; @@ -29872,7 +29966,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1391,12 +1508,13 @@ +@@ -1391,12 +1513,13 @@ ') allow $1 user_home_dir_t:dir search_dir_perms; @@ -29887,7 +29981,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -1429,6 +1547,14 @@ +@@ -1429,6 +1552,14 @@ allow $1 user_home_dir_t:dir list_dir_perms; files_search_home($1) 
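Review bot: Dropping `storage_raw_read_removable_device($1_t)` and `storage_raw_write_removable_device($1_t)` from `userdom_admin_user_template` means admin domains built from it no longer get raw removable-device access unconditionally; unless they obtain it elsewhere (the `user_rw_noexattrfile` branch added to the restricted xwindows template does not apply to this template), `dd` or `mkfs` on a USB disk as a confined admin will start being denied. If that is intended it belongs in the commit message; if not, the two lines should stay. The template starts before this hunk.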
@@ -29902,7 +29996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1444,9 +1570,11 @@ +@@ -1444,9 +1575,11 @@ interface(`userdom_dontaudit_list_user_home_dirs',` gen_require(` type user_home_dir_t; @@ -29914,7 +30008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1503,6 +1631,25 @@ +@@ -1503,6 +1636,25 @@ allow $1 user_home_dir_t:dir relabelto; ') @@ -29940,7 +30034,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## ## ## Create directories in the home dir root with -@@ -1577,6 +1724,8 @@ +@@ -1577,6 +1729,8 @@ ') dontaudit $1 user_home_t:dir search_dir_perms; @@ -29949,7 +30043,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1670,6 +1819,7 @@ +@@ -1670,6 +1824,7 @@ type user_home_dir_t, user_home_t; ') @@ -29957,7 +30051,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) files_search_home($1) ') -@@ -1797,19 +1947,32 @@ +@@ -1797,19 +1952,32 @@ # interface(`userdom_exec_user_home_content_files',` gen_require(` @@ -29997,7 +30091,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -1844,6 +2007,7 @@ +@@ -1844,6 +2012,7 @@ interface(`userdom_manage_user_home_content_files',` gen_require(` type user_home_dir_t, user_home_t; @@ -30005,7 +30099,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') manage_files_pattern($1, user_home_t, user_home_t) -@@ -2391,27 +2555,7 @@ +@@ -2391,27 +2560,7 @@ ######################################## ## 
@@ -30034,7 +30128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## ## ## -@@ -2749,7 +2893,7 @@ +@@ -2749,7 +2898,7 @@ domain_entry_file_spec_domtrans($1, unpriv_userdomain) allow unpriv_userdomain $1:fd use; @@ -30043,7 +30137,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow unpriv_userdomain $1:process sigchld; ') -@@ -2765,11 +2909,32 @@ +@@ -2765,11 +2914,32 @@ # interface(`userdom_search_user_home_content',` gen_require(` @@ -30078,17 +30172,59 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -2897,7 +3062,25 @@ +@@ -2897,12 +3067,12 @@ type user_tmp_t; ') - allow $1 user_tmp_t:file write_file_perms; + write_files_pattern($1, user_tmp_t, user_tmp_t) + ') + + ######################################## + ## +-## Do not audit attempts to use user ttys. ++## Delete all users files in /tmp + ## + ## + ## +@@ -2910,17 +3080,17 @@ + ## + ## + # +-interface(`userdom_dontaudit_use_user_ttys',` ++interface(`userdom_delete_user_tmp_files',` + gen_require(` +- type user_tty_device_t; ++ type user_tmp_t; + ') + +- dontaudit $1 user_tty_device_t:chr_file rw_file_perms; ++ allow $1 user_tmp_t:file delete_file_perms; + ') + + ######################################## + ## +-## Read the process state of all user domains. ++## Do not audit attempts to use user ttys. + ## + ## + ## +@@ -2928,12 +3098,31 @@ + ## + ## + # +-interface(`userdom_read_all_users_state',` ++interface(`userdom_dontaudit_use_user_ttys',` ++ gen_require(` ++ type user_tty_device_t; ++ ') ++ ++ dontaudit $1 user_tty_device_t:chr_file rw_file_perms; +') + +######################################## +## -+## Delete all users files in /tmp ++## Read the process state of all user domains. +## +## +## 
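Review bot: `userdom_delete_user_tmp_files` on the new side of the `@@ -30078,17 +30172,59 @@` hunk grants only `allow $1 user_tmp_t:file delete_file_perms;`, which covers getattr/unlink on the file but not the `remove_name` on the containing user_tmp_t directory that an unlink also needs, so a caller relying on this interface alone will still be denied. The same hunk already converts the neighbouring write interface to `write_files_pattern($1, user_tmp_t, user_tmp_t)`; the delete interface should use the matching form, `delete_files_pattern($1, user_tmp_t, user_tmp_t)`, which adds the directory permissions. The interface body is only moved by this commit, so the gap predates it, but this is the hunk where it is now defined.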
@@ -30096,16 +30232,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +## +# -+interface(`userdom_delete_user_tmp_files',` -+ gen_require(` -+ type user_tmp_t; -+ ') -+ -+ allow $1 user_tmp_t:file delete_file_perms; - ') - - ######################################## -@@ -2934,6 +3117,7 @@ ++interface(`userdom_read_all_users_state',` + gen_require(` + attribute userdomain; ') read_files_pattern($1, userdomain, userdomain) @@ -30113,7 +30242,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol kernel_search_proc($1) ') -@@ -3064,3 +3248,559 @@ +@@ -3064,3 +3253,559 @@ allow $1 userdomain:dbus send_msg; ') @@ -30675,7 +30804,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.6.32/policy/modules/system/userdomain.te --- nsaserefpolicy/policy/modules/system/userdomain.te 2009-08-31 13:30:04.000000000 -0400 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-09-30 16:12:48.000000000 -0400 ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.te 2009-10-20 14:58:48.000000000 -0400 @@ -8,13 +8,6 @@ ## @@ -30690,21 +30819,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Allow users to connect to PostgreSQL ##

##
-@@ -29,13 +22,6 @@ +@@ -29,10 +22,10 @@ ## ##

-## Allow users to read system messages. --##

--##
--gen_tunable(user_dmesg, false) -- --## --##

- ## Allow user to r/w files on filesystems - ## that do not have extended attributes (FAT, CDROM, FLOPPY) ++## Allow regular users direct dri device access ##

-@@ -54,11 +40,20 @@ + ##
+-gen_tunable(user_dmesg, false) ++gen_tunable(user_direct_dri, false) + + ## + ##

+@@ -54,11 +47,20 @@ # all user domains attribute userdomain; @@ -30727,7 +30855,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t }; fs_associate_tmpfs(user_home_dir_t) -@@ -72,6 +67,7 @@ +@@ -72,6 +74,7 @@ type user_home_t alias { staff_home_t sysadm_home_t secadm_home_t auditadm_home_t unconfined_home_t }; typealias user_home_t alias { staff_untrusted_content_t sysadm_untrusted_content_t secadm_untrusted_content_t auditadm_untrusted_content_t unconfined_untrusted_content_t }; @@ -30735,7 +30863,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_user_home_content(user_home_t) fs_associate_tmpfs(user_home_t) files_associate_tmp(user_home_t) -@@ -97,3 +93,25 @@ +@@ -97,3 +100,25 @@ type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t }; dev_node(user_tty_device_t) ubac_constrained(user_tty_device_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6590467..e2bca5d 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 29%{?dist} +Release: 30%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -449,6 +449,9 @@ exit 0 %endif %changelog +* Tue Oct 20 2009 Dan Walsh 3.6.32-30 +- Fixes found for confined users day + * Sat Oct 17 2009 Dan Walsh 3.6.32-29 - Allow ccs to communicate with userdomains, and create tmpfs_t - Add /dev/noz* as a modem_device_t and allow modemmanager to rw it.
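Review bot: `+gen_tunable(user_direct_dri, false)` in the `@@ -29,10 +22,10 @@` hunk declares the new boolean, but no `tunable_policy` block keyed on `user_direct_dri` is visible anywhere in this chunk, so it cannot be confirmed here that the dri grant is actually conditional on it. If the consumer sits elsewhere in policy-F12.patch that is fine; otherwise the boolean is inert and whatever `dev_rw_dri`-style access it is meant to gate stays unconditional for the user templates. Worth pointing at the consuming template in the tunable's description, e.g. `## Allow regular users direct dri device access (gates dev_rw_dri in the user templates)`, so the declaration and its use stay traceable.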