From 69e2c2dad09756b4bef32c48f04422a3d51f1cac Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Dec 01 2008 22:28:28 +0000 Subject: - Allow iptables dac permissions - Allow awstates to use inotify --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 03f3fca..d0e7e7c 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -1737,6 +1737,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## Send and receive messages from ## Vpnc over dbus. ## +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.5.13/policy/modules/apps/awstats.te +--- nsaserefpolicy/policy/modules/apps/awstats.te 2008-10-17 08:49:14.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/apps/awstats.te 2008-11-27 06:11:59.000000000 -0500 +@@ -47,6 +47,8 @@ + # e.g. /usr/share/awstats/lang/awstats-en.txt + files_read_usr_files(awstats_t) + ++fs_list_inotifyfs(awstats_t) ++ + libs_read_lib_files(awstats_t) + libs_use_ld_so(awstats_t) + libs_use_shared_libs(awstats_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ethereal.fc serefpolicy-3.5.13/policy/modules/apps/ethereal.fc --- nsaserefpolicy/policy/modules/apps/ethereal.fc 2008-10-17 08:49:14.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/apps/ethereal.fc 2008-11-24 10:49:49.000000000 -0500 
@@ -4495,8 +4507,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te --- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-24 10:49:49.000000000 -0500 -@@ -0,0 +1,274 @@ ++++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-12-01 16:31:11.000000000 -0500 +@@ -0,0 +1,276 @@ + +policy_module(nsplugin, 1.0.0) + @@ -4732,6 +4744,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +unprivuser_read_home_content_files(nsplugin_config_t) + +tunable_policy(`use_nfs_home_dirs',` ++ fs_getattr_nfs(nsplugin_t) + fs_manage_nfs_dirs(nsplugin_t) + fs_manage_nfs_files(nsplugin_t) + fs_read_nfs_symlinks(nsplugin_t) @@ -4743,6 +4756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') + +tunable_policy(`use_samba_home_dirs',` ++ fs_getattr_cifs(nsplugin_t) + fs_manage_cifs_dirs(nsplugin_t) + fs_manage_cifs_files(nsplugin_t) + fs_read_cifs_symlinks(nsplugin_t) @@ -4770,7 +4784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + allow nsplugin_t unconfined_mono_t:process signull; +') + -+ ++unconfined_execmem_exec(nsplugin_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/openoffice.fc serefpolicy-3.5.13/policy/modules/apps/openoffice.fc --- nsaserefpolicy/policy/modules/apps/openoffice.fc 1969-12-31 19:00:00.000000000 -0500 +++ serefpolicy-3.5.13/policy/modules/apps/openoffice.fc 2008-11-24 10:49:49.000000000 -0500 
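Review bot: `unconfined_execmem_exec(nsplugin_t)` at the end of the -4770 hunk is a top-level, unconditional call into the unconfined module's interface, placed right after the `optional_policy` block that handles unconfined_mono_t. Whether that is safe depends on the unconfined module always being part of this build; if it can be disabled, the call belongs in its own `optional_policy(`…')` like the neighbouring block. The interface itself is built on `can_exec`, so execmem_exec_t binaries run inside nsplugin_t rather than in a separate execmem domain; a one-line comment such as `# run execmem-labelled plugin helpers in nsplugin_t itself (no transition)` would record that this is intended. The rest of nsplugin.te lies outside the hunk.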
@@ -6480,7 +6494,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.if.in 2008-11-27 17:36:06.000000000 -0500 @@ -1441,10 +1441,11 @@ # interface(`corenet_tcp_bind_all_unreserved_ports',` @@ -6509,9 +6523,34 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## +@@ -1560,6 +1562,24 @@ + + ######################################## + ## ++## Getattr the point-to-point device. ++## ++## ++## ++## The domain allowed access. ++## ++## ++# ++interface(`corenet_getattr_ppp_dev',` ++ gen_require(` ++ type ppp_device_t; ++ ') ++ ++ allow $1 ppp_device_t:chr_file getattr; ++') ++ ++######################################## ++## + ## Read and write the point-to-point device. + ## + ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-24 11:48:40.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-12-01 15:41:38.000000000 -0500 @@ -1,5 +1,5 @@ -policy_module(corenetwork, 1.10.0) 
@@ -6519,7 +6558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -65,6 +65,7 @@ +@@ -65,10 +65,13 @@ type server_packet_t, packet_type, server_packet_type; network_port(afs_bos, udp,7007,s0) @@ -6527,7 +6566,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0) network_port(afs_ka, udp,7004,s0) network_port(afs_pt, udp,7002,s0) -@@ -79,26 +80,31 @@ + network_port(afs_vl, udp,7003,s0) ++network_port(agentx, udp,705,s0, tcp,705,s0) ++ + network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0) + network_port(amavisd_recv, tcp,10024,s0) + network_port(amavisd_send, tcp,10025,s0) +@@ -79,26 +82,31 @@ network_port(auth, tcp,113,s0) network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict @@ -6560,7 +6605,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0) -@@ -109,6 +115,7 @@ +@@ -109,6 +117,7 @@ network_port(ipp, tcp,631,s0, udp,631,s0) network_port(ipsecnat, tcp,4500,s0, udp,4500,s0) network_port(ircd, tcp,6667,s0) 
@@ -6568,7 +6613,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(isakmp, udp,500,s0) network_port(iscsi, tcp,3260,s0) network_port(isns, tcp,3205,s0, udp,3205,s0) -@@ -117,6 +124,8 @@ +@@ -117,6 +126,8 @@ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0) network_port(kerberos_master, tcp,4444,s0, udp,4444,s0) network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0) @@ -6577,7 +6622,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(ktalkd, udp,517,s0, udp,518,s0) network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0) type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon -@@ -126,6 +135,7 @@ +@@ -126,6 +137,7 @@ network_port(mmcc, tcp,5050,s0, udp,5050,s0) network_port(monopd, tcp,1234,s0) network_port(msnp, tcp,1863,s0, udp,1863,s0) @@ -6585,7 +6630,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(mysqld, tcp,1186,s0, tcp,3306,s0) portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0) network_port(nessus, tcp,1241,s0) -@@ -136,12 +146,21 @@ +@@ -136,12 +148,21 @@ network_port(openvpn, tcp,1194,s0, udp,1194,s0) network_port(pegasus_http, tcp,5988,s0) network_port(pegasus_https, tcp,5989,s0) @@ -6607,7 +6652,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(printer, tcp,515,s0) network_port(ptal, tcp,5703,s0) network_port(pxe, udp,4011,s0) -@@ -159,9 +178,10 @@ +@@ -159,9 +180,10 @@ network_port(rwho, udp,513,s0) network_port(smbd, tcp,137-139,s0, tcp,445,s0) network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0) 
@@ -6619,7 +6664,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0) type socks_port_t, port_type; dnl network_port(socks) # no defined portcon type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict -@@ -170,13 +190,16 @@ +@@ -170,13 +192,16 @@ network_port(syslogd, udp,514,s0) network_port(telnetd, tcp,23,s0) network_port(tftp, udp,69,s0) @@ -7340,7 +7385,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## all protocols (TCP, UDP, etc) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.5.13/policy/modules/kernel/domain.te --- nsaserefpolicy/policy/modules/kernel/domain.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/kernel/domain.te 2008-12-01 16:51:03.000000000 -0500 @@ -5,6 +5,13 @@ # # Declarations @@ -7412,7 +7457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + cron_rw_pipes(domain) +ifdef(`hide_broken_symptoms',` + cron_dontaudit_rw_tcp_sockets(domain) -+ allow domain domain:key search; ++ allow domain domain:key { link search }; +') +') + @@ -17844,7 +17889,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te --- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2008-11-27 17:38:06.000000000 -0500 
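Review bot: `allow domain domain:key { link search };` in the -7412 hunk is a blanket rule between every pair of domains, and it sits in an `ifdef(`hide_broken_symptoms')` block whose neighbouring line uses the dontaudit form (`cron_dontaudit_rw_tcp_sockets(domain)`). If the goal is only to silence audit noise, `dontaudit domain domain:key { link search };` is the narrower choice; if cross-domain key linking is genuinely required, a comment naming the component and the denial it fixes would justify granting it to all domains. The enclosing `optional_policy(` block opens outside the hunk.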
@@ -33,9 +33,9 @@ # networkmanager will ptrace itself if gdb is installed @@ -17877,11 +17922,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_all_recvfrom_unlabeled(NetworkManager_t) corenet_all_recvfrom_netlabel(NetworkManager_t) -@@ -81,13 +83,17 @@ +@@ -81,13 +83,18 @@ corenet_sendrecv_isakmp_server_packets(NetworkManager_t) corenet_sendrecv_dhcpc_server_packets(NetworkManager_t) corenet_sendrecv_all_client_packets(NetworkManager_t) +corenet_rw_tun_tap_dev(NetworkManager_t) ++corenet_getattr_ppp_dev(NetworkManager_t) dev_read_sysfs(NetworkManager_t) dev_read_rand(NetworkManager_t) @@ -17895,7 +17941,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mls_file_read_all_levels(NetworkManager_t) -@@ -104,9 +110,14 @@ +@@ -104,9 +111,14 @@ files_read_etc_runtime_files(NetworkManager_t) files_read_usr_files(NetworkManager_t) @@ -17910,7 +17956,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(NetworkManager_t) libs_use_shared_libs(NetworkManager_t) -@@ -119,27 +130,41 @@ +@@ -119,27 +131,41 @@ seutil_read_config(NetworkManager_t) @@ -17959,7 +18005,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -151,8 +176,25 @@ +@@ -151,8 +177,25 @@ ') optional_policy(` @@ -17987,7 +18033,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -160,23 +202,48 @@ +@@ -160,23 +203,48 @@ ') optional_policy(` @@ -18038,7 +18084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -194,7 +261,9 @@ +@@ -194,7 +262,9 @@ optional_policy(` vpn_domtrans(NetworkManager_t) 
@@ -22632,7 +22678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.5.13/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/ricci.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/ricci.te 2008-12-01 14:00:58.000000000 -0500 @@ -133,6 +133,8 @@ dev_read_urand(ricci_t) @@ -22695,6 +22741,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol #Needed for editing /etc/fstab files_manage_etc_files(ricci_modstorage_t) +@@ -473,6 +475,10 @@ + + modutils_read_module_deps(ricci_modstorage_t) + ++consoletype_exec(ricci_modstorage_t) ++ ++mount_domtrans(ricci_modstorage_t) ++ + optional_policy(` + ccs_stream_connect(ricci_modstorage_t) + ccs_read_config(ricci_modstorage_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.5.13/policy/modules/services/rlogin.te --- nsaserefpolicy/policy/modules/services/rlogin.te 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/rlogin.te 2008-11-24 10:49:49.000000000 -0500 @@ -24501,7 +24558,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.5.13/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2008-10-17 08:49:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/snmp.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/snmp.te 2008-12-01 15:41:14.000000000 -0500 
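Review bot: `consoletype_exec(ricci_modstorage_t)` and `mount_domtrans(ricci_modstorage_t)` in the -22695 hunk are unconditional calls into the consoletype and mount modules, while the ccs_* calls immediately below them are wrapped in `optional_policy(`…')`. If either module can be left out of a build, the interface's gen_require would fail at link time, so wrapping each call the same way as the ccs block is the conventional shape. mount_domtrans also moves ricci_modstorage_t into mount_t, a considerably more privileged domain; a short comment naming the operation that needs it, e.g. `# TODO(review): name the storage operation that requires a transition to mount_t`, would make the grant easier to audit later.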
@@ -9,6 +9,9 @@ type snmpd_exec_t; init_daemon_domain(snmpd_t, snmpd_exec_t) @@ -24537,7 +24594,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_bin(snmpd_t) corecmd_exec_shell(snmpd_t) -@@ -76,13 +83,14 @@ +@@ -66,6 +73,7 @@ + corenet_tcp_bind_snmp_port(snmpd_t) + corenet_udp_bind_snmp_port(snmpd_t) + corenet_sendrecv_snmp_server_packets(snmpd_t) ++corenet_tcp_connect_agentx_port(snmpd_t) + + dev_list_sysfs(snmpd_t) + dev_read_sysfs(snmpd_t) +@@ -76,13 +84,14 @@ domain_use_interactive_fds(snmpd_t) domain_signull_all_domains(snmpd_t) domain_read_all_domains_state(snmpd_t) @@ -24554,7 +24619,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol fs_getattr_all_dirs(snmpd_t) fs_getattr_all_fs(snmpd_t) -@@ -94,6 +102,8 @@ +@@ -94,6 +103,8 @@ init_read_utmp(snmpd_t) init_dontaudit_write_utmp(snmpd_t) @@ -24563,7 +24628,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol libs_use_ld_so(snmpd_t) libs_use_shared_libs(snmpd_t) -@@ -121,7 +131,7 @@ +@@ -121,7 +132,7 @@ ') optional_policy(` @@ -24572,7 +24637,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -152,3 +162,12 @@ +@@ -152,3 +163,12 @@ optional_policy(` udev_read_db(snmpd_t) ') 
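Review bot: `corenet_tcp_connect_agentx_port(snmpd_t)` in the -24537 hunk covers snmpd acting as an AgentX subagent that connects to a master, but snmpd can also be configured as the AgentX master, in which case it listens on tcp/705 rather than connecting to it. If that configuration is meant to work under this policy, `corenet_tcp_bind_agentx_port(snmpd_t)` is needed alongside the connect rule, next to the existing `corenet_tcp_bind_snmp_port(snmpd_t)`. A comment on the line stating which role is being allowed, e.g. `# AgentX subagent: connect to the master on tcp/705`, would make the intent clear.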
@@ -26171,6 +26236,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +miscfiles_read_localization(ulogd_t) + +permissive ulogd_t; +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.5.13/policy/modules/services/uucp.te +--- nsaserefpolicy/policy/modules/services/uucp.te 2008-10-17 08:49:13.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/uucp.te 2008-11-25 14:26:42.000000000 -0500 +@@ -127,6 +127,7 @@ + + optional_policy(` + mta_send_mail(uux_t) ++ mta_read_queue(uux_t) + ') + + optional_policy(` diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.5.13/policy/modules/services/virt.fc --- nsaserefpolicy/policy/modules/services/virt.fc 2008-10-17 08:49:11.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/services/virt.fc 2008-11-24 10:49:49.000000000 -0500 @@ -27854,7 +27930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.5.13/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-25 11:13:22.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/services/xserver.te 2008-11-27 06:38:45.000000000 -0500 @@ -8,6 +8,14 @@ ## @@ -28042,7 +28118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # connect to xdm xserver over stream socket stream_connect_pattern(xdm_t, xdm_xserver_tmp_t, xdm_xserver_tmp_t, xdm_xserver_t) -@@ -229,6 +309,7 @@ +@@ -229,11 +309,13 @@ corenet_udp_sendrecv_all_ports(xdm_t) corenet_tcp_bind_all_nodes(xdm_t) corenet_udp_bind_all_nodes(xdm_t) 
@@ -28050,7 +28126,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corenet_tcp_connect_all_ports(xdm_t) corenet_sendrecv_all_client_packets(xdm_t) # xdm tries to bind to biff_port_t -@@ -241,6 +322,7 @@ + corenet_dontaudit_tcp_bind_all_ports(xdm_t) + ++dev_rwx_zero(xdm_t) + dev_read_rand(xdm_t) + dev_read_sysfs(xdm_t) + dev_getattr_framebuffer_dev(xdm_t) +@@ -241,6 +323,7 @@ dev_getattr_mouse_dev(xdm_t) dev_setattr_mouse_dev(xdm_t) dev_rw_apm_bios(xdm_t) @@ -28058,7 +28140,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_setattr_apm_bios_dev(xdm_t) dev_rw_dri(xdm_t) dev_rw_agp(xdm_t) -@@ -253,14 +335,17 @@ +@@ -253,14 +336,17 @@ dev_setattr_video_dev(xdm_t) dev_getattr_scanner_dev(xdm_t) dev_setattr_scanner_dev(xdm_t) @@ -28078,7 +28160,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(xdm_t) files_read_var_files(xdm_t) -@@ -271,9 +356,13 @@ +@@ -271,9 +357,13 @@ files_read_usr_files(xdm_t) # Poweroff wants to create the /poweroff file when run from xdm files_create_boot_flag(xdm_t) @@ -28092,7 +28174,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol storage_dontaudit_read_fixed_disk(xdm_t) storage_dontaudit_write_fixed_disk(xdm_t) -@@ -282,6 +371,7 @@ +@@ -282,6 +372,7 @@ storage_dontaudit_raw_write_removable_device(xdm_t) storage_dontaudit_setattr_removable_dev(xdm_t) storage_dontaudit_rw_scsi_generic(xdm_t) @@ -28100,7 +28182,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol term_setattr_console(xdm_t) term_use_unallocated_ttys(xdm_t) -@@ -290,6 +380,7 @@ +@@ -290,6 +381,7 @@ auth_domtrans_pam_console(xdm_t) auth_manage_pam_pid(xdm_t) auth_manage_pam_console_data(xdm_t) 
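Review bot: `dev_rwx_zero(xdm_t)` in the -28050 hunk grants write plus execute on /dev/zero, which lets xdm_t create writable-and-executable mappings through that device; that is close in effect to the execheap/execmem grant that the `ifndef(`distro_redhat')` block later in this file deliberately withholds from xdm_t on Red Hat builds. If only a read/write mapping is needed, `dev_rw_zero(xdm_t)` is the narrower interface. Otherwise a comment above the line, e.g. `# TODO(review): name the display-manager component that needs W+X mappings of /dev/zero`, would let a future maintainer revisit the grant.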
@@ -28108,7 +28190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_rw_faillog(xdm_t) auth_write_login_records(xdm_t) -@@ -301,21 +392,26 @@ +@@ -301,21 +393,26 @@ libs_exec_lib_files(xdm_t) logging_read_generic_logs(xdm_t) @@ -28140,7 +28222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xserver_rw_session_template(xdm, xdm_t, xdm_tmpfs_t) xserver_unconfined(xdm_t) -@@ -348,10 +444,12 @@ +@@ -348,10 +445,12 @@ optional_policy(` alsa_domtrans(xdm_t) @@ -28153,7 +28235,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -359,6 +457,22 @@ +@@ -359,6 +458,22 @@ ') optional_policy(` @@ -28176,7 +28258,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Talk to the console mouse server. gpm_stream_connect(xdm_t) gpm_setattr_gpmctl(xdm_t) -@@ -382,16 +496,34 @@ +@@ -382,16 +497,34 @@ ') optional_policy(` @@ -28212,7 +28294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_t self:process { execheap execmem }; -@@ -411,6 +543,10 @@ +@@ -411,6 +544,10 @@ ') optional_policy(` @@ -28223,7 +28305,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xfs_stream_connect(xdm_t) ') -@@ -427,7 +563,7 @@ +@@ -427,7 +564,7 @@ allow xdm_xserver_t xdm_var_lib_t:file { getattr read }; dontaudit xdm_xserver_t xdm_var_lib_t:dir search; @@ -28232,7 +28314,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Label pid and temporary files with derived types. manage_files_pattern(xdm_xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -439,6 +575,15 @@ +@@ -439,6 +576,15 @@ can_exec(xdm_xserver_t, xkb_var_lib_t) files_search_var_lib(xdm_xserver_t) 
@@ -28248,7 +28330,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # VNC v4 module in X server corenet_tcp_bind_vnc_port(xdm_xserver_t) -@@ -450,10 +595,19 @@ +@@ -450,10 +596,19 @@ # xdm_xserver_t may no longer have any reason # to read ROLE_home_t - examine this in more detail # (xauth?) @@ -28269,7 +28351,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xdm_xserver_t) fs_manage_nfs_files(xdm_xserver_t) -@@ -468,8 +622,19 @@ +@@ -468,8 +623,19 @@ optional_policy(` dbus_system_bus_client_template(xdm_xserver, xdm_xserver_t) @@ -28289,7 +28371,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` resmgr_stream_connect(xdm_t) -@@ -481,8 +646,25 @@ +@@ -481,8 +647,25 @@ ') optional_policy(` @@ -28317,7 +28399,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifndef(`distro_redhat',` allow xdm_xserver_t self:process { execheap execmem }; -@@ -491,7 +673,6 @@ +@@ -491,7 +674,6 @@ ifdef(`distro_rhel4',` allow xdm_xserver_t self:process { execheap execmem }; ') @@ -28325,7 +28407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # -@@ -512,6 +693,27 @@ +@@ -512,6 +694,27 @@ allow xserver_unconfined_type { x_domain x_server_domain }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -28353,7 +28435,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`TODO',` # Need to further investigate these permissions and # perhaps define derived types. -@@ -544,3 +746,73 @@ +@@ -544,3 +747,73 @@ # allow pam_t xdm_t:fifo_file { getattr ioctl write }; ') dnl end TODO 
@@ -29696,8 +29778,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow setkey_t ipsec_conf_file_t:dir list_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.5.13/policy/modules/system/iptables.te --- nsaserefpolicy/policy/modules/system/iptables.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/iptables.te 2008-11-24 14:40:10.000000000 -0500 -@@ -27,7 +27,7 @@ ++++ serefpolicy-3.5.13/policy/modules/system/iptables.te 2008-11-27 06:12:54.000000000 -0500 +@@ -22,12 +22,12 @@ + # Iptables local policy + # + +-allow iptables_t self:capability { net_admin net_raw }; ++allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw }; + dontaudit iptables_t self:capability sys_tty_config; allow iptables_t self:process { sigchld sigkill sigstop signull signal }; allow iptables_t self:rawip_socket create_socket_perms; @@ -29737,7 +29825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow iscsid_t iscsi_tmp_t:dir manage_dir_perms; diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.5.13/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/libraries.fc 2008-12-01 16:41:03.000000000 -0500 @@ -60,12 +60,15 @@ # # /opt 
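Review bot: The capability line rewritten in the -29696 hunk grants both `dac_read_search` and `dac_override` to iptables_t. dac_read_search only bypasses read and search permission checks, whereas dac_override additionally bypasses write and execute DAC checks, so if the triggering denial was iptables reading a file its uid cannot open, `allow iptables_t self:capability { dac_read_search net_admin net_raw };` is the minimal grant. If dac_override really is exercised, a comment above the line naming the case (the commit message only says "dac permissions") would justify the broader capability.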
@@ -29754,7 +29842,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ifdef(`distro_gentoo',` # despite the extensions, they are actually libs /opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:lib_t,s0) -@@ -84,7 +87,8 @@ +@@ -75,16 +78,18 @@ + /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) + /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) +-/opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/opt/RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0) +-/opt/RealPlayer/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0) + ') ++/opt/(real/)?RealPlayer/codecs(/.*)? gen_context(system_u:object_r:textrel_shlib_t,s0) ++/opt/(real/)?RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/opt/(real/)?RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/opt/(real/)?RealPlayer/mozilla(/.*)? gen_context(system_u:object_r:lib_t,s0) ++/opt/(real/)?RealPlayer/plugins(/.*)? gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ifdef(`distro_redhat',` /opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -29764,7 +29867,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /opt/f-secure/fspms/libexec/librapi\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -115,9 +119,17 @@ +@@ -115,9 +120,17 @@ /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
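Review bot: The five RealPlayer entries re-added in the -29754 hunk label the whole `codecs` and `plugins` trees textrel_shlib_t with no file-type qualifier, so every file under those directories, not just shared objects, becomes text-relocatable library content; previously they were lib_t. A tighter form keeps the directory entries as lib_t and limits textrel_shlib_t to the libraries, e.g. `/opt/(real/)?RealPlayer/codecs/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Moving the entries out of the `ifdef(`distro_gentoo')` block also makes them unconditional, which looks intended for the /opt/real/ layout but deserves a one-line comment saying so.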
@@ -29782,7 +29885,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -127,12 +139,14 @@ +@@ -127,12 +140,14 @@ /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libjs\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libx264\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -29797,7 +29900,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/xulrunner-[^/]*/libgtkembedmoz\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xulrunner-[^/]*/libxul\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -168,7 +182,8 @@ +@@ -168,7 +183,8 @@ # Fedora Core packages: gstreamer-plugins, compat-libstdc++, Glide3, libdv # HelixPlayer, SDL, xorg-x11, xorg-x11-libs, Hermes, valgrind, openoffice.org-libs, httpd - php /usr/lib(64)?/gstreamer-.*/[^/]*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -29807,7 +29910,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib/firefox-[^/]*/plugins/nppdf.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/libFLAC\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -187,6 +202,7 @@ +@@ -187,6 +203,7 @@ /usr/lib(64)?/libdv\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/plugins/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/helix/codecs/[^/]*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -29815,7 +29918,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/libSDL-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/xorg/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/modules/dri/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -246,7 +262,7 @@ +@@ -246,7 +263,7 @@ # Flash plugin, Macromedia HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -29824,7 +29927,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -267,6 +283,8 @@ +@@ -267,6 +284,8 @@ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) @@ -29833,7 +29936,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # Java, Sun Microsystems (JPackage SRPM) /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -291,6 +309,8 @@ +@@ -291,6 +310,8 @@ /usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
@@ -29842,7 +29945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') dnl end distro_redhat # -@@ -310,3 +330,19 @@ +@@ -310,3 +331,21 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -29862,6 +29965,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib(64)?/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib/sse2/libav.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0) +/usr/lib(64)?/sse2/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ ++/opt/google-earth/.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.5.13/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2008-10-17 08:49:13.000000000 -0400 +++ serefpolicy-3.5.13/policy/modules/system/libraries.te 2008-11-24 10:49:49.000000000 -0500 @@ -30520,7 +30625,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol samba_run_smbmount($1, $2, $3) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.5.13/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/mount.te 2008-11-27 06:39:45.000000000 -0500 @@ -18,17 +18,18 @@ init_system_domain(mount_t,mount_exec_t) role system_r types mount_t; 
@@ -30647,7 +30752,22 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -181,6 +198,11 @@ +@@ -174,6 +191,14 @@ + ') + + optional_policy(` ++ dbus_system_bus_client_template(mount, mount_t) ++ ++ optional_policy(` ++ hal_dbus_chat(mount_t) ++ ') ++') ++ ++optional_policy(` + ifdef(`hide_broken_symptoms',` + # for a bug in the X server + rhgb_dontaudit_rw_stream_sockets(mount_t) +@@ -181,6 +206,11 @@ ') ') @@ -30659,7 +30779,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # for kernel package installation optional_policy(` rpm_rw_pipes(mount_t) -@@ -188,6 +210,7 @@ +@@ -188,6 +218,7 @@ optional_policy(` samba_domtrans_smbmount(mount_t) @@ -30667,14 +30787,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -198,4 +221,26 @@ +@@ -198,4 +229,26 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) + optional_policy(` + hal_dbus_chat(unconfined_mount_t) -+ ') ') ++') + +######################################## +# @@ -31876,7 +31996,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol xen_append_log(ifconfig_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-3.5.13/policy/modules/system/udev.fc --- nsaserefpolicy/policy/modules/system/udev.fc 2008-10-17 08:49:13.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-24 10:49:49.000000000 -0500 ++++ serefpolicy-3.5.13/policy/modules/system/udev.fc 2008-11-25 16:15:15.000000000 -0500 @@ -13,8 +13,11 @@ /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0) /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0) 
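Review bot: In the -30667 hunk the original unindented `')` appears to now close the inner `optional_policy(` that wraps hal_dbus_chat(unconfined_mount_t), while the added `')` closes the outer block, so the indentation no longer mirrors the nesting even though the parentheses balance. Indenting the inner close (`	')`) keeps the file consistent with the other nested `optional_policy` blocks in mount.te. Whitespace is collapsed in this rendering, so please confirm against the actual file.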
@@ -31888,7 +32008,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/bin/udevinfo -- gen_context(system_u:object_r:udev_exec_t,s0)
 +
-+/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
++/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.if serefpolicy-3.5.13/policy/modules/system/udev.if
 --- nsaserefpolicy/policy/modules/system/udev.if 2008-10-17 08:49:13.000000000 -0400
 +++ serefpolicy-3.5.13/policy/modules/system/udev.if 2008-11-24 10:49:49.000000000 -0500
@@ -32049,7 +32169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/gcl-[^/]+/unixport/saved_.* -- gen_context(system_u:object_r:execmem_exec_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-10-17 08:49:13.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-11-24 10:49:49.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-12-01 16:30:54.000000000 -0500
 @@ -12,14 +12,13 @@
 #
 interface(`unconfined_domain_noaudit',`
@@ -32129,7 +32249,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Send generic signals to the unconfined domain.
 ##
 ##
-@@ -654,3 +678,248 @@
+@@ -654,3 +678,267 @@
 allow $1 unconfined_tmp_t:file { getattr write append };
 ')
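Review bot: Relabelling `/var/run/PackageKit/udev(/.*)?` from rpm_var_run_t to udev_var_run_t takes the directory out of the rpm domains' reach, so whichever PackageKit process creates or reads it (presumably running in rpm_t, given the old label) now needs a matching rule on udev_var_run_t, and no such rule appears in this commit. Please confirm against the denial that prompted the relabel that the other side of that exchange is still allowed, and record the new label in the spec changelog, which currently lists only the iptables and awstats changes. A trailing comment on the fc entry recording which domain writes the directory and which reads it, e.g. `# written by <domain>, read by <domain> — confirm`, would document the cross-module dependency. This outer hunk is complete, but the inner udev.fc hunk it patches starts in the previous outer hunk and its middle is not shown here.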
@@ -32209,6 +32329,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +########################################
 +##
++## execute the execmem applications
++##
++##
++##
++## Domain allowed access.
++##
++##
++#
++interface(`unconfined_execmem_exec',`
++
++ gen_require(`
++ type execmem_exec_t;
++ ')
++
++ can_exec($1, execmem_exec_t)
++')
++
++########################################
++##
 +## allow attempts to use unconfined ttys and ptys.
 +##
 +##
diff --git a/selinux-policy.spec b/selinux-policy.spec
index c87eac4..d5f5f08 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -457,6 +457,11 @@ exit 0
 %endif
 %changelog
+* Thu Nov 27 2008 Dan Walsh 3.5.13-27
+- Allow iptables dac permissions
+- Allow awstates to use inotify
+
+
 * Tue Nov 25 2008 Dan Walsh 3.5.13-26
 - Allow dhcpc to read ypbind.pid
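Review bot: The summary of the new `unconfined_execmem_exec` interface, `execute the execmem applications`, does not say that the caller stays in its own domain: `can_exec($1, execmem_exec_t)` grants execute without a domain transition, unlike the domtrans-style interfaces that move the caller into unconfined_execmem_t, so a domain using it runs every execmem_exec_t binary with its own privileges and presumably needs execmem itself for those programs to work. Suggest `## Execute execmem applications in the caller's domain (no transition to unconfined_execmem_t).` as the summary, and since the doc lines appear tag-stripped in this rendering, keep refpolicy's summary/param markup when applying. The interface itself is complete within the hunk; the surrounding unconfined.if hunk (`@@ -654,3 +678,267 @@`) starts in the previous outer hunk.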
