From cc138e86b5d73e58a8c1feb1a5ae2254eebfbd30 Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Aug 25 2010 02:48:06 +0000 Subject: - Allow cron to look at user_cron_spool links - Lots of fixes for mozilla_plugin_t - Add sysv file system - Turn unconfined domains to permissive to find additional avcs --- diff --git a/policy-F14.patch b/policy-F14.patch index f0caa77..7b7cb6e 100644 --- a/policy-F14.patch +++ b/policy-F14.patch @@ -4846,7 +4846,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.8.8/policy/modules/apps/mozilla.te --- nsaserefpolicy/policy/modules/apps/mozilla.te 2010-07-27 16:06:04.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-23 18:10:04.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/mozilla.te 2010-08-24 10:04:03.000000000 -0400 @@ -25,6 +25,7 @@ type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; @@ -4910,7 +4910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. pulseaudio_exec(mozilla_t) pulseaudio_stream_connect(mozilla_t) pulseaudio_manage_home_files(mozilla_t) -@@ -266,3 +284,42 @@ +@@ -266,3 +284,46 @@ optional_policy(` thunderbird_domtrans(mozilla_t) ') @@ -4924,10 +4924,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +allow mozilla_plugin_t self:sem create_sem_perms; +allow mozilla_plugin_t self:shm create_shm_perms; +allow mozilla_plugin_t self:fifo_file manage_fifo_file_perms; -+allow mozilla_plugin_t self:unix_stream_socket create_stream_socket_perms; ++allow mozilla_plugin_t self:unix_stream_socket { connectto create_stream_socket_perms }; + +read_files_pattern(mozilla_plugin_t, mozilla_home_t, mozilla_home_t) + ++kernel_read_kernel_sysctls(mozilla_plugin_t) ++kernel_read_system_state(mozilla_plugin_t) +kernel_request_load_module(mozilla_plugin_t) + +corecmd_exec_bin(mozilla_plugin_t) @@ -4942,16 +4944,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla. +files_read_usr_files(mozilla_plugin_t) + +miscfiles_read_localization(mozilla_plugin_t) -+allow mozilla_plugin_t self:process setsched; + -+allow mozilla_plugin_t self:unix_stream_socket connectto; ++term_getattr_all_ttys(mozilla_plugin_t) ++term_getattr_all_ptys(mozilla_plugin_t) + +optional_policy(` + nsplugin_domtrans(mozilla_plugin_t) ++ nsplugin_rw_exec(mozilla_plugin_t) +') + +optional_policy(` + xserver_read_xdm_pid(mozilla_plugin_t) ++ xserver_stream_connect(mozilla_plugin_t) +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mplayer.if serefpolicy-3.8.8/policy/modules/apps/mplayer.if --- nsaserefpolicy/policy/modules/apps/mplayer.if 2010-07-27 16:06:04.000000000 -0400 @@ -5051,7 +5055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin +/usr/lib(64)?/mozilla/plugins-wrapped(/.*)? gen_context(system_u:object_r:nsplugin_rw_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.if serefpolicy-3.8.8/policy/modules/apps/nsplugin.if --- nsaserefpolicy/policy/modules/apps/nsplugin.if 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-23 17:57:01.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/apps/nsplugin.if 2010-08-24 10:00:03.000000000 -0400 @@ -0,0 +1,391 @@ + +## policy for nsplugin @@ -6544,8 +6548,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.8.8/policy/modules/apps/sandbox.te --- nsaserefpolicy/policy/modules/apps/sandbox.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-23 17:16:41.000000000 -0400 -@@ -0,0 +1,400 @@ ++++ serefpolicy-3.8.8/policy/modules/apps/sandbox.te 2010-08-23 18:24:37.000000000 -0400 +@@ -0,0 +1,401 @@ +policy_module(sandbox,1.0.0) +dbus_stub() +attribute sandbox_domain; @@ -6826,6 +6830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox. +allow sandbox_web_type self:netlink_selinux_socket create_socket_perms; + +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type) ++kernel_request_load_module(sandbox_web_type) + +dev_read_rand(sandbox_web_type) +dev_write_sound(sandbox_web_type) @@ -9690,7 +9695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.8.8/policy/modules/kernel/filesystem.te --- nsaserefpolicy/policy/modules/kernel/filesystem.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/filesystem.te 2010-08-24 10:24:43.000000000 -0400 @@ -52,6 +52,7 @@ fs_type(anon_inodefs_t) files_mountpoint(anon_inodefs_t) @@ -9724,7 +9729,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy type inotifyfs_t; fs_type(inotifyfs_t) genfscon inotifyfs / gen_context(system_u:object_r:inotifyfs_t,s0) -@@ -248,6 +258,7 @@ +@@ -148,6 +158,12 @@ + genfscon squash / gen_context(system_u:object_r:squash_t,s0) + files_mountpoint(squash_t) + ++type sysv_t; ++fs_noxattr_type(sysv_t) ++files_mountpoint(sysv_t) ++genfscon sysv / gen_context(system_u:object_r:sysv_t,s0) ++genfscon v7 / gen_context(system_u:object_r:sysv_t,s0) ++ + type vmblock_t; + fs_noxattr_type(vmblock_t) + files_mountpoint(vmblock_t) +@@ -248,6 +264,7 @@ type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -10027,7 +10045,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if --- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-07-27 16:12:33.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-03 13:44:23.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-24 10:01:21.000000000 -0400 @@ -292,9 +292,11 @@ interface(`term_dontaudit_use_console',` gen_require(` @@ -13745,7 +13763,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm.te serefpolicy-3.8.8/policy/modules/services/apm.te --- nsaserefpolicy/policy/modules/services/apm.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/apm.te 2010-08-24 15:48:30.000000000 -0400 @@ -62,6 +62,7 @@ dontaudit apmd_t self:capability { setuid dac_override dac_read_search sys_ptrace sys_tty_config }; allow apmd_t self:process { signal_perms getsession }; @@ -13773,6 +13791,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apm. sysnet_domtrans_ifconfig(apmd_t) ') +@@ -218,9 +224,13 @@ + udev_read_state(apmd_t) #necessary? + ') + ++ifdef(`enforcing',` + optional_policy(` + unconfined_domain(apmd_t) + ') ++', ` ++ permissive apmd_t; ++') + + optional_policy(` + vbetool_domtrans(apmd_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.8.8/policy/modules/services/arpwatch.te --- nsaserefpolicy/policy/modules/services/arpwatch.te 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/arpwatch.te 2010-08-03 09:15:01.000000000 -0400 @@ -14223,7 +14255,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.8/policy/modules/services/boinc.te --- nsaserefpolicy/policy/modules/services/boinc.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-23 09:55:03.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/boinc.te 2010-08-24 22:47:01.000000000 -0400 @@ -0,0 +1,152 @@ +policy_module(boinc,1.0.0) + @@ -14281,7 +14313,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin +exec_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_dirs_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) +manage_files_pattern(boinc_t, boinc_var_lib_t, boinc_var_lib_t) -+files_var_lib_filetrans(boinc_t, boinc_var_lib_t, { file dir } ) ++filetrans_pattern(boinc_t, boinc_var_lib_t, boinc_project_var_lib_t, { dir }) + +manage_dirs_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) +manage_files_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_var_lib_t) @@ -16315,7 +16347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.8.8/policy/modules/services/cron.te --- nsaserefpolicy/policy/modules/services/cron.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-13 11:29:11.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/cron.te 2010-08-24 09:31:07.000000000 -0400 @@ -63,9 +63,12 @@ type crond_tmp_t; @@ -16601,14 +16633,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron unconfined_domain(system_cronjob_t) userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file }) ') -@@ -590,6 +675,7 @@ +@@ -590,7 +675,9 @@ #userdom_user_home_dir_filetrans_user_home_content(cronjob_t, notdevfile_class_set) list_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) +rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) ++read_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t) tunable_policy(`fcron_crond', ` + allow crond_t user_cron_spool_t:file manage_file_perms; diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.fc serefpolicy-3.8.8/policy/modules/services/cups.fc --- nsaserefpolicy/policy/modules/services/cups.fc 2010-07-27 16:06:05.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/cups.fc 2010-07-30 14:06:53.000000000 -0400 @@ -17031,7 +17065,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devicekit.te serefpolicy-3.8.8/policy/modules/services/devicekit.te --- nsaserefpolicy/policy/modules/services/devicekit.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-10 11:09:06.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/devicekit.te 2010-08-24 15:48:30.000000000 -0400 @@ -75,10 +75,12 @@ manage_files_pattern(devicekit_disk_t, devicekit_var_lib_t, devicekit_var_lib_t) files_var_lib_filetrans(devicekit_disk_t, devicekit_var_lib_t, dir) @@ -17057,15 +17091,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/devi files_manage_isid_type_dirs(devicekit_disk_t) files_manage_mnt_dirs(devicekit_disk_t) files_read_etc_files(devicekit_disk_t) -@@ -178,13 +182,19 @@ +@@ -178,13 +182,25 @@ virt_manage_images(devicekit_disk_t) ') ++ifdef(`enforcing',` +optional_policy(` + unconfined_domain(devicekit_t) + unconfined_domain(devicekit_power_t) + unconfined_domain(devicekit_disk_t) +') ++', ` ++ permissive devicekit_t; ++ permissive devicekit_power_t; ++ permissive devicekit_disk_t; ++') + ######################################## # @@ -17212,7 +17252,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.8.8/policy/modules/services/dovecot.te --- nsaserefpolicy/policy/modules/services/dovecot.te 2010-07-27 16:06:05.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-16 07:30:39.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/dovecot.te 2010-08-24 10:17:59.000000000 -0400 @@ -18,7 +18,7 @@ files_tmp_file(dovecot_auth_tmp_t) @@ -17254,7 +17294,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove kernel_read_kernel_sysctls(dovecot_t) kernel_read_system_state(dovecot_t) -@@ -242,6 +244,7 @@ +@@ -159,6 +161,11 @@ + ') + + optional_policy(` ++ postfix_manage_private_sockets(dovecot_t) ++ postfix_search_spool(dovecot_t) ++') ++ ++optional_policy(` + postgresql_stream_connect(dovecot_t) + ') + +@@ -242,6 +249,7 @@ ') optional_policy(` @@ -17262,7 +17314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove postfix_search_spool(dovecot_auth_t) ') -@@ -253,19 +256,26 @@ +@@ -253,19 +261,26 @@ allow dovecot_deliver_t dovecot_t:process signull; @@ -17291,7 +17343,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dove miscfiles_read_localization(dovecot_deliver_t) -@@ -302,4 +312,5 @@ +@@ -302,4 +317,5 @@ optional_policy(` mta_manage_spool(dovecot_deliver_t) @@ -23675,6 +23727,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remo ## ## # +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-3.8.8/policy/modules/services/remotelogin.te +--- nsaserefpolicy/policy/modules/services/remotelogin.te 2010-07-27 16:06:06.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/remotelogin.te 2010-08-24 09:11:29.000000000 -0400 +@@ -114,7 +114,6 @@ + ') + + optional_policy(` +- unconfined_domain(remote_login_t) + unconfined_shell_domtrans(remote_login_t) + ') + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.fc serefpolicy-3.8.8/policy/modules/services/rgmanager.fc --- nsaserefpolicy/policy/modules/services/rgmanager.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rgmanager.fc 2010-07-30 14:06:53.000000000 -0400 @@ -23754,7 +23817,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgmanager.te serefpolicy-3.8.8/policy/modules/services/rgmanager.te --- nsaserefpolicy/policy/modules/services/rgmanager.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/rgmanager.te 2010-08-24 09:12:13.000000000 -0400 @@ -17,6 +17,9 @@ domain_type(rgmanager_t) init_daemon_domain(rgmanager_t, rgmanager_exec_t) @@ -23814,6 +23877,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rgma mysql_domtrans_mysql_safe(rgmanager_t) mysql_stream_connect(rgmanager_t) ') +@@ -193,9 +209,13 @@ + virt_stream_connect(rgmanager_t) + ') + ++ifdef(`enforcing',` + optional_policy(` + unconfined_domain(rgmanager_t) + ') ++', ` ++ permissive rgmanager_t; ++') + + optional_policy(` + xen_domtrans_xm(rgmanager_t) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rhcs.fc serefpolicy-3.8.8/policy/modules/services/rhcs.fc --- nsaserefpolicy/policy/modules/services/rhcs.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/services/rhcs.fc 2010-08-10 11:56:57.000000000 -0400 @@ -24224,7 +24301,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-3.8.8/policy/modules/services/ricci.te --- nsaserefpolicy/policy/modules/services/ricci.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-10 05:23:35.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/ricci.te 2010-08-24 09:12:28.000000000 -0400 @@ -10,6 +10,9 @@ domain_type(ricci_t) init_daemon_domain(ricci_t, ricci_exec_t) @@ -24264,18 +24341,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc unconfined_use_fds(ricci_t) ') -@@ -241,6 +252,10 @@ +@@ -241,8 +252,7 @@ ') optional_policy(` +- # XXX This has got to go. +- unconfined_domain(ricci_modcluster_t) + rgmanager_stream_connect(ricci_modclusterd_t) -+') -+ -+optional_policy(` - # XXX This has got to go. - unconfined_domain(ricci_modcluster_t) ') -@@ -261,6 +276,10 @@ + + ######################################## +@@ -261,6 +271,10 @@ allow ricci_modclusterd_t ricci_modcluster_t:unix_stream_socket connectto; allow ricci_modclusterd_t ricci_modcluster_t:fifo_file rw_file_perms; @@ -24286,7 +24362,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc allow ricci_modclusterd_t ricci_modcluster_var_log_t:dir setattr; manage_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) manage_sock_files_pattern(ricci_modclusterd_t, ricci_modcluster_var_log_t, ricci_modcluster_var_log_t) -@@ -272,6 +291,7 @@ +@@ -272,6 +286,7 @@ kernel_read_kernel_sysctls(ricci_modclusterd_t) kernel_read_system_state(ricci_modclusterd_t) @@ -24294,7 +24370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricc corecmd_exec_bin(ricci_modclusterd_t) -@@ -444,6 +464,12 @@ +@@ -444,6 +459,12 @@ files_read_usr_files(ricci_modstorage_t) files_read_kernel_modules(ricci_modstorage_t) @@ -27185,7 +27261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.8.8/policy/modules/services/virt.te --- nsaserefpolicy/policy/modules/services/virt.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-10 05:23:35.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/virt.te 2010-08-24 09:12:59.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations @@ -27433,7 +27509,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt ') optional_policy(` -@@ -402,6 +459,19 @@ +@@ -385,9 +442,13 @@ + udev_read_db(virtd_t) + ') + ++ifdef(`enforcing',` + optional_policy(` + unconfined_domain(virtd_t) + ') ++', ` ++ permissive virtd_t; ++') + + ######################################## + # +@@ -402,6 +463,19 @@ allow virt_domain self:unix_dgram_socket { create_socket_perms sendto }; allow virt_domain self:tcp_socket create_stream_socket_perms; @@ -27453,7 +27543,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt append_files_pattern(virt_domain, virt_log_t, virt_log_t) append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t) -@@ -422,6 +492,7 @@ +@@ -422,6 +496,7 @@ corenet_tcp_bind_virt_migration_port(virt_domain) corenet_tcp_connect_virt_migration_port(virt_domain) @@ -27461,7 +27551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt dev_read_rand(virt_domain) dev_read_sound(virt_domain) dev_read_urand(virt_domain) -@@ -429,10 +500,12 @@ +@@ -429,10 +504,12 @@ dev_rw_ksm(virt_domain) dev_rw_kvm(virt_domain) dev_rw_qemu(virt_domain) @@ -27474,7 +27564,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt files_read_usr_files(virt_domain) files_read_var_files(virt_domain) files_search_all(virt_domain) -@@ -440,6 +513,11 @@ +@@ -440,6 +517,11 @@ fs_getattr_tmpfs(virt_domain) fs_rw_anon_inodefs_files(virt_domain) fs_rw_tmpfs_files(virt_domain) @@ -27486,7 +27576,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt term_use_all_terms(virt_domain) term_getattr_pty_fs(virt_domain) -@@ -457,8 +535,121 @@ +@@ -457,8 +539,121 @@ ') optional_policy(` @@ -27762,7 +27852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.8.8/policy/modules/services/xserver.if --- nsaserefpolicy/policy/modules/services/xserver.if 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-08-23 17:59:07.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/xserver.if 2010-08-24 10:28:17.000000000 -0400 @@ -19,9 +19,10 @@ interface(`xserver_restricted_role',` gen_require(` @@ -28375,7 +28465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.8.8/policy/modules/services/xserver.te --- nsaserefpolicy/policy/modules/services/xserver.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-11 08:03:36.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/services/xserver.te 2010-08-24 10:03:23.000000000 -0400 @@ -35,6 +35,13 @@ ## @@ -29177,7 +29267,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser userdom_search_user_home_dirs(xserver_t) userdom_use_user_ttys(xserver_t) -@@ -775,12 +1072,28 @@ +@@ -775,14 +1072,34 @@ ') optional_policy(` @@ -29202,12 +29292,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser + udev_read_db(xserver_t) +') + ++ifdef(`enforcing',` +optional_policy(` + unconfined_domain(xserver_t) unconfined_domtrans(xserver_t) ') ++', ` ++ permissive xserver_t; ++') -@@ -804,10 +1117,10 @@ + optional_policy(` + userhelper_search_config(xserver_t) +@@ -804,10 +1121,10 @@ # NB we do NOT allow xserver_t xdm_var_lib_t:dir, only access to an open # handle of a file inside the dir!!! @@ -29220,7 +29316,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser # Label pid and temporary files with derived types. manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t) -@@ -828,6 +1141,13 @@ +@@ -828,6 +1145,13 @@ # to read ROLE_home_t - examine this in more detail # (xauth?) userdom_read_user_home_content_files(xserver_t) @@ -29234,7 +29330,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(xserver_t) -@@ -843,11 +1163,14 @@ +@@ -843,11 +1167,14 @@ optional_policy(` dbus_system_bus_client(xserver_t) @@ -29251,7 +29347,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xser ') optional_policy(` -@@ -993,3 +1316,33 @@ +@@ -993,3 +1320,33 @@ allow xserver_unconfined_type xextension_type:x_extension *; allow xserver_unconfined_type { x_domain xserver_t }:x_resource *; allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *; @@ -30108,7 +30204,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-3.8.8/policy/modules/system/fstools.te --- nsaserefpolicy/policy/modules/system/fstools.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-08-23 08:25:15.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/fstools.te 2010-08-24 15:48:29.000000000 -0400 @@ -55,6 +55,7 @@ kernel_read_system_state(fsadm_t) @@ -30126,7 +30222,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool # Recreate /mnt/cdrom. files_manage_mnt_dirs(fsadm_t) # for tune2fs -@@ -147,7 +150,7 @@ +@@ -147,12 +150,16 @@ seutil_read_config(fsadm_t) @@ -30134,8 +30230,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool +term_use_all_terms(fsadm_t) ifdef(`distro_redhat',` ++ifdef(`enforcing',` optional_policy(` -@@ -166,6 +169,14 @@ + unconfined_domain(fsadm_t) + ') ++', ` ++ permissive fsadm_t; ++') + ') + + optional_policy(` +@@ -166,6 +173,14 @@ ') optional_policy(` @@ -32032,7 +32137,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar +/opt/google/picasa/.*\.yti -- gen_context(system_u:object_r:textrel_shlib_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.8.8/policy/modules/system/libraries.te --- nsaserefpolicy/policy/modules/system/libraries.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/libraries.te 2010-08-24 09:14:30.000000000 -0400 @@ -61,7 +61,7 @@ manage_files_pattern(ldconfig_t, ldconfig_cache_t, ldconfig_cache_t) @@ -32069,6 +32174,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar ifdef(`hide_broken_symptoms',` ifdef(`distro_gentoo',` # leaked fds from portage +@@ -141,6 +147,10 @@ + rpm_manage_script_tmp_files(ldconfig_t) + ') + ++ifdef(`enforcing',` + optional_policy(` + unconfined_domain(ldconfig_t) ++')' ++, ` ++ permissive ldconfig_t; + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.fc serefpolicy-3.8.8/policy/modules/system/locallogin.fc --- nsaserefpolicy/policy/modules/system/locallogin.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/locallogin.fc 2010-07-30 14:06:53.000000000 -0400 @@ -32490,20 +32606,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.if ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.8.8/policy/modules/system/lvm.te --- nsaserefpolicy/policy/modules/system/lvm.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-08-23 18:10:53.000000000 -0400 -@@ -141,6 +141,11 @@ - ') ++++ serefpolicy-3.8.8/policy/modules/system/lvm.te 2010-08-24 15:48:29.000000000 -0400 +@@ -135,9 +135,18 @@ + lvm_read_config(clvmd_t) - optional_policy(` -+ aisexec_stream_connect(clvmd_t) -+ corosync_stream_connect(clvmd_t) + ifdef(`distro_redhat',` ++ifdef(`enforcing',` + optional_policy(` + unconfined_domain(clvmd_t) + ') ++', ` ++ permissive clvmd_t; ++') +') + +optional_policy(` - ccs_stream_connect(clvmd_t) ++ aisexec_stream_connect(clvmd_t) ++ corosync_stream_connect(clvmd_t) ') -@@ -170,6 +175,7 @@ + optional_policy(` +@@ -170,6 +179,7 @@ allow lvm_t self:process { sigchld sigkill sigstop signull signal }; # LVM will complain a lot if it cannot set its priority. allow lvm_t self:process setsched; @@ -32511,7 +32634,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te allow lvm_t self:file rw_file_perms; allow lvm_t self:fifo_file manage_fifo_file_perms; allow lvm_t self:unix_dgram_socket create_socket_perms; -@@ -210,12 +216,15 @@ +@@ -210,12 +220,15 @@ files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_search_mnt(lvm_t) @@ -32527,7 +32650,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) -@@ -242,6 +251,7 @@ +@@ -242,6 +255,7 @@ dev_dontaudit_getattr_generic_blk_files(lvm_t) dev_dontaudit_getattr_generic_pipes(lvm_t) dev_create_generic_dirs(lvm_t) @@ -32535,7 +32658,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te domain_use_interactive_fds(lvm_t) domain_read_all_domains_state(lvm_t) -@@ -251,8 +261,9 @@ +@@ -251,8 +265,9 @@ files_read_etc_runtime_files(lvm_t) # for when /usr is not mounted: files_dontaudit_search_isid_type_dirs(lvm_t) @@ -32546,7 +32669,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te fs_search_auto_mountpoints(lvm_t) fs_list_tmpfs(lvm_t) fs_read_tmpfs_symlinks(lvm_t) -@@ -262,6 +273,7 @@ +@@ -262,6 +277,7 @@ mls_file_read_all_levels(lvm_t) mls_file_write_to_clearance(lvm_t) @@ -32554,19 +32677,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te selinux_get_fs_mount(lvm_t) selinux_validate_context(lvm_t) -@@ -309,6 +321,11 @@ - ') +@@ -303,9 +319,18 @@ + # this is from the initrd: + files_rw_isid_type_dirs(lvm_t) - optional_policy(` -+ aisexec_stream_connect(lvm_t) -+ corosync_stream_connect(lvm_t) ++ifdef(`enforcing',` + optional_policy(` + unconfined_domain(lvm_t) + ') ++', ` ++ permissive lvm_t; ++') +') + +optional_policy(` - bootloader_rw_tmp_files(lvm_t) ++ aisexec_stream_connect(lvm_t) ++ corosync_stream_connect(lvm_t) ') -@@ -329,6 +346,10 @@ + optional_policy(` +@@ -329,6 +354,10 @@ ') optional_policy(` @@ -32727,7 +32857,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ## diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.8.8/policy/modules/system/modutils.te --- nsaserefpolicy/policy/modules/system/modutils.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/modutils.te 2010-08-24 09:16:21.000000000 -0400 @@ -18,6 +18,7 @@ type insmod_exec_t; application_domain(insmod_t, insmod_exec_t) @@ -32759,7 +32889,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti ifdef(`distro_ubuntu',` optional_policy(` -@@ -104,7 +108,7 @@ +@@ -94,17 +98,21 @@ + rpm_manage_script_tmp_files(depmod_t) + ') + ++ifdef(`enforcing',` + optional_policy(` + # Read System.map from home directories. + unconfined_domain(depmod_t) + ') ++', ` ++ permissive depmod_t; ++') + + ######################################## + # # insmod local policy # @@ -32768,7 +32912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow insmod_t self:udp_socket create_socket_perms; -@@ -125,6 +129,7 @@ +@@ -125,6 +133,7 @@ kernel_mount_debugfs(insmod_t) kernel_mount_kvmfs(insmod_t) kernel_read_debugfs(insmod_t) @@ -32776,7 +32920,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti # Rules for /proc/sys/kernel/tainted kernel_read_kernel_sysctls(insmod_t) kernel_rw_kernel_sysctl(insmod_t) -@@ -142,6 +147,7 @@ +@@ -142,6 +151,7 @@ dev_read_sound(insmod_t) dev_write_sound(insmod_t) dev_rw_apm_bios(insmod_t) @@ -32784,7 +32928,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti domain_signal_all_domains(insmod_t) domain_use_interactive_fds(insmod_t) -@@ -160,11 +166,15 @@ +@@ -160,11 +170,15 @@ fs_getattr_xattr_fs(insmod_t) fs_dontaudit_use_tmpfs_chr_dev(insmod_t) @@ -32800,7 +32944,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti logging_send_syslog_msg(insmod_t) logging_search_logs(insmod_t) -@@ -173,8 +183,7 @@ +@@ -173,8 +187,7 @@ seutil_read_file_contexts(insmod_t) @@ -32810,17 +32954,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti userdom_dontaudit_search_user_home_dirs(insmod_t) if( ! secure_mode_insmod ) { -@@ -235,6 +244,10 @@ +@@ -229,10 +242,18 @@ + rpm_rw_pipes(insmod_t) ') ++ifdef(`enforcing',` optional_policy(` -+ virt_dontaudit_write_pipes(insmod_t) + unconfined_domain(insmod_t) + unconfined_dontaudit_rw_pipes(insmod_t) + ') ++', ` ++ permissive insmod_t; +') + +optional_policy(` - # cjp: why is this needed: - dev_rw_xserver_misc(insmod_t) ++ virt_dontaudit_write_pipes(insmod_t) ++') + optional_policy(` + # cjp: why is this needed: diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.8.8/policy/modules/system/mount.fc --- nsaserefpolicy/policy/modules/system/mount.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/mount.fc 2010-07-30 14:06:53.000000000 -0400 @@ -33416,7 +33568,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.i # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.8.8/policy/modules/system/raid.te --- nsaserefpolicy/policy/modules/system/raid.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/raid.te 2010-08-24 09:17:23.000000000 -0400 @@ -30,8 +30,9 @@ allow mdadm_t mdadm_map_t:file manage_file_perms; dev_filetrans(mdadm_t, mdadm_map_t, file) @@ -33436,6 +33588,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.t fs_search_auto_mountpoints(mdadm_t) fs_dontaudit_list_tmpfs(mdadm_t) +@@ -95,6 +97,10 @@ + udev_read_db(mdadm_t) + ') + ++ifdef(`enforcing',` + optional_policy(` + unconfined_domain(mdadm_t) + ') ++', ` ++ permissive mdadm_t; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc --- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.fc 2010-07-30 14:06:53.000000000 -0400 @@ -33859,7 +34022,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.8.8/policy/modules/system/selinuxutil.te --- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-13 15:47:08.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/selinuxutil.te 2010-08-24 09:17:28.000000000 -0400 @@ -22,6 +22,9 @@ type selinux_config_t; files_type(selinux_config_t) @@ -34098,7 +34261,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu # cjp: need a more general way to handle this: ifdef(`enable_mls',` # read secadm tmp files -@@ -498,112 +492,50 @@ +@@ -498,112 +492,54 @@ userdom_read_user_tmp_files(semanage_t) ') @@ -34239,9 +34402,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu ') ') ++ifdef(`enforcing',` optional_policy(` - hotplug_use_fds(setfiles_t) + unconfined_domain(setfiles_mac_t) ++') ++', ` ++ permissive lvm_t; ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.if serefpolicy-3.8.8/policy/modules/system/setrans.if --- nsaserefpolicy/policy/modules/system/setrans.if 2010-07-27 16:06:06.000000000 -0400 @@ -34421,8 +34588,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosreport.te serefpolicy-3.8.8/policy/modules/system/sosreport.te --- nsaserefpolicy/policy/modules/system/sosreport.te 1969-12-31 19:00:00.000000000 -0500 -+++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-07-30 14:06:53.000000000 -0400 -@@ -0,0 +1,154 @@ ++++ serefpolicy-3.8.8/policy/modules/system/sosreport.te 2010-08-24 15:48:28.000000000 -0400 +@@ -0,0 +1,158 @@ +policy_module(sosreport,1.0.0) + +######################################## @@ -34574,9 +34741,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sosrep + xserver_stream_connect(sosreport_t) +') + ++ifdef(`enforcing',` +optional_policy(` + unconfined_domain(sosreport_t) +') ++', ` ++ permissive sosreport_t; ++') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.fc serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc --- nsaserefpolicy/policy/modules/system/sysnetwork.fc 2010-07-27 16:06:06.000000000 -0400 +++ serefpolicy-3.8.8/policy/modules/system/sysnetwork.fc 2010-07-30 14:06:53.000000000 -0400 @@ -35131,7 +35302,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.i # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.8.8/policy/modules/system/udev.te --- nsaserefpolicy/policy/modules/system/udev.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/udev.te 2010-08-24 09:18:25.000000000 -0400 @@ -52,6 +52,7 @@ allow udev_t self:unix_stream_socket connectto; allow udev_t self:netlink_kobject_uevent_socket create_socket_perms; @@ -35163,7 +35334,21 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t mcs_ptrace_all(udev_t) -@@ -216,6 +220,10 @@ +@@ -192,9 +196,13 @@ + # for arping used for static IP addresses on PCMCIA ethernet + netutils_domtrans(udev_t) + ++ ifdef(`enforcing',` + optional_policy(` + unconfined_domain(udev_t) + ') ++ ', ` ++ permissive udev_t; ++ ') + ') + + optional_policy(` +@@ -216,6 +224,10 @@ ') optional_policy(` @@ -35174,7 +35359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t consoletype_exec(udev_t) ') -@@ -259,6 +267,10 @@ +@@ -259,6 +271,10 @@ ') optional_policy(` @@ -35185,7 +35370,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t openct_read_pid_files(udev_t) openct_domtrans(udev_t) ') -@@ -273,6 +285,10 @@ +@@ -273,6 +289,10 @@ ') optional_policy(` @@ -38524,7 +38709,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-3.8.8/policy/modules/system/xen.te --- nsaserefpolicy/policy/modules/system/xen.te 2010-07-27 16:06:06.000000000 -0400 -+++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-07-30 14:06:53.000000000 -0400 ++++ serefpolicy-3.8.8/policy/modules/system/xen.te 2010-08-24 09:18:35.000000000 -0400 @@ -4,6 +4,7 @@ # # Declarations @@ -38680,6 +38865,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te #Should have a boolean wrapping these fs_list_auto_mountpoints(xend_t) files_search_mnt(xend_t) +@@ -469,8 +380,4 @@ + fs_manage_nfs_files(xend_t) + fs_read_nfs_symlinks(xend_t) + ') +- +- optional_policy(` +- unconfined_domain(xend_t) +- ') + ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/misc_patterns.spt serefpolicy-3.8.8/policy/support/misc_patterns.spt --- nsaserefpolicy/policy/support/misc_patterns.spt 2010-05-25 16:28:22.000000000 -0400 +++ serefpolicy-3.8.8/policy/support/misc_patterns.spt 2010-07-30 14:06:53.000000000 -0400 diff --git a/selinux-policy.spec b/selinux-policy.spec index 266ac1d..e4dedb8 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.8.8 -Release: 19%{?dist} +Release: 20%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,12 @@ exit 0 %endif %changelog +* Tue Aug 24 2010 Dan Walsh 3.8.8-20 +- Allow cron to look at user_cron_spool links +- Lots of fixes for mozilla_plugin_t +- Add sysv file system +- Turn unconfined domains to permissive to find additional avcs + * Mon Aug 23 2010 Dan Walsh 3.8.8-19 - Update policy for mozilla_plugin_t