diff --git a/policy-20100106.patch b/policy-20100106.patch index 7e41d73..aa1cdf0 100644 --- a/policy-20100106.patch +++ b/policy-20100106.patch @@ -736,7 +736,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.6.32/policy/modules/admin/prelink.te --- nsaserefpolicy/policy/modules/admin/prelink.te 2010-01-18 18:24:22.564530406 +0100 -+++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-02-01 20:30:49.318160848 +0100 ++++ serefpolicy-3.6.32/policy/modules/admin/prelink.te 2010-03-26 07:56:32.448610343 +0100 @@ -108,6 +108,7 @@ miscfiles_read_localization(prelink_t) @@ -745,6 +745,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_manage_user_home_content(prelink_t) optional_policy(` +@@ -156,6 +157,8 @@ + files_search_var_lib(prelink_cron_system_t) + files_search_var_log(prelink_cron_system_t) + ++files_dontaudit_search_all_mountpoints(prelink_cron_system_t) ++ + init_chat(prelink_cron_system_t) + init_exec(prelink_cron_system_t) + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-3.6.32/policy/modules/admin/quota.te --- nsaserefpolicy/policy/modules/admin/quota.te 2009-09-16 16:01:19.000000000 +0200 +++ serefpolicy-3.6.32/policy/modules/admin/quota.te 2010-02-11 17:52:39.497458571 +0100 
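Review bot: The added `files_dontaudit_search_all_mountpoints(prelink_cron_system_t)` in the prelink.te hunk (inner `@@ -156,6 +157,8 @@`) suppresses denials with no comment saying which access prompted it. The same applies to `userdom_dontaudit_write_user_tmp_files(policykit_auth_t)` added in the policykit.te hunk further down. A dontaudit rule leaves the access denied but drops the AVC record, so anyone investigating these domains later will not see the attempts unless dontaudit rules are switched off (for example with `semodule -DB`). I would put a one-line comment above each rule with the real reason filled in, along the lines of `# denial is noise from <observed operation>; see <BUG-ID placeholder>`, so the suppression can be re-evaluated. The policy blocks these lines sit in continue outside the hunks.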
@@ -1182,7 +1191,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/chrome.te serefpolicy-3.6.32/policy/modules/apps/chrome.te --- nsaserefpolicy/policy/modules/apps/chrome.te 2010-01-18 18:24:22.588542189 +0100 -+++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-03-18 15:08:01.040764195 +0100 ++++ serefpolicy-3.6.32/policy/modules/apps/chrome.te 2010-03-26 07:54:33.452601074 +0100 @@ -23,8 +23,7 @@ # # chrome_sandbox local policy @@ -1193,12 +1202,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow chrome_sandbox_t self:process { signal_perms setrlimit execmem execstack }; allow chrome_sandbox_t self:fifo_file manage_file_perms; allow chrome_sandbox_t self:unix_stream_socket create_stream_socket_perms; -@@ -45,10 +44,13 @@ +@@ -45,10 +44,14 @@ domain_dontaudit_read_all_domains_state(chrome_sandbox_t) +dev_read_sysfs(chrome_sandbox_t) dev_read_urand(chrome_sandbox_t) ++dev_rwx_zero(chrome_sandbox_t) files_read_etc_files(chrome_sandbox_t) @@ -1207,7 +1217,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_rw_user_tmpfs_files(chrome_sandbox_t) userdom_use_user_ptys(chrome_sandbox_t) userdom_write_inherited_user_tmp_files(chrome_sandbox_t) -@@ -59,15 +61,17 @@ +@@ -59,15 +62,17 @@ miscfiles_read_fonts(chrome_sandbox_t) optional_policy(` 
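Review bot: `dev_rwx_zero(chrome_sandbox_t)` in the chrome.te hunk (inner `@@ -45,10 +44,14 @@`) gives the sandbox domain execute access on the zero device, and nothing in the patch or the spec changelog records why. The context line above it shows chrome_sandbox_t already has `execmem execstack` on itself, so this probably adds little new capability. It still widens a domain whose purpose is confinement, so it should be traceable to a specific denial. I would add a comment above the line, e.g. `# chrome-sandbox maps /dev/zero executable; see <BUG-ID placeholder>`, and list the change in the 3.6.32-107 `%changelog` entry, which currently mentions only the pppd modem change.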
@@ -10058,7 +10068,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/policykit.te serefpolicy-3.6.32/policy/modules/services/policykit.te --- nsaserefpolicy/policy/modules/services/policykit.te 2010-01-18 18:24:22.850542758 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-03-02 16:54:44.272615486 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/policykit.te 2010-03-26 07:58:03.235601446 +0100 @@ -1,5 +1,5 @@ -policy_module(policykit, 1.0.1) @@ -10118,7 +10128,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(policykit_auth_t) files_read_usr_files(policykit_auth_t) files_search_home(policykit_auth_t) -@@ -129,8 +135,10 @@ +@@ -129,8 +135,11 @@ miscfiles_read_localization(policykit_auth_t) miscfiles_read_fonts(policykit_auth_t) @@ -10126,6 +10136,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol userdom_dontaudit_read_user_home_content_files(policykit_auth_t) +userdom_read_admin_home_files(policykit_auth_t) ++userdom_dontaudit_write_user_tmp_files(policykit_auth_t) optional_policy(` dbus_system_domain( policykit_auth_t, policykit_auth_exec_t) @@ -10244,7 +10255,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.6.32/policy/modules/services/ppp.te --- nsaserefpolicy/policy/modules/services/ppp.te 2010-01-18 18:24:22.860530341 +0100 -+++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-02-16 17:01:56.727848442 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/ppp.te 2010-03-26 07:52:50.814601031 +0100 @@ -71,7 +71,7 @@ # PPPD Local policy # 
@@ -10254,7 +10265,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dontaudit pppd_t self:capability sys_tty_config; allow pppd_t self:process signal; allow pppd_t self:fifo_file rw_fifo_file_perms; -@@ -122,6 +122,7 @@ +@@ -122,9 +122,11 @@ kernel_read_network_state(pppd_t) kernel_request_load_module(pppd_t) @@ -10262,7 +10273,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_urand(pppd_t) dev_search_sysfs(pppd_t) dev_read_sysfs(pppd_t) -@@ -167,6 +168,7 @@ ++dev_rw_modem(pppd_t) + + corenet_all_recvfrom_unlabeled(pppd_t) + corenet_all_recvfrom_netlabel(pppd_t) +@@ -167,6 +169,7 @@ auth_use_nsswitch(pppd_t) @@ -10270,7 +10285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol logging_send_syslog_msg(pppd_t) miscfiles_read_localization(pppd_t) -@@ -192,6 +194,10 @@ +@@ -192,6 +195,10 @@ ') optional_policy(` 
@@ -11487,6 +11502,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + write_files_pattern($1, rsync_etc_t, rsync_etc_t) + files_search_etc($1) +') +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.32/policy/modules/services/rsync.te +--- nsaserefpolicy/policy/modules/services/rsync.te 2010-01-18 18:24:22.881530638 +0100 ++++ serefpolicy-3.6.32/policy/modules/services/rsync.te 2010-03-26 07:50:02.122850866 +0100 +@@ -124,6 +124,7 @@ + ') + + tunable_policy(`rsync_export_all_ro',` ++ files_getattr_all_pipes(rsync_t) + fs_read_noxattr_fs_files(rsync_t) + fs_read_nfs_files(rsync_t) + fs_read_cifs_files(rsync_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.32/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2010-01-18 18:24:22.886540773 +0100 +++ serefpolicy-3.6.32/policy/modules/services/samba.te 2010-03-18 14:27:30.841764712 +0100 
@@ -16241,13 +16267,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-3.6.32/policy/modules/system/userdomain.fc --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-01-18 18:24:22.977540055 +0100 -+++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-01-18 18:27:02.791532114 +0100 -@@ -6,4 +6,5 @@ ++++ serefpolicy-3.6.32/policy/modules/system/userdomain.fc 2010-03-26 15:26:10.081766491 +0100 +@@ -6,4 +6,6 @@ /dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) /dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) +HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0) HOME_DIR/\.gvfs(/.*)? <> ++/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.32/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2010-01-18 18:24:22.983531669 +0100 +++ serefpolicy-3.6.32/policy/modules/system/userdomain.if 2010-03-09 16:30:07.806384243 +0100 diff --git a/selinux-policy.spec b/selinux-policy.spec index e5855ea..4ec9b0e 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.6.32 -Release: 106%{?dist} +Release: 107%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -469,6 +469,9 @@ exit 0 %endif %changelog +* Fri Mar 26 2010 Miroslav Grepl 3.6.32-107 +- Allow pppd to read and write to modem devices + * Thu Mar 23 2010 Miroslav Grepl 3.6.32-106 - Allow mysqld_safe setsched, getsched - Allow logrotate to transition to sssd
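Review bot: The userdomain.fc hunk labels `/root/\.cert(/.*)?` as home_cert_t but adds no matching entry for `/root/\.pki`, although the `HOME_DIR/\.pki(/.*)?` line just above it covers both directories for ordinary home directories. If HOME_DIR entries are not expanded for /root, which the need for an explicit /root line suggests, root's `.pki` directory keeps its default label and is handled differently from every other user's. I would add `/root/\.pki(/.*)? gen_context(system_u:object_r:home_cert_t,s0)` next to the new line. Directories that already exist only pick up the new context after a relabel such as `restorecon -R /root/.cert`, so it is worth confirming the package update triggers one.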