[COMMIT] refpolicy branch, master, updated. contrib-4-gf718181
cpebenito at oss.tresys.com
Tue Sep 13 12:17:26 CDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy".
The branch, master has been updated
via f71818193008cad39e280db257507d540220a501 (commit)
via f12ebf31e2497b098cb768c388a8eb9a1f56b303 (commit)
from b7e70f900f354dd05baf51dfe5b3d449fc30e4e6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f71818193008cad39e280db257507d540220a501
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Sep 13 12:43:37 2011 -0400
Module version bump for semanage permissive mode feature support.
commit f12ebf31e2497b098cb768c388a8eb9a1f56b303
Author: Sven Vermeulen <sven.vermeulen at siphos.be>
Date: Fri Sep 9 21:36:59 2011 +0200
Support semanage permissive mode
The semanage application supports a "semanage permissive" feature,
allowing certain domains to be marked for running permissive (rather
than the entire system).
To support this feature, we introduce a semanage_var_lib_t type for the
location where semanage will keep its permissive_<domain>.* files, and
allow semanage_t to work with fifo_files (needed for the command to
work).
Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
-----------------------------------------------------------------------
Summary of changes:
policy/modules/system/selinuxutil.fc | 5 +++++
policy/modules/system/selinuxutil.te | 9 ++++++++-
2 files changed, 13 insertions(+), 1 deletions(-)
Detailed diffset:
:100644 100644 2cc4bda... 83848fc... M policy/modules/system/selinuxutil.fc
:100644 100644 3ac9e80... d7855d3... M policy/modules/system/selinuxutil.te
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 2cc4bda..83848fc 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -43,6 +43,11 @@
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
+# /var/lib
+#
+/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_var_lib_t,s0)
+
+#
# /var/run
#
/var/run/restorecond\.pid -- gen_context(system_u:object_r:restorecond_var_run_t,s0)
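Review bot: The new entry `/var/lib/selinux(/.*)?` has no file-class specifier and covers the whole tree, while the commit message only mentions the permissive_<domain>.* files kept there. Anything else placed under /var/lib/selinux will also be labeled semanage_var_lib_t and become manageable by semanage_t, so it is worth confirming that nothing else is expected in that directory, or saying in the comment block above the entry that the whole directory belongs to semanage.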
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 3ac9e80..d7855d3 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.15.3)
+policy_module(selinuxutil, 1.15.4)
gen_require(`
bool secure_mode;
@@ -103,6 +103,9 @@ files_tmp_file(semanage_tmp_t)
type semanage_trans_lock_t;
files_type(semanage_trans_lock_t)
+type semanage_var_lib_t;
+files_type(semanage_var_lib_t)
+
type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
type setfiles_exec_t alias restorecon_exec_t;
init_system_domain(setfiles_t, setfiles_exec_t)
@@ -430,6 +433,7 @@ allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow semanage_t self:fifo_file rw_fifo_file_perms;
allow semanage_t policy_config_t:file rw_file_perms;
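Review bot: The added `allow semanage_t self:fifo_file rw_fifo_file_perms;` has no comment recording why it is needed; the commit message only says it is "needed for the command to work". A one-line comment above the rule naming the semanage permissive feature as the reason would let a later audit of semanage_t's permissions tell this rule apart from leftovers. The rule is scoped to self, so the grant itself is narrow.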
@@ -437,6 +441,9 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
+
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
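Review bot: The two manage patterns on semanage_var_lib_t are not accompanied, in the hunks shown, by a rule that lets semanage_t reach or create /var/lib/selinux beneath /var/lib, for example files_search_var_lib(semanage_t), or files_var_lib_filetrans(semanage_t, semanage_var_lib_t, dir) if semanage is expected to create the directory itself. If those are not already granted elsewhere in selinuxutil.te, the directory has to exist and be labeled beforehand through the new file context entry; please confirm which is intended.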
hooks/post-receive
--
refpolicy