[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/selinux-policy-strict/devel policy-20050706.patch, 1.3, 1.4 selinux-policy-strict.spec, 1.345, 1.346



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv20404

Modified Files:
	policy-20050706.patch selinux-policy-strict.spec 
Log Message:
* Wed Jul 6 2005 Dan Walsh <dwalsh redhat com> 1.25.1-4
- Add boolean to allow sysadm_t to ptrace


policy-20050706.patch:
 domains/admin.te                     |    5 +++++
 domains/program/getty.te             |    7 +++++++
 domains/program/netutils.te          |    2 ++
 domains/program/passwd.te            |    5 +++++
 domains/program/unused/apache.te     |    1 +
 domains/program/unused/apmd.te       |    7 +++++--
 domains/program/unused/bluetooth.te  |    3 ++-
 domains/program/unused/ciped.te      |    3 +--
 domains/program/unused/cups.te       |    7 +++++--
 domains/program/unused/cyrus.te      |    5 +----
 domains/program/unused/dhcpc.te      |    1 +
 domains/program/unused/dovecot.te    |    1 +
 domains/program/unused/hald.te       |    3 ++-
 domains/program/unused/hotplug.te    |    4 +++-
 domains/program/unused/hwclock.te    |    3 ---
 domains/program/unused/nscd.te       |    1 +
 domains/program/unused/prelink.te    |    3 ---
 domains/program/unused/radvd.te      |    3 ++-
 domains/program/unused/rpcd.te       |    6 +++++-
 domains/program/unused/samba.te      |   27 +++++++++++++++++++++++++++
 domains/program/unused/squid.te      |    3 +++
 domains/program/unused/winbind.te    |   12 +++++++++++-
 file_contexts/program/cups.fc        |    2 ++
 file_contexts/program/samba.fc       |    1 +
 file_contexts/program/winbind.fc     |    1 +
 file_contexts/types.fc               |   14 +++++++-------
 macros/admin_macros.te               |    3 ---
 macros/base_user_macros.te           |    4 +---
 macros/global_macros.te              |    1 +
 macros/program/apache_macros.te      |    1 +
 macros/program/chkpwd_macros.te      |    7 +++++++
 macros/program/dbusd_macros.te       |    2 +-
 macros/program/evolution_macros.te   |    6 ------
 macros/program/games_domain.te       |    3 ---
 macros/program/java_macros.te        |    2 --
 macros/program/mail_client_macros.te |   10 ++++++++--
 macros/program/mozilla_macros.te     |    2 --
 macros/program/mplayer_macros.te     |    2 +-
 macros/program/xserver_macros.te     |    4 ----
 net_contexts                         |    2 ++
 targeted/domains/unconfined.te       |    5 +++++
 tunables/distro.tun                  |    2 +-
 tunables/tunable.tun                 |    4 ++--
 types/network.te                     |    1 -
 44 files changed, 131 insertions(+), 60 deletions(-)

Index: policy-20050706.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050706.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20050706.patch	6 Jul 2005 22:34:05 -0000	1.3
+++ policy-20050706.patch	6 Jul 2005 23:40:36 -0000	1.4
@@ -299,6 +299,47 @@
  
  can_udp_send(nfsd_t, portmap_t)
  can_udp_send(portmap_t, nfsd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.1/domains/program/unused/samba.te
+--- nsapolicy/domains/program/unused/samba.te	2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.1/domains/program/unused/samba.te	2005-07-06 19:34:44.000000000 -0400
+@@ -47,6 +47,8 @@
+ 
+ # Use the network.
+ can_network(smbd_t)
++can_ldap(smbd_t)
++can_kerberos(smbd_t)
+ allow smbd_t ipp_port_t:tcp_socket name_connect;
+ 
+ allow smbd_t urandom_device_t:chr_file { getattr read };
+@@ -182,3 +184,28 @@
+ allow smbmount_t userdomain:fd use;
+ allow smbmount_t local_login_t:fd use;
+ ')
++# Derive from app. domain. Transition from mount.
++application_domain(samba_net, `, nscd_client_domain, privfd')
++file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
++read_locale(samba_net_t) 
++allow samba_net_t samba_etc_t:file r_file_perms;
++r_dir_file(samba_net_t, samba_var_t)
++can_network_udp(samba_net_t)
++access_terminal(samba_net_t, sysadm)
++allow samba_net_t self:unix_dgram_socket create_socket_perms;
++allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
++rw_dir_create_file(samba_net_t, samba_var_t)
++allow samba_net_t etc_t:file { getattr read };
++can_network_client(samba_net_t)
++allow samba_net_t smbd_port_t:tcp_socket name_connect;
++can_ldap(samba_net_t)
++allow samba_net_t newrole_t:fd use;
++can_kerberos(samba_net_t)
++allow samba_net_t urandom_device_t:chr_file r_file_perms;
++allow samba_net_t proc_t:dir search;
++allow samba_net_t proc_t:lnk_file read;
++allow samba_net_t self:dir search;
++allow samba_net_t self:file read;
++allow samba_net_t self:process signal;
++tmp_domain(samba_net)
++dontaudit samba_net_t sysadm_home_dir_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.1/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.1/domains/program/unused/squid.te	2005-07-06 17:29:15.000000000 -0400
@@ -311,8 +352,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-06 17:29:15.000000000 -0400
-@@ -21,6 +21,9 @@
++++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-06 19:23:53.000000000 -0400
+@@ -21,8 +21,11 @@
  type samba_log_t, file_type, sysadmfile, logfile;
  type samba_var_t, file_type, sysadmfile;
  type samba_secrets_t, file_type, sysadmfile;
@@ -320,8 +361,11 @@
 +allow smbd_t winbind_var_run_t:dir r_dir_perms;
 +allow smbd_t winbind_var_run_t:sock_file getattr;
  ')
- rw_dir_file(winbind_t, samba_etc_t)
+-rw_dir_file(winbind_t, samba_etc_t)
++file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
  rw_dir_create_file(winbind_t, samba_log_t)
+ allow winbind_t samba_secrets_t:file rw_file_perms;
+ allow winbind_t self:unix_dgram_socket create_socket_perms;
 @@ -33,3 +36,10 @@
  can_kerberos(winbind_t)
  allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
@@ -342,6 +386,17 @@
  /var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
 +/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
 +/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.25.1/file_contexts/program/samba.fc
+--- nsapolicy/file_contexts/program/samba.fc	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.25.1/file_contexts/program/samba.fc	2005-07-06 18:52:13.000000000 -0400
+@@ -1,6 +1,7 @@
+ # samba scripts
+ /usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
+ /usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t
++/usr/bin/net		--	system_u:object_r:samba_net_exec_t
+ /etc/samba(/.*)?		system_u:object_r:samba_etc_t
+ /var/log/samba(/.*)?		system_u:object_r:samba_log_t
+ /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.25.1/file_contexts/program/winbind.fc
 --- nsapolicy/file_contexts/program/winbind.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.25.1/file_contexts/program/winbind.fc	2005-07-06 17:29:15.000000000 -0400
@@ -434,8 +489,8 @@
  #
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-06 17:29:15.000000000 -0400
-@@ -32,6 +32,8 @@
++++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-06 19:35:03.000000000 -0400
+@@ -32,9 +32,16 @@
  domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
  allow auth_chkpwd sbin_t:dir search;
  allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
@@ -444,6 +499,14 @@
  dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
  dontaudit auth_chkpwd shadow_t:file { getattr read };
  can_ypbind(auth_chkpwd)
++can_kerberos(auth_chkpwd)
++can_ldap(auth_chkpwd)
++ifdef(`winbind.te', `
++r_dir_file(auth_chkpwd, winbind_var_run_t)
++')
+ ', `
+ domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+ allow $1_t sbin_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.25.1/macros/program/dbusd_macros.te
 --- nsapolicy/macros/program/dbusd_macros.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.1/macros/program/dbusd_macros.te	2005-07-06 17:29:15.000000000 -0400


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.345
retrieving revision 1.346
diff -u -r1.345 -r1.346
--- selinux-policy-strict.spec	6 Jul 2005 22:34:06 -0000	1.345
+++ selinux-policy-strict.spec	6 Jul 2005 23:40:36 -0000	1.346
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.1
-Release: 3
+Release: 4
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -229,7 +229,7 @@
 exit 0
 
 %changelog
-* Wed Jul 6 2005 Dan Walsh <dwalsh redhat com> 1.25.1-3
+* Wed Jul 6 2005 Dan Walsh <dwalsh redhat com> 1.25.1-4
 - Add boolean to allow sysadm_t to ptrace
 
 * Wed Jul 6 2005 Dan Walsh <dwalsh redhat com> 1.25.1-1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]