
rpms/selinux-policy-strict/devel policy-20050706.patch,1.7,1.8



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12310

Modified Files:
	policy-20050706.patch 
Log Message:
* Fri Jul 8 2005 Dan Walsh <dwalsh redhat com> 1.25.1-8
- Fix saslauthd policy to allow imapd and shadow access.


policy-20050706.patch:
 assert.te                            |    2 +-
 attrib.te                            |    4 ++++
 domains/admin.te                     |    5 +++++
 domains/program/getty.te             |    7 +++++++
 domains/program/login.te             |    2 +-
 domains/program/netutils.te          |    2 ++
 domains/program/passwd.te            |    5 +++++
 domains/program/ssh.te               |    2 +-
 domains/program/tmpreaper.te         |    4 ++--
 domains/program/unused/apache.te     |    1 +
 domains/program/unused/apmd.te       |    7 +++++--
 domains/program/unused/bluetooth.te  |    3 ++-
 domains/program/unused/cups.te       |    8 ++++++--
 domains/program/unused/cyrus.te      |    5 +----
 domains/program/unused/dhcpc.te      |    1 +
 domains/program/unused/dovecot.te    |    1 +
 domains/program/unused/ftpd.te       |    2 +-
 domains/program/unused/hald.te       |    3 ++-
 domains/program/unused/hotplug.te    |    4 +++-
 domains/program/unused/hwclock.te    |    3 ---
 domains/program/unused/iceauth.te    |    2 +-
 domains/program/unused/nscd.te       |    1 +
 domains/program/unused/pppd.te       |    7 ++++---
 domains/program/unused/prelink.te    |    7 +------
 domains/program/unused/procmail.te   |    1 +
 domains/program/unused/radvd.te      |    3 ++-
 domains/program/unused/rpcd.te       |    6 +++++-
 domains/program/unused/rpm.te        |    3 +++
 domains/program/unused/samba.te      |   34 ++++++++++++++++++++++++++++++++--
 domains/program/unused/saslauthd.te  |   10 +++++++++-
 domains/program/unused/squid.te      |    3 +++
 domains/program/unused/winbind.te    |   15 ++++++++++++++-
 domains/program/unused/xdm.te        |    2 +-
 file_contexts/program/cups.fc        |    2 ++
 file_contexts/program/rpcd.fc        |    3 ++-
 file_contexts/program/samba.fc       |    1 +
 file_contexts/program/winbind.fc     |    1 +
 file_contexts/types.fc               |   14 +++++++-------
 macros/admin_macros.te               |    3 ---
 macros/base_user_macros.te           |    5 ++---
 macros/global_macros.te              |    1 +
 macros/network_macros.te             |    7 +++++++
 macros/program/apache_macros.te      |    5 ++---
 macros/program/chkpwd_macros.te      |    7 +++++++
 macros/program/dbusd_macros.te       |    2 +-
 macros/program/evolution_macros.te   |    6 ------
 macros/program/games_domain.te       |    3 ---
 macros/program/java_macros.te        |    2 --
 macros/program/mail_client_macros.te |   10 ++++++++--
 macros/program/mozilla_macros.te     |    2 --
 macros/program/mplayer_macros.te     |    2 +-
 macros/program/xserver_macros.te     |    4 ----
 net_contexts                         |    2 ++
 targeted/domains/program/crond.te    |    9 ++++++---
 targeted/domains/unconfined.te       |    5 +++++
 tunables/distro.tun                  |    2 +-
 tunables/tunable.tun                 |    4 ++--
 types/network.te                     |    1 -
 58 files changed, 186 insertions(+), 82 deletions(-)

Index: policy-20050706.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050706.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20050706.patch	9 Jul 2005 02:11:31 -0000	1.7
+++ policy-20050706.patch	11 Jul 2005 16:53:00 -0000	1.8
@@ -1,3 +1,29 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.25.1/assert.te
+--- nsapolicy/assert.te	2005-05-25 11:28:09.000000000 -0400
++++ policy-1.25.1/assert.te	2005-07-11 12:51:43.000000000 -0400
+@@ -41,7 +41,7 @@
+ 
+ #
+ # Verify that only appropriate domains can access /etc/shadow
+-neverallow { domain -auth -auth_write -unrestricted } shadow_t:file ~getattr;
++neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+ neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
+ 
+ #
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.1/attrib.te
+--- nsapolicy/attrib.te	2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.1/attrib.te	2005-07-11 12:51:42.000000000 -0400
+@@ -141,6 +141,10 @@
+ # to read /etc/shadow, and grants the permission.
+ attribute auth;
+ 
++# The auth_bool attribute identifies every domain that can 
++# read /etc/shadow if its boolean is set;
++attribute auth_bool;
++
+ # The auth_write attribute identifies every domain that can have write or
+ # relabel access to /etc/shadow, but does not grant it.
+ attribute auth_write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.25.1/domains/admin.te
 --- nsapolicy/domains/admin.te	2005-04-27 10:28:48.000000000 -0400
 +++ policy-1.25.1/domains/admin.te	2005-07-07 21:12:02.000000000 -0400
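Review bot: Removing `auth_bool` domains from the first neverallow (the `~getattr` rule in assert.te) means the compile-time check no longer verifies shadow_t access for any domain carrying the attribute, regardless of how its boolean is set, so the assertion now relies on each such domain gating its shadow read correctly in its own conditional rule. The new attrib.te comment should state that consequence rather than only the intent, e.g. `# Domains with auth_bool are excluded from the shadow_t getattr neverallow in assert.te; each must gate its own shadow read behind a boolean, since the assertion no longer checks them.` As written the comment also ends with a stray `;` instead of a period and has trailing whitespace after `can`. The second neverallow (`~r_file_perms`) is unchanged and still covers auth_bool domains, so write and relabel access to shadow_t remains asserted for them.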
@@ -465,7 +491,16 @@
 +allow samba_net_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.1/domains/program/unused/saslauthd.te
 --- nsapolicy/domains/program/unused/saslauthd.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/saslauthd.te	2005-07-08 15:50:42.000000000 -0400
++++ policy-1.25.1/domains/program/unused/saslauthd.te	2005-07-11 12:52:01.000000000 -0400
+@@ -3,7 +3,7 @@
+ # Author: Colin Walters <walters verbum org>
+ #
+ 
+-daemon_domain(saslauthd, `, auth_chkpwd')
++daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
+ 
+ allow saslauthd_t self:fifo_file { read write };
+ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 @@ -21,3 +21,11 @@
  
  # Needs investigation
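Review bot: Adding `auth_bool` to saslauthd's `daemon_domain` line grants nothing by itself — per the new attrib.te comment it only marks a domain whose shadow read is conditional on a boolean — and the boolean declaration and the conditional allow rule are not in this hunk (the inner hunk at `@@ -21,3 +21,11 @@` runs past its end), so the default of that boolean, which decides whether saslauthd reads /etc/shadow directly rather than presumably through the auth_chkpwd helper path, cannot be confirmed here. A comment on the changed line naming the boolean would make the dependency visible: `# auth_bool: direct /etc/shadow read is conditional on the <BOOLEAN_NAME> boolean declared below`. The log message also says the change allows imapd, but nothing reaching imapd is visible in this hunk either.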
@@ -490,8 +525,16 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-07 21:12:02.000000000 -0400
-@@ -22,7 +22,7 @@
++++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-10 07:58:40.000000000 -0400
+@@ -10,6 +10,7 @@
+ 
+ daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
+ log_domain(winbind)
++tmp_domain(winbind)
+ allow winbind_t etc_t:file r_file_perms;
+ allow winbind_t etc_t:lnk_file read;
+ can_network(winbind_t)
+@@ -22,7 +23,7 @@
  type samba_var_t, file_type, sysadmfile;
  type samba_secrets_t, file_type, sysadmfile;
  ')
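Review bot: `tmp_domain(winbind)` is added between `log_domain(winbind)` and the etc_t rules with no comment saying what winbindd writes under /tmp, so a reader cannot tell whether the new private tmp type is for sockets, lock files or scratch data (the winbind.fc change in the diffstat may label the path, but it is not in this hunk). A one-line why-comment on the new line would carry that, e.g. `# winbindd creates <WHAT — confirm> under /tmp; give it a private winbind_tmp_t instead of generic tmp_t`. The rest of the hunk only renumbers the following inner hunk header.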
@@ -500,7 +543,7 @@
  rw_dir_create_file(winbind_t, samba_log_t)
  allow winbind_t samba_secrets_t:file rw_file_perms;
  allow winbind_t self:unix_dgram_socket create_socket_perms;
-@@ -33,3 +33,15 @@
+@@ -33,3 +34,15 @@
  can_kerberos(winbind_t)
  allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
  allow winbind_t winbind_var_run_t:sock_file create_file_perms;
@@ -857,6 +900,35 @@
  
  portcon tcp 106 system_u:object_r:pop_port_t
  portcon tcp 109 system_u:object_r:pop_port_t
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.25.1/targeted/domains/program/crond.te
+--- nsapolicy/targeted/domains/program/crond.te	2005-06-29 16:36:19.000000000 -0400
++++ policy-1.25.1/targeted/domains/program/crond.te	2005-07-10 07:54:37.000000000 -0400
+@@ -11,7 +11,7 @@
+ # This domain is defined just for targeted policy.
+ #
+ type crond_exec_t, file_type, sysadmfile, exec_type;
+-type crond_t, domain, privuser, privrole, privowner;
++type crond_t, domain, privuser, privrole, privfd, privowner;
+ typealias crond_t alias system_crond_t;
+ type anacron_exec_t, file_type, sysadmfile, exec_type;
+ type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
+@@ -20,11 +20,14 @@
+ role system_r types crond_t;
+ domain_auto_trans(initrc_t, crond_exec_t, crond_t)
+ domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
+-unconfined_domain(crond_t)
+ # Access log files
+ file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
+ file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
++var_run_domain(crond)
++
++ifdef(`targeted_policy', `
++unconfined_domain(crond_t)
+ allow crond_t initrc_t:dbus send_msg;
+ allow crond_t unconfined_t:dbus send_msg;
+ allow crond_t unconfined_t:process transition;
+-var_run_domain(crond)
++')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.1/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.1/targeted/domains/unconfined.te	2005-07-07 21:12:02.000000000 -0400
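Review bot: The retained header comment `# This domain is defined just for targeted policy.` now contradicts the new `ifdef(`targeted_policy', ...)` guard around `unconfined_domain(crond_t)` and the dbus/transition rules: if the file is only built for targeted policy the guard is redundant, and if it is now also built for strict the comment is stale and should say which rules remain targeted-only, e.g. `# Built for both policies; unconfined_domain and the dbus/transition rules below apply to targeted policy only.` Separately, `privfd` is added to the crond_t type line outside the guard, so in every build other domains may now use crond_t's fds (as the `privfd:fd use` rules elsewhere in this patch show) — a short why-comment on that line would help. Moving `var_run_domain(crond)` out of the guard looks intended, since crond needs its var_run type in either build.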

