
rpms/selinux-policy-targeted/FC-4 policy-20050712.patch, NONE, 1.1 selinux-policy-targeted.spec, 1.322, 1.323 sources, 1.119, 1.120



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv1930

Modified Files:
	selinux-policy-targeted.spec sources 
Added Files:
	policy-20050712.patch 
Log Message:
* Wed Jul 13 2005 Dan Walsh <dwalsh redhat com> 1.25.2-3
- Bump for FC4


policy-20050712.patch:
 assert.te                           |    2 +-
 attrib.te                           |    4 ++++
 domains/program/ifconfig.te         |    1 +
 domains/program/unused/cvs.te       |    2 ++
 domains/program/unused/pppd.te      |    8 ++++++++
 domains/program/unused/radvd.te     |    6 +++---
 domains/program/unused/rlogind.te   |    1 +
 domains/program/unused/rpcd.te      |    7 ++++---
 domains/program/unused/saslauthd.te |   10 +++++++++-
 domains/program/unused/winbind.te   |    1 +
 file_contexts/program/apache.fc     |    2 ++
 file_contexts/program/i18n_input.fc |    2 +-
 macros/program/chkpwd_macros.te     |    3 +++
 targeted/domains/program/crond.te   |    9 ++++++---
 tunables/distro.tun                 |    2 +-
 tunables/tunable.tun                |    4 ++--
 16 files changed, 49 insertions(+), 15 deletions(-)

--- NEW FILE policy-20050712.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.25.2/assert.te
--- nsapolicy/assert.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.2/assert.te	2005-07-12 16:12:07.000000000 -0400
@@ -41,7 +41,7 @@
 
 #
 # Verify that only appropriate domains can access /etc/shadow
-neverallow { domain -auth -auth_write -unrestricted } shadow_t:file ~getattr;
+neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
 neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
 
 #
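Review bot: The comment `# Verify that only appropriate domains can access /etc/shadow` no longer describes the first neverallow once `-auth_bool` is added, because a domain carrying auth_bool is exempted from that check entirely, whether or not its boolean is enabled. attrib.te in this same patch defines auth_bool as the boolean-gated shadow readers, so presumably the conditional allow still trips the assertion at build time and the exemption is what lets the policy compile; that reasoning belongs in the comment, e.g. `# auth_bool domains read shadow_t only under a boolean, but the conditional allow still counts here, so they are exempted from the getattr check`. The second neverallow on `~r_file_perms` was deliberately left untouched, so an auth_bool domain can still be granted at most read access, and a second comment line saying so would make clear which property is still being asserted.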
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.25.2/attrib.te
--- nsapolicy/attrib.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.2/attrib.te	2005-07-12 16:12:07.000000000 -0400
@@ -141,6 +141,10 @@
 # to read /etc/shadow, and grants the permission.
 attribute auth;
 
+# The auth_bool attribute identifies every domain that can 
+# read /etc/shadow if its boolean is set;
+attribute auth_bool;
+
 # The auth_write attribute identifies every domain that can have write or
 # relabel access to /etc/shadow, but does not grant it.
 attribute auth_write;
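Review bot: The new comment ends in a stray semicolon and carries trailing whitespace on its first line, and it does not say what the attribute is used for beyond naming the domains. Since assert.te in this patch uses auth_bool solely to exempt those domains from the shadow_t neverallow, the comment would be more useful as `# The auth_bool attribute identifies every domain that may read /etc/shadow when its controlling boolean is enabled; assert.te exempts these domains from the shadow_t neverallow, since the conditional allow would otherwise fail the assertion.` Matching the two-line style of the neighbouring `auth` and `auth_write` comments keeps the file consistent.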
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.2/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-05-07 00:41:08.000000000 -0400
+++ policy-1.25.2/domains/program/ifconfig.te	2005-07-12 16:12:07.000000000 -0400
@@ -26,6 +26,7 @@
 ')
 
 # for /sbin/ip
+allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 allow ifconfig_t etc_t:file { getattr read };
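Review bot: The added `allow ifconfig_t self:packet_socket create_socket_perms;` is placed directly under the existing `# for /sbin/ip` comment, so a reader will attribute it to `ip`; if it was actually added for `ifconfig` (or another tool) the placement misleads, and either way the reason is not recorded. Packet sockets give a domain link-layer access, and if `create_socket_perms` carries read and write here as it does for the other socket classes in this file, this is a broader grant than the existing `tcp_socket { create ioctl }` line, so it deserves its own justification, e.g. `# ifconfig/ip open an AF_PACKET socket for link-level queries` adjusted to whatever the observed denial was. The enclosing `ifdef` block whose closing `')` is the first context line starts outside the hunk.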
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.2/domains/program/unused/cvs.te
--- nsapolicy/domains/program/unused/cvs.te	2005-04-27 10:28:50.000000000 -0400
+++ policy-1.25.2/domains/program/unused/cvs.te	2005-07-13 06:22:19.000000000 -0400
@@ -14,3 +14,5 @@
 inetd_child_domain(cvs, tcp)
 type cvs_data_t, file_type, sysadmfile;
 create_dir_file(cvs_t, cvs_data_t)
+typeattribute cvs_t privmail;
+
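Review bot: `typeattribute cvs_t privmail;` is appended without any comment, and the second added line is an empty trailing line at end of file. The spec changelog in this commit gives the intent ("Allow cvs to send mail"), so a one-line comment such as `# Allow cvs to send mail (privmail grants the sendmail transition)` would keep that reasoning with the rule rather than only in the changelog; the trailing blank line can be dropped.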
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.2/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/pppd.te	2005-07-12 16:12:07.000000000 -0400
@@ -102,3 +102,11 @@
 allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
 allow pppd_t initrc_var_run_t:file r_file_perms;
 dontaudit pppd_t initrc_var_run_t:file { lock write };
+
+# pppd needs to load kernel modules for certain modems
+bool pppd_can_insmod false;
+if (pppd_can_insmod) {
+ifdef(`modutil.te', `
+domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
+')
+}
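Review bot: The `ifdef(`modutil.te', ...)` is nested inside `if (pppd_can_insmod) { }`, so on a build without modutil.te the boolean `pppd_can_insmod` is still declared but its conditional block is empty and the boolean does nothing. Nesting the other way round — `ifdef` on the outside — declares the boolean only where it has an effect, and also gives a natural place to document why the default is false: pppd handles data from the remote peer, and this boolean lets that domain start the module-loader domain insmod_t. The rewritten block follows, with the body lines kept unindented as the rest of the file does.

```m4
# pppd needs to load kernel modules for certain modems.
# Off by default: pppd processes data from the remote peer, so enabling
# this lets the pppd_t domain launch the module loader (insmod_t).
ifdef(`modutil.te', `
bool pppd_can_insmod false;
if (pppd_can_insmod) {
domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
}
')
```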
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.2/domains/program/unused/radvd.te
--- nsapolicy/domains/program/unused/radvd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/radvd.te	2005-07-12 16:12:07.000000000 -0400
@@ -15,15 +15,15 @@
 
 allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
 
-allow radvd_t self:capability { net_raw setgid };
+allow radvd_t self:capability { setgid setuid net_raw setgid };
 allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 
 can_network_server(radvd_t)
 can_ypbind(radvd_t)
 
-allow radvd_t proc_t:dir r_dir_perms;
-allow radvd_t proc_t:file { getattr read };
+allow radvd_t { proc_t proc_net_t }:dir r_dir_perms;
+allow radvd_t { proc_t proc_net_t }:file { getattr read };
 allow radvd_t etc_t:lnk_file read;
 
 allow radvd_t sysctl_net_t:file r_file_perms;
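Review bot: The rewritten capability line `allow radvd_t self:capability { setgid setuid net_raw setgid };` lists `setgid` twice; checkpolicy will accept it, but the duplicate looks like an editing slip and should be `allow radvd_t self:capability { net_raw setgid setuid };`. The newly granted `setuid` has no comment; presumably radvd uses it to drop root to its configured user after binding, and `# setuid/setgid: drop privileges to the radvd user` would record that. The `proc_net_t` additions in the second pair of lines look fine.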
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.2/domains/program/unused/rlogind.te
--- nsapolicy/domains/program/unused/rlogind.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.2/domains/program/unused/rlogind.te	2005-07-13 06:35:16.000000000 -0400
@@ -35,3 +35,4 @@
 allow rlogind_t default_t:dir search;
 typealias rlogind_port_t alias rlogin_port_t;
 read_sysctl(rlogind_t);
+allow rlogind_t krb5_keytab_t:file { getattr read };
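Review bot: `allow rlogind_t krb5_keytab_t:file { getattr read };` references krb5_keytab_t unconditionally; if that type is declared in an optional .te file, builds that omit it will fail on an undefined type, and elsewhere in this patch such cross-module rules are wrapped as `ifdef(`winbind.te', ...)` / `ifdef(`modutil.te', ...)`. If that applies here, wrap it the same way, `ifdef(`<file that declares krb5_keytab_t>', `allow rlogind_t krb5_keytab_t:file { getattr read };')`, with the real filename substituted. The changelog describes this as "Allow klogin to read keytab file"; a comment on the rule naming the kerberized rlogin daemon as the consumer would tie the two together.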
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.25.2/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/rpcd.te	2005-07-12 16:12:07.000000000 -0400
@@ -93,7 +93,8 @@
 bool nfs_export_all_rw false;
 
 if(nfs_export_all_rw) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t, noexattrfile)
 create_dir_file(kernel_t,{ file_type -shadow_t })
 }
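Review bot: Inside the `nfs_export_all_rw` block, the new `r_dir_file(kernel_t, noexattrfile)` grants kernel_t only read access to noexattrfile types while the existing `create_dir_file(kernel_t,{ file_type -shadow_t })` on the next line grants create and write to file_type; so with the read-write boolean enabled, noexattrfile-labelled files are exported read-only, which contradicts the boolean's name unless that is intended. If read-only is deliberate, say so: `# noexattrfile types (filesystems without xattr support) are exported read-only even here`; otherwise add noexattrfile to the create_dir_file set instead of the separate r_dir_file line. The second hunk (the `nfs_export_all_ro` block) is internally consistent, since both nfsd_t and kernel_t get read access there.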
 
@@ -102,8 +103,8 @@
 bool nfs_export_all_ro false;
 
 if(nfs_export_all_ro) {
-allow nfsd_t { file_type -shadow_t }:dir r_dir_perms;
-r_dir_file(kernel_t,{ file_type -shadow_t })
+allow nfsd_t { noexattrfile file_type -shadow_t }:dir r_dir_perms;
+r_dir_file(kernel_t,{ noexattrfile file_type -shadow_t })
 }
 
 allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.2/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.2/domains/program/unused/saslauthd.te	2005-07-12 16:12:07.000000000 -0400
@@ -3,7 +3,7 @@
 # Author: Colin Walters <walters verbum org>
 #
 
-daemon_domain(saslauthd, `, auth_chkpwd')
+daemon_domain(saslauthd, `, auth_chkpwd, auth_bool')
 
 allow saslauthd_t self:fifo_file { read write };
 allow saslauthd_t self:unix_dgram_socket create_socket_perms;
@@ -21,3 +21,11 @@
 
 # Needs investigation
 dontaudit saslauthd_t home_root_t:dir getattr;
+can_network_client_tcp(saslauthd_t)
+allow saslauthd_t pop_port_t:tcp_socket name_connect;
+
+bool allow_saslauthd_read_shadow false;
+
+if (allow_saslauthd_read_shadow) {
+allow saslauthd_t shadow_t:file r_file_perms;
+}
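Review bot: The new boolean `allow_saslauthd_read_shadow` has no comment explaining what it changes, unlike the pppd boolean added in this same patch. saslauthd is already declared with `auth_chkpwd` in the first hunk, so presumably the normal path goes through the chkpwd helper and this boolean bypasses it; `# Let saslauthd read /etc/shadow directly instead of via the chkpwd helper; off by default` would record that, and pairs with the auth_bool attribute added in the first hunk. The unconditional `can_network_client_tcp(saslauthd_t)` and `allow saslauthd_t pop_port_t:tcp_socket name_connect;` also lack a reason; a comment naming the saslauthd mechanism that contacts a mail server would help the next reader.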
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.2/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/domains/program/unused/winbind.te	2005-07-12 16:12:07.000000000 -0400
@@ -10,6 +10,7 @@
 
 daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
 log_domain(winbind)
+tmp_domain(winbind)
 allow winbind_t etc_t:file r_file_perms;
 allow winbind_t etc_t:lnk_file read;
 can_network(winbind_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.25.2/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.2/file_contexts/program/apache.fc	2005-07-12 16:12:07.000000000 -0400
@@ -50,3 +50,5 @@
 ifdef(`targeted_policy', `', `
 /var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
 ')
+/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t
+
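Review bot: The new entry `/usr/sbin/apachectl -- system_u:object_r:initrc_exec_t` is added with no explanation and is followed by an added empty trailing line. Labelling a wrapper script initrc_exec_t means that whoever runs apachectl enters initrc_t (where the transition is permitted), presumably so that the httpd it launches lands in httpd_t rather than in the caller's domain; a comment such as `# apachectl is a wrapper; run it as initrc so httpd transitions to httpd_t` keeps that intent in the file, and the trailing blank line can go.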
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.25.2/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc	2005-05-02 14:06:56.000000000 -0400
+++ policy-1.25.2/file_contexts/program/i18n_input.fc	2005-07-12 16:12:07.000000000 -0400
@@ -1,7 +1,7 @@
 # i18n_input.fc
 /usr/sbin/htt                   --     system_u:object_r:i18n_input_exec_t
 /usr/sbin/htt_server            --     system_u:object_r:i18n_input_exec_t
-/usr/bin/iiimd		        --     system_u:object_r:i18n_input_exec_t
+/usr/bin/iiimd\.bin	        --     system_u:object_r:i18n_input_exec_t
 /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
 /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
 /usr/bin/iiimx                  --     system_u:object_r:i18n_input_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.2/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.2/macros/program/chkpwd_macros.te	2005-07-12 16:12:07.000000000 -0400
@@ -42,6 +42,9 @@
 ifdef(`winbind.te', `
 r_dir_file(auth_chkpwd, winbind_var_run_t)
 ')
+r_dir_file(auth_chkpwd, cert_t)
+r_dir_file($1_chkpwd_t, cert_t)
+allow $1_chkpwd_t { random_device_t urandom_device_t }:chr_file { getattr read };
 ', `
 domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
 allow $1_t sbin_t:dir search;
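Review bot: `r_dir_file(auth_chkpwd, cert_t)` does not depend on `$1`, so it is re-emitted verbatim each time the macro is expanded; checkpolicy merges the duplicates, but the rule logically belongs outside the macro. The existing `r_dir_file(auth_chkpwd, winbind_var_run_t)` just above follows the same pattern, so this may be a deliberate convention here; if so, a short comment saying the attribute rules are expected to be duplicated per expansion would stop the next reader from "fixing" it. The new cert_t and random-device access also has no comment; the enclosing `ifdef` whose else-branch begins at `', `` starts outside the hunk.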
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.25.2/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te	2005-06-29 16:36:19.000000000 -0400
+++ policy-1.25.2/targeted/domains/program/crond.te	2005-07-12 16:12:07.000000000 -0400
@@ -11,7 +11,7 @@
 # This domain is defined just for targeted policy.
 #
 type crond_exec_t, file_type, sysadmfile, exec_type;
-type crond_t, domain, privuser, privrole, privowner;
+type crond_t, domain, privuser, privrole, privfd, privowner;
 typealias crond_t alias system_crond_t;
 type anacron_exec_t, file_type, sysadmfile, exec_type;
 type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
@@ -20,11 +20,14 @@
 role system_r types crond_t;
 domain_auto_trans(initrc_t, crond_exec_t, crond_t)
 domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
-unconfined_domain(crond_t)
 # Access log files
 file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
 file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
+var_run_domain(crond)
+
+ifdef(`targeted_policy', `
+unconfined_domain(crond_t)
 allow crond_t initrc_t:dbus send_msg;
 allow crond_t unconfined_t:dbus send_msg;
 allow crond_t unconfined_t:process transition;
-var_run_domain(crond)
+')
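Review bot: The re-added `unconfined_domain(crond_t)` and dbus rules are now wrapped in `ifdef(`targeted_policy', ...)`, but this file lives under `targeted/domains/program/` and its own header (first hunk) says "This domain is defined just for targeted policy", so the guard is either always true or the file is now meant to be shared with another policy flavour. Either way the header comment should be updated to say which, e.g. `# Also usable outside targeted policy; only the targeted build makes crond unconfined.` if sharing is the intent. Moving `var_run_domain(crond)` out of the guarded block looks correct, since it is needed in both cases.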
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.2/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.2/tunables/distro.tun	2005-07-12 16:12:07.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.2/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.2/tunables/tunable.tun	2005-07-12 16:12:07.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
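Review bot: Enabling `define(`hide_broken_symptoms')` in the shipped policy turns on the dontaudit rules the comment above describes, so denials that were previously logged will now be silent on every FC-4 system; that is a visibility trade-off for anyone debugging or monitoring with audit logs, and neither the changelog nor the tunable comment says that it is now the distro default. A line such as `# Enabled in the Fedora targeted build; disable when diagnosing unexpected denials.` would make the change discoverable. The `unlimitedRPM` flip in the first hunk of this file is consistent with targeted policy's treatment of rpm and needs no further note.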


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/selinux-policy-targeted.spec,v
retrieving revision 1.322
retrieving revision 1.323
diff -u -r1.322 -r1.323
--- selinux-policy-targeted.spec	11 Jul 2005 16:58:45 -0000	1.322
+++ selinux-policy-targeted.spec	13 Jul 2005 11:35:33 -0000	1.323
@@ -10,15 +10,15 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.25.1
-Release: 9
+Version: 1.25.2
+Release: 3
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
 Source1: booleans
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050706.patch
+Patch: policy-20050712.patch
 Patch1: policy-%{type}.patch
 
 BuildArch: noarch
@@ -237,6 +237,19 @@
 exit 0
 
 %changelog
+* Wed Jul 13 2005 Dan Walsh <dwalsh redhat com> 1.25.2-3
+- Bump for FC4
+
+* Wed Jul 13 2005 Dan Walsh <dwalsh redhat com> 1.25.2-2
+- Allow klogin to read keytab file.
+- Allow cvs to send mail
+
+* Tue Jul 12 2005 Dan Walsh <dwalsh redhat com> 1.25.2-1
+- Update to latest from NSA
+
+* Mon Jul 11 2005 Dan Walsh <dwalsh redhat com> 1.25.1-10
+- Change file context for iiimd -> iiimd.bin
+
 * Mon Jul 11 2005 Dan Walsh <dwalsh redhat com> 1.25.1-9
 - Bump for FC4
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/sources,v
retrieving revision 1.119
retrieving revision 1.120
diff -u -r1.119 -r1.120
--- sources	7 Jul 2005 19:43:40 -0000	1.119
+++ sources	13 Jul 2005 11:35:33 -0000	1.120
@@ -1 +1 @@
-c796981eb7f40135c19198841f76f0e7  policy-1.25.1.tgz
+35e8a874205a05efeb2b298b48dd8b8b  policy-1.25.2.tgz

