
rpms/selinux-policy-strict/devel .cvsignore, 1.118, 1.119 policy-20050712.patch, 1.4, 1.5 selinux-policy-strict.spec, 1.353, 1.354 sources, 1.124, 1.125



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv5660

Modified Files:
	.cvsignore policy-20050712.patch selinux-policy-strict.spec 
	sources 
Log Message:
* Tue Jul 19 2005 Dan Walsh <dwalsh redhat com> 1.25.3-1
- Update to latest from NSA



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/.cvsignore,v
retrieving revision 1.118
retrieving revision 1.119
diff -u -r1.118 -r1.119
--- .cvsignore	12 Jul 2005 19:16:56 -0000	1.118
+++ .cvsignore	19 Jul 2005 21:12:00 -0000	1.119
@@ -84,3 +84,4 @@
 policy-1.24.tgz
 policy-1.25.1.tgz
 policy-1.25.2.tgz
+policy-1.25.3.tgz

policy-20050712.patch:
 assert.te                                |    2 +-
 attrib.te                                |    4 ++++
 domains/program/crond.te                 |    2 +-
 domains/program/fsadm.te                 |    2 +-
 domains/program/ifconfig.te              |    1 +
 domains/program/initrc.te                |    2 +-
 domains/program/modutil.te               |    2 +-
 domains/program/unused/NetworkManager.te |    8 ++++++++
 domains/program/unused/apmd.te           |    2 +-
 domains/program/unused/cvs.te            |   10 ++++++++++
 domains/program/unused/cyrus.te          |    1 +
 domains/program/unused/hald.te           |    4 ++++
 domains/program/unused/lvm.te            |    2 +-
 domains/program/unused/pamconsole.te     |    2 +-
 domains/program/unused/ping.te           |    2 ++
 domains/program/unused/pppd.te           |   28 ++++++++++++++++++++++++++++
 domains/program/unused/radvd.te          |    6 +++---
 domains/program/unused/rlogind.te        |    1 +
 domains/program/unused/rpcd.te           |    7 ++++---
 domains/program/unused/saslauthd.te      |   10 +++++++++-
 domains/program/unused/squid.te          |    1 +
 domains/program/unused/udev.te           |    5 +++--
 domains/program/unused/vpnc.te           |   15 +++++++++++++--
 domains/program/unused/winbind.te        |    2 ++
 file_contexts/program/apache.fc          |    2 ++
 file_contexts/program/i18n_input.fc      |    2 +-
 file_contexts/program/pppd.fc            |    1 +
 file_contexts/program/vpnc.fc            |    1 +
 genfs_contexts                           |    1 +
 macros/admin_macros.te                   |    1 +
 macros/base_user_macros.te               |   13 -------------
 macros/content_macros.te                 |    5 ++++-
 macros/global_macros.te                  |   19 +++++++++++++++++++
 macros/program/chkpwd_macros.te          |    3 +++
 macros/program/evolution_macros.te       |    5 +----
 macros/program/gconf_macros.te           |    1 +
 macros/program/gnome_vfs_macros.te       |    5 +++++
 macros/program/mail_client_macros.te     |    9 ++++++++-
 macros/program/mozilla_macros.te         |    4 ++++
 macros/program/thunderbird_macros.te     |    2 ++
 macros/user_macros.te                    |   18 +++---------------
 net_contexts                             |    1 +
 targeted/domains/program/crond.te        |    9 ++++++---
 tunables/distro.tun                      |    2 +-
 tunables/tunable.tun                     |    7 ++-----
 types/file.te                            |    3 +++
 types/network.te                         |    1 +
 47 files changed, 173 insertions(+), 63 deletions(-)

Index: policy-20050712.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050712.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20050712.patch	14 Jul 2005 20:13:04 -0000	1.4
+++ policy-20050712.patch	19 Jul 2005 21:12:00 -0000	1.5
@@ -24,6 +24,30 @@
  # The auth_write attribute identifies every domain that can have write or
  # relabel access to /etc/shadow, but does not grant it.
  attribute auth_write;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.2/domains/program/crond.te
+--- nsapolicy/domains/program/crond.te	2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.2/domains/program/crond.te	2005-07-15 15:18:28.000000000 -0400
+@@ -201,7 +201,7 @@
+ r_dir_file(system_crond_t, file_context_t)
+ can_getsecurity(system_crond_t)
+ }
+-allow system_crond_t removable_t:filesystem getattr;
++dontaudit system_crond_t removable_t:filesystem getattr;
+ #
+ # Required for webalizer
+ #
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.2/domains/program/fsadm.te
+--- nsapolicy/domains/program/fsadm.te	2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.2/domains/program/fsadm.te	2005-07-14 20:37:48.000000000 -0400
+@@ -102,7 +102,7 @@
+ allow fsadm_t kernel_t:system syslog_console;
+ 
+ # Access terminals.
+-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file rw_file_perms;
++allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+ ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
+ allow fsadm_t privfd:fd use;
+ allow fsadm_t devpts_t:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.2/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-05-07 00:41:08.000000000 -0400
 +++ policy-1.25.2/domains/program/ifconfig.te	2005-07-12 16:12:07.000000000 -0400
@@ -59,6 +83,18 @@
  ;
  role system_r types insmod_t;
  role sysadm_r types insmod_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.2/domains/program/unused/apmd.te
+--- nsapolicy/domains/program/unused/apmd.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.2/domains/program/unused/apmd.te	2005-07-15 08:35:23.000000000 -0400
+@@ -23,7 +23,7 @@
+ allow apm_t device_t:dir search;
+ allow apm_t self:capability { dac_override sys_admin };
+ allow apm_t proc_t:dir search;
+-allow apm_t proc_t:file { read getattr };
++allow apm_t proc_t:file r_file_perms;
+ allow apm_t fs_t:filesystem getattr;
+ allow apm_t apm_bios_t:chr_file rw_file_perms;
+ role sysadm_r types apm_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.2/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-04-27 10:28:50.000000000 -0400
 +++ policy-1.25.2/domains/program/unused/cvs.te	2005-07-14 06:46:19.000000000 -0400
@@ -87,6 +123,17 @@
  create_dir_file(cyrus_t, mail_spool_t)
 +allow cyrus_t var_spool_t:dir search;
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.2/domains/program/unused/hald.te
+--- nsapolicy/domains/program/unused/hald.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.2/domains/program/unused/hald.te	2005-07-15 13:51:11.000000000 -0400
+@@ -96,3 +96,7 @@
+ allow unconfined_t hald_t:dbus send_msg;
+ allow hald_t unconfined_t:dbus send_msg;
+ ')
++ifdef(`mount.te', `
++domain_auto_trans(hald_t, mount_exec_t, mount_t)
++')
++
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.25.2/domains/program/unused/lvm.te
 --- nsapolicy/domains/program/unused/lvm.te	2005-05-25 11:28:10.000000000 -0400
 +++ policy-1.25.2/domains/program/unused/lvm.te	2005-07-14 10:19:48.000000000 -0400
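Review bot: The new `domain_auto_trans(hald_t, mount_exec_t, mount_t)` hands a hardware-detection daemon a transition into the mount domain with no comment saying why; the only rationale on this page is the spec changelog line "Allow hald to run umount". A one-line comment above the ifdef, `# hald needs to run umount (see 1.25.2-6 changelog)`, would keep the reason next to the rule, since mount_t is a privileged domain and later reviewers will want to know the transition is intentional. The `ifdef(`mount.te'` guard looks right, presumably because mount_t is only defined when mount.te is built — worth confirming.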
@@ -154,8 +201,8 @@
  domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.2/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.2/domains/program/unused/pppd.te	2005-07-14 11:19:52.000000000 -0400
-@@ -102,3 +102,22 @@
++++ policy-1.25.2/domains/program/unused/pppd.te	2005-07-15 15:37:15.000000000 -0400
+@@ -102,3 +102,31 @@
  allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
  allow pppd_t initrc_var_run_t:file r_file_perms;
  dontaudit pppd_t initrc_var_run_t:file { lock write };
@@ -167,17 +214,26 @@
 +domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
 +')
 +}
++
 +daemon_domain(pptp)
 +can_network_client_tcp(pptp_t)
 +allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
 +can_exec(pptp_t, hostname_exec_t)
 +domain_auto_trans(pppd_t, pptp_exec_t, pptp_t)
 +allow pptp_t self:rawip_socket create_socket_perms;
-+allow pptp_t self:unix_stream_socket create_stream_socket_perms;
++allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
++allow pptp_t self:unix_dgram_socket create_socket_perms;
 +can_exec(pptp_t, pppd_etc_rw_t)
 +allow pptp_t devpts_t:chr_file ioctl;
 +r_dir_file(pptp_t, pppd_etc_rw_t)
 +r_dir_file(pptp_t, pppd_etc_t)
++allow pptp_t devpts_t:dir search;
++allow pppd_t devpts_t:chr_file ioctl;
++allow pppd_t pptp_t:process signal;
++allow pptp_t self:capability net_raw;
++allow pptp_t self:fifo_file { read write };
++allow pptp_t ptmx_t:chr_file rw_file_perms;
++log_domain(pptp)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.2/domains/program/unused/radvd.te
 --- nsapolicy/domains/program/unused/radvd.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.2/domains/program/unused/radvd.te	2005-07-12 16:12:07.000000000 -0400
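Review bot: The lines appended to the pptp block (`net_raw` capability, `rw_file_perms` on `ptmx_t`, `connectto` on its own unix stream socket, `pppd_t` signalling `pptp_t`) carry no comment explaining what pptp does that needs them, and `net_raw` plus the existing `rawip_socket` rule is the kind of grant a later reviewer will question. A short comment before them, such as `# pptp speaks GRE over a raw socket and hands pppd a pty`, would document the intent; I am inferring that purpose from the rules, so confirm it before writing it. The pptp block itself starts before this hunk, so the full set of grants is not visible here.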
@@ -267,8 +323,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.2/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.2/domains/program/unused/udev.te	2005-07-14 10:18:33.000000000 -0400
-@@ -28,7 +28,7 @@
++++ policy-1.25.2/domains/program/unused/udev.te	2005-07-14 20:36:53.000000000 -0400
+@@ -28,11 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
  file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
@@ -277,7 +333,12 @@
  allow udev_t self:file { getattr read };
  allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
  allow udev_t self:unix_dgram_socket create_socket_perms;
-@@ -53,7 +53,7 @@
+ allow udev_t self:fifo_file rw_file_perms;
++allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
+ allow udev_t device_t:file { unlink rw_file_perms };
+ allow udev_t device_t:sock_file create_file_perms;
+ allow udev_t device_t:lnk_file create_lnk_perms;
+@@ -53,7 +54,7 @@
  allow udev_t bin_t:lnk_file read;
  can_exec(udev_t, { shell_exec_t bin_t sbin_t etc_t } )
  can_exec(udev_t, udev_exec_t)
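Review bot: The added `allow udev_t self:netlink_kobject_uevent_socket { create bind read }; ` line has trailing whitespace after the semicolon; it should be `allow udev_t self:netlink_kobject_uevent_socket { create bind read };`. The rule itself is reasonable for udev, which receives kernel uevents over that socket class, and the renumbered `@@ -53,7 +54,7 @@` header is consistent with one inserted line.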
@@ -400,6 +461,88 @@
  
  # needs more work
  genfscon eventpollfs / system_u:object_r:eventpollfs_t
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.25.2/macros/admin_macros.te
+--- nsapolicy/macros/admin_macros.te	2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.2/macros/admin_macros.te	2005-07-15 15:14:01.000000000 -0400
+@@ -32,6 +32,7 @@
+ 
+ # Inherit rules for ordinary users.
+ base_user_domain($1)
++access_removable_media($1_t)
+ 
+ allow $1_t self:capability setuid;
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.2/macros/base_user_macros.te
+--- nsapolicy/macros/base_user_macros.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.2/macros/base_user_macros.te	2005-07-15 15:12:55.000000000 -0400
+@@ -101,18 +101,6 @@
+ r_dir_file($1_t, default_context_t)
+ r_dir_file($1_t, file_context_t)
+ 
+-can_exec($1_t, { removable_t noexattrfile } )
+-if (user_rw_noexattrfile) {
+-create_dir_file($1_t, noexattrfile)
+-create_dir_file($1_t, removable_t)
+-# Write floppies 
+-allow $1_t removable_device_t:blk_file rw_file_perms;
+-allow $1_t usbtty_device_t:chr_file write;
+-} else {
+-r_dir_file($1_t, noexattrfile)
+-r_dir_file($1_t, removable_t)
+-allow $1_t removable_device_t:blk_file r_file_perms;
+-}
+ allow $1_t usbtty_device_t:chr_file read;
+ 
+ # GNOME checks for usb and other devices
+@@ -342,7 +330,6 @@
+ 
+ # Get attributes of file systems.
+ allow $1_t fs_type:filesystem getattr;
+-allow $1_t removable_t:filesystem getattr;
+ 
+ # Read and write /dev/tty and /dev/null.
+ allow $1_t devtty_t:chr_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/content_macros.te policy-1.25.2/macros/content_macros.te
+--- nsapolicy/macros/content_macros.te	2005-07-05 15:25:48.000000000 -0400
++++ policy-1.25.2/macros/content_macros.te	2005-07-15 15:17:57.000000000 -0400
+@@ -55,7 +55,10 @@
+ ifelse($3, `', `', 
+ `if ($3_read_content) {')
+ allow $1 { tmp_t home_root_t $2_home_dir_t }:dir { read getattr search };
+-r_dir_file($1, { removable_t $2_tmp_t $2_home_t } )
++r_dir_file($1, { $2_tmp_t $2_home_t } )
++ifdef(`mls_policy', `', `
++r_dir_file($1, removable_t)
++')
+ 
+ ifelse($3, `', `', 
+ `} else {
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.2/macros/global_macros.te
+--- nsapolicy/macros/global_macros.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.2/macros/global_macros.te	2005-07-15 15:12:42.000000000 -0400
+@@ -708,3 +708,22 @@
+ ')
+ 
+ ')dnl end unconfined_domain
++
++
++define(`access_removable_media', `
++
++can_exec($1, { removable_t noexattrfile } )
++if (user_rw_noexattrfile) {
++create_dir_file($1, noexattrfile)
++create_dir_file($1, removable_t)
++# Write floppies 
++allow $1 removable_device_t:blk_file rw_file_perms;
++allow $1 usbtty_device_t:chr_file write;
++} else {
++r_dir_file($1, noexattrfile)
++r_dir_file($1, removable_t)
++allow $1 removable_device_t:blk_file r_file_perms;
++}
++allow $1 removable_t:filesystem getattr;
++
++')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.2/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.2/macros/program/chkpwd_macros.te	2005-07-12 16:12:07.000000000 -0400
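Review bot: The `access_removable_media($1_t)` call added to admin_macros.te is unconditional, while the same call in user_macros.te (next hunk) and the `r_dir_file($1, removable_t)` in content_macros.te here are wrapped in `ifdef(`mls_policy', `', ...)`; if the changelog's "Don't allow users to use removable_t for mls policy" is meant to cover admin users too, the admin_macros call needs the same guard, and if admins are deliberately exempt a comment saying so would prevent the next reader from "fixing" it. The new `access_removable_media` macro in global_macros.te also has no header comment; something like `# access_removable_media(type): exec/read removable_t and noexattrfile; rw when user_rw_noexattrfile is set` above the define would match the other macros in that file. The moved rules otherwise match the lines removed from base_user_macros.te, with `$1_t` replaced by `$1`.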
@@ -413,6 +556,127 @@
  ', `
  domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
  allow $1_t sbin_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.2/macros/program/evolution_macros.te
+--- nsapolicy/macros/program/evolution_macros.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.2/macros/program/evolution_macros.te	2005-07-14 21:21:49.000000000 -0400
+@@ -168,12 +168,9 @@
+ domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
+ role $1_r types $1_evolution_t;
+ 
+-# X, mail, evolution, Dbus common stuff 
++# X, mail, evolution common stuff 
+ x_client_domain($1_evolution, $1)
+ mail_client_domain($1_evolution, $1)
+-dbusd_client(system, $1_evolution)
+-dbusd_client($1, $1_evolution)
+-allow $1_evolution_t $1_dbusd_t:dbus send_msg;
+ gnome_file_dialog($1_evolution, $1)
+ evolution_common($1_evolution, $1)
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gconf_macros.te policy-1.25.2/macros/program/gconf_macros.te
+--- nsapolicy/macros/program/gconf_macros.te	2005-07-05 15:25:49.000000000 -0400
++++ policy-1.25.2/macros/program/gconf_macros.te	2005-07-14 21:21:38.000000000 -0400
+@@ -33,6 +33,7 @@
+ 
+ ifdef(`xdm.te', `
+ can_pipe_xdm($1_gconfd_t)
++allow xdm_t $1_gconfd_t:process signal;
+ ')
+ 
+ ') dnl gconf_domain
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gnome_vfs_macros.te policy-1.25.2/macros/program/gnome_vfs_macros.te
+--- nsapolicy/macros/program/gnome_vfs_macros.te	2005-07-05 15:25:49.000000000 -0400
++++ policy-1.25.2/macros/program/gnome_vfs_macros.te	2005-07-14 21:21:28.000000000 -0400
+@@ -16,6 +16,11 @@
+ # GNOME, dbus
+ gnome_application($1_gnome_vfs, $1)
+ dbusd_client(system, $1_gnome_vfs)
++allow $1_gnome_vfs_t system_dbusd_t:dbus send_msg;
++ifdef(`hald.te', `
++allow $1_gnome_vfs_t hald_t:dbus send_msg;
++allow hald_t $1_gnome_vfs_t:dbus send_msg;
++')
+ 
+ # Transition from user type
+ domain_auto_trans($1_t, gnome_vfs_exec_t, $1_gnome_vfs_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.2/macros/program/mail_client_macros.te
+--- nsapolicy/macros/program/mail_client_macros.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.2/macros/program/mail_client_macros.te	2005-07-14 21:20:48.000000000 -0400
+@@ -50,5 +50,12 @@
+ can_exec($1_t, shell_exec_t)
+ domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
+ ') 
+-
++ifdef(`dbusd.te', `
++dbusd_client(system, $1)
++dbusd_client($2, $1)
++allow $1_t $2_dbusd_t:dbus send_msg;
++ifdef(`cups.te', `
++allow cupsd_t $1_t:dbus send_msg;
++') 
++') 
+ ')
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.2/macros/program/mozilla_macros.te
+--- nsapolicy/macros/program/mozilla_macros.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.2/macros/program/mozilla_macros.te	2005-07-14 21:16:53.000000000 -0400
+@@ -130,6 +130,10 @@
+ domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
+ ') dnl if evolution.te
+ 
++ifdef(`thunderbird.te', `
++domain_auto_trans($1_mozilla_t, thunderbird_exec_t, $1_thunderbird_t)
++') dnl if evolution.te
++
+ if (allow_execmem) {
+ allow $1_mozilla_t self:process execmem;
+ }
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.2/macros/program/thunderbird_macros.te
+--- nsapolicy/macros/program/thunderbird_macros.te	2005-07-05 15:25:49.000000000 -0400
++++ policy-1.25.2/macros/program/thunderbird_macros.te	2005-07-14 21:16:34.000000000 -0400
+@@ -42,6 +42,8 @@
+ x_client_domain($1_thunderbird, $1)
+ mail_client_domain($1_thunderbird, $1)
+ 
++allow $1_thunderbird_t fs_t:filesystem getattr;
++
+ # GNOME support
+ ifdef(`gnome.te', `
+ gnome_application($1_thunderbird, $1)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.25.2/macros/user_macros.te
+--- nsapolicy/macros/user_macros.te	2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.2/macros/user_macros.te	2005-07-15 15:15:31.000000000 -0400
+@@ -102,6 +102,9 @@
+ ')
+ 
+ base_user_domain($1)
++ifdef(`mls_policy', `', `
++access_removable_media($1_t)
++')
+ 
+ # do not allow privhome access to sysadm_home_dir_t
+ file_type_auto_trans(privhome, $1_home_dir_t, $1_home_t)
+@@ -304,21 +307,6 @@
+ dontaudit $1_t init_t:fd use;
+ dontaudit $1_t initrc_t:fd use;
+ allow $1_t initrc_t:fifo_file write;
+-ifdef(`user_can_mount', `
+-#
+-#  Allow users to mount file systems like floppies and cdrom
+-#
+-mount_domain($1, $1_mount, `, fs_domain')
+-r_dir_file($1_t, mnt_t)
+-allow $1_mount_t device_t:lnk_file read;
+-allow $1_mount_t removable_device_t:blk_file read;
+-allow $1_mount_t iso9660_t:filesystem relabelfrom;
+-allow $1_mount_t removable_t:filesystem { mount relabelto };
+-allow $1_mount_t removable_t:dir mounton;
+-ifdef(`xdm.te', `
+-can_pipe_xdm($1_mount_t)
+-')
+-')
+ 
+ #
+ # Rules used to associate a homedir as a mountpoint
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.2/net_contexts
 --- nsapolicy/net_contexts	2005-07-12 08:50:42.000000000 -0400
 +++ policy-1.25.2/net_contexts	2005-07-14 10:20:24.000000000 -0400
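Review bot: The closing marker on the new thunderbird block in mozilla_macros.te reads `') dnl if evolution.te`, a copy of the preceding block; it should be `') dnl if thunderbird.te`. Separately, moving the `dbusd_client` rules from evolution_macros.te into `mail_client_domain` means every caller of that macro (thunderbird via `mail_client_domain($1_thunderbird, $1)`, and any others not on this page) now gets D-Bus client access and, under `cups.te`, may receive messages from cupsd_t — a comment in mail_client_macros.te noting that this is intended for all mail clients would make the widening explicit.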
@@ -467,17 +731,18 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.2/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.25.2/tunables/tunable.tun	2005-07-12 16:12:07.000000000 -0400
-@@ -2,7 +2,7 @@
- dnl define(`user_can_mount')
- 
++++ policy-1.25.2/tunables/tunable.tun	2005-07-15 15:20:57.000000000 -0400
+@@ -1,8 +1,5 @@
+-# Allow users to execute the mount command
+-dnl define(`user_can_mount')
+-
  # Allow rpm to run unconfined.
 -dnl define(`unlimitedRPM')
 +define(`unlimitedRPM')
  
  # Allow privileged utilities like hotplug and insmod to run unconfined.
  dnl define(`unlimitedUtils')
-@@ -20,7 +20,7 @@
+@@ -20,7 +17,7 @@
  
  # Do not audit things that we know to be broken but which
  # are not security risks
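Review bot: Removing the `user_can_mount` tunable from tunable.tun together with the `ifdef(`user_can_mount'` block in user_macros.te (previous hunk) drops a user-visible option, but neither changelog entry in this commit mentions it. If any other policy file still wraps rules in `ifdef(`user_can_mount', ...)`, those rules become dead silently rather than failing the build; I cannot see the rest of the tree here, so worth a grep. A changelog line such as `- Remove user_can_mount tunable and the per-user mount domain` would document the change.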


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.353
retrieving revision 1.354
diff -u -r1.353 -r1.354
--- selinux-policy-strict.spec	14 Jul 2005 20:23:45 -0000	1.353
+++ selinux-policy-strict.spec	19 Jul 2005 21:12:00 -0000	1.354
@@ -10,8 +10,8 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.25.2
-Release: 5
+Version: 1.25.3
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -20,7 +20,7 @@
 Source3: selinux.csh
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050712.patch
+Patch: policy-20050719.patch
 
 BuildArch: noarch
 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
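Review bot: `Patch: policy-20050719.patch` names a file this commit does not add — the Modified Files list covers only .cvsignore, policy-20050712.patch, the spec and sources, and the patch edits in this commit go into policy-20050712.patch. Unless policy-20050719.patch is added in a separate commit, the build will fail at `%setup`/`%patch` on the missing file; either keep `Patch: policy-20050712.patch` or rename the patch file in the same commit.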
@@ -229,6 +229,13 @@
 exit 0
 
 %changelog
+* Tue Jul 19 2005 Dan Walsh <dwalsh redhat com> 1.25.3-1
+- Update to latest from NSA
+
+* Fri Jul 15 2005 Dan Walsh <dwalsh redhat com> 1.25.2-6
+- Allow hald to run umount
+- Don't allow users to use removable_t for mls policy
+
 * Thu Jul 14 2005 Dan Walsh <dwalsh redhat com> 1.25.2-5
 - Fixup cyrus to read mail spool
 - Fix vpnc.te, NetworkManager and others for strict policy


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/sources,v
retrieving revision 1.124
retrieving revision 1.125
diff -u -r1.124 -r1.125
--- sources	12 Jul 2005 19:16:56 -0000	1.124
+++ sources	19 Jul 2005 21:12:00 -0000	1.125
@@ -1 +1,2 @@
 35e8a874205a05efeb2b298b48dd8b8b  policy-1.25.2.tgz
+96fe67362d3c09e3d9bf909ab11ea9ba  policy-1.25.3.tgz

