[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/selinux-policy-strict/devel policy-20050719.patch, 1.4, 1.5 selinux-policy-strict.spec, 1.359, 1.360



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv28368

Modified Files:
	policy-20050719.patch selinux-policy-strict.spec 
Log Message:
* Wed Jul 27 2005 Dan Walsh <dwalsh redhat com> 1.25.3-6
- Add certwatch.te
- Allow smbd to connect to smbd_port_t
- Fix hugetlb and mqueue


policy-20050719.patch:
 domains/program/crond.te                 |    5 ++-
 domains/program/fsadm.te                 |    2 -
 domains/program/getty.te                 |    2 -
 domains/program/ifconfig.te              |    3 +-
 domains/program/initrc.te                |    2 -
 domains/program/modutil.te               |    2 -
 domains/program/restorecon.te            |    1 
 domains/program/unused/NetworkManager.te |    8 +++++
 domains/program/unused/apache.te         |    3 ++
 domains/program/unused/apmd.te           |    2 -
 domains/program/unused/certwatch.te      |   13 ++++++++
 domains/program/unused/cvs.te            |    9 ++++++
 domains/program/unused/cyrus.te          |   11 ++++++-
 domains/program/unused/evolution.te      |    1 
 domains/program/unused/firstboot.te      |    7 ----
 domains/program/unused/ftpd.te           |    8 +----
 domains/program/unused/hald.te           |    5 +++
 domains/program/unused/hotplug.te        |    3 +-
 domains/program/unused/ipsec.te          |    7 ++--
 domains/program/unused/kudzu.te          |    5 ++-
 domains/program/unused/lvm.te            |    2 -
 domains/program/unused/mta.te            |    4 +-
 domains/program/unused/mysqld.te         |    1 
 domains/program/unused/pamconsole.te     |    2 -
 domains/program/unused/ping.te           |    7 ++--
 domains/program/unused/postgresql.te     |    5 ++-
 domains/program/unused/pppd.te           |   32 ++++++++++++++++++++++
 domains/program/unused/rlogind.te        |    1 
 domains/program/unused/rpm.te            |    2 -
 domains/program/unused/rsync.te          |    4 ++
 domains/program/unused/samba.te          |    3 +-
 domains/program/unused/slocate.te        |    4 ++
 domains/program/unused/squid.te          |    1 
 domains/program/unused/thunderbird.te    |    1 
 domains/program/unused/udev.te           |    5 ++-
 domains/program/unused/vpnc.te           |   15 ++++++++--
 domains/program/unused/winbind.te        |    1 
 domains/program/useradd.te               |    1 
 file_contexts/distros.fc                 |    6 ++++
 file_contexts/program/certwatch.fc       |    3 ++
 file_contexts/program/kudzu.fc           |    1 
 file_contexts/program/postgresql.fc      |    4 ++
 file_contexts/program/pppd.fc            |   15 ++++++----
 file_contexts/program/vpnc.fc            |    1 
 file_contexts/types.fc                   |    4 +-
 genfs_contexts                           |    3 ++
 macros/admin_macros.te                   |    1 
 macros/base_user_macros.te               |   13 --------
 macros/content_macros.te                 |    5 ++-
 macros/global_macros.te                  |   45 +++++++++++++++++++++++++++++++
 macros/network_macros.te                 |    6 ++--
 macros/program/apache_macros.te          |    3 +-
 macros/program/cdrecord_macros.te        |   17 ++++-------
 macros/program/chkpwd_macros.te          |   17 +----------
 macros/program/ethereal_macros.te        |    7 ++--
 macros/program/evolution_macros.te       |    9 ++----
 macros/program/gconf_macros.te           |    1 
 macros/program/gnome_vfs_macros.te       |    6 ++++
 macros/program/mail_client_macros.te     |   13 +++++++-
 macros/program/mozilla_macros.te         |    6 +++-
 macros/program/su_macros.te              |    8 ++++-
 macros/program/thunderbird_macros.te     |   14 +++++----
 macros/user_macros.te                    |   18 ++----------
 net_contexts                             |    9 ------
 targeted/domains/program/crond.te        |    9 ++++--
 tunables/distro.tun                      |    2 -
 tunables/tunable.tun                     |    7 +---
 types/file.te                            |   10 ++++++
 types/network.te                         |   10 ------
 69 files changed, 305 insertions(+), 158 deletions(-)

Index: policy-20050719.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050719.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20050719.patch	25 Jul 2005 17:31:21 -0000	1.4
+++ policy-20050719.patch	27 Jul 2005 14:47:40 -0000	1.5
@@ -1,7 +1,7 @@
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.3/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/crond.te	2005-07-21 09:07:03.000000000 -0400
-@@ -201,11 +201,12 @@
++++ policy-1.25.3/domains/program/crond.te	2005-07-27 07:49:23.000000000 -0400
+@@ -201,11 +201,14 @@
  r_dir_file(system_crond_t, file_context_t)
  can_getsecurity(system_crond_t)
  }
@@ -15,6 +15,8 @@
 +allow system_crond_t httpd_modules_t:lnk_file read;
  ')
  dontaudit crond_t self:capability sys_tty_config;
++# Needed for certwatch
++r_dir_file(system_crond_t, cert_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.3/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-07-06 17:15:06.000000000 -0400
 +++ policy-1.25.3/domains/program/fsadm.te	2005-07-19 15:41:44.000000000 -0400
@@ -113,6 +115,23 @@
  allow apm_t fs_t:filesystem getattr;
  allow apm_t apm_bios_t:chr_file rw_file_perms;
  role sysadm_r types apm_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.3/domains/program/unused/certwatch.te
+--- nsapolicy/domains/program/unused/certwatch.te	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.3/domains/program/unused/certwatch.te	2005-07-27 07:49:33.000000000 -0400
+@@ -0,0 +1,13 @@
++#DESC certwatch - generate SSL certificate expiry warnings
++#
++# Domains for the certwatch process 
++# Authors:  Dan Walsh <dwalsh redhat com>,
++#
++application_domain(certwatch)
++role system_r types certwatch_t;
++r_dir_file(certwatch_t, cert_t)
++can_exec(certwatch_t, httpd_modules_t)
++system_crond_entry(certwatch_exec_t, certwatch_t)
++
++
++
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.3/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-04-27 10:28:50.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/cvs.te	2005-07-20 10:09:23.000000000 -0400
@@ -165,6 +184,30 @@
  
  # Everything else is in macros/evolution_macros.te
 +bool disable_evolution_trans false;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.3/domains/program/unused/firstboot.te
+--- nsapolicy/domains/program/unused/firstboot.te	2005-06-01 06:11:22.000000000 -0400
++++ policy-1.25.3/domains/program/unused/firstboot.te	2005-07-25 15:04:43.000000000 -0400
+@@ -57,9 +57,6 @@
+ # Allow write to utmp file
+ allow firstboot_t initrc_var_run_t:file write;
+ 
+-allow firstboot_t krb5_conf_t:file { getattr read };
+-allow firstboot_t net_conf_t:file { getattr read };
+-
+ ifdef(`samba.te', `
+ rw_dir_file(firstboot_t, samba_etc_t)
+ ')
+@@ -95,10 +92,6 @@
+ allow firstboot_t modules_conf_t:file { getattr read };
+ allow firstboot_t modules_dep_t:file { getattr read };
+ allow firstboot_t modules_object_t:dir search;
+-allow firstboot_t net_conf_t:file rw_file_perms;
+-allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
+-allow firstboot_t node_t:node { tcp_recv tcp_send };
+-
+ allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
+ allow firstboot_t proc_t:lnk_file read;
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.3/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/ftpd.te	2005-07-22 08:48:57.000000000 -0400
@@ -182,8 +225,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.3/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/hald.te	2005-07-19 15:41:44.000000000 -0400
-@@ -96,3 +96,7 @@
++++ policy-1.25.3/domains/program/unused/hald.te	2005-07-26 09:07:57.000000000 -0400
+@@ -47,6 +47,7 @@
+ allow hald_t printer_device_t:chr_file rw_file_perms;
+ allow hald_t urandom_device_t:chr_file read;
+ allow hald_t mouse_device_t:chr_file r_file_perms;
++allow hald_t device_type:chr_file getattr;
+ 
+ can_getsecurity(hald_t)
+ 
+@@ -96,3 +97,7 @@
  allow unconfined_t hald_t:dbus send_msg;
  allow hald_t unconfined_t:dbus send_msg;
  ')
@@ -340,7 +391,7 @@
  # for /var/run/console.lock checking
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.3/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/ping.te	2005-07-19 23:17:05.000000000 -0400
++++ policy-1.25.3/domains/program/unused/ping.te	2005-07-25 14:53:06.000000000 -0400
 @@ -17,6 +17,9 @@
  in_user_role(ping_t)
  type ping_exec_t, file_type, sysadmfile, exec_type;
@@ -359,6 +410,16 @@
  
  # Transition into this domain when you run this program.
  domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
+@@ -40,9 +44,6 @@
+ # Let ping create raw ICMP packets.
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+ 
+-allow ping_t netif_type:netif { rawip_send rawip_recv };
+-allow ping_t node_type:node { rawip_send rawip_recv };
+-
+ # Use capabilities.
+ allow ping_t self:capability { net_raw setuid };
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.25.3/domains/program/unused/postgresql.te
 --- nsapolicy/domains/program/unused/postgresql.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/postgresql.te	2005-07-20 14:30:01.000000000 -0400
@@ -422,12 +483,24 @@
 +domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.3/domains/program/unused/rlogind.te
 --- nsapolicy/domains/program/unused/rlogind.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/rlogind.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/unused/rlogind.te	2005-07-26 15:01:06.000000000 -0400
 @@ -35,3 +35,4 @@
  allow rlogind_t default_t:dir search;
  typealias rlogind_port_t alias rlogin_port_t;
  read_sysctl(rlogind_t);
-+allow rlogind_t krb5_keytab_t:file { getattr read };
++allow rlogind_t krb5_keytab_t:file r_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.3/domains/program/unused/rpm.te
+--- nsapolicy/domains/program/unused/rpm.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/rpm.te	2005-07-26 09:08:15.000000000 -0400
+@@ -114,7 +114,7 @@
+ 
+ allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
+ 
+-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
++type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
+ # policy for rpm scriptlet
+ role system_r types rpm_script_t;
+ uses_shlib(rpm_script_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.3/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-04-27 10:28:52.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/rsync.te	2005-07-22 08:45:55.000000000 -0400
@@ -441,7 +514,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.3/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/samba.te	2005-07-22 08:49:50.000000000 -0400
++++ policy-1.25.3/domains/program/unused/samba.te	2005-07-27 09:18:11.000000000 -0400
+@@ -50,7 +50,7 @@
+ can_ldap(smbd_t)
+ can_kerberos(smbd_t)
+ can_winbind(smbd_t)
+-allow smbd_t ipp_port_t:tcp_socket name_connect;
++allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
+ 
+ allow smbd_t urandom_device_t:chr_file { getattr read };
+ 
 @@ -79,6 +79,7 @@
  
  # Access Samba shares.
@@ -490,7 +572,7 @@
 +bool disable_thunderbird_trans false;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.3/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/udev.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/unused/udev.te	2005-07-26 09:08:06.000000000 -0400
 @@ -28,11 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
@@ -501,7 +583,7 @@
  allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
  allow udev_t self:unix_dgram_socket create_socket_perms;
  allow udev_t self:fifo_file rw_file_perms;
-+allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
++allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt }; 
  allow udev_t device_t:file { unlink rw_file_perms };
  allow udev_t device_t:sock_file create_file_perms;
  allow udev_t device_t:lnk_file create_lnk_perms;
@@ -603,6 +685,13 @@
  
  # Fedora Extras packages: ladspa, imlib2, ocaml
  /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/certwatch.fc policy-1.25.3/file_contexts/program/certwatch.fc
+--- nsapolicy/file_contexts/program/certwatch.fc	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.3/file_contexts/program/certwatch.fc	2005-07-27 07:49:50.000000000 -0400
+@@ -0,0 +1,3 @@
++# certwatch.fc
++/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
++
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kudzu.fc policy-1.25.3/file_contexts/program/kudzu.fc
 --- nsapolicy/file_contexts/program/kudzu.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.25.3/file_contexts/program/kudzu.fc	2005-07-25 09:51:13.000000000 -0400
@@ -675,12 +764,14 @@
  # /srv
 diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.25.3/genfs_contexts
 --- nsapolicy/genfs_contexts	2005-05-07 00:41:08.000000000 -0400
-+++ policy-1.25.3/genfs_contexts	2005-07-19 15:41:44.000000000 -0400
-@@ -92,6 +92,7 @@
++++ policy-1.25.3/genfs_contexts	2005-07-27 09:20:11.000000000 -0400
+@@ -92,6 +92,9 @@
  genfscon afs /				system_u:object_r:nfs_t
  
  genfscon debugfs /			system_u:object_r:debugfs_t
 +genfscon inotifyfs /			system_u:object_r:inotifyfs_t
++genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
++genfscon mqueue /			system_u:object_r:mqueue_t
  
  # needs more work
  genfscon eventpollfs / system_u:object_r:eventpollfs_t
@@ -742,7 +833,7 @@
  `} else {
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.3/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/global_macros.te	2005-07-22 08:47:35.000000000 -0400
++++ policy-1.25.3/macros/global_macros.te	2005-07-25 14:22:43.000000000 -0400
 @@ -595,6 +595,18 @@
  ')dnl end polyinstantiater
  
@@ -762,7 +853,7 @@
  # Define a domain that can do anything, so that it is
  # effectively unconfined by the SELinux policy.  This
  # means that it is only restricted by the normal Linux 
-@@ -708,3 +720,23 @@
+@@ -708,3 +720,36 @@
  ')
  
  ')dnl end unconfined_domain
@@ -786,6 +877,39 @@
 +
 +')
 +
++define(`authentication_domain', `
++can_ypbind($1)
++can_kerberos($1)
++can_ldap($1)
++can_resolve($1)
++ifdef(`winbind.te', `
++r_dir_file($1, winbind_var_run_t)
++')
++r_dir_file($1, cert_t)
++allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
++allow $1 self:capability { audit_write audit_control };
++dontaudit $1 shadow_t:file { getattr read };
++')
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.3/macros/network_macros.te
+--- nsapolicy/macros/network_macros.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/macros/network_macros.te	2005-07-25 14:53:19.000000000 -0400
+@@ -16,9 +16,7 @@
+ # Allow the domain to send or receive using any network interface.
+ # netif_type is a type attribute for all network interface types.
+ #
+-allow $1 netif_type:netif { $2_send rawip_send };
+-allow $1 netif_type:netif { $2_recv rawip_recv };
+-
++allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
+ #
+ # Allow the domain to send to or receive from any node.
+ # node_type is a type attribute for all node types.
+@@ -175,3 +173,5 @@
+ allow $1 winbind_var_run_t:sock_file { getattr read write };
+ ')
+ ')
++
++
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.3/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.3/macros/program/apache_macros.te	2005-07-22 08:51:23.000000000 -0400
@@ -842,9 +966,61 @@
 +allow $1_cdrecord_t $1_home_t:file r_file_perms;
  ')
  
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.3/macros/program/chkpwd_macros.te
+--- nsapolicy/macros/program/chkpwd_macros.te	2005-07-19 10:57:05.000000000 -0400
++++ policy-1.25.3/macros/program/chkpwd_macros.te	2005-07-25 14:22:52.000000000 -0400
+@@ -23,28 +23,15 @@
+ allow $1_chkpwd_t proc_t:file read;
+ 
+ can_getcon($1_chkpwd_t)
+-can_ypbind($1_chkpwd_t)
+-can_kerberos($1_chkpwd_t)
+-can_ldap($1_chkpwd_t)
+-can_resolve($1_chkpwd_t)
++authentication_domain($1_chkpwd_t)
+ 
+ ifelse($1, system, `
+ domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
+ allow auth_chkpwd sbin_t:dir search;
+ allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-allow auth_chkpwd self:capability { audit_write audit_control };
+ 
+ dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+-dontaudit auth_chkpwd shadow_t:file { getattr read };
+-can_ypbind(auth_chkpwd)
+-can_kerberos(auth_chkpwd)
+-can_ldap(auth_chkpwd)
+-ifdef(`winbind.te', `
+-r_dir_file(auth_chkpwd, winbind_var_run_t)
+-')
+-r_dir_file(auth_chkpwd, cert_t)
+-r_dir_file($1_chkpwd_t, cert_t)
+-allow $1_chkpwd_t { random_device_t urandom_device_t }:chr_file { getattr read };
++authentication_domain(auth_chkpwd)
+ ', `
+ domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+ allow $1_t sbin_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.25.3/macros/program/ethereal_macros.te
+--- nsapolicy/macros/program/ethereal_macros.te	2005-07-05 15:25:49.000000000 -0400
++++ policy-1.25.3/macros/program/ethereal_macros.te	2005-07-26 13:53:19.000000000 -0400
+@@ -38,11 +38,10 @@
+ role $1_r types $1_ethereal_t;
+ 
+ # Manual transition from userhelper 
+-# FIXME: Need to handle the fallback case, which requires userhelper support
+ ifdef(`userhelper.te', `
+-allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure };
+-allow sysadm_ethereal_t userhelperdomain:fd use;
+-allow sysadm_ethereal_t userhelperdomain:process sigchld;
++allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
++allow $1_ethereal_t userhelperdomain:fd use;
++allow $1_ethereal_t userhelperdomain:process sigchld;
+ ') dnl userhelper
+ 
+ # X, GNOME
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.3/macros/program/evolution_macros.te
 --- nsapolicy/macros/program/evolution_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/program/evolution_macros.te	2005-07-19 15:43:41.000000000 -0400
++++ policy-1.25.3/macros/program/evolution_macros.te	2005-07-26 14:10:04.000000000 -0400
 @@ -37,7 +37,9 @@
  type $1_evolution_server_t, domain, nscd_client_domain;
  
@@ -855,6 +1031,15 @@
  role $1_r types $1_evolution_server_t;
  
  # Evolution common stuff
+@@ -62,7 +64,7 @@
+ allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
+ 
+ # Look in /etc/pki
+-allow $1_evolution_server_t cert_t:dir r_dir_perms;
++r_dir_file($1_evolution_server_t, cert_t)
+ 
+ ') dnl evolution_data_server
+ 
 @@ -168,12 +170,9 @@
  domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
  role $1_r types $1_evolution_t;
@@ -948,6 +1133,25 @@
  }
  allow $1_mozilla_t texrel_shlib_t:file execmod;
  
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.25.3/macros/program/su_macros.te
+--- nsapolicy/macros/program/su_macros.te	2005-05-25 11:28:11.000000000 -0400
++++ policy-1.25.3/macros/program/su_macros.te	2005-07-25 14:18:04.000000000 -0400
+@@ -23,9 +23,13 @@
+ 
+ define(`su_restricted_domain', `
+ # Derived domain based on the calling user domain and the program.
+-ifdef(`support_polyinstantiation', `
+-type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;',`
+ type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
++ifdef(`support_polyinstantiation', `
++typeattribute $1_su_t mlsfileread;
++typeattribute $1_su_t mlsfilewrite;
++typeattribute $1_su_t mlsfileupgrade;
++typeattribute $1_su_t mlsfiledowngrade;
++typeattribute $1_su_t mlsprocsetsl;
+ ')
+ 
+ # for SSP
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.3/macros/program/thunderbird_macros.te
 --- nsapolicy/macros/program/thunderbird_macros.te	2005-07-05 15:25:49.000000000 -0400
 +++ policy-1.25.3/macros/program/thunderbird_macros.te	2005-07-19 15:42:51.000000000 -0400
@@ -1028,7 +1232,7 @@
  # Rules used to associate a homedir as a mountpoint
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.3/net_contexts
 --- nsapolicy/net_contexts	2005-07-12 08:50:42.000000000 -0400
-+++ policy-1.25.3/net_contexts	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/net_contexts	2005-07-25 14:45:47.000000000 -0400
 @@ -45,6 +45,7 @@
  portcon tcp 465 system_u:object_r:smtp_port_t
  portcon tcp 587 system_u:object_r:smtp_port_t
@@ -1037,6 +1241,21 @@
  portcon udp 53 system_u:object_r:dns_port_t
  portcon tcp 53 system_u:object_r:dns_port_t
  
+@@ -222,14 +223,6 @@
+ #
+ # interface netif_context default_msg_context
+ #
+-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
+-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
+-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
+-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
+-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
+-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
+-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
+-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
+ 
+ # Nodes (default = initial SID "node")
+ #
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.25.3/targeted/domains/program/crond.te
 --- nsapolicy/targeted/domains/program/crond.te	2005-06-29 16:36:19.000000000 -0400
 +++ policy-1.25.3/targeted/domains/program/crond.te	2005-07-19 15:41:44.000000000 -0400
@@ -1136,7 +1355,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.3/types/network.te
 --- nsapolicy/types/network.te	2005-07-12 08:50:44.000000000 -0400
-+++ policy-1.25.3/types/network.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/types/network.te	2005-07-25 14:47:17.000000000 -0400
 @@ -22,6 +22,7 @@
  type http_port_t, port_type, reserved_port_type;
  type ipp_port_t, port_type, reserved_port_type;
@@ -1145,3 +1364,19 @@
  
  allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
  type pop_port_t, port_type, reserved_port_type;
+@@ -73,15 +74,6 @@
+ # interfaces in net_contexts or net_contexts.mls.
+ #
+ type netif_t, netif_type;
+-type netif_eth0_t, netif_type;
+-type netif_eth1_t, netif_type;
+-type netif_eth2_t, netif_type;
+-type netif_lo_t, netif_type;
+-type netif_ippp0_t, netif_type;
+-
+-type netif_ipsec0_t, netif_type;
+-type netif_ipsec1_t, netif_type;
+-type netif_ipsec2_t, netif_type;
+ 
+ #
+ # node_t is the default type of network nodes.


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.359
retrieving revision 1.360
diff -u -r1.359 -r1.360
--- selinux-policy-strict.spec	25 Jul 2005 17:51:31 -0000	1.359
+++ selinux-policy-strict.spec	27 Jul 2005 14:47:40 -0000	1.360
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.3
-Release: 5
+Release: 6
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -236,6 +236,11 @@
 exit 0
 
 %changelog
+* Wed Jul 27 2005 Dan Walsh <dwalsh redhat com> 1.25.3-6
+- Add certwatch.te
+- Allow smbd to connect to smbd_port_t
+- Fix hugetlb and mqueue
+
 * Mon Jul 25 2005 Dan Walsh <dwalsh redhat com> 1.25.3-5
 - Fix cyrus
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]