[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/selinux-policy-strict/devel policy-20050719.patch, 1.5, 1.6 selinux-policy-strict.spec, 1.361, 1.362



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3874

Modified Files:
	policy-20050719.patch selinux-policy-strict.spec 
Log Message:
* Thu Jul 28 2005 Dan Walsh <dwalsh redhat com> 1.25.3-8
- Fixes for cups, hwclock, system_passwd, samba_net


policy-20050719.patch:
 domains/program/crond.te                 |    5 ++-
 domains/program/fsadm.te                 |    2 -
 domains/program/getty.te                 |    2 -
 domains/program/hostname.te              |    1 
 domains/program/ifconfig.te              |    3 +-
 domains/program/initrc.te                |    2 -
 domains/program/modutil.te               |    2 -
 domains/program/passwd.te                |    2 -
 domains/program/restorecon.te            |    1 
 domains/program/unused/NetworkManager.te |    8 +++++
 domains/program/unused/alsa.te           |    7 +++-
 domains/program/unused/apache.te         |    3 ++
 domains/program/unused/apmd.te           |    2 -
 domains/program/unused/certwatch.te      |   11 +++++++
 domains/program/unused/cups.te           |    1 
 domains/program/unused/cvs.te            |    9 ++++++
 domains/program/unused/cyrus.te          |   11 ++++++-
 domains/program/unused/evolution.te      |    1 
 domains/program/unused/firstboot.te      |    7 ----
 domains/program/unused/ftpd.te           |    8 +----
 domains/program/unused/hald.te           |    5 +++
 domains/program/unused/hotplug.te        |    3 +-
 domains/program/unused/hwclock.te        |    1 
 domains/program/unused/ipsec.te          |    7 ++--
 domains/program/unused/kudzu.te          |    5 ++-
 domains/program/unused/lvm.te            |    2 -
 domains/program/unused/mta.te            |    4 +-
 domains/program/unused/mysqld.te         |    1 
 domains/program/unused/pamconsole.te     |    2 -
 domains/program/unused/ping.te           |    7 ++--
 domains/program/unused/postgresql.te     |    5 ++-
 domains/program/unused/pppd.te           |   32 ++++++++++++++++++++++
 domains/program/unused/rlogind.te        |    1 
 domains/program/unused/rpm.te            |    3 +-
 domains/program/unused/rsync.te          |    4 ++
 domains/program/unused/samba.te          |    5 ++-
 domains/program/unused/slocate.te        |    4 ++
 domains/program/unused/squid.te          |    1 
 domains/program/unused/thunderbird.te    |    1 
 domains/program/unused/udev.te           |    5 ++-
 domains/program/unused/vpnc.te           |   15 ++++++++--
 domains/program/unused/winbind.te        |    1 
 domains/program/useradd.te               |    1 
 file_contexts/distros.fc                 |    6 ++++
 file_contexts/program/certwatch.fc       |    3 ++
 file_contexts/program/cups.fc            |    1 
 file_contexts/program/kudzu.fc           |    1 
 file_contexts/program/postgresql.fc      |    4 ++
 file_contexts/program/pppd.fc            |   15 ++++++----
 file_contexts/program/vpnc.fc            |    1 
 file_contexts/types.fc                   |    4 +-
 genfs_contexts                           |    3 ++
 macros/admin_macros.te                   |    1 
 macros/base_user_macros.te               |   13 --------
 macros/content_macros.te                 |    5 ++-
 macros/global_macros.te                  |   45 +++++++++++++++++++++++++++++++
 macros/network_macros.te                 |    6 ++--
 macros/program/apache_macros.te          |    3 +-
 macros/program/cdrecord_macros.te        |   17 ++++-------
 macros/program/chkpwd_macros.te          |   17 +----------
 macros/program/ethereal_macros.te        |    7 ++--
 macros/program/evolution_macros.te       |    9 ++----
 macros/program/gconf_macros.te           |    1 
 macros/program/gnome_vfs_macros.te       |    6 ++++
 macros/program/mail_client_macros.te     |   13 +++++++-
 macros/program/mozilla_macros.te         |    6 +++-
 macros/program/su_macros.te              |    8 ++++-
 macros/program/thunderbird_macros.te     |   14 +++++----
 macros/user_macros.te                    |   18 ++----------
 net_contexts                             |    9 ------
 targeted/domains/program/crond.te        |    9 ++++--
 tunables/distro.tun                      |    2 -
 tunables/tunable.tun                     |    7 +---
 types/file.te                            |   10 ++++++
 types/network.te                         |   10 ------
 75 files changed, 316 insertions(+), 161 deletions(-)

Index: policy-20050719.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050719.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20050719.patch	27 Jul 2005 14:47:40 -0000	1.5
+++ policy-20050719.patch	28 Jul 2005 15:52:50 -0000	1.6
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.3/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/crond.te	2005-07-27 07:49:23.000000000 -0400
++++ policy-1.25.3/domains/program/crond.te	2005-07-27 13:44:47.000000000 -0400
 @@ -201,11 +201,14 @@
  r_dir_file(system_crond_t, file_context_t)
  can_getsecurity(system_crond_t)
@@ -16,7 +16,7 @@
  ')
  dontaudit crond_t self:capability sys_tty_config;
 +# Needed for certwatch
-+r_dir_file(system_crond_t, cert_t)
++can_exec(system_crond_t, httpd_modules_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.3/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-07-06 17:15:06.000000000 -0400
 +++ policy-1.25.3/domains/program/fsadm.te	2005-07-19 15:41:44.000000000 -0400
@@ -41,6 +41,14 @@
  domain_auto_trans(getty_t, login_exec_t, local_login_t)
  
  # Write to /var/run/utmp.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.3/domains/program/hostname.te
+--- nsapolicy/domains/program/hostname.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.25.3/domains/program/hostname.te	2005-07-27 14:19:20.000000000 -0400
+@@ -25,3 +25,4 @@
+ allow hostname_t tmpfs_t:chr_file rw_file_perms;
+ ')
+ allow hostname_t initrc_devpts_t:chr_file { read write };
++allow hostname_t initrc_t:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.3/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-07-19 10:57:05.000000000 -0400
 +++ policy-1.25.3/domains/program/ifconfig.te	2005-07-21 17:03:56.000000000 -0400
@@ -57,7 +65,7 @@
  allow ifconfig_t { kernel_t init_t }:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.3/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/initrc.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/initrc.te	2005-07-28 11:23:05.000000000 -0400
 @@ -123,7 +123,7 @@
  allow initrc_t file_t:dir { read search getattr mounton };
  
@@ -79,6 +87,16 @@
  ;
  role system_r types insmod_t;
  role sysadm_r types insmod_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.3/domains/program/passwd.te
+--- nsapolicy/domains/program/passwd.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/passwd.te	2005-07-28 11:43:13.000000000 -0400
+@@ -152,5 +152,5 @@
+ 
+ ifdef(`targeted_policy', `
+ role system_r types sysadm_passwd_t;
+-allow sysadm_passwd_t devpts_t:chr_file { read write };
++allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+ ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.25.3/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-07-06 17:15:06.000000000 -0400
 +++ policy-1.25.3/domains/program/restorecon.te	2005-07-20 20:51:57.000000000 -0400
@@ -90,6 +108,27 @@
  
  allow restorecon_t etc_runtime_t:file { getattr read };
  allow restorecon_t etc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.3/domains/program/unused/alsa.te
+--- nsapolicy/domains/program/unused/alsa.te	2005-07-05 15:25:45.000000000 -0400
++++ policy-1.25.3/domains/program/unused/alsa.te	2005-07-27 16:00:20.000000000 -0400
+@@ -6,12 +6,15 @@
+ type alsa_t, domain, privlog, daemon;
+ type alsa_exec_t, file_type, sysadmfile, exec_type;
+ uses_shlib(alsa_t)
+-allow alsa_t self:sem  create_sem_perms;
+-allow alsa_t self:shm  create_shm_perms;
++allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
++allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
+ allow alsa_t self:unix_stream_socket create_stream_socket_perms;
++allow alsa_t self:unix_dgram_socket create_socket_perms;
+ type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
+ rw_dir_create_file(alsa_t,alsa_etc_rw_t)
+ allow alsa_t self:capability { setgid setuid ipc_owner };
+ allow alsa_t devpts_t:chr_file { read write };
+ allow alsa_t etc_t:file { getattr read };
+ domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
++role system_r types alsa_t;
++read_locale(alsa_t) 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.3/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/apache.te	2005-07-25 11:04:03.000000000 -0400
@@ -117,8 +156,8 @@
  role sysadm_r types apm_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.3/domains/program/unused/certwatch.te
 --- nsapolicy/domains/program/unused/certwatch.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.3/domains/program/unused/certwatch.te	2005-07-27 07:49:33.000000000 -0400
-@@ -0,0 +1,13 @@
++++ policy-1.25.3/domains/program/unused/certwatch.te	2005-07-27 13:40:10.000000000 -0400
+@@ -0,0 +1,11 @@
 +#DESC certwatch - generate SSL certificate expiry warnings
 +#
 +# Domains for the certwatch process 
@@ -129,9 +168,18 @@
 +r_dir_file(certwatch_t, cert_t)
 +can_exec(certwatch_t, httpd_modules_t)
 +system_crond_entry(certwatch_exec_t, certwatch_t)
-+
-+
-+
++read_locale(certwatch_t) 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.3/domains/program/unused/cups.te
+--- nsapolicy/domains/program/unused/cups.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/cups.te	2005-07-28 11:47:11.000000000 -0400
+@@ -245,6 +245,7 @@
+ allow cupsd_config_t self:fifo_file rw_file_perms;
+ 
+ allow cupsd_config_t self:unix_stream_socket create_socket_perms;
++allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+ ifdef(`dbusd.te', `
+ dbusd_client(system, cupsd_config)
+ allow cupsd_config_t userdomain:dbus send_msg;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.3/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-04-27 10:28:50.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/cvs.te	2005-07-20 10:09:23.000000000 -0400
@@ -259,6 +307,14 @@
  allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
  
 +dontaudit hotplug_t selinux_config_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.3/domains/program/unused/hwclock.te
+--- nsapolicy/domains/program/unused/hwclock.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/hwclock.te	2005-07-28 11:40:17.000000000 -0400
+@@ -44,3 +44,4 @@
+ 
+ # for when /usr is not mounted
+ dontaudit hwclock_t file_t:dir search;
++allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.25.3/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-04-27 10:28:51.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/ipsec.te	2005-07-25 09:42:06.000000000 -0400
@@ -491,7 +547,7 @@
 +allow rlogind_t krb5_keytab_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.3/domains/program/unused/rpm.te
 --- nsapolicy/domains/program/unused/rpm.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/rpm.te	2005-07-26 09:08:15.000000000 -0400
++++ policy-1.25.3/domains/program/unused/rpm.te	2005-07-28 11:23:44.000000000 -0400
 @@ -114,7 +114,7 @@
  
  allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
@@ -501,6 +557,14 @@
  # policy for rpm scriptlet
  role system_r types rpm_script_t;
  uses_shlib(rpm_script_t)
+@@ -194,6 +194,7 @@
+ 
+ domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
+ domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
++role sysadm_r types initrc_t;
+ domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
+ ifdef(`bootloader.te', `
+ domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.3/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-04-27 10:28:52.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/rsync.te	2005-07-22 08:45:55.000000000 -0400
@@ -514,7 +578,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.3/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/samba.te	2005-07-27 09:18:11.000000000 -0400
++++ policy-1.25.3/domains/program/unused/samba.te	2005-07-27 11:13:01.000000000 -0400
 @@ -50,7 +50,7 @@
  can_ldap(smbd_t)
  can_kerberos(smbd_t)
@@ -532,6 +596,15 @@
  
  ifdef(`logrotate.te', `
  # the application should be changed
+@@ -189,6 +190,8 @@
+ ')
+ # Derive from app. domain. Transition from mount.
+ application_domain(samba_net, `, nscd_client_domain')
++role system_r types samba_net_t;
++in_user_role(samba_net_t)
+ file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+ read_locale(samba_net_t) 
+ allow samba_net_t samba_etc_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.3/domains/program/unused/slocate.te
 --- nsapolicy/domains/program/unused/slocate.te	2005-04-27 10:28:53.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/slocate.te	2005-07-21 09:07:15.000000000 -0400
@@ -692,6 +765,17 @@
 +# certwatch.fc
 +/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
 +
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.3/file_contexts/program/cups.fc
+--- nsapolicy/file_contexts/program/cups.fc	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/file_contexts/program/cups.fc	2005-07-28 11:18:01.000000000 -0400
+@@ -5,6 +5,7 @@
+ /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/client\.conf	--	system_u:object_r:etc_t
+ /etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
++/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kudzu.fc policy-1.25.3/file_contexts/program/kudzu.fc
 --- nsapolicy/file_contexts/program/kudzu.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.25.3/file_contexts/program/kudzu.fc	2005-07-25 09:51:13.000000000 -0400


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.361
retrieving revision 1.362
diff -u -r1.361 -r1.362
--- selinux-policy-strict.spec	27 Jul 2005 15:00:16 -0000	1.361
+++ selinux-policy-strict.spec	28 Jul 2005 15:52:50 -0000	1.362
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.3
-Release: 7
+Release: 8
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -236,6 +236,9 @@
 exit 0
 
 %changelog
+* Thu Jul 28 2005 Dan Walsh <dwalsh redhat com> 1.25.3-8
+- Fixes for cups, hwclock, system_passwd, samba_net
+
 * Wed Jul 27 2005 Dan Walsh <dwalsh redhat com> 1.25.3-7
 - Add certwatch.te
 - Allow smbd to connect to smbd_port_t


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]