rpms/selinux-policy-targeted/devel policy-20050719.patch, 1.5, 1.6 selinux-policy-targeted.spec, 1.356, 1.357
fedora-cvs-commits at redhat.com
Thu Jul 28 15:52:59 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3923
Modified Files:
policy-20050719.patch selinux-policy-targeted.spec
Log Message:
* Thu Jul 28 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-8
- Fixes for cups, hwclock, system_passwd, samba_net
policy-20050719.patch:
domains/program/crond.te | 5 ++-
domains/program/fsadm.te | 2 -
domains/program/getty.te | 2 -
domains/program/hostname.te | 1
domains/program/ifconfig.te | 3 +-
domains/program/initrc.te | 2 -
domains/program/modutil.te | 2 -
domains/program/passwd.te | 2 -
domains/program/restorecon.te | 1
domains/program/unused/NetworkManager.te | 8 +++++
domains/program/unused/alsa.te | 7 +++-
domains/program/unused/apache.te | 3 ++
domains/program/unused/apmd.te | 2 -
domains/program/unused/certwatch.te | 11 +++++++
domains/program/unused/cups.te | 1
domains/program/unused/cvs.te | 9 ++++++
domains/program/unused/cyrus.te | 11 ++++++-
domains/program/unused/evolution.te | 1
domains/program/unused/firstboot.te | 7 ----
domains/program/unused/ftpd.te | 8 +----
domains/program/unused/hald.te | 5 +++
domains/program/unused/hotplug.te | 3 +-
domains/program/unused/hwclock.te | 1
domains/program/unused/ipsec.te | 7 ++--
domains/program/unused/kudzu.te | 5 ++-
domains/program/unused/lvm.te | 2 -
domains/program/unused/mta.te | 4 +-
domains/program/unused/mysqld.te | 1
domains/program/unused/pamconsole.te | 2 -
domains/program/unused/ping.te | 7 ++--
domains/program/unused/postgresql.te | 5 ++-
domains/program/unused/pppd.te | 32 ++++++++++++++++++++++
domains/program/unused/rlogind.te | 1
domains/program/unused/rpm.te | 3 +-
domains/program/unused/rsync.te | 4 ++
domains/program/unused/samba.te | 5 ++-
domains/program/unused/slocate.te | 4 ++
domains/program/unused/squid.te | 1
domains/program/unused/thunderbird.te | 1
domains/program/unused/udev.te | 5 ++-
domains/program/unused/vpnc.te | 15 ++++++++--
domains/program/unused/winbind.te | 1
domains/program/useradd.te | 1
file_contexts/distros.fc | 6 ++++
file_contexts/program/certwatch.fc | 3 ++
file_contexts/program/cups.fc | 1
file_contexts/program/kudzu.fc | 1
file_contexts/program/postgresql.fc | 4 ++
file_contexts/program/pppd.fc | 15 ++++++----
file_contexts/program/vpnc.fc | 1
file_contexts/types.fc | 4 +-
genfs_contexts | 3 ++
macros/admin_macros.te | 1
macros/base_user_macros.te | 13 --------
macros/content_macros.te | 5 ++-
macros/global_macros.te | 45 +++++++++++++++++++++++++++++++
macros/network_macros.te | 6 ++--
macros/program/apache_macros.te | 3 +-
macros/program/cdrecord_macros.te | 17 ++++-------
macros/program/chkpwd_macros.te | 17 +----------
macros/program/ethereal_macros.te | 7 ++--
macros/program/evolution_macros.te | 9 ++----
macros/program/gconf_macros.te | 1
macros/program/gnome_vfs_macros.te | 6 ++++
macros/program/mail_client_macros.te | 13 +++++++-
macros/program/mozilla_macros.te | 6 +++-
macros/program/su_macros.te | 8 ++++-
macros/program/thunderbird_macros.te | 14 +++++----
macros/user_macros.te | 18 ++----------
net_contexts | 9 ------
targeted/domains/program/crond.te | 9 ++++--
tunables/distro.tun | 2 -
tunables/tunable.tun | 7 +---
types/file.te | 10 ++++++
types/network.te | 10 ------
75 files changed, 316 insertions(+), 161 deletions(-)
Index: policy-20050719.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050719.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20050719.patch 27 Jul 2005 14:47:46 -0000 1.5
+++ policy-20050719.patch 28 Jul 2005 15:52:56 -0000 1.6
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.3/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/crond.te 2005-07-27 07:49:23.000000000 -0400
++++ policy-1.25.3/domains/program/crond.te 2005-07-27 13:44:47.000000000 -0400
@@ -201,11 +201,14 @@
r_dir_file(system_crond_t, file_context_t)
can_getsecurity(system_crond_t)
@@ -16,7 +16,7 @@
')
dontaudit crond_t self:capability sys_tty_config;
+# Needed for certwatch
-+r_dir_file(system_crond_t, cert_t)
++can_exec(system_crond_t, httpd_modules_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.3/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.3/domains/program/fsadm.te 2005-07-19 15:41:44.000000000 -0400
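Review bot: The new `can_exec(system_crond_t, httpd_modules_t)` grants the whole system cron domain execute access to Apache modules, while the comment above it says the access is only needed for certwatch. The certwatch hunk further down gives certwatch its own domain with `system_crond_entry(certwatch_exec_t, certwatch_t)` and its own `can_exec(certwatch_t, httpd_modules_t)`, so once the cron job transitions to certwatch_t the rule in system_crond_t looks redundant and broader than needed. Either drop it, or if a cron job really loads the modules without transitioning, record that, e.g. `# cron jobs that stay in system_crond_t (no certwatch_t transition) load httpd modules`. The crond.te definitions around this rule are outside the hunk.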
@@ -41,6 +41,14 @@
domain_auto_trans(getty_t, login_exec_t, local_login_t)
# Write to /var/run/utmp.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.3/domains/program/hostname.te
+--- nsapolicy/domains/program/hostname.te 2005-05-02 14:06:54.000000000 -0400
++++ policy-1.25.3/domains/program/hostname.te 2005-07-27 14:19:20.000000000 -0400
+@@ -25,3 +25,4 @@
+ allow hostname_t tmpfs_t:chr_file rw_file_perms;
+ ')
+ allow hostname_t initrc_devpts_t:chr_file { read write };
++allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.3/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-07-19 10:57:05.000000000 -0400
+++ policy-1.25.3/domains/program/ifconfig.te 2005-07-21 17:03:56.000000000 -0400
@@ -57,7 +65,7 @@
allow ifconfig_t { kernel_t init_t }:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.3/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/initrc.te 2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/initrc.te 2005-07-28 11:23:05.000000000 -0400
@@ -123,7 +123,7 @@
allow initrc_t file_t:dir { read search getattr mounton };
@@ -79,6 +87,16 @@
;
role system_r types insmod_t;
role sysadm_r types insmod_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.3/domains/program/passwd.te
+--- nsapolicy/domains/program/passwd.te 2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/passwd.te 2005-07-28 11:43:13.000000000 -0400
+@@ -152,5 +152,5 @@
+
+ ifdef(`targeted_policy', `
+ role system_r types sysadm_passwd_t;
+-allow sysadm_passwd_t devpts_t:chr_file { read write };
++allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+ ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.25.3/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.3/domains/program/restorecon.te 2005-07-20 20:51:57.000000000 -0400
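Review bot: `allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;` replaces an explicit `{ read write }` with the macro without saying which extra permission was missing, so the widening is not reviewable from the diff; the changelog only says "system_passwd" was fixed. A one-line comment naming the trigger keeps it honest, e.g. `# rw_file_perms: passwd presumably needs ioctl on the pty to disable echo while prompting (confirm against the denial)`. The rule sits inside the `ifdef(`targeted_policy', ...)` block of passwd.te, whose surrounding definitions are outside the hunk.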
@@ -90,6 +108,27 @@
allow restorecon_t etc_runtime_t:file { getattr read };
allow restorecon_t etc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.3/domains/program/unused/alsa.te
+--- nsapolicy/domains/program/unused/alsa.te 2005-07-05 15:25:45.000000000 -0400
++++ policy-1.25.3/domains/program/unused/alsa.te 2005-07-27 16:00:20.000000000 -0400
+@@ -6,12 +6,15 @@
+ type alsa_t, domain, privlog, daemon;
+ type alsa_exec_t, file_type, sysadmfile, exec_type;
+ uses_shlib(alsa_t)
+-allow alsa_t self:sem create_sem_perms;
+-allow alsa_t self:shm create_shm_perms;
++allow alsa_t { unpriv_userdomain self }:sem create_sem_perms;
++allow alsa_t { unpriv_userdomain self }:shm create_shm_perms;
+ allow alsa_t self:unix_stream_socket create_stream_socket_perms;
++allow alsa_t self:unix_dgram_socket create_socket_perms;
+ type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
+ rw_dir_create_file(alsa_t,alsa_etc_rw_t)
+ allow alsa_t self:capability { setgid setuid ipc_owner };
+ allow alsa_t devpts_t:chr_file { read write };
+ allow alsa_t etc_t:file { getattr read };
+ domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
++role system_r types alsa_t;
++read_locale(alsa_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.3/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/domains/program/unused/apache.te 2005-07-25 11:04:03.000000000 -0400
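Review bot: `allow alsa_t { unpriv_userdomain self }:shm create_shm_perms;` and the matching sem rule let the alsa daemon create, read and write SysV shared memory and semaphores labelled with any unprivileged user domain, and the unchanged `allow alsa_t self:capability { setgid setuid ipc_owner }` a few lines below means DAC ownership checks on those segments do not apply either. SELinux cannot distinguish an audio-sharing segment from a user's other SysV IPC, so this is effectively full access to every unprivileged user's shm and semaphores; if the full create_shm_perms/create_sem_perms sets are more than the user-to-daemon sharing needs, narrow them, and in any case record why, e.g. `# alsa shares audio buffers with user clients through SysV shm/sem created in the user's domain`. alsa.te continues outside the hunk.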
@@ -117,8 +156,8 @@
role sysadm_r types apm_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.3/domains/program/unused/certwatch.te
--- nsapolicy/domains/program/unused/certwatch.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.25.3/domains/program/unused/certwatch.te 2005-07-27 07:49:33.000000000 -0400
-@@ -0,0 +1,13 @@
++++ policy-1.25.3/domains/program/unused/certwatch.te 2005-07-27 13:40:10.000000000 -0400
+@@ -0,0 +1,11 @@
+#DESC certwatch - generate SSL certificate expiry warnings
+#
+# Domains for the certwatch process
@@ -129,9 +168,18 @@
+r_dir_file(certwatch_t, cert_t)
+can_exec(certwatch_t, httpd_modules_t)
+system_crond_entry(certwatch_exec_t, certwatch_t)
-+
-+
-+
++read_locale(certwatch_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.3/domains/program/unused/cups.te
+--- nsapolicy/domains/program/unused/cups.te 2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/cups.te 2005-07-28 11:47:11.000000000 -0400
+@@ -245,6 +245,7 @@
+ allow cupsd_config_t self:fifo_file rw_file_perms;
+
+ allow cupsd_config_t self:unix_stream_socket create_socket_perms;
++allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+ ifdef(`dbusd.te', `
+ dbusd_client(system, cupsd_config)
+ allow cupsd_config_t userdomain:dbus send_msg;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.3/domains/program/unused/cvs.te
--- nsapolicy/domains/program/unused/cvs.te 2005-04-27 10:28:50.000000000 -0400
+++ policy-1.25.3/domains/program/unused/cvs.te 2005-07-20 10:09:23.000000000 -0400
@@ -259,6 +307,14 @@
allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
+dontaudit hotplug_t selinux_config_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.3/domains/program/unused/hwclock.te
+--- nsapolicy/domains/program/unused/hwclock.te 2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/hwclock.te 2005-07-28 11:40:17.000000000 -0400
+@@ -44,3 +44,4 @@
+
+ # for when /usr is not mounted
+ dontaudit hwclock_t file_t:dir search;
++allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.25.3/domains/program/unused/ipsec.te
--- nsapolicy/domains/program/unused/ipsec.te 2005-04-27 10:28:51.000000000 -0400
+++ policy-1.25.3/domains/program/unused/ipsec.te 2005-07-25 09:42:06.000000000 -0400
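Review bot: `allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` grants the full netlink socket permission set plus nlmsg_relay with no comment, while the neighbouring rule is annotated. nlmsg_relay is the permission for sending user-space audit records, which is presumably what hwclock needs to report a clock change; if so, the rule can be limited to the create/bind/write subset actually exercised (if create_netlink_socket_perms also carries nlmsg_read/nlmsg_write, those are not needed for relaying) and documented as `# hwclock reports clock changes to the audit subsystem (nlmsg_relay)`. The `dontaudit hotplug_t selinux_config_t:dir search` in the same hunk only silences a denial and is fine. hwclock.te's full definition is outside the hunk.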
@@ -491,7 +547,7 @@
+allow rlogind_t krb5_keytab_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.3/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/rpm.te 2005-07-26 09:08:15.000000000 -0400
++++ policy-1.25.3/domains/program/unused/rpm.te 2005-07-28 11:23:44.000000000 -0400
@@ -114,7 +114,7 @@
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
@@ -501,6 +557,14 @@
# policy for rpm scriptlet
role system_r types rpm_script_t;
uses_shlib(rpm_script_t)
+@@ -194,6 +194,7 @@
+
+ domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
+ domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
++role sysadm_r types initrc_t;
+ domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
+ ifdef(`bootloader.te', `
+ domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.3/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te 2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.3/domains/program/unused/rsync.te 2005-07-22 08:45:55.000000000 -0400
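Review bot: `role sysadm_r types initrc_t;` is a global role authorization placed in rpm.te next to a transition that only rpm_script_t needs; once initrc_t is valid in sysadm_r, any sysadm_r domain with a permitted transition into initrc_t (not just rpm scriptlets) can run there under that role, and whether such paths exist depends on the rest of the policy. If the intent is that scriptlets invoked from a sysadm_r session can restart services, state it next to the rule so the widening is reviewable, e.g. `# rpm scriptlets run under sysadm_r and exec initrc_exec_t, so initrc_t must be valid in that role`. rpm.te continues outside the hunk.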
@@ -514,7 +578,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.3/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/samba.te 2005-07-27 09:18:11.000000000 -0400
++++ policy-1.25.3/domains/program/unused/samba.te 2005-07-27 11:13:01.000000000 -0400
@@ -50,7 +50,7 @@
can_ldap(smbd_t)
can_kerberos(smbd_t)
@@ -532,6 +596,15 @@
ifdef(`logrotate.te', `
# the application should be changed
+@@ -189,6 +190,8 @@
+ ')
+ # Derive from app. domain. Transition from mount.
+ application_domain(samba_net, `, nscd_client_domain')
++role system_r types samba_net_t;
++in_user_role(samba_net_t)
+ file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+ read_locale(samba_net_t)
+ allow samba_net_t samba_etc_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.3/domains/program/unused/slocate.te
--- nsapolicy/domains/program/unused/slocate.te 2005-04-27 10:28:53.000000000 -0400
+++ policy-1.25.3/domains/program/unused/slocate.te 2005-07-21 09:07:15.000000000 -0400
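Review bot: `in_user_role(samba_net_t)` makes samba_net_t a valid type in the unprivileged user roles, and the unchanged line two below, `file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)`, lets that domain create and write Samba's secrets file. Whether an ordinary user can actually enter samba_net_t depends on the transition rules from user domains, which are not in this hunk; if such a transition exists, the secrets write path is protected by DAC alone. Worth a comment recording who is expected to run `net` from a user role and why write access to samba_secrets_t is acceptable there, e.g. `# net(8) is usable from user roles; writes to samba_secrets_t then rely on DAC`. samba.te continues outside the hunk.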
@@ -692,6 +765,17 @@
+# certwatch.fc
+/usr/bin/certwatch -- system_u:object_r:certwatch_exec_t
+
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.3/file_contexts/program/cups.fc
+--- nsapolicy/file_contexts/program/cups.fc 2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/file_contexts/program/cups.fc 2005-07-28 11:18:01.000000000 -0400
+@@ -5,6 +5,7 @@
+ /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/client\.conf -- system_u:object_r:etc_t
+ /etc/cups/cupsd\.conf.* -- system_u:object_r:cupsd_rw_etc_t
++/etc/cups/classes\.conf.* -- system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/lpoptions -- system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/printers\.conf.* -- system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/ppd/.* -- system_u:object_r:cupsd_rw_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kudzu.fc policy-1.25.3/file_contexts/program/kudzu.fc
--- nsapolicy/file_contexts/program/kudzu.fc 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.3/file_contexts/program/kudzu.fc 2005-07-25 09:51:13.000000000 -0400
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.356
retrieving revision 1.357
diff -u -r1.356 -r1.357
--- selinux-policy-targeted.spec 27 Jul 2005 14:59:56 -0000 1.356
+++ selinux-policy-targeted.spec 28 Jul 2005 15:52:56 -0000 1.357
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.25.3
-Release: 7
+Release: 8
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -237,6 +237,9 @@
exit 0
%changelog
+* Thu Jul 28 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-8
+- Fixes for cups, hwclock, system_passwd, samba_net
+
* Wed Jul 27 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-7
- Add certwatch.te
- Allow smbd to connect to smbd_port_t