rpms/selinux-policy-targeted/FC-4 policy-20050719.patch, 1.2, 1.3 selinux-policy-targeted.spec, 1.326, 1.327

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Jul 28 15:59:13 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv6874

Modified Files:
	policy-20050719.patch selinux-policy-targeted.spec 
Log Message:
* Thu Jul 28 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-9
- Bump for FC4


policy-20050719.patch:
 domains/program/crond.te                 |    5 ++-
 domains/program/fsadm.te                 |    2 -
 domains/program/getty.te                 |    2 -
 domains/program/hostname.te              |    1 
 domains/program/ifconfig.te              |    3 +-
 domains/program/initrc.te                |    2 -
 domains/program/modutil.te               |    2 -
 domains/program/passwd.te                |    2 -
 domains/program/restorecon.te            |    1 
 domains/program/unused/NetworkManager.te |    8 +++++
 domains/program/unused/alsa.te           |    7 +++-
 domains/program/unused/apache.te         |    3 ++
 domains/program/unused/apmd.te           |    2 -
 domains/program/unused/certwatch.te      |   11 +++++++
 domains/program/unused/cups.te           |    1 
 domains/program/unused/cvs.te            |    9 ++++++
 domains/program/unused/cyrus.te          |   11 ++++++-
 domains/program/unused/evolution.te      |    1 
 domains/program/unused/firstboot.te      |    7 ----
 domains/program/unused/ftpd.te           |    8 +----
 domains/program/unused/hald.te           |    5 +++
 domains/program/unused/hotplug.te        |    3 +-
 domains/program/unused/hwclock.te        |    1 
 domains/program/unused/ipsec.te          |    7 ++--
 domains/program/unused/kudzu.te          |    5 ++-
 domains/program/unused/lvm.te            |    2 -
 domains/program/unused/mta.te            |    4 +-
 domains/program/unused/mysqld.te         |    1 
 domains/program/unused/pamconsole.te     |    2 -
 domains/program/unused/ping.te           |    7 ++--
 domains/program/unused/postgresql.te     |    5 ++-
 domains/program/unused/pppd.te           |   32 ++++++++++++++++++++++
 domains/program/unused/rlogind.te        |    1 
 domains/program/unused/rpm.te            |    3 +-
 domains/program/unused/rsync.te          |    4 ++
 domains/program/unused/samba.te          |    5 ++-
 domains/program/unused/slocate.te        |    4 ++
 domains/program/unused/squid.te          |    1 
 domains/program/unused/thunderbird.te    |    1 
 domains/program/unused/udev.te           |    5 ++-
 domains/program/unused/vpnc.te           |   15 ++++++++--
 domains/program/unused/winbind.te        |    1 
 domains/program/useradd.te               |    1 
 file_contexts/distros.fc                 |    6 ++++
 file_contexts/program/certwatch.fc       |    3 ++
 file_contexts/program/cups.fc            |    1 
 file_contexts/program/kudzu.fc           |    1 
 file_contexts/program/postgresql.fc      |    4 ++
 file_contexts/program/pppd.fc            |   15 ++++++----
 file_contexts/program/vpnc.fc            |    1 
 file_contexts/types.fc                   |    4 +-
 genfs_contexts                           |    3 ++
 macros/admin_macros.te                   |    1 
 macros/base_user_macros.te               |   13 --------
 macros/content_macros.te                 |    5 ++-
 macros/global_macros.te                  |   45 +++++++++++++++++++++++++++++++
 macros/network_macros.te                 |    6 ++--
 macros/program/apache_macros.te          |    3 +-
 macros/program/cdrecord_macros.te        |   17 ++++-------
 macros/program/chkpwd_macros.te          |   17 +----------
 macros/program/ethereal_macros.te        |    7 ++--
 macros/program/evolution_macros.te       |    9 ++----
 macros/program/gconf_macros.te           |    1 
 macros/program/gnome_vfs_macros.te       |    6 ++++
 macros/program/mail_client_macros.te     |   13 +++++++-
 macros/program/mozilla_macros.te         |    6 +++-
 macros/program/su_macros.te              |    8 ++++-
 macros/program/thunderbird_macros.te     |   14 +++++----
 macros/user_macros.te                    |   18 ++----------
 net_contexts                             |    9 ------
 targeted/domains/program/crond.te        |    9 ++++--
 tunables/distro.tun                      |    2 -
 tunables/tunable.tun                     |    7 +---
 types/file.te                            |   10 ++++++
 types/network.te                         |   10 ------
 75 files changed, 316 insertions(+), 161 deletions(-)

Index: policy-20050719.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/policy-20050719.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050719.patch	25 Jul 2005 17:54:17 -0000	1.2
+++ policy-20050719.patch	28 Jul 2005 15:59:09 -0000	1.3
@@ -1,7 +1,7 @@
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.3/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/crond.te	2005-07-21 09:07:03.000000000 -0400
-@@ -201,11 +201,12 @@
++++ policy-1.25.3/domains/program/crond.te	2005-07-27 13:44:47.000000000 -0400
+@@ -201,11 +201,14 @@
  r_dir_file(system_crond_t, file_context_t)
  can_getsecurity(system_crond_t)
  }
@@ -15,6 +15,8 @@
 +allow system_crond_t httpd_modules_t:lnk_file read;
  ')
  dontaudit crond_t self:capability sys_tty_config;
++# Needed for certwatch
++can_exec(system_crond_t, httpd_modules_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.3/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-07-06 17:15:06.000000000 -0400
 +++ policy-1.25.3/domains/program/fsadm.te	2005-07-19 15:41:44.000000000 -0400
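Review bot: The new `can_exec(system_crond_t, httpd_modules_t)` is placed after the `')` that closes the conditional block holding the existing `httpd_modules_t:lnk_file read`, so unlike that rule it is unconditional and every system cron job in every build gains execute on httpd module files, whether or not certwatch is present. The same commit gives certwatch its own domain entered through `system_crond_entry(certwatch_exec_t, certwatch_t)` with its own `can_exec(certwatch_t, httpd_modules_t)`, so if the transition works the grant on system_crond_t itself is redundant, and if it does not work in targeted policy that is the thing to fix rather than widening crond. At minimum move the rule inside the ifdef block above it so the `# Needed for certwatch` comment stays true. The enclosing crond.te hunk begins outside this view.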
@@ -39,6 +41,14 @@
  domain_auto_trans(getty_t, login_exec_t, local_login_t)
  
  # Write to /var/run/utmp.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.25.3/domains/program/hostname.te
+--- nsapolicy/domains/program/hostname.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.25.3/domains/program/hostname.te	2005-07-27 14:19:20.000000000 -0400
+@@ -25,3 +25,4 @@
+ allow hostname_t tmpfs_t:chr_file rw_file_perms;
+ ')
+ allow hostname_t initrc_devpts_t:chr_file { read write };
++allow hostname_t initrc_t:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.25.3/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-07-19 10:57:05.000000000 -0400
 +++ policy-1.25.3/domains/program/ifconfig.te	2005-07-21 17:03:56.000000000 -0400
@@ -55,7 +65,7 @@
  allow ifconfig_t { kernel_t init_t }:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.3/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/initrc.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/initrc.te	2005-07-28 11:23:05.000000000 -0400
 @@ -123,7 +123,7 @@
  allow initrc_t file_t:dir { read search getattr mounton };
  
@@ -77,6 +87,16 @@
  ;
  role system_r types insmod_t;
  role sysadm_r types insmod_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.3/domains/program/passwd.te
+--- nsapolicy/domains/program/passwd.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/passwd.te	2005-07-28 11:43:13.000000000 -0400
+@@ -152,5 +152,5 @@
+ 
+ ifdef(`targeted_policy', `
+ role system_r types sysadm_passwd_t;
+-allow sysadm_passwd_t devpts_t:chr_file { read write };
++allow sysadm_passwd_t devpts_t:chr_file rw_file_perms;
+ ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.25.3/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-07-06 17:15:06.000000000 -0400
 +++ policy-1.25.3/domains/program/restorecon.te	2005-07-20 20:51:57.000000000 -0400
@@ -88,6 +108,27 @@
  
  allow restorecon_t etc_runtime_t:file { getattr read };
  allow restorecon_t etc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.3/domains/program/unused/alsa.te
+--- nsapolicy/domains/program/unused/alsa.te	2005-07-05 15:25:45.000000000 -0400
++++ policy-1.25.3/domains/program/unused/alsa.te	2005-07-27 16:00:20.000000000 -0400
+@@ -6,12 +6,15 @@
+ type alsa_t, domain, privlog, daemon;
+ type alsa_exec_t, file_type, sysadmfile, exec_type;
+ uses_shlib(alsa_t)
+-allow alsa_t self:sem  create_sem_perms;
+-allow alsa_t self:shm  create_shm_perms;
++allow alsa_t { unpriv_userdomain self }:sem  create_sem_perms;
++allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
+ allow alsa_t self:unix_stream_socket create_stream_socket_perms;
++allow alsa_t self:unix_dgram_socket create_socket_perms;
+ type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
+ rw_dir_create_file(alsa_t,alsa_etc_rw_t)
+ allow alsa_t self:capability { setgid setuid ipc_owner };
+ allow alsa_t devpts_t:chr_file { read write };
+ allow alsa_t etc_t:file { getattr read };
+ domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
++role system_r types alsa_t;
++read_locale(alsa_t) 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.3/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/apache.te	2005-07-25 11:04:03.000000000 -0400
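Review bot: `allow alsa_t { unpriv_userdomain self }:sem create_sem_perms;` and the matching shm rule give alsa_t the full create-class permission set over SysV semaphores and shared memory belonging to any unprivileged user domain, and the context line `allow alsa_t self:capability { setgid setuid ipc_owner };` shows alsa_t also bypasses DAC ownership on IPC objects, so nothing else limits it. If `create_shm_perms` expands as it does elsewhere in this policy to include `destroy` and `setattr`, alsa_t can tear down or re-own another user's segments, which is more than a mixer helper entered from pam_console_t plausibly needs; granting only the permissions the audit log actually showed (presumably `associate getattr read write unix_read unix_write`) would be tighter. A one-line comment naming the use case would also tell the next reader why a system_r daemon touches user IPC at all.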
@@ -113,6 +154,32 @@
  allow apm_t fs_t:filesystem getattr;
  allow apm_t apm_bios_t:chr_file rw_file_perms;
  role sysadm_r types apm_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.3/domains/program/unused/certwatch.te
+--- nsapolicy/domains/program/unused/certwatch.te	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.3/domains/program/unused/certwatch.te	2005-07-27 13:40:10.000000000 -0400
+@@ -0,0 +1,11 @@
++#DESC certwatch - generate SSL certificate expiry warnings
++#
++# Domains for the certwatch process 
++# Authors:  Dan Walsh <dwalsh at redhat.com>,
++#
++application_domain(certwatch)
++role system_r types certwatch_t;
++r_dir_file(certwatch_t, cert_t)
++can_exec(certwatch_t, httpd_modules_t)
++system_crond_entry(certwatch_exec_t, certwatch_t)
++read_locale(certwatch_t) 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.3/domains/program/unused/cups.te
+--- nsapolicy/domains/program/unused/cups.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/cups.te	2005-07-28 11:47:11.000000000 -0400
+@@ -245,6 +245,7 @@
+ allow cupsd_config_t self:fifo_file rw_file_perms;
+ 
+ allow cupsd_config_t self:unix_stream_socket create_socket_perms;
++allow cupsd_config_t self:unix_dgram_socket create_socket_perms;
+ ifdef(`dbusd.te', `
+ dbusd_client(system, cupsd_config)
+ allow cupsd_config_t userdomain:dbus send_msg;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.25.3/domains/program/unused/cvs.te
 --- nsapolicy/domains/program/unused/cvs.te	2005-04-27 10:28:50.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/cvs.te	2005-07-20 10:09:23.000000000 -0400
@@ -165,6 +232,30 @@
  
  # Everything else is in macros/evolution_macros.te
 +bool disable_evolution_trans false;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.3/domains/program/unused/firstboot.te
+--- nsapolicy/domains/program/unused/firstboot.te	2005-06-01 06:11:22.000000000 -0400
++++ policy-1.25.3/domains/program/unused/firstboot.te	2005-07-25 15:04:43.000000000 -0400
+@@ -57,9 +57,6 @@
+ # Allow write to utmp file
+ allow firstboot_t initrc_var_run_t:file write;
+ 
+-allow firstboot_t krb5_conf_t:file { getattr read };
+-allow firstboot_t net_conf_t:file { getattr read };
+-
+ ifdef(`samba.te', `
+ rw_dir_file(firstboot_t, samba_etc_t)
+ ')
+@@ -95,10 +92,6 @@
+ allow firstboot_t modules_conf_t:file { getattr read };
+ allow firstboot_t modules_dep_t:file { getattr read };
+ allow firstboot_t modules_object_t:dir search;
+-allow firstboot_t net_conf_t:file rw_file_perms;
+-allow firstboot_t netif_lo_t:netif { tcp_recv tcp_send };
+-allow firstboot_t node_t:node { tcp_recv tcp_send };
+-
+ allow firstboot_t port_t:tcp_socket { recv_msg send_msg };
+ allow firstboot_t proc_t:lnk_file read;
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.25.3/domains/program/unused/ftpd.te
 --- nsapolicy/domains/program/unused/ftpd.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/ftpd.te	2005-07-22 08:48:57.000000000 -0400
@@ -182,8 +273,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.3/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/hald.te	2005-07-19 15:41:44.000000000 -0400
-@@ -96,3 +96,7 @@
++++ policy-1.25.3/domains/program/unused/hald.te	2005-07-26 09:07:57.000000000 -0400
+@@ -47,6 +47,7 @@
+ allow hald_t printer_device_t:chr_file rw_file_perms;
+ allow hald_t urandom_device_t:chr_file read;
+ allow hald_t mouse_device_t:chr_file r_file_perms;
++allow hald_t device_type:chr_file getattr;
+ 
+ can_getsecurity(hald_t)
+ 
+@@ -96,3 +97,7 @@
  allow unconfined_t hald_t:dbus send_msg;
  allow hald_t unconfined_t:dbus send_msg;
  ')
@@ -208,6 +307,14 @@
  allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
  
 +dontaudit hotplug_t selinux_config_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.3/domains/program/unused/hwclock.te
+--- nsapolicy/domains/program/unused/hwclock.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/hwclock.te	2005-07-28 11:40:17.000000000 -0400
+@@ -44,3 +44,4 @@
+ 
+ # for when /usr is not mounted
+ dontaudit hwclock_t file_t:dir search;
++allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ipsec.te policy-1.25.3/domains/program/unused/ipsec.te
 --- nsapolicy/domains/program/unused/ipsec.te	2005-04-27 10:28:51.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/ipsec.te	2005-07-25 09:42:06.000000000 -0400
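Review bot: `allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` lets hwclock_t open the audit socket and relay user records, but the audit path also expects the sender to hold CAP_AUDIT_WRITE, and no `allow hwclock_t self:capability audit_write;` appears in this hunk (it may exist elsewhere in hwclock.te, which is cut off here). The chkpwd macro in this same patch pairs the socket rule with the capability; if hwclock needs the pairing too, add the capability line next to this one, otherwise the socket rule alone will still leave a denial in the log. A comment such as `# hwclock audits system clock changes` would explain why a clock tool talks to the audit subsystem.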
@@ -340,7 +447,7 @@
  # for /var/run/console.lock checking
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.3/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/ping.te	2005-07-19 23:17:05.000000000 -0400
++++ policy-1.25.3/domains/program/unused/ping.te	2005-07-25 14:53:06.000000000 -0400
 @@ -17,6 +17,9 @@
  in_user_role(ping_t)
  type ping_exec_t, file_type, sysadmfile, exec_type;
@@ -359,6 +466,16 @@
  
  # Transition into this domain when you run this program.
  domain_auto_trans(sysadm_t, ping_exec_t, ping_t)
+@@ -40,9 +44,6 @@
+ # Let ping create raw ICMP packets.
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+ 
+-allow ping_t netif_type:netif { rawip_send rawip_recv };
+-allow ping_t node_type:node { rawip_send rawip_recv };
+-
+ # Use capabilities.
+ allow ping_t self:capability { net_raw setuid };
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.25.3/domains/program/unused/postgresql.te
 --- nsapolicy/domains/program/unused/postgresql.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/postgresql.te	2005-07-20 14:30:01.000000000 -0400
@@ -422,12 +539,32 @@
 +domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rlogind.te policy-1.25.3/domains/program/unused/rlogind.te
 --- nsapolicy/domains/program/unused/rlogind.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/rlogind.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/unused/rlogind.te	2005-07-26 15:01:06.000000000 -0400
 @@ -35,3 +35,4 @@
  allow rlogind_t default_t:dir search;
  typealias rlogind_port_t alias rlogin_port_t;
  read_sysctl(rlogind_t);
-+allow rlogind_t krb5_keytab_t:file { getattr read };
++allow rlogind_t krb5_keytab_t:file r_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.25.3/domains/program/unused/rpm.te
+--- nsapolicy/domains/program/unused/rpm.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/rpm.te	2005-07-28 11:23:44.000000000 -0400
+@@ -114,7 +114,7 @@
+ 
+ allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
+ 
+-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, priv_system_role;
++type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
+ # policy for rpm scriptlet
+ role system_r types rpm_script_t;
+ uses_shlib(rpm_script_t)
+@@ -194,6 +194,7 @@
+ 
+ domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
+ domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
++role sysadm_r types initrc_t;
+ domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
+ ifdef(`bootloader.te', `
+ domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.25.3/domains/program/unused/rsync.te
 --- nsapolicy/domains/program/unused/rsync.te	2005-04-27 10:28:52.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/rsync.te	2005-07-22 08:45:55.000000000 -0400
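Review bot: `role sysadm_r types initrc_t;` in rpm.te is a global role authorization, not something scoped to rpm_script_t: it permits initrc_t under sysadm_r for any transition path, not only the `domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)` on the next line, and combined with the `privrole` attribute newly added to rpm_script_t above it presumably means scriptlets running under sysadm_r can now land in sysadm_r:initrc_t instead of being forced through the system role the way run_init does. If the intent is for scriptlets to run init scripts in system_r, a role transition expresses that without widening sysadm_r; if sysadm_r:initrc_t is intended, a comment stating so, and placing the statement in initrc.te where the type is declared, keeps the authorization discoverable. The rpm.te hunk ends inside the bootloader.te ifdef.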
@@ -441,7 +578,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.3/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/samba.te	2005-07-22 08:49:50.000000000 -0400
++++ policy-1.25.3/domains/program/unused/samba.te	2005-07-27 11:13:01.000000000 -0400
+@@ -50,7 +50,7 @@
+ can_ldap(smbd_t)
+ can_kerberos(smbd_t)
+ can_winbind(smbd_t)
+-allow smbd_t ipp_port_t:tcp_socket name_connect;
++allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
+ 
+ allow smbd_t urandom_device_t:chr_file { getattr read };
+ 
 @@ -79,6 +79,7 @@
  
  # Access Samba shares.
@@ -450,6 +596,15 @@
  
  ifdef(`logrotate.te', `
  # the application should be changed
+@@ -189,6 +190,8 @@
+ ')
+ # Derive from app. domain. Transition from mount.
+ application_domain(samba_net, `, nscd_client_domain')
++role system_r types samba_net_t;
++in_user_role(samba_net_t)
+ file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
+ read_locale(samba_net_t) 
+ allow samba_net_t samba_etc_t:file r_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.3/domains/program/unused/slocate.te
 --- nsapolicy/domains/program/unused/slocate.te	2005-04-27 10:28:53.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/slocate.te	2005-07-21 09:07:15.000000000 -0400
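Review bot: `in_user_role(samba_net_t)` authorizes samba_net_t in the unprivileged user roles, and the next line shows this domain creates samba_secrets_t files under samba_etc_t; whether a user-role domain can actually enter samba_net_t depends on a domain transition not visible in this hunk, but the role authorization is the half that makes such an entry possible. If only the system role and sysadm need `net`, the changelog entry "Fixes for samba_net" does not say which caller, keeping `role system_r types samba_net_t;` and dropping the user-role line limits who can reach the secrets-writing domain. A comment naming the caller that needed this would settle it.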
@@ -490,7 +645,7 @@
 +bool disable_thunderbird_trans false;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.25.3/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/udev.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/unused/udev.te	2005-07-26 09:08:06.000000000 -0400
 @@ -28,11 +28,12 @@
  type udev_tdb_t, file_type, sysadmfile, dev_fs;
  typealias udev_tdb_t alias udev_tbl_t;
@@ -501,7 +656,7 @@
  allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
  allow udev_t self:unix_dgram_socket create_socket_perms;
  allow udev_t self:fifo_file rw_file_perms;
-+allow udev_t self:netlink_kobject_uevent_socket { create bind read }; 
++allow udev_t self:netlink_kobject_uevent_socket { create bind read setopt }; 
  allow udev_t device_t:file { unlink rw_file_perms };
  allow udev_t device_t:sock_file create_file_perms;
  allow udev_t device_t:lnk_file create_lnk_perms;
@@ -603,6 +758,24 @@
  
  # Fedora Extras packages: ladspa, imlib2, ocaml
  /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/certwatch.fc policy-1.25.3/file_contexts/program/certwatch.fc
+--- nsapolicy/file_contexts/program/certwatch.fc	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.25.3/file_contexts/program/certwatch.fc	2005-07-27 07:49:50.000000000 -0400
+@@ -0,0 +1,3 @@
++# certwatch.fc
++/usr/bin/certwatch	-- system_u:object_r:certwatch_exec_t
++
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.3/file_contexts/program/cups.fc
+--- nsapolicy/file_contexts/program/cups.fc	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/file_contexts/program/cups.fc	2005-07-28 11:18:01.000000000 -0400
+@@ -5,6 +5,7 @@
+ /var/cache/alchemist/printconf.* system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/client\.conf	--	system_u:object_r:etc_t
+ /etc/cups/cupsd\.conf.* --	system_u:object_r:cupsd_rw_etc_t
++/etc/cups/classes\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/lpoptions	--	system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/printers\.conf.* --	system_u:object_r:cupsd_rw_etc_t
+ /etc/cups/ppd/.*	--	system_u:object_r:cupsd_rw_etc_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/kudzu.fc policy-1.25.3/file_contexts/program/kudzu.fc
 --- nsapolicy/file_contexts/program/kudzu.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.25.3/file_contexts/program/kudzu.fc	2005-07-25 09:51:13.000000000 -0400
@@ -675,12 +848,14 @@
  # /srv
 diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.25.3/genfs_contexts
 --- nsapolicy/genfs_contexts	2005-05-07 00:41:08.000000000 -0400
-+++ policy-1.25.3/genfs_contexts	2005-07-19 15:41:44.000000000 -0400
-@@ -92,6 +92,7 @@
++++ policy-1.25.3/genfs_contexts	2005-07-27 09:20:11.000000000 -0400
+@@ -92,6 +92,9 @@
  genfscon afs /				system_u:object_r:nfs_t
  
  genfscon debugfs /			system_u:object_r:debugfs_t
 +genfscon inotifyfs /			system_u:object_r:inotifyfs_t
++genfscon hugetlbfs /			system_u:object_r:hugetlbfs_t
++genfscon mqueue /			system_u:object_r:mqueue_t
  
  # needs more work
  genfscon eventpollfs / system_u:object_r:eventpollfs_t
@@ -742,7 +917,7 @@
  `} else {
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.3/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/global_macros.te	2005-07-22 08:47:35.000000000 -0400
++++ policy-1.25.3/macros/global_macros.te	2005-07-25 14:22:43.000000000 -0400
 @@ -595,6 +595,18 @@
  ')dnl end polyinstantiater
  
@@ -762,7 +937,7 @@
  # Define a domain that can do anything, so that it is
  # effectively unconfined by the SELinux policy.  This
  # means that it is only restricted by the normal Linux 
-@@ -708,3 +720,23 @@
+@@ -708,3 +720,36 @@
  ')
  
  ')dnl end unconfined_domain
@@ -786,6 +961,39 @@
 +
 +')
 +
++define(`authentication_domain', `
++can_ypbind($1)
++can_kerberos($1)
++can_ldap($1)
++can_resolve($1)
++ifdef(`winbind.te', `
++r_dir_file($1, winbind_var_run_t)
++')
++r_dir_file($1, cert_t)
++allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
++allow $1 self:capability { audit_write audit_control };
++dontaudit $1 shadow_t:file { getattr read };
++')
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.3/macros/network_macros.te
+--- nsapolicy/macros/network_macros.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/macros/network_macros.te	2005-07-25 14:53:19.000000000 -0400
+@@ -16,9 +16,7 @@
+ # Allow the domain to send or receive using any network interface.
+ # netif_type is a type attribute for all network interface types.
+ #
+-allow $1 netif_type:netif { $2_send rawip_send };
+-allow $1 netif_type:netif { $2_recv rawip_recv };
+-
++allow $1 netif_t:netif { $2_recv $2_send rawip_send rawip_recv };
+ #
+ # Allow the domain to send to or receive from any node.
+ # node_type is a type attribute for all node types.
+@@ -175,3 +173,5 @@
+ allow $1 winbind_var_run_t:sock_file { getattr read write };
+ ')
+ ')
++
++
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.3/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.3/macros/program/apache_macros.te	2005-07-22 08:51:23.000000000 -0400
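Review bot: The new `authentication_domain` macro grants `allow $1 self:capability { audit_write audit_control };` to every domain it is applied to; `audit_write` is what emitting user audit records needs, but `audit_control` is the capability for changing audit configuration, including disabling auditing, and nothing in a password-checking or authentication helper needs that. The chkpwd hunk later in this patch now applies the macro to every `$1_chkpwd_t`, so user-level helpers that previously had no audit capability at all (only auth_chkpwd carried the pair, per the line removed there) now get both. Change the rule to `allow $1 self:capability audit_write;` and grant `audit_control` individually to the rare domain that really configures auditing.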
@@ -842,9 +1050,61 @@
 +allow $1_cdrecord_t $1_home_t:file r_file_perms;
  ')
  
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.3/macros/program/chkpwd_macros.te
+--- nsapolicy/macros/program/chkpwd_macros.te	2005-07-19 10:57:05.000000000 -0400
++++ policy-1.25.3/macros/program/chkpwd_macros.te	2005-07-25 14:22:52.000000000 -0400
+@@ -23,28 +23,15 @@
+ allow $1_chkpwd_t proc_t:file read;
+ 
+ can_getcon($1_chkpwd_t)
+-can_ypbind($1_chkpwd_t)
+-can_kerberos($1_chkpwd_t)
+-can_ldap($1_chkpwd_t)
+-can_resolve($1_chkpwd_t)
++authentication_domain($1_chkpwd_t)
+ 
+ ifelse($1, system, `
+ domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
+ allow auth_chkpwd sbin_t:dir search;
+ allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+-allow auth_chkpwd self:capability { audit_write audit_control };
+ 
+ dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
+-dontaudit auth_chkpwd shadow_t:file { getattr read };
+-can_ypbind(auth_chkpwd)
+-can_kerberos(auth_chkpwd)
+-can_ldap(auth_chkpwd)
+-ifdef(`winbind.te', `
+-r_dir_file(auth_chkpwd, winbind_var_run_t)
+-')
+-r_dir_file(auth_chkpwd, cert_t)
+-r_dir_file($1_chkpwd_t, cert_t)
+-allow $1_chkpwd_t { random_device_t urandom_device_t }:chr_file { getattr read };
++authentication_domain(auth_chkpwd)
+ ', `
+ domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+ allow $1_t sbin_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ethereal_macros.te policy-1.25.3/macros/program/ethereal_macros.te
+--- nsapolicy/macros/program/ethereal_macros.te	2005-07-05 15:25:49.000000000 -0400
++++ policy-1.25.3/macros/program/ethereal_macros.te	2005-07-26 13:53:19.000000000 -0400
+@@ -38,11 +38,10 @@
+ role $1_r types $1_ethereal_t;
+ 
+ # Manual transition from userhelper 
+-# FIXME: Need to handle the fallback case, which requires userhelper support
+ ifdef(`userhelper.te', `
+-allow userhelperdomain sysadm_ethereal_t:process { transition siginh rlimitinh noatsecure };
+-allow sysadm_ethereal_t userhelperdomain:fd use;
+-allow sysadm_ethereal_t userhelperdomain:process sigchld;
++allow userhelperdomain $1_ethereal_t:process { transition siginh rlimitinh noatsecure };
++allow $1_ethereal_t userhelperdomain:fd use;
++allow $1_ethereal_t userhelperdomain:process sigchld;
+ ') dnl userhelper
+ 
+ # X, GNOME
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.3/macros/program/evolution_macros.te
 --- nsapolicy/macros/program/evolution_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/program/evolution_macros.te	2005-07-19 15:43:41.000000000 -0400
++++ policy-1.25.3/macros/program/evolution_macros.te	2005-07-26 14:10:04.000000000 -0400
 @@ -37,7 +37,9 @@
  type $1_evolution_server_t, domain, nscd_client_domain;
  
@@ -855,6 +1115,15 @@
  role $1_r types $1_evolution_server_t;
  
  # Evolution common stuff
+@@ -62,7 +64,7 @@
+ allow $1_evolution_server_t ldap_port_t:tcp_socket name_connect;
+ 
+ # Look in /etc/pki
+-allow $1_evolution_server_t cert_t:dir r_dir_perms;
++r_dir_file($1_evolution_server_t, cert_t)
+ 
+ ') dnl evolution_data_server
+ 
 @@ -168,12 +170,9 @@
  domain_auto_trans($1_t, evolution_exec_t, $1_evolution_t)
  role $1_r types $1_evolution_t;
@@ -948,6 +1217,25 @@
  }
  allow $1_mozilla_t texrel_shlib_t:file execmod;
  
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.25.3/macros/program/su_macros.te
+--- nsapolicy/macros/program/su_macros.te	2005-05-25 11:28:11.000000000 -0400
++++ policy-1.25.3/macros/program/su_macros.te	2005-07-25 14:18:04.000000000 -0400
+@@ -23,9 +23,13 @@
+ 
+ define(`su_restricted_domain', `
+ # Derived domain based on the calling user domain and the program.
+-ifdef(`support_polyinstantiation', `
+-type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;',`
+ type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
++ifdef(`support_polyinstantiation', `
++typeattribute $1_su_t mlsfileread;
++typeattribute $1_su_t mlsfilewrite;
++typeattribute $1_su_t mlsfileupgrade;
++typeattribute $1_su_t mlsfiledowngrade;
++typeattribute $1_su_t mlsprocsetsl;
+ ')
+ 
+ # for SSP
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.25.3/macros/program/thunderbird_macros.te
 --- nsapolicy/macros/program/thunderbird_macros.te	2005-07-05 15:25:49.000000000 -0400
 +++ policy-1.25.3/macros/program/thunderbird_macros.te	2005-07-19 15:42:51.000000000 -0400
@@ -1028,7 +1316,7 @@
  # Rules used to associate a homedir as a mountpoint
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.3/net_contexts
 --- nsapolicy/net_contexts	2005-07-12 08:50:42.000000000 -0400
-+++ policy-1.25.3/net_contexts	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/net_contexts	2005-07-25 14:45:47.000000000 -0400
 @@ -45,6 +45,7 @@
  portcon tcp 465 system_u:object_r:smtp_port_t
  portcon tcp 587 system_u:object_r:smtp_port_t
@@ -1037,6 +1325,21 @@
  portcon udp 53 system_u:object_r:dns_port_t
  portcon tcp 53 system_u:object_r:dns_port_t
  
+@@ -222,14 +223,6 @@
+ #
+ # interface netif_context default_msg_context
+ #
+-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
+-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
+-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
+-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
+-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
+-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
+-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
+-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
+ 
+ # Nodes (default = initial SID "node")
+ #
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.25.3/targeted/domains/program/crond.te
 --- nsapolicy/targeted/domains/program/crond.te	2005-06-29 16:36:19.000000000 -0400
 +++ policy-1.25.3/targeted/domains/program/crond.te	2005-07-19 15:41:44.000000000 -0400
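Review bot: Dropping every `netifcon` line, including `lo`, removes the only way a domain could be restricted to loopback traffic: with no netifcon, every interface labels as the default `netif_t`, so a rule written against netif_t reaches eth0 exactly as it reaches lo. firstboot.te in this same patch previously limited its TCP traffic to `netif_lo_t` and that rule is deleted rather than translated, which is consistent but is a quiet loss of a restriction; if no remaining domain relied on the loopback distinction, a comment here such as `# per-interface types removed; all interfaces default to netif_t` records the decision for anyone who later wants to reintroduce `netifcon lo`.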
@@ -1136,7 +1439,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.3/types/network.te
 --- nsapolicy/types/network.te	2005-07-12 08:50:44.000000000 -0400
-+++ policy-1.25.3/types/network.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/types/network.te	2005-07-25 14:47:17.000000000 -0400
 @@ -22,6 +22,7 @@
  type http_port_t, port_type, reserved_port_type;
  type ipp_port_t, port_type, reserved_port_type;
@@ -1145,3 +1448,19 @@
  
  allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
  type pop_port_t, port_type, reserved_port_type;
+@@ -73,15 +74,6 @@
+ # interfaces in net_contexts or net_contexts.mls.
+ #
+ type netif_t, netif_type;
+-type netif_eth0_t, netif_type;
+-type netif_eth1_t, netif_type;
+-type netif_eth2_t, netif_type;
+-type netif_lo_t, netif_type;
+-type netif_ippp0_t, netif_type;
+-
+-type netif_ipsec0_t, netif_type;
+-type netif_ipsec1_t, netif_type;
+-type netif_ipsec2_t, netif_type;
+ 
+ #
+ # node_t is the default type of network nodes.
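Review bot: Removing `netif_eth0_t`, `netif_lo_t` and the other per-interface types without a `typealias` breaks any policy still naming them: this very patch had to delete a `netif_lo_t` rule from firstboot.te, and any site-local or third-party .te that still references these names will now fail to build rather than degrade gracefully. Keeping `typealias netif_t alias { netif_eth0_t netif_eth1_t netif_eth2_t netif_lo_t netif_ippp0_t netif_ipsec0_t netif_ipsec1_t netif_ipsec2_t };` after `type netif_t, netif_type;` preserves compatibility while still collapsing everything onto netif_t. The network.te hunk ends at the node_t comment, so later uses of these names in the file are not visible here.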


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/selinux-policy-targeted.spec,v
retrieving revision 1.326
retrieving revision 1.327
diff -u -r1.326 -r1.327
--- selinux-policy-targeted.spec	25 Jul 2005 17:54:17 -0000	1.326
+++ selinux-policy-targeted.spec	28 Jul 2005 15:59:09 -0000	1.327
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.3
-Release: 6
+Release: 9
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -237,6 +237,17 @@
 exit 0
 
 %changelog
+* Thu Jul 28 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-9
+- Bump for FC4
+
+* Thu Jul 28 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-8
+- Fixes for cups, hwclock, system_passwd, samba_net
+
+* Wed Jul 27 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-7
+- Add certwatch.te
+- Allow smbd to connect to smbd_port_t
+- Fix hugetlb and mqueue
+
 * Mon Jul 25 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-6
 - Bump for FC4
 



