rpms/selinux-policy-targeted/devel policy-20051021.patch,NONE,1.1

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Oct 21 18:25:19 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv5022

Added Files:
	policy-20051021.patch 
Log Message:
* Fri Oct 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-1
- Update to latest from NSA
	* Merged patch from Chad Hanson.  Modified MLS constraints.
	Provided comments for the MLS attributes.
	* Merged two patches from Thomas Bleher which made some minor
	fixes and cleanups.
	* Merged patches from Russell Coker. Added comments to some of the
	MLS attributes.  Added the secure_mode_insmod boolean to determine
	whether the system permits loading policy, setting enforcing mode,
	and changing boolean values. Made minor fixes for the cdrecord_domain
	macro, application_domain, newrole_domain, and daemon_base_domain
	macros.  Added rules to allow the mail server to access the user
	home directories in the targeted policy and allows the postfix
	showq program to do DNS lookups.  Minor fixes for the MCS
	policy.  Made other minor fixes and cleanups.
	* Merged patch from Dan Walsh.  Added opencd, pegasus, readahead,
	and roundup policies.  Created can_access_pty macro to handle pty
	output.  Created nsswitch_domain macro for domains using
	nsswitch.  Added mcs transition rules.  Removed mqueue and added
	capifs genfscon entries.  Added dhcpd and pegasus ports.  Added
	domain transitions from login domains to pam_console and alsa
	domains.  Added rules to allow the httpd and squid domains to
	relay more protocols.  For the targeted policy, removed sysadm_r
	role from unconfined_t.  Made other fixes and cleanups.


policy-20051021.patch:
 Makefile                                 |    6 
 attrib.te                                |   18 +-
 domains/admin.te                         |    2 
 domains/misc/kernel.te                   |    2 
 domains/program/fsadm.te                 |    2 
 domains/program/ifconfig.te              |    2 
 domains/program/init.te                  |    2 
 domains/program/initrc.te                |   13 +
 domains/program/logrotate.te             |    2 
 domains/program/modutil.te               |    8 -
 domains/program/newrole.te               |    4 
 domains/program/restorecon.te            |    1 
 domains/program/setfiles.te              |    2 
 domains/program/ssh.te                   |    2 
 domains/program/su.te                    |    4 
 domains/program/syslogd.te               |    4 
 domains/program/tmpreaper.te             |    2 
 domains/program/unused/NetworkManager.te |   10 +
 domains/program/unused/amanda.te         |   21 +-
 domains/program/unused/apache.te         |   15 +-
 domains/program/unused/apmd.te           |   13 +
 domains/program/unused/auditd.te         |    6 
 domains/program/unused/bluetooth.te      |   57 +++++++
 domains/program/unused/cups.te           |   11 -
 domains/program/unused/dbusd.te          |    2 
 domains/program/unused/dhcpc.te          |    3 
 domains/program/unused/dhcpd.te          |    3 
 domains/program/unused/ftpd.te           |    6 
 domains/program/unused/hald.te           |    5 
 domains/program/unused/hotplug.te        |    5 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    3 
 domains/program/unused/mysqld.te         |    6 
 domains/program/unused/named.te          |   17 ++
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |    5 
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   10 +
 domains/program/unused/ping.te           |    2 
 domains/program/unused/postfix.te        |   50 ++++--
 domains/program/unused/pppd.te           |   17 +-
 domains/program/unused/rpcd.te           |   16 ++
 domains/program/unused/rpm.te            |    4 
 domains/program/unused/rsync.te          |    3 
 domains/program/unused/samba.te          |    3 
 domains/program/unused/sendmail.te       |    3 
 domains/program/unused/snmpd.te          |    1 
 domains/program/unused/udev.te           |    8 -
 domains/program/unused/webalizer.te      |    3 
 domains/program/unused/xdm.te            |    2 
 domains/program/unused/yppasswdd.te      |   40 +++++
 file_contexts/distros.fc                 |    1 
 file_contexts/program/apache.fc          |    2 
 file_contexts/program/backup.fc          |    2 
 file_contexts/program/bluetooth.fc       |    2 
 file_contexts/program/dhcpc.fc           |    1 
 file_contexts/program/dhcpd.fc           |    5 
 file_contexts/program/ftpd.fc            |    5 
 file_contexts/program/games.fc           |    3 
 file_contexts/program/kudzu.fc           |    2 
 file_contexts/program/rshd.fc            |    1 
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/squid.fc           |    3 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/types.fc                   |    4 
 genfs_contexts                           |    1 
 macros/base_user_macros.te               |    6 
 macros/global_macros.te                  |   23 ---
 macros/program/chkpwd_macros.te          |    2 
 macros/program/su_macros.te              |    2 
 man/man8/ftpd_selinux.8                  |   19 +-
 man/man8/httpd_selinux.8                 |    9 +
 man/man8/rsync_selinux.8                 |   12 +
 man/man8/samba_selinux.8                 |    9 +
 mcs                                      |  194 ++++++++------------------
 mls                                      |  227 +++++++++++--------------------
 targeted/assert.te                       |    2 
 targeted/domains/program/sendmail.te     |    1 
 targeted/domains/program/ssh.te          |    2 
 targeted/domains/program/xdm.te          |    4 
 targeted/domains/unconfined.te           |    7 
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/devpts.te                          |    4 
 types/file.te                            |   43 +----
 types/network.te                         |   10 -
 types/nfs.te                             |    1 
 types/security.te                        |    2 
 88 files changed, 587 insertions(+), 465 deletions(-)

--- NEW FILE policy-20051021.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.27.2/attrib.te
--- nsapolicy/attrib.te	2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/attrib.te	2005-10-21 12:55:51.000000000 -0400
@@ -28,7 +28,8 @@
 #
 # Grant MLS read access to files not dominated by the process Effective SL
 attribute mlsfileread;
-# Grant MLS read access to files dominated by the process Clearance SL
+# Grant MLS read access to files which dominate the process Effective SL
+# and are dominated by the process Clearance SL
 attribute mlsfilereadtoclr;
 # Grant MLS write access to files not equal to the Effective SL
 attribute mlsfilewrite;
@@ -47,7 +48,8 @@
 #
 # Grant MLS read access to packets not dominated by the process Effective SL
 attribute mlsnetread;
-# Grant MLS read access to packets dominated by the process Clearance SL
+# Grant MLS read access to packets which dominate the process Effective SL
+# and are dominated by the process Clearance SL
 attribute mlsnetreadtoclr;
 # Grant MLS write access to packets not equal to the Effective SL
 attribute mlsnetwrite;
@@ -69,7 +71,8 @@
 #
 # Grant MLS read access to IPC objects not dominated by the process Effective SL
 attribute mlsipcread;
-# Grant MLS read access to IPC objects dominated by the process Clearance SL
+# Grant MLS read access to IPC objects which dominate the process Effective SL
+# and are dominated by the process Clearance SL
 attribute mlsipcreadtoclr;
 # Grant MLS write access to IPC objects not equal to the process Effective SL
 attribute mlsipcwrite;
@@ -82,7 +85,8 @@
 #
 # Grant MLS read access to processes not dominated by the process Effective SL
 attribute mlsprocread;
-# Grant MLS read access to processes dominated by the process Clearance SL
+# Grant MLS read access to processes which dominate the process Effective SL
+# and are dominated by the process Clearance SL
 attribute mlsprocreadtoclr;
 # Grant MLS write access to processes not equal to the Effective SL
 attribute mlsprocwrite;
@@ -98,7 +102,8 @@
 #
 # Grant MLS read access to X objects not dominated by the process Effective SL
 attribute mlsxwinread;
-# Grant MLS read access to X objects dominated by the process Clearance SL
+# Grant MLS read access to X objects which dominate the process Effective SL
+# and are dominated by the process Clearance SL
 attribute mlsxwinreadtoclr;
 # Grant MLS write access to X objects not equal to the process Effective SL
 attribute mlsxwinwrite;
@@ -517,6 +522,9 @@
 # Attribute to designate unrestricted access
 attribute unrestricted;
 
+# Attribute to designate can transition to unconfined_t
+attribute unconfinedtrans;
+
 # For clients of nscd.
 attribute nscd_client_domain;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.27.2/domains/admin.te
--- nsapolicy/domains/admin.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.2/domains/admin.te	2005-10-21 12:55:51.000000000 -0400
@@ -4,7 +4,7 @@
 
 # sysadm_t is the system administrator domain.
 type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
-ifdef(`direct_sysadm_daemon', `, priv_system_role')
+ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans')
 ; dnl end of sysadm_t type declaration
 
 allow privhome home_root_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.27.2/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te	2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.2/domains/misc/kernel.te	2005-10-21 12:55:51.000000000 -0400
@@ -30,7 +30,7 @@
 
 ifdef(`mls_policy', `
 # run init with maximum MLS range
-range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+range_transition kernel_t init_exec_t s0 - s15:c0.c255;
 ')
 
 # Share state with the init process.
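Review bot: The maximum range `s0 - s15:c0.c255` on the changed range_transition line is a hard-coded copy of the system-high level that is presumably defined in the mls file, and the same literal reappears in initrc.te's new sysadm_t → initrc_exec_t transition. This hunk itself bumps it from `s9:c0.c127`, which shows how easily the call sites drift: a stale one would either fail to build or silently start init below system high. A single m4 definition such as `define(`mls_systemhigh', `s15:c0.c255')` used from both places would keep them in step.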
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.2/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/fsadm.te	2005-10-21 12:55:51.000000000 -0400
@@ -12,7 +12,7 @@
 # administration.
 # fsadm_exec_t is the type of the corresponding programs.
 #
-type fsadm_t, domain, privlog, fs_domain, mlsfileread;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
 role system_r types fsadm_t;
 role sysadm_r types fsadm_t;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.2/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/ifconfig.te	2005-10-21 12:55:51.000000000 -0400
@@ -61,7 +61,7 @@
 # ifconfig attempts to search some sysctl entries.
 # Do not audit those attempts; comment out these rules if it is desired to
 # see the denials.
-dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
+allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
 
 allow ifconfig_t fs_t:filesystem getattr;
 
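Review bot: The comment directly above the changed line still says the sysctl searches are not audited and that the rules can be commented out to see the denials, but the rule is now an `allow`, so the comment is wrong as of this hunk. Replace it with something like `# ifconfig needs to search sysctl entries (net.*) to configure interfaces.` A dontaudit→allow change is a (small) widening of what ifconfig_t may do, so the reason it became legitimate belongs in that comment as well.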
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.2/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/initrc.te	2005-10-21 12:55:51.000000000 -0400
@@ -12,7 +12,7 @@
 # initrc_exec_t is the type of the init program.
 #
 # do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans;
 
 role system_r types initrc_t;
 uses_shlib(initrc_t);
@@ -56,6 +56,10 @@
 can_create_pty(initrc)
 
 tmp_domain(initrc)
+#
+# Some initscripts generate scripts that they need to execute (ldap)
+#
+can_exec(initrc_t, initrc_tmp_t)
 
 var_run_domain(initrc)
 allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
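Review bot: `can_exec(initrc_t, initrc_tmp_t)` lets initrc_t execute any file labelled initrc_tmp_t, so anything able to create or modify such a file runs with initrc_t's privileges (privowner, privmodule, sysctl_kernel_writer per the type line above). tmp_domain(initrc) gives initrc_t a private label for its temp files, which confines the exposure to initrc_t itself plus whatever other rules grant write on initrc_tmp_t; those rules are outside this hunk, so please confirm none do. The comment should state that reasoning, e.g. `# ldap's initscript writes a helper script to /tmp and runs it; only initrc_t may write initrc_tmp_t.`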
@@ -279,6 +283,10 @@
 ifdef(`direct_sysadm_daemon', `
 role_transition sysadm_r initrc_exec_t system_r;
 domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
+ifdef(`mls_policy', `
+typeattribute initrc_t mlsrangetrans;
+range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;
+')
 ')
 
 #
@@ -333,3 +341,6 @@
 
 # Slapd needs to read cert files from its initscript
 r_dir_file(initrc_t, cert_t)
+ifdef(`use_mcs', `
+range_transition sysadm_t initrc_exec_t s0;
+')
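Review bot: The `use_mcs` range_transition for sysadm_t → initrc_exec_t at the end of the file sits outside the `direct_sysadm_daemon` guard that wraps the matching domain_auto_trans and the mls_policy range_transition earlier in this file. If direct_sysadm_daemon is not defined there is no sysadm_t→initrc_t transition for this rule to apply to, and if mls_policy and use_mcs were ever both defined the two range_transition rules for the same source/target pair would presumably collide at build time. Moving this block next to the mls_policy one inside the same ifdef would make the relationship explicit.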
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.27.2/domains/program/init.te
--- nsapolicy/domains/program/init.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.2/domains/program/init.te	2005-10-21 12:55:51.000000000 -0400
@@ -14,7 +14,7 @@
 # by init during initialization.  This pipe is used
 # to communicate with init.
 #
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
 role system_r types init_t;
 uses_shlib(init_t);
 type init_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.27.2/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.2/domains/program/logrotate.te	2005-10-21 12:55:51.000000000 -0400
@@ -13,7 +13,7 @@
 # logrotate_t is the domain for the logrotate program.
 # logrotate_exec_t is the type of the corresponding program.
 #
-type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
+type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade;
 role system_r types logrotate_t;
 role sysadm_r types logrotate_t;
 uses_shlib(logrotate_t)
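Review bot: The type line now gives logrotate_t three MLS overrides (mlsfileread, mlsfilewrite, mlsfileupgrade) with no comment explaining which operations need them. Per the attribute comments in attrib.te, mlsfileread and mlsfilewrite let the domain read and write files at levels other than its own, and mlsfileupgrade presumably allows raising a file's level, which is broader than rotating logs at a single level requires. A comment such as `# logs exist at many levels; logrotate must read/rename them and relabel rotated copies upward` would let a later reader judge whether both mlsfilewrite and mlsfileupgrade are still needed.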
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.2/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te	2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/modutil.te	2005-10-21 13:31:27.000000000 -0400
@@ -82,7 +82,6 @@
 bool secure_mode_insmod false;
 
 can_ypbind(insmod_t)
-if (!secure_mode_insmod) {
 
 ifdef(`unlimitedUtils', `
 unconfined_domain(insmod_t) 
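Review bot: This hunk drops the `if (!secure_mode_insmod) {` that gated the block starting with `unconfined_domain(insmod_t)`, but leaves `bool secure_mode_insmod false;` declared two lines above, so within the visible lines the boolean no longer controls anything. The matching `}` and any new use of the boolean are in the suppressed part of the patch; please confirm it still gates the privileged rules (the changelog says it decides whether loading policy, setting enforcing mode and changing booleans are permitted), otherwise an administrator who sets it to true gets no restriction at all. A comment beside the bool stating exactly what it restricts would prevent that misreading.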
@@ -133,7 +132,7 @@
 allow insmod_t self:unix_dgram_socket create_socket_perms;
 allow insmod_t self:unix_stream_socket create_stream_socket_perms;
 allow insmod_t self:rawip_socket create_socket_perms;
-allow insmod_t self:capability { dac_override kill net_raw sys_module sys_tty_config };
+allow insmod_t self:capability { dac_override kill net_raw sys_tty_config };
 allow insmod_t domain:process signal;
 allow insmod_t self:process { fork signal_perms };
 allow insmod_t device_t:dir search;
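Review bot: `sys_module` is removed from insmod_t's self:capability set on the changed line and nothing in this hunk grants it back, so as far as these lines show insmod_t could no longer load kernel modules. Presumably it is re-granted under the secure_mode_insmod conditional in the suppressed part of the patch; if so, a comment at this line such as `# sys_module is granted below only when !secure_mode_insmod` would save the next reader the search and document the intended security boundary.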
@@ -166,7 +165,11 @@
 allow insmod_t device_t:dir read;
 allow insmod_t devpts_t:dir { getattr search };
[...2014 lines suppressed...]
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.2/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.2/tunables/distro.tun	2005-10-21 12:55:51.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.2/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.2/tunables/tunable.tun	2005-10-21 12:55:51.000000000 -0400
@@ -1,5 +1,5 @@
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -17,7 +17,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
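Review bot: Enabling `unlimitedRPM` and `hide_broken_symptoms` in tunables/tunable.tun changes the upstream defaults for every build of this tree, not only the Red Hat one, and per its own comment the first makes the rpm domain unconfined. Since distro.tun in the same patch now defines `distro_redhat`, these could be wrapped in `ifdef(`distro_redhat', ...)`, or the comment should state that unconfined rpm is the intended default everywhere. `hide_broken_symptoms` also suppresses audit records per its comment, so that comment should at least say where the list of suppressed denials is maintained.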
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.27.2/types/devpts.te
--- nsapolicy/types/devpts.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.2/types/devpts.te	2005-10-21 12:55:51.000000000 -0400
@@ -18,4 +18,6 @@
 #
 type devpts_t, mount_point, fs_type;
 
-
+ifdef(`targeted_policy', `
+typeattribute devpts_t ttyfile;
+')
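Review bot: Adding `ttyfile` to devpts_t under targeted_policy means every rule written against the ttyfile attribute now also applies to pseudo-terminals, so domains that were granted tty access get pty access as well. That widening is likely intended for the targeted policy but nothing here explains it; a comment such as `# targeted: treat ptys like ttys so user/unconfined domains need no per-domain pty rules` would document it. The allow/dontaudit rules on ttyfile are outside this hunk.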
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.2/types/file.te
--- nsapolicy/types/file.te	2005-10-21 11:36:16.000000000 -0400
+++ policy-1.27.2/types/file.te	2005-10-21 12:55:51.000000000 -0400
@@ -84,6 +84,9 @@
 #
 type etc_t, file_type, sysadmfile;
 
+# etc_mail_t is the type of /etc/mail.
+type etc_mail_t, file_type, sysadmfile, usercanread;
+
 #
 # shadow_t is the type of the /etc/shadow file
 #
@@ -273,9 +276,6 @@
 #
 allow { file_type device_type ttyfile } fs_t:filesystem associate;
 
-# Allow the pty to be associated with the file system.
-allow devpts_t self:filesystem associate;
-
 type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
 allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
 allow { logfile tmpfile home_type } tmp_t:filesystem associate;
@@ -284,29 +284,13 @@
 ')
 
 type autofs_t, fs_type, noexattrfile, sysadmfile;
-allow autofs_t self:filesystem associate;
-
 type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
-allow usbdevfs_t self:filesystem associate;
-
 type sysfs_t, mount_point, fs_type,  sysadmfile;
-allow sysfs_t self:filesystem associate;
-
 type iso9660_t, fs_type, noexattrfile, sysadmfile;
-allow iso9660_t self:filesystem associate;
-
 type romfs_t, fs_type, sysadmfile;
-allow romfs_t self:filesystem associate;
-
 type ramfs_t, fs_type, sysadmfile;
-allow ramfs_t self:filesystem associate;
-
 type dosfs_t, fs_type, noexattrfile, sysadmfile;
-allow dosfs_t self:filesystem associate;
-
 type hugetlbfs_t, mount_point, fs_type,  sysadmfile;
-allow hugetlbfs_t self:filesystem associate;
-
 typealias file_t alias  mqueue_t;
 
 # udev_runtime_t is the type of the udev table file
@@ -316,29 +300,26 @@
 type krb5_conf_t, file_type, sysadmfile;
 
 type cifs_t, fs_type, noexattrfile, sysadmfile;
-allow cifs_t self:filesystem associate;
-
 type debugfs_t, fs_type, sysadmfile;
-allow debugfs_t self:filesystem associate;
-
+type configfs_t, fs_type, sysadmfile;
 type inotifyfs_t, fs_type, sysadmfile;
-allow inotifyfs_t self:filesystem associate;
-
 type capifs_t, fs_type, sysadmfile;
-allow capifs_t self:filesystem associate;
 
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
-allow removable_t self:filesystem associate;
 allow file_type removable_t:filesystem associate;
 allow file_type noexattrfile:filesystem associate;
 
 # Type for anonymous FTP data, used by ftp and rsync
-type ftpd_anon_t, file_type, sysadmfile, customizable;
-type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
-
-allow customizable self:filesystem associate;
+type public_content_t, file_type, sysadmfile, customizable;
+type public_content_rw_t, file_type, sysadmfile, customizable;
+typealias public_content_t alias ftpd_anon_t;
+typealias public_content_rw_t alias ftpd_anon_rw_t;
 
 # type for /tmp/.ICE-unix
 type ice_tmp_t, file_type, sysadmfile, tmpfile;
 
+# type for /usr/share/hwdata
+type hwdata_t, file_type, sysadmfile;
+allow { fs_type file_type } self:filesystem associate;
+
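Review bot: The new blanket rule `allow { fs_type file_type } self:filesystem associate;` on the last line is placed directly under the `hwdata_t` declaration and its comment, so it reads as if it belonged to hwdata_t, yet it is the sole replacement for the dozen per-type `associate` rules this patch removes. It should move up beside the existing `allow { file_type device_type ttyfile } fs_t:filesystem associate;` with a comment such as `# any filesystem or file type may associate with a filesystem of its own type (replaces the per-type rules)`. Note that `customizable` also lost its explicit self-associate; public_content_t and public_content_rw_t carry file_type so they remain covered.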
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.2/types/network.te
--- nsapolicy/types/network.te	2005-10-21 11:36:16.000000000 -0400
+++ policy-1.27.2/types/network.te	2005-10-21 12:55:51.000000000 -0400
@@ -18,7 +18,7 @@
 type dhcpd_port_t, port_type, reserved_port_type;
 type smbd_port_t, port_type, reserved_port_type;
 type nmbd_port_t, port_type, reserved_port_type;
-type http_cache_port_t, port_type, reserved_port_type;
+type http_cache_port_t, port_type;
 type http_port_t, port_type, reserved_port_type;
 type ipp_port_t, port_type, reserved_port_type;
 type gopher_port_t, port_type, reserved_port_type;
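Review bot: Dropping `reserved_port_type` from http_cache_port_t here (and from ptal, clamd, pyzor and dbskkd in the later hunks) changes which domains may name_bind to those ports, since rules granting `reserved_port_type:tcp_socket name_bind` will no longer match them. That is correct only if none of these types is assigned a port below 1024 in net_contexts, which is outside this patch; please confirm. A short comment at the top of the type list saying that reserved_port_type tracks the <1024 range would help keep future additions consistent.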
@@ -104,7 +104,7 @@
 type printer_port_t, port_type, reserved_port_type;
 type mysqld_port_t, port_type;
 type postgresql_port_t, port_type;
-type ptal_port_t, port_type, reserved_port_type;
+type ptal_port_t, port_type;
 type howl_port_t, port_type;
 type dict_port_t, port_type;
 type syslogd_port_t, port_type, reserved_port_type;
@@ -122,10 +122,10 @@
 type pegasus_http_port_t, port_type;
 type pegasus_https_port_t, port_type;
 type openvpn_port_t, port_type;
-type clamd_port_t, port_type, reserved_port_type;
+type clamd_port_t, port_type;
 type transproxy_port_t, port_type;
 type clockspeed_port_t, port_type;
-type pyzor_port_t, port_type, reserved_port_type;
+type pyzor_port_t, port_type;
 type postgrey_port_t, port_type;
 type asterisk_port_t, port_type;
 type utcpserver_port_t, port_type;
@@ -158,7 +158,7 @@
 type telnetd_port_t, port_type, reserved_port_type;
 type comsat_port_t, port_type, reserved_port_type;
 type cvs_port_t, port_type;
-type dbskkd_port_t, port_type, reserved_port_type;
+type dbskkd_port_t, port_type;
 type inetd_child_port_t, port_type, reserved_port_type;
 type ktalkd_port_t, port_type, reserved_port_type;
 type rsync_port_t, port_type, reserved_port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.27.2/types/nfs.te
--- nsapolicy/types/nfs.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.2/types/nfs.te	2005-10-21 12:55:51.000000000 -0400
@@ -18,5 +18,4 @@
 #
 # Allow NFS files to be associated with an NFS file system.
 #
-allow nfs_t self:filesystem associate;
 allow file_type nfs_t:filesystem associate;
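Review bot: Removing `allow nfs_t self:filesystem associate;` leaves NFS self-association depending on the new generic `{ fs_type file_type } self:filesystem associate` rule in types/file.te. The nfs_t declaration is above this hunk and not visible here; if nfs_t carries neither fs_type nor file_type, files on NFS lose associate permission. Worth confirming, and the surviving `allow file_type nfs_t:filesystem associate;` could gain a comment noting that nfs_t's own associate now comes from file.te.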
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.2/types/security.te
--- nsapolicy/types/security.te	2005-10-21 11:36:16.000000000 -0400
+++ policy-1.27.2/types/security.te	2005-10-21 12:55:51.000000000 -0400
@@ -13,6 +13,8 @@
 # applied to selinuxfs inodes.
 #
 type security_t, mount_point, fs_type, mlstrustedobject;
+dontaudit domain security_t:dir search;
+dontaudit domain security_t:file { getattr read };
 
 #
 # policy_config_t is the type of /etc/security/selinux/*
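Review bot: The two new `dontaudit domain security_t:...` rules silence denials for every domain that searches selinuxfs or reads its files, so attempts by confined processes to read entries such as enforce or booleans will no longer appear in the audit log. Since security_t is the selinuxfs type and is marked mlstrustedobject, it would be safer to scope the dontaudit to the domains actually known to trip it, or at least comment why a blanket suppression is acceptable. These rules also sit next to the type declaration in a types/ file whose visible content is otherwise declarations only, so a comment noting that exception would match the existing layout.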



