rpms/selinux-policy-strict/devel policy-20051021.patch, 1.1, 1.2 selinux-policy-strict.spec, 1.400, 1.401
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Oct 24 18:20:04 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv17290
Modified Files:
policy-20051021.patch selinux-policy-strict.spec
Log Message:
* Mon Oct 24 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-2
- Allow spamd to read homedirs
policy-20051021.patch:
Makefile | 8 -
attrib.te | 18 +-
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/fsadm.te | 2
domains/program/ifconfig.te | 2
domains/program/init.te | 2
domains/program/initrc.te | 13 +
domains/program/logrotate.te | 2
domains/program/modutil.te | 8 -
domains/program/newrole.te | 4
domains/program/restorecon.te | 1
domains/program/setfiles.te | 2
domains/program/ssh.te | 2
domains/program/su.te | 4
domains/program/syslogd.te | 4
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 10 +
domains/program/unused/amanda.te | 21 +-
domains/program/unused/apache.te | 15 +-
domains/program/unused/apmd.te | 13 +
domains/program/unused/auditd.te | 6
domains/program/unused/bluetooth.te | 57 +++++++
domains/program/unused/cups.te | 11 -
domains/program/unused/dbusd.te | 2
domains/program/unused/dhcpc.te | 3
domains/program/unused/dhcpd.te | 3
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 5
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 3
domains/program/unused/mysqld.te | 6
domains/program/unused/named.te | 17 ++
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 16 +-
domains/program/unused/ping.te | 2
domains/program/unused/postfix.te | 50 ++++--
domains/program/unused/pppd.te | 17 +-
domains/program/unused/rpcd.te | 16 ++
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 3
domains/program/unused/sendmail.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/spamd.te | 18 --
domains/program/unused/udev.te | 8 -
domains/program/unused/webalizer.te | 3
domains/program/unused/xdm.te | 2
domains/program/unused/yppasswdd.te | 40 +++++
file_contexts/distros.fc | 1
file_contexts/program/apache.fc | 2
file_contexts/program/backup.fc | 2
file_contexts/program/bluetooth.fc | 2
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 5
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 3
file_contexts/program/kudzu.fc | 2
file_contexts/program/pegasus.fc | 6
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/squid.fc | 3
file_contexts/program/yppasswdd.fc | 2
file_contexts/types.fc | 4
genfs_contexts | 1
macros/base_user_macros.te | 6
macros/global_macros.te | 23 ---
macros/home_macros.te | 9 +
macros/program/chkpwd_macros.te | 2
macros/program/dbusd_macros.te | 1
macros/program/su_macros.te | 2
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 19 +-
man/man8/httpd_selinux.8 | 9 +
man/man8/rsync_selinux.8 | 12 +
man/man8/samba_selinux.8 | 9 +
mcs | 194 ++++++++------------------
mls | 227 +++++++++++--------------------
targeted/assert.te | 2
targeted/domains/program/sendmail.te | 1
targeted/domains/program/ssh.te | 2
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 7
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/devpts.te | 4
types/file.te | 43 +----
types/network.te | 10 -
types/nfs.te | 1
types/security.te | 2
93 files changed, 605 insertions(+), 490 deletions(-)
Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20051021.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20051021.patch 21 Oct 2005 18:23:51 -0000 1.1
+++ policy-20051021.patch 24 Oct 2005 18:19:59 -0000 1.2
@@ -824,7 +824,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.2/domains/program/unused/pegasus.te
--- nsapolicy/domains/program/unused/pegasus.te 2005-10-20 15:53:02.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pegasus.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pegasus.te 2005-10-24 14:13:31.000000000 -0400
@@ -7,17 +7,20 @@
#
# Rules for the pegasus domain
@@ -833,8 +833,9 @@
+daemon_domain(pegasus, `, nscd_client_domain, auth')
type pegasus_data_t, file_type, sysadmfile;
type pegasus_conf_t, file_type, sysadmfile;
++typealias sbin_t alias pegasus_conf_exec_t;
type pegasus_mof_t, file_type, sysadmfile;
- type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
+-type pegasus_conf_exec_t, file_type, exec_type, sysadmfile;
-allow pegasus_t self:capability { dac_override net_bind_service };
+allow pegasus_t self:capability { dac_override net_bind_service audit_write };
can_network_tcp(pegasus_t);
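Review bot: `typealias sbin_t alias pegasus_conf_exec_t;` makes any rule that still names pegasus_conf_exec_t apply to all of sbin_t, i.e. to every binary under /sbin and /usr/sbin. This hunk drops the type declaration and the next hunk drops the one `rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)` rule, but a surviving reference elsewhere in the tree (a domain transition or a targeted/ override outside this diff) would silently widen to sbin_t, so a grep for pegasus_conf_exec_t should come back empty before the alias is kept. A comment on the alias would also help the next reader, e.g. `# separate exec type for cimconfig/cimuser/cimauth dropped; alias kept for compatibility only`. The pegasus.te declarations start before this hunk.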
@@ -848,10 +849,15 @@
allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket { name_bind name_connect };
allow pegasus_t proc_t:file { getattr read };
allow pegasus_t sysctl_vm_t:dir search;
-@@ -29,3 +32,6 @@
- rw_dir_create_file(pegasus_t, pegasus_conf_t)
+@@ -26,6 +29,9 @@
+ r_dir_file(pegasus_t, etc_t)
+ r_dir_file(pegasus_t, var_lib_t)
+ r_dir_file(pegasus_t, pegasus_mof_t)
+-rw_dir_create_file(pegasus_t, pegasus_conf_t)
++r_dir_file(pegasus_t, pegasus_conf_t)
++file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
rw_dir_create_file(pegasus_t, pegasus_data_t)
- rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
+-rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
+allow pegasus_t shadow_t:file { getattr read };
+dontaudit pegasus_t selinux_config_t:dir search;
+
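Review bot: `file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)` together with the existing `rw_dir_create_file(pegasus_t, pegasus_data_t)` lets the daemon create new, writable files inside /etc/Pegasus even though its access to the existing pegasus_conf_t files is now read-only. That looks deliberate — the file_contexts hunk labels /etc/Pegasus/pegasus_current.conf as pegasus_data_t, so presumably cimserver rewrites that file itself — but the transition is not limited to that name, so the daemon can drop any pegasus_data_t file next to its configuration. A comment stating the intent would keep a later reader from "fixing" it, e.g. `# cimserver rewrites pegasus_current.conf; files it creates under /etc/Pegasus become pegasus_data_t so the static config stays read-only`. The remainder of pegasus.te is outside this hunk.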
@@ -1172,6 +1178,31 @@
+allow snmpd_t domain:process signull;
dontaudit snmpd_t selinux_config_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/spamd.te policy-1.27.2/domains/program/unused/spamd.te
+--- nsapolicy/domains/program/unused/spamd.te 2005-09-12 16:40:29.000000000 -0400
++++ policy-1.27.2/domains/program/unused/spamd.te 2005-10-24 09:50:10.000000000 -0400
+@@ -52,20 +52,4 @@
+ allow spamd_t urandom_device_t:chr_file { getattr read };
+
+ system_crond_entry(spamd_exec_t, spamd_t)
+-
+-allow spamd_t autofs_t:dir { search getattr };
+-
+-if (use_nfs_home_dirs) {
+-allow spamd_t nfs_t:dir rw_dir_perms;
+-allow spamd_t nfs_t:file create_file_perms;
+-}
+-
+-if (use_samba_home_dirs) {
+-allow spamd_t cifs_t:dir rw_dir_perms;
+-allow spamd_t cifs_t:file create_file_perms;
+-}
+-
+-allow spamd_t home_root_t:dir getattr;
+-allow spamd_t user_home_dir_type:dir { search getattr };
+-
+-
++ifdef(`targeted_policy', `home_domain_ro_access(spamd_t, user)')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.2/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/unused/udev.te 2005-10-21 12:55:51.000000000 -0400
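Review bot: The removed `allow spamd_t autofs_t:dir { search getattr };` is not visibly restored by `home_domain_ro_access(spamd_t, user)`, so on hosts whose home directories are automounted spamd may be denied at the autofs mount point before it ever reaches the home directory; unless read_network_home() (not shown here) covers autofs_t, that line should stay. The replacement is otherwise a tightening — the old nfs_t/cifs_t rules granted rw_dir_perms and create_file_perms, while the macro grants read-only access — which is worth saying in the changelog, since "Allow spamd to read homedirs" reads as a pure widening. Note that this targeted_policy ifdef and the per-user `ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)')` added to user_macros.te in a later hunk could both expand if the targeted build also instantiates user roles; duplicate allow rules are harmless, but a comment at one site naming the other would avoid a later half-removal. spamd.te ends at this hunk's last line as far as the diff shows.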
@@ -1380,6 +1411,23 @@
+(/usr)?/sbin/kudzu -- system_u:object_r:kudzu_exec_t
/sbin/kmodule -- system_u:object_r:kudzu_exec_t
/var/run/Xconfig -- root:object_r:kudzu_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/pegasus.fc policy-1.27.2/file_contexts/program/pegasus.fc
+--- nsapolicy/file_contexts/program/pegasus.fc 2005-10-20 15:53:02.000000000 -0400
++++ policy-1.27.2/file_contexts/program/pegasus.fc 2005-10-24 11:27:17.000000000 -0400
+@@ -1,11 +1,9 @@
+ # File Contexts for The Open Group Pegasus (tog-pegasus) cimserver
+ /usr/sbin/cimserver -- system_u:object_r:pegasus_exec_t
+-/usr/sbin/cimconfig -- system_u:object_r:pegasus_conf_exec_t
+-/usr/sbin/cimuser -- system_u:object_r:pegasus_conf_exec_t
+-/usr/sbin/cimauth -- system_u:object_r:pegasus_conf_exec_t
+ /usr/sbin/init_repository -- system_u:object_r:pegasus_exec_t
+-/usr/lib(64)?/Pegasus/providers/.*\.so.* system_u:object_r:shlib_t
+ /etc/Pegasus(/.*)? system_u:object_r:pegasus_conf_t
+ /var/lib/Pegasus(/.*)? system_u:object_r:pegasus_data_t
+ /var/run/tog-pegasus(/.*)? system_u:object_r:pegasus_var_run_t
+ /usr/share/Pegasus/mof(/.*)?/.*\.mof system_u:object_r:pegasus_mof_t
++/etc/Pegasus/pegasus_current.conf system_u:object_r:pegasus_data_t
++
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rshd.fc policy-1.27.2/file_contexts/program/rshd.fc
--- nsapolicy/file_contexts/program/rshd.fc 2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.2/file_contexts/program/rshd.fc 2005-10-21 12:55:51.000000000 -0400
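Review bot: The new `/etc/Pegasus/pegasus_current.conf system_u:object_r:pegasus_data_t` entry has no file-type field, unlike every other regular-file entry in this file; write it as `/etc/Pegasus/pegasus_current.conf -- system_u:object_r:pegasus_data_t` so a directory of that name is not relabelled as data. Removing the `/usr/lib(64)?/Pegasus/providers/.*\.so.*` line leaves the provider modules to whatever the generic library patterns in types.fc assign; that is fine if they still match as shlib_t, but it should be confirmed with matchpathcon on an installed tree, because a provider that fell back to lib_t would likely lose the execute mapping pegasus_t needs. The trailing added blank line is noise.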
@@ -1450,7 +1498,7 @@
genfscon eventpollfs / system_u:object_r:eventpollfs_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.27.2/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-09-16 11:17:11.000000000 -0400
-+++ policy-1.27.2/macros/base_user_macros.te 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/macros/base_user_macros.te 2005-10-24 11:12:53.000000000 -0400
@@ -40,6 +40,12 @@
allow $1_t $1_home_t:{ notdevfile_class_set dir } { relabelfrom relabelto };
can_setfscreate($1_t)
@@ -1526,6 +1574,34 @@
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.2/macros/home_macros.te
+--- nsapolicy/macros/home_macros.te 2005-09-12 16:40:26.000000000 -0400
++++ policy-1.27.2/macros/home_macros.te 2005-10-24 11:12:50.000000000 -0400
+@@ -68,7 +68,11 @@
+ define(`home_domain_ro_access', `
+ allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
+ read_network_home($1)
++ifelse($3, `
+ r_dir_file($1, $2_$3_ro_home_t)
++', `
++r_dir_file($1, $2_home_t)
++')
+ ') dnl home_domain_ro_access
+
+ #################################################
+@@ -82,7 +86,12 @@
+ define(`home_domain_access', `
+ allow $1 { home_root_t $2_home_dir_t }:dir { search getattr };
+ write_network_home($1)
++ifelse($3, `
+ create_dir_file($1, $2_$3_home_t)
++', `
++file_type_auto_trans($1, $2_home_dir_t, $2_home_t)
++create_dir_file($1, $2_home_t)
++')
+ ') dnl home_domain_access
+
+ ####################################################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.27.2/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-10-21 11:36:16.000000000 -0400
+++ policy-1.27.2/macros/program/chkpwd_macros.te 2005-10-21 12:56:34.000000000 -0400
@@ -1538,6 +1614,17 @@
can_getcon($1_chkpwd_t)
authentication_domain($1_chkpwd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.27.2/macros/program/dbusd_macros.te
+--- nsapolicy/macros/program/dbusd_macros.te 2005-10-21 11:36:16.000000000 -0400
++++ policy-1.27.2/macros/program/dbusd_macros.te 2005-10-23 17:25:28.000000000 -0400
+@@ -41,6 +41,7 @@
+ can_getsecurity($1_dbusd_t)
+ r_dir_file($1_dbusd_t, default_context_t)
+ allow $1_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
+
+ ifdef(`pamconsole.te', `
+ r_dir_file($1_dbusd_t, pam_var_console_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.27.2/macros/program/su_macros.te
--- nsapolicy/macros/program/su_macros.te 2005-10-21 11:36:16.000000000 -0400
+++ policy-1.27.2/macros/program/su_macros.te 2005-10-21 12:55:51.000000000 -0400
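Review bot: The new `allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;` in dbusd_macros.te has no why-comment saying what each user's dbus instance needs the SELinux netlink socket for; presumably it is libselinux's AVC listening for policy-load and enforcing-mode notifications, but that is an inference from the class name. A line such as `# libselinux AVC netlink listener (policy reload / setenforce notifications) -- confirm` above the rule would keep the next reader from widening it. Compared with the netlink_audit_socket rule directly above, which carries nlmsg_relay, create_socket_perms here is the narrower set and looks appropriate. The macro body continues outside this hunk.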
@@ -1550,9 +1637,29 @@
dontaudit $1_su_t self:capability sys_tty_config;
#
# Caused by su - init scripts
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.2/macros/user_macros.te
+--- nsapolicy/macros/user_macros.te 2005-10-21 11:36:16.000000000 -0400
++++ policy-1.27.2/macros/user_macros.te 2005-10-24 09:51:46.000000000 -0400
+@@ -122,6 +122,7 @@
+ ifelse($1, sysadm, `',`
+ ifdef(`apache.te', `apache_user_domain($1)')
+ ifdef(`i18n_input.te', `i18n_input_domain($1)')
++ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)')
+ ')
+ ifdef(`slocate.te', `locate_domain($1)')
+ ifdef(`lockdev.te', `lockdev_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.2/Makefile
--- nsapolicy/Makefile 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/Makefile 2005-10-21 12:55:51.000000000 -0400
++++ policy-1.27.2/Makefile 2005-10-24 14:18:52.000000000 -0400
+@@ -27,7 +27,7 @@
+ GENHOMEDIRCON = $(SBINDIR)/genhomedircon
+ SETFILES = $(SBINDIR)/setfiles
+ VERS := $(shell $(CHECKPOLICY) $(POLICYCOMPAT) -V |cut -f 1 -d ' ')
+-PREVERS := 19
++PREVERS := 20
+ KERNVERS := $(shell cat /selinux/policyvers)
+ MLSENABLED := $(shell cat /selinux/mls)
+ POLICYVER := policy.$(VERS)
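Review bot: `ifdef(`spamd.te', `home_domain_ro_access(spamd_t, $1)')` in user_macros.te grants spamd_t read access to every non-sysadm user's whole `$1_home_t`, not only the spamassassin files it needs; the macro's three-argument form exists precisely to narrow this to a `$1_<sub>_ro_home_t` subtype, so if the policy has or can add such a subtype for spamassassin it should be used here, and otherwise a comment should record why whole-home read is accepted. Placing the call inside `ifelse($1, sysadm, `', ...)` correctly keeps sysadm homes out. Separately, the Makefile hunk sets `PREVERS := 20` while the spec in this commit moves POLICYVER to 20 and stops shipping a previous-version policy; if the Makefile still builds policy.$(PREVERS), it now builds the current version twice, which is harmless but misleading, and the variable could probably be retired with a comment. Both macro bodies extend beyond this hunk.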
@@ -340,10 +340,10 @@
done
@for file in $(USER_FILES); do \
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.400
retrieving revision 1.401
diff -u -r1.400 -r1.401
--- selinux-policy-strict.spec 21 Oct 2005 18:20:55 -0000 1.400
+++ selinux-policy-strict.spec 24 Oct 2005 18:19:59 -0000 1.401
@@ -3,14 +3,13 @@
%define FILE_CONTEXT %{POLICYDIR}/contexts/files/file_contexts
%define PRE_FILE_CONTEXT %{FILE_CONTEXT}.pre
%define POLICYVER 20
-%define PREVPOLICYVER 19
-%define POLICYCOREUTILSVER 1.27.14-1
-%define CHECKPOLICYVER 1.27.11-1
+%define POLICYCOREUTILSVER 1.27.18-1
+%define CHECKPOLICYVER 1.27.16-1
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.2
-Release: 1
+Release: 2
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -97,7 +96,6 @@
%config(noreplace) %{_sysconfdir}/selinux/%{type}/seusers
%ghost %config(noreplace) %{_sysconfdir}/selinux/%{type}/booleans.local
%{_sysconfdir}/selinux/%{type}/policy/policy.%{POLICYVER}
-%{_sysconfdir}/selinux/%{type}/policy/policy.%{PREVPOLICYVER}
%{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts
%{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts.homedirs
%config %{_sysconfdir}/selinux/%{type}/contexts/files/homedir_template
@@ -163,7 +161,7 @@
. /etc/selinux/config
MLS=`cat /selinux/mls`
if [ "${SELINUXTYPE}" = "%{type}" -a ! -s %{POLICYDIR}/src/policy/Makefile -a ${MLS} -eq 1 ]; then
- [ -x /usr/sbin/load_policy ] && /usr/sbin/load_policy %{POLICYDIR}/policy/policy.`cat /selinux/policyvers`
+ [ -x /usr/sbin/load_policy ] && /usr/sbin/load_policy
[ -f %{PRE_FILE_CONTEXT} ] && fixfiles -l /dev/null -C %{PRE_FILE_CONTEXT} restore && rm -f %{PRE_FILE_CONTEXT}
fi
[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon --type %{type}
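Review bot: `` MLS=`cat /selinux/mls` `` a few lines above the changed call runs unguarded, so in a build root or on a kernel without selinuxfs mounted it prints an error and leaves MLS empty, after which `${MLS} -eq 1` makes the whole `[ ... ]` test fail with a second error instead of skipping cleanly; `` MLS=`cat /selinux/mls 2>/dev/null` `` and `"${MLS}" = "1"` give the same outcome without the noise. Dropping the explicit policy path from load_policy is fine only because the guard already requires `${SELINUXTYPE} = %{type}`, so the policy selected through /etc/selinux/config is the one just installed; presumably that is also why POLICYCOREUTILSVER was raised in the first hunk, and a short comment above the call saying so would help. The `&&` chain still ignores a failed load_policy silently, which is pre-existing.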
@@ -244,6 +242,9 @@
exit 0
%changelog
+* Mon Oct 24 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-2
+- Allow spamd to read homedirs
+
* Fri Oct 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-1
- Update to latest from NSA
* Merged patch from Chad Hanson. Modified MLS constraints.