rpms/selinux-policy-targeted/devel setrans.conf, NONE, 1.1 policy-20051021.patch, 1.3, 1.4 seusers, 1.1, 1.2
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Oct 26 21:07:38 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv24539
Modified Files:
policy-20051021.patch seusers
Added Files:
setrans.conf
Log Message:
* Tue Oct 25 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-3
- Add setrans.conf
--- NEW FILE setrans.conf ---
#
# Multi-Category Security translation table for SELinux
#
# Uncomment the following to disable translation library
# disable=1
#
# Objects can be categorized with 0-256 categories defined by the admin.
# Objects can be in more than one category at a time.
# Categories are stored in the system as c0-c255. Users can use this
# table to translate the categories into a more meaningful output.
# Examples:
# s0:c0=CompanyConfidential
# s0:c1=PatientRecord
# s0:c2=Unclassified
# s0:c3=TopSecret
# s0:c1,c3=CompanyConfidentialRedHat
#
# Entries below are "raw=translated": the right-hand side is what is shown
# in place of the raw sensitivity/category context on the left.
#
# Sensitivity s0 with no categories translates to an empty string.
s0=
# The range from s0 (no categories) up to s0 with every category c0 through c255.
s0-s0:c0.c255=SystemLow-SystemHigh
# The single level s0 carrying every category c0 through c255.
s0:c0.c255=SystemHigh
policy-20051021.patch:
Makefile | 8
attrib.te | 18 +
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/fsadm.te | 2
domains/program/ifconfig.te | 2
domains/program/init.te | 2
domains/program/initrc.te | 13 +
domains/program/logrotate.te | 2
domains/program/modutil.te | 8
domains/program/newrole.te | 4
domains/program/restorecon.te | 1
domains/program/setfiles.te | 2
domains/program/ssh.te | 2
domains/program/su.te | 4
domains/program/syslogd.te | 4
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 10 +
domains/program/unused/amanda.te | 21 +-
domains/program/unused/apache.te | 15 +
domains/program/unused/apmd.te | 13 +
domains/program/unused/auditd.te | 6
domains/program/unused/bluetooth.te | 57 +++++
domains/program/unused/cups.te | 11 -
domains/program/unused/dbusd.te | 2
domains/program/unused/dhcpc.te | 3
domains/program/unused/dhcpd.te | 3
domains/program/unused/exim.te | 309 +++++++++++++++++++++++++++++++
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 5
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 3
domains/program/unused/mysqld.te | 6
domains/program/unused/named.te | 17 +
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 16 +
domains/program/unused/ping.te | 2
domains/program/unused/postfix.te | 50 +++--
domains/program/unused/postgresql.te | 11 -
domains/program/unused/pppd.te | 22 +-
domains/program/unused/rpcd.te | 16 +
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 3
domains/program/unused/sendmail.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/spamd.te | 18 -
domains/program/unused/udev.te | 8
domains/program/unused/webalizer.te | 3
domains/program/unused/xdm.te | 2
domains/program/unused/yppasswdd.te | 40 ++++
file_contexts/distros.fc | 1
file_contexts/program/apache.fc | 2
file_contexts/program/backup.fc | 2
file_contexts/program/bluetooth.fc | 2
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 5
file_contexts/program/exim.fc | 18 +
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 3
file_contexts/program/kudzu.fc | 2
file_contexts/program/pegasus.fc | 6
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/squid.fc | 3
file_contexts/program/yppasswdd.fc | 2
file_contexts/types.fc | 4
genfs_contexts | 1
macros/base_user_macros.te | 7
macros/global_macros.te | 25 --
macros/home_macros.te | 9
macros/program/chkpwd_macros.te | 7
macros/program/dbusd_macros.te | 1
macros/program/exim_macros.te | 75 +++++++
macros/program/su_macros.te | 2
macros/program/ypbind_macros.te | 1
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 19 +
man/man8/httpd_selinux.8 | 9
man/man8/rsync_selinux.8 | 12 -
man/man8/samba_selinux.8 | 9
mcs | 194 ++++++-------------
mls | 227 ++++++++--------------
targeted/assert.te | 2
targeted/domains/program/sendmail.te | 1
targeted/domains/program/ssh.te | 2
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 7
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/devpts.te | 4
types/file.te | 43 +---
types/network.te | 10 -
types/nfs.te | 1
types/security.te | 2
98 files changed, 1022 insertions(+), 500 deletions(-)
Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20051021.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20051021.patch 25 Oct 2005 22:20:38 -0000 1.3
+++ policy-20051021.patch 26 Oct 2005 21:07:24 -0000 1.4
@@ -616,7 +616,7 @@
allow dhcpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/exim.te policy-1.27.2/domains/program/unused/exim.te
--- nsapolicy/domains/program/unused/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.27.2/domains/program/unused/exim.te 2005-10-25 08:42:31.000000000 -0400
++++ policy-1.27.2/domains/program/unused/exim.te 2005-10-26 17:05:10.000000000 -0400
@@ -0,0 +1,309 @@
+#DESC Exim - Mail server
+#
@@ -861,8 +861,8 @@
+allow exiwhat_t exim_t:process signal;
+allow exiwhat_t self:capability { dac_override kill sys_nice };
+
-+dontaudit exiwhat_t *:dir search;
-+dontaudit exiwhat_t *:file { getattr read };
++dontaudit exiwhat_t file_type:dir search;
++dontaudit exiwhat_t file_type:file { getattr read };
+
+# rm
+allow exiwhat_t devpts_t:chr_file ioctl;
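Review bot: Replacing `*` with `file_type` still silences denied `getattr`/`read` on every file type, shadow_t included, so an exiwhat_t process touching a sensitive file leaves no audit record. If exiwhat only needs to walk process and spool data, narrow the second rule to those types, or at least keep shadow_t visible: `dontaudit exiwhat_t { file_type -shadow_t }:file { getattr read };`. The old `*` form also matched non-file types, so the change is an improvement as far as it goes. The exiwhat_t domain definition continues outside this hunk.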
@@ -1343,20 +1343,37 @@
-allow postfix_local_t mail_spool_t:file { unlink };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postgresql.te policy-1.27.2/domains/program/unused/postgresql.te
--- nsapolicy/domains/program/unused/postgresql.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/postgresql.te 2005-10-25 13:40:36.000000000 -0400
-@@ -136,3 +136,9 @@
++++ policy-1.27.2/domains/program/unused/postgresql.te 2005-10-26 17:02:37.000000000 -0400
+@@ -51,7 +51,6 @@
+
+ # Use the network.
+ can_network(postgresql_t)
+-can_ypbind(postgresql_t)
+ allow postgresql_t self:fifo_file { getattr read write ioctl };
+ allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+ can_unix_connect(postgresql_t, self)
+@@ -130,9 +129,17 @@
+ ')
+
+ dontaudit postgresql_t home_root_t:dir search;
+-can_kerberos(postgresql_t)
+ allow postgresql_t urandom_device_t:chr_file { getattr read };
+
if (allow_execmem) {
allow postgresql_t self:process execmem;
}
+
++authentication_domain(postgresql_t)
++#
++# postgresql has pam support
++#
+bool allow_postgresql_use_pam false;
+if (allow_postgresql_use_pam) {
+domain_auto_trans(postgresql_t, chkpwd_exec_t, system_chkpwd_t)
-+authentication_domain(postgresql_t)
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.2/domains/program/unused/pppd.te
--- nsapolicy/domains/program/unused/pppd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pppd.te 2005-10-21 13:27:06.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pppd.te 2005-10-26 15:40:43.000000000 -0400
@@ -14,7 +14,7 @@
#
bool pppd_for_user false;
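Review bot: `authentication_domain(postgresql_t)` now sits outside the `allow_postgresql_use_pam` block, so everything that macro grants is given to postgresql_t even when the boolean is off, and only the transition to system_chkpwd_t stays conditional; judging by the global_macros hunk further down (random-device read, `audit_write audit_control` capabilities, a netlink_audit_socket, sbin_t search) that is a non-trivial set, though the macro's define line is not in view here. If the move was forced because the macro expands to statements checkpolicy rejects inside a conditional, say so next to it: `# authentication_domain() cannot be placed inside the bool block; only the chkpwd transition is toggled by allow_postgresql_use_pam`. The hunk also drops `can_ypbind` and `can_kerberos` for postgresql_t without noting where that access comes from now — presumably the reworked macros, but that is not visible in this hunk. The trailing pppd.te change in this hunk is a timestamp only.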
@@ -1384,7 +1401,15 @@
# Access /dev/ppp.
allow pppd_t ppp_device_t:chr_file rw_file_perms;
-@@ -105,14 +105,16 @@
+@@ -75,6 +75,7 @@
+ allow pppd_t tty_device_t:chr_file { setattr rw_file_perms };
+
+ allow pppd_t devpts_t:dir search;
++allow pppd_t devpts_t:chr_file ioctl;
+
+ # for scripts
+ allow pppd_t self:fifo_file rw_file_perms;
+@@ -105,14 +106,16 @@
dontaudit pppd_t initrc_var_run_t:file { lock write };
# pppd needs to load kernel modules for certain modems
@@ -1405,7 +1430,21 @@
can_network_client_tcp(pptp_t)
allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
can_exec(pptp_t, hostname_exec_t)
-@@ -145,3 +147,4 @@
+@@ -121,11 +124,11 @@
+ allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
+ allow pptp_t self:unix_dgram_socket create_socket_perms;
+ can_exec(pptp_t, pppd_etc_rw_t)
++allow pptp_t devpts_t:dir search;
++allow pptp_t pppd_devpts_t:chr_file rw_file_perms;
+ allow pptp_t devpts_t:chr_file ioctl;
+ r_dir_file(pptp_t, pppd_etc_rw_t)
+ r_dir_file(pptp_t, pppd_etc_t)
+-allow pptp_t devpts_t:dir search;
+-allow pppd_t devpts_t:chr_file ioctl;
+ allow pppd_t pptp_t:process signal;
+ allow pptp_t self:capability net_raw;
+ allow pptp_t self:fifo_file { read write };
+@@ -145,3 +148,4 @@
# Allow /etc/ppp/ip-{up,down} to run most anything
type pppd_script_exec_t, file_type, sysadmfile;
domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
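Review bot: The new `allow pptp_t pppd_devpts_t:chr_file rw_file_perms;` references a type declared nowhere in this hunk; the diffstat shows types/devpts.te changed, so presumably it lives there, but the pty pppd opens must also be labelled pppd_devpts_t (a type_transition on devpts_t) or this rule never matches and pptp is left with only the broader `devpts_t:chr_file ioctl`. A one-line comment pointing at the label's origin would help, e.g. `# pppd_devpts_t: pty allocated by pppd, declared in types/devpts.te`. The two rules removed here appear to be relocations rather than deletions — the pptp_t dir search moves up two lines and the pppd_t ioctl rule is re-added under pppd_t in the preceding hunk — so the net access is unchanged. The pptp_t definition starts before this hunk.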
@@ -1870,7 +1909,7 @@
ifdef(`screen.te', `screen_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.2/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/global_macros.te 2005-10-25 13:29:28.000000000 -0400
++++ policy-1.27.2/macros/global_macros.te 2005-10-25 18:08:49.000000000 -0400
@@ -325,27 +325,13 @@
') dnl transitionbool
domain_auto_trans(initrc_t, $1_exec_t, $1_t)
@@ -1930,10 +1969,11 @@
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-@@ -774,4 +761,5 @@
+@@ -774,4 +761,6 @@
allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
allow $1 self:capability { audit_write audit_control };
dontaudit $1 shadow_t:file { getattr read };
++allow $1 sbin_t:dir search;
+allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.2/macros/home_macros.te
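Review bot: `allow $1 sbin_t:dir search;` is added to a macro whose define line is outside the hunk, with no comment on why every domain given this macro needs to search sbin_t; the neighbouring rules (shadow_t dontaudit, audit capabilities, netlink_audit_socket) suggest this is the authentication macro and the search is there to reach the password-check helper, but that is inferred, not visible. Add a reason above the rule, e.g. `# search sbin_t so callers can reach the chkpwd helper (confirm)`, and state in the same comment that the grant is intentionally macro-wide since it applies to every domain that expands this macro.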
@@ -1966,7 +2006,7 @@
####################################################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.27.2/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/program/chkpwd_macros.te 2005-10-25 13:30:32.000000000 -0400
++++ policy-1.27.2/macros/program/chkpwd_macros.te 2005-10-25 17:34:24.000000000 -0400
@@ -22,21 +22,18 @@
# read /selinux/mls
allow $1_chkpwd_t security_t:dir search;
@@ -2093,6 +2133,14 @@
dontaudit $1_su_t self:capability sys_tty_config;
#
# Caused by su - init scripts
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.27.2/macros/program/ypbind_macros.te
+--- nsapolicy/macros/program/ypbind_macros.te 2005-09-12 16:40:26.000000000 -0400
++++ policy-1.27.2/macros/program/ypbind_macros.te 2005-10-26 16:35:21.000000000 -0400
+@@ -1,4 +1,3 @@
+-
+ define(`uncond_can_ypbind', `
+ can_network($1)
+ r_dir_file($1,var_yp_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.27.2/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-10-21 11:36:16.000000000 -0400
+++ policy-1.27.2/macros/user_macros.te 2005-10-24 09:51:46.000000000 -0400
Index: seusers
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/seusers,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- seusers 7 Oct 2005 20:26:03 -0000 1.1
+++ seusers 26 Oct 2005 21:07:24 -0000 1.2
@@ -1,3 +1,2 @@
root:root:s0-s0:c0.c255
-default:user_u:s0
-
+__default__:user_u:s0
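Review bot: Renaming the fallback line from `default` to `__default__` changes which entry is used for logins with no explicit seusers line — `__default__` is the fallback key libselinux consults — so if the old spelling was never matched this is a behaviour fix and deserves a mention in the log message, which currently only says "Add setrans.conf". Root keeps `s0-s0:c0.c255`, the full category range, while unlisted logins get `user_u:s0`, which lines up with the SystemLow-SystemHigh labels introduced in setrans.conf.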