rpms/selinux-policy/devel policy-20060915.patch, 1.10, 1.11 selinux-policy.spec, 1.291, 1.292
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Sep 25 15:58:35 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7171
Modified Files:
policy-20060915.patch selinux-policy.spec
Log Message:
* Mon Sep 25 2006 Dan Walsh <dwalsh at redhat.com> 2.3.15-2
- mls fixes
policy-20060915.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 3
config/appconfig-strict-mls/initrc_context | 2
config/appconfig-strict-mls/seusers | 3
config/appconfig-strict/seusers | 1
config/appconfig-targeted-mcs/seusers | 3
config/appconfig-targeted-mls/initrc_context | 2
config/appconfig-targeted-mls/seusers | 3
config/appconfig-targeted/seusers | 1
local.mod |binary
local.pp |binary
local.te | 16 +
policy/global_tunables | 9
policy/mcs | 6
policy/mls | 36 +-
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 7
policy/modules/admin/consoletype.te | 7
policy/modules/admin/firstboot.te | 4
policy/modules/admin/prelink.if | 2
policy/modules/admin/readahead.te | 4
policy/modules/admin/rpm.fc | 2
policy/modules/apps/java.fc | 2
policy/modules/apps/slocate.te | 1
policy/modules/kernel/corenetwork.te.in | 15 -
policy/modules/kernel/devices.fc | 8
policy/modules/kernel/devices.if | 39 ++
policy/modules/kernel/files.fc | 29 +-
policy/modules/kernel/files.if | 20 +
policy/modules/kernel/filesystem.if | 2
policy/modules/kernel/kernel.te | 25 -
policy/modules/kernel/mcs.te | 18 -
policy/modules/kernel/mls.te | 12
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 48 +--
policy/modules/kernel/storage.if | 1
policy/modules/kernel/terminal.fc | 2
policy/modules/services/apache.fc | 9
policy/modules/services/automount.te | 3
policy/modules/services/bind.te | 1
policy/modules/services/bluetooth.fc | 2
policy/modules/services/ccs.fc | 8
policy/modules/services/ccs.if | 65 ++++
policy/modules/services/ccs.te | 87 ++++++
policy/modules/services/cron.fc | 1
policy/modules/services/cron.te | 19 +
policy/modules/services/dbus.if | 1
policy/modules/services/hal.te | 6
policy/modules/services/networkmanager.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 2
policy/modules/services/oddjob.fc | 10
policy/modules/services/oddjob.if | 99 ++++++
policy/modules/services/oddjob.te | 95 ++++++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.fc | 1
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 386 +++++++++++++++++++++++++++
policy/modules/services/sendmail.te | 1
policy/modules/services/smartmon.te | 8
policy/modules/services/ssh.te | 6
policy/modules/system/hostname.te | 5
policy/modules/system/init.fc | 3
policy/modules/system/init.if | 3
policy/modules/system/init.te | 14
policy/modules/system/logging.fc | 8
policy/modules/system/logging.te | 2
policy/modules/system/raid.te | 2
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/setrans.fc | 2
policy/modules/system/udev.te | 1
policy/modules/system/unconfined.if | 1
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 27 +
policy/modules/system/userdomain.te | 21 +
policy/users | 14
78 files changed, 1392 insertions(+), 140 deletions(-)
Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- policy-20060915.patch 22 Sep 2006 20:36:32 -0000 1.10
+++ policy-20060915.patch 25 Sep 2006 15:58:33 -0000 1.11
@@ -56,6 +56,28 @@
+system_u:system_u:s0-s15:c0.c1023
+root:root:s0-s15:c0.c1023
__default__:user_u:s0
+Binary files nsaserefpolicy/local.mod and serefpolicy-2.3.15/local.mod differ
+Binary files nsaserefpolicy/local.pp and serefpolicy-2.3.15/local.pp differ
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/local.te serefpolicy-2.3.15/local.te
+--- nsaserefpolicy/local.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.3.15/local.te 2006-09-23 07:02:40.000000000 -0400
+@@ -0,0 +1,16 @@
++module local 1.0;
++
++require {
++ class association polmatch;
++ class unix_stream_socket { read write };
++ type ifconfig_t;
++ type initrc_t;
++ type unlabeled_t;
++ role object_r;
++ role system_r;
++};
++
++allow ifconfig_t initrc_t:unix_stream_socket { read write };
++allow initrc_t self:association polmatch;
++allow unlabeled_t initrc_t:association polmatch;
++allow unlabeled_t self:association polmatch;
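Review bot: local.te carries no comment saying which denials its four allow rules work around, and the `allow unlabeled_t self:association polmatch;` it contains is also added to kernel.te elsewhere in this same commit, so the module duplicates a rule the base policy now has. It also reaches into other modules' types (ifconfig_t, initrc_t) with raw allow rules behind a require block instead of going through interfaces, which is the convention the rest of this patch follows. The compiled local.mod and local.pp are checked in as binaries next to the source; they cannot be reviewed and can silently diverge from local.te, so they are better produced at build time than committed. A header such as `# Interim workarounds for denials seen on MLS (presumably ifconfig/initrc socket inheritance and IPsec polmatch); fold into the owning modules` would at least record the intent until the rules move.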
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.3.15/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-09-15 13:14:28.000000000 -0400
+++ serefpolicy-2.3.15/policy/global_tunables 2006-09-22 16:06:31.000000000 -0400
@@ -209,6 +231,18 @@
########################################
#
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.if serefpolicy-2.3.15/policy/modules/admin/prelink.if
+--- nsaserefpolicy/policy/modules/admin/prelink.if 2006-07-14 17:04:46.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/admin/prelink.if 2006-09-25 09:04:49.000000000 -0400
+@@ -76,7 +76,7 @@
+ gen_require(`
+ type prelink_cache_t;
+ ')
+-
++ files_rw_etc_dir($1)
+ allow $1 prelink_cache_t:file unlink;
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-2.3.15/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/admin/readahead.te 2006-09-22 16:06:31.000000000 -0400
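Review bot: The interface edited at prelink.if line 76 only needed to remove the prelink cache file (`allow $1 prelink_cache_t:file unlink;`), but the added `files_rw_etc_dir($1)` gives the caller rw_dir_perms on every etc_t directory, i.e. the right to add and remove arbitrary entries under /etc, not just that one cache. Unlinking a single file needs only search and remove_name on its parent directory, so a files.if interface granting just `{ search remove_name }` on etc_t dirs would match the interface's stated purpose. The `interface(` line and summary of this interface are outside the hunk, so its name is not visible here; worth confirming the summary still describes what it now grants. The new line also replaced the blank line that separated the gen_require block from the rules.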
@@ -254,6 +288,17 @@
#
# /usr
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.3.15/policy/modules/apps/slocate.te
+--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-07-14 17:04:31.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/apps/slocate.te 2006-09-25 08:58:15.000000000 -0400
+@@ -45,6 +45,7 @@
+ files_dontaudit_getattr_all_dirs(locate_t)
+
+ fs_getattr_xattr_fs(locate_t)
++fs_getattr_rpc_pipefs(locate_t)
+
+ libs_use_shared_libs(locate_t)
+ libs_use_ld_so(locate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.15/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-09-22 09:35:44.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/kernel/corenetwork.te.in 2006-09-22 16:06:31.000000000 -0400
@@ -347,7 +392,7 @@
/dev/radeon -c gen_context(system_u:object_r:dri_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.3.15/policy/modules/kernel/devices.if
--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/devices.if 2006-09-22 16:06:31.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/kernel/devices.if 2006-09-23 19:49:14.000000000 -0400
@@ -1998,6 +1998,25 @@
########################################
@@ -374,6 +419,30 @@
## Get the attributes of the printer device nodes.
## </summary>
## <param name="domain">
+@@ -3211,3 +3230,23 @@
+
+ typeattribute $1 devices_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## dontaudit getattr generic files in /dev.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`dev_dontaudit_getattr_generic_files',`
++ gen_require(`
++ type device_t;
++ ')
++
++ allow $1 device_t:dir search;
++ dontaudit $1 device_t:file getattr;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.15/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-09-05 07:41:00.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/kernel/files.fc 2006-09-22 16:06:31.000000000 -0400
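Review bot: `dev_dontaudit_getattr_generic_files` is documented as a dontaudit interface, but its body also contains `allow $1 device_t:dir search;`, so a caller that only wants to silence getattr noise silently gains search on /dev. Reference-policy dontaudit interfaces conventionally hold only dontaudit rules; either drop the allow and leave /dev search to the caller, or state it in the summary, e.g. `## dontaudit getattr on generic files in /dev; also allows searching /dev.` The raid.te hunk in this patch calls it for mdadm_t, so the extra grant is already live.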
@@ -480,6 +549,33 @@
+/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c1023)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.3.15/policy/modules/kernel/files.if
+--- nsaserefpolicy/policy/modules/kernel/files.if 2006-09-22 14:07:03.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/kernel/files.if 2006-09-25 09:04:36.000000000 -0400
+@@ -4541,3 +4541,23 @@
+
+ typealias etc_runtime_t alias $1;
+ ')
++
++########################################
++## <summary>
++## Read and write files in /etc.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`files_rw_etc_dir',`
++ gen_require(`
++ type etc_t;
++ ')
++
++ allow $1 etc_t:dir rw_dir_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.3.15/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/kernel/filesystem.if 2006-09-22 16:06:31.000000000 -0400
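Review bot: The summary of the new `files_rw_etc_dir` says "Read and write files in /etc", but its only rule is `allow $1 etc_t:dir rw_dir_perms;`, which covers directory entries (list, add_name, remove_name), not file contents. A reader trusting the summary would misjudge what a caller gains, which matters since the prelink.if caller added in this patch uses it merely to delete one file. Suggest `## Read and write the /etc directory itself (list, add and remove entries); grants no access to file contents.` and, given that consumer only unlinks, consider a narrower `{ search remove_name }` variant instead.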
@@ -494,7 +590,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.3.15/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/kernel/kernel.te 2006-09-22 16:06:31.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/kernel/kernel.te 2006-09-23 07:06:41.000000000 -0400
@@ -39,7 +39,7 @@
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
@@ -556,6 +652,14 @@
########################################
#
+@@ -326,6 +326,7 @@
+
+ ifdef(`targeted_policy',`
+ allow unlabeled_t self:filesystem associate;
++ allow unlabeled_t self:association polmatch;
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mcs.te serefpolicy-2.3.15/policy/modules/kernel/mcs.te
--- nsaserefpolicy/policy/modules/kernel/mcs.te 2006-09-22 14:07:03.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/kernel/mcs.te 2006-09-22 16:06:31.000000000 -0400
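Review bot: `allow unlabeled_t self:association polmatch;` is added only inside the `ifdef(targeted_policy)` block, yet this commit also ships the identical rule unconditionally in local.te, so the guard restricts nothing in practice and the two copies will drift. Pick one home for the rule and add a why-comment; nothing here records what traffic triggers the denial, e.g. `# unlabeled SAs must pass the IPsec policy-match check (trigger not documented; confirm)`. The enclosing ifdef block continues outside the hunk.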
@@ -973,6 +1077,42 @@
/var/run/crond?\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/crond\.reboot -- gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.3.15/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2006-09-15 13:14:24.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/services/cron.te 2006-09-25 09:37:04.000000000 -0400
+@@ -17,6 +17,14 @@
+ type cron_spool_t;
+ files_type(cron_spool_t)
+
++# var/lib files
++type cron_var_lib_t;
++files_type(cron_var_lib_t)
++
++# var/log files
++type cron_log_t;
++logging_log_file(cron_log_t)
++
+ type crond_t;
+ # real declaration moved to mls until
+ # range_transition works in loadable modules
+@@ -184,6 +192,17 @@
+ files_tmp_filetrans(crond_t, crond_tmp_t, { file dir })
+ ')
+
++# This is to handle /var/lib/misc directory. Used currently by prelink
++# var/lib files for cron
++allow system_crond_t cron_var_lib_t:file create_file_perms;
++files_var_lib_filetrans(system_crond_t,cron_var_lib_t,file)
++
++# This is to handle creation of files in /var/log directory. Used currently by rpm script
++# log files
++allow system_crond_t crond_log_t:file create_file_perms;
++logging_log_filetrans(system_crond_t,cron_log_t,{ file })
++
++
+ tunable_policy(`fcron_crond', `
+ allow crond_t system_cron_spool_t:file create_file_perms;
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.3.15/policy/modules/services/dbus.if
--- nsaserefpolicy/policy/modules/services/dbus.if 2006-09-15 13:14:24.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/services/dbus.if 2006-09-22 16:06:31.000000000 -0400
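Review bot: The new log rule grants `system_crond_t crond_log_t:file create_file_perms`, but the type declared a few lines up and used by the `logging_log_filetrans` call is `cron_log_t`; unless crond_log_t is declared elsewhere this will not build, and even if it is, files created under the transition land in cron_log_t with no file permissions for system_crond_t, so the creation that motivated the change still fails. Change it to `allow system_crond_t cron_log_t:file create_file_perms;`. The var_lib comment says this is for `/var/lib/misc`, but `files_var_lib_filetrans` applies to any file system_crond_t creates directly in a var_lib_t directory, which the comment should say rather than naming one path.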
@@ -1936,6 +2076,17 @@
+')
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.3.15/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2006-09-22 14:07:06.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/services/sendmail.te 2006-09-25 09:21:31.000000000 -0400
+@@ -32,6 +32,7 @@
+ allow sendmail_t self:unix_dgram_socket create_socket_perms;
+ allow sendmail_t self:tcp_socket create_stream_socket_perms;
+ allow sendmail_t self:udp_socket create_socket_perms;
++allow sendmail_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow sendmail_t sendmail_log_t:file create_file_perms;
+ allow sendmail_t sendmail_log_t:dir { rw_dir_perms setattr };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.3.15/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/services/smartmon.te 2006-09-22 16:06:31.000000000 -0400
@@ -2027,7 +2178,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.3.15/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2006-09-22 14:07:07.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/init.te 2006-09-22 16:06:31.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/system/init.te 2006-09-25 09:48:06.000000000 -0400
@@ -16,6 +16,9 @@
attribute direct_init;
attribute direct_init_entry;
@@ -2068,6 +2219,15 @@
',`
# cjp: require doesnt work in the else of optionals :\
# this also would result in a type transition
+@@ -570,6 +580,8 @@
+ dev_getattr_printer_dev(initrc_t)
+
+ cups_read_log(initrc_t)
++#cups init script clears error log
++ cups_write_log(initrc_t)
+ cups_read_rw_config(initrc_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.3.15/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2006-09-01 14:10:18.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/system/logging.fc 2006-09-22 16:06:31.000000000 -0400
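Review bot: The new comment `#cups init script clears error log` sits at column 0 inside an indented optional_policy block while the `cups_write_log(initrc_t)` it describes is tab-indented, so it breaks the block's visual structure. Indent it to match and put a space after the hash: `	# cups init script clears the error log`. The optional_policy block begins and ends outside the hunk.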
@@ -2097,8 +2257,16 @@
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.15/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-08-29 09:00:29.000000000 -0400
-+++ serefpolicy-2.3.15/policy/modules/system/logging.te 2006-09-22 16:06:31.000000000 -0400
-@@ -161,6 +161,7 @@
++++ serefpolicy-2.3.15/policy/modules/system/logging.te 2006-09-23 19:46:15.000000000 -0400
+@@ -18,6 +18,7 @@
+
+ type auditd_log_t;
+ files_security_file(auditd_log_t)
++files_mountpoint(auditd_log_t)
+
+ type auditd_t;
+ # real declaration moved to mls until
+@@ -161,6 +162,7 @@
miscfiles_read_localization(auditd_t)
mls_file_read_up(auditd_t)
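Review bot: `files_mountpoint(auditd_log_t)` is added without a comment; it turns a type that is otherwise a security_file into a mountpoint type, which presumably is what lets /var/log/audit live on its own filesystem, but it also widens which domains may search and mount on the audit-log directory. A one-line reason such as `# /var/log/audit is commonly a separate filesystem` would make the trade-off explicit. Since mounting over the directory would hide whatever is underneath, whether mount domains should be able to mount on the audit log path deserves a conscious decision rather than an unexplained line.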
@@ -2106,6 +2274,23 @@
mls_rangetrans_target(auditd_t)
seutil_dontaudit_read_config(auditd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.3.15/policy/modules/system/raid.te
+--- nsaserefpolicy/policy/modules/system/raid.te 2006-07-14 17:04:44.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/system/raid.te 2006-09-23 19:48:31.000000000 -0400
+@@ -29,11 +29,13 @@
+ kernel_read_system_state(mdadm_t)
+ kernel_read_kernel_sysctls(mdadm_t)
+ kernel_rw_software_raid_state(mdadm_t)
++kernel_getattr_core_if(mdadm_t)
+
+ dev_read_sysfs(mdadm_t)
+ # Ignore attempts to read every device file
+ dev_dontaudit_getattr_all_blk_files(mdadm_t)
+ dev_dontaudit_getattr_all_chr_files(mdadm_t)
++dev_dontaudit_getattr_generic_files(mdadm_t)
+
+ fs_search_auto_mountpoints(mdadm_t)
+ fs_dontaudit_list_tmpfs(mdadm_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.3.15/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-09-05 07:41:01.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/system/selinuxutil.fc 2006-09-22 16:06:31.000000000 -0400
@@ -2144,6 +2329,17 @@
files_read_etc_runtime_files(udev_t)
files_read_etc_files(udev_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.3.15/policy/modules/system/unconfined.if
+--- nsaserefpolicy/policy/modules/system/unconfined.if 2006-08-29 09:00:29.000000000 -0400
++++ serefpolicy-2.3.15/policy/modules/system/unconfined.if 2006-09-23 07:08:23.000000000 -0400
+@@ -31,6 +31,7 @@
+ allow $1 self:nscd *;
+ allow $1 self:dbus *;
+ allow $1 self:passwd *;
++ allow $1 self:association *;
+
+ kernel_unconfined($1)
+ corenet_unconfined($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.3.15/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2006-07-14 17:04:44.000000000 -0400
+++ serefpolicy-2.3.15/policy/modules/system/userdomain.fc 2006-09-22 16:06:31.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.291
retrieving revision 1.292
diff -u -r1.291 -r1.292
--- selinux-policy.spec 22 Sep 2006 20:36:32 -0000 1.291
+++ selinux-policy.spec 25 Sep 2006 15:58:33 -0000 1.292
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.3.15
-Release: 1
+Release: 2
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -349,6 +349,9 @@
%endif
%changelog
+* Mon Sep 25 2006 Dan Walsh <dwalsh at redhat.com> 2.3.15-2
+- mls fixes
+
* Fri Sep 22 2006 Dan Walsh <dwalsh at redhat.com> 2.3.15-1
- Update from upstream