rpms/selinux-policy/FC-6 policy-20061106.patch, 1.31, 1.32 selinux-policy.spec, 1.354, 1.355
fedora-cvs-commits at redhat.com
Tue Apr 10 12:49:37 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv16505
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Thu Apr 5 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-52
- Don't relabel if selinux is not enabled
- Allow netutils to read sysfs
Resolves: #235357
- Allow samba to work as a PDC
Resolves: #235360
- Allow ypserv to bind to ports 600-1024
Resolves: #235363
- Fix kudzu to be able to telinit
Resolves: #225443
policy-20061106.patch:
Rules.modular | 10
config/appconfig-strict-mcs/seusers | 1
config/appconfig-strict-mls/default_contexts | 6
config/appconfig-strict-mls/seusers | 1
config/appconfig-strict/seusers | 1
man/man8/kerberos_selinux.8 | 2
policy/flask/access_vectors | 2
policy/global_tunables | 89 ++++
policy/mls | 31 +
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17
policy/modules/admin/amanda.te | 6
policy/modules/admin/amtu.fc | 3
policy/modules/admin/amtu.if | 57 ++
policy/modules/admin/amtu.te | 56 ++
policy/modules/admin/backup.te | 5
policy/modules/admin/bootloader.fc | 5
policy/modules/admin/bootloader.te | 14
policy/modules/admin/consoletype.te | 21
policy/modules/admin/ddcprobe.te | 10
policy/modules/admin/dmesg.te | 7
policy/modules/admin/dmidecode.te | 5
policy/modules/admin/firstboot.if | 6
policy/modules/admin/kudzu.te | 11
policy/modules/admin/logrotate.te | 5
policy/modules/admin/logwatch.te | 8
policy/modules/admin/netutils.te | 13
policy/modules/admin/portage.te | 5
policy/modules/admin/prelink.te | 18
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 24 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 43 ++
policy/modules/admin/rpm.te | 49 --
policy/modules/admin/su.if | 28 -
policy/modules/admin/su.te | 2
policy/modules/admin/sudo.if | 10
policy/modules/admin/tripwire.te | 11
policy/modules/admin/usbmodules.te | 5
policy/modules/admin/usermanage.if | 1
policy/modules/admin/usermanage.te | 42 +
policy/modules/admin/vpn.te | 1
policy/modules/apps/ethereal.te | 5
policy/modules/apps/evolution.if | 107 ++++-
policy/modules/apps/evolution.te | 1
policy/modules/apps/games.fc | 1
policy/modules/apps/gnome.fc | 2
policy/modules/apps/gnome.if | 108 +++++
policy/modules/apps/gnome.te | 5
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.if | 38 +
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17
policy/modules/apps/mozilla.if | 210 ++++++++-
policy/modules/apps/mplayer.if | 84 +++
policy/modules/apps/mplayer.te | 1
policy/modules/apps/slocate.te | 3
policy/modules/apps/thunderbird.if | 81 +++
policy/modules/apps/userhelper.if | 19
policy/modules/apps/webalizer.te | 6
policy/modules/apps/wine.fc | 1
policy/modules/apps/yam.te | 5
policy/modules/kernel/corecommands.fc | 19
policy/modules/kernel/corecommands.if | 77 +++
policy/modules/kernel/corenetwork.if.in | 140 ++++++
policy/modules/kernel/corenetwork.te.in | 13
policy/modules/kernel/devices.fc | 8
policy/modules/kernel/devices.if | 18
policy/modules/kernel/devices.te | 8
policy/modules/kernel/domain.if | 58 ++
policy/modules/kernel/domain.te | 22 +
policy/modules/kernel/files.fc | 2
policy/modules/kernel/files.if | 224 ++++++++++
policy/modules/kernel/filesystem.if | 62 ++
policy/modules/kernel/filesystem.te | 19
policy/modules/kernel/kernel.if | 84 +++
policy/modules/kernel/kernel.te | 22 -
policy/modules/kernel/mls.if | 28 +
policy/modules/kernel/mls.te | 6
policy/modules/kernel/storage.fc | 3
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 4
policy/modules/services/aide.te | 7
policy/modules/services/amavis.te | 2
policy/modules/services/apache.fc | 17
policy/modules/services/apache.if | 21
policy/modules/services/apache.te | 40 +
policy/modules/services/apm.te | 3
policy/modules/services/automount.fc | 1
policy/modules/services/automount.te | 9
policy/modules/services/avahi.if | 21
policy/modules/services/bind.fc | 1
policy/modules/services/bind.te | 5
policy/modules/services/bluetooth.te | 8
policy/modules/services/ccs.fc | 1
policy/modules/services/ccs.te | 11
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 6
policy/modules/services/cron.if | 92 ++--
policy/modules/services/cron.te | 52 ++
policy/modules/services/cups.fc | 3
policy/modules/services/cups.te | 9
policy/modules/services/cvs.te | 1
policy/modules/services/cyrus.te | 5
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 62 ++
policy/modules/services/dcc.te | 9
policy/modules/services/dhcp.te | 2
policy/modules/services/dovecot.te | 6
policy/modules/services/ftp.te | 18
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 57 ++
policy/modules/services/hal.te | 22 -
policy/modules/services/inetd.te | 28 +
policy/modules/services/irqbalance.te | 4
policy/modules/services/kerberos.if | 25 +
policy/modules/services/kerberos.te | 15
policy/modules/services/ktalk.fc | 3
policy/modules/services/ktalk.te | 5
policy/modules/services/lpd.if | 57 +-
policy/modules/services/lpd.te | 5
policy/modules/services/mta.fc | 1
policy/modules/services/mta.if | 20
policy/modules/services/mta.te | 2
policy/modules/services/munin.te | 5
policy/modules/services/networkmanager.fc | 2
policy/modules/services/networkmanager.te | 2
policy/modules/services/nis.fc | 3
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 34 +
policy/modules/services/nscd.if | 20
policy/modules/services/nscd.te | 24 -
policy/modules/services/oav.te | 5
policy/modules/services/oddjob.te | 3
policy/modules/services/openca.if | 4
policy/modules/services/openca.te | 2
policy/modules/services/openvpn.te | 4
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 62 ++
policy/modules/services/pcscd.te | 78 +++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 6
policy/modules/services/portmap.te | 5
policy/modules/services/postfix.fc | 1
policy/modules/services/postfix.if | 3
policy/modules/services/postfix.te | 21
policy/modules/services/procmail.te | 28 +
policy/modules/services/pyzor.if | 18
policy/modules/services/pyzor.te | 13
policy/modules/services/radius.te | 1
policy/modules/services/radvd.te | 2
policy/modules/services/rhgb.if | 76 +++
policy/modules/services/rhgb.te | 3
policy/modules/services/ricci.te | 21
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.fc | 1
policy/modules/services/rpc.if | 3
policy/modules/services/rpc.te | 26 -
policy/modules/services/rsync.te | 1
policy/modules/services/samba.fc | 5
policy/modules/services/samba.if | 41 +
policy/modules/services/samba.te | 51 ++
policy/modules/services/sasl.te | 12
policy/modules/services/sendmail.if | 22 +
policy/modules/services/sendmail.te | 8
policy/modules/services/setroubleshoot.if | 20
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.if | 17
policy/modules/services/snmp.te | 13
policy/modules/services/spamassassin.fc | 2
policy/modules/services/spamassassin.if | 42 +
policy/modules/services/spamassassin.te | 18
policy/modules/services/squid.fc | 2
policy/modules/services/squid.if | 21
policy/modules/services/squid.te | 11
policy/modules/services/ssh.if | 83 +++
policy/modules/services/ssh.te | 10
policy/modules/services/telnet.te | 3
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 +++
policy/modules/services/uucp.te | 44 +-
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 190 ++++++++-
policy/modules/services/xserver.te | 12
policy/modules/system/authlogin.if | 76 +++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 13
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 11
policy/modules/system/getty.te | 14
policy/modules/system/hostname.te | 19
policy/modules/system/init.if | 64 +++
policy/modules/system/init.te | 51 ++
policy/modules/system/ipsec.fc | 5
policy/modules/system/ipsec.if | 99 ++++
policy/modules/system/ipsec.te | 122 +++++
policy/modules/system/iptables.te | 22 -
policy/modules/system/libraries.fc | 39 +
policy/modules/system/libraries.te | 11
policy/modules/system/locallogin.if | 37 +
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.fc | 5
policy/modules/system/logging.te | 25 +
policy/modules/system/lvm.fc | 2
policy/modules/system/lvm.if | 44 ++
policy/modules/system/lvm.te | 78 +++
policy/modules/system/miscfiles.fc | 3
policy/modules/system/miscfiles.if | 79 +++
policy/modules/system/modutils.te | 25 -
policy/modules/system/mount.te | 27 -
policy/modules/system/netlabel.te | 6
policy/modules/system/pcmcia.te | 5
policy/modules/system/raid.te | 15
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 119 +++++
policy/modules/system/selinuxutil.te | 124 ++---
policy/modules/system/sysnetwork.te | 10
policy/modules/system/tzdata.fc | 3
policy/modules/system/tzdata.if | 23 +
policy/modules/system/tzdata.te | 51 ++
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19
policy/modules/system/unconfined.te | 23 +
policy/modules/system/userdomain.if | 569 ++++++++++++++++++++++++---
policy/modules/system/userdomain.te | 76 +--
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 46 +-
233 files changed, 5424 insertions(+), 620 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/policy-20061106.patch,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- policy-20061106.patch 5 Apr 2007 17:46:28 -0000 1.31
+++ policy-20061106.patch 10 Apr 2007 12:49:35 -0000 1.32
@@ -3591,7 +3591,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-2.4.6/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te 2007-03-20 16:07:41.000000000 -0400
++++ serefpolicy-2.4.6/policy/modules/kernel/filesystem.te 2007-04-09 16:05:21.000000000 -0400
@@ -21,9 +21,11 @@
# Use xattrs for the following filesystem types.
@@ -3604,7 +3604,15 @@
fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
-@@ -63,6 +65,11 @@
+@@ -52,6 +54,7 @@
+
+ type capifs_t;
+ fs_type(capifs_t)
++files_mountpoint(capifs_t)
+ genfscon capifs / gen_context(system_u:object_r:capifs_t,s0)
+
+ type configfs_t;
+@@ -63,6 +66,11 @@
# change to task SID 20060628
#genfscon eventpollfs / gen_context(system_u:object_r:eventpollfs_t,s0)
@@ -3616,7 +3624,7 @@
type futexfs_t;
fs_type(futexfs_t)
genfscon futexfs / gen_context(system_u:object_r:futexfs_t,s0)
-@@ -101,6 +108,7 @@
+@@ -101,6 +109,7 @@
type rpc_pipefs_t;
fs_type(rpc_pipefs_t)
genfscon rpc_pipefs / gen_context(system_u:object_r:rpc_pipefs_t,s0)
@@ -3624,7 +3632,7 @@
#
# tmpfs_t is the type for tmpfs filesystems
-@@ -137,6 +145,7 @@
+@@ -137,6 +146,7 @@
#
type cifs_t alias sambafs_t;
fs_noxattr_type(cifs_t)
@@ -3632,7 +3640,7 @@
genfscon cifs / gen_context(system_u:object_r:cifs_t,s0)
genfscon smbfs / gen_context(system_u:object_r:cifs_t,s0)
-@@ -146,9 +155,9 @@
+@@ -146,9 +156,9 @@
#
type dosfs_t;
fs_noxattr_type(dosfs_t)
@@ -3643,7 +3651,7 @@
genfscon ntfs / gen_context(system_u:object_r:dosfs_t,s0)
genfscon vfat / gen_context(system_u:object_r:dosfs_t,s0)
-@@ -182,7 +191,6 @@
+@@ -182,7 +192,6 @@
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -3651,7 +3659,7 @@
########################################
#
-@@ -202,3 +210,9 @@
+@@ -202,3 +211,9 @@
# pseudo filesystem types that are applied to both the filesystem
# and its files.
allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
@@ -4025,6 +4033,25 @@
+locallogin_use_fds(aide_t)
+
seutil_use_newrole_fds(aide_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.te serefpolicy-2.4.6/policy/modules/services/amavis.te
+--- nsaserefpolicy/policy/modules/services/amavis.te 2006-11-29 12:04:51.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/amavis.te 2007-04-09 14:51:43.000000000 -0400
+@@ -50,6 +50,7 @@
+ allow amavis_t self:unix_stream_socket create_stream_socket_perms;
+ allow amavis_t self:unix_dgram_socket create_socket_perms;
+ allow amavis_t self:tcp_socket { listen accept };
++allow amavis_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # configuration files
+ allow amavis_t amavis_etc_t:dir r_dir_perms;
+@@ -74,6 +75,7 @@
+ files_tmp_filetrans(amavis_t,amavis_tmp_t,file)
+
+ # var/lib files for amavis
++files_search_var_lib(amavis_t)
+ allow amavis_t amavis_var_lib_t:file create_file_perms;
+ allow amavis_t amavis_var_lib_t:sock_file create_file_perms;
+ allow amavis_t amavis_var_lib_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.4.6/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2006-11-29 12:04:49.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/apache.fc 2007-03-09 13:35:58.000000000 -0500
@@ -4354,7 +4381,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.4.6/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/bluetooth.te 2007-03-09 13:35:58.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/bluetooth.te 2007-04-09 14:52:15.000000000 -0400
@@ -41,7 +41,7 @@
# Bluetooth services local policy
#
@@ -4364,7 +4391,15 @@
dontaudit bluetooth_t self:capability sys_tty_config;
allow bluetooth_t self:process { getsched signal_perms };
allow bluetooth_t self:fifo_file rw_file_perms;
-@@ -253,3 +253,8 @@
+@@ -104,6 +104,7 @@
+
+ fs_getattr_all_fs(bluetooth_t)
+ fs_search_auto_mountpoints(bluetooth_t)
++fs_list_inotifyfs(bluetooth_t)
+
+ term_dontaudit_use_console(bluetooth_t)
+ #Handle bluetooth serial devices
+@@ -253,3 +254,8 @@
optional_policy(`
xserver_stream_connect_xdm(bluetooth_helper_t)
')
@@ -6886,8 +6921,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.4.6/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/samba.te 2007-04-05 10:12:51.000000000 -0400
-@@ -10,6 +10,10 @@
++++ serefpolicy-2.4.6/policy/modules/services/samba.te 2007-04-05 13:57:44.000000000 -0400
+@@ -10,6 +10,13 @@
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)
@@ -6895,10 +6930,13 @@
+domain_type(samba_unconfined_script_t)
+role system_r types samba_unconfined_script_t;
+
++type samba_unconfined_script_exec_t;
++domain_entry_file(samba_unconfined_script_t, samba_unconfined_script_exec_t)
++
type nmbd_var_run_t;
files_pid_file(nmbd_var_run_t)
-@@ -235,6 +239,9 @@
+@@ -235,6 +242,9 @@
corenet_tcp_connect_ipp_port(smbd_t)
corenet_tcp_connect_smbd_port(smbd_t)
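Review bot: `samba_unconfined_script_exec_t` is made the entry point into `samba_unconfined_script_t` near the top of samba.te, but nothing in this hunk says which files are meant to carry that label. Any file labelled with the exec type becomes a way into a domain named as unconfined, so add a comment beside the `domain_entry_file` line naming the intended script location, and check that the samba.fc change listed in the diffstat labels only that path.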
@@ -6908,7 +6946,7 @@
dev_read_sysfs(smbd_t)
dev_read_urand(smbd_t)
dev_getattr_mtrr_dev(smbd_t)
-@@ -279,6 +286,12 @@
+@@ -279,6 +289,12 @@
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -6921,7 +6959,7 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -349,7 +362,7 @@
+@@ -349,7 +365,7 @@
allow nmbd_t samba_etc_t:file { getattr read };
allow nmbd_t samba_log_t:dir { create ra_dir_perms setattr };
@@ -6930,7 +6968,7 @@
allow nmbd_t samba_var_t:dir rw_dir_perms;
allow nmbd_t samba_var_t:file { lock unlink create write setattr read getattr rename };
-@@ -502,7 +515,7 @@
+@@ -502,7 +518,7 @@
userdom_use_sysadm_ttys(smbmount_t)
optional_policy(`
@@ -6939,7 +6977,7 @@
')
optional_policy(`
-@@ -525,7 +538,7 @@
+@@ -525,7 +541,7 @@
allow swat_t self:netlink_audit_socket create;
allow swat_t self:tcp_socket create_stream_socket_perms;
allow swat_t self:udp_socket create_socket_perms;
@@ -6948,7 +6986,7 @@
allow swat_t nmbd_exec_t:file { execute read };
-@@ -533,7 +546,7 @@
+@@ -533,7 +549,7 @@
allow swat_t samba_etc_t:file { getattr write read };
allow swat_t samba_log_t:dir search;
@@ -6957,7 +6995,7 @@
allow swat_t smbd_exec_t:file execute ;
-@@ -566,9 +579,8 @@
+@@ -566,9 +582,8 @@
corenet_raw_sendrecv_all_nodes(swat_t)
corenet_tcp_sendrecv_all_ports(swat_t)
corenet_udp_sendrecv_all_ports(swat_t)
@@ -6968,7 +7006,7 @@
dev_read_urand(swat_t)
-@@ -591,6 +603,7 @@
+@@ -591,6 +606,7 @@
optional_policy(`
cups_read_rw_config(swat_t)
@@ -6976,7 +7014,7 @@
')
optional_policy(`
-@@ -614,6 +627,8 @@
+@@ -614,6 +630,8 @@
# Winbind local policy
#
@@ -6985,7 +7023,7 @@
dontaudit winbind_t self:capability sys_tty_config;
allow winbind_t self:process signal_perms;
allow winbind_t self:fifo_file { read write };
-@@ -763,3 +778,24 @@
+@@ -763,3 +781,24 @@
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
')
@@ -7055,8 +7093,8 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-2.4.6/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/sendmail.if 2007-03-26 13:51:31.000000000 -0400
-@@ -76,6 +76,26 @@
++++ serefpolicy-2.4.6/policy/modules/services/sendmail.if 2007-04-09 15:07:05.000000000 -0400
+@@ -76,6 +76,27 @@
########################################
## <summary>
@@ -7075,6 +7113,7 @@
+ ')
+
+ logging_search_logs($1)
++ allow $1 sendmail_log_t:dir search_dir_perms;
+ allow $1 sendmail_log_t:file read_file_perms;
+')
+
@@ -7083,6 +7122,14 @@
## Create, read, write, and delete sendmail logs.
## </summary>
## <param name="domain">
+@@ -91,6 +112,7 @@
+ ')
+
+ logging_search_logs($1)
++ allow $1 sendmail_log_t:dir manage_dir_perms;
+ allow $1 sendmail_log_t:file manage_file_perms;
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.4.6/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2006-11-29 12:04:51.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/sendmail.te 2007-03-09 13:35:59.000000000 -0500
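Review bot: `manage_dir_perms` on `sendmail_log_t:dir` in the second interface is broader than its summary, "Create, read, write, and delete sendmail logs", requires if callers only add and remove log files. `rw_dir_perms`, as already used for `samba_var_t:dir` elsewhere in this patch, would cover that without letting callers create or remove directories of that type. If directory creation is intended, state it in the interface summary.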
@@ -9238,10 +9285,25 @@
corecmd_list_sbin(local_login_t)
corecmd_read_bin_symlinks(local_login_t)
corecmd_read_sbin_symlinks(local_login_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.4.6/policy/modules/system/logging.fc
+--- nsaserefpolicy/policy/modules/system/logging.fc 2006-11-29 12:04:51.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/logging.fc 2007-04-09 17:10:37.000000000 -0400
+@@ -26,6 +26,11 @@
+
+ /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+ /var/log/.* gen_context(system_u:object_r:var_log_t,s0)
++/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/cron[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
++/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
+ /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
+
+ ifndef(`distro_gentoo',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.4.6/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/logging.te 2007-03-09 13:35:59.000000000 -0500
-@@ -53,6 +53,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/logging.te 2007-04-09 17:14:48.000000000 -0400
+@@ -53,9 +53,11 @@
type var_log_t;
logging_log_file(var_log_t)
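Review bot: The `/var/log/messages[^/]*` entry is added twice in logging.fc, once as the first new line and again between the `cron` and `maillog` entries. Drop the second copy. A short comment above the new block saying these files are labelled `mls_systemhigh` while `/var/log/.*` stays at `s0` would also help, since the two ranges now sit side by side with no explanation.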
@@ -9249,7 +9311,11 @@
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
-@@ -63,7 +64,7 @@
++ init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)
+ ')
+
+ ########################################
+@@ -63,7 +65,7 @@
# Auditd local policy
#
@@ -9258,7 +9324,7 @@
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
libs_use_ld_so(auditctl_t)
-@@ -275,7 +276,7 @@
+@@ -275,7 +277,7 @@
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_file_perms;
allow syslogd_t self:udp_socket create_socket_perms;
@@ -9267,7 +9333,16 @@
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
files_pid_filetrans(syslogd_t,devlog_t,sock_file)
-@@ -326,6 +327,18 @@
+@@ -311,6 +313,8 @@
+
+ fs_search_auto_mountpoints(syslogd_t)
+
++mls_rangetrans_target(syslogd_t)
++
+ term_write_console(syslogd_t)
+ # Allow syslog to a terminal
+ term_write_unallocated_ttys(syslogd_t)
+@@ -326,6 +330,18 @@
corenet_udp_sendrecv_all_ports(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
@@ -9286,7 +9361,7 @@
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
-@@ -398,3 +411,8 @@
+@@ -398,3 +414,8 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -10067,7 +10142,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.6/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-11-29 12:04:51.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te 2007-03-09 13:35:59.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te 2007-04-09 13:48:27.000000000 -0400
@@ -107,6 +107,19 @@
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
@@ -10096,11 +10171,13 @@
selinux_get_fs_mount(load_policy_t)
selinux_load_policy(load_policy_t)
-@@ -225,6 +239,7 @@
+@@ -224,7 +238,8 @@
+ # cjp: cover up stray file descriptors.
dontaudit load_policy_t selinux_config_t:file write;
optional_policy(`
- unconfined_dontaudit_read_pipes(load_policy_t)
-+ unconfined_dontaudit_read_pipes(setfiles_t)
+- unconfined_dontaudit_read_pipes(load_policy_t)
++ unconfined_dontaudit_rw_pipes(load_policy_t)
++ unconfined_dontaudit_rw_pipes(setfiles_t)
')
')
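Review bot: Changing `unconfined_dontaudit_read_pipes(load_policy_t)` to `unconfined_dontaudit_rw_pipes` for both `load_policy_t` and `setfiles_t` suppresses write denials as well as reads, and the only rationale in view is the existing "cover up stray file descriptors" comment. Extend that comment to say why write needs hiding, because a dontaudit rule removes the AVC record that would otherwise show the access attempt. The `setfiles_t` rule also sits inside the `load_policy_t` block, directly under `dontaudit load_policy_t selinux_config_t:file write;`, and would be easier to find in the setfiles section.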
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-6/selinux-policy.spec,v
retrieving revision 1.354
retrieving revision 1.355
diff -u -r1.354 -r1.355
--- selinux-policy.spec 5 Apr 2007 17:46:28 -0000 1.354
+++ selinux-policy.spec 10 Apr 2007 12:49:35 -0000 1.355
@@ -158,7 +158,8 @@
%define relabel() \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
-if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.pre ]; then \
+selinuxenabled; \
+if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.pre ]; then \
fixfiles -C ${FILE_CONTEXT}.pre restore; \
rm -f ${FILE_CONTEXT}.pre; \
fi;
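Review bot: With the `selinuxenabled` result folded into the same `[ ... ]` test, a system with SELinux disabled now skips `rm -f ${FILE_CONTEXT}.pre` as well as `fixfiles`, so the saved `.pre` file is left behind. Consider guarding only the `fixfiles -C ${FILE_CONTEXT}.pre restore` call with `selinuxenabled` and keeping the `rm -f` under the original `SELINUXTYPE` / `-f` test. Testing the command directly (`if selinuxenabled && [ ... ]`) is also more robust than `$? == 0`, and `==` inside `[ ]` is not portable to a POSIX shell.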
@@ -358,6 +359,7 @@
%changelog
* Thu Apr 5 2007 Dan Walsh <dwalsh at redhat.com> 2.4.6-52
+- Don't relabel if selinux is not enabled
- Allow netutils to read sysfs
Resolves: #235357
- Allow samba to work as a PDC
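Review bot: The new changelog line is added under the existing `Thu Apr 5 2007 ... 2.4.6-52` entry, and no hunk in this spec diff changes the release, so this revision carries the same 2.4.6-52 version as the 5 Apr one. The entry also leaves out the policy changes made in this revision of policy-20061106.patch (amavis netlink and var_lib access, bluetooth inotifyfs, sendmail log directory permissions, the syslogd MLS range and the new `/var/log` file contexts). Add a line for each, or a new dated entry with a bumped release.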