rpms/selinux-policy-targeted/devel policy-20050425.patch, NONE, 1.1 .cvsignore, 1.105, 1.106 selinux-policy-targeted.spec, 1.284, 1.285 sources, 1.111, 1.112
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Apr 25 19:13:41 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv21564
Modified Files:
.cvsignore selinux-policy-targeted.spec sources
Added Files:
policy-20050425.patch
Log Message:
* Mon Apr 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-1
- Update to latest from NSA
* Merged more changes from Dan Walsh to initrc_t for removal of
unconfined_domain.
* Merged Dan Walsh's split of auditd policy into auditd_t for the
audit daemon and auditctl_t for the auditctl program.
* Added use of name_connect to uncond_can_ypbind macro by Dan
Walsh.
* Merged other cleanup and fixes by Dan Walsh.
policy-20050425.patch:
domains/misc/kernel.te | 4 ++
domains/program/fsadm.te | 2 -
domains/program/getty.te | 14 ++--------
domains/program/init.te | 2 -
domains/program/initrc.te | 1
domains/program/klogd.te | 3 ++
domains/program/load_policy.te | 3 --
domains/program/unused/amavis.te | 7 -----
domains/program/unused/apache.te | 16 +++--------
domains/program/unused/auditd.te | 15 ++++++++--
domains/program/unused/clamav.te | 2 -
domains/program/unused/consoletype.te | 13 ++++-----
domains/program/unused/cups.te | 2 +
domains/program/unused/hald.te | 4 ++
domains/program/unused/hotplug.te | 8 +----
domains/program/unused/ntpd.te | 3 --
domains/program/unused/portmap.te | 5 ++-
domains/program/unused/squid.te | 4 --
domains/program/unused/tinydns.te | 2 -
domains/program/unused/udev.te | 6 ++--
domains/program/unused/webalizer.te | 2 -
domains/user.te | 7 +++++
file_contexts/distros.fc | 1
file_contexts/program/compat.fc | 17 ++++++++----
file_contexts/program/getty.fc | 2 +
file_contexts/program/portmap.fc | 1
file_contexts/program/traceroute.fc | 1
file_contexts/program/webalizer.fc | 2 +
file_contexts/types.fc | 2 -
macros/base_user_macros.te | 2 -
macros/core_macros.te | 1
macros/global_macros.te | 12 ++++++++
macros/program/cdrecord_macros.te | 2 -
macros/program/mozilla_macros.te | 2 -
man/man8/httpd_selinux.8 | 6 ++++
targeted/appconfig/default_contexts | 1
targeted/domains/program/compat.te | 2 -
targeted/domains/program/hotplug.te | 17 ------------
targeted/domains/program/udev.te | 17 ------------
targeted/domains/program/xdm.te | 1
targeted/domains/unconfined.te | 3 +-
targeted/initial_sid_contexts | 47 ----------------------------------
tunables/distro.tun | 2 -
tunables/tunable.tun | 6 ++--
types/network.te | 1
45 files changed, 114 insertions(+), 159 deletions(-)
--- NEW FILE policy-20050425.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.12/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-04-14 15:01:53.000000000 -0400
+++ policy-1.23.12/domains/misc/kernel.te 2005-04-22 10:14:15.000000000 -0400
@@ -63,4 +63,6 @@
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
-
+ifdef(`targeted_policy', `
+typeattribute kernel_t unrestricted;
+')
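Review bot: The new `typeattribute kernel_t unrestricted;` changes what the kernel domain may do in targeted policy with no comment saying why it is needed, while the surrounding rules in kernel.te do carry explanations (the modprobe line just above). Add one line recording the denial this clears, e.g. `# targeted policy: kernel_t needs the unrestricted attribute for <reason>`, so the next maintainer can tell whether it is still required.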
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.12/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-04-04 10:21:10.000000000 -0400
+++ policy-1.23.12/domains/program/fsadm.te 2005-04-25 10:04:33.000000000 -0400
@@ -100,7 +100,7 @@
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
allow fsadm_t devpts_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.23.12/domains/program/getty.te
--- nsapolicy/domains/program/getty.te 2005-04-25 14:48:58.000000000 -0400
+++ policy-1.23.12/domains/program/getty.te 2005-04-22 16:17:17.000000000 -0400
@@ -23,18 +23,9 @@
allow getty_t self:unix_dgram_socket create_socket_perms;
allow getty_t self:unix_stream_socket create_socket_perms;
-# to allow w to display everyone...
-bool user_ttyfile_stat false;
-if (user_ttyfile_stat) {
-allow userdomain ttyfile:chr_file getattr;
-}
-
# Use capabilities.
allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
-# fbgetty needs fsetid for some reason
-#allow getty_t self:capability fsetid;
-
read_locale(getty_t)
# Run login in local_login_t domain.
@@ -51,10 +42,13 @@
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-allow getty_t initrc_devpts_t:chr_file rw_file_perms;
+dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
# for error condition handling
allow getty_t fs_t:filesystem getattr;
lock_domain(getty)
r_dir_file(getty_t, sysfs_t)
+# for mgetty
+var_run_domain(getty)
+allow getty_t self:capability { fowner fsetid };
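Review bot: `allow getty_t self:capability { fowner fsetid };` is added "for mgetty" but applies to every program labelled getty_exec_t — getty.fc in this patch matches `/sbin/.*getty`, so agetty and mingetty receive both capabilities as well — and the first hunk removes an `fsetid` rule that had deliberately been left commented out. Record which mgetty operation is denied without them in the comment, e.g. `# mgetty: needs fowner/fsetid for <operation>`, or keep the rule commented until that is confirmed. Separately, getty.fc now labels `/var/log/mgetty\.log.*` as getty_log_t, but this hunk only adds `var_run_domain(getty)`; unless getty_log_t is declared elsewhere in getty.te outside the hunk, that file context names an undeclared type.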
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.12/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-04-25 14:48:58.000000000 -0400
+++ policy-1.23.12/domains/program/initrc.te 2005-04-22 15:07:04.000000000 -0400
@@ -253,6 +253,7 @@
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
domain_trans(initrc_t, shell_exec_t, unconfined_t)
+allow initrc_t unconfined_t:system syslog_mod;
', `
run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.12/domains/program/init.te
--- nsapolicy/domains/program/init.te 2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.12/domains/program/init.te 2005-04-22 14:07:40.000000000 -0400
@@ -131,10 +131,8 @@
allow init_t lib_t:file { getattr read };
-ifdef(`rhgb.te', `
allow init_t devtty_t:chr_file { read write };
allow init_t ramfs_t:dir search;
-')
r_dir_file(init_t, sysfs_t)
r_dir_file(init_t, selinux_config_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.12/domains/program/klogd.te
--- nsapolicy/domains/program/klogd.te 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.12/domains/program/klogd.te 2005-04-22 14:10:06.000000000 -0400
@@ -43,3 +43,6 @@
# Read /boot/System.map*
allow klogd_t system_map_t:file r_file_perms;
allow klogd_t boot_t:dir r_dir_perms;
+ifdef(`targeted_policy', `
+allow klogd_t unconfined_t:system syslog_mod;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.23.12/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-04-20 15:40:34.000000000 -0400
+++ policy-1.23.12/domains/program/load_policy.te 2005-04-21 08:37:13.000000000 -0400
@@ -39,6 +39,7 @@
# only allow read of policy config files
allow load_policy_t policy_src_t:dir search;
r_dir_file(load_policy_t, policy_config_t)
+r_dir_file(load_policy_t, selinux_config_t)
# directory search permissions for path to binary policy files
allow load_policy_t root_t:dir search;
@@ -57,5 +58,3 @@
allow load_policy_t fs_t:filesystem getattr;
read_locale(load_policy_t)
-r_dir_file(load_policy_t, selinux_config_t)
-allow load_policy_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.12/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te 2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.12/domains/program/unused/amavis.te 2005-04-22 07:09:19.000000000 -0400
@@ -13,7 +13,7 @@
type amavisd_lib_t, file_type, sysadmfile;
# Virus and spam found and quarantined.
-type amavisd_quarantine_t, file_type, sysadmfile;
+type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
# Differentiate between the port where amavisd receives mail, and the
# port where it returns cleaned mail back to the MTA.
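Review bot: Adding the `tmpfile` attribute to amavisd_quarantine_t hands the quarantine directory to every domain that has rules on the tmpfile attribute, not only to tmpreaper_t as the explicit block deleted in the second hunk did; which domains that covers cannot be seen from this patch, so quarantined virus and spam samples may become readable or removable by more than the cleanup job. If periodic cleanup is the only goal, keep the explicit `allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink };` rules; otherwise note on the type line which attribute-wide access is intended, e.g. `# tmpfile: lets <cleanup domain> expire old quarantine entries`.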
@@ -118,8 +118,3 @@
dontaudit amavisd_t shadow_t:file { getattr read };
dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
-# Tmp reaper
-ifdef(`tmpreaper.te', `
-allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink };
-allow tmpreaper_t amavisd_quarantine_t:file getattr;
-')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.12/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-04-25 14:48:58.000000000 -0400
+++ policy-1.23.12/domains/program/unused/apache.te 2005-04-25 13:34:10.000000000 -0400
@@ -290,7 +290,7 @@
allow httpd_helper_t httpd_log_t:file { append };
########################################
-# When the admin starts the server, the server wants to acess
+# When the admin starts the server, the server wants to access
# the TTY or PTY associated with the session. The httpd appears
# to run correctly without this permission, so the permission
# are dontaudited here.
@@ -322,7 +322,7 @@
# The following are types for SUEXEC,which runs user scripts as their
# own user ID
#
-daemon_sub_domain(httpd_t, httpd_suexec)
+daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
allow httpd_t httpd_suexec_exec_t:file read;
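Review bot: With the new httpd_suexec_disable_trans boolean set, the only rule this hunk leaves for httpd_t on httpd_suexec_exec_t is `read`, so httpd would lose the ability to execute suexec at all rather than run it inside httpd_t; unless a rule outside the hunk grants execute, the man page wording "disable suexec transition" should say that suexec stops working when the boolean is on. Also, the other macros in this patch that take a third argument (`daemon_base_domain(freshclam, ...)`, `application_domain(webalizer, ...)`) splice it into an attribute list; if daemon_sub_domain does the same with `$3` in its `type` line (outside the global_macros.te hunk), `transitionbool` must exist as an attribute or the policy will not compile — worth confirming. A comment such as `# transitionbool: defines httpd_suexec_disable_trans; when set, httpd_t cannot execute suexec` on this line would document the contract.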
#########################################################
@@ -361,12 +361,6 @@
allow httpd_suexec_t autofs_t:dir { search getattr };
tmp_domain(httpd_suexec)
-ifdef(`mta.te', `
-# apache should set close-on-exec
-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
-')
-
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
@@ -374,7 +368,6 @@
if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
-can_exec(httpd_t, httpdcontent )
}
if (httpd_enable_cgi) {
domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
@@ -396,9 +389,10 @@
r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
ifdef(`mta.te', `
+# apache should set close-on-exec
+dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
dontaudit system_mail_t httpd_log_t:file { append getattr };
allow system_mail_t httpd_squirrelmail_t:file { append read };
dontaudit system_mail_t httpd_t:tcp_socket { read write };
')
-
-allow httpd_t var_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.12/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-04-25 14:48:58.000000000 -0400
+++ policy-1.23.12/domains/program/unused/auditd.te 2005-04-25 11:10:33.000000000 -0400
@@ -2,6 +2,8 @@
#
# Authors: Colin Walters <walters at verbum.org>
#
+# Some fixes by Paul Moore <paul.moore at hp.com>
+#
define(`audit_manager_domain', `
allow $1 auditd_etc_t:file rw_file_perms;
create_dir_file($1, auditd_log_t)
@@ -15,10 +17,10 @@
allow auditd_t self:capability { audit_write audit_control sys_nice };
allow auditd_t etc_t:file { getattr read };
-# Don't use logdir_domain since this is a security file
+# Do not use logdir_domain since this is a security file
type auditd_log_t, file_type, secure_file_type;
-file_type_auto_trans(auditd_t, var_log_t, auditd_log_t, file)
-allow auditd_t auditd_log_t:dir { setattr rw_dir_perms };
+allow auditd_t var_log_t:dir search;
+rw_dir_create_file(auditd_t, auditd_log_t)
can_exec(auditd_t, init_exec_t)
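Review bot: Replacing `file_type_auto_trans(auditd_t, var_log_t, auditd_log_t, file)` with `allow auditd_t var_log_t:dir search;` plus `rw_dir_create_file(auditd_t, auditd_log_t)` means auditd can only create log files inside a directory that is already labelled auditd_log_t; nothing in this hunk creates or relabels that directory, so if the log path is not labelled at install or relabel time auditd has nowhere to write. That is tighter than before (no audit records can land in plain var_log_t), but the dependency should be stated, e.g. `# log dir must already be labelled auditd_log_t via file_contexts; no transition from var_log_t`.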
@@ -43,7 +45,14 @@
ifdef(`separate_secadm', `', `
audit_manager_domain(sysadm_t)
')
+allow initrc_t auditd_etc_t:file r_file_perms;
+
+role system_r types auditctl_t;
+domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
+
dontaudit auditctl_t local_login_t:fd use;
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
allow auditctl_t sysctl_kernel_t:file read;
+allow auditd_t self:process setsched;
+dontaudit auditctl_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.23.12/domains/program/unused/clamav.te
--- nsapolicy/domains/program/unused/clamav.te 2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.12/domains/program/unused/clamav.te 2005-04-22 07:01:47.000000000 -0400
@@ -22,7 +22,7 @@
# Freshclam
#
-daemon_base_domain(freshclam)
+daemon_base_domain(freshclam, `, web_client_domain')
read_locale(freshclam_t)
# not sure why it needs this
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.12/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te 2005-03-21 22:32:18.000000000 -0500
+++ policy-1.23.12/domains/program/unused/consoletype.te 2005-04-22 16:37:44.000000000 -0400
@@ -19,29 +19,28 @@
uses_shlib(consoletype_t)
general_domain_access(consoletype_t)
+ifdef(`targeted_policy', `', `
domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
-allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
-allow consoletype_t devtty_t:chr_file { read write };
-allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
-
ifdef(`xdm.te', `
domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
allow consoletype_t xdm_tmp_t:file { read write };
')
-allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
-allow consoletype_t admin_tty_type:chr_file rw_file_perms;
ifdef(`hotplug.te', `
domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
')
+')
+
+allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
+
+allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
# Use capabilities.
allow consoletype_t self:capability sys_admin;
allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
allow consoletype_t initrc_t:fifo_file write;
-allow consoletype_t tty_device_t:chr_file read;
allow consoletype_t nfs_t:file write;
allow consoletype_t sysadm_t:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.12/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-04-25 14:48:59.000000000 -0400
+++ policy-1.23.12/domains/program/unused/cups.te 2005-04-21 13:13:45.000000000 -0400
@@ -17,6 +17,7 @@
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
can_network(cupsd_t)
+can_ypbind(cupsd_t)
allow cupsd_t port_type:tcp_socket name_connect;
logdir_domain(cupsd)
@@ -203,6 +204,7 @@
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
can_network_tcp(cupsd_config_t)
+can_ypbind(cupsd_config_t)
allow cupsd_config_t port_type:tcp_socket name_connect;
can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.12/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-04-07 22:22:55.000000000 -0400
+++ policy-1.23.12/domains/program/unused/hald.te 2005-04-22 09:43:35.000000000 -0400
@@ -93,3 +93,7 @@
ifdef(`lvm.te', `
allow hald_t lvm_control_t:chr_file r_file_perms;
')
+ifdef(`targeted_policy', `
+allow unconfined_t hald_t:dbus send_msg;
+allow hald_t unconfined_t:dbus send_msg;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.12/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.12/domains/program/unused/hotplug.te 2005-04-22 15:31:15.000000000 -0400
@@ -83,7 +83,9 @@
allow hotplug_t self:file getattr;
domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
+ifdef(`mount.te', `
domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
+')
domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
ifdef(`updfstab.te', `
domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
@@ -154,10 +156,4 @@
domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
')
-allow restorecon_t hotplug_t:fd use;
-
-ifdef(`unlimitedUtils', `
-unconfined_domain(hotplug_t)
-')
-
allow kernel_t hotplug_etc_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.12/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/domains/program/unused/ntpd.te 2005-04-22 11:42:46.000000000 -0400
@@ -14,7 +14,6 @@
type ntpdate_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
-allow sysadm_t ntp_port_t:udp_socket name_bind;
logdir_domain(ntpd)
@@ -45,6 +44,7 @@
allow ntpd_t ntp_port_t:tcp_socket name_connect;
can_ypbind(ntpd_t)
allow ntpd_t ntp_port_t:udp_socket name_bind;
+allow sysadm_t ntp_port_t:udp_socket name_bind;
allow ntpd_t self:unix_dgram_socket create_socket_perms;
allow ntpd_t self:unix_stream_socket create_socket_perms;
allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
@@ -85,4 +85,3 @@
allow ntpd_t winbind_var_run_t:dir r_dir_perms;
allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
')
-allow sysadm_t ntp_port_t:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.23.12/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te 2005-03-24 08:58:27.000000000 -0500
+++ policy-1.23.12/domains/program/unused/portmap.te 2005-04-25 10:04:05.000000000 -0400
@@ -58,13 +58,14 @@
domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
dontaudit portmap_helper_t self:capability { net_admin };
allow portmap_helper_t self:capability { net_bind_service };
-allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
+allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
+file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
can_network(portmap_helper_t)
allow portmap_helper_t port_type:tcp_socket name_connect;
can_ypbind(portmap_helper_t)
dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
allow portmap_helper_t etc_t:file { getattr read };
-dontaudit portmap_helper_t userdomain:fd use;
+dontaudit portmap_helper_t { userdomain privfd }:fd use;
allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.12/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.12/domains/program/unused/squid.te 2005-04-22 06:58:24.000000000 -0400
@@ -55,9 +55,7 @@
can_network(squid_t)
if (squid_connect_any) {
allow squid_t port_type:tcp_socket name_connect;
-} else {
-allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;
-}
+}
can_ypbind(squid_t)
can_tcp_connect(web_client_domain, squid_t)
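Review bot: Deleting the `else` branch leaves no `name_connect` rule in this hunk for the squid_connect_any=false case, so with the boolean off squid can no longer reach http_port_t or http_cache_port_t upstreams unless `can_network(squid_t)` or a rule outside the hunk grants it. If forcing administrators to enable squid_connect_any is intended, the boolean's description should say so; otherwise keep `allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;` as an unconditional rule so the default configuration still works.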
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tinydns.te policy-1.23.12/domains/program/unused/tinydns.te
--- nsapolicy/domains/program/unused/tinydns.te 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.12/domains/program/unused/tinydns.te 2005-04-21 08:22:26.000000000 -0400
@@ -36,7 +36,7 @@
can_udp_send(domain, tinydns_t)
can_udp_send(tinydns_t, domain)
# tinydns itself doesn't do zone transfers
-# so we don't need to have it tcp_connect
+# so we do not need to have it tcp_connect
#read configuration files
r_dir_file(tinydns_t, tinydns_conf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.12/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-04-25 14:48:59.000000000 -0400
+++ policy-1.23.12/domains/program/unused/udev.te 2005-04-21 14:29:25.000000000 -0400
@@ -76,7 +76,6 @@
allow udev_t initrc_var_run_t:file r_file_perms;
dontaudit udev_t initrc_var_run_t:file write;
-domain_auto_trans(initrc_t, udev_exec_t, udev_t)
domain_auto_trans(kernel_t, udev_exec_t, udev_t)
domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
ifdef(`hide_broken_symptoms', `
@@ -87,7 +86,6 @@
ifdef(`xdm.te', `
allow udev_t xdm_var_run_t:file { getattr read };
')
-dontaudit udev_t staff_home_dir_t:dir search;
ifdef(`hotplug.te', `
r_dir_file(udev_t, hotplug_etc_t)
@@ -140,3 +138,7 @@
')
r_dir_file(udev_t, domain)
allow udev_t modules_dep_t:file r_file_perms;
+
+ifdef(`unlimitedUtils', `
+unconfined_domain(udev_t)
+')
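Review bot: `unconfined_domain(udev_t)` under `unlimitedUtils` makes the udev domain fully unconfined whenever that tunable is on, while the hotplug.te hunk in this same patch removes the identical block for hotplug_t; without a comment it reads like the block moved by accident rather than by design. State which udev helper needs it, e.g. `# unlimitedUtils: <which udev helper needs unconfined access>`, so the grant can be narrowed once that helper has its own domain.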
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.23.12/domains/program/unused/webalizer.te
--- nsapolicy/domains/program/unused/webalizer.te 2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.12/domains/program/unused/webalizer.te 2005-04-25 13:15:57.000000000 -0400
@@ -4,7 +4,7 @@
#
# Depends: apache.te
-application_domain(webalizer)
+application_domain(webalizer, `, nscd_client_domain')
# to use from cron
system_crond_entry(webalizer_exec_t,webalizer_t)
role system_r types webalizer_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.12/domains/user.te
--- nsapolicy/domains/user.te 2005-04-14 15:01:53.000000000 -0400
+++ policy-1.23.12/domains/user.te 2005-04-22 09:41:28.000000000 -0400
@@ -132,3 +132,10 @@
# "ps aux" and "ls -l /dev/pts" make too much noise without this
dontaudit unpriv_userdomain ptyfile:chr_file getattr;
+# to allow w to display everyone...
+bool user_ttyfile_stat false;
+
+if (user_ttyfile_stat) {
+allow userdomain ttyfile:chr_file getattr;
+}
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.12/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/file_contexts/distros.fc 2005-04-24 08:35:47.000000000 -0400
@@ -37,6 +37,7 @@
/usr/share/texmf/web2c/mktexupd -- system_u:object_r:bin_t
/usr/share/ssl/certs(/.*)? system_u:object_r:cert_t
/usr/share/ssl/private(/.*)? system_u:object_r:cert_t
+/etc/pki(/.*)? system_u:object_r:cert_t
/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
#
# /emul/ia32-linux/usr
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.12/file_contexts/program/compat.fc
--- nsapolicy/file_contexts/program/compat.fc 2005-04-20 08:58:41.000000000 -0400
+++ policy-1.23.12/file_contexts/program/compat.fc 2005-04-24 08:15:01.000000000 -0400
@@ -1,19 +1,23 @@
+ifdef(`setfiles.te', `', `
# setfiles
/usr/sbin/setfiles.* -- system_u:object_r:setfiles_exec_t
+')
+ifdef(`mout.te', `', `
# mount
/bin/mount.* -- system_u:object_r:mount_exec_t
/bin/umount.* -- system_u:object_r:mount_exec_t
-# restorecon
-/sbin/restorecon -- system_u:object_r:restorecon_exec_t
-/bin/hostname -- system_u:object_r:hostname_exec_t
-# consoletype
-/sbin/consoletype -- system_u:object_r:consoletype_exec_t
+')
+ifdef(`loadkeys.te', `', `
# loadkeys
/bin/unikeys -- system_u:object_r:loadkeys_exec_t
/bin/loadkeys -- system_u:object_r:loadkeys_exec_t
+')
+ifdef(`dmesg.te', `', `
# dmesg
/bin/dmesg -- system_u:object_r:dmesg_exec_t
+')
+ifdef(`fsadm.te', `', `
# fs admin utilities
/sbin/fsck.* -- system_u:object_r:fsadm_exec_t
/sbin/mkfs.* -- system_u:object_r:fsadm_exec_t
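Review bot: The second guard tests for a file named `mout.te`, a misspelling of `mount.te` (the hotplug.te hunk in this patch spells it correctly), so the condition never matches and the /bin/mount and /bin/umount entries are emitted even when mount.te is present, producing duplicate file contexts for those paths. Change the guard to test `mount.te` like the others in this hunk.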
@@ -50,6 +54,9 @@
/sbin/partx -- system_u:object_r:fsadm_exec_t
/usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
/sbin/partprobe -- system_u:object_r:fsadm_exec_t
+')
+ifdef(`kudzu.te', `', `
# kudzu
/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
/sbin/kmodule -- system_u:object_r:kudzu_exec_t
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/getty.fc policy-1.23.12/file_contexts/program/getty.fc
--- nsapolicy/file_contexts/program/getty.fc 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.12/file_contexts/program/getty.fc 2005-04-22 16:17:17.000000000 -0400
@@ -1,3 +1,5 @@
# getty
/sbin/.*getty -- system_u:object_r:getty_exec_t
/etc/mgetty(/.*)? system_u:object_r:getty_etc_t
+/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t
+/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/portmap.fc policy-1.23.12/file_contexts/program/portmap.fc
--- nsapolicy/file_contexts/program/portmap.fc 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.12/file_contexts/program/portmap.fc 2005-04-25 10:03:52.000000000 -0400
@@ -7,3 +7,4 @@
/usr/sbin/pmap_dump -- system_u:object_r:portmap_helper_exec_t
/usr/sbin/pmap_set -- system_u:object_r:portmap_helper_exec_t
')
+/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/traceroute.fc policy-1.23.12/file_contexts/program/traceroute.fc
--- nsapolicy/file_contexts/program/traceroute.fc 2005-04-25 14:48:59.000000000 -0400
+++ policy-1.23.12/file_contexts/program/traceroute.fc 2005-04-21 09:45:13.000000000 -0400
@@ -2,7 +2,6 @@
/bin/traceroute.* -- system_u:object_r:traceroute_exec_t
/bin/tracepath.* -- system_u:object_r:traceroute_exec_t
/sbin/rdisc -- system_u:object_r:traceroute_exec_t
-/sbin/arping -- system_u:object_r:traceroute_exec_t
/usr/(s)?bin/traceroute.* -- system_u:object_r:traceroute_exec_t
/usr/bin/lft -- system_u:object_r:traceroute_exec_t
/usr/bin/nmap -- system_u:object_r:traceroute_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/webalizer.fc policy-1.23.12/file_contexts/program/webalizer.fc
--- nsapolicy/file_contexts/program/webalizer.fc 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.12/file_contexts/program/webalizer.fc 2005-04-25 13:16:17.000000000 -0400
@@ -1 +1,3 @@
#
+/usr/bin/webalizer -- system_u:object_r:webalizer_exec_t
+/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t
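Review bot: `/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t` lacks the trailing `?` that the other directory patterns in this patch use (`/etc/mgetty(/.*)?`, `/etc/pki(/.*)?`), so the directory itself is never matched and keeps whatever label it has; write `/var/lib/webalizer(/.*)? system_u:object_r:webalizer_var_lib_t`. Whether webalizer_var_lib_t is declared cannot be seen here — the webalizer.te hunk only changes the application_domain call — so confirm the type exists before relying on this context.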
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.12/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/file_contexts/types.fc 2005-04-21 08:22:16.000000000 -0400
@@ -58,7 +58,7 @@
#
# Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
+# we don not want to change any removable media by default.
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/mnt/[^/]*/.* <<none>>
/media(/[^/]*)? -d system_u:object_r:mnt_t
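Review bot: The rewritten comment introduces a typo: `# we don not want to change any removable media by default.` should read `# we do not want to change any removable media by default.`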
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.12/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.12/macros/base_user_macros.te 2005-04-25 14:48:28.000000000 -0400
@@ -317,7 +317,7 @@
allow $1_t devtty_t:chr_file rw_file_perms;
allow $1_t null_device_t:chr_file rw_file_perms;
allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
#
# Added to allow reading of cdrom
#
diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.23.12/macros/core_macros.te
--- nsapolicy/macros/core_macros.te 2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.12/macros/core_macros.te 2005-04-21 08:36:01.000000000 -0400
@@ -361,6 +361,7 @@
# Get the selinuxfs mount point via /proc/self/mounts.
allow $1 proc_t:dir search;
allow $1 proc_t:lnk_file read;
+allow $1 proc_t:file { getattr read };
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.12/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.12/macros/global_macros.te 2005-04-25 13:38:39.000000000 -0400
@@ -406,8 +406,19 @@
role system_r types $2_t;
+ifelse(index(`$3',`transitionbool'), -1, `
+
+domain_auto_trans($1, $2_exec_t, $2_t)
+
+', `
+
+bool $2_disable_trans false;
+
+if (! $2_disable_trans) {
domain_auto_trans($1, $2_exec_t, $2_t)
+}
+');
# Inherit and use descriptors from parent.
allow $2_t $1:fd use;
allow $2_t $1:process sigchld;
@@ -712,6 +723,7 @@
if (allow_execmod) {
# Allow text relocations on system shared libraries, e.g. libGL.
allow $1 texrel_shlib_t:file execmod;
+allow $1 home_type:file execmod;
}
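Review bot: `allow $1 home_type:file execmod;` extends the allow_execmod boolean from system shared libraries (texrel_shlib_t) to any file under a home-directory type, so a file the user can write becomes eligible for text relocation in every domain this macro is applied to; the comment above the block still says it is about system shared libraries. Either update it, e.g. `# allow_execmod also permits text relocations on files in home directories (<reason>)`, or place the home_type rule under its own boolean so the two can be controlled separately. The enclosing macro definition starts and ends outside the hunk.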
# Create/access any System V IPC objects.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.23.12/macros/program/cdrecord_macros.te
--- nsapolicy/macros/program/cdrecord_macros.te 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.12/macros/program/cdrecord_macros.te 2005-04-25 10:07:49.000000000 -0400
@@ -40,7 +40,7 @@
allow $1_cdrecord_t etc_t:file { getattr read };
# allow searching for cdrom-drive
-allow $1_cdrecord_t device_t:dir { getattr search };
+allow $1_cdrecord_t device_t:dir r_dir_perms;
allow $1_cdrecord_t device_t:lnk_file { getattr read };
# allow cdrecord to write the CD
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.12/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/macros/program/mozilla_macros.te 2005-04-22 06:57:46.000000000 -0400
@@ -32,7 +32,7 @@
file_browse_domain($1_mozilla_t)
can_network_client($1_mozilla_t)
-allow $1_mozilla_t { ftp_port_t http_port_t }:tcp_socket name_connect;
+allow $1_mozilla_t ftp_port_t:tcp_socket name_connect;
#allow $1_mozilla_t port_type:tcp_socket name_connect;
uses_shlib($1_mozilla_t)
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.12/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8 2005-04-07 22:22:56.000000000 -0400
+++ policy-1.23.12/man/man8/httpd_selinux.8 2005-04-25 13:37:04.000000000 -0400
@@ -90,6 +90,12 @@
setsebool -P httpd_can_network_connect 1
.TP
+You can disable suexec transition, set httpd_suexec_disable_trans deny this
+.br
+
+setsebool -P httpd_suexec_disable_trans 1
+
+.TP
You can disable SELinux protection for the httpd daemon by executing:
.br
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.23.12/targeted/appconfig/default_contexts
--- nsapolicy/targeted/appconfig/default_contexts 2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.12/targeted/appconfig/default_contexts 2005-04-22 14:41:39.000000000 -0400
@@ -1,5 +1,6 @@
system_r:unconfined_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
system_r:remote_login_t system_r:unconfined_t
system_r:rshd_t system_r:unconfined_t
system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.23.12/targeted/domains/program/compat.te
--- nsapolicy/targeted/domains/program/compat.te 2005-04-25 14:48:59.000000000 -0400
+++ policy-1.23.12/targeted/domains/program/compat.te 2005-04-21 14:12:14.000000000 -0400
@@ -1,7 +1,5 @@
typealias sbin_t alias setfiles_exec_t;
typealias bin_t alias mount_exec_t;
-typealias sbin_t alias restorecon_exec_t;
-typealias sbin_t alias consoletype_exec_t;
typealias bin_t alias loadkeys_exec_t;
typealias bin_t alias dmesg_exec_t;
typealias sbin_t alias fsadm_exec_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/hotplug.te policy-1.23.12/targeted/domains/program/hotplug.te
--- nsapolicy/targeted/domains/program/hotplug.te 2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.12/targeted/domains/program/hotplug.te 1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC Hotplug - Hardware event manager
-#
-# Authors: Daniel Walsh <dwalsh at redhat.com>
-#
-
-#################################
-#
-# Rules for the hotplug domain.
-#
-# hotplug_exec_t is the type of the /sbin/hotplug and other programs.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.
-#
-type hotplug_t, domain;
-type hotplug_exec_t, file_type, sysadmfile, exec_type;
-typealias var_run_t alias hotplug_var_run_t;
-typealias etc_t alias hotplug_etc_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/udev.te policy-1.23.12/targeted/domains/program/udev.te
--- nsapolicy/targeted/domains/program/udev.te 2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.12/targeted/domains/program/udev.te 1969-12-31 19:00:00.000000000 -0500
@@ -1,17 +0,0 @@
-#DESC udev - Linux configurable dynamic device naming support
-#
-# Authors: Daniel Walsh <dwalsh at redhat.com>
-#
-
-#################################
-#
-# Rules for the udev domain.
-#
-# udev_exec_t is the type of the /sbin/udev and other programs.
-# This domain is defined just for targeted policy to allow easy conversion to
-# strict policy.
-#
-type udev_exec_t, file_type, sysadmfile, exec_type;
-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
-type udev_tdb_t, file_type, sysadmfile, dev_fs;
-typealias udev_tdb_t alias udev_tbl_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.23.12/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te 2005-03-15 08:02:24.000000000 -0500
+++ policy-1.23.12/targeted/domains/program/xdm.te 2005-04-22 09:43:08.000000000 -0400
@@ -20,3 +20,4 @@
type xdm_var_lib_t, file_type, sysadmfile;
type xdm_tmp_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
+domain_auto_trans(init_t, xdm_exec_t, xdm_t)
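Review bot: The new `domain_auto_trans(init_t, xdm_exec_t, xdm_t)` has no comment explaining why init_t, and not only initrc_t, must transition into xdm_t. Presumably this covers a display manager started directly by init from inittab rather than through an init script; if so, record it: `# xdm may be started directly by init (inittab), not only via initrc scripts`. Note that elsewhere in this same patch xdm_t stays an alias of unconfined_t in the targeted policy, so the rule effectively lets init_t exec xdm_exec_t straight into unconfined_t. The file continues outside the hunk.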
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.12/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/targeted/domains/unconfined.te 2005-04-22 14:08:54.000000000 -0400
@@ -15,7 +15,7 @@
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
typealias bin_t alias su_exec_t;
-typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
typeattribute tty_device_t admin_tty_type;
typeattribute devpts_t admin_tty_type;
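Review bot: Removing `kernel_t` from the unconfined_t alias list makes the kernel domain a distinct type in the targeted policy, so every permission kernel_t previously got for free as unconfined_t (the boot-time exec of init, kernel-spawned usermode helpers, access to unlabeled objects) must now come from explicit kernel_t rules. None of those rules are in this hunk, so please confirm they exist in the kernel domain file of the same build and that the `kernel` initial SID now resolves to kernel_t rather than unconfined_t; otherwise the machine fails to boot or boots in an unexpected initial context. A one-line comment on the typealias, `# kernel_t is a real domain in targeted policy; do not alias it to unconfined_t`, would stop someone re-adding it. The rest of unconfined.te is outside the hunk.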
@@ -42,6 +42,7 @@
attribute sysadm_file_type;
allow unconfined_t unlabeled_t:filesystem *;
+allow unconfined_t self:system syslog_read;
allow unlabeled_t self:filesystem associate;
# Support NFS home directories
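Review bot: The new `allow unconfined_t self:system syslog_read;` is the only rule in this stretch without a purpose line, while its neighbour carries one (`# Support NFS home directories`). Because unconfined_t is the domain ordinary user shells run in under the targeted policy, this lets every user process pass the SELinux check for reading the kernel log buffer via syslog(2)/dmesg, leaving the kernel's own checks as the only remaining control; that is expected for an unconfined domain but should be stated: `# let unconfined processes read the kernel ring buffer (dmesg / syslog(2))`. The file continues outside the hunk.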
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/initial_sid_contexts policy-1.23.12/targeted/initial_sid_contexts
--- nsapolicy/targeted/initial_sid_contexts 2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.12/targeted/initial_sid_contexts 1969-12-31 19:00:00.000000000 -0500
@@ -1,47 +0,0 @@
-# FLASK
-
-#
-# Define the security context for each initial SID
-# sid sidname context
-
-# Initial state is unconfined in the relaxed policy.
-sid kernel user_u:system_r:unconfined_t
-sid security system_u:object_r:security_t
-sid unlabeled system_u:object_r:unlabeled_t
-sid fs system_u:object_r:fs_t
-sid file system_u:object_r:file_t
-# Persistent label mapping is gone. This initial SID can be removed.
-sid file_labels system_u:object_r:unlabeled_t
-# init_t is still used, but an initial SID is no longer required.
-sid init system_u:object_r:unlabeled_t
-# any_socket is no longer used.
-sid any_socket system_u:object_r:unlabeled_t
-sid port system_u:object_r:port_t
-sid netif system_u:object_r:netif_t
-# netmsg is no longer used.
-sid netmsg system_u:object_r:unlabeled_t
-sid node system_u:object_r:node_t
-# These sockets are now labeled with the kernel SID,
-# and do not require their own initial SIDs.
-sid igmp_packet system_u:object_r:unlabeled_t
-sid icmp_socket system_u:object_r:unlabeled_t
-sid tcp_socket system_u:object_r:unlabeled_t
-# Most of the sysctl SIDs are now computed at runtime
-# from genfs_contexts, so the corresponding initial SIDs
-# are no longer required.
-sid sysctl_modprobe system_u:object_r:unlabeled_t
-# But we still need the base sysctl initial SID as a default.
-sid sysctl system_u:object_r:sysctl_t
-sid sysctl_fs system_u:object_r:unlabeled_t
-sid sysctl_kernel system_u:object_r:unlabeled_t
-sid sysctl_net system_u:object_r:unlabeled_t
-sid sysctl_net_unix system_u:object_r:unlabeled_t
-sid sysctl_vm system_u:object_r:unlabeled_t
-sid sysctl_dev system_u:object_r:unlabeled_t
-# No longer used, can be removed.
-sid kmod system_u:object_r:unlabeled_t
-sid policy system_u:object_r:unlabeled_t
-sid scmp_packet system_u:object_r:unlabeled_t
-sid devnull system_u:object_r:null_device_t
-
-# FLASK
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.12/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.12/tunables/distro.tun 2005-04-21 08:05:17.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.12/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.12/tunables/tunable.tun 2005-04-21 08:05:17.000000000 -0400
@@ -2,7 +2,7 @@
dnl define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
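Review bot: Defining `unlimitedRPM` is a no-op for the targeted policy as patched here: in targeted/domains/unconfined.te of this same patch `rpm_t` and `rpm_script_t` remain aliases of unconfined_t, so rpm already runs unconfined regardless of the tunable. If the intent is to keep tunable.tun identical between the strict and targeted builds, say so next to the define, e.g. `# no effect in targeted (rpm_t aliases unconfined_t); kept in sync with strict`, so the next reader does not assume flipping it back confines rpm. The file continues before and after the hunk.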
@@ -20,11 +20,11 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
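Review bot: Enabling `hide_broken_symptoms` turns a set of denials into dontaudit rules, so AVC records that an incident responder or an admin debugging a failing service would otherwise see are suppressed; the existing comment asserts they are "not security risks", but the define gives no reason for flipping the upstream default here. I would add a why-line, e.g. `# Fedora default: silence known-harmless denials; rebuild without this define to see them`, and keep the switch in mind when triaging "nothing in audit.log" reports. `user_canbe_sysadm` is effectively moot in the targeted policy, where user shells already run as unconfined_t, but it widens the su/sudo/userhelper role path if this file is shared with the strict build. Both defines sit in a file that continues outside the hunk.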
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.12/types/network.te
--- nsapolicy/types/network.te 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/types/network.te 2005-04-22 06:57:20.000000000 -0400
@@ -31,6 +31,7 @@
type http_cache_port_t, port_type, reserved_port_type;
type http_port_t, port_type, reserved_port_type;
+allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
ifdef(`cyrus.te', `define(`use_pop')')
ifdef(`courier.te', `define(`use_pop')')
ifdef(`perdition.te', `define(`use_pop')')
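Review bot: The new `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` is an access rule dropped into types/network.te, which in this stretch otherwise only declares port types; allow rules for an attribute normally live with the domains or macro that grant it, where they can be gated by a boolean the way httpd's own outbound connects are (`httpd_can_network_connect`, documented elsewhere in this same patch). Placement aside, the rule is unconditional, so every domain carrying web_client_domain may now initiate connections to both the http and the http_cache (proxy) ports; if that is intended, a one-line comment naming the consumers would help: `# web clients (browsers, fetchers) may connect to HTTP and proxy ports`. The file continues outside the hunk.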
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/.cvsignore,v
retrieving revision 1.105
retrieving revision 1.106
diff -u -r1.105 -r1.106
--- .cvsignore 20 Apr 2005 20:10:29 -0000 1.105
+++ .cvsignore 25 Apr 2005 19:13:38 -0000 1.106
@@ -70,3 +70,4 @@
policy-1.23.10.tgz
policy-1.23.11.tgz
policy-1.23.12.tgz
+policy-1.23.13.tgz
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.284
retrieving revision 1.285
diff -u -r1.284 -r1.285
--- selinux-policy-targeted.spec 25 Apr 2005 17:49:34 -0000 1.284
+++ selinux-policy-targeted.spec 25 Apr 2005 19:13:38 -0000 1.285
@@ -10,15 +10,15 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
-Version: 1.23.12
-Release: 5
+Version: 1.23.13
+Release: 1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
Source1: booleans
Prefix: %{_prefix}
BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050414.patch
+Patch: policy-20050425.patch
Patch1: policy-%{type}.patch
BuildArch: noarch
@@ -234,6 +234,16 @@
exit 0
%changelog
+* Mon Apr 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-1
+- Update to latest from NSA
+ * Merged more changes from Dan Walsh to initrc_t for removal of
+ unconfined_domain.
+ * Merged Dan Walsh's split of auditd policy into auditd_t for the
+ audit daemon and auditctl_t for the autoctl program.
+ * Added use of name_connect to uncond_can_ypbind macro by Dan
+ Walsh.
+ * Merged other cleanup and fixes by Dan Walsh.
+
* Sun Apr 24 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-5
- Fix file_context conflicts for fsadm
- Add Russels patches
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/sources,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- sources 20 Apr 2005 20:10:29 -0000 1.111
+++ sources 25 Apr 2005 19:13:38 -0000 1.112
@@ -1 +1 @@
-dd9c4dfe57e741c30671e44964e623f8 policy-1.23.12.tgz
+fa4f9d32909773c63c05099a59e1b4a9 policy-1.23.13.tgz