rpms/selinux-policy-targeted/FC-3 policy-20050104.patch, 1.28, 1.29 selinux-policy-targeted.spec, 1.198, 1.199
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Apr 7 19:04:09 UTC 2005
Update of /cvs/dist/rpms/selinux-policy-targeted/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv12125
Modified Files:
policy-20050104.patch selinux-policy-targeted.spec
Log Message:
* Thu Apr 7 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-2.95
- Allow snmpd to communicate with self:fifo_file.
- Add execmod/execmem privs
policy-20050104.patch:
Makefile | 47 ++++++---
attrib.te | 3
domains/program/crond.te | 7 +
domains/program/ldconfig.te | 21 +++-
domains/program/login.te | 2
domains/program/logrotate.te | 24 ++---
domains/program/mount.te | 2
domains/program/ssh.te | 7 -
domains/program/syslogd.te | 36 +++++--
domains/program/unused/acct.te | 6 +
domains/program/unused/apache.te | 113 ++++++++++++++++++-----
domains/program/unused/arpwatch.te | 26 +++++
domains/program/unused/cups.te | 55 ++++++++++-
domains/program/unused/dhcpc.te | 5 -
domains/program/unused/dhcpd.te | 16 +++
domains/program/unused/dovecot.te | 3
domains/program/unused/ftpd.te | 2
domains/program/unused/hald.te | 3
domains/program/unused/howl.te | 2
domains/program/unused/innd.te | 7 +
domains/program/unused/ipsec.te | 9 +
domains/program/unused/iptables.te | 3
domains/program/unused/mailman.te | 23 +++-
domains/program/unused/mdadm.te | 3
domains/program/unused/mta.te | 21 +++-
domains/program/unused/mysqld.te | 7 -
domains/program/unused/named.te | 25 ++---
domains/program/unused/nscd.te | 26 +++--
domains/program/unused/ntpd.te | 21 +++-
domains/program/unused/portmap.te | 3
domains/program/unused/postfix.te | 2
domains/program/unused/postgresql.te | 47 ++++++++-
domains/program/unused/procmail.te | 1
domains/program/unused/rpcd.te | 2
domains/program/unused/rpm.te | 5 -
domains/program/unused/rsync.te | 2
domains/program/unused/samba.te | 4
domains/program/unused/sendmail.te | 2
domains/program/unused/slrnpull.te | 1
domains/program/unused/snmpd.te | 14 +-
domains/program/unused/spamd.te | 2
domains/program/unused/squid.te | 21 ++--
domains/program/unused/udev.te | 5 -
domains/program/unused/updfstab.te | 1
domains/program/unused/winbind.te | 34 +++++++
domains/program/unused/xdm.te | 4
domains/program/unused/ypbind.te | 2
domains/program/unused/ypserv.te | 7 +
domains/user.te | 6 +
file_contexts/distros.fc | 76 +++++++++++-----
file_contexts/program/apache.fc | 14 ++
file_contexts/program/arpwatch.fc | 3
file_contexts/program/cups.fc | 5 -
file_contexts/program/dhcpd.fc | 2
file_contexts/program/ipsec.fc | 11 +-
file_contexts/program/mailman.fc | 15 +--
file_contexts/program/mta.fc | 5 +
file_contexts/program/mysqld.fc | 4
file_contexts/program/named.fc | 17 ++-
file_contexts/program/nscd.fc | 3
file_contexts/program/ntpd.fc | 2
file_contexts/program/postgresql.fc | 23 +---
file_contexts/program/sendmail.fc | 1
file_contexts/program/snmpd.fc | 3
file_contexts/program/squid.fc | 2
file_contexts/program/winbind.fc | 10 ++
file_contexts/types.fc | 161 +++++++++++-----------------------
flask/access_vectors | 15 +++
macros/base_user_macros.te | 9 +
macros/core_macros.te | 2
macros/global_macros.te | 6 -
macros/program/apache_macros.te | 85 ++++++++++-------
macros/program/mount_macros.te | 2
macros/program/mozilla_macros.te | 2
macros/program/mta_macros.te | 5 -
macros/program/newrole_macros.te | 2
macros/program/spamassassin_macros.te | 5 -
macros/program/ssh_agent_macros.te | 2
macros/program/ssh_macros.te | 2
macros/program/su_macros.te | 2
macros/program/userhelper_macros.te | 3
macros/program/xauth_macros.te | 2
macros/program/xserver_macros.te | 4
macros/program/ypbind_macros.te | 24 +----
targeted/assert.te | 4
targeted/domains/program/hotplug.te | 4
targeted/domains/program/initrc.te | 2
targeted/domains/unconfined.te | 15 ++-
tunables/distro.tun | 2
tunables/tunable.tun | 21 +---
types/device.te | 6 +
types/file.te | 19 ++--
types/network.te | 2
93 files changed, 847 insertions(+), 447 deletions(-)
Index: policy-20050104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/policy-20050104.patch,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- policy-20050104.patch 30 Mar 2005 20:38:20 -0000 1.28
+++ policy-20050104.patch 7 Apr 2005 19:04:06 -0000 1.29
@@ -201,7 +201,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.17.30/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/syslogd.te 2005-03-21 23:08:51.000000000 -0500
++++ policy-1.17.30/domains/program/syslogd.te 2005-03-31 10:51:35.000000000 -0500
@@ -36,19 +36,25 @@
allow syslogd_t etc_t:file r_file_perms;
@@ -230,7 +230,25 @@
# Domains with the privlog attribute may log to syslogd.
allow privlog devlog_t:sock_file rw_file_perms;
-@@ -94,5 +100,17 @@
+@@ -73,16 +79,10 @@
+ dontaudit syslogd_t initrc_var_run_t:file write;
+ allow syslogd_t ttyfile:chr_file { getattr write };
+
+-ifdef(`klogd.te', `', `
+-# Allow access to /proc/kmsg for syslog-ng
+-allow syslogd_t proc_t:dir search;
+-allow syslogd_t proc_kmsg_t:file { getattr read };
+-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+-')
+ #
+ # Special case to handle crashes
+ #
+-allow syslogd_t { device_t file_t }:sock_file unlink;
++allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
+
+ # Allow syslog to a terminal
+ allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
+@@ -94,5 +94,21 @@
# /initrd is not umounted before minilog starts
#
dontaudit syslogd_t file_t:dir search;
@@ -246,8 +264,12 @@
+bool use_syslogng false;
+
+if (use_syslogng) {
-+allow syslogd_t proc_kmsg_t:file write;
-+allow syslogd_t self:capability { sys_admin chown };
++# Allow access to /proc/kmsg for syslog-ng
++allow syslogd_t proc_t:dir search;
++allow syslogd_t proc_kmsg_t:file { getattr read };
++allow syslogd_t kernel_t:system { syslog_mod syslog_console };
++allow syslogd_t self:capability { sys_admin chown fsetid };
++allow syslogd_t var_log_t:dir { create setattr };
+}
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/acct.te policy-1.17.30/domains/program/unused/acct.te
--- nsapolicy/domains/program/unused/acct.te 2004-10-09 21:07:28.000000000 -0400
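Review bot: The /proc/kmsg rules moved into the `if (use_syslogng)` block here were, before this commit, granted unconditionally on builds without klogd.te (the `ifdef(`klogd.te', `', ...)` block the preceding hunk removes), and `use_syslogng` stays at its default of `false`, so such a build now needs the boolean set before syslogd_t can read /proc/kmsg; neither a comment nor the changelog entry in the spec hunk says so. A one-line comment above the block, e.g. `# syslog-ng replaces sysklogd: needs /proc/kmsg, console syslog control and log-dir creation`, plus a changelog line would make the change visible. The block also adds `fsetid` and `var_log_t:dir { create setattr }`, which the old rules did not grant; a word on why syslog-ng needs them would help the next person who has to trim this set. The `bool use_syslogng false;` declaration itself predates this commit (it is outer-context here).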
@@ -1400,8 +1422,8 @@
+allow slrnpull_t slrnpull_spool_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.17.30/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/unused/snmpd.te 2005-03-21 23:08:51.000000000 -0500
-@@ -38,7 +38,7 @@
++++ policy-1.17.30/domains/program/unused/snmpd.te 2005-04-01 13:35:32.000000000 -0500
+@@ -38,19 +38,23 @@
allow snmpd_t self:unix_dgram_socket create_socket_perms;
allow snmpd_t self:unix_stream_socket create_socket_perms;
allow snmpd_t etc_t:lnk_file read;
@@ -1410,7 +1432,14 @@
allow snmpd_t urandom_device_t:chr_file read;
allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
-@@ -49,8 +49,8 @@
+ allow snmpd_t proc_t:dir search;
+ allow snmpd_t proc_t:file r_file_perms;
+ allow snmpd_t self:file { getattr read };
++allow snmpd_t self:fifo_file rw_file_perms;
++
++allow snmpd_t { bin_t sbin_t }:dir search;
++can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
+
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
r_dir_file(snmpd_t, rpm_var_lib_t)
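Review bot: The two added lines after the fifo_file rule, `allow snmpd_t { bin_t sbin_t }:dir search;` and `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })`, let the snmpd_t domain execute any bin_t/sbin_t program and a shell without a domain transition (can_exec grants execute_no_trans), which is a much wider grant than the "communicate with self:fifo_file" line in the changelog describes. Because snmpd is a network-facing daemon, the rules deserve a comment naming the feature that needs them (presumably the command-running directives in snmpd.conf — confirm) and a mention in the changelog entry. It is also worth considering placing the exec rules under a boolean, as this same commit does for syslog-ng with `use_syslogng`, so that hosts not using that feature keep the narrower policy. The enclosing inner hunk `@@ -38,19 +38,23 @@` starts in the previous outer hunk.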
@@ -1421,7 +1450,7 @@
')
')
-@@ -58,7 +58,7 @@
+@@ -58,7 +62,7 @@
allow snmpd_t initrc_var_run_t:file r_file_perms;
dontaudit snmpd_t initrc_var_run_t:file write;
dontaudit snmpd_t rpc_pipefs_t:dir getattr;
@@ -1430,7 +1459,7 @@
read_sysctl(snmpd_t)
dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
allow snmpd_t sysfs_t:dir { getattr read search };
-@@ -72,4 +72,4 @@
+@@ -72,4 +76,4 @@
dontaudit snmpd_t domain:dir { getattr search };
@@ -2440,8 +2469,8 @@
')dnl end general_domain_access
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.30/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/macros/global_macros.te 2005-03-30 14:59:58.000000000 -0500
-@@ -89,7 +89,7 @@
++++ policy-1.17.30/macros/global_macros.te 2005-04-07 14:56:52.000000000 -0400
+@@ -89,9 +89,10 @@
allow $1 ld_so_t:file rx_file_perms;
#allow $1 ld_so_t:file execute_no_trans;
allow $1 ld_so_t:lnk_file r_file_perms;
@@ -2449,8 +2478,11 @@
+allow $1 shlib_t:file { rx_file_perms execmod };
allow $1 shlib_t:lnk_file r_file_perms;
allow $1 ld_so_cache_t:file r_file_perms;
++allow $1 { ld_so_cache_t shlib_t }:file execmod;
allow $1 device_t:dir search;
-@@ -291,9 +291,7 @@
+ allow $1 null_device_t:chr_file rw_file_perms;
+ ')
+@@ -291,9 +292,7 @@
r_dir_file($1_t, sysfs_t)
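Review bot: The new `allow $1 { ld_so_cache_t shlib_t }:file execmod;` overlaps the line three above it, `allow $1 shlib_t:file { rx_file_perms execmod };`, which already grants execmod on shlib_t, so only the ld_so_cache_t part is actually new; `allow $1 ld_so_cache_t:file execmod;` would state exactly what is being added. execmod on the ld.so cache is unusual for a file that is normally only read, so a short comment recording why it is required (and which kernel produced the denial) would let a later maintainer drop it once the underlying cause is gone; if the need has not been confirmed, it is safer to leave the cache out of the rule. The enclosing macro definition (the `$1` parameter) starts outside the hunk.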
@@ -2460,7 +2492,7 @@
ifdef(`targeted_policy', `
dontaudit $1_t { tty_device_t devpts_t }:chr_file { read write };
dontaudit $1_t root_t:file { getattr read };
-@@ -396,6 +394,7 @@
+@@ -396,6 +395,7 @@
# for df
allow $1_t fs_type:filesystem getattr;
@@ -3026,7 +3058,7 @@
+typealias var_run_t alias initrc_var_run_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.17.30/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/targeted/domains/unconfined.te 2005-03-21 23:08:51.000000000 -0500
++++ policy-1.17.30/targeted/domains/unconfined.te 2005-04-07 14:56:09.000000000 -0400
@@ -4,7 +4,7 @@
# is not explicitly confined. It has no restrictions.
# It needs to be carefully protected from the confined domains.
@@ -3036,7 +3068,18 @@
role system_r types unconfined_t;
role user_r types unconfined_t;
role sysadm_r types unconfined_t;
-@@ -37,4 +37,11 @@
+@@ -17,6 +17,10 @@
+ type mount_t, domain;
+ type initrc_devpts_t, ptyfile;
+ define(`admin_tty_type', `{ tty_device_t devpts_t }')
++#
++# For FC3 we will not check execmem protections
++#
++allow domain self:process execmem;
+
+ # User home directory type.
+ type user_home_t, file_type, sysadmfile;
+@@ -37,4 +41,11 @@
user_typealias(user)
allow unconfined_t unlabeled_t:filesystem *;
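Review bot: The added `allow domain self:process execmem;` applies to every type carrying the `domain` attribute, not just unconfined_t, so it disables the execmem check for all confined daemons in the targeted policy even though it lives in unconfined.te; the comment above it only says that FC3 will not check it. Expressing it as a boolean in the style of the `use_syslogng` bool used elsewhere in this commit — e.g. `bool allow_execmem true;` and `if (allow_execmem) { allow domain self:process execmem; }` (name illustrative) — keeps the current default while letting an administrator turn the check back on with setsebool instead of a policy rebuild. The comment could also record which FC3 programs needed the exemption so the rule can be revisited. The inner hunk `@@ -17,6 +17,10 @@` is complete here, but the surrounding unconfined.te context continues outside the outer hunk.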
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/selinux-policy-targeted.spec,v
retrieving revision 1.198
retrieving revision 1.199
diff -u -r1.198 -r1.199
--- selinux-policy-targeted.spec 30 Mar 2005 20:38:20 -0000 1.198
+++ selinux-policy-targeted.spec 7 Apr 2005 19:04:06 -0000 1.199
@@ -8,7 +8,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.17.30
-Release: 2.94
+Release: 2.95
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -210,6 +210,10 @@
exit 0
%changelog
+* Thu Apr 7 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-2.95
+- Allow snmpd to communicate with self:fifo_file.
+- Add execmod/execmem privs
+
* Wed Mar 30 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-2.94
- Prepare policy for kernel rebase