rpms/selinux-policy-strict/devel policy-20050414.patch, 1.1, 1.2 selinux-policy-strict.spec, 1.279, 1.280

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Apr 15 18:26:28 UTC 2005


Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv1721

Modified Files:
	policy-20050414.patch selinux-policy-strict.spec 
Log Message:
* Fri Apr 15 2005 Dan Walsh <dwalsh at redhat.com> 1.23.11-2
- Add additional amanda rules


policy-20050414.patch:
 Makefile                                 |    6 +--
 attrib.te                                |    6 ++-
 domains/program/crond.te                 |    4 +-
 domains/program/cvs.te                   |   16 +++++++++
 domains/program/initrc.te                |    6 +--
 domains/program/load_policy.te           |    1 
 domains/program/login.te                 |    2 -
 domains/program/modutil.te               |    1 
 domains/program/ssh.te                   |    2 -
 domains/program/syslogd.te               |    2 +
 domains/program/unused/NetworkManager.te |    7 +++
 domains/program/unused/amanda.te         |   18 +++++++---
 domains/program/unused/apache.te         |    1 
 domains/program/unused/auditd.te         |   26 +++++++++++++-
 domains/program/unused/cups.te           |    8 ++--
 domains/program/unused/dmidecode.te      |    1 
 domains/program/unused/ftpd.te           |    3 -
 domains/program/unused/ntpd.te           |    2 -
 domains/program/unused/publicfile.te     |    6 ---
 domains/program/unused/rshd.te           |    4 --
 domains/program/unused/rsync.te          |    2 -
 domains/program/unused/xdm.te            |    2 -
 domains/program/useradd.te               |    4 ++
 domains/program/uucpd.te                 |   24 +++++++++++++
 file_contexts/distros.fc                 |    6 +--
 file_contexts/program/apache.fc          |    1 
 file_contexts/program/auditd.fc          |    8 +++-
 file_contexts/program/compat.fc          |   55 +++++++++++++++++++++++++++++++
 file_contexts/program/crack.fc           |    1 
 file_contexts/program/cvs.fc             |    2 +
 file_contexts/program/ftpd.fc            |    1 
 file_contexts/program/i18n_input.fc      |    1 
 file_contexts/program/lvm.fc             |    1 
 file_contexts/program/rsync.fc           |    1 
 file_contexts/program/uucpd.fc           |    5 ++
 file_contexts/types.fc                   |    6 +++
 macros/program/apache_macros.te          |    2 -
 macros/program/chkpwd_macros.te          |    1 
 macros/program/mozilla_macros.te         |    5 ++
 net_contexts                             |   12 +++++-
 targeted/domains/program/compat.te       |    9 +++++
 targeted/domains/unconfined.te           |    8 +---
 tunables/distro.tun                      |    2 -
 tunables/tunable.tun                     |    6 +--
 types/file.te                            |    3 +
 types/network.te                         |   10 ++---
 types/security.te                        |    8 ++--
 47 files changed, 243 insertions(+), 65 deletions(-)

Index: policy-20050414.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050414.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20050414.patch	14 Apr 2005 20:25:35 -0000	1.1
+++ policy-20050414.patch	15 Apr 2005 18:26:24 -0000	1.2
@@ -1,3 +1,19 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.11/attrib.te
+--- nsapolicy/attrib.te	2005-04-14 15:01:53.000000000 -0400
++++ policy-1.23.11/attrib.te	2005-04-15 10:17:43.000000000 -0400
+@@ -427,7 +427,11 @@
+ # For clients of nscd that can use shmem interface.
+ attribute nscd_shmem_domain;
+ 
+-# For labeling of content for httpd
++# For labeling of content for httpd.  This attribute is only used by
++# the httpd_unified domain, which says treat all httpdcontent the
++# same.  If you want content to be served in a "non-unified" system
++# you must specifically add "r_dir_file(httpd_t, your_content_t)" to
++# your policy.
+ attribute httpdcontent;
+ 
+ # For labeling of domains whos transition can be disabled
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.11/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-03-21 22:32:18.000000000 -0500
 +++ policy-1.23.11/domains/program/crond.te	2005-04-14 15:20:16.000000000 -0400
@@ -127,6 +143,48 @@
 +allow syslogd_t syslogd_port_t:tcp_socket name_bind;
 +allow syslogd_t rsh_port_t:tcp_socket name_connect;
  }
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.11/domains/program/unused/amanda.te
+--- nsapolicy/domains/program/unused/amanda.te	2005-03-11 15:31:06.000000000 -0500
++++ policy-1.23.11/domains/program/unused/amanda.te	2005-04-15 14:13:03.000000000 -0400
+@@ -128,10 +128,7 @@
+ 
+ # access to device_t and similar
+ allow amanda_t device_t:dir search;
+-allow amanda_t null_device_t:chr_file { getattr read write };
+ allow amanda_t devpts_t:dir getattr;
+-allow amanda_t fixed_disk_device_t:blk_file getattr;
+-allow amanda_t removable_device_t:blk_file getattr;
+ allow amanda_t devtty_t:chr_file { read write };
+ 
+ # access to boot_t
+@@ -251,6 +248,9 @@
+ allow amanda_recover_t self:fifo_file { getattr ioctl read write };
+ allow amanda_recover_t self:unix_stream_socket { connect create read write };
+ 
++allow amanda_t self:dir search;
++allow amanda_t self:file { getattr read };
++
+ 
+ # amrecover file permissions
+ ############################
+@@ -302,6 +302,16 @@
+ allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
+ 
+ allow amanda_t file_type:dir {getattr read search };
+-allow amanda_t file_type:file {getattr read };
++allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
++dontaudit amanda_t file_type:sock_file getattr;
+ logdir_domain(amanda)
+ 
++dontaudit amanda_t autofs_t:dir { getattr read };
++dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
++dontaudit amanda_t nfs_t:dir { getattr read };
++dontaudit amanda_t proc_t:dir read;
++dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
++dontaudit amanda_t security_t:dir { getattr read };
++dontaudit amanda_t sysfs_t:dir { getattr read };
++dontaudit amanda_t unlabeled_t:file getattr;
++dontaudit amanda_t usbfs_t:dir getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.11/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-04-07 22:22:55.000000000 -0400
 +++ policy-1.23.11/domains/program/unused/apache.te	2005-04-14 15:20:16.000000000 -0400
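Review bot: The replacement rule `allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };` in the third amanda.te hunk is far broader than the three device lines it supersedes: the removed rules granted amanda_t only getattr on fixed_disk_device_t and removable_device_t block nodes, while the new line grants read on every blk_file and chr_file whose type carries the file_type attribute. If device node types in this policy are declared with file_type (types/device.te is not visible here), that presumably covers raw disk and memory device nodes as well, which is more than a backup client that dumps filesystems needs. I would keep the regular-file case and name the devices explicitly, e.g. `allow amanda_t file_type:{ lnk_file file } { getattr read };` followed by `allow amanda_t { fixed_disk_device_t removable_device_t }:blk_file { getattr read };`, so the raw-device access is deliberate and reviewable. The dontaudit block that follows suppresses denials on proc_t, sysfs_t, security_t and similar directories; a one-line comment such as `# expected noise from amanda walking every mounted filesystem` above it would tell the next reader these are intentional silences rather than forgotten permissions.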


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.279
retrieving revision 1.280
diff -u -r1.279 -r1.280
--- selinux-policy-strict.spec	14 Apr 2005 20:22:37 -0000	1.279
+++ selinux-policy-strict.spec	15 Apr 2005 18:26:24 -0000	1.280
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.11
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -220,6 +220,9 @@
 exit 0
 
 %changelog
+* Fri Apr 15 2005 Dan Walsh <dwalsh at redhat.com> 1.23.11-2
+- Add additional amanda rules
+
 * Thu Apr 14 2005 Dan Walsh <dwalsh at redhat.com> 1.23.11-1
 - Fix login programs handling of audit messages
 - Update to latest from NSA



