rpms/selinux-policy-targeted/devel policy-20050414.patch, 1.7, 1.8 selinux-policy-targeted.spec, 1.281, 1.282
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Apr 22 20:26:57 UTC 2005
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv22926
Modified Files:
policy-20050414.patch selinux-policy-targeted.spec
Log Message:
* Thu Apr 21 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-3
- Add udev, hotplug, consoletype, restorecon to targeted
policy-20050414.patch:
domains/misc/kernel.te | 4 ++
domains/program/getty.te | 13 ++-------
domains/program/hostname.te | 6 +---
domains/program/init.te | 2 -
domains/program/initrc.te | 9 +++---
domains/program/klogd.te | 3 ++
domains/program/load_policy.te | 3 --
domains/program/modutil.te | 2 -
domains/program/unused/amanda.te | 18 ++++++++++---
domains/program/unused/amavis.te | 7 -----
domains/program/unused/apache.te | 18 ++++---------
domains/program/unused/auditd.te | 36 ++++++++++++++++++--------
domains/program/unused/clamav.te | 2 -
domains/program/unused/consoletype.te | 11 +++----
domains/program/unused/cups.te | 3 ++
domains/program/unused/dhcpc.te | 11 +++++--
domains/program/unused/hald.te | 4 ++
domains/program/unused/hotplug.te | 8 +----
domains/program/unused/ntpd.te | 3 --
domains/program/unused/prelink.te | 2 -
domains/program/unused/squid.te | 4 --
domains/program/unused/tinydns.te | 2 -
domains/program/unused/udev.te | 7 +++--
domains/user.te | 7 +++++
file_contexts/program/auditd.fc | 2 -
file_contexts/program/compat.fc | 5 ---
file_contexts/program/getty.fc | 2 +
file_contexts/program/i18n_input.fc | 2 -
file_contexts/program/traceroute.fc | 2 +
file_contexts/program/udev.fc | 1
file_contexts/types.fc | 2 -
macros/core_macros.te | 1
macros/program/mozilla_macros.te | 2 -
macros/program/ypbind_macros.te | 4 ++
targeted/appconfig/default_contexts | 1
targeted/domains/program/compat.te | 3 --
targeted/domains/program/hotplug.te | 17 ------------
targeted/domains/program/udev.te | 17 ------------
targeted/domains/program/xdm.te | 1
targeted/domains/unconfined.te | 3 +-
targeted/initial_sid_contexts | 47 ----------------------------------
tunables/distro.tun | 2 -
tunables/tunable.tun | 6 ++--
types/network.te | 1
44 files changed, 126 insertions(+), 180 deletions(-)
Index: policy-20050414.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050414.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-20050414.patch 21 Apr 2005 15:27:07 -0000 1.7
+++ policy-20050414.patch 22 Apr 2005 20:26:53 -0000 1.8
@@ -1,14 +1,50 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.12/domains/misc/kernel.te
+--- nsapolicy/domains/misc/kernel.te 2005-04-14 15:01:53.000000000 -0400
++++ policy-1.23.12/domains/misc/kernel.te 2005-04-22 10:14:15.000000000 -0400
+@@ -63,4 +63,6 @@
+ # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
+ can_exec(kernel_t, bin_t)
+
+-
++ifdef(`targeted_policy', `
++typeattribute kernel_t unrestricted;
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.23.12/domains/program/getty.te
--- nsapolicy/domains/program/getty.te 2005-04-14 15:01:53.000000000 -0400
-+++ policy-1.23.12/domains/program/getty.te 2005-04-21 08:05:17.000000000 -0400
-@@ -51,6 +51,7 @@
++++ policy-1.23.12/domains/program/getty.te 2005-04-22 16:17:17.000000000 -0400
+@@ -23,18 +23,9 @@
+ allow getty_t self:unix_dgram_socket create_socket_perms;
+ allow getty_t self:unix_stream_socket create_socket_perms;
+
+-# to allow w to display everyone...
+-bool user_ttyfile_stat false;
+-if (user_ttyfile_stat) {
+-allow userdomain ttyfile:chr_file getattr;
+-}
+-
+ # Use capabilities.
+ allow getty_t self:capability { dac_override chown sys_resource sys_tty_config };
+
+-# fbgetty needs fsetid for some reason
+-#allow getty_t self:capability fsetid;
+-
+ read_locale(getty_t)
+
+ # Run login in local_login_t domain.
+@@ -51,9 +42,13 @@
# Chown, chmod, read and write ttys.
allow getty_t tty_device_t:chr_file { setattr rw_file_perms };
allow getty_t ttyfile:chr_file { setattr rw_file_perms };
-+allow getty_t initrc_devpts_t:chr_file rw_file_perms;
++dontaudit getty_t initrc_devpts_t:chr_file rw_file_perms;
# for error condition handling
allow getty_t fs_t:filesystem getattr;
+
+ lock_domain(getty)
+ r_dir_file(getty_t, sysfs_t)
++# for mgetty
++var_run_domain(getty)
++allow getty_t self:capability { fowner fsetid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.23.12/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te 2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.12/domains/program/hostname.te 2005-04-21 08:05:17.000000000 -0400
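Review bot: `typeattribute kernel_t unrestricted;` in kernel.te turns kernel_t into a standalone domain carrying an attribute whose definition is not visible here, and the hunk has no comment on why; it only makes sense together with dropping kernel_t from the unconfined_t alias list in unconfined.te and deleting targeted/initial_sid_contexts later in this patch, and none of the three is mentioned in the changelog. A one-line comment above the ifdef, e.g. `# targeted: kernel_t is no longer an alias of unconfined_t (initial_sid_contexts now maps sid kernel here), so keep it unrestricted`, would let the next reader connect the three files. In the getty.te part, `allow getty_t self:capability { fowner fsetid };` reinstates the fsetid that the deleted `# fbgetty needs fsetid for some reason` comment had deliberately left commented out; the `# for mgetty` comment should name the operation that needs fowner and fsetid so the grant can be narrowed later.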
@@ -30,7 +66,7 @@
allow hostname_t userdomain:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.12/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-04-20 15:40:34.000000000 -0400
-+++ policy-1.23.12/domains/program/initrc.te 2005-04-21 08:05:17.000000000 -0400
++++ policy-1.23.12/domains/program/initrc.te 2005-04-22 15:07:04.000000000 -0400
@@ -208,6 +208,10 @@
file_type_auto_trans({ initrc_t sysadm_t }, root_t, etc_runtime_t, file)
@@ -42,7 +78,15 @@
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-@@ -287,10 +291,6 @@
+@@ -249,6 +253,7 @@
+ allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+ allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+ domain_trans(initrc_t, shell_exec_t, unconfined_t)
++allow initrc_t unconfined_t:system syslog_mod;
+ ', `
+ run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
+ ')
+@@ -287,10 +292,6 @@
r_dir_file(initrc_t,selinux_config_t)
@@ -53,6 +97,30 @@
ifdef(`unlimitedRC', `
unconfined_domain(initrc_t)
')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.12/domains/program/init.te
+--- nsapolicy/domains/program/init.te 2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.12/domains/program/init.te 2005-04-22 14:07:40.000000000 -0400
+@@ -131,10 +131,8 @@
+
+ allow init_t lib_t:file { getattr read };
+
+-ifdef(`rhgb.te', `
+ allow init_t devtty_t:chr_file { read write };
+ allow init_t ramfs_t:dir search;
+-')
+ r_dir_file(init_t, sysfs_t)
+
+ r_dir_file(init_t, selinux_config_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.12/domains/program/klogd.te
+--- nsapolicy/domains/program/klogd.te 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.12/domains/program/klogd.te 2005-04-22 14:10:06.000000000 -0400
+@@ -43,3 +43,6 @@
+ # Read /boot/System.map*
+ allow klogd_t system_map_t:file r_file_perms;
+ allow klogd_t boot_t:dir r_dir_perms;
++ifdef(`targeted_policy', `
++allow klogd_t unconfined_t:system syslog_mod;
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.23.12/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-04-20 15:40:34.000000000 -0400
+++ policy-1.23.12/domains/program/load_policy.te 2005-04-21 08:37:13.000000000 -0400
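Review bot: `allow klogd_t unconfined_t:system syslog_mod;` in klogd.te names unconfined_t as the target, but as far as I recall the kernel evaluates the `system` class syslog checks against the kernel initial SID, not against any process domain. Since this same commit stops aliasing kernel_t to unconfined_t (unconfined.te) and deletes the targeted initial_sid_contexts that mapped `sid kernel` to unconfined_t, that SID presumably resolves to kernel_t afterwards, and this rule, the matching `allow initrc_t unconfined_t:system syslog_mod;` in initrc.te and `allow unconfined_t self:system syslog_read;` in unconfined.te would no longer match; if so the target should be `kernel_t`. Worth confirming against the `sid kernel` line of the generic initial_sid_contexts, or, if kernel_t's `unrestricted` attribute already covers the target side, a comment saying so next to the rule.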
@@ -124,9 +192,39 @@
+dontaudit amanda_t sysfs_t:dir { getattr read };
+dontaudit amanda_t unlabeled_t:file getattr;
+dontaudit amanda_t usbfs_t:dir getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.12/domains/program/unused/amavis.te
+--- nsapolicy/domains/program/unused/amavis.te 2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.12/domains/program/unused/amavis.te 2005-04-22 07:09:19.000000000 -0400
+@@ -13,7 +13,7 @@
+ type amavisd_lib_t, file_type, sysadmfile;
+
+ # Virus and spam found and quarantined.
+-type amavisd_quarantine_t, file_type, sysadmfile;
++type amavisd_quarantine_t, file_type, sysadmfile, tmpfile;
+
+ # Differentiate between the port where amavisd receives mail, and the
+ # port where it returns cleaned mail back to the MTA.
+@@ -118,8 +118,3 @@
+ dontaudit amavisd_t shadow_t:file { getattr read };
+ dontaudit amavisd_t sysadm_devpts_t:chr_file { read write };
+
+-# Tmp reaper
+-ifdef(`tmpreaper.te', `
+-allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink };
+-allow tmpreaper_t amavisd_quarantine_t:file getattr;
+-')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.12/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-04-20 15:40:34.000000000 -0400
-+++ policy-1.23.12/domains/program/unused/apache.te 2005-04-21 08:05:17.000000000 -0400
++++ policy-1.23.12/domains/program/unused/apache.te 2005-04-22 11:24:55.000000000 -0400
+@@ -290,7 +290,7 @@
+ allow httpd_helper_t httpd_log_t:file { append };
+
+ ########################################
+-# When the admin starts the server, the server wants to acess
++# When the admin starts the server, the server wants to access
+ # the TTY or PTY associated with the session. The httpd appears
+ # to run correctly without this permission, so the permission
+ # are dontaudited here.
@@ -335,8 +335,8 @@
allow httpd_suexec_t { var_t var_log_t }:dir search;
allow httpd_suexec_t home_root_t:dir search;
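Review bot: Giving amavisd_quarantine_t the `tmpfile` attribute in amavis.te is broader than the explicit tmpreaper rules it replaces: every rule written against the tmpfile attribute elsewhere in the policy (not visible in this hunk) now applies to the quarantine directory, which holds detected viruses and spam, whereas the removed block only let tmpreaper_t `{ read search getattr setattr unlink }` the directory and getattr its files. If the intent is just expiry, keeping the explicit `allow tmpreaper_t amavisd_quarantine_t:dir { read search getattr setattr unlink };` pair is the narrower option; otherwise a comment such as `# tmpfile so that tmpreaper can expire quarantined items; note this also exposes the dir to every tmpfile rule` would record the trade-off.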
@@ -138,10 +236,44 @@
allow httpd_suexec_t httpd_t:fifo_file getattr;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
+@@ -361,12 +361,6 @@
+ allow httpd_suexec_t autofs_t:dir { search getattr };
+ tmp_domain(httpd_suexec)
+
+-ifdef(`mta.te', `
+-# apache should set close-on-exec
+-dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
+-dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+-')
+-
+ if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+@@ -374,7 +368,6 @@
+ if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+ create_dir_file(httpd_t, httpdcontent)
+-can_exec(httpd_t, httpdcontent )
+ }
+ if (httpd_enable_cgi) {
+ domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
+@@ -396,9 +389,10 @@
+ r_dir_file(httpd_sys_script_t, squirrelmail_spool_t)
+
+ ifdef(`mta.te', `
++# apache should set close-on-exec
++dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
++dontaudit { system_mail_t mta_user_agent } { httpd_t httpd_sys_script_t }:unix_stream_socket { read write };
+ dontaudit system_mail_t httpd_log_t:file { append getattr };
+ allow system_mail_t httpd_squirrelmail_t:file { append read };
+ dontaudit system_mail_t httpd_t:tcp_socket { read write };
+ ')
+-
+-allow httpd_t var_t:file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.12/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-04-20 15:40:34.000000000 -0400
-+++ policy-1.23.12/domains/program/unused/auditd.te 2005-04-21 08:38:21.000000000 -0400
-@@ -5,30 +5,45 @@
++++ policy-1.23.12/domains/program/unused/auditd.te 2005-04-22 14:08:06.000000000 -0400
+@@ -5,30 +5,46 @@
define(`audit_manager_domain', `
allow $1 auditd_etc_t:file rw_file_perms;
create_dir_file($1, auditd_log_t)
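Review bot: The apache.te part of this hunk quietly drops `can_exec(httpd_t, httpdcontent )` from the `httpd_enable_cgi && httpd_unified && httpd_builtin_scripting` branch and `allow httpd_t var_t:file read;` from the end of the file; both are user-visible tightenings (content no longer executable in httpd_t's own domain, no reads of plain var_t files) that the changelog does not mention. The mta.te dontaudit block is only relocated, but the two removals deserve a changelog line, or a comment in that if-block stating that scripts under httpdcontent are expected to run through the httpd_sys_script_t transition rather than be executed by httpd_t directly.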
@@ -197,10 +329,75 @@
+allow auditctl_t proc_t:dir search;
+allow auditctl_t sysctl_kernel_t:dir search;
+allow auditctl_t sysctl_kernel_t:file read;
++allow auditd_t self:process setsched;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.23.12/domains/program/unused/clamav.te
+--- nsapolicy/domains/program/unused/clamav.te 2005-04-06 06:57:44.000000000 -0400
++++ policy-1.23.12/domains/program/unused/clamav.te 2005-04-22 07:01:47.000000000 -0400
+@@ -22,7 +22,7 @@
+ # Freshclam
+ #
+
+-daemon_base_domain(freshclam)
++daemon_base_domain(freshclam, `, web_client_domain')
+ read_locale(freshclam_t)
+
+ # not sure why it needs this
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.12/domains/program/unused/consoletype.te
+--- nsapolicy/domains/program/unused/consoletype.te 2005-03-21 22:32:18.000000000 -0500
++++ policy-1.23.12/domains/program/unused/consoletype.te 2005-04-22 10:04:17.000000000 -0400
+@@ -19,19 +19,19 @@
+ uses_shlib(consoletype_t)
+ general_domain_access(consoletype_t)
+
++ifdef(`targeted_domains', `', `
+ domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
+
+-allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
+-allow consoletype_t devtty_t:chr_file { read write };
+-allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
+-
+ ifdef(`xdm.te', `
+ domain_auto_trans(xdm_t, consoletype_exec_t, consoletype_t)
+ allow consoletype_t xdm_tmp_t:file { read write };
+ ')
+
++')
++
++allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;
++
+ allow consoletype_t { kernel_t init_t initrc_t privfd sysadm_t }:fd use;
+-allow consoletype_t admin_tty_type:chr_file rw_file_perms;
+ ifdef(`hotplug.te', `
+ domain_auto_trans(hotplug_t, consoletype_exec_t, consoletype_t)
+ ')
+@@ -41,7 +41,6 @@
+
+ allow consoletype_t console_device_t:chr_file { getattr ioctl read write };
+ allow consoletype_t initrc_t:fifo_file write;
+-allow consoletype_t tty_device_t:chr_file read;
+ allow consoletype_t nfs_t:file write;
+ allow consoletype_t sysadm_t:fifo_file rw_file_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.12/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-04-20 15:40:35.000000000 -0400
-+++ policy-1.23.12/domains/program/unused/cups.te 2005-04-21 08:05:17.000000000 -0400
-@@ -254,4 +254,5 @@
++++ policy-1.23.12/domains/program/unused/cups.te 2005-04-21 13:13:45.000000000 -0400
+@@ -17,6 +17,7 @@
+ type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
+
+ can_network(cupsd_t)
++can_ypbind(cupsd_t)
+ allow cupsd_t port_type:tcp_socket name_connect;
+ logdir_domain(cupsd)
+
+@@ -203,6 +204,7 @@
+ file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+
+ can_network_tcp(cupsd_config_t)
++can_ypbind(cupsd_config_t)
+ allow cupsd_config_t port_type:tcp_socket name_connect;
+ can_tcp_connect(cupsd_config_t, cupsd_t)
+ allow cupsd_config_t self:fifo_file rw_file_perms;
+@@ -254,4 +256,5 @@
can_unix_connect(cupsd_t, initrc_t)
allow cupsd_t initrc_t:dbus send_msg;
allow initrc_t cupsd_t:dbus send_msg;
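Review bot: consoletype.te now wraps the initrc_t and xdm_t transitions in an `ifdef` keyed on `targeted_domains`, while every other conditional in this patch (kernel.te, klogd.te, apache.te, hald.te) tests `targeted_policy`. If `targeted_domains` is not a symbol the build defines, the guard is inert and both branches compile exactly as before; if it was meant to be `targeted_policy`, the `domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)` and the xdm block are excluded from targeted. The intended symbol should be confirmed and the ifdef given a comment on why those transitions are skipped under it. The consolidated `allow consoletype_t {admin_tty_type tty_device_t devtty_t initrc_devpts_t }:chr_file rw_file_perms;` also widens tty_device_t from `{ getattr ioctl write }` plus the separate `read` to full rw_file_perms, which may be intended but is worth a word in the same comment.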
@@ -208,7 +405,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.12/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-04-14 15:01:53.000000000 -0400
-+++ policy-1.23.12/domains/program/unused/dhcpc.te 2005-04-21 08:05:17.000000000 -0400
++++ policy-1.23.12/domains/program/unused/dhcpc.te 2005-04-21 13:32:59.000000000 -0400
@@ -17,7 +17,7 @@
#
type dhcpc_port_t, port_type, reserved_port_type;
@@ -262,6 +459,65 @@
')
+role sysadm_r types dhcpc_t;
+domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.12/domains/program/unused/hald.te
+--- nsapolicy/domains/program/unused/hald.te 2005-04-07 22:22:55.000000000 -0400
++++ policy-1.23.12/domains/program/unused/hald.te 2005-04-22 09:43:35.000000000 -0400
+@@ -93,3 +93,7 @@
+ ifdef(`lvm.te', `
+ allow hald_t lvm_control_t:chr_file r_file_perms;
+ ')
++ifdef(`targeted_policy', `
++allow unconfined_t hald_t:dbus send_msg;
++allow hald_t unconfined_t:dbus send_msg;
++')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.12/domains/program/unused/hotplug.te
+--- nsapolicy/domains/program/unused/hotplug.te 2005-03-11 15:31:06.000000000 -0500
++++ policy-1.23.12/domains/program/unused/hotplug.te 2005-04-22 15:31:15.000000000 -0400
+@@ -83,7 +83,9 @@
+ allow hotplug_t self:file getattr;
+
+ domain_auto_trans(kernel_t, hotplug_exec_t, hotplug_t)
++ifdef(`mount.te', `
+ domain_auto_trans(hotplug_t, mount_exec_t, mount_t)
++')
+ domain_auto_trans(hotplug_t, ifconfig_exec_t, ifconfig_t)
+ ifdef(`updfstab.te', `
+ domain_auto_trans(hotplug_t, updfstab_exec_t, updfstab_t)
+@@ -154,10 +156,4 @@
+ domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t)
+ ')
+
+-allow restorecon_t hotplug_t:fd use;
+-
+-ifdef(`unlimitedUtils', `
+-unconfined_domain(hotplug_t)
+-')
+-
+ allow kernel_t hotplug_etc_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.12/domains/program/unused/ntpd.te
+--- nsapolicy/domains/program/unused/ntpd.te 2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.12/domains/program/unused/ntpd.te 2005-04-22 11:42:46.000000000 -0400
+@@ -14,7 +14,6 @@
+
+ type ntpdate_exec_t, file_type, sysadmfile, exec_type;
+ domain_auto_trans(initrc_t, ntpdate_exec_t, ntpd_t)
+-allow sysadm_t ntp_port_t:udp_socket name_bind;
+
+ logdir_domain(ntpd)
+
+@@ -45,6 +44,7 @@
+ allow ntpd_t ntp_port_t:tcp_socket name_connect;
+ can_ypbind(ntpd_t)
+ allow ntpd_t ntp_port_t:udp_socket name_bind;
++allow sysadm_t ntp_port_t:udp_socket name_bind;
+ allow ntpd_t self:unix_dgram_socket create_socket_perms;
+ allow ntpd_t self:unix_stream_socket create_socket_perms;
+ allow ntpd_t self:netlink_route_socket r_netlink_socket_perms;
+@@ -85,4 +85,3 @@
+ allow ntpd_t winbind_var_run_t:dir r_dir_perms;
+ allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
+ ')
+-allow sysadm_t ntp_port_t:udp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.23.12/domains/program/unused/prelink.te
--- nsapolicy/domains/program/unused/prelink.te 2005-04-04 10:21:11.000000000 -0400
+++ policy-1.23.12/domains/program/unused/prelink.te 2005-04-21 08:05:17.000000000 -0400
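Review bot: hotplug.te drops the `ifdef(`unlimitedUtils', …)` block that applied `unconfined_domain(hotplug_t)`, while the udev.te part of this patch adds the identical block for udev_t, so the tunable now has opposite effects on two domains that run the same kind of device helpers and the changelog gives no reason for the asymmetry. The same hunk also removes `allow restorecon_t hotplug_t:fd use;`; if hotplug_t still execs restorecon (that transition is outside this hunk), restorecon would inherit hotplug's descriptors without permission to use them and show up as fd:use denials. A comment next to the surviving rules, e.g. `# hotplug stays confined even under unlimitedUtils; udev keeps the escape hatch`, would record the decision.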
@@ -274,6 +530,20 @@
if (allow_execmem) {
allow prelink_t self:process execmem;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.12/domains/program/unused/squid.te
+--- nsapolicy/domains/program/unused/squid.te 2005-04-04 10:21:11.000000000 -0400
++++ policy-1.23.12/domains/program/unused/squid.te 2005-04-22 06:58:24.000000000 -0400
+@@ -55,9 +55,7 @@
+ can_network(squid_t)
+ if (squid_connect_any) {
+ allow squid_t port_type:tcp_socket name_connect;
+-} else {
+-allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;
+-}
++}
+ can_ypbind(squid_t)
+ can_tcp_connect(web_client_domain, squid_t)
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/tinydns.te policy-1.23.12/domains/program/unused/tinydns.te
--- nsapolicy/domains/program/unused/tinydns.te 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.12/domains/program/unused/tinydns.te 2005-04-21 08:22:26.000000000 -0400
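Review bot: squid.te removes the `else` branch `allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;` that applied when squid_connect_any is false, apparently relying on the attribute-wide `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` added to types/network.te at the end of this patch. That only holds if squid_t carries the web_client_domain attribute, which this hunk does not show (clamav.te in the same patch has to add it explicitly via `daemon_base_domain(freshclam, `, web_client_domain')`); if squid_t lacks it, a squid with squid_connect_any=false can no longer reach upstream web servers at all. The same question applies to mozilla_macros.te, where http_port_t is dropped from the `$1_mozilla_t` name_connect rule. Please confirm the attribute on both domains, or keep the explicit port rule.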
@@ -288,7 +558,7 @@
r_dir_file(tinydns_t, tinydns_conf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.12/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-04-14 15:01:54.000000000 -0400
-+++ policy-1.23.12/domains/program/unused/udev.te 2005-04-21 08:05:17.000000000 -0400
++++ policy-1.23.12/domains/program/unused/udev.te 2005-04-21 14:29:25.000000000 -0400
@@ -33,6 +33,7 @@
allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
allow udev_t self:unix_dgram_socket create_socket_perms;
@@ -297,6 +567,44 @@
allow udev_t device_t:sock_file create_file_perms;
allow udev_t device_t:lnk_file create_lnk_perms;
allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
+@@ -75,7 +76,6 @@
+ allow udev_t initrc_var_run_t:file r_file_perms;
+ dontaudit udev_t initrc_var_run_t:file write;
+
+-domain_auto_trans(initrc_t, udev_exec_t, udev_t)
+ domain_auto_trans(kernel_t, udev_exec_t, udev_t)
+ domain_auto_trans(udev_t, restorecon_exec_t, restorecon_t)
+ ifdef(`hide_broken_symptoms', `
+@@ -86,7 +86,6 @@
+ ifdef(`xdm.te', `
+ allow udev_t xdm_var_run_t:file { getattr read };
+ ')
+-dontaudit udev_t staff_home_dir_t:dir search;
+
+ ifdef(`hotplug.te', `
+ r_dir_file(udev_t, hotplug_etc_t)
+@@ -139,3 +138,7 @@
+ ')
+ r_dir_file(udev_t, domain)
+ allow udev_t modules_dep_t:file r_file_perms;
++
++ifdef(`unlimitedUtils', `
++unconfined_domain(udev_t)
++')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.12/domains/user.te
+--- nsapolicy/domains/user.te 2005-04-14 15:01:53.000000000 -0400
++++ policy-1.23.12/domains/user.te 2005-04-22 09:41:28.000000000 -0400
+@@ -132,3 +132,10 @@
+ # "ps aux" and "ls -l /dev/pts" make too much noise without this
+ dontaudit unpriv_userdomain ptyfile:chr_file getattr;
+
++# to allow w to display everyone...
++bool user_ttyfile_stat false;
++
++if (user_ttyfile_stat) {
++allow userdomain ttyfile:chr_file getattr;
++}
++
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/auditd.fc policy-1.23.12/file_contexts/program/auditd.fc
--- nsapolicy/file_contexts/program/auditd.fc 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/file_contexts/program/auditd.fc 2005-04-21 08:05:17.000000000 -0400
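Review bot: udev.te deletes `domain_auto_trans(initrc_t, udev_exec_t, udev_t)` and keeps only the kernel_t transition, so udev started from an init script would stay in initrc_t unless that transition is declared elsewhere, which this hunk does not show; in the targeted build initrc_t is only unconfined under unlimitedRC (see the initrc.te context earlier in this patch), so device-node work done from initrc_t might start being denied. If the removal is deliberate because udev is now only kernel-spawned, a comment such as `# udev is spawned by the kernel only; init scripts stay in initrc_t` above the remaining transition would make that explicit. The new `ifdef(`unlimitedUtils', …)` block applying `unconfined_domain(udev_t)` is the mirror of the one removed from hotplug.te earlier in this patch.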
@@ -309,15 +617,28 @@
/var/log/audit(/.*)? system_u:object_r:auditd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.12/file_contexts/program/compat.fc
--- nsapolicy/file_contexts/program/compat.fc 2005-04-20 08:58:41.000000000 -0400
-+++ policy-1.23.12/file_contexts/program/compat.fc 2005-04-21 11:17:41.000000000 -0400
-@@ -6,7 +6,6 @@
++++ policy-1.23.12/file_contexts/program/compat.fc 2005-04-21 14:12:38.000000000 -0400
+@@ -4,11 +4,6 @@
+ # mount
+ /bin/mount.* -- system_u:object_r:mount_exec_t
/bin/umount.* -- system_u:object_r:mount_exec_t
- # restorecon
- /sbin/restorecon -- system_u:object_r:restorecon_exec_t
+-# restorecon
+-/sbin/restorecon -- system_u:object_r:restorecon_exec_t
-/bin/hostname -- system_u:object_r:hostname_exec_t
- # consoletype
- /sbin/consoletype -- system_u:object_r:consoletype_exec_t
+-# consoletype
+-/sbin/consoletype -- system_u:object_r:consoletype_exec_t
# loadkeys
+ /bin/unikeys -- system_u:object_r:loadkeys_exec_t
+ /bin/loadkeys -- system_u:object_r:loadkeys_exec_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/getty.fc policy-1.23.12/file_contexts/program/getty.fc
+--- nsapolicy/file_contexts/program/getty.fc 2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.12/file_contexts/program/getty.fc 2005-04-22 16:17:17.000000000 -0400
+@@ -1,3 +1,5 @@
+ # getty
+ /sbin/.*getty -- system_u:object_r:getty_exec_t
+ /etc/mgetty(/.*)? system_u:object_r:getty_etc_t
++/var/run/mgetty\.pid.* -- system_u:object_r:getty_var_run_t
++/var/log/mgetty\.log.* -- system_u:object_r:getty_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/i18n_input.fc policy-1.23.12/file_contexts/program/i18n_input.fc
--- nsapolicy/file_contexts/program/i18n_input.fc 2005-04-20 15:40:35.000000000 -0400
+++ policy-1.23.12/file_contexts/program/i18n_input.fc 2005-04-21 08:05:17.000000000 -0400
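Review bot: getty.fc now labels `/var/log/mgetty\.log.*` as getty_log_t, but the only type declaration this patch adds to getty.te is `var_run_domain(getty)` for getty_var_run_t; if getty_log_t is not already declared in the base getty.te, the file_contexts entry names an unknown type and would be rejected as an invalid context. Worth confirming, and if it is missing, adding `log_domain(getty)` next to `var_run_domain(getty)` so both new contexts are declared together. The compat.fc/compat.te removals of the restorecon and consoletype aliases match the changelog, provided the real restorecon.fc and consoletype.fc are shipped by the targeted spec (the relevant spec hunk is cut off at the end of this page).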
@@ -375,6 +696,18 @@
allow $1 self:dir search;
allow $1 self:file { getattr read };
# Access selinuxfs.
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.12/macros/program/mozilla_macros.te
+--- nsapolicy/macros/program/mozilla_macros.te 2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.12/macros/program/mozilla_macros.te 2005-04-22 06:57:46.000000000 -0400
+@@ -32,7 +32,7 @@
+ file_browse_domain($1_mozilla_t)
+
+ can_network_client($1_mozilla_t)
+-allow $1_mozilla_t { ftp_port_t http_port_t }:tcp_socket name_connect;
++allow $1_mozilla_t ftp_port_t:tcp_socket name_connect;
+ #allow $1_mozilla_t port_type:tcp_socket name_connect;
+
+ uses_shlib($1_mozilla_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ypbind_macros.te policy-1.23.12/macros/program/ypbind_macros.te
--- nsapolicy/macros/program/ypbind_macros.te 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.12/macros/program/ypbind_macros.te 2005-04-21 08:05:17.000000000 -0400
@@ -392,17 +725,149 @@
')
define(`can_ypbind', `
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.23.12/targeted/appconfig/default_contexts
+--- nsapolicy/targeted/appconfig/default_contexts 2005-02-24 14:51:10.000000000 -0500
++++ policy-1.23.12/targeted/appconfig/default_contexts 2005-04-22 14:41:39.000000000 -0400
+@@ -1,5 +1,6 @@
+ system_r:unconfined_t system_r:unconfined_t
+ system_r:initrc_t system_r:unconfined_t
++system_r:local_login_t system_r:unconfined_t
+ system_r:remote_login_t system_r:unconfined_t
+ system_r:rshd_t system_r:unconfined_t
+ system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.23.12/targeted/domains/program/compat.te
--- nsapolicy/targeted/domains/program/compat.te 2005-04-20 08:58:43.000000000 -0400
-+++ policy-1.23.12/targeted/domains/program/compat.te 2005-04-21 08:05:17.000000000 -0400
-@@ -1,7 +1,6 @@
++++ policy-1.23.12/targeted/domains/program/compat.te 2005-04-21 14:12:14.000000000 -0400
+@@ -1,8 +1,5 @@
typealias sbin_t alias setfiles_exec_t;
typealias bin_t alias mount_exec_t;
- typealias sbin_t alias restorecon_exec_t;
+-typealias sbin_t alias restorecon_exec_t;
-typealias bin_t alias hostname_exec_t;
- typealias sbin_t alias consoletype_exec_t;
+-typealias sbin_t alias consoletype_exec_t;
typealias bin_t alias loadkeys_exec_t;
typealias bin_t alias dmesg_exec_t;
+ typealias sbin_t alias fsadm_exec_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/hotplug.te policy-1.23.12/targeted/domains/program/hotplug.te
+--- nsapolicy/targeted/domains/program/hotplug.te 2005-03-11 15:31:07.000000000 -0500
++++ policy-1.23.12/targeted/domains/program/hotplug.te 1969-12-31 19:00:00.000000000 -0500
+@@ -1,17 +0,0 @@
+-#DESC Hotplug - Hardware event manager
+-#
+-# Authors: Daniel Walsh <dwalsh at redhat.com>
+-#
+-
+-#################################
+-#
+-# Rules for the hotplug domain.
+-#
+-# hotplug_exec_t is the type of the /sbin/hotplug and other programs.
+-# This domain is defined just for targeted policy to allow easy conversion to
+-# strict policy.
+-#
+-type hotplug_t, domain;
+-type hotplug_exec_t, file_type, sysadmfile, exec_type;
+-typealias var_run_t alias hotplug_var_run_t;
+-typealias etc_t alias hotplug_etc_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/udev.te policy-1.23.12/targeted/domains/program/udev.te
+--- nsapolicy/targeted/domains/program/udev.te 2005-02-24 14:51:10.000000000 -0500
++++ policy-1.23.12/targeted/domains/program/udev.te 1969-12-31 19:00:00.000000000 -0500
+@@ -1,17 +0,0 @@
+-#DESC udev - Linux configurable dynamic device naming support
+-#
+-# Authors: Daniel Walsh <dwalsh at redhat.com>
+-#
+-
+-#################################
+-#
+-# Rules for the udev domain.
+-#
+-# udev_exec_t is the type of the /sbin/udev and other programs.
+-# This domain is defined just for targeted policy to allow easy conversion to
+-# strict policy.
+-#
+-type udev_exec_t, file_type, sysadmfile, exec_type;
+-type udev_helper_exec_t, file_type, sysadmfile, exec_type;
+-type udev_tdb_t, file_type, sysadmfile, dev_fs;
+-typealias udev_tdb_t alias udev_tbl_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.23.12/targeted/domains/program/xdm.te
+--- nsapolicy/targeted/domains/program/xdm.te 2005-03-15 08:02:24.000000000 -0500
++++ policy-1.23.12/targeted/domains/program/xdm.te 2005-04-22 09:43:08.000000000 -0400
+@@ -20,3 +20,4 @@
+ type xdm_var_lib_t, file_type, sysadmfile;
+ type xdm_tmp_t, file_type, sysadmfile;
+ domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
++domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.12/targeted/domains/unconfined.te
+--- nsapolicy/targeted/domains/unconfined.te 2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.12/targeted/domains/unconfined.te 2005-04-22 14:08:54.000000000 -0400
+@@ -15,7 +15,7 @@
+ # Define some type aliases to help with compatibility with
+ # macros and domains from the "strict" policy.
+ typealias bin_t alias su_exec_t;
+-typealias unconfined_t alias { kernel_t logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
++typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+ typeattribute tty_device_t admin_tty_type;
+ typeattribute devpts_t admin_tty_type;
+
+@@ -42,6 +42,7 @@
+ attribute sysadm_file_type;
+
+ allow unconfined_t unlabeled_t:filesystem *;
++allow unconfined_t self:system syslog_read;
+ allow unlabeled_t self:filesystem associate;
+
+ # Support NFS home directories
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/initial_sid_contexts policy-1.23.12/targeted/initial_sid_contexts
+--- nsapolicy/targeted/initial_sid_contexts 2005-02-24 14:51:10.000000000 -0500
++++ policy-1.23.12/targeted/initial_sid_contexts 1969-12-31 19:00:00.000000000 -0500
+@@ -1,47 +0,0 @@
+-# FLASK
+-
+-#
+-# Define the security context for each initial SID
+-# sid sidname context
+-
+-# Initial state is unconfined in the relaxed policy.
+-sid kernel user_u:system_r:unconfined_t
+-sid security system_u:object_r:security_t
+-sid unlabeled system_u:object_r:unlabeled_t
+-sid fs system_u:object_r:fs_t
+-sid file system_u:object_r:file_t
+-# Persistent label mapping is gone. This initial SID can be removed.
+-sid file_labels system_u:object_r:unlabeled_t
+-# init_t is still used, but an initial SID is no longer required.
+-sid init system_u:object_r:unlabeled_t
+-# any_socket is no longer used.
+-sid any_socket system_u:object_r:unlabeled_t
+-sid port system_u:object_r:port_t
+-sid netif system_u:object_r:netif_t
+-# netmsg is no longer used.
+-sid netmsg system_u:object_r:unlabeled_t
+-sid node system_u:object_r:node_t
+-# These sockets are now labeled with the kernel SID,
+-# and do not require their own initial SIDs.
+-sid igmp_packet system_u:object_r:unlabeled_t
+-sid icmp_socket system_u:object_r:unlabeled_t
+-sid tcp_socket system_u:object_r:unlabeled_t
+-# Most of the sysctl SIDs are now computed at runtime
+-# from genfs_contexts, so the corresponding initial SIDs
+-# are no longer required.
+-sid sysctl_modprobe system_u:object_r:unlabeled_t
+-# But we still need the base sysctl initial SID as a default.
+-sid sysctl system_u:object_r:sysctl_t
+-sid sysctl_fs system_u:object_r:unlabeled_t
+-sid sysctl_kernel system_u:object_r:unlabeled_t
+-sid sysctl_net system_u:object_r:unlabeled_t
+-sid sysctl_net_unix system_u:object_r:unlabeled_t
+-sid sysctl_vm system_u:object_r:unlabeled_t
+-sid sysctl_dev system_u:object_r:unlabeled_t
+-# No longer used, can be removed.
+-sid kmod system_u:object_r:unlabeled_t
+-sid policy system_u:object_r:unlabeled_t
+-sid scmp_packet system_u:object_r:unlabeled_t
+-sid devnull system_u:object_r:null_device_t
+-
+-# FLASK
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.12/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.12/tunables/distro.tun 2005-04-21 08:05:17.000000000 -0400
@@ -441,3 +906,14 @@
# Allow xinetd to run unconfined, including any services it starts
# that do not have a domain transition explicitly defined.
+diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.12/types/network.te
+--- nsapolicy/types/network.te 2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.12/types/network.te 2005-04-22 06:57:20.000000000 -0400
+@@ -31,6 +31,7 @@
+ type http_cache_port_t, port_type, reserved_port_type;
+ type http_port_t, port_type, reserved_port_type;
+
++allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
+ ifdef(`cyrus.te', `define(`use_pop')')
+ ifdef(`courier.te', `define(`use_pop')')
+ ifdef(`perdition.te', `define(`use_pop')')
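Review bot: The new rule `allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;` in types/network.te is unconditional, so every domain carrying the web_client_domain attribute gains name_connect to the HTTP and HTTP-cache ports regardless of any per-domain boolean that would otherwise gate outbound web access; if that is intended, the rule deserves a comment saying so, e.g. `# Any web_client_domain member may initiate TCP connections to the http/http_cache ports (name_connect); not gated by a boolean.` The attribute itself is not declared in this hunk, so if its declaration lives in a file that is not always selected into the build, policy compilation would fail — worth confirming wherever the attribute is defined (not visible here). These added lines are a nested diff appended to policy-20050414.patch, and the inner context lines appear to have lost their leading space marker in this listing, so the patch should be applied from the repository copy rather than from this rendering.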
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.281
retrieving revision 1.282
diff -u -r1.281 -r1.282
--- selinux-policy-targeted.spec 21 Apr 2005 15:27:07 -0000 1.281
+++ selinux-policy-targeted.spec 22 Apr 2005 20:26:53 -0000 1.282
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.12
-Release: 2
+Release: 3
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -49,9 +49,10 @@
%build
mv domains/misc/*.te domains/misc/unused
+mv domains/misc/unused/kernel.te domains/misc/
mv domains/program/*.te domains/program/unused/
rm domains/*.te
-for i in amanda.te apache.te auditd.te chkpwd.te cups.te cvs.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te hostname.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te uucpd.te winbind.te ypbind.te ypserv.te zebra.te; do
+for i in amanda.te apache.te auditd.te chkpwd.te consoletype.te cups.te cvs.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te uucpd.te winbind.te ypbind.te ypserv.te zebra.te; do
mv domains/program/unused/$i domains/program/
done
rm -rf domains/program/unused
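Review bot: The expanded `for i in …` list on the new side also moves dmidecode.te, getty.te and hald.te into the targeted build, but the changelog entry added in the last hunk only names udev, hotplug, consoletype and restorecon; either the entry should list the other three newly enabled domains or their inclusion should be deferred so the packaged change matches its description. The added `mv domains/misc/unused/kernel.te domains/misc/` line likewise has no changelog mention, and since enabling a domain in targeted policy changes what is confined on every installed system, the record matters. Stylistically the single-line list is hard to review; one name per line (or a sorted shell variable) would make future additions diff cleanly — note `dmidecode.te` is inserted out of alphabetical order ahead of `dbusd.te`.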
@@ -107,7 +108,7 @@
%{_sysconfdir}/selinux/%{type}/contexts/files/homedir_template
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/files/media
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/dbus_contexts
-%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/default_contexts
+%config %{_sysconfdir}/selinux/%{type}/contexts/default_contexts
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/default_type
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/initrc_context
%config(noreplace) %{_sysconfdir}/selinux/%{type}/contexts/failsafe_context
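Review bot: Dropping `noreplace` for default_contexts changes upgrade behaviour: an administrator-edited copy is now overwritten by the packaged file (the old one kept as default_contexts.rpmsave) instead of the packaged one being left as .rpmnew, and the spec gives no reason for treating this one context file differently from its neighbours. Because default_contexts selects the domain that login sessions land in, a silently replaced local edit can change the confinement of interactive users after an upgrade; a comment above the line would record the intent, e.g. `# default_contexts is %config without noreplace: the policy's version must win on upgrade; local edits are saved as .rpmsave`. If the motivation is only the conflicting context files mentioned in the 1.23.12-2 entry, that is presumably a packaging-conflict question rather than a %config one, and worth stating either way.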
@@ -233,6 +234,9 @@
exit 0
%changelog
+* Thu Apr 21 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-3
+- Add udev, hotplug, consoletype,restorecon to targeted
+
* Thu Apr 21 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-2
- Fix conflicting context files