rpms/selinux-policy-targeted/devel policy-20050425.patch, 1.2, 1.3 selinux-policy-targeted.spec, 1.286, 1.287

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Apr 26 16:12:40 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7933

Modified Files:
	policy-20050425.patch selinux-policy-targeted.spec 
Log Message:
* Tue Apr 26 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-3
- Fix turboprint/cups integration


policy-20050425.patch:
 domains/misc/kernel.te                |    4 ++
 domains/program/fsadm.te              |    2 -
 domains/program/getty.te              |   14 ++--------
 domains/program/hostname.te           |    1 
 domains/program/init.te               |    3 --
 domains/program/initrc.te             |    1 
 domains/program/klogd.te              |    3 ++
 domains/program/load_policy.te        |    3 --
 domains/program/unused/amanda.te      |    2 +
 domains/program/unused/amavis.te      |    7 -----
 domains/program/unused/apache.te      |   16 +++--------
 domains/program/unused/apmd.te        |    1 
 domains/program/unused/auditd.te      |   15 ++++++++--
 domains/program/unused/cardmgr.te     |    4 ++
 domains/program/unused/clamav.te      |    2 -
 domains/program/unused/consoletype.te |   13 ++++-----
 domains/program/unused/cups.te        |    2 +
 domains/program/unused/cyrus.te       |    4 --
 domains/program/unused/hald.te        |    4 ++
 domains/program/unused/hotplug.te     |    8 +----
 domains/program/unused/ntpd.te        |    3 --
 domains/program/unused/portmap.te     |    5 ++-
 domains/program/unused/samba.te       |    1 
 domains/program/unused/squid.te       |    4 --
 domains/program/unused/tinydns.te     |    2 -
 domains/program/unused/udev.te        |    8 +++--
 domains/program/unused/webalizer.te   |    2 -
 domains/user.te                       |    7 +++++
 file_contexts/distros.fc              |    1 
 file_contexts/program/apache.fc       |    3 ++
 file_contexts/program/compat.fc       |   17 ++++++++----
 file_contexts/program/crack.fc        |    1 
 file_contexts/program/getty.fc        |    2 +
 file_contexts/program/lvm.fc          |    1 
 file_contexts/program/portmap.fc      |    1 
 file_contexts/program/traceroute.fc   |    1 
 file_contexts/program/webalizer.fc    |    2 +
 file_contexts/types.fc                |    8 +++++
 macros/base_user_macros.te            |    2 -
 macros/core_macros.te                 |    1 
 macros/global_macros.te               |   12 ++++++++
 macros/program/cdrecord_macros.te     |    2 -
 macros/program/mozilla_macros.te      |    2 -
 man/man8/httpd_selinux.8              |    6 ++++
 targeted/appconfig/default_contexts   |    1 
 targeted/domains/program/compat.te    |    7 -----
 targeted/domains/program/crond.te     |    2 -
 targeted/domains/program/hotplug.te   |   17 ------------
 targeted/domains/program/sendmail.te  |    3 +-
 targeted/domains/program/udev.te      |   17 ------------
 targeted/domains/program/xdm.te       |    1 
 targeted/domains/unconfined.te        |    3 +-
 targeted/initial_sid_contexts         |   47 ----------------------------------
 tunables/distro.tun                   |    2 -
 tunables/tunable.tun                  |    6 ++--
 types/network.te                      |    1 
 56 files changed, 138 insertions(+), 172 deletions(-)

Index: policy-20050425.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050425.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050425.patch	26 Apr 2005 01:40:49 -0000	1.2
+++ policy-20050425.patch	26 Apr 2005 16:12:36 -0000	1.3
@@ -1,13 +1,13 @@
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.13/domains/misc/kernel.te
 --- nsapolicy/domains/misc/kernel.te	2005-04-14 15:01:53.000000000 -0400
-+++ policy-1.23.13/domains/misc/kernel.te	2005-04-25 15:18:00.000000000 -0400
++++ policy-1.23.13/domains/misc/kernel.te	2005-04-26 10:00:08.000000000 -0400
 @@ -63,4 +63,6 @@
  # /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
  can_exec(kernel_t, bin_t)
  
 -
 +ifdef(`targeted_policy', `
-+typeattribute kernel_t unrestricted;
++unconfined_domain(kernel_t)
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.13/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-04-04 10:21:10.000000000 -0400
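Review bot: The new line `+unconfined_domain(kernel_t)` replaces the bare `unrestricted` attribute with a macro whose definition is not in this hunk (the diffstat lists a 12-line addition to macros/global_macros.te), so the permissions kernel_t gains in targeted policy cannot be checked here. Since kernel_t is the domain of kernel threads and of whatever the kernel execs through the `can_exec(kernel_t, bin_t)` just above, the ifdef block should say what the macro grants beyond the attribute, e.g. `# targeted policy: kernel_t is fully unconfined; unconfined_domain() grants more than the unrestricted attribute did (see global_macros.te)`. If the two are meant to be equivalent, state that instead so the next reader does not assume a widening.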
@@ -119,6 +119,25 @@
  read_locale(load_policy_t)
 -r_dir_file(load_policy_t, selinux_config_t)
 -allow load_policy_t proc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.13/domains/program/unused/amanda.te
+--- nsapolicy/domains/program/unused/amanda.te	2005-04-25 14:48:58.000000000 -0400
++++ policy-1.23.13/domains/program/unused/amanda.te	2005-04-26 12:02:46.000000000 -0400
+@@ -303,6 +303,7 @@
+ 
+ allow amanda_t file_type:dir {getattr read search };
+ allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
++allow amanda_t fixed_disk_device_t:blk_file getattr;
+ dontaudit amanda_t file_type:sock_file getattr;
+ logdir_domain(amanda)
+ 
+@@ -310,6 +311,7 @@
+ dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
+ dontaudit amanda_t nfs_t:dir { getattr read };
+ dontaudit amanda_t proc_t:dir read;
++dontaudit amanda_t proc_t:lnk_file read;
+ dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
+ dontaudit amanda_t security_t:dir { getattr read };
+ dontaudit amanda_t sysfs_t:dir { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.13/domains/program/unused/amavis.te
 --- nsapolicy/domains/program/unused/amavis.te	2005-04-06 06:57:44.000000000 -0400
 +++ policy-1.23.13/domains/program/unused/amavis.te	2005-04-25 15:18:00.000000000 -0400
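Review bot: `+allow amanda_t fixed_disk_device_t:blk_file getattr;` grants metadata access on raw disk nodes without saying which operation needs it, and the getattr-only scope is the important part: amanda_t already has `{ getattr read }` on file_type blk_files two lines up, and adding read on fixed_disk_device_t would expose whole-disk contents rather than files. A comment would record the intended limit, e.g. `# stat() on /dev disk nodes only; never read/write raw disks from the backup daemon`. The motivating denial is not in the diff, so adjust the wording to the actual access that was observed.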
@@ -247,6 +266,20 @@
  allow auditctl_t sysctl_kernel_t:file read;
 +allow auditd_t self:process setsched;
 +dontaudit auditctl_t init_t:fd use; 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.23.13/domains/program/unused/cardmgr.te
+--- nsapolicy/domains/program/unused/cardmgr.te	2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.13/domains/program/unused/cardmgr.te	2005-04-26 09:57:58.000000000 -0400
+@@ -61,7 +61,9 @@
+ allow cardmgr_t proc_t:file { getattr read ioctl };
+ 
+ # Read /proc/PID directories for all domains (for fuser).
+-can_ps(cardmgr_t, domain)
++can_ps(cardmgr_t, domain -unrestricted)
++dontaudit cardmgr_t unrestricted:dir search;
++
+ allow cardmgr_t device_type:{ chr_file blk_file } getattr;
+ allow cardmgr_t ttyfile:chr_file getattr;
+ dontaudit cardmgr_t ptyfile:chr_file getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.23.13/domains/program/unused/clamav.te
 --- nsapolicy/domains/program/unused/clamav.te	2005-04-06 06:57:44.000000000 -0400
 +++ policy-1.23.13/domains/program/unused/clamav.te	2005-04-25 15:18:00.000000000 -0400
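Review bot: `+can_ps(cardmgr_t, domain -unrestricted)` with `+dontaudit cardmgr_t unrestricted:dir search;` narrows cardmgr's process visibility, but the existing comment above it still reads `Read /proc/PID directories for all domains (for fuser).`, which is now wrong. Update it to something like `# Read /proc/PID for confined domains only (for fuser); unconfined processes are deliberately excluded and the resulting search denials are silenced below`. Note that the first hunk of this same patch moves kernel_t from the `unrestricted` attribute to `unconfined_domain()`; whether kernel_t is still covered by the `unrestricted` exclusion here depends on that macro, which is not visible in this diff.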
@@ -317,6 +350,33 @@
  allow cupsd_config_t port_type:tcp_socket name_connect;
  can_tcp_connect(cupsd_config_t, cupsd_t)
  allow cupsd_config_t self:fifo_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.23.13/domains/program/unused/cyrus.te
+--- nsapolicy/domains/program/unused/cyrus.te	2005-03-24 08:58:26.000000000 -0500
++++ policy-1.23.13/domains/program/unused/cyrus.te	2005-04-26 11:29:42.000000000 -0400
+@@ -15,8 +15,6 @@
+ allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+ allow cyrus_t self:process setrlimit;
+ 
+-allow initrc_su_t cyrus_var_lib_t:dir search;
+-
+ can_network(cyrus_t)
+ allow cyrus_t port_type:tcp_socket name_connect;
+ can_ypbind(cyrus_t)
+@@ -35,7 +33,6 @@
+ allow cyrus_t proc_t:file { getattr read };
+ allow cyrus_t sysadm_devpts_t:chr_file { read write };
+ 
+-allow cyrus_t staff_t:fd use;
+ allow cyrus_t var_lib_t:dir search;
+ 
+ allow cyrus_t etc_runtime_t:file { read getattr };
+@@ -43,6 +40,5 @@
+ system_crond_entry(cyrus_exec_t, cyrus_t)
+ allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
+ allow system_crond_t cyrus_var_lib_t:file create_file_perms;
+-allow system_crond_su_t cyrus_var_lib_t:dir search;
+ ')
+ allow cyrus_t mail_port_t:tcp_socket name_bind;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.13/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-04-07 22:22:55.000000000 -0400
 +++ policy-1.23.13/domains/program/unused/hald.te	2005-04-25 15:18:00.000000000 -0400
@@ -435,7 +495,16 @@
  r_dir_file(tinydns_t, tinydns_conf_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.13/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-04-25 14:48:59.000000000 -0400
-+++ policy-1.23.13/domains/program/unused/udev.te	2005-04-25 15:18:00.000000000 -0400
++++ policy-1.23.13/domains/program/unused/udev.te	2005-04-25 21:41:17.000000000 -0400
+@@ -33,7 +33,7 @@
+ allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
+ allow udev_t self:unix_dgram_socket create_socket_perms;
+ allow udev_t self:fifo_file rw_file_perms;
+-allow udev_t device_t:file rw_file_perms;
++allow udev_t device_t:file { unlink rw_file_perms };
+ allow udev_t device_t:sock_file create_file_perms;
+ allow udev_t device_t:lnk_file create_lnk_perms;
+ allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
 @@ -76,7 +76,6 @@
  allow udev_t initrc_var_run_t:file r_file_perms;
  dontaudit udev_t initrc_var_run_t:file write;
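Review bot: `+allow udev_t device_t:file { unlink rw_file_perms };` lets udev delete any regular file labeled device_t under /dev, not only the ones it manages, and nothing records which file the unlink was needed for. If that file is udev's own state (its database or a lock file), giving it a dedicated type would be the least-privilege fix; otherwise add `# udev removes stale regular files in /dev (from AVC denial: <path>)` with the real path. rw_file_perms plus unlink, presumably without create, is also an odd shape — if udev must recreate the file as well, create_file_perms is the coherent set.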
@@ -497,6 +566,16 @@
  /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
  #
  # /emul/ia32-linux/usr
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.13/file_contexts/program/apache.fc
+--- nsapolicy/file_contexts/program/apache.fc	2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.13/file_contexts/program/apache.fc	2005-04-26 11:39:32.000000000 -0400
+@@ -47,3 +47,6 @@
+ /var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+ /etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+ /var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t
++ifdef(`targeted_policy', `', `
++/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
++')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.13/file_contexts/program/compat.fc
 --- nsapolicy/file_contexts/program/compat.fc	2005-04-20 08:58:41.000000000 -0400
 +++ policy-1.23.13/file_contexts/program/compat.fc	2005-04-25 15:18:00.000000000 -0400
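Review bot: The `ifdef(`targeted_policy', `', ...)` wrapper around `/var/spool/cron/apache` gives no reason why the crontab gets user_cron_spool_t only outside targeted policy; a one-line comment above the ifdef would help, e.g. `# apache's crontab; user_cron_spool_t is not defined in targeted policy`. I am inferring that reason from the targeted crond.te hunk later in this patch, which only shows system_ and sysadm_cron_spool_t types — confirm that is the actual constraint before writing it down. Keeping the crontab out of the sysadm spool type is presumably the point, so the comment should say so.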
@@ -539,6 +618,15 @@
  /usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
  /sbin/kmodule	--	system_u:object_r:kudzu_exec_t
 +')
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/crack.fc policy-1.23.13/file_contexts/program/crack.fc
+--- nsapolicy/file_contexts/program/crack.fc	2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.13/file_contexts/program/crack.fc	2005-04-26 10:25:01.000000000 -0400
+@@ -1,4 +1,5 @@
+ # crack - for password checking
++/usr/sbin/cracklib-[a-z]*	--	system_u:object_r:crack_exec_t
+ /usr/sbin/crack_[a-z]*	--	system_u:object_r:crack_exec_t
+ /var/cache/cracklib(/.*)?	system_u:object_r:crack_db_t
+ /usr/lib(64)?/cracklib_dict.* --	system_u:object_r:crack_db_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/getty.fc policy-1.23.13/file_contexts/program/getty.fc
 --- nsapolicy/file_contexts/program/getty.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.23.13/file_contexts/program/getty.fc	2005-04-25 15:18:00.000000000 -0400
@@ -587,7 +675,7 @@
 +/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.13/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-04-20 15:40:35.000000000 -0400
-+++ policy-1.23.13/file_contexts/types.fc	2005-04-25 15:41:29.000000000 -0400
++++ policy-1.23.13/file_contexts/types.fc	2005-04-26 08:20:01.000000000 -0400
 @@ -58,7 +58,7 @@
  
  #
@@ -605,6 +693,18 @@
  /dev/ida/[^/]*	-b	system_u:object_r:fixed_disk_device_t
  /dev/dasd[^/]*	-b	system_u:object_r:fixed_disk_device_t
  /dev/flash[^/]*	-b	system_u:object_r:fixed_disk_device_t
+@@ -461,6 +462,11 @@
+ /usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
+ 
+ #
++# Turboprint
++#
++/usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t
++
++#
+ # initrd mount point, only used during boot
+ #
+ /initrd			-d	system_u:object_r:root_t
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.13/macros/base_user_macros.te
 --- nsapolicy/macros/base_user_macros.te	2005-04-14 15:01:54.000000000 -0400
 +++ policy-1.23.13/macros/base_user_macros.te	2005-04-25 15:18:00.000000000 -0400
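Review bot: `+/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t` labels every regular file in that tree as bin_t, which makes all of them executable by any domain that can_exec bin_t — presumably cupsd_t, given the cups.te change in the diffstat — even if the directory also holds data files or shared libraries. If the directory mixes filter executables with other content, narrow the pattern to the executables (`/usr/share/turboprint/lib/[^/]+ --` or the specific filter names); if everything there really is a filter, say so in the comment: `# Turboprint: its CUPS filter binaries live under share/, so label them bin_t`. The `--` qualifier also limits the match to regular files, so the lib directory itself keeps its parent's label — fine for bin_t, but worth knowing if a later rule expects the directory to be bin_t.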
@@ -711,18 +811,20 @@
  system_r:crond_t	system_r:unconfined_t
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.23.13/targeted/domains/program/compat.te
 --- nsapolicy/targeted/domains/program/compat.te	2005-04-25 14:48:59.000000000 -0400
-+++ policy-1.23.13/targeted/domains/program/compat.te	2005-04-25 15:18:00.000000000 -0400
-@@ -1,7 +1,5 @@
- typealias sbin_t alias setfiles_exec_t;
++++ policy-1.23.13/targeted/domains/program/compat.te	2005-04-26 11:45:35.000000000 -0400
+@@ -1,8 +1,3 @@
+-typealias sbin_t alias setfiles_exec_t;
  typealias bin_t alias mount_exec_t;
 -typealias sbin_t alias restorecon_exec_t;
 -typealias sbin_t alias consoletype_exec_t;
- typealias bin_t alias loadkeys_exec_t;
+-typealias bin_t alias loadkeys_exec_t;
  typealias bin_t alias dmesg_exec_t;
- typealias sbin_t alias fsadm_exec_t;
+-typealias sbin_t alias fsadm_exec_t;
+-typealias sbin_t alias kudzu_exec_t;
++typealias bin_t alias loadkeys_exec_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.13/targeted/domains/program/crond.te
 --- nsapolicy/targeted/domains/program/crond.te	2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.13/targeted/domains/program/crond.te	2005-04-25 16:05:04.000000000 -0400
++++ policy-1.23.13/targeted/domains/program/crond.te	2005-04-26 08:38:04.000000000 -0400
 @@ -18,7 +18,6 @@
  type system_cron_spool_t, file_type, sysadmfile;
  type sysadm_cron_spool_t, file_type, sysadmfile;
@@ -735,7 +837,7 @@
  allow crond_t initrc_t:dbus send_msg;
  allow crond_t unconfined_t:dbus send_msg;
  allow crond_t unconfined_t:process transition;
-+var_run_domain(crond_t)
++var_run_domain(crond)
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/hotplug.te policy-1.23.13/targeted/domains/program/hotplug.te
 --- nsapolicy/targeted/domains/program/hotplug.te	2005-03-11 15:31:07.000000000 -0500
 +++ policy-1.23.13/targeted/domains/program/hotplug.te	1969-12-31 19:00:00.000000000 -0500


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.286
retrieving revision 1.287
diff -u -r1.286 -r1.287
--- selinux-policy-targeted.spec	26 Apr 2005 01:40:49 -0000	1.286
+++ selinux-policy-targeted.spec	26 Apr 2005 16:12:36 -0000	1.287
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.13
-Release: 2
+Release: 3
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -52,7 +52,7 @@
 mv domains/misc/unused/kernel.te domains/misc/
 mv domains/program/*.te domains/program/unused/
 rm domains/*.te
-for i in amanda.te apache.te apmd.te auditd.te chkpwd.te consoletype.te cups.te cvs.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te winbind.te ypbind.te ypserv.te zebra.te; do
+for i in amanda.te apache.te apmd.te arpwatch.te auditd.te bluetooth.te checkpolicy.te cardmgr.te chkpwd.te comsat.te consoletype.te cpucontrol.te cpuspeed.te cups.te cvs.te cyrus.te dbskkd.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te fsadm.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te hwclock.te kudzu.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te load_policy.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te pppd.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te saslauthd.te samba.te setfiles.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te webalizer.te winbind.te ypbind.te ypserv.te zebra.te; do
 mv domains/program/unused/$i domains/program/ 
 done 
 rm -rf domains/program/unused 
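Review bot: The `for i in …` list is one very long line, so the domains this commit newly moves into the active set (cardmgr, cyrus, fsadm, kudzu, load_policy, setfiles, checkpolicy, webalizer, …) cannot be picked out by eye in a diff, and the changelog entry mentions only turboprint/cups. Moving a .te file out of unused/ is a security-relevant decision — presumably it confines a program that was unconfined in targeted policy, and for load_policy/setfiles/checkpolicy it governs who may change policy — so list the names one per line with `\` continuations so each addition is its own diff line, and name the newly enabled domains in the changelog. The `mv` inside the loop will also fail for any name missing under unused/; unless %prep already runs with `-e` in this rpmbuild, add `|| exit 1` so a typo in the list is not silently skipped.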
@@ -234,6 +234,9 @@
 exit 0
 
 %changelog
+* Tue Apr 26 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-3
+- Fix turboprint/cups integration
+
 * Mon Apr 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-2
 - Small fixes for targeted policy
 - Add updfstab



