rpms/selinux-policy-targeted/devel policy-20050425.patch, 1.2, 1.3 selinux-policy-targeted.spec, 1.286, 1.287
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Apr 26 16:12:40 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7933
Modified Files:
policy-20050425.patch selinux-policy-targeted.spec
Log Message:
* Tue Apr 26 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-3
- Fix turboprint/cups integration
policy-20050425.patch:
domains/misc/kernel.te | 4 ++
domains/program/fsadm.te | 2 -
domains/program/getty.te | 14 ++--------
domains/program/hostname.te | 1
domains/program/init.te | 3 --
domains/program/initrc.te | 1
domains/program/klogd.te | 3 ++
domains/program/load_policy.te | 3 --
domains/program/unused/amanda.te | 2 +
domains/program/unused/amavis.te | 7 -----
domains/program/unused/apache.te | 16 +++--------
domains/program/unused/apmd.te | 1
domains/program/unused/auditd.te | 15 ++++++++--
domains/program/unused/cardmgr.te | 4 ++
domains/program/unused/clamav.te | 2 -
domains/program/unused/consoletype.te | 13 ++++-----
domains/program/unused/cups.te | 2 +
domains/program/unused/cyrus.te | 4 --
domains/program/unused/hald.te | 4 ++
domains/program/unused/hotplug.te | 8 +----
domains/program/unused/ntpd.te | 3 --
domains/program/unused/portmap.te | 5 ++-
domains/program/unused/samba.te | 1
domains/program/unused/squid.te | 4 --
domains/program/unused/tinydns.te | 2 -
domains/program/unused/udev.te | 8 +++--
domains/program/unused/webalizer.te | 2 -
domains/user.te | 7 +++++
file_contexts/distros.fc | 1
file_contexts/program/apache.fc | 3 ++
file_contexts/program/compat.fc | 17 ++++++++----
file_contexts/program/crack.fc | 1
file_contexts/program/getty.fc | 2 +
file_contexts/program/lvm.fc | 1
file_contexts/program/portmap.fc | 1
file_contexts/program/traceroute.fc | 1
file_contexts/program/webalizer.fc | 2 +
file_contexts/types.fc | 8 +++++
macros/base_user_macros.te | 2 -
macros/core_macros.te | 1
macros/global_macros.te | 12 ++++++++
macros/program/cdrecord_macros.te | 2 -
macros/program/mozilla_macros.te | 2 -
man/man8/httpd_selinux.8 | 6 ++++
targeted/appconfig/default_contexts | 1
targeted/domains/program/compat.te | 7 -----
targeted/domains/program/crond.te | 2 -
targeted/domains/program/hotplug.te | 17 ------------
targeted/domains/program/sendmail.te | 3 +-
targeted/domains/program/udev.te | 17 ------------
targeted/domains/program/xdm.te | 1
targeted/domains/unconfined.te | 3 +-
targeted/initial_sid_contexts | 47 ----------------------------------
tunables/distro.tun | 2 -
tunables/tunable.tun | 6 ++--
types/network.te | 1
56 files changed, 138 insertions(+), 172 deletions(-)
Index: policy-20050425.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050425.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050425.patch 26 Apr 2005 01:40:49 -0000 1.2
+++ policy-20050425.patch 26 Apr 2005 16:12:36 -0000 1.3
@@ -1,13 +1,13 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.13/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-04-14 15:01:53.000000000 -0400
-+++ policy-1.23.13/domains/misc/kernel.te 2005-04-25 15:18:00.000000000 -0400
++++ policy-1.23.13/domains/misc/kernel.te 2005-04-26 10:00:08.000000000 -0400
@@ -63,4 +63,6 @@
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
can_exec(kernel_t, bin_t)
-
+ifdef(`targeted_policy', `
-+typeattribute kernel_t unrestricted;
++unconfined_domain(kernel_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.13/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-04-04 10:21:10.000000000 -0400
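Review bot: The switch from `typeattribute kernel_t unrestricted;` to `unconfined_domain(kernel_t)` in kernel.te carries no comment, and the macro's definition is not part of this hunk, so a reader cannot tell what the targeted policy now grants kernel_t. The macro is presumably defined in macros/global_macros.te, which this patch also touches; if it expands to more than the old attribute, a line such as `# targeted policy: kernel_t is fully unconfined, not just tagged unrestricted` above the call would record the intent. The cardmgr.te change in this same commit still keys on the `unrestricted` attribute (`domain -unrestricted`), so it should be confirmed that the macro keeps kernel_t in that attribute.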
@@ -119,6 +119,25 @@
read_locale(load_policy_t)
-r_dir_file(load_policy_t, selinux_config_t)
-allow load_policy_t proc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.13/domains/program/unused/amanda.te
+--- nsapolicy/domains/program/unused/amanda.te 2005-04-25 14:48:58.000000000 -0400
++++ policy-1.23.13/domains/program/unused/amanda.te 2005-04-26 12:02:46.000000000 -0400
+@@ -303,6 +303,7 @@
+
+ allow amanda_t file_type:dir {getattr read search };
+ allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
++allow amanda_t fixed_disk_device_t:blk_file getattr;
+ dontaudit amanda_t file_type:sock_file getattr;
+ logdir_domain(amanda)
+
+@@ -310,6 +311,7 @@
+ dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
+ dontaudit amanda_t nfs_t:dir { getattr read };
+ dontaudit amanda_t proc_t:dir read;
++dontaudit amanda_t proc_t:lnk_file read;
+ dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
+ dontaudit amanda_t security_t:dir { getattr read };
+ dontaudit amanda_t sysfs_t:dir { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.13/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te 2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.13/domains/program/unused/amavis.te 2005-04-25 15:18:00.000000000 -0400
@@ -247,6 +266,20 @@
allow auditctl_t sysctl_kernel_t:file read;
+allow auditd_t self:process setsched;
+dontaudit auditctl_t init_t:fd use;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.23.13/domains/program/unused/cardmgr.te
+--- nsapolicy/domains/program/unused/cardmgr.te 2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.13/domains/program/unused/cardmgr.te 2005-04-26 09:57:58.000000000 -0400
+@@ -61,7 +61,9 @@
+ allow cardmgr_t proc_t:file { getattr read ioctl };
+
+ # Read /proc/PID directories for all domains (for fuser).
+-can_ps(cardmgr_t, domain)
++can_ps(cardmgr_t, domain -unrestricted)
++dontaudit cardmgr_t unrestricted:dir search;
++
+ allow cardmgr_t device_type:{ chr_file blk_file } getattr;
+ allow cardmgr_t ttyfile:chr_file getattr;
+ dontaudit cardmgr_t ptyfile:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.23.13/domains/program/unused/clamav.te
--- nsapolicy/domains/program/unused/clamav.te 2005-04-06 06:57:44.000000000 -0400
+++ policy-1.23.13/domains/program/unused/clamav.te 2005-04-25 15:18:00.000000000 -0400
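Review bot: The comment kept above the changed rule in cardmgr.te, `# Read /proc/PID directories for all domains (for fuser).`, no longer matches the rule below it. `can_ps(cardmgr_t, domain -unrestricted)` excludes every unrestricted domain, and the added `dontaudit cardmgr_t unrestricted:dir search;` keeps the resulting denials out of the audit log. Under the targeted policy, where most processes are likely to run unrestricted, fuser invoked from cardmgr_t would then miss them without any trace. I would reword the comment to something like `# Read /proc/PID for confined domains only (for fuser); unrestricted domains are skipped and the denial is not audited.` so the reduced visibility is a documented decision.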
@@ -317,6 +350,33 @@
allow cupsd_config_t port_type:tcp_socket name_connect;
can_tcp_connect(cupsd_config_t, cupsd_t)
allow cupsd_config_t self:fifo_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.23.13/domains/program/unused/cyrus.te
+--- nsapolicy/domains/program/unused/cyrus.te 2005-03-24 08:58:26.000000000 -0500
++++ policy-1.23.13/domains/program/unused/cyrus.te 2005-04-26 11:29:42.000000000 -0400
+@@ -15,8 +15,6 @@
+ allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+ allow cyrus_t self:process setrlimit;
+
+-allow initrc_su_t cyrus_var_lib_t:dir search;
+-
+ can_network(cyrus_t)
+ allow cyrus_t port_type:tcp_socket name_connect;
+ can_ypbind(cyrus_t)
+@@ -35,7 +33,6 @@
+ allow cyrus_t proc_t:file { getattr read };
+ allow cyrus_t sysadm_devpts_t:chr_file { read write };
+
+-allow cyrus_t staff_t:fd use;
+ allow cyrus_t var_lib_t:dir search;
+
+ allow cyrus_t etc_runtime_t:file { read getattr };
+@@ -43,6 +40,5 @@
+ system_crond_entry(cyrus_exec_t, cyrus_t)
+ allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
+ allow system_crond_t cyrus_var_lib_t:file create_file_perms;
+-allow system_crond_su_t cyrus_var_lib_t:dir search;
+ ')
+ allow cyrus_t mail_port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.13/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te 2005-04-07 22:22:55.000000000 -0400
+++ policy-1.23.13/domains/program/unused/hald.te 2005-04-25 15:18:00.000000000 -0400
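Review bot: The three rules dropped from cyrus.te (`allow initrc_su_t cyrus_var_lib_t:dir search;`, `allow cyrus_t staff_t:fd use;`, `allow system_crond_su_t cyrus_var_lib_t:dir search;`) are deleted for every policy type rather than only for the targeted build. If this patch is also applied to a strict policy (not visible from this hunk), that policy loses the rules too and would start logging denials for them. The apache.fc change in this commit already shows a pattern that would keep them: an ifdef on targeted_policy with an empty first branch and the rules in the second. The third removal sits inside a block whose opening is outside the hunk, so its enclosing condition cannot be checked from here.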
@@ -435,7 +495,16 @@
r_dir_file(tinydns_t, tinydns_conf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.13/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-04-25 14:48:59.000000000 -0400
-+++ policy-1.23.13/domains/program/unused/udev.te 2005-04-25 15:18:00.000000000 -0400
++++ policy-1.23.13/domains/program/unused/udev.te 2005-04-25 21:41:17.000000000 -0400
+@@ -33,7 +33,7 @@
+ allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
+ allow udev_t self:unix_dgram_socket create_socket_perms;
+ allow udev_t self:fifo_file rw_file_perms;
+-allow udev_t device_t:file rw_file_perms;
++allow udev_t device_t:file { unlink rw_file_perms };
+ allow udev_t device_t:sock_file create_file_perms;
+ allow udev_t device_t:lnk_file create_lnk_perms;
+ allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
@@ -76,7 +76,6 @@
allow udev_t initrc_var_run_t:file r_file_perms;
dontaudit udev_t initrc_var_run_t:file write;
@@ -497,6 +566,16 @@
/usr/share/ssl/misc(/.*)? system_u:object_r:bin_t
#
# /emul/ia32-linux/usr
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.13/file_contexts/program/apache.fc
+--- nsapolicy/file_contexts/program/apache.fc 2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.13/file_contexts/program/apache.fc 2005-04-26 11:39:32.000000000 -0400
+@@ -47,3 +47,6 @@
+ /var/lib/htdig(/.*)? system_u:object_r:httpd_sys_content_t
+ /etc/htdig(/.*)? system_u:object_r:httpd_sys_content_t
+ /var/spool/gosa(/.*)? system_u:object_r:httpd_sys_script_rw_t
++ifdef(`targeted_policy', `', `
++/var/spool/cron/apache -- system_u:object_r:user_cron_spool_t
++')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.13/file_contexts/program/compat.fc
--- nsapolicy/file_contexts/program/compat.fc 2005-04-20 08:58:41.000000000 -0400
+++ policy-1.23.13/file_contexts/program/compat.fc 2005-04-25 15:18:00.000000000 -0400
@@ -539,6 +618,15 @@
/usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
/sbin/kmodule -- system_u:object_r:kudzu_exec_t
+')
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/crack.fc policy-1.23.13/file_contexts/program/crack.fc
+--- nsapolicy/file_contexts/program/crack.fc 2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.13/file_contexts/program/crack.fc 2005-04-26 10:25:01.000000000 -0400
+@@ -1,4 +1,5 @@
+ # crack - for password checking
++/usr/sbin/cracklib-[a-z]* -- system_u:object_r:crack_exec_t
+ /usr/sbin/crack_[a-z]* -- system_u:object_r:crack_exec_t
+ /var/cache/cracklib(/.*)? system_u:object_r:crack_db_t
+ /usr/lib(64)?/cracklib_dict.* -- system_u:object_r:crack_db_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/getty.fc policy-1.23.13/file_contexts/program/getty.fc
--- nsapolicy/file_contexts/program/getty.fc 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.13/file_contexts/program/getty.fc 2005-04-25 15:18:00.000000000 -0400
@@ -587,7 +675,7 @@
+/var/lib/webalizer(/.*) system_u:object_r:webalizer_var_lib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.13/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-04-20 15:40:35.000000000 -0400
-+++ policy-1.23.13/file_contexts/types.fc 2005-04-25 15:41:29.000000000 -0400
++++ policy-1.23.13/file_contexts/types.fc 2005-04-26 08:20:01.000000000 -0400
@@ -58,7 +58,7 @@
#
@@ -605,6 +693,18 @@
/dev/ida/[^/]* -b system_u:object_r:fixed_disk_device_t
/dev/dasd[^/]* -b system_u:object_r:fixed_disk_device_t
/dev/flash[^/]* -b system_u:object_r:fixed_disk_device_t
+@@ -461,6 +462,11 @@
+ /usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
+
+ #
++# Turboprint
++#
++/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
++
++#
+ # initrd mount point, only used during boot
+ #
+ /initrd -d system_u:object_r:root_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.13/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.13/macros/base_user_macros.te 2005-04-25 15:18:00.000000000 -0400
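Review bot: The new types.fc entry `/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t` labels every regular file under that directory as bin_t, not only the programs the print system has to run. bin_t is a general executable type, so any data or configuration files shipped in the same tree would also be treated as executable content by every domain allowed to execute bin_t. If only specific helpers are needed, a narrower pattern would be preferable. Otherwise the `# Turboprint` header should state the reason, e.g. `# Turboprint: filter programs under lib/ must be executable by the CUPS domains` (presumed from the changelog; confirm). The `?` is also redundant alongside `--`, since the bare directory path can never match a regular file.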
@@ -711,18 +811,20 @@
system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/compat.te policy-1.23.13/targeted/domains/program/compat.te
--- nsapolicy/targeted/domains/program/compat.te 2005-04-25 14:48:59.000000000 -0400
-+++ policy-1.23.13/targeted/domains/program/compat.te 2005-04-25 15:18:00.000000000 -0400
-@@ -1,7 +1,5 @@
- typealias sbin_t alias setfiles_exec_t;
++++ policy-1.23.13/targeted/domains/program/compat.te 2005-04-26 11:45:35.000000000 -0400
+@@ -1,8 +1,3 @@
+-typealias sbin_t alias setfiles_exec_t;
typealias bin_t alias mount_exec_t;
-typealias sbin_t alias restorecon_exec_t;
-typealias sbin_t alias consoletype_exec_t;
- typealias bin_t alias loadkeys_exec_t;
+-typealias bin_t alias loadkeys_exec_t;
typealias bin_t alias dmesg_exec_t;
- typealias sbin_t alias fsadm_exec_t;
+-typealias sbin_t alias fsadm_exec_t;
+-typealias sbin_t alias kudzu_exec_t;
++typealias bin_t alias loadkeys_exec_t;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.13/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.13/targeted/domains/program/crond.te 2005-04-25 16:05:04.000000000 -0400
++++ policy-1.23.13/targeted/domains/program/crond.te 2005-04-26 08:38:04.000000000 -0400
@@ -18,7 +18,6 @@
type system_cron_spool_t, file_type, sysadmfile;
type sysadm_cron_spool_t, file_type, sysadmfile;
@@ -735,7 +837,7 @@
allow crond_t initrc_t:dbus send_msg;
allow crond_t unconfined_t:dbus send_msg;
allow crond_t unconfined_t:process transition;
-+var_run_domain(crond_t)
++var_run_domain(crond)
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/hotplug.te policy-1.23.13/targeted/domains/program/hotplug.te
--- nsapolicy/targeted/domains/program/hotplug.te 2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.13/targeted/domains/program/hotplug.te 1969-12-31 19:00:00.000000000 -0500
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.286
retrieving revision 1.287
diff -u -r1.286 -r1.287
--- selinux-policy-targeted.spec 26 Apr 2005 01:40:49 -0000 1.286
+++ selinux-policy-targeted.spec 26 Apr 2005 16:12:36 -0000 1.287
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.13
-Release: 2
+Release: 3
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -52,7 +52,7 @@
mv domains/misc/unused/kernel.te domains/misc/
mv domains/program/*.te domains/program/unused/
rm domains/*.te
-for i in amanda.te apache.te apmd.te auditd.te chkpwd.te consoletype.te cups.te cvs.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te samba.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te winbind.te ypbind.te ypserv.te zebra.te; do
+for i in amanda.te apache.te apmd.te arpwatch.te auditd.te bluetooth.te checkpolicy.te cardmgr.te chkpwd.te comsat.te consoletype.te cpucontrol.te cpuspeed.te cups.te cvs.te cyrus.te dbskkd.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te fsadm.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te hwclock.te kudzu.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te load_policy.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te portmap.te postgresql.te pppd.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te saslauthd.te samba.te setfiles.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te webalizer.te winbind.te ypbind.te ypserv.te zebra.te; do
mv domains/program/unused/$i domains/program/
done
rm -rf domains/program/unused
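Review bot: The `for i in ...` list in this hunk moves 17 more modules into the targeted policy (arpwatch, bluetooth, checkpolicy, cardmgr, comsat, cpucontrol, cpuspeed, cyrus, dbskkd, fsadm, hwclock, kudzu, load_policy, pppd, saslauthd, setfiles, webalizer), but the changelog entry added by the same commit says only `- Fix turboprint/cups integration`. Moving a module out of unused/ compiles it into the policy, and newly confined programs are the change most likely to produce denials after an update, so this deserves its own changelog line, e.g. `- Enable additional domains in targeted policy (arpwatch, bluetooth, cyrus, pppd, ...)`. The list is also one long unsorted line (`checkpolicy.te` before `cardmgr.te`, `kudzu.te` after `hwclock.te`), which makes additions hard to audit. One name per backslash-continued line in sorted order would keep later diffs readable.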
@@ -234,6 +234,9 @@
exit 0
%changelog
+* Tue Apr 26 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-3
+- Fix turboprint/cups integration
+
* Mon Apr 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.13-2
- Small fixes for targeted policy
- Add updfstab