
rpms/selinux-policy-strict/devel policy-20050719.patch, 1.6, 1.7 selinux-policy-strict.spec, 1.362, 1.363



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv17716

Modified Files:
	policy-20050719.patch selinux-policy-strict.spec 
Log Message:
* Mon Aug 1 2005 Dan Walsh <dwalsh redhat com> 1.25.3-10
- Fixes for saslauthd, cyrus communication


policy-20050719.patch:
 domains/misc/kernel.te                   |    2 -
 domains/program/crond.te                 |    7 +++--
 domains/program/fsadm.te                 |    3 +-
 domains/program/getty.te                 |    2 -
 domains/program/hostname.te              |    1 
 domains/program/ifconfig.te              |    3 +-
 domains/program/initrc.te                |    2 -
 domains/program/modutil.te               |    2 -
 domains/program/passwd.te                |    2 -
 domains/program/restorecon.te            |    1 
 domains/program/unused/NetworkManager.te |    8 +++++
 domains/program/unused/alsa.te           |    9 +++++-
 domains/program/unused/apache.te         |    3 ++
 domains/program/unused/apmd.te           |    2 -
 domains/program/unused/certwatch.te      |   11 +++++++
 domains/program/unused/cups.te           |    1 
 domains/program/unused/cvs.te            |    9 ++++++
 domains/program/unused/cyrus.te          |   11 +++++++
 domains/program/unused/evolution.te      |    1 
 domains/program/unused/firstboot.te      |    7 -----
 domains/program/unused/ftpd.te           |    8 +----
 domains/program/unused/hald.te           |    5 +++
 domains/program/unused/hotplug.te        |    3 +-
 domains/program/unused/hwclock.te        |    1 
 domains/program/unused/ipsec.te          |    7 ++---
 domains/program/unused/kudzu.te          |    5 ++-
 domains/program/unused/lvm.te            |    2 -
 domains/program/unused/mta.te            |    4 +-
 domains/program/unused/mysqld.te         |    1 
 domains/program/unused/pamconsole.te     |    2 -
 domains/program/unused/ping.te           |    7 ++---
 domains/program/unused/postgresql.te     |    5 ++-
 domains/program/unused/pppd.te           |   34 ++++++++++++++++++++++++
 domains/program/unused/rlogind.te        |    1 
 domains/program/unused/rpm.te            |    3 +-
 domains/program/unused/rsync.te          |    4 ++
 domains/program/unused/samba.te          |    5 ++-
 domains/program/unused/saslauthd.te      |    2 +
 domains/program/unused/slocate.te        |    4 ++
 domains/program/unused/squid.te          |    1 
 domains/program/unused/thunderbird.te    |    1 
 domains/program/unused/udev.te           |    5 ++-
 domains/program/unused/vpnc.te           |   15 +++++++++-
 domains/program/unused/winbind.te        |    1 
 domains/program/useradd.te               |    1 
 file_contexts/distros.fc                 |    6 ++++
 file_contexts/program/certwatch.fc       |    3 ++
 file_contexts/program/cups.fc            |    1 
 file_contexts/program/kudzu.fc           |    1 
 file_contexts/program/postgresql.fc      |    4 ++
 file_contexts/program/pppd.fc            |   15 +++++++---
 file_contexts/program/vpnc.fc            |    1 
 file_contexts/types.fc                   |    4 +-
 genfs_contexts                           |    3 ++
 macros/admin_macros.te                   |    1 
 macros/base_user_macros.te               |   13 ---------
 macros/content_macros.te                 |    5 ++-
 macros/global_macros.te                  |   43 +++++++++++++++++++++++++++++++
 macros/network_macros.te                 |    6 ++--
 macros/program/apache_macros.te          |    3 +-
 macros/program/cdrecord_macros.te        |   17 ++++--------
 macros/program/chkpwd_macros.te          |   17 +-----------
 macros/program/ethereal_macros.te        |    7 ++---
 macros/program/evolution_macros.te       |    9 ++----
 macros/program/gconf_macros.te           |    1 
 macros/program/gnome_vfs_macros.te       |    6 ++++
 macros/program/mail_client_macros.te     |   13 +++++++--
 macros/program/mozilla_macros.te         |   13 ++++++++-
 macros/program/su_macros.te              |    8 ++++-
 macros/program/thunderbird_macros.te     |   14 +++++-----
 macros/user_macros.te                    |   18 ++----------
 net_contexts                             |    9 ------
 targeted/domains/program/crond.te        |    9 ++++--
 tunables/distro.tun                      |    2 -
 tunables/tunable.tun                     |    7 +----
 types/file.te                            |   10 +++++++
 types/network.te                         |   10 -------
 77 files changed, 330 insertions(+), 163 deletions(-)

Index: policy-20050719.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050719.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20050719.patch	28 Jul 2005 15:52:50 -0000	1.6
+++ policy-20050719.patch	1 Aug 2005 17:31:44 -0000	1.7
@@ -1,6 +1,27 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.25.3/domains/misc/kernel.te
+--- nsapolicy/domains/misc/kernel.te	2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.3/domains/misc/kernel.te	2005-08-01 10:39:07.000000000 -0400
+@@ -11,7 +11,7 @@
+ # kernel_t is the domain of kernel threads.
+ # It is also the target type when checking permissions in the system class.
+ # 
+-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
++type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
+ role system_r types kernel_t;
+ general_domain_access(kernel_t)
+ general_proc_read_access(kernel_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.25.3/domains/program/crond.te
 --- nsapolicy/domains/program/crond.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/crond.te	2005-07-27 13:44:47.000000000 -0400
++++ policy-1.25.3/domains/program/crond.te	2005-07-29 09:12:48.000000000 -0400
+@@ -44,7 +44,7 @@
+ read_locale(crond_t)
+ 
+ # Use capabilities.
+-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
++allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
+ dontaudit crond_t self:capability sys_resource;
+ 
+ # Get security policy decisions.
 @@ -201,11 +201,14 @@
  r_dir_file(system_crond_t, file_context_t)
  can_getsecurity(system_crond_t)
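Review bot: The kernel.te line drops the `ifdef(`nfs_export_all_rw',`,etc_writer')` guard and gives kernel_t the `etc_writer` attribute in every build, so kernel threads (presumably including in-kernel NFS serving, which is what the old tunable name points at) may write etc_t files even when the export tunable is off, and nothing in the hunk records why the gate was removed. If the tunable is still meant to control this, keep the original conditional form; if not, add a comment above the `type kernel_t` line stating which workload needs kernel_t to write /etc unconditionally. The crond_t `audit_control` grant in the same hunk also arrives without explanation; CAP_AUDIT_CONTROL permits changing audit rules and audit status, so the trigger should be noted inline, e.g. `# audit_control: needed by pam_loginuid to set the loginuid of cron jobs`, once confirmed against the denial that prompted it, since that denial is not shown here.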
@@ -19,7 +40,7 @@
 +can_exec(system_crond_t, httpd_modules_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.3/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/fsadm.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/fsadm.te	2005-07-29 09:31:37.000000000 -0400
 @@ -102,7 +102,7 @@
  allow fsadm_t kernel_t:system syslog_console;
  
@@ -29,6 +50,11 @@
  ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
  allow fsadm_t privfd:fd use;
  allow fsadm_t devpts_t:dir { getattr search };
+@@ -117,3 +117,4 @@
+ allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
+ allow fsadm_t usbfs_t:dir { getattr search };
+ allow fsadm_t ramfs_t:fifo_file rw_file_perms;
++allow fsadm_t v41_device_t:chr_file getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.25.3/domains/program/getty.te
 --- nsapolicy/domains/program/getty.te	2005-07-12 08:50:42.000000000 -0400
 +++ policy-1.25.3/domains/program/getty.te	2005-07-19 15:41:44.000000000 -0400
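Review bot: The new fsadm_t rule names `v41_device_t` (digit one), while the video4linux device type in this policy is spelled `v4l_device_t`; unless the digit is an artifact of this listing, checkpolicy will reject the build with an undefined type, so the line should read `allow fsadm_t v4l_device_t:chr_file getattr;`. Separately, a filesystem-admin domain stat'ing a video device is unusual enough that a comment naming the tool that does it (presumably a device scan by one of the fsadm_t utilities; confirm from the denial) would stop the next reviewer from removing it as noise.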
@@ -110,8 +136,8 @@
  allow restorecon_t etc_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.25.3/domains/program/unused/alsa.te
 --- nsapolicy/domains/program/unused/alsa.te	2005-07-05 15:25:45.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/alsa.te	2005-07-27 16:00:20.000000000 -0400
-@@ -6,12 +6,15 @@
++++ policy-1.25.3/domains/program/unused/alsa.te	2005-08-01 07:21:20.000000000 -0400
+@@ -6,12 +6,17 @@
  type alsa_t, domain, privlog, daemon;
  type alsa_exec_t, file_type, sysadmfile, exec_type;
  uses_shlib(alsa_t)
@@ -121,9 +147,11 @@
 +allow alsa_t { unpriv_userdomain self }:shm  create_shm_perms;
  allow alsa_t self:unix_stream_socket create_stream_socket_perms;
 +allow alsa_t self:unix_dgram_socket create_socket_perms;
++allow unpriv_userdomain alsa_t:sem { unix_read unix_write };
  type alsa_etc_rw_t, file_type, sysadmfile, usercanread;
  rw_dir_create_file(alsa_t,alsa_etc_rw_t)
  allow alsa_t self:capability { setgid setuid ipc_owner };
++dontaudit alsa_t self:capability sys_admin;
  allow alsa_t devpts_t:chr_file { read write };
  allow alsa_t etc_t:file { getattr read };
  domain_auto_trans(pam_console_t, alsa_exec_t, alsa_t)
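Review bot: The new `dontaudit alsa_t self:capability sys_admin;` silences a CAP_SYS_ADMIN check without saying what triggers it, and because dontaudit also hides a future genuine need, the rule should carry a one-line comment naming the call it suppresses (presumably an IPC limit probe by alsactl; confirm against the audit record). The `allow unpriv_userdomain alsa_t:sem { unix_read unix_write };` line is the first rule here letting user domains touch alsa_t IPC objects directly, next to the existing shm grant to `{ unpriv_userdomain self }`; a comment such as `# user ALSA clients share the semaphore/shm created by alsactl` would document the intended pairing.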
@@ -500,8 +528,8 @@
  ifdef(`apache.te', `
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.3/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-07-19 10:57:05.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/pppd.te	2005-07-22 07:38:03.000000000 -0400
-@@ -110,3 +110,35 @@
++++ policy-1.25.3/domains/program/unused/pppd.te	2005-07-28 15:05:54.000000000 -0400
+@@ -110,3 +110,37 @@
  domain_auto_trans(pppd_t, insmod_exec_t, insmod_t)
  ')
  }
@@ -532,7 +560,9 @@
 +# Allow pptp to append to pppd log files
 +allow pptp_t pppd_log_t:file append;
 +
++ifdef(`named.te', `
 +dontaudit ndc_t pppd_t:fd use;
++')
 +
 +# Allow /etc/ppp/ip-{up,down} to run most anything
 +type pppd_script_exec_t, file_type, sysadmfile;
@@ -605,6 +635,15 @@
  file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
  read_locale(samba_net_t) 
  allow samba_net_t samba_etc_t:file r_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/saslauthd.te policy-1.25.3/domains/program/unused/saslauthd.te
+--- nsapolicy/domains/program/unused/saslauthd.te	2005-07-19 10:57:05.000000000 -0400
++++ policy-1.25.3/domains/program/unused/saslauthd.te	2005-08-01 12:30:31.000000000 -0400
+@@ -29,3 +29,5 @@
+ if (allow_saslauthd_read_shadow) {
+ allow saslauthd_t shadow_t:file r_file_perms;
+ }
++dontaudit saslauthd_t selinux_config_t:dir search;
++dontaudit saslauthd_t selinux_config_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slocate.te policy-1.25.3/domains/program/unused/slocate.te
 --- nsapolicy/domains/program/unused/slocate.te	2005-04-27 10:28:53.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/slocate.te	2005-07-21 09:07:15.000000000 -0400
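Review bot: Both new saslauthd_t rules are `dontaudit`, so if saslauthd genuinely needs to read the SELinux configuration (libselinux reads /etc/selinux/config at initialisation, the usual source of this denial) the failure is now silent rather than fixed; that is the right choice only if the read is benign for saslauthd, and the hunk does not say which it is. Add a comment above the pair recording the reason, e.g. `# libselinux probes /etc/selinux/config at startup; saslauthd does not act on it`, and if the read turns out to matter for the cyrus hand-off named in the log message, change the pair to `allow`. The cyrus side of that fix is not in this hunk.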
@@ -671,7 +710,7 @@
  # to read the file_contexts file
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.25.3/domains/program/unused/vpnc.te
 --- nsapolicy/domains/program/unused/vpnc.te	2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/vpnc.te	2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/unused/vpnc.te	2005-08-01 07:21:32.000000000 -0400
 @@ -10,13 +10,15 @@
  # vpnc_t is the domain for the vpnc program.
  # vpnc_exec_t is the type of the vpnc executable.
@@ -712,8 +751,8 @@
 +allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
 +file_type_auto_trans(vpnc_t, etc_t, net_conf_t, file)
 +allow vpnc_t etc_t:file { execute execute_no_trans ioctl };
-+allow vpnc_t user_home_dir_t:dir search;
-+allow vpnc_t user_home_t:dir search;
++dontaudit vpnc_t home_root_t:dir search;
++dontaudit vpnc_t user_home_dir_type:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.3/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-07-19 10:57:05.000000000 -0400
 +++ policy-1.25.3/domains/program/unused/winbind.te	2005-07-19 15:41:44.000000000 -0400
@@ -917,7 +956,7 @@
  `} else {
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.3/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/global_macros.te	2005-07-25 14:22:43.000000000 -0400
++++ policy-1.25.3/macros/global_macros.te	2005-08-01 12:31:45.000000000 -0400
 @@ -595,6 +595,18 @@
  ')dnl end polyinstantiater
  
@@ -937,7 +976,7 @@
  # Define a domain that can do anything, so that it is
  # effectively unconfined by the SELinux policy.  This
  # means that it is only restricted by the normal Linux 
-@@ -708,3 +720,36 @@
+@@ -708,3 +720,34 @@
  ')
  
  ')dnl end unconfined_domain
@@ -966,9 +1005,7 @@
 +can_kerberos($1)
 +can_ldap($1)
 +can_resolve($1)
-+ifdef(`winbind.te', `
-+r_dir_file($1, winbind_var_run_t)
-+')
++can_winbind($1)
 +r_dir_file($1, cert_t)
 +allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
 +allow $1 self:capability { audit_write audit_control };
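Review bot: `can_winbind($1)` replaces an `ifdef(`winbind.te', …)`-guarded rule, but the macro's definition is outside this hunk; if can_winbind is itself only defined inside an ifdef(`winbind.te') block, a build without winbind.te leaves the literal text `can_winbind($1)` in the expanded policy for checkpolicy to reject. Verify that the definition (network_macros.te is touched in the same commit and is presumably where it lives) expands to nothing when winbind.te is absent, or keep the guard at the call site as `ifdef(`winbind.te', `can_winbind($1)')`. The macro this line belongs to starts before the hunk.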
@@ -976,7 +1013,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.3/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/network_macros.te	2005-07-25 14:53:19.000000000 -0400
++++ policy-1.25.3/macros/network_macros.te	2005-08-01 12:31:58.000000000 -0400
 @@ -16,9 +16,7 @@
  # Allow the domain to send or receive using any network interface.
  # netif_type is a type attribute for all network interface types.
@@ -1202,8 +1239,8 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.3/macros/program/mozilla_macros.te
 --- nsapolicy/macros/program/mozilla_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/macros/program/mozilla_macros.te	2005-07-19 15:43:10.000000000 -0400
-@@ -130,8 +130,12 @@
++++ policy-1.25.3/macros/program/mozilla_macros.te	2005-07-29 09:37:24.000000000 -0400
+@@ -130,12 +130,23 @@
  domain_auto_trans($1_mozilla_t, evolution_webcal_exec_t, $1_evolution_webcal_t)
  ') dnl if evolution.te
  
@@ -1217,6 +1254,17 @@
  }
  allow $1_mozilla_t texrel_shlib_t:file execmod;
  
++ifdef(`dbusd.te', `
+ dbusd_client(system, $1_mozilla)
++allow $1_mozilla_t system_dbusd_t:dbus send_msg;
++ifdef(`cups.te', `
++allow cupsd_t $1_mozilla_t:dbus send_msg;
++')
++')
++
+ ifdef(`apache.te', `
+ ifelse($1, sysadm, `', `
+ r_dir_file($1_mozilla_t, { httpd_$1_script_exec_t httpd_$1_content_t })
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.25.3/macros/program/su_macros.te
 --- nsapolicy/macros/program/su_macros.te	2005-05-25 11:28:11.000000000 -0400
 +++ policy-1.25.3/macros/program/su_macros.te	2005-07-25 14:18:04.000000000 -0400
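Review bot: `allow cupsd_t $1_mozilla_t:dbus send_msg;` is written in the daemon-to-browser direction with no matching browser-to-cupsd rule, so its purpose is not clear from the hunk (presumably cupsd's D-Bus signals about printer changes reaching the browser, or replies to queries the browser sends via system_dbusd_t); it should carry a comment stating which message flow it serves, e.g. `# cupsd signals printer changes on the system bus; mozilla subscribes`, once confirmed against the denial that motivated it. The `ifdef(`dbusd.te'` wrapper correctly guards both new rules, but the hunk header counts 6 old lines while more than six lines show a context marker, so some `+` markers appear to have been lost in this listing; the `dbusd_client(system, $1_mozilla)` call and the apache block are likely new as well and should be reviewed as such. The enclosing mozilla macro starts before the hunk.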


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.362
retrieving revision 1.363
diff -u -r1.362 -r1.363
--- selinux-policy-strict.spec	28 Jul 2005 15:52:50 -0000	1.362
+++ selinux-policy-strict.spec	1 Aug 2005 17:31:44 -0000	1.363
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.3
-Release: 8
+Release: 10
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -236,6 +236,12 @@
 exit 0
 
 %changelog
+* Mon Aug 1 2005 Dan Walsh <dwalsh redhat com> 1.25.3-10
+- Fixes for saslauthd, cyrus communication
+
+* Thu Jul 28 2005 Dan Walsh <dwalsh redhat com> 1.25.3-9
+- Bump for FC4
+
 * Thu Jul 28 2005 Dan Walsh <dwalsh redhat com> 1.25.3-8
 - Fixes for cups, hwclock, system_passwd, samba_net
 

