rpms/selinux-policy-targeted/devel policy-20050719.patch, 1.8, 1.9 selinux-policy-targeted.spec, 1.358, 1.359
fedora-cvs-commits at redhat.com
Tue Aug 2 18:28:24 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv11135
Modified Files:
policy-20050719.patch selinux-policy-targeted.spec
Log Message:
* Tue Aug 2 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-11
- Fix NetworkManager-vpnc stuff
policy-20050719.patch:
domains/misc/kernel.te | 2 -
domains/program/crond.te | 7 +++--
domains/program/fsadm.te | 3 +-
domains/program/getty.te | 2 -
domains/program/hostname.te | 1
domains/program/ifconfig.te | 3 +-
domains/program/initrc.te | 2 -
domains/program/modutil.te | 2 -
domains/program/passwd.te | 2 -
domains/program/restorecon.te | 1
domains/program/unused/NetworkManager.te | 15 +++++++++-
domains/program/unused/alsa.te | 9 +++++-
domains/program/unused/apache.te | 3 ++
domains/program/unused/apmd.te | 4 ++
domains/program/unused/backup.te | 2 +
domains/program/unused/bootloader.te | 2 +
domains/program/unused/cardmgr.te | 2 +
domains/program/unused/certwatch.te | 11 +++++++
domains/program/unused/clockspeed.te | 3 +-
domains/program/unused/cups.te | 1
domains/program/unused/cvs.te | 9 ++++++
domains/program/unused/cyrus.te | 11 +++++++
domains/program/unused/dhcpc.te | 4 +-
domains/program/unused/evolution.te | 1
domains/program/unused/firstboot.te | 7 -----
domains/program/unused/ftpd.te | 8 +----
domains/program/unused/hald.te | 5 +++
domains/program/unused/hotplug.te | 3 +-
domains/program/unused/hwclock.te | 3 ++
domains/program/unused/ipsec.te | 7 ++---
domains/program/unused/kudzu.te | 7 +++--
domains/program/unused/lvm.te | 2 -
domains/program/unused/mta.te | 4 +-
domains/program/unused/mysqld.te | 1
domains/program/unused/pamconsole.te | 2 -
domains/program/unused/ping.te | 7 ++---
domains/program/unused/postgresql.te | 5 ++-
domains/program/unused/pppd.te | 34 ++++++++++++++++++++++++
domains/program/unused/rlogind.te | 1
domains/program/unused/rpm.te | 3 +-
domains/program/unused/rsync.te | 4 ++
domains/program/unused/samba.te | 5 ++-
domains/program/unused/saslauthd.te | 2 +
domains/program/unused/slocate.te | 4 ++
domains/program/unused/squid.te | 1
domains/program/unused/thunderbird.te | 1
domains/program/unused/udev.te | 5 ++-
domains/program/unused/vpnc.te | 15 +++++++++-
domains/program/unused/winbind.te | 1
domains/program/useradd.te | 1
file_contexts/distros.fc | 6 ++++
file_contexts/program/certwatch.fc | 3 ++
file_contexts/program/cups.fc | 1
file_contexts/program/kudzu.fc | 1
file_contexts/program/postgresql.fc | 4 ++
file_contexts/program/pppd.fc | 15 +++++++---
file_contexts/program/vpnc.fc | 1
file_contexts/types.fc | 4 +-
genfs_contexts | 3 ++
macros/admin_macros.te | 1
macros/base_user_macros.te | 13 ---------
macros/content_macros.te | 5 ++-
macros/global_macros.te | 43 +++++++++++++++++++++++++++++++
macros/network_macros.te | 6 ++--
macros/program/apache_macros.te | 3 +-
macros/program/cdrecord_macros.te | 17 ++++--------
macros/program/chkpwd_macros.te | 17 +-----------
macros/program/ethereal_macros.te | 7 ++---
macros/program/evolution_macros.te | 9 ++----
macros/program/gconf_macros.te | 1
macros/program/gnome_vfs_macros.te | 6 ++++
macros/program/mail_client_macros.te | 13 +++++++--
macros/program/mozilla_macros.te | 13 ++++++++-
macros/program/su_macros.te | 8 ++++-
macros/program/thunderbird_macros.te | 14 +++++-----
macros/user_macros.te | 18 ++----------
net_contexts | 9 ------
targeted/domains/program/crond.te | 9 ++++--
tunables/distro.tun | 2 -
tunables/tunable.tun | 7 +----
types/file.te | 10 +++++++
types/network.te | 10 -------
82 files changed, 351 insertions(+), 168 deletions(-)
Index: policy-20050719.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050719.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20050719.patch 1 Aug 2005 17:40:13 -0000 1.8
+++ policy-20050719.patch 2 Aug 2005 18:28:19 -0000 1.9
@@ -172,8 +172,17 @@
can_unix_connect(httpd_php_t, mysqld_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.3/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/apmd.te 2005-07-19 15:41:44.000000000 -0400
-@@ -23,7 +23,7 @@
++++ policy-1.25.3/domains/program/unused/apmd.te 2005-08-02 11:05:02.000000000 -0400
+@@ -16,14 +16,16 @@
+
+ type apm_t, domain, privlog;
+ type apm_exec_t, file_type, sysadmfile, exec_type;
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, apm_exec_t, apm_t)
++')
+ uses_shlib(apm_t)
+ allow apm_t privfd:fd use;
+ allow apm_t admin_tty_type:chr_file rw_file_perms;
allow apm_t device_t:dir search;
allow apm_t self:capability { dac_override sys_admin };
allow apm_t proc_t:dir search;
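Review bot: The new `ifdef(`targeted_policy', `', `...')` guard around `domain_auto_trans(sysadm_t, apm_exec_t, apm_t)` carries no comment saying why the sysadm_t transition is dropped in targeted builds; presumably because sysadm_t is not a separately confined domain there, but a reader of apmd.te alone cannot tell. A one-line comment above the guard, such as `# targeted policy: no sysadm_t -> apm_t transition (sysadm_t is not a confined domain there) -- confirm`, would make the intent explicit. The same unexplained guard is repeated verbatim in the backup.te, bootloader.te, cardmgr.te, clockspeed.te, hwclock.te and kudzu.te hunks below; since the pattern is identical, a small m4 macro in macros/global_macros.te taking (exec type, domain) would keep it in one place. Note that `role sysadm_r types apm_t;` stays unconditional in each of these files, which appears harmless but leaves a role/domain association with no transition path into it under targeted policy.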
@@ -182,6 +191,45 @@
allow apm_t fs_t:filesystem getattr;
allow apm_t apm_bios_t:chr_file rw_file_perms;
role sysadm_r types apm_t;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.25.3/domains/program/unused/backup.te
+--- nsapolicy/domains/program/unused/backup.te 2005-04-27 10:28:49.000000000 -0400
++++ policy-1.25.3/domains/program/unused/backup.te 2005-08-02 11:05:32.000000000 -0400
+@@ -16,7 +16,9 @@
+ role system_r types backup_t;
+ role sysadm_r types backup_t;
+
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, backup_exec_t, backup_t)
++')
+ allow backup_t privfd:fd use;
+ ifdef(`crond.te', `
+ system_crond_entry(backup_exec_t, backup_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bootloader.te policy-1.25.3/domains/program/unused/bootloader.te
+--- nsapolicy/domains/program/unused/bootloader.te 2005-04-27 10:28:49.000000000 -0400
++++ policy-1.25.3/domains/program/unused/bootloader.te 2005-08-02 11:05:41.000000000 -0400
+@@ -24,7 +24,9 @@
+ # for nscd
+ dontaudit bootloader_t var_run_t:dir search;
+
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, bootloader_exec_t, bootloader_t)
++')
+ allow bootloader_t { initrc_t privfd }:fd use;
+
+ tmp_domain(bootloader, `, device_type', { dir file lnk_file chr_file blk_file })
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cardmgr.te policy-1.25.3/domains/program/unused/cardmgr.te
+--- nsapolicy/domains/program/unused/cardmgr.te 2005-05-02 14:06:54.000000000 -0400
++++ policy-1.25.3/domains/program/unused/cardmgr.te 2005-08-02 11:05:50.000000000 -0400
+@@ -15,7 +15,9 @@
+ allow cardmgr_t urandom_device_t:chr_file read;
+
+ type cardctl_exec_t, file_type, sysadmfile, exec_type;
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, cardctl_exec_t, cardmgr_t)
++')
+ role sysadm_r types cardmgr_t;
+ allow cardmgr_t admin_tty_type:chr_file { read write };
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/certwatch.te policy-1.25.3/domains/program/unused/certwatch.te
--- nsapolicy/domains/program/unused/certwatch.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.25.3/domains/program/unused/certwatch.te 2005-07-27 13:40:10.000000000 -0400
@@ -197,6 +245,17 @@
+can_exec(certwatch_t, httpd_modules_t)
+system_crond_entry(certwatch_exec_t, certwatch_t)
+read_locale(certwatch_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.25.3/domains/program/unused/clockspeed.te
+--- nsapolicy/domains/program/unused/clockspeed.te 2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.3/domains/program/unused/clockspeed.te 2005-08-02 11:06:04.000000000 -0400
+@@ -21,5 +21,6 @@
+
+ # sysadm can play with clockspeed
+ role sysadm_r types clockspeed_t;
++ifdef(`targeted_policy', `', `
+ domain_auto_trans( sysadm_t, clockspeed_exec_t, clockspeed_t)
+-
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.3/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-07-12 08:50:43.000000000 -0400
+++ policy-1.25.3/domains/program/unused/cups.te 2005-07-28 11:47:11.000000000 -0400
@@ -252,6 +311,18 @@
+
+r_dir_file(cyrus_t, cert_t)
+allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.3/domains/program/unused/dhcpc.te
+--- nsapolicy/domains/program/unused/dhcpc.te 2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.3/domains/program/unused/dhcpc.te 2005-08-02 11:32:50.000000000 -0400
+@@ -156,6 +156,6 @@
+ domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
+ allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
+ allow dhcpc_t self:dbus send_msg;
+-allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
+-allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
++allow { unconfined_t NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
++allow dhcpc_t { unconfined_t NetworkManager_t initrc_t }:dbus send_msg;
+ ')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/evolution.te policy-1.25.3/domains/program/unused/evolution.te
--- nsapolicy/domains/program/unused/evolution.te 2005-07-05 15:25:46.000000000 -0400
+++ policy-1.25.3/domains/program/unused/evolution.te 2005-07-19 15:41:44.000000000 -0400
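Review bot: `unconfined_t` is referenced unconditionally in the two rewritten dbus rules (`allow { unconfined_t NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;` and its reverse), while nothing in the hunk shows that the type is guaranteed to exist in every build that consumes this patch. In the targeted policy it is always defined, but if the same patch is shared with a strict build where unconfined_t exists only when unconfined.te is compiled in, checkpolicy will reject the undefined type; wrapping the unconfined_t rules in `ifdef(`unconfined.te', `...')` avoids that, or a comment can record that this block is targeted-only. The reverse direction also deserves a why-comment: `allow dhcpc_t unconfined_t:dbus send_msg` lets the DHCP client message an unconfined process over the bus, and the reason is not stated. The ifdef block closed by the `')` at the end of the hunk starts outside the hunk.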
@@ -337,8 +408,18 @@
+dontaudit hotplug_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.3/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/hwclock.te 2005-07-28 11:40:17.000000000 -0400
-@@ -44,3 +44,4 @@
++++ policy-1.25.3/domains/program/unused/hwclock.te 2005-08-02 11:04:50.000000000 -0400
+@@ -17,7 +17,9 @@
+ #
+ daemon_base_domain(hwclock)
+ role sysadm_r types hwclock_t;
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
++')
+ type adjtime_t, file_type, sysadmfile;
+
+ allow hwclock_t fs_t:filesystem getattr;
+@@ -44,3 +46,4 @@
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
@@ -376,7 +457,7 @@
can_exec(ipsec_mgmt_t, consoletype_exec_t )
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.25.3/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/kudzu.te 2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/unused/kudzu.te 2005-08-02 11:07:14.000000000 -0400
@@ -20,7 +20,7 @@
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
@@ -395,7 +476,17 @@
allow kudzu_t kernel_t:system syslog_console;
allow kudzu_t self:udp_socket { create ioctl };
allow kudzu_t var_lock_t:dir search;
-@@ -109,3 +109,4 @@
+@@ -48,7 +48,9 @@
+ allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
+
+ role sysadm_r types kudzu_t;
++ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, kudzu_exec_t, kudzu_t)
++')
+ ifdef(`anaconda.te', `
+ domain_auto_trans(anaconda_t, kudzu_exec_t, kudzu_t)
+ ')
+@@ -109,3 +111,4 @@
allow kudzu_t initrc_t:unix_stream_socket connectto;
allow kudzu_t net_conf_t:file { getattr read };
@@ -441,7 +532,22 @@
allow mysqld_t self:netlink_route_socket r_netlink_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.3/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.3/domains/program/unused/NetworkManager.te 2005-07-19 15:41:44.000000000 -0400
++++ policy-1.25.3/domains/program/unused/NetworkManager.te 2005-08-02 11:53:15.000000000 -0400
+@@ -15,12 +15,12 @@
+
+ can_network(NetworkManager_t)
+ allow NetworkManager_t port_type:tcp_socket name_connect;
+-allow NetworkManager_t dhcpc_port_t:udp_socket name_bind;
++allow NetworkManager_t { isakmp_port_t dhcpc_port_t }:udp_socket name_bind;
+ allow NetworkManager_t dhcpc_t:process signal;
+
+ can_ypbind(NetworkManager_t)
+ uses_shlib(NetworkManager_t)
+-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module};
++allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service sys_module ipc_lock};
+
+ allow NetworkManager_t { random_device_t urandom_device_t }:chr_file { getattr read };
+
@@ -62,6 +62,8 @@
allow NetworkManager_t unconfined_t:dbus send_msg;
allow unconfined_t NetworkManager_t:dbus send_msg;
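Review bot: The added `isakmp_port_t` bind and the `ipc_lock` capability are granted to NetworkManager_t itself with no comment on which operation needs them. The policy already transitions NetworkManager_t into vpnc_t (visible in the next hunk), so if the IKE socket is opened by the vpnc helper rather than by the daemon, the `name_bind` belongs in vpnc.te and NetworkManager_t's own listening surface stays unchanged; if the daemon really binds the ISAKMP port itself, a comment should say so. `ipc_lock` is commonly needed for mlock of key material, but that is a guess from the vpnc context — a comment such as `# ipc_lock: mlock of VPN key material -- confirm against audit log` next to the capability line would document it. The `can_network`/capability block this hunk edits begins outside the hunk.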
@@ -451,7 +557,17 @@
')
allow NetworkManager_t usr_t:file { getattr read };
-@@ -98,3 +100,9 @@
+@@ -91,6 +93,9 @@
+
+ domain_auto_trans(NetworkManager_t, insmod_exec_t, insmod_t)
+ allow NetworkManager_t self:netlink_route_socket r_netlink_socket_perms;
++# allow vpnc connections
++allow NetworkManager_t self:rawip_socket create_socket_perms;
++allow NetworkManager_t tun_tap_device_t:chr_file rw_file_perms;
+
+ domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
+ domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+@@ -98,3 +103,9 @@
domain_auto_trans(NetworkManager_t, vpnc_exec_t, vpnc_t)
')
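Review bot: `allow NetworkManager_t self:rawip_socket create_socket_perms;` is a broad grant — a raw IP socket lets the domain send and receive arbitrary IP datagrams, and together with the existing `net_raw` capability it is not limited to VPN traffic — yet the only justification is `# allow vpnc connections`. If only a subset of operations is exercised (for example create/read/write without setopt/getopt), narrowing the permission set would be preferable; either way the comment should name the concrete use, e.g. `# vpnc via NetworkManager: raw IP socket (ESP, IP proto 50 -- confirm) and read/write of the tun/tap device`. The `tun_tap_device_t` rw grant is the expected counterpart of the vpnc_t transition later in this hunk. The hunk closes with `')`, so the enclosing ifdef block starts outside the hunk.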
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.358
retrieving revision 1.359
diff -u -r1.358 -r1.359
--- selinux-policy-targeted.spec 1 Aug 2005 17:32:15 -0000 1.358
+++ selinux-policy-targeted.spec 2 Aug 2005 18:28:19 -0000 1.359
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.25.3
-Release: 10
+Release: 11
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -237,6 +237,9 @@
exit 0
%changelog
+* Tue Aug 2 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-11
+- Fix NetworkManager-vpnc stuff
+
* Mon Aug 1 2005 Dan Walsh <dwalsh at redhat.com> 1.25.3-10
- Fixes for saslauthd, cyrus communication