
rpms/selinux-policy-strict/devel policy-20050811.patch, 1.4, 1.5 selinux-policy-strict.spec, 1.369, 1.370



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31918

Modified Files:
	policy-20050811.patch selinux-policy-strict.spec 
Log Message:
* Wed Aug 17 2005 Dan Walsh <dwalsh redhat com> 1.25.4-4
- Add more access for amanda
- Allow dovecot to create files in mail_spool_t


policy-20050811.patch:
 Makefile                                 |   42 +++++-
 domains/misc/kernel.te                   |    2 
 domains/program/crond.te                 |    7 -
 domains/program/fsadm.te                 |    7 -
 domains/program/hostname.te              |    3 
 domains/program/ifconfig.te              |    5 
 domains/program/initrc.te                |    3 
 domains/program/ldconfig.te              |    3 
 domains/program/load_policy.te           |    6 
 domains/program/login.te                 |   12 -
 domains/program/modutil.te               |   11 -
 domains/program/mount.te                 |    3 
 domains/program/netutils.te              |    3 
 domains/program/passwd.te                |    3 
 domains/program/restorecon.te            |    2 
 domains/program/setfiles.te              |    2 
 domains/program/ssh.te                   |    3 
 domains/program/unused/NetworkManager.te |    7 -
 domains/program/unused/alsa.te           |   11 +
 domains/program/unused/amanda.te         |   51 -------
 domains/program/unused/apache.te         |   12 +
 domains/program/unused/apmd.te           |    6 
 domains/program/unused/automount.te      |    4 
 domains/program/unused/backup.te         |    2 
 domains/program/unused/bluetooth.te      |    5 
 domains/program/unused/bootloader.te     |    2 
 domains/program/unused/cardmgr.te        |    3 
 domains/program/unused/certwatch.te      |   11 +
 domains/program/unused/clockspeed.te     |    3 
 domains/program/unused/cups.te           |    1 
 domains/program/unused/cvs.te            |   10 -
 domains/program/unused/cyrus.te          |   10 +
 domains/program/unused/dbusd.te          |    7 -
 domains/program/unused/ddclient.te       |    6 
 domains/program/unused/dhcpc.te          |    4 
 domains/program/unused/dovecot.te        |    4 
 domains/program/unused/firstboot.te      |    7 -
 domains/program/unused/ftpd.te           |    8 -
 domains/program/unused/hald.te           |    1 
 domains/program/unused/hwclock.te        |    3 
 domains/program/unused/ipsec.te          |    7 -
 domains/program/unused/kudzu.te          |    4 
 domains/program/unused/mta.te            |    2 
 domains/program/unused/mysqld.te         |    4 
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/ping.te           |   11 -
 domains/program/unused/postgresql.te     |    4 
 domains/program/unused/pppd.te           |   21 ++-
 domains/program/unused/procmail.te       |    3 
 domains/program/unused/rlogind.te        |    2 
 domains/program/unused/rpm.te            |    3 
 domains/program/unused/rsync.te          |    4 
 domains/program/unused/samba.te          |    8 -
 domains/program/unused/saslauthd.te      |   10 +
 domains/program/unused/slocate.te        |    4 
 domains/program/unused/udev.te           |    4 
 domains/program/unused/vpnc.te           |   17 ++
 domains/program/unused/winbind.te        |    1 
 domains/program/useradd.te               |    2 
 file_contexts/program/apache.fc          |    2 
 file_contexts/program/certwatch.fc       |    3 
 file_contexts/program/cups.fc            |    1 
 file_contexts/program/fsadm.fc           |    1 
 file_contexts/program/postgresql.fc      |    4 
 file_contexts/program/pppd.fc            |   14 +-
 file_contexts/program/radvd.fc           |    1 
 file_contexts/types.fc                   |    4 
 macros/base_user_macros.te               |    4 
 macros/core_macros.te                    |    3 
 macros/global_macros.te                  |   32 ++++
 macros/network_macros.te                 |   18 ++
 macros/program/apache_macros.te          |    8 -
 macros/program/cdrecord_macros.te        |   16 --
 macros/program/chkpwd_macros.te          |   17 --
 macros/program/ethereal_macros.te        |    7 -
 macros/program/evolution_macros.te       |    2 
 macros/program/mail_client_macros.te     |    5 
 macros/program/mozilla_macros.te         |    7 +
 macros/program/mta_macros.te             |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/spamassassin_macros.te    |    2 
 macros/program/su_macros.te              |   10 +
 macros/program/thunderbird_macros.te     |    6 
 macros/program/uml_macros.te             |    2 
 mcs                                      |  212 +++++++++++++++++++++++++++++++
 net_contexts                             |    8 -
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/file.te                            |    1 
 types/network.te                         |    9 -
 91 files changed, 593 insertions(+), 226 deletions(-)

Index: policy-20050811.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050811.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20050811.patch	17 Aug 2005 02:03:26 -0000	1.4
+++ policy-20050811.patch	17 Aug 2005 21:25:29 -0000	1.5
@@ -42,7 +42,7 @@
 +can_exec(system_crond_t, httpd_modules_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.25.4/domains/program/fsadm.te
 --- nsapolicy/domains/program/fsadm.te	2005-08-11 06:57:12.000000000 -0400
-+++ policy-1.25.4/domains/program/fsadm.te	2005-08-16 13:51:27.000000000 -0400
++++ policy-1.25.4/domains/program/fsadm.te	2005-08-17 09:34:40.000000000 -0400
 @@ -64,7 +64,7 @@
  allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
  
@@ -338,12 +338,105 @@
 +read_locale(alsa_t) 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.25.4/domains/program/unused/amanda.te
 --- nsapolicy/domains/program/unused/amanda.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/amanda.te	2005-08-16 13:21:52.000000000 -0400
-@@ -320,3 +320,4 @@
- dontaudit amanda_t sysfs_t:dir { getattr read };
++++ policy-1.25.4/domains/program/unused/amanda.te	2005-08-17 09:13:07.000000000 -0400
+@@ -84,7 +84,6 @@
+ 
+ # configuration files -> read only
+ allow amanda_t amanda_config_t:file { getattr read };
+-allow amanda_t amanda_config_t:dir search;
+ 
+ # access to amanda_amandates_t
+ allow amanda_t amanda_amandates_t:file { getattr lock read write };
+@@ -97,43 +96,18 @@
+ allow amanda_t amanda_data_t:file { read write };
+ 
+ # access to proc_t
+-allow amanda_t proc_t:dir { getattr search };
+ allow amanda_t proc_t:file { getattr read };
+ 
+ # access to etc_t and similar
+-allow amanda_t etc_t:dir { getattr search };
+ allow amanda_t etc_t:file { getattr read };
+ allow amanda_t etc_runtime_t:file { getattr read };
+ 
+-# access to var_t and similar
+-allow amanda_t var_t:dir search;
+-allow amanda_t var_lib_t:dir search;
+-allow amanda_t amanda_var_lib_t:dir search;
+-
+ # access to amanda_gnutarlists_t (/var/lib/amanda/gnutar-lists)
+-allow amanda_t amanda_gnutarlists_t:dir { add_name read remove_name search write };
+-allow amanda_t amanda_gnutarlists_t:file { create getattr read rename setattr unlink write };
+-
+-# access to var_run_t
+-allow amanda_t var_run_t:dir search;
+-
+-# access to var_log_t
+-allow amanda_t var_log_t:dir getattr;
+-
+-# access to var_spool_t
+-allow amanda_t var_spool_t:dir getattr;
+-
+-# access to amanda_usr_lib_t
+-allow amanda_t amanda_usr_lib_t:dir search;
++rw_dir_create_file(amanda_t, amanda_gnutarlists_t)
+ 
+ # access to device_t and similar
+-allow amanda_t device_t:dir search;
+-allow amanda_t devpts_t:dir getattr;
+ allow amanda_t devtty_t:chr_file { read write };
+ 
+-# access to boot_t
+-allow amanda_t boot_t:dir getattr;
+-
+ # access to fs_t
+ allow amanda_t fs_t:filesystem getattr;
+ 
+@@ -192,18 +166,8 @@
+ ########################
+ 
+ # access to user_home_t
+-allow amanda_t { user_home_dir_type user_home_type }:dir { search getattr read };
+ allow amanda_t user_home_type:file { getattr read };
+ 
+-# access to file_t ( /floppy, /cdrom )
+-allow amanda_t mnt_t:dir getattr;
+-
+-###########
+-# Dontaudit
+-###########
+-dontaudit amanda_t lost_found_t:dir { getattr read };
+-	
+-	
+ ##############################################################################
+ # AMANDA RECOVER DECLARATIONS
+ ##############################################################################
+@@ -301,7 +265,8 @@
+ #
+ allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
+ 
+-allow amanda_t file_type:dir {getattr read search };
++#amanda needs to look at fs_type directories to decide whether it should backup
++allow amanda_t { fs_type file_type }:dir {getattr read search };
+ allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
+ allow amanda_t device_type:{ blk_file chr_file } getattr;
+ allow amanda_t fixed_disk_device_t:blk_file read;
+@@ -310,13 +275,7 @@
+ dontaudit amanda_t file_type:sock_file getattr;
+ logdir_domain(amanda)
+ 
+-dontaudit amanda_t autofs_t:dir { getattr read search };
+-dontaudit amanda_t binfmt_misc_fs_t:dir getattr;
+-dontaudit amanda_t nfs_t:dir { getattr read };
+-dontaudit amanda_t proc_t:dir read;
+ dontaudit amanda_t proc_t:lnk_file read;
+-dontaudit amanda_t rpc_pipefs_t:dir { getattr read };
+-dontaudit amanda_t security_t:dir { getattr read };
+-dontaudit amanda_t sysfs_t:dir { getattr read };
  dontaudit amanda_t unlabeled_t:file getattr;
- dontaudit amanda_t usbfs_t:dir getattr;
-+dontaudit amanda_t nfsd_fs_t:dir getattr;
+-dontaudit amanda_t usbfs_t:dir getattr;
++#amanda wants to check attributes on fifo_files
++allow amanda_t file_type:fifo_file getattr;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.4/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-07-12 08:50:43.000000000 -0400
 +++ policy-1.25.4/domains/program/unused/apache.te	2005-08-16 13:31:53.000000000 -0400
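Review bot: The new rule `allow amanda_t { fs_type file_type }:dir {getattr read search };` turns the pseudo-filesystem directories that were previously only silenced (the removed dontaudit lines for autofs_t, binfmt_misc_fs_t, nfs_t, rpc_pipefs_t, security_t, sysfs_t) into a real grant, while the comment above it only justifies `getattr` ("to decide whether it should backup"). If that is the whole reason, a narrower `allow amanda_t fs_type:dir getattr;` next to the existing `file_type:dir { getattr read search }` would cover it without letting the backup agent enumerate selinuxfs and the other pseudo-filesystems; whether amanda actually needs more than getattr there is not visible from this hunk. The `rw_dir_create_file(amanda_t, amanda_gnutarlists_t)` macro replaces explicit rules that granted `rename setattr unlink` on gnutar-lists files, and the macro body is not shown here, so confirm it still grants those or keep an explicit `allow amanda_t amanda_gnutarlists_t:file { rename setattr unlink };`, presumably needed when amanda rotates those lists. The `file_type:fifo_file getattr` grant is reasonable for an agent walking the whole tree.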
@@ -404,7 +497,7 @@
 +')dnl end if logrotate.te
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.25.4/domains/program/unused/automount.te
 --- nsapolicy/domains/program/unused/automount.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/automount.te	2005-08-16 08:53:01.000000000 -0400
++++ policy-1.25.4/domains/program/unused/automount.te	2005-08-17 06:47:20.000000000 -0400
 @@ -34,7 +34,9 @@
  can_exec(automount_t, { etc_t automount_etc_t })
  
@@ -415,7 +508,15 @@
  
  ifdef(`fsadm.te', `
  domain_auto_trans(automount_t, fsadm_exec_t, fsadm_t)
-@@ -73,3 +75,4 @@
+@@ -56,6 +58,7 @@
+ 
+ allow automount_t { bin_t sbin_t }:dir search;
+ can_exec(automount_t, mount_exec_t)
++can_exec(automount_t, shell_exec_t)
+ 
+ allow mount_t autofs_t:dir getattr;
+ dontaudit automount_t var_t:dir write;
+@@ -73,3 +76,4 @@
  
  allow automount_t var_lib_t:dir search;
  allow automount_t var_lib_nfs_t:dir search;
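Review bot: The added `can_exec(automount_t, shell_exec_t)` lets automount run a shell in its own domain with no transition, so any script it launches inherits everything automount_t holds, including the mount execution granted just above and the fsadm transition earlier in the file, and the line carries no explanation of why a shell is needed. The reason is presumably executable maps (the existing `can_exec(automount_t, { etc_t automount_etc_t })` earlier in this hunk), but that is inferred, not stated. A one-line comment would keep the next reader from widening or dropping it blindly, e.g. `# executable maps are shell scripts; the shell stays in automount_t (no transition)`. The surrounding automount_t rules start before this hunk.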
@@ -537,7 +638,7 @@
 +dontaudit cvs_t krb5_conf_t:file write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.4/domains/program/unused/cyrus.te
 --- nsapolicy/domains/program/unused/cyrus.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/cyrus.te	2005-08-11 23:07:13.000000000 -0400
++++ policy-1.25.4/domains/program/unused/cyrus.te	2005-08-17 08:53:28.000000000 -0400
 @@ -20,7 +20,7 @@
  can_ypbind(cyrus_t)
  can_exec(cyrus_t, bin_t)
@@ -551,7 +652,7 @@
  create_dir_file(cyrus_t, mail_spool_t)
  allow cyrus_t var_spool_t:dir search;
  
-+ifdef(`saslaudthd.te', `
++ifdef(`saslauthd.te', `
 +allow cyrus_t saslauthd_var_run_t:dir search;
 +allow cyrus_t saslauthd_var_run_t:sock_file { read write };
 +allow cyrus_t saslauthd_t:unix_stream_socket { connectto };
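Review bot: Correcting the guard from `saslaudthd.te` to `saslauthd.te` means this whole block (search of saslauthd_var_run_t, read/write on its socket, and `connectto` to saslauthd_t) was dead policy until now and is being enabled for the first time, yet neither the log message nor the %changelog entry mentions cyrus. A grant that starts applying silently is exactly what an administrator diffing enforced policy between releases will want recorded; add a changelog line such as `- Fix saslauthd.te ifdef typo so cyrus_t can reach the saslauthd socket`. The rules themselves look appropriate for cyrus authenticating through saslauthd.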
@@ -603,6 +704,20 @@
 +allow { unconfined_t NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
 +allow dhcpc_t { unconfined_t NetworkManager_t initrc_t }:dbus send_msg;
  ')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.25.4/domains/program/unused/dovecot.te
+--- nsapolicy/domains/program/unused/dovecot.te	2005-07-12 08:50:43.000000000 -0400
++++ policy-1.25.4/domains/program/unused/dovecot.te	2005-08-17 14:15:44.000000000 -0400
+@@ -43,7 +43,9 @@
+ can_kerberos(dovecot_t)
+ 
+ allow dovecot_t tmp_t:dir search;
+-rw_dir_file(dovecot_t, mail_spool_t)
++ra_dir_create_file(dovecot_t, mail_spool_t)
++
++
+ create_dir_file(dovecot_t, dovecot_spool_t)
+ create_dir_file(mta_delivery_agent, dovecot_spool_t)
+ allow dovecot_t mail_spool_t:lnk_file read;
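Review bot: Swapping `rw_dir_file(dovecot_t, mail_spool_t)` for `ra_dir_create_file(dovecot_t, mail_spool_t)` does more than the log message's "allow dovecot to create files": if the macro does what its name says (read/append instead of read/write), dovecot_t loses `write` on existing mail_spool_t files at the same moment it gains `create`. If dovecot rewrites spool mailboxes in place (mbox flag updates), that would surface as new denials after this update; check the macro body in global_macros.te, and if write was meant to stay, use the same pattern applied two lines below for dovecot_spool_t, `create_dir_file(dovecot_t, mail_spool_t)`. The two blank lines added after the macro call are stray and should be dropped.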
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.25.4/domains/program/unused/firstboot.te
 --- nsapolicy/domains/program/unused/firstboot.te	2005-06-01 06:11:22.000000000 -0400
 +++ policy-1.25.4/domains/program/unused/firstboot.te	2005-08-11 23:07:13.000000000 -0400
@@ -704,7 +819,16 @@
  can_exec(ipsec_mgmt_t, consoletype_exec_t )
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.25.4/domains/program/unused/kudzu.te
 --- nsapolicy/domains/program/unused/kudzu.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/kudzu.te	2005-08-11 23:07:13.000000000 -0400
++++ policy-1.25.4/domains/program/unused/kudzu.te	2005-08-17 09:30:14.000000000 -0400
+@@ -20,7 +20,7 @@
+ allow kudzu_t ramfs_t:dir search;
+ allow kudzu_t ramfs_t:sock_file write;
+ allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+-allow kudzu_t modules_conf_t:file { getattr read unlink };
++allow kudzu_t modules_conf_t:file { getattr read unlink rename };
+ allow kudzu_t modules_object_t:dir r_dir_perms;
+ allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
+ allow kudzu_t mouse_device_t:chr_file { read write };
 @@ -48,7 +48,9 @@
  allow kudzu_t { tty_device_t devtty_t admin_tty_type }:chr_file rw_file_perms;
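Review bot: Adding `rename` to `modules_conf_t:file` is not enough on its own: renaming a file also needs `{ add_name remove_name write }` on the directory that contains it, and `modules_conf_t` is only the file type, so unless kudzu_t already holds those on the parent directory (presumably etc_t, not visible in this hunk) the operation will still be denied. If the rename is the tail of a write-temp-then-rename update of the modules config, the new rule also lacks `create` and `write` on modules_conf_t:file, which the existing `{ getattr read unlink }` does not cover. A comment on the rule stating which operation it serves, e.g. `# kudzu replaces the modules config by rename`, would make the intended scope clear.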
  


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.369
retrieving revision 1.370
diff -u -r1.369 -r1.370
--- selinux-policy-strict.spec	17 Aug 2005 02:03:26 -0000	1.369
+++ selinux-policy-strict.spec	17 Aug 2005 21:25:29 -0000	1.370
@@ -12,7 +12,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.4
-Release: 3
+Release: 4
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -239,6 +239,10 @@
 exit 0
 
 %changelog
+* Wed Aug 17 2005 Dan Walsh <dwalsh redhat com> 1.25.4-4
+- Add more access for amanda
+- Allow dovecot to create files in mail_spool_t
+
 * Tue Aug 16 2005 Dan Walsh <dwalsh redhat com> 1.25.4-3
 - add can_access_pty macro
 - Add nsswitch_macro for lots of ldap fixes

