rpms/selinux-policy-targeted/devel policy-20050811.patch, 1.8, 1.9 selinux-policy-targeted.spec, 1.368, 1.369
fedora-cvs-commits at redhat.com
Mon Aug 29 17:48:00 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2533
Modified Files:
policy-20050811.patch selinux-policy-targeted.spec
Log Message:
* Mon Aug 29 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-11
- Change can_resolv to allow tcp_socket name_connect to dns port.
policy-20050811.patch:
Makefile | 38 +++++
attrib.te | 2
domains/misc/kernel.te | 2
domains/program/crond.te | 7 -
domains/program/fsadm.te | 7 -
domains/program/hostname.te | 3
domains/program/ifconfig.te | 5
domains/program/initrc.te | 16 ++
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 6
domains/program/login.te | 12 -
domains/program/modutil.te | 14 +-
domains/program/mount.te | 3
domains/program/netutils.te | 3
domains/program/passwd.te | 3
domains/program/restorecon.te | 5
domains/program/setfiles.te | 2
domains/program/ssh.te | 18 +-
domains/program/unused/NetworkManager.te | 8 -
domains/program/unused/acct.te | 10 -
domains/program/unused/alsa.te | 11 +
domains/program/unused/amanda.te | 53 -------
domains/program/unused/apache.te | 12 +
domains/program/unused/apmd.te | 8 +
domains/program/unused/auditd.te | 2
domains/program/unused/automount.te | 4
domains/program/unused/backup.te | 2
domains/program/unused/bluetooth.te | 5
domains/program/unused/bootloader.te | 2
domains/program/unused/cardmgr.te | 3
domains/program/unused/certwatch.te | 11 +
domains/program/unused/clockspeed.te | 3
domains/program/unused/cups.te | 8 +
domains/program/unused/cvs.te | 10 -
domains/program/unused/cyrus.te | 10 +
domains/program/unused/dbusd.te | 9 +
domains/program/unused/ddclient.te | 6
domains/program/unused/dhcpc.te | 5
domains/program/unused/dovecot.te | 4
domains/program/unused/dpkg.te | 3
domains/program/unused/firstboot.te | 7 -
domains/program/unused/fs_daemon.te | 2
domains/program/unused/ftpd.te | 8 -
domains/program/unused/hald.te | 1
domains/program/unused/hwclock.te | 5
domains/program/unused/i18n_input.te | 2
domains/program/unused/ipsec.te | 7 -
domains/program/unused/kudzu.te | 4
domains/program/unused/lvm.te | 1
domains/program/unused/mailman.te | 2
domains/program/unused/mta.te | 6
domains/program/unused/mysqld.te | 7 -
domains/program/unused/ntpd.te | 2
domains/program/unused/openct.te | 16 ++
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 12 +
domains/program/unused/postgresql.te | 4
domains/program/unused/pppd.te | 22 ++-
domains/program/unused/procmail.te | 3
domains/program/unused/readahead.te | 21 +++
domains/program/unused/rlogind.te | 2
domains/program/unused/roundup.te | 29 ++++
domains/program/unused/rpcd.te | 2
domains/program/unused/rpm.te | 3
domains/program/unused/rsync.te | 4
domains/program/unused/samba.te | 16 +-
domains/program/unused/saslauthd.te | 10 +
domains/program/unused/slocate.te | 4
domains/program/unused/squid.te | 2
domains/program/unused/sxid.te | 1
domains/program/unused/udev.te | 4
domains/program/unused/vpnc.te | 17 ++
domains/program/unused/winbind.te | 1
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 2
file_contexts/distros.fc | 5
file_contexts/program/apache.fc | 8 -
file_contexts/program/certwatch.fc | 3
file_contexts/program/clamav.fc | 2
file_contexts/program/cups.fc | 1
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 2
file_contexts/program/fsadm.fc | 1
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/postfix.fc | 2
file_contexts/program/postgresql.fc | 4
file_contexts/program/pppd.fc | 14 +-
file_contexts/program/qmail.fc | 2
file_contexts/program/radvd.fc | 1
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 8 -
genfs_contexts | 1
macros/base_user_macros.te | 4
macros/core_macros.te | 3
macros/global_macros.te | 32 ++++
macros/network_macros.te | 21 ++-
macros/program/apache_macros.te | 12 +
macros/program/cdrecord_macros.te | 16 --
macros/program/chkpwd_macros.te | 17 --
macros/program/ethereal_macros.te | 7 -
macros/program/evolution_macros.te | 2
macros/program/gpg_macros.te | 2
macros/program/i18n_input_macros.te | 21 +++
macros/program/mail_client_macros.te | 5
macros/program/mozilla_macros.te | 7 +
macros/program/mta_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/spamassassin_macros.te | 2
macros/program/su_macros.te | 10 +
macros/program/thunderbird_macros.te | 6
macros/program/uml_macros.te | 2
macros/user_macros.te | 1
mcs | 216 +++++++++++++++++++++++++++++++
net_contexts | 8 -
targeted/appconfig/root_default_contexts | 4
targeted/assert.te | 2
targeted/domains/unconfined.te | 6
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/file.te | 4
types/network.te | 9 -
types/security.te | 4
127 files changed, 805 insertions(+), 264 deletions(-)
Index: policy-20050811.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050811.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20050811.patch 25 Aug 2005 20:35:53 -0000 1.8
+++ policy-20050811.patch 29 Aug 2005 17:47:56 -0000 1.9
@@ -116,7 +116,7 @@
allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/initrc.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/initrc.te 2005-08-29 08:07:06.000000000 -0400
@@ -214,7 +214,15 @@
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
@@ -134,13 +134,16 @@
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-@@ -319,3 +327,6 @@
+@@ -319,3 +327,9 @@
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
++
++# Slapd needs to read cert files from its initscript
++r_dir_file(initrc_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.25.4/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.4/domains/program/ldconfig.te 2005-08-25 10:28:34.000000000 -0400
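Review bot: The new `r_dir_file(initrc_t, cert_t)` at the end of initrc.te is justified by the comment as a slapd initscript need, but the rule is granted to initrc_t, so every init script running in that domain gains read access to cert_t. If only slapd's script needs it, consider wrapping the rule in an ifdef for the slapd policy file, in the same way the dbusd rule just above it is wrapped in `ifdef(`dbusd.te', ...)`.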
@@ -463,7 +466,7 @@
+read_locale(alsa_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.25.4/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/amanda.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/amanda.te 2005-08-29 11:43:44.000000000 -0400
@@ -84,7 +84,6 @@
# configuration files -> read only
@@ -536,7 +539,7 @@
##############################################################################
# AMANDA RECOVER DECLARATIONS
##############################################################################
-@@ -301,7 +265,8 @@
+@@ -301,22 +265,17 @@
#
allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
@@ -546,8 +549,10 @@
allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
allow amanda_t device_type:{ blk_file chr_file } getattr;
allow amanda_t fixed_disk_device_t:blk_file read;
-@@ -310,13 +275,7 @@
- dontaudit amanda_t file_type:sock_file getattr;
+ domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+
+-dontaudit amanda_t file_type:sock_file getattr;
++allow amanda_t file_type:sock_file getattr;
logdir_domain(amanda)
-dontaudit amanda_t autofs_t:dir { getattr read search };
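Review bot: In amanda.te the rule `dontaudit amanda_t file_type:sock_file getattr;` is flipped to `allow amanda_t file_type:sock_file getattr;` with no comment and no mention in the log message. That turns a silenced denial into a grant covering sock_files of every file_type. A one-line comment stating which backup operation needs it would help, and would match the neighbouring `allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };` rule if the intent is simply to stat everything being backed up.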
@@ -601,7 +606,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.4/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/apmd.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/apmd.te 2005-08-29 11:30:30.000000000 -0400
@@ -16,7 +16,9 @@
type apm_t, domain, privlog;
@@ -612,7 +617,7 @@
uses_shlib(apm_t)
allow apm_t privfd:fd use;
allow apm_t admin_tty_type:chr_file rw_file_perms;
-@@ -138,3 +140,7 @@
+@@ -138,3 +140,9 @@
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
@@ -620,6 +625,17 @@
+ifdef(`logrotate.te', `
+allow apmd_t logrotate_t:fd use;
+')dnl end if logrotate.te
++allow apmd_t devpts_t:dir { getattr search };
++allow apmd_t security_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.25.4/domains/program/unused/auditd.te
+--- nsapolicy/domains/program/unused/auditd.te 2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.4/domains/program/unused/auditd.te 2005-08-29 11:35:53.000000000 -0400
+@@ -65,3 +65,5 @@
+ allow auditctl_t privfd:fd use;
+
+
++allow auditd_t sbin_t:dir search;
++can_exec(auditd_t, sbin_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.25.4/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.25.4/domains/program/unused/automount.te 2005-08-25 10:28:34.000000000 -0400
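Review bot: The new auditd.te lines `allow auditd_t sbin_t:dir search;` and `can_exec(auditd_t, sbin_t)` carry no comment saying which program auditd has to run, and the grant covers every file labeled sbin_t. Please name the helper in a comment, and if it is a single binary consider giving it its own type so that auditd_t does not need generic sbin_t execute. The same applies to the two uncommented apmd_t additions (`devpts_t:dir { getattr search }` and `security_t:dir search`) just above.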
@@ -730,8 +746,41 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.4/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/cups.te 2005-08-25 10:28:34.000000000 -0400
-@@ -245,6 +245,7 @@
++++ policy-1.25.4/domains/program/unused/cups.te 2005-08-27 04:24:14.000000000 -0400
+@@ -188,6 +188,7 @@
+ # Uses networking to talk to the daemons
+ allow hplip_t self:unix_dgram_socket create_socket_perms;
+ allow hplip_t self:unix_stream_socket create_socket_perms;
++allow hplip_t self:rawip_socket create_socket_perms;
+
+ # for python
+ can_exec(hplip_t, bin_t)
+@@ -196,6 +197,9 @@
+ allow hplip_t proc_t:file r_file_perms;
+ allow hplip_t urandom_device_t:chr_file { getattr read };
+ allow hplip_t usr_t:{ file lnk_file } r_file_perms;
++allow hplip_t devpts_t:dir search;
++allow hplip_t devpts_t:chr_file { getattr ioctl };
++
+
+ dontaudit cupsd_t selinux_config_t:dir search;
+ dontaudit cupsd_t selinux_config_t:file { getattr read };
+@@ -231,12 +235,13 @@
+ allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+ can_ps(cupsd_config_t, cupsd_t)
+
+-allow cupsd_config_t self:capability chown;
++allow cupsd_config_t self:capability { chown sys_tty_config };
+
+ rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
+ rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
+ file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+ file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
++allow cupsd_config_t var_t:lnk_file read;
+
+ can_network_tcp(cupsd_config_t)
+ can_ypbind(cupsd_config_t)
+@@ -245,6 +250,7 @@
allow cupsd_config_t self:fifo_file rw_file_perms;
allow cupsd_config_t self:unix_stream_socket create_socket_perms;
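Review bot: In cups.te, `allow hplip_t self:rawip_socket create_socket_perms;` is added under the existing comment "Uses networking to talk to the daemons", which explains the unix sockets next to it but not why hplip needs a raw IP socket. The same hunk also widens `cupsd_config_t self:capability` from `chown` to `{ chown sys_tty_config }` without explanation. Both are privilege increases that deserve a comment naming the operation that was denied, and neither is listed in the changelog entry.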
@@ -787,8 +836,8 @@
+allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.25.4/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te 2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dbusd.te 2005-08-25 10:28:34.000000000 -0400
-@@ -12,9 +12,14 @@
++++ policy-1.25.4/domains/program/unused/dbusd.te 2005-08-26 15:05:37.000000000 -0400
+@@ -12,9 +12,16 @@
# dac_override: /var/run/dbus is owned by messagebus on Debian
allow system_dbusd_t self:capability { dac_override setgid setuid };
@@ -804,6 +853,8 @@
+can_exec(system_dbusd_t, sbin_t)
+allow system_dbusd_t self:fifo_file { read write };
+allow system_dbusd_t self:unix_stream_socket connectto;
++allow system_dbusd_t self:unix_stream_socket connectto;
++allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.25.4/domains/program/unused/ddclient.te
--- nsapolicy/domains/program/unused/ddclient.te 2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/domains/program/unused/ddclient.te 2005-08-25 10:28:34.000000000 -0400
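Review bot: The added line `allow system_dbusd_t self:unix_stream_socket connectto;` in dbusd.te is an exact duplicate of the rule on the line directly above it, so it adds nothing and should be dropped. The inner hunk header would then be +12,15 rather than +12,16. The `netlink_audit_socket` rule that follows is the only functional change here and could use a short comment.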
@@ -819,8 +870,16 @@
+dontaudit httpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.4/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dhcpc.te 2005-08-25 10:28:34.000000000 -0400
-@@ -156,6 +156,6 @@
++++ policy-1.25.4/domains/program/unused/dhcpc.te 2005-08-29 09:58:32.000000000 -0400
+@@ -134,7 +134,6 @@
+ allow dhcpc_t home_root_t:dir search;
+ allow initrc_t dhcpc_state_t:file { getattr read };
+ dontaudit dhcpc_t var_lock_t:dir search;
+-dontaudit dhcpc_t selinux_config_t:dir search;
+ allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
+ dontaudit dhcpc_t domain:dir getattr;
+ allow dhcpc_t initrc_var_run_t:file rw_file_perms;
+@@ -156,6 +155,6 @@
domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
allow dhcpc_t self:dbus send_msg;
@@ -920,8 +979,8 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.4/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/hwclock.te 2005-08-25 10:28:34.000000000 -0400
-@@ -17,7 +17,9 @@
++++ policy-1.25.4/domains/program/unused/hwclock.te 2005-08-27 04:28:02.000000000 -0400
+@@ -17,9 +17,10 @@
#
daemon_base_domain(hwclock)
role sysadm_r types hwclock_t;
@@ -929,13 +988,16 @@
domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
+')
type adjtime_t, file_type, sysadmfile;
-
+-
allow hwclock_t fs_t:filesystem getattr;
-@@ -44,3 +46,4 @@
+
+ read_locale(hwclock_t)
+@@ -44,3 +45,5 @@
# for when /usr is not mounted
dontaudit hwclock_t file_t:dir search;
+allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++r_dir_file(hwclock_t, etc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.25.4/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te 2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.4/domains/program/unused/i18n_input.te 2005-08-25 10:28:34.000000000 -0400
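Review bot: The new `r_dir_file(hwclock_t, etc_t)` at the end of hwclock.te gives hwclock_t read access to all directories and files labeled etc_t, with no comment saying which file it actually needs. This file already declares a dedicated `adjtime_t` type for hwclock's own state, so a narrower grant looks possible. Please either name the configuration file in a comment or restrict the rule to the specific access that was denied.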
@@ -1073,7 +1135,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.4/domains/program/unused/NetworkManager.te
--- nsapolicy/domains/program/unused/NetworkManager.te 2005-08-11 06:57:14.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/NetworkManager.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/NetworkManager.te 2005-08-29 11:30:40.000000000 -0400
@@ -15,12 +15,12 @@
can_network(NetworkManager_t)
@@ -1099,6 +1161,11 @@
domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+@@ -106,3 +109,4 @@
+ ')
+ allow NetworkManager_t var_lib_t:dir search;
+ dontaudit NetworkManager_t user_tty_type:chr_file { read write };
++allow NetworkManager_t security_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.25.4/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.4/domains/program/unused/ntpd.te 2005-08-25 10:28:34.000000000 -0400
@@ -1149,7 +1216,7 @@
+nsswitch_domain(pam_console_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.4/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ping.te 2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ping.te 2005-08-29 11:21:58.000000000 -0400
@@ -17,7 +17,9 @@
in_user_role(ping_t)
type ping_exec_t, file_type, sysadmfile, exec_type;
@@ -1161,7 +1228,15 @@
bool user_ping false;
if (user_ping) {
-@@ -42,9 +44,6 @@
+@@ -35,6 +37,7 @@
+ uses_shlib(ping_t)
+ can_network_client(ping_t)
+ can_resolve(ping_t)
++allow ping_t dns_port_t:tcp_socket name_connect;
+ can_ypbind(ping_t)
+ allow ping_t etc_t:file { getattr read };
+ allow ping_t self:unix_stream_socket create_socket_perms;
+@@ -42,9 +45,6 @@
# Let ping create raw ICMP packets.
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
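Review bot: The added `allow ping_t dns_port_t:tcp_socket name_connect;` in ping.te sits directly after `can_resolve(ping_t)`, and the network_macros.te change in this same patch puts `allow $1 dns_port_t:tcp_socket name_connect;` inside `can_resolve` itself. The explicit rule is therefore redundant once the macro change lands. Suggest dropping it from ping.te so the permission is defined in one place.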
@@ -1171,7 +1246,7 @@
# Use capabilities.
allow ping_t self:capability { net_raw setuid };
-@@ -52,11 +51,13 @@
+@@ -52,11 +52,13 @@
allow ping_t admin_tty_type:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
allow ping_t privfd:fd use;
@@ -1962,7 +2037,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.4/macros/network_macros.te
--- nsapolicy/macros/network_macros.te 2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/macros/network_macros.te 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/network_macros.te 2005-08-29 11:49:26.000000000 -0400
@@ -16,9 +16,7 @@
# Allow the domain to send or receive using any network interface.
# netif_type is a type attribute for all network interface types.
@@ -1974,7 +2049,17 @@
#
# Allow the domain to send to or receive from any node.
# node_type is a type attribute for all node types.
-@@ -175,3 +173,17 @@
+@@ -155,7 +153,8 @@
+ ')dnl end can_network definition
+
+ define(`can_resolve',`
+-can_network_udp($1, `dns_port_t')
++can_network_client($1, `dns_port_t')
++allow $1 dns_port_t:tcp_socket name_connect;
+ ')
+
+ define(`can_portmap',`
+@@ -175,3 +174,17 @@
allow $1 winbind_var_run_t:sock_file { getattr read write };
')
')
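Review bot: In the `can_resolve` definition, the log message only describes adding tcp_socket name_connect to the DNS port, but the hunk also replaces `can_network_udp($1, `dns_port_t')` with `can_network_client($1, `dns_port_t')`. That changes what every caller of `can_resolve` receives, not just the one added allow line. Please mention the macro swap in the changelog and add a comment above the definition stating why TCP is needed (resolvers retry over TCP when a UDP response is truncated), so the broader grant is not later mistaken for an accident.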
@@ -2345,7 +2430,7 @@
ifdef(`lockdev.te', `lockdev_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.25.4/Makefile
--- nsapolicy/Makefile 2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/Makefile 2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/Makefile 2005-08-27 04:40:05.000000000 -0400
@@ -15,6 +15,9 @@
# Set to y if MLS is enabled in the policy.
MLS=n
@@ -2415,7 +2500,7 @@
@echo "Done"
+
+mcsconvert:
-+ @for file in $(DEFCONTEXTFILES) appconfig/*; do \
++ @for file in $(CONTEXTFILES); do \
+ echo "Converting $$file"; \
+ sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
+ mv $$file.new $$file; \
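Review bot: The mcsconvert loop now iterates over `$(CONTEXTFILES)` instead of `$(DEFCONTEXTFILES) appconfig/*`, and the definition of CONTEXTFILES is not among the visible lines, so it is not possible to confirm here that the appconfig files are still converted. Please check that. Separately, the sed expression `s/_t\b/_t:s0/g` is not idempotent: after one run `_t` is followed by `:`, which is still a word boundary, so a second run produces `_t:s0:s0`. A guard against already-converted files, and quoting "$$file", would make the target safer to re-run.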
@@ -2789,3 +2874,17 @@
#
# node_t is the default type of network nodes.
+diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.25.4/types/security.te
+--- nsapolicy/types/security.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.4/types/security.te 2005-08-29 09:59:24.000000000 -0400
+@@ -19,6 +19,10 @@
+ # the security server policy configuration.
+ #
+ type policy_config_t, file_type, secadmfile;
++# Since libselinux attempts to read these by default, most domains
++# do not need it.
++dontaudit domain selinux_config_t:dir search;
++dontaudit domain selinux_config_t:file { getattr read };
+
+ #
+ # policy_src_t is the type of the policy source
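Review bot: The new `dontaudit domain selinux_config_t:dir search;` and `dontaudit domain selinux_config_t:file { getattr read };` in security.te silence these denials for every domain, which also hides them for any domain that turns out to need the access, so the resulting failure will produce no AVC message. The comment should say that explicitly. With the global rule in place, the per-domain copies still visible elsewhere in this patch (for example `dontaudit cupsd_t selinux_config_t:dir search;` in cups.te and the httpd_t one) are redundant. Only the dhcpc.te copy was removed, so the rest could be cleaned up in the same change.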
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.368
retrieving revision 1.369
diff -u -r1.368 -r1.369
--- selinux-policy-targeted.spec 25 Aug 2005 20:15:54 -0000 1.368
+++ selinux-policy-targeted.spec 29 Aug 2005 17:47:56 -0000 1.369
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.25.4
-Release: 9
+Release: 11
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -238,6 +238,12 @@
exit 0
%changelog
+* Mon Aug 29 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-11
+- Change can_resolv to allow tcp_socket name_connect to dns port.
+
+* Thu Aug 25 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-10
+- Bump for FC4
+
* Thu Aug 25 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-9
- Allow i18n_input to read homedirs
- Remove i18n_input from targeted
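Review bot: The 1.25.4-11 changelog entry names the macro `can_resolv`, while network_macros.te defines `can_resolve`, so a search of the changelog for the real macro name will miss this entry. The entry also lists only the DNS change, whereas this patch revision additionally touches amanda, apmd, auditd, cups, dbusd, dhcpc, hwclock, NetworkManager, initrc, the Makefile mcsconvert target and a domain-wide dontaudit in security.te. Please add a line for each of the permission changes so the package history reflects them.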