rpms/selinux-policy-targeted/devel policy-20050811.patch, 1.8, 1.9 selinux-policy-targeted.spec, 1.368, 1.369

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Aug 29 17:48:00 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2533

Modified Files:
	policy-20050811.patch selinux-policy-targeted.spec 
Log Message:
* Mon Aug 29 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-11
- Change can_resolve to allow tcp_socket name_connect to dns port.


policy-20050811.patch:
 Makefile                                 |   38 +++++
 attrib.te                                |    2 
 domains/misc/kernel.te                   |    2 
 domains/program/crond.te                 |    7 -
 domains/program/fsadm.te                 |    7 -
 domains/program/hostname.te              |    3 
 domains/program/ifconfig.te              |    5 
 domains/program/initrc.te                |   16 ++
 domains/program/ldconfig.te              |    3 
 domains/program/load_policy.te           |    6 
 domains/program/login.te                 |   12 -
 domains/program/modutil.te               |   14 +-
 domains/program/mount.te                 |    3 
 domains/program/netutils.te              |    3 
 domains/program/passwd.te                |    3 
 domains/program/restorecon.te            |    5 
 domains/program/setfiles.te              |    2 
 domains/program/ssh.te                   |   18 +-
 domains/program/unused/NetworkManager.te |    8 -
 domains/program/unused/acct.te           |   10 -
 domains/program/unused/alsa.te           |   11 +
 domains/program/unused/amanda.te         |   53 -------
 domains/program/unused/apache.te         |   12 +
 domains/program/unused/apmd.te           |    8 +
 domains/program/unused/auditd.te         |    2 
 domains/program/unused/automount.te      |    4 
 domains/program/unused/backup.te         |    2 
 domains/program/unused/bluetooth.te      |    5 
 domains/program/unused/bootloader.te     |    2 
 domains/program/unused/cardmgr.te        |    3 
 domains/program/unused/certwatch.te      |   11 +
 domains/program/unused/clockspeed.te     |    3 
 domains/program/unused/cups.te           |    8 +
 domains/program/unused/cvs.te            |   10 -
 domains/program/unused/cyrus.te          |   10 +
 domains/program/unused/dbusd.te          |    9 +
 domains/program/unused/ddclient.te       |    6 
 domains/program/unused/dhcpc.te          |    5 
 domains/program/unused/dovecot.te        |    4 
 domains/program/unused/dpkg.te           |    3 
 domains/program/unused/firstboot.te      |    7 -
 domains/program/unused/fs_daemon.te      |    2 
 domains/program/unused/ftpd.te           |    8 -
 domains/program/unused/hald.te           |    1 
 domains/program/unused/hwclock.te        |    5 
 domains/program/unused/i18n_input.te     |    2 
 domains/program/unused/ipsec.te          |    7 -
 domains/program/unused/kudzu.te          |    4 
 domains/program/unused/lvm.te            |    1 
 domains/program/unused/mailman.te        |    2 
 domains/program/unused/mta.te            |    6 
 domains/program/unused/mysqld.te         |    7 -
 domains/program/unused/ntpd.te           |    2 
 domains/program/unused/openct.te         |   16 ++
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/ping.te           |   12 +
 domains/program/unused/postgresql.te     |    4 
 domains/program/unused/pppd.te           |   22 ++-
 domains/program/unused/procmail.te       |    3 
 domains/program/unused/readahead.te      |   21 +++
 domains/program/unused/rlogind.te        |    2 
 domains/program/unused/roundup.te        |   29 ++++
 domains/program/unused/rpcd.te           |    2 
 domains/program/unused/rpm.te            |    3 
 domains/program/unused/rsync.te          |    4 
 domains/program/unused/samba.te          |   16 +-
 domains/program/unused/saslauthd.te      |   10 +
 domains/program/unused/slocate.te        |    4 
 domains/program/unused/squid.te          |    2 
 domains/program/unused/sxid.te           |    1 
 domains/program/unused/udev.te           |    4 
 domains/program/unused/vpnc.te           |   17 ++
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/ypserv.te         |    1 
 domains/program/useradd.te               |    2 
 file_contexts/distros.fc                 |    5 
 file_contexts/program/apache.fc          |    8 -
 file_contexts/program/certwatch.fc       |    3 
 file_contexts/program/clamav.fc          |    2 
 file_contexts/program/cups.fc            |    1 
 file_contexts/program/dhcpc.fc           |    1 
 file_contexts/program/dhcpd.fc           |    2 
 file_contexts/program/fsadm.fc           |    1 
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/postfix.fc         |    2 
 file_contexts/program/postgresql.fc      |    4 
 file_contexts/program/pppd.fc            |   14 +-
 file_contexts/program/qmail.fc           |    2 
 file_contexts/program/radvd.fc           |    1 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    8 -
 genfs_contexts                           |    1 
 macros/base_user_macros.te               |    4 
 macros/core_macros.te                    |    3 
 macros/global_macros.te                  |   32 ++++
 macros/network_macros.te                 |   21 ++-
 macros/program/apache_macros.te          |   12 +
 macros/program/cdrecord_macros.te        |   16 --
 macros/program/chkpwd_macros.te          |   17 --
 macros/program/ethereal_macros.te        |    7 -
 macros/program/evolution_macros.te       |    2 
 macros/program/gpg_macros.te             |    2 
 macros/program/i18n_input_macros.te      |   21 +++
 macros/program/mail_client_macros.te     |    5 
 macros/program/mozilla_macros.te         |    7 +
 macros/program/mta_macros.te             |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/spamassassin_macros.te    |    2 
 macros/program/su_macros.te              |   10 +
 macros/program/thunderbird_macros.te     |    6 
 macros/program/uml_macros.te             |    2 
 macros/user_macros.te                    |    1 
 mcs                                      |  216 +++++++++++++++++++++++++++++++
 net_contexts                             |    8 -
 targeted/appconfig/root_default_contexts |    4 
 targeted/assert.te                       |    2 
 targeted/domains/unconfined.te           |    6 
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/file.te                            |    4 
 types/network.te                         |    9 -
 types/security.te                        |    4 
 127 files changed, 805 insertions(+), 264 deletions(-)

Index: policy-20050811.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050811.patch,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- policy-20050811.patch	25 Aug 2005 20:35:53 -0000	1.8
+++ policy-20050811.patch	29 Aug 2005 17:47:56 -0000	1.9
@@ -116,7 +116,7 @@
  allow ifconfig_t tun_tap_device_t:chr_file { read write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.25.4/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-08-11 06:57:13.000000000 -0400
-+++ policy-1.25.4/domains/program/initrc.te	2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/initrc.te	2005-08-29 08:07:06.000000000 -0400
 @@ -214,7 +214,15 @@
  allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
  allow initrc_t self:capability sys_admin;
@@ -134,13 +134,16 @@
  ')dnl end distro_redhat
  
  allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-@@ -319,3 +327,6 @@
+@@ -319,3 +327,9 @@
  ')
  allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
  allow initrc_t device_t:lnk_file create_file_perms;
 +ifdef(`dbusd.te', `
 +allow initrc_t system_dbusd_var_run_t:sock_file write;
 +')
++
++# Slapd needs to read cert files from its initscript
++r_dir_file(initrc_t, cert_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.25.4/domains/program/ldconfig.te
 --- nsapolicy/domains/program/ldconfig.te	2005-05-25 11:28:09.000000000 -0400
 +++ policy-1.25.4/domains/program/ldconfig.te	2005-08-25 10:28:34.000000000 -0400
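Review bot: `r_dir_file(initrc_t, cert_t)` grants every initscript running as initrc_t read access to everything labelled cert_t, not only what slapd's initscript needs; if private key material shares the cert_t label, that read now reaches it too. If the key files can carry a distinct type, or the read can happen after the transition into slapd's own domain, the grant stays narrower. At least the comment should name the paths involved, e.g. `# Slapd's initscript reads cert_t under <cert dir>; private keys should not share this type` (replace the placeholder with the real directory).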
@@ -463,7 +466,7 @@
 +read_locale(alsa_t) 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.25.4/domains/program/unused/amanda.te
 --- nsapolicy/domains/program/unused/amanda.te	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/amanda.te	2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/amanda.te	2005-08-29 11:43:44.000000000 -0400
 @@ -84,7 +84,6 @@
  
  # configuration files -> read only
@@ -536,7 +539,7 @@
  ##############################################################################
  # AMANDA RECOVER DECLARATIONS
  ##############################################################################
-@@ -301,7 +265,8 @@
+@@ -301,22 +265,17 @@
  #
  allow inetd_t amanda_port_t:{ tcp_socket udp_socket } name_bind;
  
@@ -546,8 +549,10 @@
  allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
  allow amanda_t device_type:{ blk_file chr_file } getattr;
  allow amanda_t fixed_disk_device_t:blk_file read;
-@@ -310,13 +275,7 @@
- dontaudit amanda_t file_type:sock_file getattr;
+ domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+ 
+-dontaudit amanda_t file_type:sock_file getattr;
++allow amanda_t file_type:sock_file getattr;
  logdir_domain(amanda)
  
 -dontaudit amanda_t autofs_t:dir { getattr read search };
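Review bot: Turning `dontaudit amanda_t file_type:sock_file getattr` into `allow amanda_t file_type:sock_file getattr` grants stat on every socket file on the system, since file_type is the attribute carried by all file types; the dontaudit only silenced the denial without granting anything. That may be the right call for a backup tool that walks whole trees, but the hunk does not say so, and from here it is not clear whether a specific socket type was the trigger. Either narrow the type if one socket is the cause, or add `# backups stat every object while walking the tree, sockets included` above the rule so the width is clearly deliberate.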
@@ -601,7 +606,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.4/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/apmd.te	2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/apmd.te	2005-08-29 11:30:30.000000000 -0400
 @@ -16,7 +16,9 @@
  
  type apm_t, domain, privlog;
@@ -612,7 +617,7 @@
  uses_shlib(apm_t)
  allow apm_t privfd:fd use;
  allow apm_t admin_tty_type:chr_file rw_file_perms;
-@@ -138,3 +140,7 @@
+@@ -138,3 +140,9 @@
  allow apmd_t user_tty_type:chr_file rw_file_perms;
  # Access /dev/apm_bios.
  allow initrc_t apm_bios_t:chr_file { setattr getattr read };
@@ -620,6 +625,17 @@
 +ifdef(`logrotate.te', `
 +allow apmd_t logrotate_t:fd use;
 +')dnl end if logrotate.te
++allow apmd_t devpts_t:dir { getattr search };
++allow apmd_t security_t:dir search;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.25.4/domains/program/unused/auditd.te
+--- nsapolicy/domains/program/unused/auditd.te	2005-07-06 17:15:06.000000000 -0400
++++ policy-1.25.4/domains/program/unused/auditd.te	2005-08-29 11:35:53.000000000 -0400
+@@ -65,3 +65,5 @@
+ allow auditctl_t privfd:fd use;
+ 
+ 
++allow auditd_t sbin_t:dir search;
++can_exec(auditd_t, sbin_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.25.4/domains/program/unused/automount.te
 --- nsapolicy/domains/program/unused/automount.te	2005-06-01 06:11:22.000000000 -0400
 +++ policy-1.25.4/domains/program/unused/automount.te	2005-08-25 10:28:34.000000000 -0400
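Review bot: `can_exec(auditd_t, sbin_t)` lets auditd run any binary labelled sbin_t inside its own domain, with all of auditd_t's permissions, rather than transitioning into a dedicated domain. If this is for a specific helper such as the audit dispatcher, give that executable its own exec type and a `domain_auto_trans(auditd_t, <helper>_exec_t, <helper>_t)` so its access can be confined separately. At minimum add a comment naming the helper, e.g. `# auditd execs <helper> from /sbin`; as written a reader cannot tell what auditd is expected to launch. The added `sbin_t:dir search` is fine on its own.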
@@ -730,8 +746,41 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.4/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/cups.te	2005-08-25 10:28:34.000000000 -0400
-@@ -245,6 +245,7 @@
++++ policy-1.25.4/domains/program/unused/cups.te	2005-08-27 04:24:14.000000000 -0400
+@@ -188,6 +188,7 @@
+ # Uses networking to talk to the daemons
+ allow hplip_t self:unix_dgram_socket create_socket_perms;
+ allow hplip_t self:unix_stream_socket create_socket_perms;
++allow hplip_t self:rawip_socket create_socket_perms;
+ 
+ # for python
+ can_exec(hplip_t, bin_t)
+@@ -196,6 +197,9 @@
+ allow hplip_t proc_t:file r_file_perms;
+ allow hplip_t urandom_device_t:chr_file { getattr read };
+ allow hplip_t usr_t:{ file lnk_file } r_file_perms;
++allow hplip_t devpts_t:dir search;
++allow hplip_t devpts_t:chr_file { getattr ioctl };
++
+ 
+ dontaudit cupsd_t selinux_config_t:dir search;
+ dontaudit cupsd_t selinux_config_t:file { getattr read };
+@@ -231,12 +235,13 @@
+ allow cupsd_config_t cupsd_t:{ file lnk_file } { getattr read };
+ can_ps(cupsd_config_t, cupsd_t)
+ 
+-allow cupsd_config_t self:capability chown;
++allow cupsd_config_t self:capability { chown sys_tty_config };
+ 
+ rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
+ rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
+ file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
+ file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
++allow cupsd_config_t var_t:lnk_file read;
+ 
+ can_network_tcp(cupsd_config_t)
+ can_ypbind(cupsd_config_t)
+@@ -245,6 +250,7 @@
  allow cupsd_config_t self:fifo_file rw_file_perms;
  
  allow cupsd_config_t self:unix_stream_socket create_socket_perms;
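Review bot: `allow hplip_t self:rawip_socket create_socket_perms` hands the printer helper raw IP sockets with no comment saying why; that is an unusual privilege for a print daemon, and creating a raw socket normally also needs `self:capability net_raw`, which this hunk does not grant, so the rule may either be dead or presume a capability granted elsewhere. If the purpose is probing network printers, record it (`# hplip probes network printers over raw IP; requires net_raw`) and confirm the capability is present. The second sub-hunk also adds a `+` blank line directly before an existing blank line, leaving two consecutive empty lines in cups.te.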
@@ -787,8 +836,8 @@
 +allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.25.4/domains/program/unused/dbusd.te
 --- nsapolicy/domains/program/unused/dbusd.te	2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dbusd.te	2005-08-25 10:28:34.000000000 -0400
-@@ -12,9 +12,14 @@
++++ policy-1.25.4/domains/program/unused/dbusd.te	2005-08-26 15:05:37.000000000 -0400
+@@ -12,9 +12,16 @@
  
  # dac_override: /var/run/dbus is owned by messagebus on Debian
  allow system_dbusd_t self:capability { dac_override setgid setuid };
@@ -804,6 +853,8 @@
 +can_exec(system_dbusd_t, sbin_t)
 +allow system_dbusd_t self:fifo_file { read write };
 +allow system_dbusd_t self:unix_stream_socket connectto;
++allow system_dbusd_t self:unix_stream_socket connectto;
++allow system_dbusd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.25.4/domains/program/unused/ddclient.te
 --- nsapolicy/domains/program/unused/ddclient.te	2005-07-06 17:15:06.000000000 -0400
 +++ policy-1.25.4/domains/program/unused/ddclient.te	2005-08-25 10:28:34.000000000 -0400
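Review bot: The added `allow system_dbusd_t self:unix_stream_socket connectto;` is byte-identical to the line immediately above it, which the patch already carries, so the new copy is a merge slip; drop it. The new `netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }` rule lets the message bus write to the audit netlink socket, which is a privilege worth a one-line justification (`# dbusd emits audit records for <reason>`) so a later reviewer does not have to guess whether it is still needed.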
@@ -819,8 +870,16 @@
 +dontaudit httpd_t selinux_config_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.4/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/dhcpc.te	2005-08-25 10:28:34.000000000 -0400
-@@ -156,6 +156,6 @@
++++ policy-1.25.4/domains/program/unused/dhcpc.te	2005-08-29 09:58:32.000000000 -0400
+@@ -134,7 +134,6 @@
+ allow dhcpc_t home_root_t:dir search;
+ allow initrc_t dhcpc_state_t:file { getattr read };
+ dontaudit dhcpc_t var_lock_t:dir search;
+-dontaudit dhcpc_t selinux_config_t:dir search;
+ allow dhcpc_t self:netlink_route_socket r_netlink_socket_perms;
+ dontaudit dhcpc_t domain:dir getattr;
+ allow dhcpc_t initrc_var_run_t:file rw_file_perms;
+@@ -156,6 +155,6 @@
  domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
  allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
  allow dhcpc_t self:dbus send_msg;
@@ -920,8 +979,8 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.25.4/domains/program/unused/hwclock.te
 --- nsapolicy/domains/program/unused/hwclock.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/hwclock.te	2005-08-25 10:28:34.000000000 -0400
-@@ -17,7 +17,9 @@
++++ policy-1.25.4/domains/program/unused/hwclock.te	2005-08-27 04:28:02.000000000 -0400
+@@ -17,9 +17,10 @@
  #
  daemon_base_domain(hwclock)
  role sysadm_r types hwclock_t;
@@ -929,13 +988,16 @@
  domain_auto_trans(sysadm_t, hwclock_exec_t, hwclock_t)
 +')
  type adjtime_t, file_type, sysadmfile;
- 
+-
  allow hwclock_t fs_t:filesystem getattr;
-@@ -44,3 +46,4 @@
+ 
+ read_locale(hwclock_t)
+@@ -44,3 +45,5 @@
  
  # for when /usr is not mounted
  dontaudit hwclock_t file_t:dir search;
 +allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++r_dir_file(hwclock_t, etc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.25.4/domains/program/unused/i18n_input.te
 --- nsapolicy/domains/program/unused/i18n_input.te	2005-07-06 17:15:06.000000000 -0400
 +++ policy-1.25.4/domains/program/unused/i18n_input.te	2005-08-25 10:28:34.000000000 -0400
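Review bot: `r_dir_file(hwclock_t, etc_t)` grants read on every etc_t directory and file, while hwclock's own state file already has its own type (`adjtime_t` just above) and locale data is covered by the `read_locale(hwclock_t)` this patch adds. If a single configuration file is the trigger, an `allow hwclock_t etc_t:file r_file_perms` with a comment naming that file would be narrower than the directory-plus-file macro; if the whole tree really is needed, say so in a comment. The hunk gives no hint which file prompted the grant.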
@@ -1073,7 +1135,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/NetworkManager.te policy-1.25.4/domains/program/unused/NetworkManager.te
 --- nsapolicy/domains/program/unused/NetworkManager.te	2005-08-11 06:57:14.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/NetworkManager.te	2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/NetworkManager.te	2005-08-29 11:30:40.000000000 -0400
 @@ -15,12 +15,12 @@
  
  can_network(NetworkManager_t)
@@ -1099,6 +1161,11 @@
  
  domain_auto_trans(NetworkManager_t, initrc_exec_t, initrc_t)
  domain_auto_trans(NetworkManager_t, dhcpc_exec_t, dhcpc_t)
+@@ -106,3 +109,4 @@
+ ')
+ allow NetworkManager_t var_lib_t:dir search;
+ dontaudit NetworkManager_t user_tty_type:chr_file { read write };
++allow NetworkManager_t security_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.25.4/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.4/domains/program/unused/ntpd.te	2005-08-25 10:28:34.000000000 -0400
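Review bot: `allow NetworkManager_t security_t:dir search` (and the matching `allow apmd_t security_t:dir search` in the apmd hunk) grants search on the selinuxfs mount; if the only cause is a libselinux probe at startup, a `dontaudit` — the pattern this commit itself applies to selinux_config_t in types/security.te — would silence the denial without granting access. If NetworkManager genuinely queries the security server, a comment naming the call that needs it would justify the allow; the hunk does not say which case applies.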
@@ -1149,7 +1216,7 @@
 +nsswitch_domain(pam_console_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.25.4/domains/program/unused/ping.te
 --- nsapolicy/domains/program/unused/ping.te	2005-08-11 06:57:15.000000000 -0400
-+++ policy-1.25.4/domains/program/unused/ping.te	2005-08-25 10:28:34.000000000 -0400
++++ policy-1.25.4/domains/program/unused/ping.te	2005-08-29 11:21:58.000000000 -0400
 @@ -17,7 +17,9 @@
  in_user_role(ping_t)
  type ping_exec_t, file_type, sysadmfile, exec_type;
@@ -1161,7 +1228,15 @@
  bool user_ping false;
  
  if (user_ping) {
-@@ -42,9 +44,6 @@
+@@ -35,6 +37,7 @@
+ uses_shlib(ping_t)
+ can_network_client(ping_t)
+ can_resolve(ping_t)
++allow ping_t dns_port_t:tcp_socket name_connect;
+ can_ypbind(ping_t)
+ allow ping_t etc_t:file { getattr read };
+ allow ping_t self:unix_stream_socket create_socket_perms;
+@@ -42,9 +45,6 @@
  # Let ping create raw ICMP packets.
  allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
  
@@ -1171,7 +1246,7 @@
  # Use capabilities.
  allow ping_t self:capability { net_raw setuid };
  
-@@ -52,11 +51,13 @@
+@@ -52,11 +52,13 @@
  allow ping_t admin_tty_type:chr_file rw_file_perms;
  ifdef(`gnome-pty-helper.te', `allow ping_t sysadm_gph_t:fd use;')
  allow ping_t privfd:fd use;
@@ -1962,7 +2037,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.25.4/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	2005-07-12 08:50:43.000000000 -0400
-+++ policy-1.25.4/macros/network_macros.te	2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/macros/network_macros.te	2005-08-29 11:49:26.000000000 -0400
 @@ -16,9 +16,7 @@
  # Allow the domain to send or receive using any network interface.
  # netif_type is a type attribute for all network interface types.
@@ -1974,7 +2049,17 @@
  #
  # Allow the domain to send to or receive from any node.
  # node_type is a type attribute for all node types.
-@@ -175,3 +173,17 @@
+@@ -155,7 +153,8 @@
+ ')dnl end can_network definition
+ 
+ define(`can_resolve',`
+-can_network_udp($1, `dns_port_t')
++can_network_client($1, `dns_port_t')
++allow $1 dns_port_t:tcp_socket name_connect;
+ ')
+ 
+ define(`can_portmap',`
+@@ -175,3 +174,17 @@
  allow $1 winbind_var_run_t:sock_file { getattr read write };
  ')
  ')
@@ -2345,7 +2430,7 @@
  ifdef(`lockdev.te', `lockdev_domain($1)')
 diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.25.4/Makefile
 --- nsapolicy/Makefile	2005-07-06 17:15:06.000000000 -0400
-+++ policy-1.25.4/Makefile	2005-08-25 10:28:35.000000000 -0400
++++ policy-1.25.4/Makefile	2005-08-27 04:40:05.000000000 -0400
 @@ -15,6 +15,9 @@
  # Set to y if MLS is enabled in the policy.
  MLS=n
@@ -2415,7 +2500,7 @@
  	@echo "Done"
 +
 +mcsconvert: 
-+	@for file in $(DEFCONTEXTFILES) appconfig/*; do \
++	@for file in $(CONTEXTFILES); do \
 +		echo "Converting $$file"; \
 +		sed -e 's/_t\b/_t:s0/g' $$file > $$file.new && \
 +		mv $$file.new $$file; \
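Review bot: The `mcsconvert` loop still swallows failures: if `sed` or `mv` fails for one file, the `&&` chain simply moves on to the next iteration and the recipe's exit status is that of the last file only, so a partially converted tree can look successful. Append `|| exit 1` after `mv $$file.new $$file` so the target stops on the first bad file. The substitution is also not idempotent — `_t\b` matches the `_t` inside an already converted `_t:s0`, so running the target twice produces `_t:s0:s0`; either skip files that already contain `:s0` or make the pattern reject a following `:`. If `mcsconvert` is not already listed in `.PHONY` (not visible in this hunk), add it, since it produces no file of that name.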
@@ -2789,3 +2874,17 @@
  
  #
  # node_t is the default type of network nodes.
+diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.25.4/types/security.te
+--- nsapolicy/types/security.te	2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.4/types/security.te	2005-08-29 09:59:24.000000000 -0400
+@@ -19,6 +19,10 @@
+ # the security server policy configuration.
+ #
+ type policy_config_t, file_type, secadmfile;
++# Since libselinux attempts to read these by default, most domains 
++# do not need it.
++dontaudit domain selinux_config_t:dir search;
++dontaudit domain selinux_config_t:file { getattr read };
+ 
+ #
+ # policy_src_t is the type of the policy source
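Review bot: `dontaudit domain selinux_config_t:dir search` and `:file { getattr read }` apply to every domain, so any process that actually tries to read the policy configuration — which reveals which types and booleans are in force — no longer produces an AVC record anywhere; the convenience of silencing libselinux's default probe costs audit visibility policy-wide. A macro that domains opt into, or the existing per-domain dontaudits, keeps that signal for domains where the read would be suspicious. If the global rule stays, the per-domain copies this patch still carries — `dontaudit cupsd_t selinux_config_t:dir search` and the matching `:file { getattr read }` line in the cups hunk, and `dontaudit httpd_t selinux_config_t:dir search` in the apache hunk — are now redundant and should be dropped as was done for dhcpc_t in this commit.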


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.368
retrieving revision 1.369
diff -u -r1.368 -r1.369
--- selinux-policy-targeted.spec	25 Aug 2005 20:15:54 -0000	1.368
+++ selinux-policy-targeted.spec	29 Aug 2005 17:47:56 -0000	1.369
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.4
-Release: 9
+Release: 11
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -238,6 +238,12 @@
 exit 0
 
 %changelog
+* Mon Aug 29 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-11
+- Change can_resolv to allow tcp_socket name_connect to dns port.
+
+* Thu Aug 25 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-10
+- Bump for FC4
+
 * Thu Aug 25 2005 Dan Walsh <dwalsh at redhat.com> 1.25.4-9
 - Allow i18n_input to read homedirs
 - Remove i18n_input from targeted



