rpms/selinux-policy/devel policy-20051114.patch, 1.20, 1.21 selinux-policy.spec, 1.29, 1.30

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Dec 6 17:42:29 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv29610

Modified Files:
	policy-20051114.patch selinux-policy.spec 
Log Message:
* Fri Dec  2 2005 Dan Walsh <dwalsh at redhat.com> 2.0.9-1.
Update from upstream


policy-20051114.patch:
 Makefile                                |    7 +------
 Rules.modular                           |    7 +++++++
 Rules.monolithic                        |    7 ++++++-
 policy/modules/admin/su.if              |    3 +++
 policy/modules/services/canna.te        |    1 -
 policy/modules/services/cups.te         |    1 +
 policy/modules/services/dbus.te         |    2 +-
 policy/modules/services/ftp.te          |    3 +++
 policy/modules/services/mta.te          |    9 ---------
 policy/modules/services/nis.if          |    2 ++
 policy/modules/services/sasl.te         |    4 +++-
 policy/modules/services/spamassassin.te |    1 +
 policy/modules/system/hostname.te       |    1 -
 policy/modules/system/init.if           |   31 -------------------------------
 policy/modules/system/locallogin.te     |    7 -------
 policy/modules/system/mount.te          |    5 +----
 16 files changed, 29 insertions(+), 62 deletions(-)

Index: policy-20051114.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051114.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20051114.patch	6 Dec 2005 04:12:01 -0000	1.20
+++ policy-20051114.patch	6 Dec 2005 17:42:25 -0000	1.21
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.0.9/Makefile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.0.10/Makefile
 --- nsaserefpolicy/Makefile	2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.0.9/Makefile	2005-12-05 23:07:35.000000000 -0500
++++ serefpolicy-2.0.10/Makefile	2005-12-06 11:40:43.000000000 -0500
 @@ -92,7 +92,7 @@
  
  # enable MLS if requested.
@@ -22,59 +22,228 @@
  $(APPDIR)/default_type: $(APPCONF)/default_type
  	@mkdir -p $(APPDIR)
  	$(QUIET) install -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.0.9/policy/modules/admin/rpm.te
---- nsaserefpolicy/policy/modules/admin/rpm.te	2005-11-28 10:42:52.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/admin/rpm.te	2005-12-05 22:38:01.000000000 -0500
-@@ -201,9 +201,6 @@
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.0.10/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if	2005-11-29 18:36:30.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/admin/su.if	2005-12-06 11:40:43.000000000 -0500
+@@ -50,6 +50,9 @@
+ 	selinux_compute_relabel_context($1_su_t)
+ 	selinux_compute_user_contexts($1_su_t)
  
- ifdef(`TODO',`
--# cjp: this seems way out of place
--role sysadm_r types initrc_t;
--
- # read/write/create any files in the system
- dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
- allow rpm_t ttyfile:chr_file unlink;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.0.9/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te	2005-11-28 10:42:53.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/services/dbus.te	2005-12-05 22:38:01.000000000 -0500
-@@ -30,7 +30,7 @@
++	files_dontaudit_getattr_tmp_dir($1_su_t)
++	files_dontaudit_read_etc_runtime_files($1_su_t)
++
+ 	auth_domtrans_chk_passwd($1_su_t)
+ 	auth_dontaudit_read_shadow($1_su_t)
+ 	auth_use_nsswitch($1_su_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-2.0.10/policy/modules/services/canna.te
+--- nsaserefpolicy/policy/modules/services/canna.te	2005-12-02 17:53:26.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/canna.te	2005-12-06 11:46:51.000000000 -0500
+@@ -47,7 +47,6 @@
+ 
+ kernel_read_kernel_sysctl(canna_t)
+ kernel_read_system_state(canna_t)
+-kernel_dontaudit_use_fd(canna_t)
+ 
+ corenet_tcp_sendrecv_all_if(canna_t)
+ corenet_raw_sendrecv_all_if(canna_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.0.10/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te	2005-12-02 17:53:53.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/cups.te	2005-12-06 11:40:43.000000000 -0500
+@@ -468,6 +468,7 @@
+ # Cups configuration daemon local policy
+ #
  
- # dac_override: /var/run/dbus is owned by messagebus on Debian
++allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+ allow cupsd_config_t self:capability { chown sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+ allow cupsd_config_t self:process signal_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.0.10/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te	2005-12-06 11:36:01.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/dbus.te	2005-12-06 11:40:43.000000000 -0500
+@@ -32,7 +32,7 @@
  # cjp: dac_override should probably go in a distro_debian
--allow system_dbusd_t self:capability { dac_override setgid setuid };
-+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+ allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
  dontaudit system_dbusd_t self:capability sys_tty_config;
- allow system_dbusd_t self:process { getattr signal_perms };
+-allow system_dbusd_t self:process { getattr signal_perms };
++allow system_dbusd_t self:process { getattr signal_perms setcap };
  allow system_dbusd_t self:fifo_file { read write };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.0.9/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te	2005-11-28 10:42:53.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/system/authlogin.te	2005-12-05 22:38:01.000000000 -0500
-@@ -278,6 +278,7 @@
- fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
- 
- term_dontaudit_use_unallocated_tty(system_chkpwd_t)
-+term_dontaudit_use_generic_pty(system_chkpwd_t)
- 
- corecmd_search_sbin(system_chkpwd_t)
- 
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.0.9/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te	2005-11-28 10:42:54.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/system/logging.te	2005-12-05 22:38:01.000000000 -0500
-@@ -69,7 +69,9 @@
- allow auditctl_t auditd_etc_t:file r_file_perms;
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.0.10/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te	2005-11-28 10:42:53.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/ftp.te	2005-12-06 11:40:43.000000000 -0500
+@@ -104,6 +104,9 @@
+ 
+ domain_use_wide_inherit_fd(ftpd_t)
+ 
++files_search_var_lib_dir(ftpd_t)
++auth_use_nsswitch(ftpd_t)
++
+ files_search_etc(ftpd_t)
+ files_read_etc_files(ftpd_t)
+ files_read_etc_runtime_files(ftpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.0.10/policy/modules/services/mta.te
+--- nsaserefpolicy/policy/modules/services/mta.te	2005-12-05 22:35:03.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/mta.te	2005-12-06 11:41:43.000000000 -0500
+@@ -57,15 +57,6 @@
+ 
+ userdom_use_sysadm_terms(system_mail_t)
+ 
+-ifdef(`hide_broken_symptoms',`
+-	# Red Hat systems seem to have a stray
+-	# fds open from the initrd
+-	ifdef(`distro_redhat',`
+-		kernel_dontaudit_use_fd(system_mail_t)
+-		storage_dontaudit_read_fixed_disk(system_mail_t)
+-	')
+-')
+-
+ ifdef(`targeted_policy',`
+ 	typealias system_mail_t alias sysadm_mail_t;
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.0.10/policy/modules/services/nis.if
+--- nsaserefpolicy/policy/modules/services/nis.if	2005-12-06 11:36:01.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/nis.if	2005-12-06 12:25:49.000000000 -0500
+@@ -148,8 +148,10 @@
+ interface(`nis_signal_ypbind',`
+ 	gen_require(`
+ 		type ypbind_t;
++		type ypbind_var_run_t;
+ 	')
  
- kernel_read_kernel_sysctl(auditctl_t)
-+kernel_read_proc_symlinks(auditctl_t)
++	allow $1 ypbind_var_run_t:file read;
+ 	allow $1 ypbind_t:process signal;
+ ')
  
-+domain_read_all_domains_state(auditctl_t)
- domain_use_wide_inherit_fd(auditctl_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.0.10/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te	2005-11-29 18:36:31.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/sasl.te	2005-12-06 11:40:43.000000000 -0500
+@@ -18,6 +18,7 @@
+ # Local policy
+ #
  
- init_use_script_pty(auditctl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.0.9/policy/modules/system/mount.te
++allow saslauthd_t self:capability setuid;
+ dontaudit saslauthd_t self:capability sys_tty_config;
+ allow saslauthd_t self:process signal_perms;
+ allow saslauthd_t self:fifo_file { read write };
+@@ -55,9 +56,10 @@
+ domain_use_wide_inherit_fd(saslauthd_t)
+ 
+ files_read_etc_files(saslauthd_t)
+-files_read_etc_runtime_files(saslauthd_t)
++files_dontaudit_read_etc_runtime_files(saslauthd_t)
+ files_search_var_lib(saslauthd_t)
+ files_dontaudit_getattr_home_dir(saslauthd_t)
++files_dontaudit_getattr_tmp_dir(saslauthd_t)
+ 
+ init_use_fd(saslauthd_t)
+ init_use_script_pty(saslauthd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.0.10/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te	2005-12-02 17:53:26.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/spamassassin.te	2005-12-06 11:40:43.000000000 -0500
+@@ -72,6 +72,7 @@
+ corenet_tcp_bind_all_nodes(spamd_t)
+ corenet_udp_bind_all_nodes(spamd_t)
+ corenet_tcp_bind_spamd_port(spamd_t)
++corenet_udp_bind_generic_port(spamd_t)
+ 
+ dev_read_sysfs(spamd_t)
+ dev_read_urand(spamd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.0.10/policy/modules/system/hostname.te
+--- nsaserefpolicy/policy/modules/system/hostname.te	2005-11-25 08:11:12.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/system/hostname.te	2005-12-06 11:48:09.000000000 -0500
+@@ -22,7 +22,6 @@
+ allow hostname_t self:unix_stream_socket create_stream_socket_perms;
+ dontaudit hostname_t self:capability sys_tty_config;
+ 
+-kernel_dontaudit_use_fd(hostname_t)
+ kernel_list_proc(hostname_t)
+ kernel_read_proc_symlinks(hostname_t)
+ 
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.0.10/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if	2005-12-05 22:35:03.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/system/init.if	2005-12-06 11:43:22.000000000 -0500
+@@ -31,18 +31,6 @@
+ 	allow init_t $1:fd use;
+ 	allow $1 init_t:fifo_file rw_file_perms;
+ 	allow $1 init_t:process sigchld;
+-
+-	# Red Hat systems seem to have stray
+-	# fds open from the initrd
+-	ifdef(`hide_broken_symptoms',`
+-		# Red Hat systems seem to have a stray
+-		# fds open from the initrd
+-		ifdef(`distro_redhat',`
+-			kernel_dontaudit_use_fd($1)
+-			storage_dontaudit_read_fixed_disk($1)
+-			files_dontaudit_read_root_file($1)
+-		')
+-	')
+ ')
+ 
+ ########################################
+@@ -82,16 +70,6 @@
+ 		typeattribute $2 direct_init_entry;
+ 	')
+ 
+-	ifdef(`hide_broken_symptoms',`
+-		# Red Hat systems seem to have a stray
+-		# fds open from the initrd
+-		ifdef(`distro_redhat',`
+-			kernel_dontaudit_use_fd($1)
+-			storage_dontaudit_read_fixed_disk($1)
+-			files_dontaudit_read_root_file($1)
+-		')
+-	')
+-
+ 	ifdef(`targeted_policy',`
+ 		# this regex is a hack, since it assumes there is a
+ 		# _t at the end of the domain type.  If there is no _t
+@@ -164,15 +142,6 @@
+ 	allow $1 initrc_t:fifo_file rw_file_perms;
+ 	allow $1 initrc_t:process sigchld;
+ 
+-	ifdef(`hide_broken_symptoms',`
+-		# Red Hat systems seem to have a stray
+-		# fds open from the initrd
+-		ifdef(`distro_redhat',`
+-			kernel_dontaudit_use_fd($1)
+-			storage_dontaudit_read_fixed_disk($1)
+-			files_dontaudit_read_root_file($1)
+-		')
+-	')
+ ')
+ 
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.0.10/policy/modules/system/locallogin.te
+--- nsaserefpolicy/policy/modules/system/locallogin.te	2005-11-25 08:11:12.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/system/locallogin.te	2005-12-06 11:47:34.000000000 -0500
+@@ -168,13 +168,6 @@
+ # Search for mail spool file.
+ mta_getattr_spool(local_login_t)
+ 
+-# Red Hat systems seem to have a stray
+-# fd open from the initrd
+-ifdef(`distro_redhat',`
+-	kernel_dontaudit_use_fd(local_login_t)
+-	files_dontaudit_read_root_file(local_login_t)
+-')
+-
+ ifdef(`targeted_policy',`
+ 	unconfined_domain_template(local_login_t)
+ 	unconfined_shell_domtrans(local_login_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.0.10/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2005-11-28 10:42:54.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/system/mount.te	2005-12-05 22:38:01.000000000 -0500
-@@ -95,9 +95,7 @@
++++ serefpolicy-2.0.10/policy/modules/system/mount.te	2005-12-06 11:47:52.000000000 -0500
+@@ -26,7 +26,6 @@
+ files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
+ 
+ kernel_read_system_state(mount_t)
+-kernel_dontaudit_use_fd(mount_t)
+ 
+ corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
+@@ -95,9 +94,7 @@
  
  optional_policy(`portmap',`
  	# for nfs
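Review bot: `allow cupsd_config_t cupsd_log_t:file rw_file_perms;` in the cups.te part of this hunk grants write, and so truncation and overwrite, on the CUPS log type, which is broader than a process that only records log entries needs and weakens log integrity; if cupsd_config_t merely appends, `allow cupsd_config_t cupsd_log_t:file { getattr append };` is the narrower rule, and whichever set is kept deserves a one-line comment naming the operation that needs it. The sasl.te line `allow saslauthd_t self:capability setuid;` likewise carries no comment saying which code path needs the capability, which refpolicy typically documents next to capability grants. The nis.if change makes `nis_signal_ypbind` also read ypbind_var_run_t files, so the interface's doc header (presumably just above the hunk, outside this view) should mention the extra permission, or the read belongs in a separately named interface. The remaining deletions only drop hide_broken_symptoms dontaudit rules, which makes the stray-fd denials visible in the audit log rather than changing what is permitted.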
@@ -85,9 +254,9 @@
  	corenet_tcp_sendrecv_all_if(mount_t)
  	corenet_raw_sendrecv_all_if(mount_t)
  	corenet_udp_sendrecv_all_if(mount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.0.9/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.0.10/Rules.modular
 --- nsaserefpolicy/Rules.modular	2005-11-23 10:06:37.000000000 -0500
-+++ serefpolicy-2.0.9/Rules.modular	2005-12-05 23:10:27.000000000 -0500
++++ serefpolicy-2.0.10/Rules.modular	2005-12-06 11:40:43.000000000 -0500
 @@ -41,6 +41,8 @@
  
  install: $(INSTPKG) $(APPFILES)
@@ -109,9 +278,9 @@
  tmp/base.mod: base.conf
  	@echo "Compiling $(NAME) base module"
  	$(QUIET) $(CHECKMODULE) $^ -o $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-2.0.9/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic	2005-11-28 10:42:52.000000000 -0500
-+++ serefpolicy-2.0.9/Rules.monolithic	2005-12-05 23:11:15.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-2.0.10/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic	2005-12-06 11:36:00.000000000 -0500
++++ serefpolicy-2.0.10/Rules.monolithic	2005-12-06 11:40:43.000000000 -0500
 @@ -14,6 +14,11 @@
  
  APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
@@ -124,3 +293,12 @@
  # for monolithic policy use all base and module to create policy
  ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
  
+@@ -22,7 +27,7 @@
+ ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
+ 
+ PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+-POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
++POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
+ 
+ POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+ 
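Review bot: `POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints` hard-codes the user file list in Rules.monolithic where the removed line went through `$(USER_FILES)`; if `USER_FILES` is still defined in the `@@ -14,6 +14,11 @@` hunk (whose body is outside this view) or used by Rules.modular, the monolithic and modular builds can now drift. Keeping the indirection, e.g. `USER_FILES := $(POLDIR)/systemuser $(POLDIR)/users` beside the other path variables and leaving this line as `POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints`, keeps that list in one place. If the variable was dropped upstream on purpose, a short comment stating that the monolithic build intentionally lists both user files would make the choice clear.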


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- selinux-policy.spec	6 Dec 2005 04:12:01 -0000	1.29
+++ selinux-policy.spec	6 Dec 2005 17:42:25 -0000	1.30
@@ -8,7 +8,7 @@
 %define CHECKPOLICYVER 1.27.17-7
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 2.0.9
+Version: 2.0.10
 Release: 1
 License: GPL
 Group: System Environment/Base



