rpms/selinux-policy/devel policy-20051114.patch, 1.20, 1.21 selinux-policy.spec, 1.29, 1.30
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Dec 6 17:42:29 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv29610
Modified Files:
policy-20051114.patch selinux-policy.spec
Log Message:
* Fri Dec 2 2005 Dan Walsh <dwalsh at redhat.com> 2.0.9-1.
Update from upstream
policy-20051114.patch:
Makefile | 7 +------
Rules.modular | 7 +++++++
Rules.monolithic | 7 ++++++-
policy/modules/admin/su.if | 3 +++
policy/modules/services/canna.te | 1 -
policy/modules/services/cups.te | 1 +
policy/modules/services/dbus.te | 2 +-
policy/modules/services/ftp.te | 3 +++
policy/modules/services/mta.te | 9 ---------
policy/modules/services/nis.if | 2 ++
policy/modules/services/sasl.te | 4 +++-
policy/modules/services/spamassassin.te | 1 +
policy/modules/system/hostname.te | 1 -
policy/modules/system/init.if | 31 -------------------------------
policy/modules/system/locallogin.te | 7 -------
policy/modules/system/mount.te | 5 +----
16 files changed, 29 insertions(+), 62 deletions(-)
Index: policy-20051114.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051114.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20051114.patch 6 Dec 2005 04:12:01 -0000 1.20
+++ policy-20051114.patch 6 Dec 2005 17:42:25 -0000 1.21
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.0.9/Makefile
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.0.10/Makefile
--- nsaserefpolicy/Makefile 2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.0.9/Makefile 2005-12-05 23:07:35.000000000 -0500
++++ serefpolicy-2.0.10/Makefile 2005-12-06 11:40:43.000000000 -0500
@@ -92,7 +92,7 @@
# enable MLS if requested.
@@ -22,59 +22,228 @@
$(APPDIR)/default_type: $(APPCONF)/default_type
@mkdir -p $(APPDIR)
$(QUIET) install -m 644 $< $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.0.9/policy/modules/admin/rpm.te
---- nsaserefpolicy/policy/modules/admin/rpm.te 2005-11-28 10:42:52.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/admin/rpm.te 2005-12-05 22:38:01.000000000 -0500
-@@ -201,9 +201,6 @@
- ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.0.10/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if 2005-11-29 18:36:30.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/admin/su.if 2005-12-06 11:40:43.000000000 -0500
+@@ -50,6 +50,9 @@
+ selinux_compute_relabel_context($1_su_t)
+ selinux_compute_user_contexts($1_su_t)
- ifdef(`TODO',`
--# cjp: this seems way out of place
--role sysadm_r types initrc_t;
--
- # read/write/create any files in the system
- dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
- allow rpm_t ttyfile:chr_file unlink;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.0.9/policy/modules/services/dbus.te
---- nsaserefpolicy/policy/modules/services/dbus.te 2005-11-28 10:42:53.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/services/dbus.te 2005-12-05 22:38:01.000000000 -0500
-@@ -30,7 +30,7 @@
++ files_dontaudit_getattr_tmp_dir($1_su_t)
++ files_dontaudit_read_etc_runtime_files($1_su_t)
++
+ auth_domtrans_chk_passwd($1_su_t)
+ auth_dontaudit_read_shadow($1_su_t)
+ auth_use_nsswitch($1_su_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/canna.te serefpolicy-2.0.10/policy/modules/services/canna.te
+--- nsaserefpolicy/policy/modules/services/canna.te 2005-12-02 17:53:26.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/canna.te 2005-12-06 11:46:51.000000000 -0500
+@@ -47,7 +47,6 @@
+
+ kernel_read_kernel_sysctl(canna_t)
+ kernel_read_system_state(canna_t)
+-kernel_dontaudit_use_fd(canna_t)
+
+ corenet_tcp_sendrecv_all_if(canna_t)
+ corenet_raw_sendrecv_all_if(canna_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.0.10/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2005-12-02 17:53:53.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/cups.te 2005-12-06 11:40:43.000000000 -0500
+@@ -468,6 +468,7 @@
+ # Cups configuration daemon local policy
+ #
- # dac_override: /var/run/dbus is owned by messagebus on Debian
++allow cupsd_config_t cupsd_log_t:file rw_file_perms;
+ allow cupsd_config_t self:capability { chown sys_tty_config };
+ dontaudit cupsd_config_t self:capability sys_tty_config;
+ allow cupsd_config_t self:process signal_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.0.10/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te 2005-12-06 11:36:01.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/dbus.te 2005-12-06 11:40:43.000000000 -0500
+@@ -32,7 +32,7 @@
# cjp: dac_override should probably go in a distro_debian
--allow system_dbusd_t self:capability { dac_override setgid setuid };
-+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+ allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
dontaudit system_dbusd_t self:capability sys_tty_config;
- allow system_dbusd_t self:process { getattr signal_perms };
+-allow system_dbusd_t self:process { getattr signal_perms };
++allow system_dbusd_t self:process { getattr signal_perms setcap };
allow system_dbusd_t self:fifo_file { read write };
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.0.9/policy/modules/system/authlogin.te
---- nsaserefpolicy/policy/modules/system/authlogin.te 2005-11-28 10:42:53.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/system/authlogin.te 2005-12-05 22:38:01.000000000 -0500
-@@ -278,6 +278,7 @@
- fs_dontaudit_getattr_xattr_fs(system_chkpwd_t)
-
- term_dontaudit_use_unallocated_tty(system_chkpwd_t)
-+term_dontaudit_use_generic_pty(system_chkpwd_t)
-
- corecmd_search_sbin(system_chkpwd_t)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.0.9/policy/modules/system/logging.te
---- nsaserefpolicy/policy/modules/system/logging.te 2005-11-28 10:42:54.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/system/logging.te 2005-12-05 22:38:01.000000000 -0500
-@@ -69,7 +69,9 @@
- allow auditctl_t auditd_etc_t:file r_file_perms;
+ allow system_dbusd_t self:dbus { send_msg acquire_svc };
+ allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.0.10/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2005-11-28 10:42:53.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/ftp.te 2005-12-06 11:40:43.000000000 -0500
+@@ -104,6 +104,9 @@
+
+ domain_use_wide_inherit_fd(ftpd_t)
+
++files_search_var_lib_dir(ftpd_t)
++auth_use_nsswitch(ftpd_t)
++
+ files_search_etc(ftpd_t)
+ files_read_etc_files(ftpd_t)
+ files_read_etc_runtime_files(ftpd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.0.10/policy/modules/services/mta.te
+--- nsaserefpolicy/policy/modules/services/mta.te 2005-12-05 22:35:03.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/mta.te 2005-12-06 11:41:43.000000000 -0500
+@@ -57,15 +57,6 @@
+
+ userdom_use_sysadm_terms(system_mail_t)
+
+-ifdef(`hide_broken_symptoms',`
+- # Red Hat systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_redhat',`
+- kernel_dontaudit_use_fd(system_mail_t)
+- storage_dontaudit_read_fixed_disk(system_mail_t)
+- ')
+-')
+-
+ ifdef(`targeted_policy',`
+ typealias system_mail_t alias sysadm_mail_t;
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.0.10/policy/modules/services/nis.if
+--- nsaserefpolicy/policy/modules/services/nis.if 2005-12-06 11:36:01.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/nis.if 2005-12-06 12:25:49.000000000 -0500
+@@ -148,8 +148,10 @@
+ interface(`nis_signal_ypbind',`
+ gen_require(`
+ type ypbind_t;
++ type ypbind_var_run_t;
+ ')
- kernel_read_kernel_sysctl(auditctl_t)
-+kernel_read_proc_symlinks(auditctl_t)
++ allow $1 ypbind_var_run_t:file read;
+ allow $1 ypbind_t:process signal;
+ ')
-+domain_read_all_domains_state(auditctl_t)
- domain_use_wide_inherit_fd(auditctl_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.0.10/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te 2005-11-29 18:36:31.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/sasl.te 2005-12-06 11:40:43.000000000 -0500
+@@ -18,6 +18,7 @@
+ # Local policy
+ #
- init_use_script_pty(auditctl_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.0.9/policy/modules/system/mount.te
++allow saslauthd_t self:capability setuid;
+ dontaudit saslauthd_t self:capability sys_tty_config;
+ allow saslauthd_t self:process signal_perms;
+ allow saslauthd_t self:fifo_file { read write };
+@@ -55,9 +56,10 @@
+ domain_use_wide_inherit_fd(saslauthd_t)
+
+ files_read_etc_files(saslauthd_t)
+-files_read_etc_runtime_files(saslauthd_t)
++files_dontaudit_read_etc_runtime_files(saslauthd_t)
+ files_search_var_lib(saslauthd_t)
+ files_dontaudit_getattr_home_dir(saslauthd_t)
++files_dontaudit_getattr_tmp_dir(saslauthd_t)
+
+ init_use_fd(saslauthd_t)
+ init_use_script_pty(saslauthd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.0.10/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te 2005-12-02 17:53:26.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/services/spamassassin.te 2005-12-06 11:40:43.000000000 -0500
+@@ -72,6 +72,7 @@
+ corenet_tcp_bind_all_nodes(spamd_t)
+ corenet_udp_bind_all_nodes(spamd_t)
+ corenet_tcp_bind_spamd_port(spamd_t)
++corenet_udp_bind_generic_port(spamd_t)
+
+ dev_read_sysfs(spamd_t)
+ dev_read_urand(spamd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.0.10/policy/modules/system/hostname.te
+--- nsaserefpolicy/policy/modules/system/hostname.te 2005-11-25 08:11:12.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/system/hostname.te 2005-12-06 11:48:09.000000000 -0500
+@@ -22,7 +22,6 @@
+ allow hostname_t self:unix_stream_socket create_stream_socket_perms;
+ dontaudit hostname_t self:capability sys_tty_config;
+
+-kernel_dontaudit_use_fd(hostname_t)
+ kernel_list_proc(hostname_t)
+ kernel_read_proc_symlinks(hostname_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.0.10/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2005-12-05 22:35:03.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/system/init.if 2005-12-06 11:43:22.000000000 -0500
+@@ -31,18 +31,6 @@
+ allow init_t $1:fd use;
+ allow $1 init_t:fifo_file rw_file_perms;
+ allow $1 init_t:process sigchld;
+-
+- # Red Hat systems seem to have stray
+- # fds open from the initrd
+- ifdef(`hide_broken_symptoms',`
+- # Red Hat systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_redhat',`
+- kernel_dontaudit_use_fd($1)
+- storage_dontaudit_read_fixed_disk($1)
+- files_dontaudit_read_root_file($1)
+- ')
+- ')
+ ')
+
+ ########################################
+@@ -82,16 +70,6 @@
+ typeattribute $2 direct_init_entry;
+ ')
+
+- ifdef(`hide_broken_symptoms',`
+- # Red Hat systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_redhat',`
+- kernel_dontaudit_use_fd($1)
+- storage_dontaudit_read_fixed_disk($1)
+- files_dontaudit_read_root_file($1)
+- ')
+- ')
+-
+ ifdef(`targeted_policy',`
+ # this regex is a hack, since it assumes there is a
+ # _t at the end of the domain type. If there is no _t
+@@ -164,15 +142,6 @@
+ allow $1 initrc_t:fifo_file rw_file_perms;
+ allow $1 initrc_t:process sigchld;
+
+- ifdef(`hide_broken_symptoms',`
+- # Red Hat systems seem to have a stray
+- # fds open from the initrd
+- ifdef(`distro_redhat',`
+- kernel_dontaudit_use_fd($1)
+- storage_dontaudit_read_fixed_disk($1)
+- files_dontaudit_read_root_file($1)
+- ')
+- ')
+ ')
+
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.0.10/policy/modules/system/locallogin.te
+--- nsaserefpolicy/policy/modules/system/locallogin.te 2005-11-25 08:11:12.000000000 -0500
++++ serefpolicy-2.0.10/policy/modules/system/locallogin.te 2005-12-06 11:47:34.000000000 -0500
+@@ -168,13 +168,6 @@
+ # Search for mail spool file.
+ mta_getattr_spool(local_login_t)
+
+-# Red Hat systems seem to have a stray
+-# fd open from the initrd
+-ifdef(`distro_redhat',`
+- kernel_dontaudit_use_fd(local_login_t)
+- files_dontaudit_read_root_file(local_login_t)
+-')
+-
+ ifdef(`targeted_policy',`
+ unconfined_domain_template(local_login_t)
+ unconfined_shell_domtrans(local_login_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.0.10/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2005-11-28 10:42:54.000000000 -0500
-+++ serefpolicy-2.0.9/policy/modules/system/mount.te 2005-12-05 22:38:01.000000000 -0500
-@@ -95,9 +95,7 @@
++++ serefpolicy-2.0.10/policy/modules/system/mount.te 2005-12-06 11:47:52.000000000 -0500
+@@ -26,7 +26,6 @@
+ files_create_tmp_files(mount_t,mount_tmp_t,{ file dir })
+
+ kernel_read_system_state(mount_t)
+-kernel_dontaudit_use_fd(mount_t)
+
+ corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
+@@ -95,9 +94,7 @@
optional_policy(`portmap',`
# for nfs
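Review bot: The new cups.te line `allow cupsd_config_t cupsd_log_t:file rw_file_perms;` grants write, and therefore overwrite/truncate, on the CUPS log type, where a daemon that only emits log records needs read plus append; if cupsd_config_t does not rewrite logs, the read/append set `allow cupsd_config_t cupsd_log_t:file ra_file_perms;` keeps existing log content tamper-resistant from that domain. In the same hunk, `allow saslauthd_t self:capability setuid;` is added with no comment saying why saslauthd needs to change uid, which makes the grant hard to audit later; a one-line `# needed to switch uid after authentication (confirm)` style note, stating the actual reason, would help. The `nis_signal_ypbind` interface now also carries `allow $1 ypbind_var_run_t:file read;`, so its summary header (above line 148 of nis.if, outside this hunk) should presumably state that callers read ypbind's /var/run files as well as signal the daemon.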
@@ -85,9 +254,9 @@
corenet_tcp_sendrecv_all_if(mount_t)
corenet_raw_sendrecv_all_if(mount_t)
corenet_udp_sendrecv_all_if(mount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.0.9/Rules.modular
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.0.10/Rules.modular
--- nsaserefpolicy/Rules.modular 2005-11-23 10:06:37.000000000 -0500
-+++ serefpolicy-2.0.9/Rules.modular 2005-12-05 23:10:27.000000000 -0500
++++ serefpolicy-2.0.10/Rules.modular 2005-12-06 11:40:43.000000000 -0500
@@ -41,6 +41,8 @@
install: $(INSTPKG) $(APPFILES)
@@ -109,9 +278,9 @@
tmp/base.mod: base.conf
@echo "Compiling $(NAME) base module"
$(QUIET) $(CHECKMODULE) $^ -o $@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-2.0.9/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic 2005-11-28 10:42:52.000000000 -0500
-+++ serefpolicy-2.0.9/Rules.monolithic 2005-12-05 23:11:15.000000000 -0500
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-2.0.10/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic 2005-12-06 11:36:00.000000000 -0500
++++ serefpolicy-2.0.10/Rules.monolithic 2005-12-06 11:40:43.000000000 -0500
@@ -14,6 +14,11 @@
APPFILES += $(APPDIR)/customizable_types $(INSTALLDIR)/booleans
@@ -124,3 +293,12 @@
# for monolithic policy use all base and module to create policy
ALL_MODULES := $(strip $(BASE_MODS) $(MOD_MODS))
+@@ -22,7 +27,7 @@
+ ALL_FC_FILES := $(ALL_MODULES:.te=.fc)
+
+ PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
+-POST_TE_FILES := $(USER_FILES) $(POLDIR)/constraints
++POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints
+
+ POLICY_SECTIONS := tmp/pre_te_files.conf tmp/generated_definitions.conf tmp/all_interfaces.conf tmp/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) tmp/only_te_rules.conf tmp/all_post.conf
+
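Review bot: The new assignment `POST_TE_FILES := $(POLDIR)/systemuser $(POLDIR)/users $(POLDIR)/constraints` replaces `$(USER_FILES)` with a literal path list; if USER_FILES is still defined in the top-level Makefile (which this patch also modifies, outside this hunk) and used by Rules.modular, the monolithic and modular builds can now drift apart silently. A short comment above the line, such as `# user files listed explicitly: systemuser must precede users in the monolithic policy`, or redefining USER_FILES once in the Makefile instead of inlining it here, would make the intent clear. The surrounding Rules.monolithic definitions continue outside the hunk.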
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- selinux-policy.spec 6 Dec 2005 04:12:01 -0000 1.29
+++ selinux-policy.spec 6 Dec 2005 17:42:25 -0000 1.30
@@ -8,7 +8,7 @@
%define CHECKPOLICYVER 1.27.17-7
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.0.9
+Version: 2.0.10
Release: 1
License: GPL
Group: System Environment/Base