rpms/selinux-policy/devel modules-mls.conf, 1.3, 1.4 policy-20051208.patch, 1.17, 1.18 selinux-policy.spec, 1.54, 1.55

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Dec 16 18:36:03 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8778

Modified Files:
	modules-mls.conf policy-20051208.patch selinux-policy.spec 
Log Message:
* Fri Dec 16 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-7
- Update mls file from old version



Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- modules-mls.conf	15 Dec 2005 23:19:08 -0000	1.3
+++ modules-mls.conf	16 Dec 2005 18:36:00 -0000	1.4
@@ -779,7 +779,7 @@
 #
 # Policy for changing the system host name.
 # 
-hostname = base
+hostname = off
 
 # Layer: system
 # Module: getty
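Review bot: `hostname = off` removes the hostname module from the MLS build, but the comment block above it is unchanged and the log message ("Update mls file from old version") does not say whether this is intended or a side effect of restoring an older file. With the module off there would presumably be no dedicated hostname domain under MLS, so the binary would run in its caller's domain with the caller's privileges; that is worth confirming against the modules that stay enabled. If the change is deliberate, a line such as `# Disabled in the MLS build: <reason>` above the setting would record it. The hunk ends inside the next module's comment block.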

policy-20051208.patch:
 Makefile                                   |    2 
 config/appconfig-strict-mcs/default_type   |    6 
 config/appconfig-strict-mls/default_type   |    6 
 config/appconfig-targeted-mcs/default_type |    2 
 config/appconfig-targeted-mls/default_type |    2 
 policy/global_tunables                     |    3 
 policy/mcs                                 |  321 ++++---------------------
 policy/mls                                 |  372 ++++++-----------------------
 policy/modules/admin/kudzu.te              |    2 
 policy/modules/admin/logrotate.te          |    4 
 policy/modules/admin/rpm.fc                |    1 
 policy/modules/admin/rpm.te                |    7 
 policy/modules/admin/tmpreaper.te          |    3 
 policy/modules/apps/java.fc                |    4 
 policy/modules/apps/java.if                |   23 +
 policy/modules/apps/java.te                |   24 +
 policy/modules/apps/webalizer.te           |    1 
 policy/modules/kernel/corenetwork.te.in    |    2 
 policy/modules/kernel/devices.fc           |    9 
 policy/modules/kernel/files.fc             |   27 +-
 policy/modules/kernel/kernel.te            |   24 -
 policy/modules/kernel/mls.te               |    9 
 policy/modules/kernel/selinux.te           |    2 
 policy/modules/kernel/storage.fc           |   44 +--
 policy/modules/services/automount.te       |    9 
 policy/modules/services/cvs.fc             |    2 
 policy/modules/services/cvs.te             |    6 
 policy/modules/services/remotelogin.te     |    1 
 policy/modules/services/sasl.te            |    8 
 policy/modules/services/ssh.te             |   10 
 policy/modules/system/authlogin.if         |   12 
 policy/modules/system/authlogin.te         |    1 
 policy/modules/system/getty.te             |    3 
 policy/modules/system/init.te              |    1 
 policy/modules/system/iptables.te          |    2 
 policy/modules/system/libraries.fc         |   17 +
 policy/modules/system/locallogin.te        |    1 
 policy/modules/system/logging.fc           |    7 
 policy/modules/system/logging.te           |    5 
 policy/modules/system/selinuxutil.fc       |    6 
 policy/modules/system/udev.fc              |    1 
 policy/modules/system/udev.te              |    3 
 policy/modules/system/unconfined.te        |    5 
 policy/modules/system/userdomain.fc        |    2 
 policy/users                               |    8 
 45 files changed, 377 insertions(+), 633 deletions(-)

Index: policy-20051208.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051208.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20051208.patch	16 Dec 2005 15:56:59 -0000	1.17
+++ policy-20051208.patch	16 Dec 2005 18:36:00 -0000	1.18
@@ -388,7 +388,7 @@
  # Each MCS level specifies a sensitivity and zero or more categories which may
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.1.6/policy/mls
 --- nsaserefpolicy/policy/mls	2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/mls	2005-12-16 10:28:32.000000000 -0500
++++ serefpolicy-2.1.6/policy/mls	2005-12-16 13:06:24.000000000 -0500
 @@ -1,4 +1,3 @@
 -
  ifdef(`enable_mls',`
@@ -726,25 +726,16 @@
  	( l2 eq h2 );
  
 -# new file labels must be dominated by the relabeling subject clearance
-+# new file labels must be dominated by the relabeling subject's clearance
++# new file labels must be dominated by the relabeling subjects clearance
  mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto
  	( h1 dom h2 );
  
-@@ -413,7 +220,7 @@
- 
- # create can also require the upgrade/downgrade checks if the creating process
- # has used setfscreate (note that both the high and low level of the object
--# default to the process sensitivity level)
-+# default to the process' sensitivity level)
- mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } create
- 	((( l1 eq l2 ) or
- 	  (( t1 == mlsfileupgrade ) and ( l1 domby l2 )) or
 @@ -431,7 +238,7 @@
  # MLS policy for the filesystem class
  #
  
 -# new filesystem labels must be dominated by the relabeling subject clearance
-+# new filesystem labels must be dominated by the relabeling subject's clearance
++# new filesystem labels must be dominated by the relabeling subjects clearance
  mlsconstrain filesystem relabelto
  	( h1 dom h2 );
  
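Review bot: The replacement comment `# new file labels must be dominated by the relabeling subjects clearance` differs from the upstream line only in wording, so the patch still carries comment-only deltas against nsaserefpolicy/policy/mls. This applies to the file and filesystem relabelto comments here and to the socket and process comments in the two hunks that follow. Dropping those -/+ pairs and keeping upstream's `subject clearance` would shrink the patch and make the actual constraint changes easier to audit. The first hunk shows the file body sitting inside a quoted m4 ifdef on enable_mls, so presumably the apostrophe was removed because it would close that quote. If the rewording is kept, a one-line comment near the top of policy/mls saying that apostrophes must not appear inside the quoted block would stop a later edit from reintroducing one.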
@@ -753,7 +744,7 @@
  #
  
 -# new socket labels must be dominated by the relabeling subject clearance
-+# new socket labels must be dominated by the relabeling subject's clearance
++# new socket labels must be dominated by the relabeling subjects clearance
  mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
  	( h1 dom h2 );
  
@@ -762,7 +753,7 @@
  #
  
 -# new process labels must be dominated by the relabeling subject clearance
-+# new process labels must be dominated by the relabeling subject's clearance
++# new process labels must be dominated by the relabeling subjects clearance
  # and sensitivity level changes require privilege
  mlsconstrain process transition
  	(( h1 dom h2 ) and
@@ -1065,7 +1056,7 @@
  /dev/s(ou)?nd/.*	-c	gen_context(system_u:object_r:sound_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.1.6/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2005-12-01 17:57:16.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/files.fc	2005-12-16 10:52:50.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/files.fc	2005-12-16 13:31:57.000000000 -0500
 @@ -24,7 +24,7 @@
  # /boot
  #
@@ -1142,7 +1133,7 @@
  /var/lost\+found/.*		<<none>>
  
 -/var/run(/.*)?			gen_context(system_u:object_r:var_run_t,s0)
-+/var/run		-d	gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255))
++/var/run		-d	gen_context(system_u:object_r:var_run_t,s0-s15:c0.c255)
 +/var/run/.*			gen_context(system_u:object_r:var_run_t,s0)
  /var/run/.*\.*pid		<<none>>
  
@@ -1157,7 +1148,7 @@
  /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.1.6/policy/modules/kernel/kernel.te
 --- nsaserefpolicy/policy/modules/kernel/kernel.te	2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te	2005-12-16 09:32:12.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te	2005-12-16 12:48:11.000000000 -0500
 @@ -38,7 +38,7 @@
  domain_base_type(kernel_t)
  mls_rangetrans_source(kernel_t)
@@ -1183,45 +1174,7 @@
  
  type proc_mdstat_t, proc_type;
  genfscon proc /mdstat gen_context(system_u:object_r:proc_mdstat_t,s0)
-@@ -96,11 +96,11 @@
- # /proc/sys/fs directory and files
- type sysctl_fs_t, sysctl_type;
- files_mountpoint(sysctl_fs_t)
--genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s0)
-+genfscon proc /sys/fs gen_context(system_u:object_r:sysctl_fs_t,s15:c0.c255)
- 
- # /proc/sys/kernel directory and files
- type sysctl_kernel_t, sysctl_type;
--genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s0)
-+genfscon proc /sys/kernel gen_context(system_u:object_r:sysctl_kernel_t,s15:c0.c255)
- 
- # /proc/sys/kernel/modprobe file
- type sysctl_modprobe_t, sysctl_type;
-@@ -112,19 +112,19 @@
- 
- # /proc/sys/net directory and files
- type sysctl_net_t, sysctl_type;
--genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s0)
-+genfscon proc /sys/net gen_context(system_u:object_r:sysctl_net_t,s15:c0.c255)
- 
- # /proc/sys/net/unix directory and files
- type sysctl_net_unix_t, sysctl_type;
--genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s0)
-+genfscon proc /sys/net/unix gen_context(system_u:object_r:sysctl_net_unix_t,s15:c0.c255)
- 
- # /proc/sys/vm directory and files
- type sysctl_vm_t, sysctl_type;
--genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s0)
-+genfscon proc /sys/vm gen_context(system_u:object_r:sysctl_vm_t,s15:c0.c255)
- 
- # /proc/sys/dev directory and files
- type sysctl_dev_t, sysctl_type;
--genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s0)
-+genfscon proc /sys/dev gen_context(system_u:object_r:sysctl_dev_t,s15:c0.c255)
- 
- #
- # unlabeled_t is the type of unlabeled objects.
-@@ -132,26 +132,26 @@
+@@ -132,18 +132,18 @@
  # have labels that are no longer valid are treated as having this type.
  #
  type unlabeled_t;
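Review bot: The log message and changelog say only "Update mls file from old version", but this hunk also drops the kernel.te changes that moved the /proc/sys genfscon entries (sysctl_fs_t, sysctl_kernel_t, sysctl_net_t, sysctl_net_unix_t, sysctl_vm_t, sysctl_dev_t) to s15:c0.c255. The next hunk does the same for `sid sysctl_fs`, `sid sysctl_kernel`, `sid sysctl_vm` and `sid sysctl_dev`, and the selinuxutil.fc hunk for `file_context_t`. After this revision those objects stay at s0 while `sid policy`, `sid scmp_packet` and `sid tcp_socket` remain at s15:c0.c255, so the sensitivity of the sysctl tree relative to the other initial SIDs changes in an MLS build. I would record that in the changelog, e.g. `- Back out s15:c0.c255 labels on /proc/sys and contexts/files`, and, if the split is intentional, add a comment in kernel.te saying why sysctl stays at s0.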
@@ -1246,17 +1199,13 @@
 +sid policy		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 +sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
  sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
--sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s0)
--sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s0)
-+sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-+sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
- sid sysctl_net		gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_fs		gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_kernel	gen_context(system_u:object_r:unlabeled_t,s0)
+@@ -151,7 +151,7 @@
  sid sysctl_net_unix	gen_context(system_u:object_r:unlabeled_t,s0)
--sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s0)
--sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s0)
+ sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s0)
 -sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,s0)
-+sid sysctl_vm		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
-+sid sysctl_dev		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
 +sid tcp_socket		gen_context(system_u:object_r:unlabeled_t,s15:c0.c255)
  
  ########################################
@@ -1559,6 +1508,17 @@
  dev_read_sysfs(getty_t)
  
  fs_search_auto_mountpoints(getty_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.6/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te	2005-12-12 15:35:53.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/init.te	2005-12-16 11:29:46.000000000 -0500
+@@ -369,6 +369,7 @@
+ mls_file_write_down(initrc_t)
+ mls_process_read_up(initrc_t)
+ mls_process_write_down(initrc_t)
++mls_rangetrans_source(initrc_t)
+ 
+ modutils_read_module_conf(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.1.6/policy/modules/system/iptables.te
 --- nsaserefpolicy/policy/modules/system/iptables.te	2005-12-09 23:35:07.000000000 -0500
 +++ serefpolicy-2.1.6/policy/modules/system/iptables.te	2005-12-16 09:28:14.000000000 -0500
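Review bot: `mls_rangetrans_source(initrc_t)` adds the range-transition source privilege to initrc_t on top of the mls_file_write_down, mls_process_read_up and mls_process_write_down calls listed just above it, and nothing in this hunk shows the range_transition rule that needs it. Because this widens what the init-script domain may do under MLS, I would put a comment on the line naming the transition it serves, e.g. `# needed for range_transition initrc_t <target_exec_t> <range>` with the real target filled in. The addition should also be mentioned in the changelog, which currently says only "Update mls file from old version". The init.te section continues outside the lines shown here.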
@@ -1669,13 +1629,10 @@
  optional_policy(`udev',`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc	2005-12-16 09:28:14.000000000 -0500
-@@ -7,11 +7,11 @@
- 
- /etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
++++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc	2005-12-16 13:03:05.000000000 -0500
+@@ -9,9 +9,9 @@
  
--/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-+/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s15:c0.c255)
+ /etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
  
 -/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,s0)
 -


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.54
retrieving revision 1.55
diff -u -r1.54 -r1.55
--- selinux-policy.spec	16 Dec 2005 15:30:02 -0000	1.54
+++ selinux-policy.spec	16 Dec 2005 18:36:00 -0000	1.55
@@ -7,7 +7,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.1.6
-Release: 6
+Release: 7
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -243,7 +243,7 @@
 
 
 %changelog
-* Fri Dec 16 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-6
+* Fri Dec 16 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-7
 - Update mls file from old version
 
 * Thu Dec 15 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-5



