rpms/selinux-policy-strict/devel policy-20050706.patch, NONE, 1.1 .cvsignore, 1.116, 1.117 selinux-policy-strict.spec, 1.342, 1.343 sources, 1.122, 1.123

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Jul 6 21:38:31 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv25344

Modified Files:
	.cvsignore selinux-policy-strict.spec sources 
Added Files:
	policy-20050706.patch 
Log Message:
* Wed Jul 6 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-1
- Update to NSA
- Fix strict policy audit_write so you can log in


policy-20050706.patch:
 domains/program/getty.te             |    7 +++++++
 domains/program/netutils.te          |    2 ++
 domains/program/passwd.te            |    5 +++++
 domains/program/unused/apache.te     |    1 +
 domains/program/unused/apmd.te       |    4 ++--
 domains/program/unused/bluetooth.te  |    3 ++-
 domains/program/unused/ciped.te      |    3 +--
 domains/program/unused/cups.te       |    6 ++++--
 domains/program/unused/cyrus.te      |    5 +----
 domains/program/unused/dhcpc.te      |    1 +
 domains/program/unused/dovecot.te    |    1 +
 domains/program/unused/hald.te       |    3 ++-
 domains/program/unused/hotplug.te    |    4 +++-
 domains/program/unused/nscd.te       |    1 +
 domains/program/unused/prelink.te    |    3 ---
 domains/program/unused/radvd.te      |    3 ++-
 domains/program/unused/rpcd.te       |    6 +++++-
 domains/program/unused/squid.te      |    3 +++
 domains/program/unused/winbind.te    |   10 ++++++++++
 file_contexts/program/cups.fc        |    2 ++
 file_contexts/program/winbind.fc     |    1 +
 file_contexts/types.fc               |   14 +++++++-------
 macros/admin_macros.te               |    3 ---
 macros/base_user_macros.te           |    4 +---
 macros/global_macros.te              |    1 +
 macros/program/apache_macros.te      |    1 +
 macros/program/chkpwd_macros.te      |    2 ++
 macros/program/dbusd_macros.te       |    2 +-
 macros/program/evolution_macros.te   |    6 ------
 macros/program/games_domain.te       |    3 ---
 macros/program/java_macros.te        |    2 --
 macros/program/mail_client_macros.te |   10 ++++++++--
 macros/program/mozilla_macros.te     |    2 --
 macros/program/mplayer_macros.te     |    2 +-
 macros/program/xserver_macros.te     |    4 ----
 net_contexts                         |    2 ++
 targeted/domains/unconfined.te       |    5 +++++
 tunables/distro.tun                  |    2 +-
 tunables/tunable.tun                 |    4 ++--
 types/network.te                     |    1 -
 40 files changed, 88 insertions(+), 56 deletions(-)

--- NEW FILE policy-20050706.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.25.1/domains/program/getty.te
--- nsapolicy/domains/program/getty.te	2005-05-02 14:06:54.000000000 -0400
+++ policy-1.25.1/domains/program/getty.te	2005-07-06 17:29:15.000000000 -0400
@@ -52,3 +52,10 @@
 # for mgetty
 var_run_domain(getty)
 allow getty_t self:capability { fowner fsetid };
+
+#
+# getty needs to be able to run pppd
+#
+ifdef(`pppd.te', `
+domain_auto_trans(getty_t, pppd_exec_t, pppd_t)
+')
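Review bot: The new `domain_auto_trans(getty_t, pppd_exec_t, pppd_t)` is gated only on pppd.te being compiled in, so every getty_t process gains execute on pppd_exec_t and entry into pppd_t even on systems whose getty never handles dial-in PPP. The comment `# getty needs to be able to run pppd` does not say which feature needs it; if this is for mgetty's AutoPPP mode (an inference from the `# for mgetty` rules above), say so, e.g. `# mgetty AutoPPP: hand dial-in PPP sessions off to pppd_t`, and consider a tunable so it can stay off where PPP is unused. What pppd_t itself may do is outside this hunk, so the reach of the transition cannot be judged here.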
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.25.1/domains/program/netutils.te
--- nsapolicy/domains/program/netutils.te	2005-04-27 10:28:49.000000000 -0400
+++ policy-1.25.1/domains/program/netutils.te	2005-07-06 17:29:15.000000000 -0400
@@ -21,7 +21,9 @@
 tmp_domain(netutils)
 
 domain_auto_trans(initrc_t, netutils_exec_t, netutils_t)
+ifdef(`targeted_policy', `', `
 domain_auto_trans(sysadm_t, netutils_exec_t, netutils_t)
+')
 
 # Inherit and use descriptors from init.
 allow netutils_t { userdomain init_t }:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.25.1/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.1/domains/program/passwd.te	2005-07-06 17:29:15.000000000 -0400
@@ -149,3 +149,8 @@
 allow passwd_t userdomain:process getattr;
 
 allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file { read write };
+')
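Review bot: The targeted-only rule `allow sysadm_passwd_t devpts_t:chr_file { read write };` grants read/write on every pty labeled devpts_t rather than on the caller's own terminal, so a compromised sysadm_passwd_t could read or write other users' pseudo-terminals. The targeted policy presumably has no per-user pts type to narrow this to, but the rule should record that: `# targeted: no per-user pts types, so the password prompt needs the generic devpts_t`. If the prompt also turns out to need `getattr`/`ioctl` for echo control, add those from the denial logs rather than pre-emptively widening to rw_file_perms.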
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.25.1/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/apache.te	2005-07-06 17:29:15.000000000 -0400
@@ -114,6 +114,7 @@
 can_kerberos(httpd_t)
 can_resolve(httpd_t)
 can_ypbind(httpd_t)
+can_ldap(httpd_t)
 allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
 
 if (httpd_can_network_connect) {
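Review bot: `can_ldap(httpd_t)` is placed outside the `if (httpd_can_network_connect)` block that opens on the hunk's last line and continues past it, so httpd_t gets a network path to LDAP servers even when the administrator has left that boolean off. If this serves the LDAP auth modules, it should either move inside that block or sit under its own boolean so directory credentials are not reachable from an unrelated exploited vhost; at minimum mark the exception: `# LDAP auth modules; deliberately not covered by httpd_can_network_connect`. The kerberos/ypbind rules above have the same standing but are not part of this change.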
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.25.1/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/apmd.te	2005-07-06 17:29:15.000000000 -0400
@@ -21,7 +21,7 @@
 allow apm_t privfd:fd use;
 allow apm_t admin_tty_type:chr_file rw_file_perms;
 allow apm_t device_t:dir search;
-allow apm_t self:capability sys_admin;
+allow apm_t self:capability { dac_override sys_admin };
 allow apm_t proc_t:dir search;
 allow apm_t proc_t:file { read getattr };
 allow apm_t fs_t:filesystem getattr;
@@ -54,7 +54,7 @@
 allow apmd_t self:process getsession;
 
 # Use capabilities.
-allow apmd_t self:capability { sys_admin sys_nice sys_time };
+allow apmd_t self:capability { sys_admin sys_nice sys_time kill };
 
 # controlling an orderly resume of PCMCIA requires creating device
 # nodes 254,{0,1,2} for some reason.
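Review bot: Adding `dac_override` to apm_t bypasses all discretionary file-permission checks for the apm client, which is a broad grant for what is usually one denied path or socket. The audit record that motivated it should be checked: if apm opens a specific root-owned 0600 file, a type-enforcement rule or relabel for that path is far narrower than dac_override. Likewise `kill` for apmd_t only lifts the DAC check; the matching `:process signal` rule toward the target domain must still exist, so the bare `# Use capabilities.` comment could name which domain apmd is expected to signal.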
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.25.1/domains/program/unused/bluetooth.te
--- nsapolicy/domains/program/unused/bluetooth.te	2005-05-25 11:28:09.000000000 -0400
+++ policy-1.25.1/domains/program/unused/bluetooth.te	2005-07-06 17:29:15.000000000 -0400
@@ -26,7 +26,8 @@
 dbusd_client(system, bluetooth)
 allow bluetooth_t system_dbusd_t:dbus send_msg;
 ')
-allow bluetooth_t self:socket { create setopt ioctl bind listen };
+allow bluetooth_t self:socket create_stream_socket_perms;
+
 allow bluetooth_t self:unix_dgram_socket create_socket_perms;
 allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ciped.te policy-1.25.1/domains/program/unused/ciped.te
--- nsapolicy/domains/program/unused/ciped.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/ciped.te	2005-07-06 17:29:15.000000000 -0400
@@ -5,8 +5,7 @@
 # for SSP
 allow ciped_t urandom_device_t:chr_file read;
 
-# cipe uses the afs3-bos port (udp 7007)
-allow ciped_t afs_bos_port_t:udp_socket name_bind;
+allow ciped_t cipe_port_t:udp_socket name_bind;
 
 can_network_udp(ciped_t)
 can_ypbind(ciped_t)
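Review bot: `allow ciped_t cipe_port_t:udp_socket name_bind;` references a type that the types/network.te hunk at the end of this same patch deletes (`type cipe_port_t, port_type;`), and no `portcon udp 7007` for that type is added in the net_contexts hunk. Unless policy-1.25.1 declares cipe_port_t and its portcon elsewhere, either the policy fails to build or the bind is still denied because 7007 stays labeled afs_bos_port_t. The deleted comment was also the only documentation of the port; keep something like `# cipe listens on udp 7007 (shares the afs3-bos number), labeled cipe_port_t`.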
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.25.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/cups.te	2005-07-06 17:37:14.000000000 -0400
@@ -77,7 +77,7 @@
 allow cupsd_t self:fifo_file rw_file_perms;
 
 # Use capabilities.
-allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config };
+allow cupsd_t self:capability { dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_tty_config audit_write };
 dontaudit cupsd_t self:capability net_admin;
 
 #
@@ -125,7 +125,9 @@
 #
 # lots of errors generated requiring the following
 #
-allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
+allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };
+
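Review bot: `allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`, together with the `audit_write` capability added in the previous hunk, lets cupsd inject its own user-class records into the kernel audit trail, which a compromised cupsd could use to plant misleading entries. That is the usual price of PAM authentication from a daemon, but the block is still labeled `# lots of errors generated requiring the following`; replace it with `# PAM authentication from cupsd writes audit records (audit_write + nlmsg_relay)` so a later reviewer can see it is deliberate. Replacing the explicit route-socket list with `r_netlink_socket_perms` looks like a superset of the old permissions; worth confirming against the macro definition, which is not in this patch.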
 #
 # Satisfy readahead
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.25.1/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/cyrus.te	2005-07-06 17:29:15.000000000 -0400
@@ -26,9 +26,7 @@
 read_locale(cyrus_t)
 read_sysctl(cyrus_t)
 tmp_domain(cyrus)
-ifdef(`use_pop', `
-allow cyrus_t pop_port_t:tcp_socket name_bind;
-')
+allow cyrus_t { mail_port_t pop_port_t }:tcp_socket name_bind;
 allow cyrus_t proc_t:dir search;
 allow cyrus_t proc_t:file { getattr read };
 allow cyrus_t sysadm_devpts_t:chr_file { read write };
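Review bot: Dropping the `ifdef(`use_pop', ...)` guard means cyrus_t can bind pop_port_t on every build, including sites that run cyrus only for IMAP/LMTP and relied on the tunable to keep POP ports closed to it. If the guard was removed because Fedora enables use_pop by default, that is acceptable, but record it: `# pop_port_t bind is unconditional; the use_pop tunable is no longer consulted here`. Folding the mail_port_t bind from the later hunk into this line is a pure move and not an issue.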
@@ -41,6 +39,5 @@
 allow system_crond_t cyrus_var_lib_t:dir rw_dir_perms;
 allow system_crond_t cyrus_var_lib_t:file create_file_perms;
 ')
-allow cyrus_t mail_port_t:tcp_socket name_bind;
 create_dir_file(cyrus_t, mail_spool_t)
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.25.1/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/dhcpc.te	2005-07-06 17:29:15.000000000 -0400
@@ -153,6 +153,7 @@
 domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
 ifdef(`dbusd.te', `
 dbusd_client(system, dhcpc)
+domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)
 allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
 allow dhcpc_t self:dbus send_msg;
 allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
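Review bot: `domain_auto_trans(system_dbusd_t, dhcpc_exec_t, dhcpc_t)` gives the system D-Bus daemon the right to execute dhclient and land in dhcpc_t, which is unusual since dbus-daemon does not normally spawn network clients itself. If the real parent is a D-Bus-activated service, the transition should come from that service's domain instead, or at least the reason should be recorded: `# dbus-daemon launches dhclient directly (service activation?) — verify which service`. The enclosing `ifdef(`dbusd.te', ...)` block continues past the end of the hunk.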
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.25.1/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/dovecot.te	2005-07-06 17:29:15.000000000 -0400
@@ -35,6 +35,7 @@
 allow dovecot_t urandom_device_t:chr_file { getattr read };
 allow dovecot_t cert_t:dir search;
 r_dir_file(dovecot_t, dovecot_cert_t)
+r_dir_file(dovecot_t, cert_t)
 
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
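Review bot: `r_dir_file(dovecot_t, cert_t)` lets dovecot read every file of the generic cert_t type, which typically covers the whole /etc/pki tree and so plausibly includes private keys belonging to other TLS services; the dedicated dovecot_cert_t on the line above exists precisely to avoid that. The better fix is to label dovecot's certificate and key paths dovecot_cert_t in file_contexts rather than widening to the shared type. If the wider read is genuinely needed (for example a shared CA bundle), say so next to the rule: `# CA bundle is generic cert_t; dovecot's own key stays dovecot_cert_t`.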
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.25.1/domains/program/unused/hald.te
--- nsapolicy/domains/program/unused/hald.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.1/domains/program/unused/hald.te	2005-07-06 17:29:15.000000000 -0400
@@ -65,7 +65,8 @@
 r_dir_file(hald_t, hotplug_etc_t)
 ')
 allow hald_t fs_type:dir { search getattr };
-allow hald_t { usbdevfs_t usbfs_t }:file { getattr read };
+allow hald_t usbfs_t:dir r_dir_perms;
+allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
 allow hald_t bin_t:lnk_file read;
 r_dir_file(hald_t, { selinux_config_t default_context_t } )
 allow hald_t initrc_t:dbus send_msg;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.25.1/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/domains/program/unused/hotplug.te	2005-07-06 17:29:15.000000000 -0400
@@ -65,7 +65,7 @@
 allow hotplug_t etc_t:dir r_dir_perms;
 allow hotplug_t etc_t:{ file lnk_file } r_file_perms;
 
-allow hotplug_t kernel_t:process sigchld;
+allow hotplug_t kernel_t:process { sigchld setpgid };
 
 ifdef(`distro_redhat', `
 allow hotplug_t var_lock_t:dir search;
@@ -157,3 +157,5 @@
 ')
 
 allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
+allow hotplug_t self:netlink_route_socket r_netlink_socket_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.25.1/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/nscd.te	2005-07-06 17:29:15.000000000 -0400
@@ -75,3 +75,4 @@
 allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
 log_domain(nscd)
 r_dir_file(nscd_t, cert_t)
+allow nscd_t tun_tap_device_t:chr_file { read write };
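Review bot: `allow nscd_t tun_tap_device_t:chr_file { read write };` gives the name-service cache daemon read/write on the TUN/TAP device, which it has no functional reason to touch. A denial like this usually comes from a descriptor leaked across the exec into nscd (a VPN helper restarting it, for instance), in which case the right fix is a `dontaudit` on the leaked fd or fixing the parent's fd handling, not an `allow`. If there is a real reason it needs a comment; as written a compromised nscd could read or inject frames on an existing tunnel.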
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.25.1/domains/program/unused/prelink.te
--- nsapolicy/domains/program/unused/prelink.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.1/domains/program/unused/prelink.te	2005-07-06 17:34:19.000000000 -0400
@@ -14,10 +14,7 @@
 if (allow_execmem) {
 allow prelink_t self:process execmem;
 }
-if (allow_execmod) {
 allow prelink_t texrel_shlib_t:file execmod;
-}
-
 allow prelink_t fs_t:filesystem getattr;
 
 ifdef(`crond.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/radvd.te policy-1.25.1/domains/program/unused/radvd.te
--- nsapolicy/domains/program/unused/radvd.te	2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.1/domains/program/unused/radvd.te	2005-07-06 17:29:15.000000000 -0400
@@ -15,11 +15,12 @@
 
 allow radvd_t self:{ rawip_socket unix_dgram_socket } rw_socket_perms;
 
-allow radvd_t self:capability net_raw;
+allow radvd_t self:capability { net_raw setgid };
 allow radvd_t self:{ unix_dgram_socket rawip_socket } create;
 allow radvd_t self:unix_stream_socket create_socket_perms;
 
 can_network_server(radvd_t)
+can_ypbind(radvd_t)
 
 allow radvd_t proc_t:dir r_dir_perms;
 allow radvd_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.25.1/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/rpcd.te	2005-07-06 17:29:15.000000000 -0400
@@ -11,7 +11,11 @@
 # Rules for the rpcd_t and nfsd_t domain.
 #
 define(`rpc_domain', `
+ifdef(`targeted_policy', `
+daemon_base_domain($1, `, transitionbool')
+', `
 daemon_base_domain($1)
+')
 can_network($1_t)
 allow $1_t port_type:tcp_socket name_connect;
 can_ypbind($1_t)
@@ -114,7 +118,7 @@
 allow nfsd_t var_run_t:dir search;
 
 allow nfsd_t self:capability { sys_admin sys_resource };
-allow nfsd_t fs_t:filesystem getattr;
+allow nfsd_t fs_type:filesystem getattr;
 
 can_udp_send(nfsd_t, portmap_t)
 can_udp_send(portmap_t, nfsd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.1/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/squid.te	2005-07-06 17:29:15.000000000 -0400
@@ -78,3 +78,6 @@
 #squid requires the following when run in diskd mode, the recommended setting
 allow squid_t tmpfs_t:file { read write };
 r_dir_file(squid_t, cert_t)
+ifdef(`winbind.te', `
+domain_auto_trans(squid_t, winbind_helper_exec_t, winbind_helper_t)
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te	2005-05-25 11:28:10.000000000 -0400
+++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-06 17:29:15.000000000 -0400
@@ -21,6 +21,9 @@
 type samba_log_t, file_type, sysadmfile, logfile;
 type samba_var_t, file_type, sysadmfile;
 type samba_secrets_t, file_type, sysadmfile;
+allow smbd_t winbind_t:unix_stream_socket connectto;
+allow smbd_t winbind_var_run_t:dir r_dir_perms;
+allow smbd_t winbind_var_run_t:sock_file getattr;
 ')
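Review bot: The new smbd_t rules grant `connectto` on winbind_t's stream socket and `getattr` on the sock_file, but not `write` on winbind_var_run_t:sock_file, which connect(2) to a unix socket path also checks; unless that is granted elsewhere the connect will still be denied. Suggest `allow smbd_t winbind_var_run_t:sock_file write;` beside the getattr rule. These rules sit inside an `ifdef` block that opens before the hunk.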
 rw_dir_file(winbind_t, samba_etc_t)
 rw_dir_create_file(winbind_t, samba_log_t)
@@ -33,3 +36,10 @@
 can_kerberos(winbind_t)
 allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
 allow winbind_t winbind_var_run_t:sock_file create_file_perms;
+
+application_domain(winbind_helper, `, nscd_client_domain')
+access_terminal(winbind_helper_t, sysadm)
+read_locale(winbind_helper_t) 
+r_dir_file(winbind_helper_t, samba_etc_t)
+allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
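Review bot: winbind_helper_t (ntlm_auth) gets `r_dir_perms` on winbind_var_run_t, but nothing in this hunk lets it actually reach winbindd: there is no `winbind_var_run_t:sock_file write` and no `winbind_t:unix_stream_socket connectto`, which connecting to the pipe socket requires. Unless those rules already exist elsewhere in 1.25.1, squid's auth helper will fail at connect time; the likely missing lines are `allow winbind_helper_t winbind_var_run_t:sock_file write;` and `allow winbind_helper_t winbind_t:unix_stream_socket connectto;`. Separately, `access_terminal(winbind_helper_t, sysadm)` gives a helper spawned by squid_t access to the admin's terminals, which is only needed for interactive use and is worth narrowing or commenting.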
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.25.1/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/file_contexts/program/cups.fc	2005-07-06 17:29:15.000000000 -0400
@@ -41,3 +41,5 @@
 /usr/share/hplip/hpssd.py	--	system_u:object_r:hplip_exec_t
 /usr/share/foomatic/db/oldprinterids 	--	system_u:object_r:cupsd_rw_etc_t
 /var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
+/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
+/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.25.1/file_contexts/program/winbind.fc
--- nsapolicy/file_contexts/program/winbind.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.1/file_contexts/program/winbind.fc	2005-07-06 17:29:15.000000000 -0400
@@ -8,3 +8,4 @@
 /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
 ')
 /var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t
+/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.25.1/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/file_contexts/types.fc	2005-07-06 17:29:15.000000000 -0400
@@ -261,13 +261,13 @@
 # /opt
 #
 /opt(/.*)?			system_u:object_r:usr_t
-/opt/.*/lib(64)?(/.*)?				system_u:object_r:lib_t
-/opt/.*/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
-/opt/.*/libexec(/.*)?	system_u:object_r:bin_t
-/opt/.*/bin(/.*)?		system_u:object_r:bin_t
-/opt/.*/sbin(/.*)?		system_u:object_r:sbin_t
-/opt/.*/man(/.*)?		system_u:object_r:man_t
-/opt/.*/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t
+/opt(/.*)?/lib(64)?(/.*)?				system_u:object_r:lib_t
+/opt(/.*)?/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+/opt(/.*)?/libexec(/.*)?	system_u:object_r:bin_t
+/opt(/.*)?/bin(/.*)?		system_u:object_r:bin_t
+/opt(/.*)?/sbin(/.*)?		system_u:object_r:sbin_t
+/opt(/.*)?/man(/.*)?		system_u:object_r:man_t
+/opt(/.*)?/var/lib(64)?(/.*)?		system_u:object_r:var_lib_t
 
 #
 # /etc
diff --exclude-from=exclude -N -u -r nsapolicy/macros/admin_macros.te policy-1.25.1/macros/admin_macros.te
--- nsapolicy/macros/admin_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/admin_macros.te	2005-07-06 17:29:15.000000000 -0400
@@ -49,9 +49,6 @@
 # Allow system log read
 allow $1_t kernel_t:system syslog_read;
 
-# Allow autrace
-# allow sysadm_t self:netlink_audit_socket nlmsg_readpriv;
-
 # Use capabilities other than sys_module.
 allow $1_t self:capability ~sys_module;
 
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.25.1/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/base_user_macros.te	2005-07-06 17:35:02.000000000 -0400
@@ -63,10 +63,8 @@
 allow $1_t self:process execstack;
 }
 
-if (allow_execmod) {
 # Allow text relocations on system shared libraries, e.g. libGL.
 allow $1_t texrel_shlib_t:file execmod;
-}
 
 #
 # kdeinit wants this access
@@ -349,7 +347,7 @@
 allow $1_t devtty_t:chr_file rw_file_perms;
 allow $1_t null_device_t:chr_file rw_file_perms;
 allow $1_t zero_device_t:chr_file { rw_file_perms execute };
-allow $1_t { random_device_t urandom_device_t }:chr_file { getattr read ioctl };
+allow $1_t { random_device_t urandom_device_t }:chr_file ra_file_perms;
 #
 # Added to allow reading of cdrom
 #
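Review bot: Switching random_device_t/urandom_device_t from `{ getattr read ioctl }` to `ra_file_perms` adds `append` (and `lock`) for every user domain, i.e. users may now write into the kernel entropy pool through /dev/random and /dev/urandom. As far as I know such writes are mixed in without an entropy credit, so the risk is low, but it is a deliberate crypto-relevant widening and the line should name the program that needed it, e.g. `# some user programs open /dev/urandom O_RDWR; append is harmless (no entropy credit)`. If only `lock` was failing, the old list plus `lock` would be narrower.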
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.25.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/global_macros.te	2005-07-06 17:33:15.000000000 -0400
@@ -106,6 +106,7 @@
 allow $1 ld_so_t:lnk_file r_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:file rx_file_perms;
 allow $1 { texrel_shlib_t shlib_t }:lnk_file r_file_perms;
+allow $1 texrel_shlib_t:file execmod;
 allow $1 ld_so_cache_t:file r_file_perms;
 allow $1 device_t:dir search;
 allow $1 null_device_t:chr_file rw_file_perms;
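Review bot: `allow $1 texrel_shlib_t:file execmod;` is added unconditionally to a macro whose name is outside this hunk (the neighbouring ld_so/shlib rules suggest uses_shlib), so every domain that links shared libraries gets execmod on text-relocated libraries regardless of the `allow_execmod` boolean. Together with the later hunks that strip their `if (allow_execmod)` guards (base_user, games, java, mozilla, mplayer, prelink, xserver), this leaves the boolean governing only mplayer's zero_device_t mapping and silently removes the administrator's ability to forbid text relocations. If that is intended — texrel_shlib_t as the curated set of libraries that need them — the tunable's description should change and this line should say `# texrel_shlib_t is the sanctioned text-relocation list; not subject to allow_execmod`.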
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/apache_macros.te	2005-07-06 17:29:15.000000000 -0400
@@ -108,6 +108,7 @@
 
 if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 create_dir_file(httpd_$1_script_t, httpdcontent)
+can_exec(httpd_$1_script_t, httpdcontent)
 }
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te	2005-06-01 06:11:23.000000000 -0400
+++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-06 17:29:15.000000000 -0400
@@ -32,6 +32,8 @@
 domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
 allow auth_chkpwd sbin_t:dir search;
 allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow auth_chkpwd self:capability audit_write;
+
 dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
 dontaudit auth_chkpwd shadow_t:file { getattr read };
 can_ypbind(auth_chkpwd)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.25.1/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/dbusd_macros.te	2005-07-06 17:29:15.000000000 -0400
@@ -37,7 +37,7 @@
 allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
 
 allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
-allow $1_dbusd_t self:file { getattr read };
+allow $1_dbusd_t self:file { getattr read write };
 allow $1_dbusd_t proc_t:file read;
 
 can_getsecurity($1_dbusd_t)
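Review bot: `allow $1_dbusd_t self:file { getattr read write };` grants write on every file under /proc/self for both the system and session bus daemons, not just whichever one produced the denial, and /proc/self includes control files such as `attr/*`. A narrower rule for the specific file is preferable, and the line should record which one dbus-daemon actually writes: `# dbus-daemon writes /proc/self/<file> — name it here`.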
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.25.1/macros/program/evolution_macros.te
--- nsapolicy/macros/program/evolution_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.1/macros/program/evolution_macros.te	2005-07-06 17:29:15.000000000 -0400
@@ -221,12 +221,6 @@
 domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
 ') dnl spamassasin.te
 
-### Start links in web browser
-ifdef(`mozilla.te', `
-can_exec($1_evolution_t, shell_exec_t)
-domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
-') dnl mozilla.te
-
 ') dnl evolution_domain
 
 #################################
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.25.1/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/games_domain.te	2005-07-06 17:34:46.000000000 -0400
@@ -33,10 +33,7 @@
 allow $1_games_t self:process execmem;
 }
 
-if (allow_execmod) {
 allow $1_games_t texrel_shlib_t:file execmod;
-}
-
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
 allow $1_games_t sound_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.25.1/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te	2005-06-01 06:11:23.000000000 -0400
+++ policy-1.25.1/macros/program/java_macros.te	2005-07-06 17:32:24.000000000 -0400
@@ -52,9 +52,7 @@
 can_exec($1_javaplugin_t, java_exec_t)
 
 # libdeploy.so legacy
-if (allow_execmod) {
 allow $1_javaplugin_t texrel_shlib_t:file execmod;
-}
 if (allow_execmem) {
 allow $1_javaplugin_t self:process execmem;
 }
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.25.1/macros/program/mail_client_macros.te
--- nsapolicy/macros/program/mail_client_macros.te	2005-07-05 15:25:49.000000000 -0400
+++ policy-1.25.1/macros/program/mail_client_macros.te	2005-07-06 17:29:15.000000000 -0400
@@ -21,8 +21,8 @@
 
 # Allow POP/IMAP/SMTP/NNTP/LDAP/IPP(printing)
 can_ypbind($1_t)
-can_network_client_tcp($1_t, { pop_port_t smtp_port_t ifdef(`innd.te', `innd_port_t') ldap_port_t ipp_port_t })
-allow $1_t { pop_port_t smtp_port_t ifdef(`innd.te', `innd_port_t') ldap_port_t ipp_port_t }:tcp_socket name_connect;
+can_network_client_tcp($1_t, { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t })
+allow $1_t { pop_port_t smtp_port_t innd_port_t ldap_port_t ipp_port_t }:tcp_socket name_connect;
 
 # Allow printing the mail
 ifdef(`cups.te',`
@@ -45,4 +45,10 @@
 allow $1_t $2_gpg_t:process signal;
 ')
 
+# Start links in web browser
+ifdef(`mozilla.te', `
+can_exec($1_t, shell_exec_t)
+domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
+') 
+
 ')
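Review bot: `can_exec($1_t, shell_exec_t)` now applies to every mail client domain built through this macro rather than only $1_evolution_t, so any client that parses untrusted mail may run /bin/sh in its own domain. The shell is presumably there because the browser launcher is a shell script, but that is an inference; if the launcher runs after the transition to $2_mozilla_t, the shell exec in the client's own domain may be unnecessary and should be tested with it removed. At minimum make the comment say why: `# browser launcher is a shell script run from the client domain before the mozilla transition`.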
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.25.1/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/mozilla_macros.te	2005-07-06 17:31:56.000000000 -0400
@@ -133,9 +133,7 @@
 if (allow_execmem) {
 allow $1_mozilla_t self:process execmem;
 }
-if (allow_execmod) {
 allow $1_mozilla_t texrel_shlib_t:file execmod;
-}
 
 dbusd_client(system, $1_mozilla)
 ifdef(`apache.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.25.1/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/mplayer_macros.te	2005-07-06 17:33:44.000000000 -0400
@@ -44,8 +44,8 @@
 
 if (allow_execmod) {
 allow $1_$2_t zero_device_t:chr_file execmod;
-allow $1_$2_t texrel_shlib_t:file execmod;
 }
+allow $1_$2_t texrel_shlib_t:file execmod;
 
 # Access to DVD/CD/V4L
 allow $1_$2_t device_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.25.1/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/xserver_macros.te	2005-07-06 17:30:59.000000000 -0400
@@ -52,9 +52,7 @@
 
 uses_shlib($1_xserver_t)
 
-if (allow_execmod) {
 allow $1_xserver_t texrel_shlib_t:file execmod;
-}
 
 can_network($1_xserver_t)
 allow $1_xserver_t port_type:tcp_socket name_connect;
@@ -64,11 +62,9 @@
 # for access within the domain
 general_domain_access($1_xserver_t)
 
-if (allow_execmem) {
 allow $1_xserver_t self:process execmem;
 # Until the X module loader is fixed.
 allow $1_xserver_t self:process execheap;
-}
 
 allow $1_xserver_t etc_runtime_t:file { getattr read };
 
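Review bot: Removing the `if (allow_execmem)` guard makes `execmem` and `execheap` unconditional for every $1_xserver_t, so the boolean no longer restrains the X server at all; execheap in particular is what lets a heap overflow become code execution. The surviving comment `# Until the X module loader is fixed.` now describes a workaround that has been hard-wired, so update it, e.g. `# X module loader needs execmem/execheap; granted unconditionally (not under allow_execmem) — revisit when the loader is fixed`. The earlier hunk in this file does the same for execmod.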
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.25.1/net_contexts
--- nsapolicy/net_contexts	2005-07-06 17:15:06.000000000 -0400
+++ policy-1.25.1/net_contexts	2005-07-06 17:29:15.000000000 -0400
@@ -58,6 +58,8 @@
 
 portcon tcp 80  system_u:object_r:http_port_t
 portcon tcp 443  system_u:object_r:http_port_t
+portcon tcp 488  system_u:object_r:http_port_t
+portcon tcp 8008  system_u:object_r:http_port_t
 
 portcon tcp 106 system_u:object_r:pop_port_t
 portcon tcp 109 system_u:object_r:pop_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.25.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/targeted/domains/unconfined.te	2005-07-06 17:30:17.000000000 -0400
@@ -72,3 +72,8 @@
 
 # allow reading of default file context
 bool read_default_t true;
+
+if (allow_execmem) {
+allow domain self:process execmem;
+}
+
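Review bot: `allow domain self:process execmem;` under `allow_execmem` grants executable anonymous memory to every domain in the targeted policy — `domain` is the attribute carried by all process types, including the confined daemons that targeted exists to protect — not just unconfined_t. If allow_execmem is on by default, this removes the W^X check from exactly the network-facing services where it matters, for the sake of unconfined user applications. Limit it to the unconfined domain (`allow unconfined_t self:process execmem;`) or give confined daemons their own booleans, and document the intent either way.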
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.25.1/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.1/tunables/distro.tun	2005-07-06 17:29:15.000000000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.25.1/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-05-25 11:28:11.000000000 -0400
+++ policy-1.25.1/tunables/tunable.tun	2005-07-06 17:29:15.000000000 -0400
@@ -2,7 +2,7 @@
 dnl define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
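Review bot: Defining `unlimitedRPM` in the tunables shipped with the strict policy means rpm and every package scriptlet run unconfined, so any installed package — or any compromise of the update path — gets unrestricted execution on a system that otherwise chose strict. That is a significant decision that the changelog entry `Update to NSA` does not mention; if it is intended for the Fedora build, say so here: `# Fedora: package scriptlets need unconfined access — rationale/bug reference`. If this file is shared by the targeted and strict builds, confirm both want it.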
@@ -20,7 +20,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
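Review bot: Enabling `hide_broken_symptoms` suppresses the dontaudit-covered denials in the shipped policy, trading audit visibility for quieter logs; a site doing detection on AVC records loses those events with no indication that the policy is hiding them. The existing comment asserts they are `not security risks`, but that judgement is frozen at build time. Consider leaving it off in the strict build, or add a note beside it listing which denial classes are suppressed so responders know what they will not see.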
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.25.1/types/network.te
--- nsapolicy/types/network.te	2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/types/network.te	2005-07-06 17:29:15.000000000 -0400
@@ -158,7 +158,6 @@
 type snmp_port_t, port_type, reserved_port_type;
 type biff_port_t, port_type, reserved_port_type;
 type hplip_port_t, port_type;
-type cipe_port_t, port_type;
 
 #inetd_child_ports
 


Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/.cvsignore,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- .cvsignore	29 Jun 2005 20:39:00 -0000	1.116
+++ .cvsignore	6 Jul 2005 21:38:28 -0000	1.117
@@ -82,3 +82,4 @@
 policy-1.23.17.tgz
 policy-1.23.18.tgz
 policy-1.24.tgz
+policy-1.25.1.tgz


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.342
retrieving revision 1.343
diff -u -r1.342 -r1.343
--- selinux-policy-strict.spec	6 Jul 2005 14:27:15 -0000	1.342
+++ selinux-policy-strict.spec	6 Jul 2005 21:38:28 -0000	1.343
@@ -10,8 +10,8 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.24
-Release: 5
+Version: 1.25.1
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -20,7 +20,7 @@
 Source3: selinux.csh
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050629.patch
+Patch: policy-20050706.patch
 
 BuildArch: noarch
 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
@@ -229,6 +229,10 @@
 exit 0
 
 %changelog
+* Wed Jul 6 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-1
+- Update to NSA
+- Fix strict policy audit_write so you can login 
+
 * Wed Jul 6 2005 Dan Walsh <dwalsh at redhat.com> 1.24-5
 - Add winbind_helper_t
 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/sources,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -r1.122 -r1.123
--- sources	29 Jun 2005 20:39:01 -0000	1.122
+++ sources	6 Jul 2005 21:38:28 -0000	1.123
@@ -1,2 +1,3 @@
 c5e6564854d306ad0487c6d56c98bb81  policy-1.23.18.tgz
 da7bb54f26402c4c640e9086dafb8041  policy-1.24.tgz
+c796981eb7f40135c19198841f76f0e7  policy-1.25.1.tgz



