rpms/selinux-policy-targeted/devel policy-20050706.patch, 1.3, 1.4 selinux-policy-targeted.spec, 1.341, 1.342
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Jul 7 12:38:37 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv13581
Modified Files:
policy-20050706.patch selinux-policy-targeted.spec
Log Message:
* Thu Jul 7 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-5
- Allow cgi script to append to httpd_log_t
- More fixes for samba net command
policy-20050706.patch:
domains/admin.te | 5 +++++
domains/program/getty.te | 7 +++++++
domains/program/netutils.te | 2 ++
domains/program/passwd.te | 5 +++++
domains/program/unused/apache.te | 1 +
domains/program/unused/apmd.te | 7 +++++--
domains/program/unused/bluetooth.te | 3 ++-
domains/program/unused/ciped.te | 3 +--
domains/program/unused/cups.te | 7 +++++--
domains/program/unused/cyrus.te | 5 +----
domains/program/unused/dhcpc.te | 1 +
domains/program/unused/dovecot.te | 1 +
domains/program/unused/hald.te | 3 ++-
domains/program/unused/hotplug.te | 4 +++-
domains/program/unused/hwclock.te | 3 ---
domains/program/unused/nscd.te | 1 +
domains/program/unused/pppd.te | 7 ++++---
domains/program/unused/prelink.te | 3 ---
domains/program/unused/radvd.te | 3 ++-
domains/program/unused/rpcd.te | 6 +++++-
domains/program/unused/samba.te | 33 +++++++++++++++++++++++++++++++--
domains/program/unused/squid.te | 3 +++
domains/program/unused/winbind.te | 12 +++++++++++-
file_contexts/program/cups.fc | 2 ++
file_contexts/program/rpcd.fc | 3 ++-
file_contexts/program/samba.fc | 1 +
file_contexts/program/winbind.fc | 1 +
file_contexts/types.fc | 14 +++++++-------
macros/admin_macros.te | 3 ---
macros/base_user_macros.te | 4 +---
macros/global_macros.te | 1 +
macros/program/apache_macros.te | 5 ++---
macros/program/chkpwd_macros.te | 7 +++++++
macros/program/dbusd_macros.te | 2 +-
macros/program/evolution_macros.te | 6 ------
macros/program/games_domain.te | 3 ---
macros/program/java_macros.te | 2 --
macros/program/mail_client_macros.te | 10 ++++++++--
macros/program/mozilla_macros.te | 2 --
macros/program/mplayer_macros.te | 2 +-
macros/program/xserver_macros.te | 4 ----
net_contexts | 2 ++
targeted/domains/unconfined.te | 5 +++++
tunables/distro.tun | 2 +-
tunables/tunable.tun | 4 ++--
types/network.te | 1 -
46 files changed, 142 insertions(+), 69 deletions(-)
Index: policy-20050706.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050706.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20050706.patch 6 Jul 2005 22:34:08 -0000 1.3
+++ policy-20050706.patch 7 Jul 2005 12:38:35 -0000 1.4
@@ -244,6 +244,34 @@
log_domain(nscd)
r_dir_file(nscd_t, cert_t)
+allow nscd_t tun_tap_device_t:chr_file { read write };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.1/domains/program/unused/pppd.te
+--- nsapolicy/domains/program/unused/pppd.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.1/domains/program/unused/pppd.te 2005-07-07 07:09:25.000000000 -0400
+@@ -36,8 +36,7 @@
+ can_ypbind(pppd_t)
+
+ # Use capabilities.
+-allow pppd_t self:capability { net_admin setuid setgid fsetid };
+-
++allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+ lock_domain(pppd)
+
+ # Access secret files
+@@ -93,7 +92,7 @@
+ # for pppoe
+ can_create_pty(pppd)
+ allow pppd_t self:file { read getattr };
+-allow pppd_t self:capability { fowner net_raw };
++
+ allow pppd_t self:packet_socket create_socket_perms;
+
+ file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
+@@ -101,3 +100,5 @@
+ allow pppd_t sysctl_net_t:dir search;
+ allow pppd_t sysctl_net_t:file r_file_perms;
+ allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
++allow pppd_t initrc_var_run_t:file r_file_perms;
++dontaudit pppd_t initrc_var_run_t:file { lock write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.25.1/domains/program/unused/prelink.te
--- nsapolicy/domains/program/unused/prelink.te 2005-04-27 10:28:52.000000000 -0400
+++ policy-1.25.1/domains/program/unused/prelink.te 2005-07-06 17:34:19.000000000 -0400
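Review bot: The pppd_t capability line at L90 quietly adds `dac_override`; `fowner` and `net_raw` only move up from the line removed at L98, so `dac_override` is the one genuinely new grant, and it lets pppd bypass file permission checks on every file it touches rather than just the one that produced the denial. Since the log message does not say which file needed it, the narrower fix is to label that file and grant it explicitly, or at least record the reason on the line, e.g. `# dac_override: needed for <file — TODO confirm>`. The same hunk also gives nscd_t read and write on tun_tap_device_t (L80); nscd has no obvious business writing to the tun/tap character device, so this looks like an AVC being allowed rather than a real need, and if the access is incidental a `dontaudit nscd_t tun_tap_device_t:chr_file { read write };` is the safer response. The inner pppd.te hunks continue past the end of this outer hunk.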
@@ -299,6 +327,60 @@
can_udp_send(nfsd_t, portmap_t)
can_udp_send(portmap_t, nfsd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.1/domains/program/unused/samba.te
+--- nsapolicy/domains/program/unused/samba.te 2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.1/domains/program/unused/samba.te 2005-07-07 06:25:59.000000000 -0400
+@@ -47,6 +47,8 @@
+
+ # Use the network.
+ can_network(smbd_t)
++can_ldap(smbd_t)
++can_kerberos(smbd_t)
+ allow smbd_t ipp_port_t:tcp_socket name_connect;
+
+ allow smbd_t urandom_device_t:chr_file { getattr read };
+@@ -61,8 +63,10 @@
+
+ # Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
+ allow smbd_t var_lib_t:dir search;
+-allow smbd_t samba_var_t:dir create_dir_perms;
+-allow smbd_t samba_var_t:file create_file_perms;
++create_dir_file(smbd_t, samba_var_t)
++
++# Needed for shared printers
++allow smbd_t var_spool_t:dir search;
+
+ # Permissions to write log files.
+ allow smbd_t samba_log_t:file { create ra_file_perms };
+@@ -182,3 +186,28 @@
+ allow smbmount_t userdomain:fd use;
+ allow smbmount_t local_login_t:fd use;
+ ')
++# Derive from app. domain. Transition from mount.
++application_domain(samba_net, `, nscd_client_domain, privfd')
++file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
++read_locale(samba_net_t)
++allow samba_net_t samba_etc_t:file r_file_perms;
++r_dir_file(samba_net_t, samba_var_t)
++can_network_udp(samba_net_t)
++access_terminal(samba_net_t, sysadm)
++allow samba_net_t self:unix_dgram_socket create_socket_perms;
++allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
++rw_dir_create_file(samba_net_t, samba_var_t)
++allow samba_net_t etc_t:file { getattr read };
++can_network_client(samba_net_t)
++allow samba_net_t smbd_port_t:tcp_socket name_connect;
++can_ldap(samba_net_t)
++allow samba_net_t newrole_t:fd use;
++can_kerberos(samba_net_t)
++allow samba_net_t urandom_device_t:chr_file r_file_perms;
++allow samba_net_t proc_t:dir search;
++allow samba_net_t proc_t:lnk_file read;
++allow samba_net_t self:dir search;
++allow samba_net_t self:file read;
++allow samba_net_t self:process signal;
++tmp_domain(samba_net)
++dontaudit samba_net_t sysadm_home_dir_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.1/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/domains/program/unused/squid.te 2005-07-06 17:29:15.000000000 -0400
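Review bot: The header comment introducing the new samba_net domain at L144, `# Derive from app. domain. Transition from mount.`, appears copied from the smbmount block above it: nothing in the added lines transitions from mount, and how samba_net_t is entered is not visible in this hunk at all (presumably a transition lives elsewhere in the patch, e.g. the unconfined.te change in the diffstat — confirm). I would replace it with a comment that documents the domain, e.g. `# Domain for the samba "net" utility (/usr/bin/net, labeled samba_net_exec_t in samba.fc)`. Also, `r_dir_file(samba_net_t, samba_var_t)` at L149 is subsumed by `rw_dir_create_file(samba_net_t, samba_var_t)` at L154, so one of the two can be dropped to keep the grant list readable.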
@@ -311,8 +393,8 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/winbind.te 2005-07-06 17:29:15.000000000 -0400
-@@ -21,6 +21,9 @@
++++ policy-1.25.1/domains/program/unused/winbind.te 2005-07-06 19:23:53.000000000 -0400
+@@ -21,8 +21,11 @@
type samba_log_t, file_type, sysadmfile, logfile;
type samba_var_t, file_type, sysadmfile;
type samba_secrets_t, file_type, sysadmfile;
@@ -320,8 +402,11 @@
+allow smbd_t winbind_var_run_t:dir r_dir_perms;
+allow smbd_t winbind_var_run_t:sock_file getattr;
')
- rw_dir_file(winbind_t, samba_etc_t)
+-rw_dir_file(winbind_t, samba_etc_t)
++file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
rw_dir_create_file(winbind_t, samba_log_t)
+ allow winbind_t samba_secrets_t:file rw_file_perms;
+ allow winbind_t self:unix_dgram_socket create_socket_perms;
@@ -33,3 +36,10 @@
can_kerberos(winbind_t)
allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
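Review bot: Replacing `rw_dir_file(winbind_t, samba_etc_t)` (L188) with `file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)` (L189) appears to drop winbind's read access to samba_etc_t files, since as I read the macro it grants directory permissions on samba_etc_t and create permissions on samba_secrets_t but no file permissions on samba_etc_t itself. Unless winbind.te already grants that elsewhere, winbind would no longer be able to read smb.conf; confirm, and if not add `r_dir_file(winbind_t, samba_etc_t)` alongside the transition. The surrounding winbind.te hunk starts before this outer hunk.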
@@ -342,6 +427,33 @@
/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t
+/var/run/hp.*\.pid -- system_u:object_r:hplip_var_run_t
+/var/run/hp.*\.port -- system_u:object_r:hplip_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.25.1/file_contexts/program/rpcd.fc
+--- nsapolicy/file_contexts/program/rpcd.fc 2005-02-24 14:51:09.000000000 -0500
++++ policy-1.25.1/file_contexts/program/rpcd.fc 2005-07-07 08:36:47.000000000 -0400
+@@ -1,6 +1,6 @@
+ # RPC daemons
+ /sbin/rpc\..* -- system_u:object_r:rpcd_exec_t
+-/usr/sbin/rpc\..* -- system_u:object_r:rpcd_exec_t
++/usr/sbin/rpc.idmapd -- system_u:object_r:rpcd_exec_t
+ /usr/sbin/rpc\.nfsd -- system_u:object_r:nfsd_exec_t
+ /usr/sbin/exportfs -- system_u:object_r:nfsd_exec_t
+ /usr/sbin/rpc\.gssd -- system_u:object_r:gssd_exec_t
+@@ -9,3 +9,4 @@
+ /var/run/rpc\.statd\.pid -- system_u:object_r:rpcd_var_run_t
+ /var/run/rpc\.statd(/.*)? system_u:object_r:rpcd_var_run_t
+ /etc/exports -- system_u:object_r:exports_t
++
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.25.1/file_contexts/program/samba.fc
+--- nsapolicy/file_contexts/program/samba.fc 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.25.1/file_contexts/program/samba.fc 2005-07-06 18:52:13.000000000 -0400
+@@ -1,6 +1,7 @@
+ # samba scripts
+ /usr/sbin/smbd -- system_u:object_r:smbd_exec_t
+ /usr/sbin/nmbd -- system_u:object_r:nmbd_exec_t
++/usr/bin/net -- system_u:object_r:samba_net_exec_t
+ /etc/samba(/.*)? system_u:object_r:samba_etc_t
+ /var/log/samba(/.*)? system_u:object_r:samba_log_t
+ /var/cache/samba(/.*)? system_u:object_r:samba_var_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.25.1/file_contexts/program/winbind.fc
--- nsapolicy/file_contexts/program/winbind.fc 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.25.1/file_contexts/program/winbind.fc 2005-07-06 17:29:15.000000000 -0400
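Review bot: The new rpcd.fc entry at L207, `/usr/sbin/rpc.idmapd`, leaves the dot unescaped while its siblings at L205, L208 and L210 write `rpc\.`; file_contexts paths are regular expressions, so for consistency it should read `/usr/sbin/rpc\.idmapd -- system_u:object_r:rpcd_exec_t`. The change also narrows the former `/usr/sbin/rpc\..*` catch-all to a single daemon, so any other `/usr/sbin/rpc.*` binary not listed separately loses its rpcd_exec_t label; if that is intended, a one-line comment saying which daemons are meant to be left out would save the next reader from re-adding the wildcard. The trailing empty line added to rpcd.fc at L215 is stray.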
@@ -423,8 +535,18 @@
allow $1 null_device_t:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.1/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/apache_macros.te 2005-07-06 17:29:15.000000000 -0400
-@@ -108,6 +108,7 @@
++++ policy-1.25.1/macros/program/apache_macros.te 2005-07-07 06:44:49.000000000 -0400
+@@ -78,9 +78,6 @@
+
+ allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+
+-# for nscd
+-dontaudit httpd_$1_script_t var_t:dir search;
+-
+ ###########################################################################
+ # Allow the script interpreters to run the scripts. So
+ # the perl executable will be able to run a perl script
+@@ -108,6 +105,7 @@
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
create_dir_file(httpd_$1_script_t, httpdcontent)
@@ -432,10 +554,18 @@
}
#
+@@ -126,6 +124,7 @@
+ ############################################
+ # Allow scripts to append to http logs
+ #########################################
++allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir search;
+ allow httpd_$1_script_t httpd_log_t:file { getattr append };
+
+ # apache should set close-on-exec
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.25.1/macros/program/chkpwd_macros.te 2005-07-06 17:29:15.000000000 -0400
-@@ -32,6 +32,8 @@
++++ policy-1.25.1/macros/program/chkpwd_macros.te 2005-07-06 19:35:03.000000000 -0400
+@@ -32,9 +32,16 @@
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
allow auth_chkpwd sbin_t:dir search;
allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
@@ -444,6 +574,14 @@
dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
dontaudit auth_chkpwd shadow_t:file { getattr read };
can_ypbind(auth_chkpwd)
++can_kerberos(auth_chkpwd)
++can_ldap(auth_chkpwd)
++ifdef(`winbind.te', `
++r_dir_file(auth_chkpwd, winbind_var_run_t)
++')
+ ', `
+ domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+ allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.25.1/macros/program/dbusd_macros.te
--- nsapolicy/macros/program/dbusd_macros.te 2005-07-06 17:15:07.000000000 -0400
+++ policy-1.25.1/macros/program/dbusd_macros.te 2005-07-06 17:29:15.000000000 -0400
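Review bot: `can_kerberos(auth_chkpwd)` and `can_ldap(auth_chkpwd)` at L274–L275 are granted unconditionally to every domain carrying the auth_chkpwd attribute, while the winbind grant right below (L276–L278) is guarded by `ifdef(`winbind.te', ...)`; the network access these macros give to password checkers is only needed when PAM is backed by Kerberos or LDAP, so it would be consistent to guard them the same way or behind a tunable. The m4 branch these lines sit in (closed by `', `` at L279) begins outside this hunk.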
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.341
retrieving revision 1.342
diff -u -r1.341 -r1.342
--- selinux-policy-targeted.spec 6 Jul 2005 23:40:41 -0000 1.341
+++ selinux-policy-targeted.spec 7 Jul 2005 12:38:35 -0000 1.342
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.25.1
-Release: 4
+Release: 5
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -237,6 +237,10 @@
exit 0
%changelog
+* Thu Jul 7 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-5
+- Allow cgi script to append to httpd_log_t
+- More fixes for samba net command
+
* Wed Jul 6 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-4
- Add boolean to allow sysadm_t to ptrace