rpms/selinux-policy-targeted/FC-3 booleans, 1.6, 1.7 policy-20050104.patch, 1.42, 1.43 selinux-policy-targeted.spec, 1.210, 1.211
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Jun 15 20:23:07 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv29832
Modified Files:
booleans policy-20050104.patch selinux-policy-targeted.spec
Log Message:
* Tue Jun 14 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-3.10
- Add additional shlib_t and texrel_shlib_t
Index: booleans
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/booleans,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- booleans 13 Jun 2005 15:23:30 -0000 1.6
+++ booleans 15 Jun 2005 20:23:04 -0000 1.7
@@ -1,8 +1,11 @@
httpd_enable_cgi=1
httpd_enable_homedirs=1
httpd_ssi_exec=1
+httpd_builtin_scripting=1
named_write_master_zones=0
httpd_unified=1
httpd_tty_comm=0
allow_execmod=1
allow_execmem=1
+allow_ypbind=1
+
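Review bot: `allow_ypbind=1` and `httpd_builtin_scripting=1` change shipped defaults, but the log message and the spec changelog only say "Add additional shlib_t and texrel_shlib_t", so anyone auditing the package history will miss a policy change. If `allow_ypbind` does what its name suggests, it opens NIS-related network access for confined domains on every install, including hosts that do not use NIS. Consider shipping `allow_ypbind=0` and letting NIS sites enable it, or at least add a changelog entry such as `- Enable allow_ypbind and httpd_builtin_scripting by default`. The file already ships `allow_execmod=1` and `allow_execmem=1`, so each further permissive default is worth recording explicitly.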
policy-20050104.patch:
Makefile | 50 +++--
attrib.te | 29 +++
domains/program/crond.te | 7
domains/program/ldconfig.te | 24 ++
domains/program/login.te | 2
domains/program/logrotate.te | 24 +-
domains/program/mount.te | 2
domains/program/ssh.te | 7
domains/program/syslogd.te | 40 ++--
domains/program/unused/acct.te | 6
domains/program/unused/apache.te | 307 ++++++++++++++++++++++------------
domains/program/unused/arpwatch.te | 26 ++
domains/program/unused/cups.te | 58 +++++-
domains/program/unused/dhcpc.te | 5
domains/program/unused/dhcpd.te | 20 +-
domains/program/unused/dovecot.te | 3
domains/program/unused/ftpd.te | 2
domains/program/unused/hald.te | 3
domains/program/unused/howl.te | 2
domains/program/unused/innd.te | 7
domains/program/unused/ipsec.te | 9
domains/program/unused/iptables.te | 3
domains/program/unused/mailman.te | 29 ++-
domains/program/unused/mdadm.te | 3
domains/program/unused/mta.te | 25 ++
domains/program/unused/mysqld.te | 28 +--
domains/program/unused/named.te | 39 ++--
domains/program/unused/nscd.te | 62 +++---
domains/program/unused/ntpd.te | 27 ++
domains/program/unused/portmap.te | 21 ++
domains/program/unused/postfix.te | 2
domains/program/unused/postgresql.te | 62 +++++-
domains/program/unused/procmail.te | 1
domains/program/unused/rpcd.te | 2
domains/program/unused/rpm.te | 5
domains/program/unused/rsync.te | 2
domains/program/unused/samba.te | 4
domains/program/unused/sendmail.te | 2
domains/program/unused/slrnpull.te | 1
domains/program/unused/snmpd.te | 31 ++-
domains/program/unused/spamd.te | 2
domains/program/unused/squid.te | 30 ++-
domains/program/unused/udev.te | 5
domains/program/unused/updfstab.te | 1
domains/program/unused/winbind.te | 35 +++
domains/program/unused/xdm.te | 4
domains/program/unused/ypbind.te | 15 -
domains/program/unused/ypserv.te | 7
domains/user.te | 6
file_contexts/distros.fc | 174 +++++++++++++++++--
file_contexts/program/apache.fc | 24 ++
file_contexts/program/arpwatch.fc | 3
file_contexts/program/cups.fc | 5
file_contexts/program/dhcpd.fc | 25 ++
file_contexts/program/ipsec.fc | 11 -
file_contexts/program/mailman.fc | 15 -
file_contexts/program/mta.fc | 5
file_contexts/program/mysqld.fc | 4
file_contexts/program/named.fc | 18 +
file_contexts/program/nscd.fc | 3
file_contexts/program/ntpd.fc | 10 -
file_contexts/program/portmap.fc | 9
file_contexts/program/postgresql.fc | 23 --
file_contexts/program/sendmail.fc | 1
file_contexts/program/snmpd.fc | 4
file_contexts/program/squid.fc | 2
file_contexts/program/syslogd.fc | 3
file_contexts/program/winbind.fc | 10 +
file_contexts/types.fc | 212 +++++++++--------------
flask/access_vectors | 31 +++
flask/security_classes | 6
genfs_contexts | 2
macros/base_user_macros.te | 9
macros/core_macros.te | 98 +++++++---
macros/global_macros.te | 95 +++-------
macros/network_macros.te | 172 +++++++++++++++++++
macros/program/apache_macros.te | 144 ++++++++-------
macros/program/kerberos_macros.te | 11 +
macros/program/mount_macros.te | 2
macros/program/mozilla_macros.te | 2
macros/program/mta_macros.te | 5
macros/program/newrole_macros.te | 2
macros/program/spamassassin_macros.te | 5
macros/program/ssh_agent_macros.te | 2
macros/program/ssh_macros.te | 2
macros/program/su_macros.te | 2
macros/program/userhelper_macros.te | 3
macros/program/xauth_macros.te | 2
macros/program/xserver_macros.te | 4
macros/program/ypbind_macros.te | 24 --
man/man8/httpd_selinux.8 | 114 ++++++++++++
man/man8/named_selinux.8 | 29 +++
net_contexts | 99 +++++++---
targeted/assert.te | 6
targeted/domains/program/hotplug.te | 4
targeted/domains/program/initrc.te | 2
targeted/domains/program/sendmail.te | 17 +
targeted/domains/unconfined.te | 63 +++++-
targeted/types/apache.te | 5
tunables/distro.tun | 2
tunables/tunable.tun | 21 --
types/device.te | 9
types/file.te | 89 ++++++---
types/network.te | 56 ++++--
types/procfs.te | 4
105 files changed, 1976 insertions(+), 815 deletions(-)
Index: policy-20050104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/policy-20050104.patch,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- policy-20050104.patch 13 Jun 2005 15:23:30 -0000 1.42
+++ policy-20050104.patch 15 Jun 2005 20:23:04 -0000 1.43
@@ -1259,7 +1259,16 @@
+allow system_mail_t { random_device_t urandom_device_t }:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.17.30/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/unused/mysqld.te 2005-06-10 06:52:30.000000000 -0400
++++ policy-1.17.30/domains/program/unused/mysqld.te 2005-06-15 10:45:59.000000000 -0400
+@@ -10,7 +10,7 @@
+ #
+ # mysqld_exec_t is the type of the mysqld executable.
+ #
+-daemon_domain(mysqld)
++daemon_domain(mysqld, `, nscd_client_domain')
+
+ type mysqld_port_t, port_type;
+ allow mysqld_t mysqld_port_t:tcp_socket name_bind;
@@ -18,7 +18,6 @@
allow mysqld_t mysqld_var_run_t:sock_file create_file_perms;
@@ -2231,7 +2240,7 @@
# and may change other protocols
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.17.30/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/file_contexts/distros.fc 2005-06-10 06:52:30.000000000 -0400
++++ policy-1.17.30/file_contexts/distros.fc 2005-06-13 11:47:40.000000000 -0400
@@ -1,34 +1,168 @@
ifdef(`distro_redhat', `
-/usr/share/system-config-network(/netconfig)?/[^/]+.py -- system_u:object_r:bin_t
@@ -2320,8 +2329,8 @@
+
+ifdef(`dbusd.te', `', `
+/var/run/dbus(/.*)? system_u:object_r:system_dbusd_var_run_t
-+')
-+
+ ')
+
+# The following are libraries with text relocations in need of execmod permissions
+# Some of them should be fixed and removed from this list
+
@@ -2410,9 +2419,9 @@
+/usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- system_u:object_r:shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/Reader/intellinux/plug_ins/EScript\.api -- system_u:object_r:texrel_shlib_t
++/usr(/.*)?/Reader/intellinux/SPPlugins/ADMPlugin\.apl -- system_u:object_r:texrel_shlib_t
++')
+
- ')
-
+ifdef(`distro_suse', `
+/var/lib/samba/bin/.+ system_u:object_r:bin_t
+/var/lib/samba/bin/.*\.so(\.[^/]*)* -l system_u:object_r:lib_t
@@ -2804,7 +2813,7 @@
+/var/cache/samba/winbindd_privileged(/.*)? system_u:object_r:winbind_var_run_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.30/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/file_contexts/types.fc 2005-06-10 06:52:30.000000000 -0400
++++ policy-1.17.30/file_contexts/types.fc 2005-06-14 12:47:11.000000000 -0400
@@ -54,11 +54,11 @@
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_DIR/.+ system_u:object_r:ROLE_home_t
@@ -2902,7 +2911,7 @@
-/opt/[^/]*/man(/.*)? system_u:object_r:man_t
-/opt/[^/]*/libexec(/.*)? system_u:object_r:bin_t
+/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t
-+/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
++/opt/.*/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+/opt/.*/libexec(/.*)? system_u:object_r:bin_t
+/opt/.*/bin(/.*)? system_u:object_r:bin_t
+/opt/.*/sbin(/.*)? system_u:object_r:sbin_t
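Review bot: The replacement pattern `/opt/.*/.*\.so(\.[^/]*)*` drops the `lib(64)?/` directory component, so every regular file under /opt whose name ends in `.so` or `.so.N` is now labelled shlib_t, whatever directory it sits in. That presumably includes data, cache or spool directories that an application can write to, and shared-library types are normally readable and executable by most confined domains, so the label stops saying much about where the file came from. If the goal is to cover vendors that ship libraries outside `lib/`, listing those directories explicitly would keep the rule narrow. Otherwise add a comment above the line stating the intent, e.g. `# third-party packages under /opt ship .so files outside lib/; label by file name`. The enclosing types.fc hunk of the inner patch starts and ends outside this hunk.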
@@ -2975,7 +2984,7 @@
#
# /sbin
-@@ -330,99 +333,56 @@
+@@ -330,114 +333,66 @@
# /usr
#
/usr(/.*)? system_u:object_r:usr_t
@@ -3004,6 +3013,8 @@
+/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t
+
+# nvidia share libraries
++/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
++/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
+/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
+
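Review bot: Both added nvidia entries look mistyped and will probably never match the files they are meant for. The first uses `/usr/x11R6/` with a lower-case `x`, while every other entry on the page (for example the `libXvMCNVIDIA` line just below) uses `/usr/X11R6/`, and file-context paths are case-sensitive. The second has `/.so` where `\.so` was presumably intended, so it matches a three-character file name inside a `libGL/` directory instead of `libGL.so` or `libGLcore.so`. Suggested lines: `/usr/X11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t` and `/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t`. With `allow_execmod=1` set in booleans the mislabel may go unnoticed at runtime, which makes it worth confirming with `matchpathcon` on an installed system.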
@@ -3098,11 +3109,13 @@
-#
-/usr/X11R6/(.*/)?lib(64)?(/.*)? system_u:object_r:lib_t
-/usr/X11R6/(.*/)?lib(64)?(/.*)+\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+-
+/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
-
++/usr(/local)?/lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t
++/usr(/local)?/lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t
#
# /usr/X11R6/man
-@@ -430,14 +390,6 @@
+ #
/usr/X11R6/man(/.*)? system_u:object_r:man_t
#
@@ -3117,7 +3130,7 @@
# Fonts dir
#
/usr/X11R6/lib/X11/fonts(/.*)? system_u:object_r:fonts_t
-@@ -445,6 +397,7 @@
+@@ -445,6 +400,7 @@
/var/lib/msttcorefonts(/.*)? system_u:object_r:fonts_t
')
/usr/share/fonts(/.*)? system_u:object_r:fonts_t
@@ -3125,7 +3138,7 @@
/usr/local/share/fonts(/.*)? system_u:object_r:fonts_t
#
-@@ -458,6 +411,7 @@
+@@ -458,6 +414,7 @@
#
/var/spool(/.*)? system_u:object_r:var_spool_t
/var/spool/texmf(/.*)? system_u:object_r:tetex_data_t
@@ -3133,7 +3146,7 @@
#
# /var/log
-@@ -510,20 +464,31 @@
+@@ -510,20 +467,31 @@
/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
#
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/selinux-policy-targeted.spec,v
retrieving revision 1.210
retrieving revision 1.211
diff -u -r1.210 -r1.211
--- selinux-policy-targeted.spec 13 Jun 2005 15:23:30 -0000 1.210
+++ selinux-policy-targeted.spec 15 Jun 2005 20:23:04 -0000 1.211
@@ -8,7 +8,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.17.30
-Release: 3.9
+Release: 3.10
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -214,6 +214,9 @@
exit 0
%changelog
+* Tue Jun 14 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-3.10
+- Add additional shlib_t and texrel_shlib_t
+
* Mon Jun 13 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-3.9
- Allow unconfined_t full execmod access.