rpms/selinux-policy-targeted/FC-4 policy-20050606.patch, NONE, 1.1 .cvsignore, 1.110, 1.111 sources, 1.116, 1.117
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Jun 15 15:07:28 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv7168
Modified Files:
.cvsignore sources
Added Files:
policy-20050606.patch
Log Message:
Update FC4 to match rawhide
policy-20050606.patch:
Makefile | 5
attrib.te | 2
domains/misc/kernel.te | 7 -
domains/misc/local.te | 5
domains/program/fsadm.te | 5
domains/program/init.te | 4
domains/program/initrc.te | 10 +
domains/program/klogd.te | 2
domains/program/login.te | 2
domains/program/modutil.te | 2
domains/program/mount.te | 2
domains/program/restorecon.te | 5
domains/program/ssh.te | 2
domains/program/syslogd.te | 2
domains/program/unused/acct.te | 2
domains/program/unused/alsa.te | 17 ++
domains/program/unused/apache.te | 2
domains/program/unused/bonobo.te | 9 +
domains/program/unused/consoletype.te | 2
domains/program/unused/cups.te | 6
domains/program/unused/dhcpc.te | 5
domains/program/unused/ethereal.te | 48 ++++++
domains/program/unused/evolution.te | 13 +
domains/program/unused/gconf.te | 12 +
domains/program/unused/gift.te | 1
domains/program/unused/gnome.te | 7 +
domains/program/unused/gnome_vfs.te | 9 +
domains/program/unused/i18n_input.te | 1
domains/program/unused/iceauth.te | 12 +
domains/program/unused/orbit.te | 7 +
domains/program/unused/pam.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 2
domains/program/unused/rpcd.te | 3
domains/program/unused/thunderbird.te | 9 +
domains/program/unused/udev.te | 2
domains/program/unused/utempter.te | 5
domains/program/unused/xdm.te | 20 ++
domains/program/unused/xserver.te | 3
file_contexts/distros.fc | 3
file_contexts/program/alsa.fc | 3
file_contexts/program/apache.fc | 2
file_contexts/program/bonobo.fc | 1
file_contexts/program/ethereal.fc | 3
file_contexts/program/evolution.fc | 8 +
file_contexts/program/fontconfig.fc | 6
file_contexts/program/gconf.fc | 5
file_contexts/program/gnome.fc | 8 +
file_contexts/program/gnome_vfs.fc | 1
file_contexts/program/iceauth.fc | 3
file_contexts/program/mozilla.fc | 3
file_contexts/program/orbit.fc | 3
file_contexts/program/thunderbird.fc | 2
file_contexts/program/xauth.fc | 1
file_contexts/program/xdm.fc | 1
file_contexts/program/xserver.fc | 2
file_contexts/types.fc | 2
macros/admin_macros.te | 8 -
macros/base_user_macros.te | 36 ++++-
macros/global_macros.te | 37 ++---
macros/program/bonobo_macros.te | 119 +++++++++++++++++
macros/program/dbusd_macros.te | 3
macros/program/ethereal_macros.te | 82 +++++++++++
macros/program/evolution_macros.te | 238 ++++++++++++++++++++++++++++++++++
macros/program/fontconfig_macros.te | 38 ++++-
macros/program/games_domain.te | 38 +----
macros/program/gconf_macros.te | 55 +++++++
macros/program/gift_macros.te | 57 ++------
macros/program/gnome_macros.te | 115 ++++++++++++++++
macros/program/gnome_vfs_macros.te | 49 +++++++
macros/program/gpg_agent_macros.te | 1
macros/program/gpg_macros.te | 3
macros/program/ice_macros.te | 38 +++++
macros/program/iceauth_macros.te | 39 +++++
macros/program/lpr_macros.te | 3
macros/program/mail_client_macros.te | 60 ++++++++
macros/program/mozilla_macros.te | 63 +++------
macros/program/orbit_macros.te | 44 ++++++
macros/program/spamassassin_macros.te | 7 -
macros/program/ssh_agent_macros.te | 3
macros/program/thunderbird_macros.te | 59 ++++++++
macros/program/userhelper_macros.te | 3
macros/program/x_client_macros.te | 12 -
macros/program/xauth_macros.te | 2
macros/program/xdm_macros.te | 11 +
macros/program/xserver_macros.te | 17 +-
macros/user_macros.te | 4
mls | 41 ++---
net_contexts | 25 +--
targeted/domains/program/crond.te | 2
targeted/domains/unconfined.te | 3
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/device.te | 7 +
types/devpts.te | 2
types/file.te | 4
types/network.te | 8 -
types/security.te | 2
98 files changed, 1392 insertions(+), 268 deletions(-)
--- NEW FILE policy-20050606.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.18/attrib.te
--- nsapolicy/attrib.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/attrib.te 2005-06-08 09:04:15.000000000 -0400
@@ -30,7 +30,7 @@
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
-attribute mlsnetbindall;
+attribute mlsnetrecvall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.18/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.23.18/domains/misc/kernel.te 2005-06-08 09:04:15.000000000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer') ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
@@ -28,6 +28,11 @@
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+
# Share state with the init process.
allow kernel_t init_t:process share;
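Review bot: The range `s0 - s9:c0.c127` in the added `range_transition` is a literal, so it stops being the maximum range if the sensitivity or category declarations in `mls` change; that file is touched by this patch but its hunk is not visible here. The comment should say where the bounds come from, for example `# run init with maximum MLS range; keep s9:c0.c127 in sync with the levels declared in mls`. The rule is correctly guarded by `ifdef(`mls_policy', ...)`, so the note only concerns keeping the two places consistent.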
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/local.te policy-1.23.18/domains/misc/local.te
--- nsapolicy/domains/misc/local.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.18/domains/misc/local.te 2005-06-09 14:57:58.000000000 -0400
@@ -0,0 +1,5 @@
+# Local customization of existing policy should be done in this file.
+# If you are creating brand new policy for a new "target" domain, you
+# need to create a type enforcement (.te) file in domains/program
+# and a file context (.fc) file in file_context/program.
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.18/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.23.18/domains/program/fsadm.te 2005-06-08 09:38:00.000000000 -0400
@@ -12,14 +12,14 @@
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
-type fsadm_t, domain, privlog, fs_domain;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
+r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
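Review bot: `r_dir_file(fsadm_t, sysfs_t)` sits under the unchanged `# for swapon` comment but grants more than the rule it replaces. The old line allowed only `search getattr` on sysfs directories, while the macro name suggests directory listing plus file reads across `sysfs_t` (the macro body is not on this page). If a tool in this domain needs to read sysfs files, name it in the comment; otherwise keep the narrower `allow fsadm_t sysfs_t:dir { search getattr };`. The same applies to the uncommented `allow fsadm_t ramfs_t:fifo_file rw_file_perms;` in the next hunk, whereas initrc.te documents its ramfs rule with `# rhgb-console writes to ramfs`.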
@@ -116,3 +116,4 @@
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.18/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/initrc.te 2005-06-10 14:11:21.000000000 -0400
@@ -12,7 +12,7 @@
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
role system_r types initrc_t;
uses_shlib(initrc_t);
@@ -120,7 +120,13 @@
# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+allow initrc_t file_t:dir { read search getattr mounton };
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir { read search getattr mounton };
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
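Review bot: The comment `# during boot up initrc needs to do the following` does not say what needs access to `default_t` directories. The split rule grants exactly the permissions the removed combined rule did, so the reason for separating it is lost on the reader. If the intent is to mark the `default_t` rule as a candidate for later removal or conditioning, say so, e.g. `# initrc mounts on not-yet-relabeled (default_t) directories during boot; revisit once mount points are labeled`. The wording of that example is inferred from `mounton` in the rule and should be confirmed by the author.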
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.18/domains/program/init.te
--- nsapolicy/domains/program/init.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/init.te 2005-06-08 09:04:15.000000000 -0400
@@ -14,11 +14,11 @@
# by init during initialization. This pipe is used
# to communicate with init.
#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
+type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.18/domains/program/klogd.te
--- nsapolicy/domains/program/klogd.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/klogd.te 2005-06-08 09:04:15.000000000 -0400
@@ -8,7 +8,7 @@
#
# Rules for the klogd_t domain.
#
-daemon_domain(klogd, `, privmem, privkmsg')
+daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.18/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/login.te 2005-06-08 09:04:15.000000000 -0400
@@ -13,7 +13,7 @@
# $1 is the name of the domain (local or remote)
define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
+type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.18/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.23.18/domains/program/modutil.te 2005-06-08 09:04:15.000000000 -0400
@@ -72,7 +72,7 @@
# Rules for the insmod_t domain.
#
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite
;
role system_r types insmod_t;
role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.18/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/mount.te 2005-06-08 09:04:15.000000000 -0400
@@ -11,7 +11,7 @@
type mount_exec_t, file_type, sysadmfile, exec_type;
-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
mount_loopback_privs(sysadm, mount)
role sysadm_r types mount_t;
role system_r types mount_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.18/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/restorecon.te 2005-06-10 14:11:36.000000000 -0400
@@ -12,7 +12,7 @@
#
# needs auth_write attribute because it has relabelfrom/relabelto
# access to shadow_t
-type restorecon_t, domain, privlog, privowner, auth_write, change_context;
+type restorecon_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
type restorecon_exec_t, file_type, sysadmfile, exec_type;
role system_r types restorecon_t;
@@ -20,7 +20,7 @@
role secadm_r types restorecon_t;
allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
-allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
+allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
allow restorecon_t { userdomain init_t privfd }:fd use;
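Review bot: Adding `user_tty_type` to the `chr_file { read write ioctl }` rule gives restorecon_t read and write access to every user terminal type, and the hunk carries no comment explaining why. Only `initrc_t`, `sysadm_t` and `secadm_t` appear in the visible `domain_auto_trans` line, so it is not obvious from this file which caller runs restorecon on a user tty. A one-line comment naming that caller, such as `# restorecon can be started from a user terminal via <caller>`, would let a later reviewer decide whether the access is still needed.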
@@ -61,4 +61,3 @@
allow restorecon_t kernel_t:fifo_file { read write };
allow restorecon_t kernel_t:unix_dgram_socket { read write };
r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.18/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/ssh.te 2005-06-08 09:04:15.000000000 -0400
@@ -25,7 +25,7 @@
# privowner is for changing the identity on the terminal device
# privfd is for passing the terminal file handle to the user process
# auth_chkpwd is for running unix_chkpwd and unix_verify.
-type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain;
+type $1_t, domain, privuser, privrole, privlog, privowner, privfd, auth_chkpwd, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade, mlsprocsetsl;
can_exec($1_t, sshd_exec_t)
r_dir_file($1_t, self)
[...2519 lines suppressed...]
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.18/net_contexts
--- nsapolicy/net_contexts 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/net_contexts 2005-06-08 22:57:41.000000000 -0400
@@ -50,19 +50,25 @@
portcon udp 53 system_u:object_r:dns_port_t
portcon tcp 53 system_u:object_r:dns_port_t
-ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t')
-ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
+ifdef(`dhcpc.te', `
+portcon udp 67 system_u:object_r:dhcpd_port_t
+portcon udp 68 system_u:object_r:dhcpc_port_t
+')
ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
-ifdef(`use_pop', `
portcon tcp 106 system_u:object_r:pop_port_t
portcon tcp 109 system_u:object_r:pop_port_t
portcon tcp 110 system_u:object_r:pop_port_t
-')
+portcon tcp 143 system_u:object_r:pop_port_t
+portcon tcp 220 system_u:object_r:pop_port_t
+portcon tcp 993 system_u:object_r:pop_port_t
+portcon tcp 995 system_u:object_r:pop_port_t
+portcon tcp 1109 system_u:object_r:pop_port_t
+
portcon udp 111 system_u:object_r:portmap_port_t
portcon tcp 111 system_u:object_r:portmap_port_t
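Review bot: The `portcon udp 67 ... dhcpd_port_t` line is now conditioned on `dhcpc.te`, the DHCP client policy, instead of `use_dhcpd`. A build that includes the server policy without the client would therefore leave udp 67 without its `dhcpd_port_t` label and fall back to the default port context. Whether `dhcpd_port_t` itself is still declared conditionally is in the suppressed part of the patch, so this needs checking against types/network.te. If both can be built independently, keep a separate guard for the server port, e.g. `ifdef(`dhcpd.te', `portcon udp 67 system_u:object_r:dhcpd_port_t')`. Separately, the IMAP-family ports 143, 220 and 993 are now labeled `pop_port_t` unconditionally, so a comment stating that `pop_port_t` covers POP and IMAP would avoid misreading the type name.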
@@ -77,10 +83,6 @@
portcon udp 139 system_u:object_r:nmbd_port_t
portcon tcp 445 system_u:object_r:smbd_port_t
-ifdef(`use_pop', `
-portcon tcp 143 system_u:object_r:pop_port_t
-portcon tcp 220 system_u:object_r:pop_port_t
-')
ifdef(`snmpd.te', `
portcon udp 161 system_u:object_r:snmp_port_t
portcon udp 162 system_u:object_r:snmp_port_t
@@ -131,10 +133,8 @@
')
ifdef(`swat.te', `portcon tcp 901 system_u:object_r:swat_port_t')
ifdef(`named.te', `portcon tcp 953 system_u:object_r:rndc_port_t')
-ifdef(`use_pop', `
-portcon tcp 993 system_u:object_r:pop_port_t
-portcon tcp 995 system_u:object_r:pop_port_t
-portcon tcp 1109 system_u:object_r:pop_port_t
+ifdef(`gift.te', `
+portcon tcp 1213 system_u:object_r:giftd_port_t
')
ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
@@ -191,6 +191,7 @@
')
ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
+ifdef(`cups.te', `portcon tcp 5703 system_u:object_r:ptal_port_t')
ifdef(`xdm.te', `
portcon tcp 5900 system_u:object_r:vnc_port_t
')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.18/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te 2005-06-01 06:11:23.000000000 -0400
+++ policy-1.23.18/targeted/domains/program/crond.te 2005-06-08 09:04:15.000000000 -0400
@@ -17,13 +17,11 @@
type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
type system_cron_spool_t, file_type, sysadmfile;
type sysadm_cron_spool_t, file_type, sysadmfile;
-type crond_log_t, file_type, sysadmfile;
role system_r types crond_t;
domain_auto_trans(initrc_t, crond_exec_t, crond_t)
domain_auto_trans(initrc_t, anacron_exec_t, crond_t)
unconfined_domain(crond_t)
# Access log files
-file_type_auto_trans(crond_t, var_log_t, crond_log_t, file)
file_type_auto_trans(crond_t, user_home_dir_t, user_home_t)
file_type_auto_trans(crond_t, tmp_t, system_crond_tmp_t)
allow crond_t initrc_t:dbus send_msg;
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.18/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/targeted/domains/unconfined.te 2005-06-08 09:22:54.000000000 -0400
@@ -63,8 +63,7 @@
bool use_samba_home_dirs false;
if (allow_execmod) {
-allow unconfined_t { ld_so_t shlib_t }:file execmod;
-allow unconfined_t { bin_t sbin_t exec_type }:file execmod;
+allow unconfined_t file_type:file execmod;
}
ifdef(`samba.te', `samba_domain(user)')
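Review bot: `allow unconfined_t file_type:file execmod;` widens execmod from the loader, library and executable types to every type carrying the `file_type` attribute. That attribute also covers data types such as the `tmpfile` types declared elsewhere in this patch. With the `allow_execmod` boolean on, the check then no longer distinguishes code from writable data for unconfined_t. If a specific application triggered this, list its type explicitly alongside the two removed rules. Otherwise add a comment stating the trade-off, e.g. `# execmod on any file type: text relocations in files outside the library/exec types are not blocked for unconfined_t`.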
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.18/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.18/tunables/distro.tun 2005-06-08 09:04:15.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.18/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/tunables/tunable.tun 2005-06-08 09:04:15.000000000 -0400
@@ -2,7 +2,7 @@
dnl define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
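Review bot: Enabling `hide_broken_symptoms` means the denials covered by that flag are no longer audited, so on an installed FC-4 system they will not appear when someone triages AVC messages. The existing comment describes the flag but not that the distribution now ships with it on. Adding a line such as `# enabled in the FC-4 build: denials under this flag are dontaudit'ed; undefine when debugging policy` would record that. The same applies to `define(`unlimitedRPM')` in the previous hunk, which per its comment lets rpm run unconfined and deserves an equally explicit note that it is a packaging decision.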
diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.23.18/types/device.te
--- nsapolicy/types/device.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/device.te 2005-06-08 09:04:15.000000000 -0400
@@ -154,3 +154,10 @@
# for other device nodes such as the NVidia binary-only driver
type xserver_misc_device_t, device_type, dev_fs;
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_type, dev_fs;
+
+
+
+
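Review bot: The new comment on `crypt_device_t` misspells "accelerator" as `accelorator`, and the hunk appends four empty lines at the end of the file. Suggested comment: `# for the IBM zSeries z90crypt hardware SSL accelerator`, with the trailing blank lines dropped. The type declaration itself matches the style of `xserver_misc_device_t` above it.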
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.23.18/types/devpts.te
--- nsapolicy/types/devpts.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/devpts.te 2005-06-08 09:04:15.000000000 -0400
@@ -10,7 +10,7 @@
#
# ptmx_t is the type for /dev/ptmx.
#
-type ptmx_t, sysadmfile, device_type, dev_fs;
+type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
#
# devpts_t is the type of the devpts file system and
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.18/types/file.te
--- nsapolicy/types/file.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/file.te 2005-06-08 23:14:54.000000000 -0400
@@ -325,4 +325,8 @@
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+allow customizable self:filesystem associate;
+
+# type for /tmp/.ICE-unix
+type ice_tmp_t, file_type, sysadmfile, tmpfile;
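Review bot: `allow customizable self:filesystem associate;` is added directly under the `ftpd_anon_t` declaration with no comment, so it reads as part of the anonymous-FTP block. It actually applies to every type that has the `customizable` attribute. It should get its own comment and a separating blank line, e.g. `# any customizable type may be associated with a filesystem of its own type`. That wording is my reading of the `self` target and should be confirmed. Because the attribute can be attached to types in other files, a reader of those files will not find this rule unless it is also mentioned where `customizable` is declared.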
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.18/types/network.te
--- nsapolicy/types/network.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/network.te 2005-06-08 09:04:15.000000000 -0400
@@ -33,15 +33,7 @@
type ipp_port_t, port_type, reserved_port_type;
allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-ifdef(`cyrus.te', `define(`use_pop')')
-ifdef(`courier.te', `define(`use_pop')')
-ifdef(`perdition.te', `define(`use_pop')')
-ifdef(`dovecot.te', `define(`use_pop')')
-ifdef(`uwimapd.te', `define(`use_pop')')
-ifdef(`fetchmail.te', `define(`use_pop')')
-ifdef(`use_pop', `
type pop_port_t, port_type, reserved_port_type;
-')
type ftp_port_t, port_type, reserved_port_type;
type ftp_data_port_t, port_type, reserved_port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.18/types/security.te
--- nsapolicy/types/security.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/security.te 2005-06-08 09:04:15.000000000 -0400
@@ -12,7 +12,7 @@
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
-type security_t, mount_point, fs_type;
+type security_t, mount_point, fs_type, mlstrustedobject;
#
# policy_config_t is the type of /etc/security/selinux/*
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/.cvsignore,v
retrieving revision 1.110
retrieving revision 1.111
diff -u -r1.110 -r1.111
--- .cvsignore 25 May 2005 15:46:46 -0000 1.110
+++ .cvsignore 15 Jun 2005 15:07:25 -0000 1.111
@@ -75,3 +75,4 @@
policy-1.23.15.tgz
policy-1.23.16.tgz
policy-1.23.17.tgz
+policy-1.23.18.tgz
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/sources,v
retrieving revision 1.116
retrieving revision 1.117
diff -u -r1.116 -r1.117
--- sources 25 May 2005 15:46:46 -0000 1.116
+++ sources 15 Jun 2005 15:07:25 -0000 1.117
@@ -1 +1 @@
-6f4a8a6cd4eb487ff7f3a2d334fa4478 policy-1.23.17.tgz
+c5e6564854d306ad0487c6d56c98bb81 policy-1.23.18.tgz