
rpms/selinux-policy-targeted/FC-4 policy-20050606.patch, 1.1, 1.2 selinux-policy-targeted.spec, 1.314, 1.315



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv2723

Modified Files:
	policy-20050606.patch selinux-policy-targeted.spec 
Log Message:
* Thu Jun 16 2005 Dan Walsh <dwalsh redhat com> 1.23.18-12
- Update for FC4


policy-20050606.patch:
 Makefile                                 |   14 -
 attrib.te                                |    2 
 domains/misc/kernel.te                   |    7 
 domains/misc/local.te                    |    5 
 domains/program/fsadm.te                 |    5 
 domains/program/init.te                  |    4 
 domains/program/initrc.te                |   11 +
 domains/program/klogd.te                 |    2 
 domains/program/login.te                 |    2 
 domains/program/modutil.te               |    2 
 domains/program/mount.te                 |    4 
 domains/program/restorecon.te            |    5 
 domains/program/ssh.te                   |    2 
 domains/program/syslogd.te               |    2 
 domains/program/unused/NetworkManager.te |    4 
 domains/program/unused/acct.te           |    2 
 domains/program/unused/alsa.te           |   17 ++
 domains/program/unused/apache.te         |    2 
 domains/program/unused/auditd.te         |    2 
 domains/program/unused/bonobo.te         |    9 +
 domains/program/unused/consoletype.te    |    2 
 domains/program/unused/cups.te           |   30 +++
 domains/program/unused/dhcpc.te          |   14 +
 domains/program/unused/ethereal.te       |   48 ++++++
 domains/program/unused/evolution.te      |   13 +
 domains/program/unused/gconf.te          |   12 +
 domains/program/unused/gift.te           |    1 
 domains/program/unused/gnome.te          |    7 
 domains/program/unused/gnome_vfs.te      |    9 +
 domains/program/unused/gpg.te            |    3 
 domains/program/unused/hotplug.te        |    2 
 domains/program/unused/i18n_input.te     |    1 
 domains/program/unused/iceauth.te        |   12 +
 domains/program/unused/innd.te           |    1 
 domains/program/unused/mozilla.te        |    6 
 domains/program/unused/mysqld.te         |    3 
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/orbit.te          |    7 
 domains/program/unused/pam.te            |    5 
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/ping.te           |    2 
 domains/program/unused/rpcd.te           |    5 
 domains/program/unused/thunderbird.te    |    9 +
 domains/program/unused/udev.te           |    2 
 domains/program/unused/utempter.te       |    5 
 domains/program/unused/xdm.te            |   22 ++
 domains/program/unused/xserver.te        |    3 
 domains/user.te                          |   14 +
 file_contexts/distros.fc                 |   18 --
 file_contexts/program/alsa.fc            |    3 
 file_contexts/program/apache.fc          |    2 
 file_contexts/program/bonobo.fc          |    1 
 file_contexts/program/cups.fc            |    3 
 file_contexts/program/ethereal.fc        |    3 
 file_contexts/program/evolution.fc       |    8 +
 file_contexts/program/fontconfig.fc      |    6 
 file_contexts/program/gconf.fc           |    5 
 file_contexts/program/gnome.fc           |    8 +
 file_contexts/program/gnome_vfs.fc       |    1 
 file_contexts/program/iceauth.fc         |    3 
 file_contexts/program/irc.fc             |    2 
 file_contexts/program/mozilla.fc         |    4 
 file_contexts/program/orbit.fc           |    3 
 file_contexts/program/thunderbird.fc     |    2 
 file_contexts/program/xauth.fc           |    1 
 file_contexts/program/xdm.fc             |    1 
 file_contexts/program/xserver.fc         |    2 
 file_contexts/types.fc                   |    2 
 macros/admin_macros.te                   |   12 +
 macros/base_user_macros.te               |   75 ++++++---
 macros/content_macros.te                 |  185 +++++++++++++++++++++++
 macros/global_macros.te                  |  121 +--------------
 macros/home_macros.te                    |  130 ++++++++++++++++
 macros/program/bonobo_macros.te          |  119 +++++++++++++++
 macros/program/dbusd_macros.te           |    3 
 macros/program/ethereal_macros.te        |   83 ++++++++++
 macros/program/evolution_macros.te       |  241 +++++++++++++++++++++++++++++++
 macros/program/fontconfig_macros.te      |   38 ++++
 macros/program/games_domain.te           |   38 +---
 macros/program/gconf_macros.te           |   56 +++++++
 macros/program/gift_macros.te            |   60 ++-----
 macros/program/gnome_macros.te           |  115 ++++++++++++++
 macros/program/gnome_vfs_macros.te       |   49 ++++++
 macros/program/gpg_agent_macros.te       |    1 
 macros/program/gpg_macros.te             |   45 -----
 macros/program/ice_macros.te             |   38 ++++
 macros/program/iceauth_macros.te         |   40 +++++
 macros/program/irc_macros.te             |    1 
 macros/program/lpr_macros.te             |   24 ---
 macros/program/mail_client_macros.te     |   48 ++++++
 macros/program/mozilla_macros.te         |  131 +++++-----------
 macros/program/mplayer_macros.te         |   15 +
 macros/program/orbit_macros.te           |   44 +++++
 macros/program/pyzor_macros.te           |    1 
 macros/program/razor_macros.te           |    1 
 macros/program/spamassassin_macros.te    |    9 -
 macros/program/ssh_agent_macros.te       |    3 
 macros/program/thunderbird_macros.te     |   57 +++++++
 macros/program/tvtime_macros.te          |    1 
 macros/program/userhelper_macros.te      |    3 
 macros/program/x_client_macros.te        |   12 -
 macros/program/xauth_macros.te           |    1 
 macros/program/xdm_macros.te             |   11 +
 macros/program/xserver_macros.te         |   17 +-
 macros/user_macros.te                    |    8 -
 mls                                      |   41 ++---
 net_contexts                             |   31 ++-
 targeted/domains/program/crond.te        |    2 
 targeted/domains/unconfined.te           |   10 -
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/device.te                          |    7 
 types/devpts.te                          |    2 
 types/file.te                            |    8 +
 types/network.te                         |    9 -
 types/security.te                        |    2 
 116 files changed, 1835 insertions(+), 541 deletions(-)

View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.1 -r 1.2 policy-20050606.patch
Index: policy-20050606.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/policy-20050606.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20050606.patch	15 Jun 2005 15:07:25 -0000	1.1
+++ policy-20050606.patch	17 Jun 2005 03:45:33 -0000	1.2
@@ -70,7 +70,7 @@
 +allow fsadm_t ramfs_t:fifo_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.18/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/initrc.te	2005-06-10 14:11:21.000000000 -0400
++++ policy-1.23.18/domains/program/initrc.te	2005-06-16 16:54:14.000000000 -0400
 @@ -12,7 +12,7 @@
  # initrc_exec_t is the type of the init program.
  #
@@ -95,6 +95,14 @@
  
  # Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
  file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
+@@ -253,6 +259,7 @@
+ domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
+ allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
+ allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
++typeattribute initrc_t privuser;
+ domain_trans(initrc_t, shell_exec_t, unconfined_t)
+ allow initrc_t unconfined_t:system syslog_mod;
+ ', `
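Review bot: `typeattribute initrc_t privuser;` lands with no comment, and privuser is the attribute the constraints configuration consults when deciding whether a domain may change its SELinux user identity on a transition, so this widens initrc_t well beyond the dbus rules it sits between. Add a comment naming the denial that motivated it (the surrounding `domain_trans(initrc_t, shell_exec_t, unconfined_t)` suggests the targeted unconfined path), so the grant can be revisited rather than carried forward silently.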
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.18/domains/program/init.te
 --- nsapolicy/domains/program/init.te	2005-05-25 11:28:09.000000000 -0400
 +++ policy-1.23.18/domains/program/init.te	2005-06-08 09:04:15.000000000 -0400
@@ -150,7 +158,7 @@
  role sysadm_r types insmod_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.18/domains/program/mount.te
 --- nsapolicy/domains/program/mount.te	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/mount.te	2005-06-08 09:04:15.000000000 -0400
++++ policy-1.23.18/domains/program/mount.te	2005-06-16 14:01:56.000000000 -0400
 @@ -11,7 +11,7 @@
  
  type mount_exec_t, file_type, sysadmfile, exec_type;
@@ -160,6 +168,15 @@
  mount_loopback_privs(sysadm, mount)
  role sysadm_r types mount_t;
  role system_r types mount_t;
+@@ -68,7 +68,7 @@
+ # for localization
+ allow mount_t lib_t:file { getattr read };
+ allow mount_t autofs_t:dir read;
+-allow mount_t fs_t:filesystem relabelfrom;
++allow mount_t fs_type:filesystem relabelfrom;
+ #
+ # This rule needs to be generalized.  Only admin, initrc should have it.
+ #
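Review bot: changing `allow mount_t fs_t:filesystem relabelfrom;` to `fs_type` grants relabelfrom on every filesystem type (proc, sysfs, devpts and the rest), not only the on-disk fs_t, and the hunk shows no matching relabelto target, so it is not clear which mount was being denied. Prefer listing the filesystem types that actually need it, or add a comment with the denial; the existing "This rule needs to be generalized" comment below belongs to the next rule and should not be read as covering this widening.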
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.18/domains/program/restorecon.te
 --- nsapolicy/domains/program/restorecon.te	2005-05-25 11:28:09.000000000 -0400
 +++ policy-1.23.18/domains/program/restorecon.te	2005-06-10 14:11:36.000000000 -0400
@@ -255,6 +272,18 @@
  # for modules that want to access /etc/mtab and /proc/meminfo
  allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.18/domains/program/unused/auditd.te
+--- nsapolicy/domains/program/unused/auditd.te	2005-06-01 06:11:22.000000000 -0400
++++ policy-1.23.18/domains/program/unused/auditd.te	2005-06-16 22:40:17.000000000 -0400
+@@ -16,7 +16,7 @@
+ allow auditd_t self:unix_dgram_socket create_socket_perms;
+ allow auditd_t self:capability { audit_write audit_control sys_nice };
+ allow auditd_t self:process setsched;
+-allow auditd_t self:file { getattr read };
++allow auditd_t self:file { getattr read write };
+ allow auditd_t etc_t:file { getattr read };
+ 
+ # Do not use logdir_domain since this is a security file
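Review bot: `allow auditd_t self:file { getattr read write };` adds write on auditd's own /proc/&lt;pid&gt; entries without saying which entry the daemon writes. For a domain this sensitive (the very next comment calls its log a security file), a one-line comment naming the /proc/self file would let the next reader confirm the permission is still needed instead of leaving a blanket write in place.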
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bonobo.te policy-1.23.18/domains/program/unused/bonobo.te
 --- nsapolicy/domains/program/unused/bonobo.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/bonobo.te	2005-06-08 09:04:15.000000000 -0400
@@ -282,7 +311,7 @@
  role system_r types consoletype_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.18/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/cups.te	2005-06-08 09:04:15.000000000 -0400
++++ policy-1.23.18/domains/program/unused/cups.te	2005-06-15 11:14:26.000000000 -0400
 @@ -150,6 +150,12 @@
  allow ptal_t self:capability { chown sys_rawio };
  allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
@@ -296,9 +325,40 @@
  allow ptal_t self:fifo_file rw_file_perms;
  allow ptal_t device_t:dir read;
  allow ptal_t printer_device_t:chr_file rw_file_perms;
+@@ -166,6 +172,30 @@
+ allow initrc_t ptal_var_run_t:fifo_file unlink;
+ 
+ 
++# HPLIP
++type hplip_port_t, port_type, reserved_port_type;
++daemon_domain(hplip)
++etcdir_domain(hplip)
++allow hplip_t etc_t:file r_file_perms;
++allow hplip_t printer_device_t:chr_file rw_file_perms;
++allow cupsd_t hplip_var_run_t:file { read getattr };
++allow hplip_t cupsd_etc_t:dir search;
++can_network(hplip_t)
++allow hplip_t { hplip_port_t ipp_port_t }:tcp_socket name_connect;
++allow hplip_t hplip_port_t:tcp_socket name_bind;
++
++# Uses networking to talk to the daemons
++allow hplip_t self:unix_dgram_socket create_socket_perms;
++allow hplip_t self:unix_stream_socket create_socket_perms;
++
++# for python
++can_exec(hplip_t, bin_t)
++allow hplip_t { sbin_t bin_t }:dir search;
++allow hplip_t self:file { getattr read };
++allow hplip_t proc_t:file r_file_perms;
++allow hplip_t urandom_device_t:chr_file { getattr read };
++allow hplip_t usr_t:{ file lnk_file } r_file_perms;
++
+ dontaudit cupsd_t selinux_config_t:dir search;
+ dontaudit cupsd_t selinux_config_t:file { getattr read };
+ 
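Review bot: `can_network(hplip_t)` gives hplip_t general TCP/UDP socket use, so the `name_connect` to `{ hplip_port_t ipp_port_t }` and the `name_bind` on hplip_port_t are the only lines keeping it off arbitrary ports; if that tighter set is the intent, say so in a comment. The comment `# Uses networking to talk to the daemons` sits above the unix_dgram/unix_stream rules rather than the TCP rules and should be moved or reworded. `can_exec(hplip_t, bin_t)` under `# for python` runs the interpreter inside hplip_t with no transition; that is acceptable for a script-driven daemon but deserves a comment saying it is deliberate.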
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.18/domains/program/unused/dhcpc.te
 --- nsapolicy/domains/program/unused/dhcpc.te	2005-04-27 10:28:50.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/dhcpc.te	2005-06-13 11:52:32.000000000 -0400
++++ policy-1.23.18/domains/program/unused/dhcpc.te	2005-06-16 17:52:55.000000000 -0400
 @@ -68,6 +68,9 @@
  ifdef(`cardmgr.te', `
  allow ping_t cardmgr_t:fd use;
@@ -309,7 +369,16 @@
  ') dnl end if ping
  
  ifdef(`dhcpd.te', `', `
-@@ -143,7 +146,7 @@
+@@ -127,7 +130,7 @@
+ ifdef(`hostname.te', `
+ domain_auto_trans(dhcpc_t, hostname_exec_t, hostname_t)
+ ')
+-dontaudit dhcpc_t { ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
++dontaudit dhcpc_t { devpts_t ttyfile ptyfile tty_device_t }:chr_file rw_file_perms;
+ allow dhcpc_t { userdomain kernel_t }:fd use;
+ 
+ allow dhcpc_t home_root_t:dir search;
+@@ -143,10 +146,17 @@
  can_exec(dhcpc_t, initrc_exec_t)
  ifdef(`ypbind.te', `
  domain_auto_trans(dhcpc_t, ypbind_exec_t, ypbind_t)
@@ -318,6 +387,16 @@
  ')
  ifdef(`ntpd.te', `
  domain_auto_trans(dhcpc_t, ntpd_exec_t, ntpd_t)
+ ')
+ role sysadm_r types dhcpc_t;
+ domain_auto_trans(sysadm_t, dhcpc_exec_t, dhcpc_t)
++ifdef(`dbusd.te', `
++dbusd_client(system, dhcpc)
++allow dhcpc_t system_dbusd_t:dbus { acquire_svc send_msg };
++allow dhcpc_t self:dbus send_msg;
++allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;
++allow dhcpc_t { NetworkManager_t initrc_t }:dbus send_msg;
++')
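Review bot: `allow { NetworkManager_t initrc_t } dhcpc_t:dbus send_msg;` and the line after it reference NetworkManager_t guarded only by `ifdef(`dbusd.te'`, so a build that includes dbusd.te but not NetworkManager.te (it lives under domains/program/unused) will fail in checkpolicy with an undefined type. Wrap the two NetworkManager_t rules in `ifdef(`NetworkManager.te', ...)`, or split the set so initrc_t's rules stay unconditional.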
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ethereal.te policy-1.23.18/domains/program/unused/ethereal.te
 --- nsapolicy/domains/program/unused/ethereal.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.18/domains/program/unused/ethereal.te	2005-06-13 11:53:36.000000000 -0400
@@ -437,6 +516,30 @@
 +type gnome_vfs_exec_t, file_type, exec_type, sysadmfile;
 +
 +# Everything else is in macros/gnome_vfs_macros.te
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/gpg.te policy-1.23.18/domains/program/unused/gpg.te
+--- nsapolicy/domains/program/unused/gpg.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/gpg.te	2005-06-16 14:01:02.000000000 -0400
+@@ -11,8 +11,5 @@
+ allow sysadm_gpg_t { home_root_t user_home_dir_type }:dir search;
+ allow sysadm_gpg_t ptyfile:chr_file rw_file_perms;
+ 
+-# Allow gpg exec stack
+-bool allow_gpg_execstack false;
+-
+ # Everything else is in the gpg_domain macro in
+ # macros/program/gpg_macros.te.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.18/domains/program/unused/hotplug.te
+--- nsapolicy/domains/program/unused/hotplug.te	2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/hotplug.te	2005-06-16 23:25:55.000000000 -0400
+@@ -130,7 +130,7 @@
+ 
+ allow hotplug_t self:capability { net_admin sys_tty_config mknod };
+ allow hotplug_t sysfs_t:dir { getattr read search write };
+-allow hotplug_t sysfs_t:file { getattr read };
++allow hotplug_t sysfs_t:file rw_file_perms;
+ allow hotplug_t sysfs_t:lnk_file { getattr read };
+ allow hotplug_t udev_runtime_t:file rw_file_perms;
+ ifdef(`lpd.te', `
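Review bot: `allow hotplug_t sysfs_t:file rw_file_perms;` turns read-only access to every sysfs file into read/write, and writable sysfs attributes drive device and driver state, yet the changelog line "Fix hotplug" does not say which attribute hotplug needed to write. Record the denial or attribute path in a comment and, if a single subtree is involved, consider a dedicated type for it. Separately, dropping `bool allow_gpg_execstack false;` from gpg.te removes a tunable; the matching deletions in macros/program/gpg_macros.te are not shown here, so confirm nothing still references the boolean and mention the removal in the changelog.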
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.18/domains/program/unused/i18n_input.te
 --- nsapolicy/domains/program/unused/i18n_input.te	2005-05-07 00:41:09.000000000 -0400
 +++ policy-1.23.18/domains/program/unused/i18n_input.te	2005-06-08 09:04:15.000000000 -0400
@@ -461,6 +564,83 @@
 +
 +# Everything else is in the iceauth_domain macro in
 +# macros/program/iceauth_macros.te.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.23.18/domains/program/unused/innd.te
+--- nsapolicy/domains/program/unused/innd.te	2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/innd.te	2005-06-16 23:11:43.000000000 -0400
[...1736 lines suppressed...]
-+++ policy-1.23.18/macros/program/xdm_macros.te	2005-06-10 14:12:16.000000000 -0400
++++ policy-1.23.18/macros/program/xdm_macros.te	2005-06-16 14:05:26.000000000 -0400
 @@ -0,0 +1,11 @@
 +########################################
 +#
@@ -2537,7 +3509,7 @@
 +
 +define(`can_pipe_xdm', `
 +allow $1 xdm_t:fd use;
-+allow $1 xdm_t:fifo_file { getattr read write };
++allow $1 xdm_t:fifo_file { getattr read write ioctl };
 +') dnl can_pipe_xdm
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.23.18/macros/program/xserver_macros.te
 --- nsapolicy/macros/program/xserver_macros.te	2005-05-02 14:06:57.000000000 -0400
@@ -2592,16 +3564,20 @@
  ', `
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.18/macros/user_macros.te
 --- nsapolicy/macros/user_macros.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.23.18/macros/user_macros.te	2005-06-10 14:12:18.000000000 -0400
-@@ -22,6 +22,7 @@
++++ policy-1.23.18/macros/user_macros.te	2005-06-16 14:05:32.000000000 -0400
+@@ -21,7 +21,10 @@
+ type $1_home_dir_t, file_type, sysadmfile, home_dir_type, home_type, user_home_dir_type, polydir;
  type $1_home_t, file_type, sysadmfile, home_type, user_home_type, $1_file_type, polymember;
  
- tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
+-tmp_domain($1, `, user_tmpfile, $1_file_type', `{ file lnk_file dir sock_file fifo_file }')
++# Transition manually for { lnk sock fifo }. The rest is in content macros.
++tmp_domain_notrans($1, `, user_tmpfile, $1_file_type')
++file_type_auto_trans($1_t, tmp_t, $1_tmp_t, { lnk_file sock_file fifo_file })
 +allow $1_t $1_tmp_t:{ dir file } { relabelto relabelfrom };
  
  ifdef(`support_polyinstantiation', `
  type_member $1_t tmp_t:dir $1_tmp_t;
-@@ -243,8 +244,7 @@
+@@ -243,8 +246,7 @@
  allow $1_mount_t removable_t:filesystem { mount relabelto };
  allow $1_mount_t removable_t:dir mounton;
  ifdef(`xdm.te', `
@@ -2613,8 +3589,18 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.18/Makefile
 --- nsapolicy/Makefile	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/Makefile	2005-06-10 14:12:18.000000000 -0400
-@@ -155,11 +155,6 @@
++++ policy-1.23.18/Makefile	2005-06-16 14:05:37.000000000 -0400
+@@ -144,9 +144,6 @@
+ 	@mkdir -p $(POLICYPATH)
+ 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+ ifneq ($(MLS),y)
+-ifneq ($(VERS),18)
+-	$(CHECKPOLICY) -c 18 -o $(POLICYPATH)/policy.18 policy.conf
+-endif
+ endif
+ # Note: Can't use install, so not sure how to deal with mode, user, and group
+ #	other than by default.
+@@ -155,21 +152,12 @@
  
  $(POLICYVER):  policy.conf $(FC) $(CHECKPOLICY)
  	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
@@ -2626,6 +3612,25 @@
  	@echo "Validating file contexts files ..."
  	$(SETFILES) -q -c $(POLICYVER) $(FC)
  
+ reload tmp/load: $(LOADPATH) 
+ 	@echo "Loading Policy ..."
+-ifeq ($(VERS), $(KERNVERS))
+ 	$(LOADPOLICY) $(LOADPATH)
+-else
+-	$(LOADPOLICY) $(POLICYPATH)/policy.18
+-endif
+ 	touch tmp/load
+ 
+ load: tmp/load $(FCPATH) 
+@@ -242,7 +230,7 @@
+ 	  --regex-te='/^[ \t]*bool[ \t]+(\w+)/\1/b,bool/' $^
+  
+ clean:
+-	rm -f policy.conf $(POLICYVER) policy.18
++	rm -f policy.conf $(POLICYVER)
+ 	rm -f tags
+ 	rm -f tmp/*
+ 	rm -f $(FC)
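Review bot: with the `ifeq ($(VERS), $(KERNVERS))` branch removed, `make reload` always passes $(LOADPATH) to load_policy and the policy.18 fallback for a kernel that accepts an older policy version than checkpolicy produces is gone (the build and clean targets drop it too). That is fine if every FC-4 kernel accepts the current version, but the failure mode changes from loading an older binary to load_policy rejecting the file, so the changelog (the -12 entry only says "Update for FC4") should say so.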
 diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.23.18/mls
 --- nsapolicy/mls	2005-04-14 15:01:53.000000000 -0400
 +++ policy-1.23.18/mls	2005-06-08 09:04:15.000000000 -0400
@@ -2721,8 +3726,8 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.18/net_contexts
 --- nsapolicy/net_contexts	2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/net_contexts	2005-06-08 22:57:41.000000000 -0400
-@@ -50,19 +50,25 @@
++++ policy-1.23.18/net_contexts	2005-06-16 23:12:27.000000000 -0400
+@@ -50,23 +50,29 @@
  portcon udp 53 system_u:object_r:dns_port_t
  portcon tcp 53 system_u:object_r:dns_port_t
  
@@ -2752,6 +3757,11 @@
  portcon udp 111 system_u:object_r:portmap_port_t
  portcon tcp 111 system_u:object_r:portmap_port_t
  
+-ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
++portcon tcp 119 system_u:object_r:innd_port_t
+ ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
+ 
+ portcon tcp 137 system_u:object_r:smbd_port_t
 @@ -77,10 +83,6 @@
  portcon udp 139 system_u:object_r:nmbd_port_t
  portcon tcp 445 system_u:object_r:smbd_port_t
@@ -2776,11 +3786,15 @@
  ')
  ifdef(`nessusd.te', `portcon tcp 1241 system_u:object_r:nessus_port_t')
  ifdef(`monopd.te', `portcon tcp 1234 system_u:object_r:monopd_port_t')
-@@ -191,6 +191,7 @@
+@@ -191,6 +191,11 @@
  ')
  ifdef(`postgresql.te', `portcon tcp 5432 system_u:object_r:postgresql_port_t')
  ifdef(`nrpe.te', `portcon tcp 5666 system_u:object_r:inetd_child_port_t')
-+ifdef(`cups.te', `portcon tcp 5703 system_u:object_r:ptal_port_t')
++ifdef(`cups.te', `
++portcon tcp 5703 system_u:object_r:ptal_port_t
++portcon tcp 50000 system_u:object_r:hplip_port_t
++portcon tcp 50002 system_u:object_r:hplip_port_t
++')
  ifdef(`xdm.te', `
  portcon tcp 5900  system_u:object_r:vnc_port_t 
  ')
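Review bot: ports 50000 and 50002 are bound to hplip_port_t here, but hplip_port_t is declared in cups.te as `type hplip_port_t, port_type, reserved_port_type;`, and reserved_port_type is the attribute for ports below 1024 (compare innd_port_t on 119 in the same hunk). Drop reserved_port_type from the declaration; otherwise any rule written against `port_type -reserved_port_type` will exclude two high ports for no reason.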
@@ -2803,17 +3817,28 @@
  allow crond_t initrc_t:dbus send_msg;
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.18/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.18/targeted/domains/unconfined.te	2005-06-08 09:22:54.000000000 -0400
-@@ -63,8 +63,7 @@
++++ policy-1.23.18/targeted/domains/unconfined.te	2005-06-16 13:48:06.000000000 -0400
+@@ -62,11 +62,6 @@
+ # Support SAMBA home directories
  bool use_samba_home_dirs false;
  
- if (allow_execmod) {
+-if (allow_execmod) {
 -allow unconfined_t { ld_so_t shlib_t }:file execmod;
 -allow unconfined_t { bin_t sbin_t exec_type }:file execmod;
-+allow unconfined_t file_type:file execmod;
- }
- 
+-}
+-
  ifdef(`samba.te', `samba_domain(user)')
+ 
+ # Allow system to run with NIS
+@@ -77,8 +72,3 @@
+ 
+ # allow reading of default file context
+ bool read_default_t true;
+-
+-if (allow_execmem) {
+-allow domain self:process execmem;
+-}
+-
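Review bot: the `if (allow_execmod)` and `if (allow_execmem)` blocks are deleted outright with no replacement visible in this hunk, and the second one (`allow domain self:process execmem;`) covered every domain, not just unconfined_t. If these moved elsewhere (macros/global_macros.te changes 121 lines in the same commit, mostly deletions, so that is plausible), the changelog should say where, and whether the allow_execmem and allow_execmod booleans still exist, since administrators toggle them with setsebool to run JIT and legacy binaries under targeted policy.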
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.18/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.23.18/tunables/distro.tun	2005-06-08 09:04:15.000000000 -0400
@@ -2875,8 +3900,20 @@
  # devpts_t is the type of the devpts file system and 
 diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.18/types/file.te
 --- nsapolicy/types/file.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.18/types/file.te	2005-06-08 23:14:54.000000000 -0400
-@@ -325,4 +325,8 @@
++++ policy-1.23.18/types/file.te	2005-06-16 14:56:25.000000000 -0400
+@@ -137,7 +137,11 @@
+ # texrel_shlib_t is the type of shared objects in the system lib
+ # directories, which require text relocation.
+ #
++ifdef(`targeted_policy', `
++typealias lib_t alias texrel_shlib_t;
++', `
+ type texrel_shlib_t, file_type, sysadmfile;
++')
+ 
+ # ld_so_t is the type of the system dynamic loaders.
+ #
+@@ -325,4 +329,8 @@
  # Type for anonymous FTP data, used by ftp and rsync
  type ftpd_anon_t, file_type, sysadmfile, customizable;
  
@@ -2887,9 +3924,12 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.18/types/network.te
 --- nsapolicy/types/network.te	2005-05-25 11:28:11.000000000 -0400
-+++ policy-1.23.18/types/network.te	2005-06-08 09:04:15.000000000 -0400
-@@ -33,15 +33,7 @@
++++ policy-1.23.18/types/network.te	2005-06-16 23:11:57.000000000 -0400
+@@ -31,17 +31,10 @@
+ type http_cache_port_t, port_type, reserved_port_type;
+ type http_port_t, port_type, reserved_port_type;
  type ipp_port_t, port_type, reserved_port_type;
++type innd_port_t, port_type, reserved_port_type;
  
  allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
 -ifdef(`cyrus.te', `define(`use_pop')')


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-4/selinux-policy-targeted.spec,v
retrieving revision 1.314
retrieving revision 1.315
diff -u -r1.314 -r1.315
--- selinux-policy-targeted.spec	15 Jun 2005 15:09:00 -0000	1.314
+++ selinux-policy-targeted.spec	17 Jun 2005 03:45:33 -0000	1.315
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.18
-Release: 7
+Release: 12
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -234,8 +234,19 @@
 exit 0
 
 %changelog
+* Thu Jun 16 2005 Dan Walsh <dwalsh redhat com> 1.23.18-12
+- Update for FC4
+
+* Thu Jun 16 2005 Dan Walsh <dwalsh redhat com> 1.23.18-11
+- Fix NetworkManager dhcpd communications
+- Fix hotplug
+
+* Thu Jun 16 2005 Dan Walsh <dwalsh redhat com> 1.23.18-9
+- Update Ivan trusted/untrusted patch
+- add texrel_shlib_t to targeted
+
 * Wed Jun 15 2005 Dan Walsh <dwalsh redhat com> 1.23.18-7
-- Move FC4 to match rawhide policy
+- Fixed for new cups domain hplip
 
 * Mon Jun 13 2005 Dan Walsh <dwalsh redhat com> 1.23.18-6
 - Further cleanup of user separation patches from Ivan
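Review bot: the published -7 changelog entry is rewritten in place from "Move FC4 to match rawhide policy" to "Fixed for new cups domain hplip", and Release jumps from 7 to 12 with entries only for -9, -11 and -12, so -8 and -10 have no history and the -12 entry ("Update for FC4") does not mention the behavioural changes visible in the diff (execmod/execmem blocks removed from unconfined.te, the policy.18 build and load fallback dropped, mount_t relabelfrom widened to fs_type). Leave earlier entries as they shipped and add one line per change so the RPM changelog matches the patch.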

