rpms/selinux-policy-targeted/devel policy-20050606.patch, 1.16, 1.17 selinux-policy-targeted.spec, 1.329, 1.330
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Sat Jun 25 11:06:25 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12035
Modified Files:
policy-20050606.patch selinux-policy-targeted.spec
Log Message:
* Sat Jun 27 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-18
- Add passwd policy to targeted to maintain context on shadow file
policy-20050606.patch:
Makefile | 23 +-
attrib.te | 2
domains/misc/kernel.te | 7
domains/misc/local.te | 5
domains/program/fsadm.te | 5
domains/program/init.te | 4
domains/program/initrc.te | 11 +
domains/program/klogd.te | 2
domains/program/login.te | 4
domains/program/modutil.te | 2
domains/program/mount.te | 4
domains/program/passwd.te | 5
domains/program/restorecon.te | 5
domains/program/ssh.te | 4
domains/program/syslogd.te | 3
domains/program/unused/NetworkManager.te | 9 +
domains/program/unused/acct.te | 2
domains/program/unused/afs.te | 1
domains/program/unused/alsa.te | 17 ++
domains/program/unused/amanda.te | 7
domains/program/unused/amavis.te | 5
domains/program/unused/apache.te | 4
domains/program/unused/apmd.te | 2
domains/program/unused/asterisk.te | 2
domains/program/unused/auditd.te | 10 +
domains/program/unused/bonobo.te | 9 +
domains/program/unused/ciped.te | 5
domains/program/unused/clamav.te | 1
domains/program/unused/clockspeed.te | 2
domains/program/unused/consoletype.te | 2
domains/program/unused/cups.te | 33 ++++
domains/program/unused/cyrus.te | 2
domains/program/unused/dante.te | 1
domains/program/unused/dcc.te | 3
domains/program/unused/ddclient.te | 4
domains/program/unused/dhcpc.te | 16 +-
domains/program/unused/dhcpd.te | 3
domains/program/unused/dictd.te | 1
domains/program/unused/distcc.te | 1
domains/program/unused/dovecot.te | 4
domains/program/unused/ethereal.te | 48 ++++++
domains/program/unused/evolution.te | 13 +
domains/program/unused/fingerd.te | 1
domains/program/unused/gatekeeper.te | 1
domains/program/unused/gconf.te | 12 +
domains/program/unused/gift.te | 2
domains/program/unused/gnome.te | 7
domains/program/unused/gnome_vfs.te | 9 +
domains/program/unused/gpg.te | 3
domains/program/unused/hotplug.te | 2
domains/program/unused/howl.te | 1
domains/program/unused/i18n_input.te | 7
domains/program/unused/iceauth.te | 12 +
domains/program/unused/imazesrv.te | 1
domains/program/unused/inetd.te | 7
domains/program/unused/innd.te | 1
domains/program/unused/ircd.te | 1
domains/program/unused/jabberd.te | 3
domains/program/unused/lpd.te | 1
domains/program/unused/lrrd.te | 1
domains/program/unused/mdadm.te | 2
domains/program/unused/monopd.te | 1
domains/program/unused/mozilla.te | 6
domains/program/unused/mysqld.te | 4
domains/program/unused/named.te | 1
domains/program/unused/nessusd.te | 1
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 1
domains/program/unused/openvpn.te | 2
domains/program/unused/orbit.te | 7
domains/program/unused/pam.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 2
domains/program/unused/postgresql.te | 4
domains/program/unused/postgrey.te | 2
domains/program/unused/pppd.te | 7
domains/program/unused/pxe.te | 1
domains/program/unused/pyzor.te | 2
domains/program/unused/radius.te | 2
domains/program/unused/razor.te | 2
domains/program/unused/rpcd.te | 5
domains/program/unused/samba.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/sound-server.te | 1
domains/program/unused/spamd.te | 1
domains/program/unused/squid.te | 1
domains/program/unused/stunnel.te | 1
domains/program/unused/tftpd.te | 2
domains/program/unused/thunderbird.te | 9 +
domains/program/unused/transproxy.te | 2
domains/program/unused/ucspi-tcp.te | 2
domains/program/unused/udev.te | 2
domains/program/unused/utempter.te | 5
domains/program/unused/watchdog.te | 2
domains/program/unused/xdm.te | 23 ++
domains/program/unused/xserver.te | 3
domains/program/unused/zebra.te | 1
domains/user.te | 14 +
file_contexts/distros.fc | 21 --
file_contexts/program/alsa.fc | 3
file_contexts/program/apache.fc | 2
file_contexts/program/bonobo.fc | 1
file_contexts/program/cups.fc | 4
file_contexts/program/cyrus.fc | 1
file_contexts/program/ethereal.fc | 3
file_contexts/program/evolution.fc | 8 +
file_contexts/program/fontconfig.fc | 6
file_contexts/program/fsadm.fc | 1
file_contexts/program/gconf.fc | 5
file_contexts/program/gnome.fc | 8 +
file_contexts/program/gnome_vfs.fc | 1
file_contexts/program/iceauth.fc | 3
file_contexts/program/irc.fc | 2
file_contexts/program/mozilla.fc | 4
file_contexts/program/orbit.fc | 3
file_contexts/program/thunderbird.fc | 2
file_contexts/program/xauth.fc | 1
file_contexts/program/xdm.fc | 1
file_contexts/program/xserver.fc | 2
file_contexts/types.fc | 9 -
macros/admin_macros.te | 12 +
macros/base_user_macros.te | 75 ++++++---
macros/content_macros.te | 185 +++++++++++++++++++++++
macros/global_macros.te | 121 +--------------
macros/home_macros.te | 130 ++++++++++++++++
macros/network_macros.te | 2
macros/program/apache_macros.te | 4
macros/program/bonobo_macros.te | 119 +++++++++++++++
macros/program/dbusd_macros.te | 3
macros/program/ethereal_macros.te | 83 ++++++++++
macros/program/evolution_macros.te | 241 +++++++++++++++++++++++++++++++
macros/program/fontconfig_macros.te | 38 ++++
macros/program/games_domain.te | 38 +---
macros/program/gconf_macros.te | 56 +++++++
macros/program/gift_macros.te | 60 ++-----
macros/program/gnome_macros.te | 115 ++++++++++++++
macros/program/gnome_vfs_macros.te | 49 ++++++
macros/program/gpg_agent_macros.te | 1
macros/program/gpg_macros.te | 45 -----
macros/program/ice_macros.te | 38 ++++
macros/program/iceauth_macros.te | 40 +++++
macros/program/inetd_macros.te | 1
macros/program/irc_macros.te | 1
macros/program/lpr_macros.te | 24 ---
macros/program/mail_client_macros.te | 48 ++++++
macros/program/mozilla_macros.te | 131 ++++++----------
macros/program/mplayer_macros.te | 15 +
macros/program/orbit_macros.te | 44 +++++
macros/program/pyzor_macros.te | 1
macros/program/razor_macros.te | 1
macros/program/spamassassin_macros.te | 9 -
macros/program/ssh_agent_macros.te | 3
macros/program/ssh_macros.te | 5
macros/program/thunderbird_macros.te | 57 +++++++
macros/program/tvtime_macros.te | 1
macros/program/userhelper_macros.te | 3
macros/program/x_client_macros.te | 12 -
macros/program/xauth_macros.te | 1
macros/program/xdm_macros.te | 11 +
macros/program/xserver_macros.te | 17 +-
macros/user_macros.te | 8 -
mls | 41 ++---
net_contexts | 133 +++++------------
targeted/domains/program/crond.te | 2
targeted/domains/program/ssh.te | 1
targeted/domains/program/xdm.te | 1
targeted/domains/unconfined.te | 10 -
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/device.te | 7
types/devpts.te | 2
types/file.te | 8 +
types/network.te | 98 +++++++++---
types/security.te | 2
174 files changed, 2011 insertions(+), 737 deletions(-)
Index: policy-20050606.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050606.patch,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- policy-20050606.patch 24 Jun 2005 10:19:40 -0000 1.16
+++ policy-20050606.patch 25 Jun 2005 11:06:22 -0000 1.17
@@ -134,7 +134,7 @@
allow klogd_t proc_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.18/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/login.te 2005-06-08 09:04:15.000000000 -0400
++++ policy-1.23.18/domains/program/login.te 2005-06-24 23:34:03.000000000 -0400
@@ -13,7 +13,7 @@
# $1 is the name of the domain (local or remote)
@@ -144,6 +144,15 @@
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
+@@ -111,7 +111,7 @@
+ allow $1_login_t lastlog_t:file rw_file_perms;
+
+ # Write to /var/log/btmp
+-allow $1_login_t faillog_t:file { append read write };
++allow $1_login_t faillog_t:file { lock append read write };
+
+ # Search for mail spool file.
+ allow $1_login_t mail_spool_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.18/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.23.18/domains/program/modutil.te 2005-06-08 09:04:15.000000000 -0400
@@ -177,6 +186,18 @@
#
# This rule needs to be generalized. Only admin, initrc should have it.
#
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.23.18/domains/program/passwd.te
+--- nsapolicy/domains/program/passwd.te 2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/passwd.te 2005-06-25 07:05:49.000000000 -0400
+@@ -149,3 +149,8 @@
+ allow passwd_t userdomain:process getattr;
+
+ allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
++ifdef(`targeted_policy', `
++role system_r types sysadm_passwd_t;
++allow sysadm_passwd_t devpts_t:chr_file { read write };
++')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.18/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/restorecon.te 2005-06-10 14:11:36.000000000 -0400
@@ -205,7 +226,7 @@
-
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.18/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/ssh.te 2005-06-18 06:38:47.000000000 -0400
++++ policy-1.23.18/domains/program/ssh.te 2005-06-24 23:58:49.000000000 -0400
@@ -19,13 +19,11 @@
type sshd_exec_t, file_type, exec_type, sysadmfile;
type sshd_key_t, file_type, sysadmfile;
@@ -990,6 +1011,18 @@
log_domain(lrrd)
tmp_domain(lrrd)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mdadm.te policy-1.23.18/domains/program/unused/mdadm.te
+--- nsapolicy/domains/program/unused/mdadm.te 2005-04-27 10:28:51.000000000 -0400
++++ policy-1.23.18/domains/program/unused/mdadm.te 2005-06-24 23:55:04.000000000 -0400
+@@ -3,7 +3,7 @@
+ # Author: Colin Walters <walters at redhat.com>
+ #
+
+-daemon_base_domain(mdadm, `, fs_domain')
++daemon_base_domain(mdadm, `, fs_domain, privmail')
+ role sysadm_r types mdadm_t;
+
+ allow initrc_t mdadm_var_run_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/monopd.te policy-1.23.18/domains/program/unused/monopd.te
--- nsapolicy/domains/program/unused/monopd.te 2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.18/domains/program/unused/monopd.te 2005-06-18 06:39:01.000000000 -0400
@@ -1837,7 +1870,7 @@
/tmp/\.ICE-unix/.* -s <<none>>
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.18/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.18/file_contexts/types.fc 2005-06-17 16:00:39.000000000 -0400
++++ policy-1.23.18/file_contexts/types.fc 2005-06-25 00:01:10.000000000 -0400
@@ -249,6 +249,7 @@
/dev/dri/.+ -c system_u:object_r:dri_device_t
/dev/radeon -c system_u:object_r:dri_device_t
@@ -1855,6 +1888,17 @@
# nvidia share libraries
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+@@ -386,8 +389,8 @@
+ /usr/local/src(/.*)? system_u:object_r:src_t
+ /usr/local/man(/.*)? system_u:object_r:man_t
+ /usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
+-/usr(/local)?/lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t
+-/usr(/local)?/lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t
++/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t
++/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t
+
+
+ #
@@ -471,6 +474,7 @@
/usr/lib/locale(/.*)? system_u:object_r:locale_t
/etc/localtime -- system_u:object_r:locale_t
@@ -4199,6 +4243,28 @@
# kdm: sigchld
allow $1_ssh_agent_t xdm_t:process sigchld;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.18/macros/program/ssh_macros.te
+--- nsapolicy/macros/program/ssh_macros.te 2005-04-27 10:28:55.000000000 -0400
++++ policy-1.23.18/macros/program/ssh_macros.te 2005-06-24 23:59:15.000000000 -0400
+@@ -143,7 +143,9 @@
+
+ type $1_ssh_keysign_t, domain, nscd_client_domain;
+ role $1_r types $1_ssh_keysign_t;
+-domain_auto_trans($1_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
++
++if (allow_ssh_keysign) {
++domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
+ allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
+ allow $1_ssh_keysign_t self:capability { setgid setuid };
+ allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
+@@ -156,6 +158,7 @@
+ allow $1_ssh_keysign_t self:dir search;
+ allow $1_ssh_keysign_t self:file { getattr read };
+ allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
++}
+
+ ')dnl end macro definition
+ ', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/thunderbird_macros.te policy-1.23.18/macros/program/thunderbird_macros.te
--- nsapolicy/macros/program/thunderbird_macros.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.18/macros/program/thunderbird_macros.te 2005-06-16 14:05:10.000000000 -0400
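Review bot: The new `if (allow_ssh_keysign) {` guard in the ssh_macros.te hunk references a boolean whose declaration is not part of this hunk; unless a `bool allow_ssh_keysign false;` (or whatever default is intended) is added elsewhere in the patch — the diffstat lists tunables/tunable.tun and types/security.te, but those hunks are not shown here — the policy will not compile, so the declaration and its default are worth confirming before this ships. The same hunk also changes the transition source from `$1_t` to `$1_ssh_t`, so the setuid/setgid keysign helper (see the `self:capability { setgid setuid }` and `sshd_key_t:file { getattr read }` rules it keeps) is presumably now reachable only from the user's ssh client domain rather than the user domain itself; that tightening, like the `privmail` attribute newly granted to mdadm_t, is not mentioned in the log message, which names only the passwd change. A comment above the conditional, `# ssh-keysign reads the host key with setuid/setgid; the transition is gated behind allow_ssh_keysign`, would record why it is optional. The macro definition enclosing this hunk begins and ends outside it.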
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.329
retrieving revision 1.330
diff -u -r1.329 -r1.330
--- selinux-policy-targeted.spec 24 Jun 2005 11:02:35 -0000 1.329
+++ selinux-policy-targeted.spec 25 Jun 2005 11:06:22 -0000 1.330
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.18
-Release: 16
+Release: 18
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -52,7 +52,7 @@
mv domains/misc/unused/kernel.te domains/misc/
mv domains/program/*.te domains/program/unused/
rm domains/*.te
-for i in acct.te anaconda.te amanda.te apache.te apmd.te arpwatch.te auditd.te bluetooth.te checkpolicy.te canna.te cardmgr.te chkpwd.te comsat.te consoletype.te cpucontrol.te cpuspeed.te cups.te cvs.te cyrus.te dbskkd.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te firstboot.te fsadm.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te hwclock.te kudzu.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te load_policy.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te ping.te portmap.te postgresql.te pppd.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te saslauthd.te samba.te setfiles.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te webalizer.te winbind.te ypbind.te ypserv.te zebra.te; do
+for i in acct.te anaconda.te amanda.te apache.te apmd.te arpwatch.te auditd.te bluetooth.te checkpolicy.te canna.te cardmgr.te chkpwd.te comsat.te consoletype.te cpucontrol.te cpuspeed.te cups.te cvs.te cyrus.te dbskkd.te dmidecode.te dbusd.te dhcpc.te dhcpd.te dictd.te dovecot.te fingerd.te firstboot.te fsadm.te ftpd.te getty.te hald.te hostname.te hotplug.te howl.te hwclock.te kudzu.te i18n_input.te ifconfig.te init.te initrc.te inetd.te innd.te kerberos.te klogd.te ktalkd.te ldconfig.te load_policy.te login.te lpd.te mailman.te modutil.te mta.te mysqld.te named.te netutils.te NetworkManager.te nscd.te ntpd.te passwd.te ping.te portmap.te postgresql.te pppd.te privoxy.te radius.te radvd.te restorecon.te rlogind.te rpcd.te rshd.te rsync.te saslauthd.te samba.te setfiles.te slapd.te snmpd.te squid.te stunnel.te syslogd.te telnetd.te tftpd.te udev.te updfstab.te uucpd.te webalizer.te winbind.te ypbind.te ypserv.te zebra.te; do
mv domains/program/unused/$i domains/program/
done
rm -rf domains/program/unused
@@ -235,6 +235,9 @@
exit 0
%changelog
+* Sat Jun 27 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-18
+- Add passwd policy to targeted to maintain context on shadow file
+
* Thu Jun 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-16
- Fix postgres to allow it to connect to auth
- Change cyrus-imapd to write to /var/spool/imap
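Review bot: The new %changelog entry `* Sat Jun 27 2005 ... 1.23.18-18` carries a weekday that does not match the date — 27 June 2005 is a Monday, and the commit itself is stamped Sat Jun 25 — so rpmbuild will report a bogus date in %changelog; the line should read `* Sat Jun 25 2005 ...` with the rest unchanged. The Release bump from 16 to 18 also leaves no entry for -17, which a reader of the changelog cannot reconcile from this commit alone. The addition of `passwd.te` to the %prep move loop is consistent with the `ifdef(`targeted_policy'` block the patch adds to passwd.te, so that part looks complete.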