rpms/selinux-policy-strict/devel policy-20050629.patch, NONE, 1.1 .cvsignore, 1.115, 1.116 policy-20050606.patch, 1.22, 1.23 selinux-policy-strict.spec, 1.338, 1.339 selinux.csh, 1.5, 1.6 selinux.sh, 1.5, 1.6 sources, 1.121, 1.122
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Jun 29 20:39:04 UTC 2005
- Previous message (by thread): rpms/libsepol/devel .cvsignore, 1.23, 1.24 libsepol.spec, 1.36, 1.37 sources, 1.23, 1.24
- Next message (by thread): rpms/selinux-policy-targeted/devel policy-20050629.patch, NONE, 1.1 .cvsignore, 1.111, 1.112 policy-20050606.patch, 1.19, 1.20 selinux-policy-targeted.spec, 1.332, 1.333 sources, 1.117, 1.118
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv26923
Modified Files:
.cvsignore policy-20050606.patch selinux-policy-strict.spec
selinux.csh selinux.sh sources
Added Files:
policy-20050629.patch
Log Message:
* Wed Jun 29 2005 Dan Walsh <dwalsh at redhat.com> 1.24-1
- Upgrade from NSA
* Updated version for release.
policy-20050629.patch:
Makefile | 23 +--
attrib.te | 2
domains/misc/kernel.te | 7
domains/misc/local.te | 5
domains/program/fsadm.te | 5
domains/program/init.te | 4
domains/program/initrc.te | 11 +
domains/program/klogd.te | 2
domains/program/login.te | 4
domains/program/modutil.te | 2
domains/program/mount.te | 4
domains/program/passwd.te | 5
domains/program/restorecon.te | 5
domains/program/ssh.te | 4
domains/program/syslogd.te | 3
domains/program/unused/NetworkManager.te | 9 +
domains/program/unused/acct.te | 2
domains/program/unused/afs.te | 1
domains/program/unused/alsa.te | 17 ++
domains/program/unused/amanda.te | 7
domains/program/unused/amavis.te | 5
domains/program/unused/apache.te | 5
domains/program/unused/apmd.te | 4
domains/program/unused/asterisk.te | 2
domains/program/unused/auditd.te | 10 +
domains/program/unused/bluetooth.te | 3
domains/program/unused/bonobo.te | 9 +
domains/program/unused/ciped.te | 5
domains/program/unused/clamav.te | 1
domains/program/unused/clockspeed.te | 2
domains/program/unused/consoletype.te | 2
domains/program/unused/cups.te | 36 ++++
domains/program/unused/cyrus.te | 2
domains/program/unused/dante.te | 1
domains/program/unused/dcc.te | 3
domains/program/unused/ddclient.te | 4
domains/program/unused/dhcpc.te | 16 +-
domains/program/unused/dhcpd.te | 3
domains/program/unused/dictd.te | 1
domains/program/unused/distcc.te | 1
domains/program/unused/dovecot.te | 4
domains/program/unused/ethereal.te | 48 ++++++
domains/program/unused/evolution.te | 13 +
domains/program/unused/fingerd.te | 1
domains/program/unused/gatekeeper.te | 1
domains/program/unused/gconf.te | 12 +
domains/program/unused/gift.te | 2
domains/program/unused/gnome.te | 7
domains/program/unused/gnome_vfs.te | 9 +
domains/program/unused/gpg.te | 3
domains/program/unused/hald.te | 4
domains/program/unused/hotplug.te | 3
domains/program/unused/howl.te | 1
domains/program/unused/i18n_input.te | 7
domains/program/unused/iceauth.te | 12 +
domains/program/unused/imazesrv.te | 1
domains/program/unused/inetd.te | 7
domains/program/unused/innd.te | 1
domains/program/unused/ircd.te | 1
domains/program/unused/jabberd.te | 3
domains/program/unused/lpd.te | 1
domains/program/unused/lrrd.te | 1
domains/program/unused/mdadm.te | 2
domains/program/unused/monopd.te | 1
domains/program/unused/mozilla.te | 6
domains/program/unused/mysqld.te | 4
domains/program/unused/named.te | 1
domains/program/unused/nessusd.te | 1
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 1
domains/program/unused/openvpn.te | 2
domains/program/unused/orbit.te | 7
domains/program/unused/pam.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 2
domains/program/unused/postgresql.te | 4
domains/program/unused/postgrey.te | 2
domains/program/unused/pppd.te | 7
domains/program/unused/pxe.te | 1
domains/program/unused/pyzor.te | 2
domains/program/unused/radius.te | 2
domains/program/unused/razor.te | 2
domains/program/unused/rpcd.te | 5
domains/program/unused/samba.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/sound-server.te | 1
domains/program/unused/spamd.te | 1
domains/program/unused/squid.te | 1
domains/program/unused/ssh-agent.te | 3
domains/program/unused/stunnel.te | 1
domains/program/unused/tftpd.te | 2
domains/program/unused/thunderbird.te | 9 +
domains/program/unused/transproxy.te | 2
domains/program/unused/ucspi-tcp.te | 2
domains/program/unused/udev.te | 2
domains/program/unused/utempter.te | 5
domains/program/unused/watchdog.te | 2
domains/program/unused/xdm.te | 23 ++-
domains/program/unused/xserver.te | 3
domains/program/unused/zebra.te | 1
domains/user.te | 14 +
file_contexts/distros.fc | 21 --
file_contexts/program/alsa.fc | 3
file_contexts/program/apache.fc | 2
file_contexts/program/bonobo.fc | 1
file_contexts/program/cups.fc | 6
file_contexts/program/cyrus.fc | 1
file_contexts/program/ethereal.fc | 3
file_contexts/program/evolution.fc | 8 +
file_contexts/program/fontconfig.fc | 6
file_contexts/program/fsadm.fc | 1
file_contexts/program/gconf.fc | 5
file_contexts/program/gnome.fc | 8 +
file_contexts/program/gnome_vfs.fc | 1
file_contexts/program/iceauth.fc | 3
file_contexts/program/irc.fc | 2
file_contexts/program/mozilla.fc | 6
file_contexts/program/orbit.fc | 3
file_contexts/program/thunderbird.fc | 2
file_contexts/program/xauth.fc | 1
file_contexts/program/xdm.fc | 1
file_contexts/program/xserver.fc | 2
file_contexts/types.fc | 23 +--
macros/admin_macros.te | 12 +
macros/base_user_macros.te | 75 ++++++---
macros/content_macros.te | 185 ++++++++++++++++++++++++
macros/global_macros.te | 121 +--------------
macros/home_macros.te | 130 +++++++++++++++++
macros/network_macros.te | 2
macros/program/apache_macros.te | 5
macros/program/bonobo_macros.te | 119 +++++++++++++++
macros/program/dbusd_macros.te | 3
macros/program/ethereal_macros.te | 83 ++++++++++
macros/program/evolution_macros.te | 235 +++++++++++++++++++++++++++++++
macros/program/fontconfig_macros.te | 38 ++++-
macros/program/games_domain.te | 38 +----
macros/program/gconf_macros.te | 56 +++++++
macros/program/gift_macros.te | 60 ++-----
macros/program/gnome_macros.te | 115 +++++++++++++++
macros/program/gnome_vfs_macros.te | 49 ++++++
macros/program/gpg_agent_macros.te | 1
macros/program/gpg_macros.te | 45 -----
macros/program/ice_macros.te | 38 +++++
macros/program/iceauth_macros.te | 40 +++++
macros/program/inetd_macros.te | 1
macros/program/irc_macros.te | 1
macros/program/lpr_macros.te | 24 ---
macros/program/mail_client_macros.te | 54 +++++++
macros/program/mozilla_macros.te | 131 ++++++-----------
macros/program/mplayer_macros.te | 15 +
macros/program/orbit_macros.te | 44 +++++
macros/program/pyzor_macros.te | 1
macros/program/razor_macros.te | 1
macros/program/spamassassin_macros.te | 9 -
macros/program/ssh_agent_macros.te | 3
macros/program/ssh_macros.te | 5
macros/program/thunderbird_macros.te | 57 +++++++
macros/program/tvtime_macros.te | 1
macros/program/userhelper_macros.te | 3
macros/program/x_client_macros.te | 12 -
macros/program/xauth_macros.te | 1
macros/program/xdm_macros.te | 11 +
macros/program/xserver_macros.te | 17 +-
macros/user_macros.te | 8 -
mls | 41 ++---
net_contexts | 135 +++++------------
targeted/domains/program/crond.te | 2
targeted/domains/program/ssh.te | 1
targeted/domains/program/xdm.te | 1
targeted/domains/unconfined.te | 10 -
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/device.te | 7
types/devpts.te | 2
types/file.te | 8 +
types/network.te | 98 ++++++++++--
types/security.te | 2
177 files changed, 2038 insertions(+), 748 deletions(-)
--- NEW FILE policy-20050629.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.18/attrib.te
--- nsapolicy/attrib.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/attrib.te 2005-06-08 09:04:15.000000000 -0400
@@ -30,7 +30,7 @@
attribute mlsnetwritetoclr;
attribute mlsnetupgrade;
attribute mlsnetdowngrade;
-attribute mlsnetbindall;
+attribute mlsnetrecvall;
attribute mlsipcread;
attribute mlsipcreadtoclr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.18/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.23.18/domains/misc/kernel.te 2005-06-08 09:04:15.000000000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer') ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
@@ -28,6 +28,11 @@
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
+ifdef(`mls_policy', `
+# run init with maximum MLS range
+range_transition kernel_t init_exec_t s0 - s9:c0.c127;
+')
+
# Share state with the init process.
allow kernel_t init_t:process share;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/local.te policy-1.23.18/domains/misc/local.te
--- nsapolicy/domains/misc/local.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.18/domains/misc/local.te 2005-06-09 14:57:58.000000000 -0400
@@ -0,0 +1,5 @@
+# Local customization of existing policy should be done in this file.
+# If you are creating brand new policy for a new "target" domain, you
+# need to create a type enforcement (.te) file in domains/program
+# and a file context (.fc) file in file_context/program.
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.18/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.23.18/domains/program/fsadm.te 2005-06-08 09:38:00.000000000 -0400
@@ -12,14 +12,14 @@
# administration.
# fsadm_exec_t is the type of the corresponding programs.
#
-type fsadm_t, domain, privlog, fs_domain;
+type fsadm_t, domain, privlog, fs_domain, mlsfileread;
role system_r types fsadm_t;
role sysadm_r types fsadm_t;
general_domain_access(fsadm_t)
# for swapon
-allow fsadm_t sysfs_t:dir { search getattr };
+r_dir_file(fsadm_t, sysfs_t)
# Read system information files in /proc.
r_dir_file(fsadm_t, proc_t)
@@ -116,3 +116,4 @@
allow fsadm_t { file_t unlabeled_t }:dir rw_dir_perms;
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
+allow fsadm_t ramfs_t:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.18/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/initrc.te 2005-06-16 16:54:14.000000000 -0400
@@ -12,7 +12,7 @@
# initrc_exec_t is the type of the init program.
#
# do not use privmail for sendmail as it creates a type transition conflict
-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain;
+type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
role system_r types initrc_t;
uses_shlib(initrc_t);
@@ -120,7 +120,13 @@
# Mount and unmount file systems.
allow initrc_t fs_type:filesystem mount_fs_perms;
-allow initrc_t { file_t default_t }:dir { read search getattr mounton };
+allow initrc_t file_t:dir { read search getattr mounton };
+
+# during boot up initrc needs to do the following
+allow initrc_t default_t:dir { read search getattr mounton };
+
+# rhgb-console writes to ramfs
+allow initrc_t ramfs_t:fifo_file write;
# Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
@@ -253,6 +259,7 @@
domain_auto_trans(unconfined_t, initrc_exec_t, initrc_t)
allow unconfined_t initrc_t:dbus { acquire_svc send_msg };
allow initrc_t unconfined_t:dbus { acquire_svc send_msg };
+typeattribute initrc_t privuser;
domain_trans(initrc_t, shell_exec_t, unconfined_t)
allow initrc_t unconfined_t:system syslog_mod;
', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.23.18/domains/program/init.te
--- nsapolicy/domains/program/init.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/init.te 2005-06-08 09:04:15.000000000 -0400
@@ -14,11 +14,11 @@
# by init during initialization. This pipe is used
# to communicate with init.
#
-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain;
+type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
role system_r types init_t;
uses_shlib(init_t);
type init_exec_t, file_type, sysadmfile, exec_type;
-type initctl_t, file_type, sysadmfile, dev_fs;
+type initctl_t, file_type, sysadmfile, dev_fs, mlstrustedobject;
# for init to determine whether SE Linux is active so it can know whether to
# activate it
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.18/domains/program/klogd.te
--- nsapolicy/domains/program/klogd.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/klogd.te 2005-06-08 09:04:15.000000000 -0400
@@ -8,7 +8,7 @@
#
# Rules for the klogd_t domain.
#
-daemon_domain(klogd, `, privmem, privkmsg')
+daemon_domain(klogd, `, privmem, privkmsg, mlsfileread')
tmp_domain(klogd)
allow klogd_t proc_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.23.18/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/login.te 2005-06-24 23:34:03.000000000 -0400
@@ -13,7 +13,7 @@
# $1 is the name of the domain (local or remote)
define(`login_domain', `
-type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain;
+type $1_login_t, domain, privuser, privrole, privlog, auth_chkpwd, privowner, privfd, nscd_client_domain, mlsfilewrite, mlsprocsetsl, mlsfileupgrade, mlsfiledowngrade;
role system_r types $1_login_t;
dontaudit $1_login_t shadow_t:file { getattr read };
@@ -111,7 +111,7 @@
allow $1_login_t lastlog_t:file rw_file_perms;
# Write to /var/log/btmp
-allow $1_login_t faillog_t:file { append read write };
+allow $1_login_t faillog_t:file { lock append read write };
# Search for mail spool file.
allow $1_login_t mail_spool_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.18/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-06-01 06:11:22.000000000 -0400
+++ policy-1.23.18/domains/program/modutil.te 2005-06-08 09:04:15.000000000 -0400
@@ -72,7 +72,7 @@
# Rules for the insmod_t domain.
#
-type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' )
+type insmod_t, domain, privlog, sysctl_kernel_writer, privmem, privsysmod ifdef(`unlimitedUtils', `, admin, etc_writer, fs_domain, auth_write, privowner, privmodule' ), mlsfilewrite
;
role system_r types insmod_t;
role sysadm_r types insmod_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.18/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/mount.te 2005-06-16 14:01:56.000000000 -0400
@@ -11,7 +11,7 @@
type mount_exec_t, file_type, sysadmfile, exec_type;
-mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain')
+mount_domain(sysadm, mount, `, fs_domain, nscd_client_domain, mlsfileread, mlsfilewrite')
mount_loopback_privs(sysadm, mount)
role sysadm_r types mount_t;
role system_r types mount_t;
@@ -68,7 +68,7 @@
# for localization
allow mount_t lib_t:file { getattr read };
allow mount_t autofs_t:dir read;
-allow mount_t fs_t:filesystem relabelfrom;
+allow mount_t fs_type:filesystem relabelfrom;
#
# This rule needs to be generalized. Only admin, initrc should have it.
#
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.23.18/domains/program/passwd.te
--- nsapolicy/domains/program/passwd.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.18/domains/program/passwd.te 2005-06-25 07:05:49.000000000 -0400
@@ -149,3 +149,8 @@
allow passwd_t userdomain:process getattr;
allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+ifdef(`targeted_policy', `
+role system_r types sysadm_passwd_t;
+allow sysadm_passwd_t devpts_t:chr_file { read write };
[...4926 lines suppressed...]
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/device.te policy-1.23.18/types/device.te
--- nsapolicy/types/device.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/device.te 2005-06-08 09:04:15.000000000 -0400
@@ -154,3 +154,10 @@
# for other device nodes such as the NVidia binary-only driver
type xserver_misc_device_t, device_type, dev_fs;
+
+# for the IBM zSeries z90crypt hardware ssl accelorator
+type crypt_device_t, device_type, dev_fs;
+
+
+
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/devpts.te policy-1.23.18/types/devpts.te
--- nsapolicy/types/devpts.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/devpts.te 2005-06-08 09:04:15.000000000 -0400
@@ -10,7 +10,7 @@
#
# ptmx_t is the type for /dev/ptmx.
#
-type ptmx_t, sysadmfile, device_type, dev_fs;
+type ptmx_t, sysadmfile, device_type, dev_fs, mlstrustedobject;
#
# devpts_t is the type of the devpts file system and
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.18/types/file.te
--- nsapolicy/types/file.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/file.te 2005-06-25 16:08:39.000000000 -0400
@@ -137,7 +137,11 @@
# texrel_shlib_t is the type of shared objects in the system lib
# directories, which require text relocation.
#
+ifdef(`targeted_policy', `
+typealias lib_t alias texrel_shlib_t;
+', `
type texrel_shlib_t, file_type, sysadmfile;
+')
# ld_so_t is the type of the system dynamic loaders.
#
@@ -325,4 +329,8 @@
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+allow customizable self:filesystem associate;
+
+# type for /tmp/.ICE-unix
+type ice_tmp_t, file_type, sysadmfile, tmpfile;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.18/types/network.te
--- nsapolicy/types/network.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/network.te 2005-06-23 16:41:20.000000000 -0400
@@ -8,17 +8,7 @@
# Modified by Russell Coker
# Move port types to their respective domains, add ifdefs, other cleanups.
-# generally we do not want to define port types in this file, but some things
-# are insanely difficult to do elsewhere, xserver_port_t is a good example
-# getting the type defined is the easy part for X, conditional code for many
-# other domains (including one that starts with a) is the hard part.
-ifdef(`xdm.te', `define(`use_x_ports')')
-ifdef(`startx.te', `define(`use_x_ports')')
-ifdef(`xauth.te', `define(`use_x_ports')')
-ifdef(`xserver.te', `define(`use_x_ports')')
-ifdef(`use_x_ports', `
type xserver_port_t, port_type;
-')
#
# Defines used by the te files need to be defined outside of net_constraints
#
@@ -31,24 +21,14 @@
type http_cache_port_t, port_type, reserved_port_type;
type http_port_t, port_type, reserved_port_type;
type ipp_port_t, port_type, reserved_port_type;
+type gopher_port_t, port_type, reserved_port_type;
allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
-ifdef(`cyrus.te', `define(`use_pop')')
-ifdef(`courier.te', `define(`use_pop')')
-ifdef(`perdition.te', `define(`use_pop')')
-ifdef(`dovecot.te', `define(`use_pop')')
-ifdef(`uwimapd.te', `define(`use_pop')')
-ifdef(`fetchmail.te', `define(`use_pop')')
-ifdef(`use_pop', `
type pop_port_t, port_type, reserved_port_type;
-')
type ftp_port_t, port_type, reserved_port_type;
type ftp_data_port_t, port_type, reserved_port_type;
-ifdef(`dhcpd.te', `define(`use_pxe')')
-ifdef(`pxe.te', `define(`use_pxe')')
-
############################################
#
# Network types
@@ -126,3 +106,79 @@
# Kernel-generated traffic, e.g. TCP resets.
allow kernel_t netif_type:netif { tcp_send tcp_recv };
allow kernel_t node_type:node { tcp_send tcp_recv };
+type radius_port_t, port_type;
+type radacct_port_t, port_type;
+type rndc_port_t, port_type, reserved_port_type;
+type tftp_port_t, port_type, reserved_port_type;
+type printer_port_t, port_type, reserved_port_type;
+type mysqld_port_t, port_type;
+type postgresql_port_t, port_type;
+type ptal_port_t, port_type, reserved_port_type;
+type howl_port_t, port_type;
+type dict_port_t, port_type;
+type syslogd_port_t, port_type, reserved_port_type;
+type spamd_port_t, port_type, reserved_port_type;
+type ssh_port_t, port_type, reserved_port_type;
+type pxe_port_t, port_type;
+type amanda_port_t, port_type;
+type fingerd_port_t, port_type, reserved_port_type;
+type dhcpc_port_t, port_type, reserved_port_type;
+type ntp_port_t, port_type, reserved_port_type;
+type stunnel_port_t, port_type;
+type zebra_port_t, port_type;
+type i18n_input_port_t, port_type;
+type vnc_port_t, port_type;
+type openvpn_port_t, port_type;
+type clamd_port_t, port_type, reserved_port_type;
+type transproxy_port_t, port_type;
+type clockspeed_port_t, port_type;
+type pyzor_port_t, port_type, reserved_port_type;
+type postgrey_port_t, port_type;
+type asterisk_port_t, port_type;
+type utcpserver_port_t, port_type;
+type nessus_port_t, port_type;
+type razor_port_t, port_type;
+type distccd_port_t, port_type;
+type socks_port_t, port_type;
+type gatekeeper_port_t, port_type;
+type dcc_port_t, port_type;
+type lrrd_port_t, port_type;
+type jabber_client_port_t, port_type;
+type jabber_interserver_port_t, port_type;
+type ircd_port_t, port_type;
+type giftd_port_t, port_type;
+type soundd_port_t, port_type;
+type imaze_port_t, port_type;
+type monopd_port_t, port_type;
+# Differentiate between the port where amavisd receives mail, and the
+# port where it returns cleaned mail back to the MTA.
+type amavisd_recv_port_t, port_type;
+type amavisd_send_port_t, port_type;
+type innd_port_t, port_type, reserved_port_type;
+type snmp_port_t, port_type, reserved_port_type;
+type biff_port_t, port_type, reserved_port_type;
+type hplip_port_t, port_type;
+
+#inetd_child_ports
+
+type rlogind_port_t, port_type, reserved_port_type;
+type telnetd_port_t, port_type, reserved_port_type;
+type comsat_port_t, port_type, reserved_port_type;
+type cvs_port_t, port_type;
+type dbskkd_port_t, port_type, reserved_port_type;
+type inetd_child_port_t, port_type, reserved_port_type;
+type ktalkd_port_t, port_type, reserved_port_type;
+type rsync_port_t, port_type, reserved_port_type;
+type uucpd_port_t, port_type, reserved_port_type;
+type swat_port_t, port_type, reserved_port_type;
+type zope_port_t, port_type;
+type auth_port_t, port_type, reserved_port_type;
+
+# afs ports
+
+type afs_fs_port_t, port_type;
+type afs_pt_port_t, port_type;
+type afs_vl_port_t, port_type;
+type afs_ka_port_t, port_type;
+type afs_bos_port_t, port_type;
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.23.18/types/security.te
--- nsapolicy/types/security.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.18/types/security.te 2005-06-08 09:04:15.000000000 -0400
@@ -12,7 +12,7 @@
# the permissions in the security class. It is also
# applied to selinuxfs inodes.
#
-type security_t, mount_point, fs_type;
+type security_t, mount_point, fs_type, mlstrustedobject;
#
# policy_config_t is the type of /etc/security/selinux/*
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/.cvsignore,v
retrieving revision 1.115
retrieving revision 1.116
diff -u -r1.115 -r1.116
--- .cvsignore 7 Jun 2005 20:28:02 -0000 1.115
+++ .cvsignore 29 Jun 2005 20:39:00 -0000 1.116
@@ -81,3 +81,4 @@
policy-1.23.16.tgz
policy-1.23.17.tgz
policy-1.23.18.tgz
+policy-1.24.tgz
policy-20050606.patch:
Makefile | 23 +--
attrib.te | 2
domains/misc/kernel.te | 7
domains/misc/local.te | 5
domains/program/fsadm.te | 5
domains/program/init.te | 4
domains/program/initrc.te | 11 +
domains/program/klogd.te | 2
domains/program/login.te | 4
domains/program/modutil.te | 2
domains/program/mount.te | 4
domains/program/passwd.te | 5
domains/program/restorecon.te | 5
domains/program/ssh.te | 4
domains/program/syslogd.te | 3
domains/program/unused/NetworkManager.te | 9 +
domains/program/unused/acct.te | 2
domains/program/unused/afs.te | 1
domains/program/unused/alsa.te | 17 ++
domains/program/unused/amanda.te | 7
domains/program/unused/amavis.te | 5
domains/program/unused/apache.te | 5
domains/program/unused/apmd.te | 4
domains/program/unused/asterisk.te | 2
domains/program/unused/auditd.te | 10 +
domains/program/unused/bluetooth.te | 3
domains/program/unused/bonobo.te | 9 +
domains/program/unused/ciped.te | 5
domains/program/unused/clamav.te | 1
domains/program/unused/clockspeed.te | 2
domains/program/unused/consoletype.te | 2
domains/program/unused/cups.te | 36 ++++
domains/program/unused/cyrus.te | 2
domains/program/unused/dante.te | 1
domains/program/unused/dcc.te | 3
domains/program/unused/ddclient.te | 4
domains/program/unused/dhcpc.te | 16 +-
domains/program/unused/dhcpd.te | 3
domains/program/unused/dictd.te | 1
domains/program/unused/distcc.te | 1
domains/program/unused/dovecot.te | 4
domains/program/unused/ethereal.te | 48 ++++++
domains/program/unused/evolution.te | 13 +
domains/program/unused/fingerd.te | 1
domains/program/unused/gatekeeper.te | 1
domains/program/unused/gconf.te | 12 +
domains/program/unused/gift.te | 2
domains/program/unused/gnome.te | 7
domains/program/unused/gnome_vfs.te | 9 +
domains/program/unused/gpg.te | 3
domains/program/unused/hald.te | 4
domains/program/unused/hotplug.te | 3
domains/program/unused/howl.te | 1
domains/program/unused/i18n_input.te | 7
domains/program/unused/iceauth.te | 12 +
domains/program/unused/imazesrv.te | 1
domains/program/unused/inetd.te | 7
domains/program/unused/innd.te | 1
domains/program/unused/ircd.te | 1
domains/program/unused/jabberd.te | 3
domains/program/unused/lpd.te | 1
domains/program/unused/lrrd.te | 1
domains/program/unused/mdadm.te | 2
domains/program/unused/monopd.te | 1
domains/program/unused/mozilla.te | 6
domains/program/unused/mysqld.te | 4
domains/program/unused/named.te | 1
domains/program/unused/nessusd.te | 1
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 1
domains/program/unused/openvpn.te | 2
domains/program/unused/orbit.te | 7
domains/program/unused/pam.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/ping.te | 2
domains/program/unused/postgresql.te | 4
domains/program/unused/postgrey.te | 2
domains/program/unused/pppd.te | 7
domains/program/unused/pxe.te | 1
domains/program/unused/pyzor.te | 2
domains/program/unused/radius.te | 2
domains/program/unused/razor.te | 2
domains/program/unused/rpcd.te | 5
domains/program/unused/samba.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/sound-server.te | 1
domains/program/unused/spamd.te | 1
domains/program/unused/squid.te | 1
domains/program/unused/ssh-agent.te | 3
domains/program/unused/stunnel.te | 1
domains/program/unused/tftpd.te | 2
domains/program/unused/thunderbird.te | 9 +
domains/program/unused/transproxy.te | 2
domains/program/unused/ucspi-tcp.te | 2
domains/program/unused/udev.te | 2
domains/program/unused/utempter.te | 5
domains/program/unused/watchdog.te | 2
domains/program/unused/xdm.te | 23 ++-
domains/program/unused/xserver.te | 3
domains/program/unused/zebra.te | 1
domains/user.te | 14 +
file_contexts/distros.fc | 21 --
file_contexts/program/alsa.fc | 3
file_contexts/program/apache.fc | 2
file_contexts/program/bonobo.fc | 1
file_contexts/program/cups.fc | 6
file_contexts/program/cyrus.fc | 1
file_contexts/program/ethereal.fc | 3
file_contexts/program/evolution.fc | 8 +
file_contexts/program/fontconfig.fc | 6
file_contexts/program/fsadm.fc | 1
file_contexts/program/gconf.fc | 5
file_contexts/program/gnome.fc | 8 +
file_contexts/program/gnome_vfs.fc | 1
file_contexts/program/iceauth.fc | 3
file_contexts/program/irc.fc | 2
file_contexts/program/mozilla.fc | 6
file_contexts/program/orbit.fc | 3
file_contexts/program/thunderbird.fc | 2
file_contexts/program/xauth.fc | 1
file_contexts/program/xdm.fc | 1
file_contexts/program/xserver.fc | 2
file_contexts/types.fc | 23 +--
macros/admin_macros.te | 12 +
macros/base_user_macros.te | 75 ++++++---
macros/content_macros.te | 185 ++++++++++++++++++++++++
macros/global_macros.te | 121 +--------------
macros/home_macros.te | 130 +++++++++++++++++
macros/network_macros.te | 2
macros/program/apache_macros.te | 5
macros/program/bonobo_macros.te | 119 +++++++++++++++
macros/program/dbusd_macros.te | 3
macros/program/ethereal_macros.te | 83 ++++++++++
macros/program/evolution_macros.te | 235 +++++++++++++++++++++++++++++++
macros/program/fontconfig_macros.te | 38 ++++-
macros/program/games_domain.te | 38 +----
macros/program/gconf_macros.te | 56 +++++++
macros/program/gift_macros.te | 60 ++-----
macros/program/gnome_macros.te | 115 +++++++++++++++
macros/program/gnome_vfs_macros.te | 49 ++++++
macros/program/gpg_agent_macros.te | 1
macros/program/gpg_macros.te | 45 -----
macros/program/ice_macros.te | 38 +++++
macros/program/iceauth_macros.te | 40 +++++
macros/program/inetd_macros.te | 1
macros/program/irc_macros.te | 1
macros/program/lpr_macros.te | 24 ---
macros/program/mail_client_macros.te | 54 +++++++
macros/program/mozilla_macros.te | 131 ++++++-----------
macros/program/mplayer_macros.te | 15 +
macros/program/orbit_macros.te | 44 +++++
macros/program/pyzor_macros.te | 1
macros/program/razor_macros.te | 1
macros/program/spamassassin_macros.te | 9 -
macros/program/ssh_agent_macros.te | 3
macros/program/ssh_macros.te | 5
macros/program/thunderbird_macros.te | 57 +++++++
macros/program/tvtime_macros.te | 1
macros/program/userhelper_macros.te | 3
macros/program/x_client_macros.te | 12 -
macros/program/xauth_macros.te | 1
macros/program/xdm_macros.te | 11 +
macros/program/xserver_macros.te | 17 +-
macros/user_macros.te | 8 -
mls | 41 ++---
net_contexts | 135 +++++------------
targeted/domains/program/crond.te | 2
targeted/domains/program/ssh.te | 1
targeted/domains/program/xdm.te | 1
targeted/domains/unconfined.te | 10 -
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/device.te | 7
types/devpts.te | 2
types/file.te | 8 +
types/network.te | 98 ++++++++++--
types/security.te | 2
177 files changed, 2038 insertions(+), 748 deletions(-)
Index: policy-20050606.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050606.patch,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- policy-20050606.patch 26 Jun 2005 11:16:46 -0000 1.22
+++ policy-20050606.patch 29 Jun 2005 20:39:01 -0000 1.23
@@ -359,7 +359,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.18/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/apache.te 2005-06-20 14:20:15.000000000 -0400
++++ policy-1.23.18/domains/program/unused/apache.te 2005-06-29 15:03:46.000000000 -0400
@@ -86,6 +86,8 @@
read_sysctl(httpd_t)
@@ -369,7 +369,15 @@
# for modules that want to access /etc/mtab and /proc/meminfo
allow httpd_t { proc_t etc_runtime_t }:file { getattr read };
-@@ -363,7 +365,9 @@
+@@ -112,6 +114,7 @@
+ can_kerberos(httpd_t)
+ can_resolve(httpd_t)
+ can_ypbind(httpd_t)
++can_ldap(httpd_t)
+ allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
+
+ if (httpd_can_network_connect) {
+@@ -363,7 +366,9 @@
if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
@@ -381,7 +389,16 @@
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.18/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/apmd.te 2005-06-23 11:55:58.000000000 -0400
++++ policy-1.23.18/domains/program/unused/apmd.te 2005-06-29 16:35:36.000000000 -0400
+@@ -21,7 +21,7 @@
+ allow apm_t privfd:fd use;
+ allow apm_t admin_tty_type:chr_file rw_file_perms;
+ allow apm_t device_t:dir search;
+-allow apm_t self:capability sys_admin;
++allow apm_t self:capability { dac_override sys_admin };
+ allow apm_t proc_t:dir search;
+ allow apm_t proc_t:file { read getattr };
+ allow apm_t fs_t:filesystem getattr;
@@ -30,7 +30,7 @@
role system_r types apm_t;
@@ -435,6 +452,19 @@
allow auditctl_t privfd:fd use;
+
+
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.23.18/domains/program/unused/bluetooth.te
+--- nsapolicy/domains/program/unused/bluetooth.te 2005-05-25 11:28:09.000000000 -0400
++++ policy-1.23.18/domains/program/unused/bluetooth.te 2005-06-26 07:52:17.000000000 -0400
+@@ -26,7 +26,8 @@
+ dbusd_client(system, bluetooth)
+ allow bluetooth_t system_dbusd_t:dbus send_msg;
+ ')
+-allow bluetooth_t self:socket { create setopt ioctl bind listen };
++allow bluetooth_t self:socket create_stream_socket_perms;
++
+ allow bluetooth_t self:unix_dgram_socket create_socket_perms;
+ allow bluetooth_t self:unix_stream_socket create_stream_socket_perms;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bonobo.te policy-1.23.18/domains/program/unused/bonobo.te
--- nsapolicy/domains/program/unused/bonobo.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.18/domains/program/unused/bonobo.te 2005-06-08 09:04:15.000000000 -0400
@@ -501,8 +531,18 @@
role system_r types consoletype_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.18/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-06-01 06:11:22.000000000 -0400
-+++ policy-1.23.18/domains/program/unused/cups.te 2005-06-23 08:54:40.000000000 -0400
-@@ -150,6 +150,11 @@
++++ policy-1.23.18/domains/program/unused/cups.te 2005-06-29 12:12:59.000000000 -0400
+@@ -125,7 +125,8 @@
+ #
+ # lots of errors generated requiring the following
+ #
+-allow cupsd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
++allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
+ #
+ # Satisfy readahead
+ #
+@@ -150,6 +151,11 @@
allow ptal_t self:capability { chown sys_rawio };
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
@@ -514,7 +554,7 @@
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
allow ptal_t printer_device_t:chr_file rw_file_perms;
-@@ -166,6 +171,29 @@
+@@ -166,6 +172,29 @@
allow initrc_t ptal_var_run_t:fifo_file unlink;
@@ -544,7 +584,7 @@
dontaudit cupsd_t selinux_config_t:dir search;
dontaudit cupsd_t selinux_config_t:file { getattr read };
-@@ -273,3 +301,8 @@
+@@ -273,3 +302,8 @@
allow unconfined_t cupsd_config_t:dbus send_msg;
allow { cupsd_t cupsd_config_t } unconfined_t:fifo_file read;
')
@@ -852,6 +892,24 @@
-
# Everything else is in the gpg_domain macro in
# macros/program/gpg_macros.te.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.18/domains/program/unused/hald.te
+--- nsapolicy/domains/program/unused/hald.te 2005-05-25 11:28:10.000000000 -0400
++++ policy-1.23.18/domains/program/unused/hald.te 2005-06-27 06:29:04.000000000 -0400
+@@ -65,7 +65,8 @@
+ r_dir_file(hald_t, hotplug_etc_t)
+ ')
+ allow hald_t fs_type:dir { search getattr };
+-allow hald_t { usbdevfs_t usbfs_t }:file { getattr read };
++allow hald_t usbfs_t:dir r_dir_perms;
++allow hald_t { usbdevfs_t usbfs_t }:file rw_file_perms;
+ allow hald_t bin_t:lnk_file read;
+ r_dir_file(hald_t, { selinux_config_t default_context_t } )
+ allow hald_t initrc_t:dbus send_msg;
+@@ -95,3 +96,4 @@
+ allow unconfined_t hald_t:dbus send_msg;
+ allow hald_t unconfined_t:dbus send_msg;
+ ')
++
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.18/domains/program/unused/hotplug.te
--- nsapolicy/domains/program/unused/hotplug.te 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.18/domains/program/unused/hotplug.te 2005-06-25 07:21:25.000000000 -0400
@@ -1831,7 +1889,7 @@
+HOME_DIR/\.ircmotd -- system_u:object_r:ROLE_irc_home_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/mozilla.fc policy-1.23.18/file_contexts/program/mozilla.fc
--- nsapolicy/file_contexts/program/mozilla.fc 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.18/file_contexts/program/mozilla.fc 2005-06-16 14:03:04.000000000 -0400
++++ policy-1.23.18/file_contexts/program/mozilla.fc 2005-06-29 12:16:32.000000000 -0400
@@ -3,10 +3,6 @@
HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_home_t
HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_home_t
@@ -1843,6 +1901,15 @@
HOME_DIR/\.java(/.*)? system_u:object_r:ROLE_mozilla_home_t
/usr/bin/netscape -- system_u:object_r:mozilla_exec_t
/usr/bin/mozilla -- system_u:object_r:mozilla_exec_t
+@@ -20,6 +16,8 @@
+ /usr/lib(64)?/mozilla[^/]*/reg.+ -- system_u:object_r:mozilla_exec_t
+ /usr/lib(64)?/mozilla[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
+ /usr/lib(64)?/firefox[^/]*/mozilla-.* -- system_u:object_r:mozilla_exec_t
++/usr/lib(64)?/[^/]*mozilla[^/]*/run-mozilla\.sh -- system_u:object_r:mozilla_exec_t
++/usr/lib(64)?/[^/]*firefox[^/]*/run-mozilla\.sh -- system_u:object_r:mozilla_exec_t
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox-bin -- system_u:object_r:mozilla_exec_t
+ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- system_u:object_r:bin_t
+ /etc/mozpluggerrc system_u:object_r:mozilla_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/orbit.fc policy-1.23.18/file_contexts/program/orbit.fc
--- nsapolicy/file_contexts/program/orbit.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.18/file_contexts/program/orbit.fc 2005-06-10 14:12:06.000000000 -0400
@@ -2630,8 +2697,14 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.18/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.23.18/macros/program/apache_macros.te 2005-06-20 14:19:53.000000000 -0400
-@@ -113,9 +113,11 @@
++++ policy-1.23.18/macros/program/apache_macros.te 2005-06-29 15:20:58.000000000 -0400
+@@ -108,14 +108,17 @@
+
+ if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
+ create_dir_file(httpd_$1_script_t, httpdcontent)
++can_exec(httpd_$1_script_t, httpdcontent)
+ }
+
#
# If a user starts a script by hand it gets the proper context
#
@@ -2869,8 +2942,8 @@
+') dnl ethereal_domain
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/evolution_macros.te policy-1.23.18/macros/program/evolution_macros.te
--- nsapolicy/macros/program/evolution_macros.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.18/macros/program/evolution_macros.te 2005-06-16 14:03:45.000000000 -0400
-@@ -0,0 +1,241 @@
++++ policy-1.23.18/macros/program/evolution_macros.te 2005-06-29 12:16:32.000000000 -0400
+@@ -0,0 +1,235 @@
+#
+# Evolution
+#
@@ -3094,12 +3167,6 @@
+domain_auto_trans($1_evolution_t, spamassassin_exec_t, $1_spamassassin_t)
+') dnl spamassasin.te
+
-+### Start links in web browser
-+ifdef(`mozilla.te', `
-+can_exec($1_evolution_t, shell_exec_t)
-+domain_auto_trans($1_evolution_t, mozilla_exec_t, $1_mozilla_t)
-+') dnl mozilla.te
-+
+') dnl evolution_domain
+
+#################################
@@ -3851,8 +3918,8 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mail_client_macros.te policy-1.23.18/macros/program/mail_client_macros.te
--- nsapolicy/macros/program/mail_client_macros.te 1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.23.18/macros/program/mail_client_macros.te 2005-06-16 23:11:27.000000000 -0400
-@@ -0,0 +1,48 @@
++++ policy-1.23.18/macros/program/mail_client_macros.te 2005-06-29 12:16:32.000000000 -0400
+@@ -0,0 +1,54 @@
+#
+# Shared macro for mail clients
+#
@@ -3900,6 +3967,12 @@
+allow $1_t $2_gpg_t:process signal;
+')
+
++# Start links in web browser
++ifdef(`mozilla.te', `
++can_exec($1_t, shell_exec_t)
++domain_auto_trans($1_t, mozilla_exec_t, $2_mozilla_t)
++')
++
+')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.18/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te 2005-05-25 11:28:10.000000000 -0400
@@ -4697,7 +4770,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.18/net_contexts
--- nsapolicy/net_contexts 2005-05-25 11:28:09.000000000 -0400
-+++ policy-1.23.18/net_contexts 2005-06-23 16:38:05.000000000 -0400
++++ policy-1.23.18/net_contexts 2005-06-27 07:14:04.000000000 -0400
@@ -17,7 +17,6 @@
# protocol number context
# protocol low-high context
@@ -4729,7 +4802,7 @@
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
-@@ -50,24 +48,31 @@
+@@ -50,24 +48,33 @@
portcon udp 53 system_u:object_r:dns_port_t
portcon tcp 53 system_u:object_r:dns_port_t
@@ -4747,6 +4820,8 @@
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
++portcon tcp 488 system_u:object_r:http_port_t
++portcon tcp 8008 system_u:object_r:http_port_t
-ifdef(`use_pop', `
portcon tcp 106 system_u:object_r:pop_port_t
@@ -4769,7 +4844,7 @@
portcon tcp 137 system_u:object_r:smbd_port_t
portcon udp 137 system_u:object_r:nmbd_port_t
-@@ -77,35 +82,23 @@
+@@ -77,35 +84,23 @@
portcon udp 139 system_u:object_r:nmbd_port_t
portcon tcp 445 system_u:object_r:smbd_port_t
@@ -4807,7 +4882,7 @@
portcon tcp 631 system_u:object_r:ipp_port_t
portcon udp 631 system_u:object_r:ipp_port_t
portcon tcp 88 system_u:object_r:kerberos_port_t
-@@ -117,41 +110,25 @@
+@@ -117,41 +112,25 @@
portcon udp 750 system_u:object_r:kerberos_port_t
portcon tcp 4444 system_u:object_r:kerberos_master_port_t
portcon udp 4444 system_u:object_r:kerberos_master_port_t
@@ -4855,7 +4930,7 @@
portcon tcp 2040 system_u:object_r:afs_fs_port_t
portcon udp 7000 system_u:object_r:afs_fs_port_t
portcon udp 7002 system_u:object_r:afs_pt_port_t
-@@ -159,42 +136,31 @@
+@@ -159,42 +138,31 @@
portcon udp 7004 system_u:object_r:afs_ka_port_t
portcon udp 7005 system_u:object_r:afs_fs_port_t
portcon udp 7007 system_u:object_r:afs_bos_port_t
@@ -4909,7 +4984,7 @@
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
portcon tcp 6002 system_u:object_r:xserver_port_t
-@@ -215,51 +181,34 @@
+@@ -215,51 +183,34 @@
portcon tcp 6017 system_u:object_r:xserver_port_t
portcon tcp 6018 system_u:object_r:xserver_port_t
portcon tcp 6019 system_u:object_r:xserver_port_t
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.338
retrieving revision 1.339
diff -u -r1.338 -r1.339
--- selinux-policy-strict.spec 26 Jun 2005 11:16:46 -0000 1.338
+++ selinux-policy-strict.spec 29 Jun 2005 20:39:01 -0000 1.339
@@ -10,8 +10,8 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
-Version: 1.23.18
-Release: 20
+Version: 1.24
+Release: 1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -20,7 +20,7 @@
Source3: selinux.csh
Prefix: %{_prefix}
BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050606.patch
+Patch: policy-20050629.patch
BuildArch: noarch
BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
@@ -221,13 +221,21 @@
if [ -x /usr/sbin/selinuxenabled -a -f /etc/selinux/config ]; then
. /etc/selinux/config
if [ "${SELINUXTYPE}" = "%{type}" ] && /usr/sbin/selinuxenabled; then
- make -C %{POLICYDIR}/src/policy load > /dev/null 2>&1
+ make -C %{POLICYDIR}/src/policy -W %{POLICYDIR}/src/policy/users load > /dev/null 2>&1
[ -f %{PRE_FILE_CONTEXT} ] && fixfiles -l /dev/null -C %{PRE_FILE_CONTEXT} restore && rm -f %{PRE_FILE_CONTEXT}
fi
fi
exit 0
%changelog
+* Wed Jun 29 2005 Dan Walsh <dwalsh at redhat.com> 1.24-1
+- Upgrade from NSA
+ * Updated version for release.
+
+* Mon Jun 27 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-22
+- Add additional http ports
+- Force make reload when sourses installed
+
* Sun Jun 26 2005 Dan Walsh <dwalsh at redhat.com> 1.23.18-20
- Fix hplip for cups
Index: selinux.csh
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux.csh,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- selinux.csh 18 Jun 2005 03:11:29 -0000 1.5
+++ selinux.csh 29 Jun 2005 20:39:01 -0000 1.6
@@ -1,4 +1,4 @@
-[ `/usr/bin/id -u` -gt 500 ] || exit
+[ `/usr/bin/id -u` -ge 500 ] || exit
([ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled) || exit
eval set `grep ^SELINUXTYPE /etc/selinux/config`
Index: selinux.sh
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux.sh,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- selinux.sh 18 Jun 2005 03:11:29 -0000 1.5
+++ selinux.sh 29 Jun 2005 20:39:01 -0000 1.6
@@ -1,4 +1,4 @@
-[ `/usr/bin/id -u` -gt 500 ] || return
+[ `/usr/bin/id -u` -ge 500 ] || return
([ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled) || return
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/sources,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- sources 7 Jun 2005 20:28:02 -0000 1.121
+++ sources 29 Jun 2005 20:39:01 -0000 1.122
@@ -1 +1,2 @@
c5e6564854d306ad0487c6d56c98bb81 policy-1.23.18.tgz
+da7bb54f26402c4c640e9086dafb8041 policy-1.24.tgz
- Previous message (by thread): rpms/libsepol/devel .cvsignore, 1.23, 1.24 libsepol.spec, 1.36, 1.37 sources, 1.23, 1.24
- Next message (by thread): rpms/selinux-policy-targeted/devel policy-20050629.patch, NONE, 1.1 .cvsignore, 1.111, 1.112 policy-20050606.patch, 1.19, 1.20 selinux-policy-targeted.spec, 1.332, 1.333 sources, 1.117, 1.118
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list