rpms/selinux-policy-strict/devel policy-20050317.patch, NONE, 1.1 .cvsignore, 1.100, 1.101 policy-20050311.patch, 1.3, 1.4 selinux-policy-strict.spec, 1.255, 1.256 sources, 1.106, 1.107 policy-20050201.patch, 1.10, NONE policy-20050208.patch, 1.5, NONE policy-20050210.patch, 1.5, NONE policy-20050217.patch, 1.4, NONE policy-20050224.patch, 1.12, NONE

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Mar 18 20:47:51 UTC 2005


Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31358

Modified Files:
	.cvsignore policy-20050311.patch selinux-policy-strict.spec 
	sources 
Added Files:
	policy-20050317.patch 
Removed Files:
	policy-20050201.patch policy-20050208.patch 
	policy-20050210.patch policy-20050217.patch 
	policy-20050224.patch 
Log Message:
* Fri Mar 18 2005 Dan Walsh <dwalsh at redhat.com> 1.23.3-2
- Allow cups/lpd to bind to a port 


policy-20050317.patch:
 ChangeLog                             |    5 -----
 domains/program/crond.te              |    4 ++--
 domains/program/logrotate.te          |    2 +-
 domains/program/syslogd.te            |   13 +++++++++++--
 domains/program/unused/apache.te      |    2 ++
 domains/program/unused/arpwatch.te    |    6 ++++++
 domains/program/unused/consoletype.te |    1 +
 domains/program/unused/cups.te        |    2 ++
 domains/program/unused/dhcpc.te       |    1 +
 domains/program/unused/dovecot.te     |   17 +++++++++++++++--
 domains/program/unused/firstboot.te   |    2 ++
 domains/program/unused/games.te       |    3 +++
 domains/program/unused/mozilla.te     |    3 +++
 domains/program/unused/mrtg.te        |    2 +-
 domains/program/unused/mta.te         |   11 +----------
 file_contexts/program/dovecot.fc      |    3 +++
 macros/program/games_domain.te        |   19 +++++++++++++++++--
 macros/program/gift_macros.te         |   16 +++++++---------
 macros/program/mozilla_macros.te      |   12 ++++++++----
 macros/program/mplayer_macros.te      |   20 ++++++++++++--------
 macros/program/screen_macros.te       |    2 +-
 macros/program/tvtime_macros.te       |   10 ++++++++--
 macros/program/x_client_macros.te     |   32 ++------------------------------
 tunables/distro.tun                   |    2 +-
 tunables/tunable.tun                  |   12 ++++++------
 25 files changed, 116 insertions(+), 86 deletions(-)

--- NEW FILE policy-20050317.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/ChangeLog policy-1.23.3/ChangeLog
--- nsapolicy/ChangeLog	2005-03-17 10:18:56.000000000 -0500
+++ policy-1.23.3/ChangeLog	2005-03-17 10:51:55.000000000 -0500
@@ -1,8 +1,3 @@
-1.23.3 2005-03-15
-	* Added policy for nx_server from Thomas Bleher.
-	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
-	publicfile from Petre Rodan.
-	
 1.23.2 2005-03-14
 	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 
 	gift policy.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.3/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/crond.te	2005-03-17 16:46:53.000000000 -0500
@@ -205,11 +205,11 @@
 r_dir_file(system_crond_t, file_context_t)
 can_getsecurity(system_crond_t)
 }
-allow system_crond_t removable_t:filesystem { getattr };
+allow system_crond_t removable_t:filesystem getattr;
 #
 # Required for webalizer
 #
 ifdef(`apache.te', `
 allow system_crond_t httpd_log_t:file { getattr read };
 ')
-dontaudit crond_t self:capability { sys_tty_config };
+dontaudit crond_t self:capability sys_tty_config;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.23.3/domains/program/logrotate.te
--- nsapolicy/domains/program/logrotate.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/logrotate.te	2005-03-18 15:43:30.000000000 -0500
@@ -128,7 +128,7 @@
 
 allow logrotate_t fs_t:filesystem getattr;
 can_exec(logrotate_t, shell_exec_t)
-can_exec(logrotate_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(logrotate_t, hostname_exec_t)')
 can_exec(logrotate_t,logfile)
 allow logrotate_t net_conf_t:file { getattr read };
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.3/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.3/domains/program/syslogd.te	2005-03-17 15:10:27.000000000 -0500
@@ -36,7 +36,7 @@
 allow syslogd_t etc_t:file r_file_perms;
 
 # Use capabilities.
-allow syslogd_t self:capability { dac_override net_bind_service sys_resource sys_tty_config };
+allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
 
 # Modify/create log files.
 create_append_log_file(syslogd_t, var_log_t)
@@ -103,5 +103,14 @@
 allow syslogd_t { tmpfs_t devpts_t }:dir search;
 dontaudit syslogd_t unlabeled_t:file read;
 dontaudit syslogd_t { userpty_type devpts_t }:chr_file getattr;
-allow syslogd_t self:capability net_admin;
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ifdef(`targeted_policy', `
+allow syslogd_t var_run_t:fifo_file { ioctl read write };
+')
+
+bool use_syslogng false;
+
+if (use_syslogng) {
+allow syslogd_t proc_kmsg_t:file write;
+allow syslogd_t self:capability { sys_admin chown };
+}
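Review bot: `bool use_syslogng false;` and the `{ sys_admin chown }` grant it gates carry no comment, and sys_admin is one of the broadest capabilities in the policy, so a reader cannot tell which syslog-ng operation needs it. A line above the boolean such as `# true when syslog-ng replaces sysklogd: needs proc_kmsg write plus sys_admin/chown for <reason -- confirm minimum set>` would record the intent. The `targeted_policy` block grants ioctl/read/write on every `var_run_t` fifo rather than on a dedicated pipe type; if one specific fifo under /var/run is meant, a narrower type keeps the rule from covering unrelated pipes.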
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.3/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.3/domains/program/unused/apache.te	2005-03-17 15:19:16.000000000 -0500
@@ -270,9 +270,11 @@
 if (use_nfs_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(nfs_t)
 }
+
 if (use_samba_home_dirs && httpd_enable_homedirs) {
 httpd_home_dirs(cifs_t)
 }
+
 r_dir_file(httpd_t, fonts_t)
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/arpwatch.te policy-1.23.3/domains/program/unused/arpwatch.te
--- nsapolicy/domains/program/unused/arpwatch.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/unused/arpwatch.te	2005-03-17 15:36:40.000000000 -0500
@@ -40,3 +40,9 @@
 allow initrc_t arpwatch_data_t:file create;
 ')dnl end distro_gentoo
 
+# why is mail delivered to a directory of type arpwatch_data_t?
+allow mta_delivery_agent arpwatch_data_t:dir search;
+allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
+ifdef(`hide_broken_symptoms', `
+dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
+')
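Review bot: The rules moved here from mta.te reference `mta_delivery_agent`, `system_mail_t` and `mta_user_agent`; in mta.te they sat under `ifdef(`arpwatch.te', ...)`, but no equivalent `ifdef(`mta.te', ...)` guard was added on this side, so a build with arpwatch.te enabled and mta.te left in unused/ would fail on undeclared names if those are declared in mta.te (the `distro_gentoo` ifdef just above shows this file already uses such guards). Wrapping the four added rules in `ifdef(`mta.te', `` ... `')` keeps the previous conditional behaviour. The `# why is mail delivered to a directory of type arpwatch_data_t?` question carried over unanswered; if the reason is known, replace the question with it.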
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.3/domains/program/unused/consoletype.te
--- nsapolicy/domains/program/unused/consoletype.te	2005-03-15 08:02:23.000000000 -0500
+++ policy-1.23.3/domains/program/unused/consoletype.te	2005-03-17 11:37:45.000000000 -0500
@@ -22,6 +22,7 @@
 domain_auto_trans(initrc_t, consoletype_exec_t, consoletype_t)
 
 allow consoletype_t tty_device_t:chr_file { getattr ioctl write };
+allow consoletype_t devtty_t:chr_file { read write };
 allow consoletype_t initrc_devpts_t:chr_file { read write getattr ioctl };
 
 ifdef(`xdm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.3/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/cups.te	2005-03-18 11:28:15.000000000 -0500
@@ -71,6 +71,8 @@
 can_exec(cupsd_t, cupsd_exec_t)
 allow cupsd_t cupsd_exec_t:dir search;
 allow cupsd_t cupsd_exec_t:lnk_file read;
+allow cupsd_t reserved_port_t:tcp_socket name_bind;
+dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;
 
 allow cupsd_t self:unix_stream_socket create_socket_perms;
 allow cupsd_t self:unix_dgram_socket create_socket_perms;
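Review bot: `allow cupsd_t reserved_port_t:tcp_socket name_bind;` lets cupsd bind any reserved port that has no dedicated port type, which is wider than the single port the log message ("Allow cups/lpd to bind to a port") suggests; if one known port is meant, a labelled port type for it keeps the grant to that port. The following `dontaudit cupsd_t reserved_port_type:tcp_socket name_bind;` silences denials for every labelled reserved port, so a later misconfiguration that makes cupsd bind elsewhere leaves no audit trace. A comment stating why the silence is wanted, e.g. `# cupsd tries reserved ports at startup; only reserved_port_t binds are permitted -- confirm`, would make the intent reviewable.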
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.3/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/dhcpc.te	2005-03-18 15:40:57.000000000 -0500
@@ -86,6 +86,7 @@
 
 # Use capabilities
 allow dhcpc_t self:capability { dac_override fsetid net_admin net_raw net_bind_service sys_resource sys_tty_config };
+dontaudit dhcpc_t self:capability sys_admin;
 
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.23.3/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/dovecot.te	2005-03-17 14:38:20.000000000 -0500
@@ -3,13 +3,19 @@
 # Author:  Russell Coker <russell at coker.com.au>
 # X-Debian-Packages: dovecot-imapd, dovecot-pop3d
 
+#
+# Main dovecot daemon
+#
 daemon_domain(dovecot, `, privhome')
+etc_domain(dovecot);
 
 allow dovecot_t dovecot_var_run_t:sock_file create_file_perms;
 
 can_exec(dovecot_t, dovecot_exec_t)
 
 type dovecot_cert_t, file_type, sysadmfile;
+type dovecot_passwd_t, file_type, sysadmfile;
+type dovecot_spool_t, file_type, sysadmfile;
 
 allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
 allow dovecot_t self:process setrlimit;
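Review bot: `etc_domain(dovecot);` carries a trailing `;` while every other macro call in this file (`daemon_domain`, `can_exec`) has none; the semicolon follows the macro's expansion as an empty statement and should be dropped for consistency: `etc_domain(dovecot)`. Since `dovecot_passwd_t` is declared here for a credential file, a one-line comment above it, `# /etc/dovecot.passwd*: auth credentials; readable by dovecot_auth_t (and sysadm via sysadmfile)`, would state the intended confinement -- check it against the read rule added in the last hunk of this file before adopting the wording.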
@@ -25,9 +31,10 @@
 can_exec(dovecot_t, bin_t)
 
 allow dovecot_t pop_port_t:tcp_socket name_bind;
-allow dovecot_t urandom_device_t:chr_file read;
+allow dovecot_t urandom_device_t:chr_file { getattr read };
 allow dovecot_t cert_t:dir search;
 allow dovecot_t dovecot_cert_t:file { getattr read };
+allow dovecot_t cert_t:dir search;
 
 allow dovecot_t { self proc_t }:file { getattr read };
 allow dovecot_t self:fifo_file rw_file_perms;
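Review bot: The added `allow dovecot_t cert_t:dir search;` duplicates the identical context line two lines above it, so the hunk adds only a redundant rule; drop the added line. If a different directory type or class was intended, the rule that was meant should replace it.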
@@ -36,11 +43,17 @@
 
 allow dovecot_t tmp_t:dir search;
 rw_dir_file(dovecot_t, mail_spool_t)
+create_dir_file(dovecot_t, dovecot_spool_t)
+create_dir_file(mta_delivery_agent, dovecot_spool_t)
 allow dovecot_t mail_spool_t:lnk_file read;
 allow dovecot_t var_spool_t:dir { search };
 
+#
+# Dovecot auth daemon
+#
 daemon_sub_domain(dovecot_t, dovecot_auth, `, auth_chkpwd')
 allow dovecot_auth_t self:process { fork signal_perms };
+allow dovecot_auth_t self:capability { setgid setuid };
 allow dovecot_auth_t dovecot_t:unix_stream_socket { getattr accept read write ioctl };
 allow dovecot_auth_t self:unix_dgram_socket create_socket_perms;
 allow dovecot_auth_t self:unix_stream_socket create_stream_socket_perms;
@@ -50,6 +63,6 @@
 allow dovecot_auth_t { self proc_t }:file { getattr read };
 read_locale(dovecot_auth_t)
 read_sysctl(dovecot_auth_t)
-allow dovecot_auth_t sysctl_t:dir search;
+allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 dontaudit dovecot_auth_t selinux_config_t:dir search;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.23.3/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te	2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.3/domains/program/unused/firstboot.te	2005-03-18 15:42:54.000000000 -0500
@@ -107,8 +107,10 @@
 
 allow firstboot_t var_run_t:dir getattr;
 allow firstboot_t var_t:dir getattr;
+ifdef(`hostname.te', `
 allow hostname_t devtty_t:chr_file { read write };
 allow hostname_t firstboot_t:fd use;
+')
 ifdef(`iptables.te', `
 allow iptables_t devtty_t:chr_file { read write };
 allow iptables_t firstboot_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/games.te policy-1.23.3/domains/program/unused/games.te
--- nsapolicy/domains/program/unused/games.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/unused/games.te	2005-03-17 10:58:45.000000000 -0500
@@ -13,5 +13,8 @@
 rw_dir_create_file(games_t, games_data_t)
 r_dir_file(initrc_t, games_data_t)
 
+# Run in user_t
+bool disable_games_trans false;
+
 # Everything else is in the x_client_domain macro in
 # macros/program/x_client_macros.te.
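Review bot: The comment `# Run in user_t` above `bool disable_games_trans false;` does not describe the boolean: when it is true the transition in games_domain.te is skipped, so games keep running in whichever user domain launched them (`$1_t`), not specifically user_t. Suggest `# When true, do not transition to $1_games_t; games run in the calling user domain`. The same comment sits above `disable_mozilla_trans` in mozilla.te. The deleted x_client_macros.te code declared these booleans as `disable_games`/`disable_mozilla`, so the new names change the administrator-facing boolean; any existing `booleans` file (the spec's Source1) that sets the old names would need updating -- confirm.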
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mozilla.te policy-1.23.3/domains/program/unused/mozilla.te
--- nsapolicy/domains/program/unused/mozilla.te	2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.3/domains/program/unused/mozilla.te	2005-03-17 10:58:34.000000000 -0500
@@ -14,5 +14,8 @@
 # Allow mozilla to write files in the user home directory
 bool mozilla_writehome false;
 
+# Run in user_t
+bool disable_mozilla_trans false;
+
 # Everything else is in the mozilla_domain macro in
 # macros/program/mozilla_macros.te.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.23.3/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/mrtg.te	2005-03-18 15:43:05.000000000 -0500
@@ -94,5 +94,5 @@
 dontaudit mrtg_t root_t:lnk_file getattr;
 
 allow mrtg_t self:capability { setgid setuid };
-can_exec(mrtg_t, hostname_exec_t)
+ifdef(`hostname.te', `can_exec(mrtg_t, hostname_exec_t)')
 allow mrtg_t var_spool_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.3/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te	2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.3/domains/program/unused/mta.te	2005-03-17 15:36:31.000000000 -0500
@@ -59,15 +59,6 @@
 allow { system_mail_t mta_user_agent } privmail:fifo_file { read write };
 allow { system_mail_t mta_user_agent } admin_tty_type:chr_file { read write };
 
-ifdef(`arpwatch.te', `
-# why is mail delivered to a directory of type arpwatch_data_t?
-allow mta_delivery_agent arpwatch_data_t:dir search;
-allow { system_mail_t mta_user_agent } arpwatch_tmp_t:file rw_file_perms;
-ifdef(`hide_broken_symptoms', `
-dontaudit { system_mail_t mta_user_agent } arpwatch_t:packet_socket { read write };
-')
-')dnl end if arpwatch.te
-
 allow mta_delivery_agent home_root_t:dir { getattr search };
 
 # for /var/spool/mail
@@ -81,4 +72,4 @@
 allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
 
 allow system_mail_t etc_runtime_t:file { getattr read };
-allow system_mail_t urandom_device_t:chr_file read;
+allow system_mail_t { random_device_t urandom_device_t }:chr_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dovecot.fc policy-1.23.3/file_contexts/program/dovecot.fc
--- nsapolicy/file_contexts/program/dovecot.fc	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.3/file_contexts/program/dovecot.fc	2005-03-17 14:18:38.000000000 -0500
@@ -1,4 +1,6 @@
 # for Dovecot POP and IMAP server
+/etc/dovecot.conf.*			system_u:object_r:dovecot_etc_t
+/etc/dovecot.passwd.*			system_u:object_r:dovecot_passwd_t
 /usr/sbin/dovecot		--	system_u:object_r:dovecot_exec_t
 ifdef(`distro_redhat', `
 /usr/libexec/dovecot/dovecot-auth --	system_u:object_r:dovecot_auth_exec_t
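Review bot: In `/etc/dovecot.conf.*` and `/etc/dovecot.passwd.*` the `.` before `conf`/`passwd` is an unescaped regex metacharacter, unlike the existing `/usr/share/ssl/private/dovecot\.pem` entry that escapes it, so the credential label also matches names such as `/etc/dovecotXpasswd...`; write `/etc/dovecot\.conf.*` and `/etc/dovecot\.passwd.*`. The trailing `.*` also labels any path beginning with that prefix (e.g. a `/etc/dovecot.passwd.bak`) as `dovecot_passwd_t`, which is presumably wanted for rotated copies but worth stating in the comment.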
@@ -10,3 +12,4 @@
 /usr/share/ssl/private/dovecot\.pem --	system_u:object_r:dovecot_cert_t
 /var/run/dovecot(-login)?(/.*)?		system_u:object_r:dovecot_var_run_t
 /usr/lib(64)?/dovecot/.+	--		system_u:object_r:bin_t
+/var/spool/dovecot(/.*)?		system_u:object_r:dovecot_spool_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.3/macros/program/games_domain.te
--- nsapolicy/macros/program/games_domain.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/games_domain.te	2005-03-17 10:52:44.000000000 -0500
@@ -10,7 +10,23 @@
 #
 #
 define(`games_domain', `
-x_client_domain($1, `games', `, transitionbool')
+
+type $1_games_t, domain, nscd_client_domain;
+
+# Type transition
+if (! disable_games_trans) {
+domain_auto_trans($1_t, games_exec_t, $1_games_t)
+}
+role $1_r types $1_games_t;
+
+# X access, Private tmp
+x_client_domain($1, games)
+tmp_domain($1_games)
+
+# Games seem to need this
+if (allow_execmem) {
+allow $1_games_t self:process execmem;
+}
 
 allow $1_games_t var_t:dir { search getattr };
 rw_dir_create_file($1_games_t, games_data_t)
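Review bot: The rewritten transition block emits `domain_auto_trans($1_t, games_exec_t, $1_games_t)` but not the `can_exec($1_games_t, $2_exec_t)` that the removed `x_client_domain(..., transitionbool)` call produced alongside it (see the deleted body in x_client_macros.te), so a game that execs another games_exec_t binary from within $1_games_t would need a permission the macro no longer grants; gift_macros.te and the mencoder block of mplayer_macros.te drop the same can_exec. If this is deliberate, a comment such as `# no can_exec on games_exec_t: games may not re-exec game binaries without a transition` records it; otherwise restore the line. games_domain's definition continues past the hunk.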
@@ -29,7 +45,6 @@
 
 dontaudit $1_games_t sysctl_t:dir search;
 
-tmp_domain($1_games)
 allow $1_games_t urandom_device_t:chr_file { getattr ioctl read };
 ifdef(`xdm.te', `
 allow $1_games_t xdm_tmp_t:dir rw_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.3/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te	2005-03-14 14:50:45.000000000 -0500
+++ policy-1.23.3/macros/program/gift_macros.te	2005-03-17 10:52:48.000000000 -0500
@@ -12,20 +12,18 @@
 
 define(`gift_domain', `
 
-# Connect to X
-x_client_domain($1, gift, `')	
-
-# Transition
+# Type transition
+type $1_gift_t, domain, nscd_client_domain;
 domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
-can_exec($1_gift_t, gift_exec_t)
 role $1_r types $1_gift_t;
 
+# X access, Home access
+x_client_domain($1, gift)
+home_domain($1, gift)
+
 # Self permissions
 allow $1_gift_t self:process getsched;
 
-# Home files
-home_domain($1, gift)
-
 # Fonts, icons
 r_dir_file($1_gift_t, usr_t)
 r_dir_file($1_gift_t, fonts_t)
@@ -56,7 +54,7 @@
 
 # giftui looks in .icons, .themes, .fonts-cache.
 dontaudit $1_gift_t $1_home_t:dir { getattr read search };
-dontaudit $1_gift_t $1_home_t:file { getattr read };
+dontaudit $1_gift_t $1_home_t:file { getattr read unlink };
 
 ') dnl gift_domain
 
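Review bot: Adding `unlink` to the dontaudit on `$1_home_t:file` hides attempts by the gift domain to delete files in the user's home directory, a different class of event from the `getattr read` lookups the comment above (`.icons, .themes, .fonts-cache`) explains. A dontaudit on unlink removes the audit record that would reveal a client deleting user files, so the comment should name what it tries to unlink and why the denial is harmless, e.g. `# giftui also tries to unlink <file> under $HOME; denied, harmless -- confirm`. gift_domain's definition starts before the hunk.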
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.3/macros/program/mozilla_macros.te
--- nsapolicy/macros/program/mozilla_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/mozilla_macros.te	2005-03-17 10:52:51.000000000 -0500
@@ -16,12 +16,16 @@
 # provided separately in domains/program/mozilla.te. 
 #
 define(`mozilla_domain',`
-x_client_domain($1, mozilla, `, web_client_domain, privlog, transitionbool')
+type $1_mozilla_t, domain, web_client_domain, privlog;
 
-# Configuration
-home_domain($1, mozilla)
+# Type transition
+if (! disable_mozilla_trans) {
+domain_auto_trans($1_t, mozilla_exec_t, $1_mozilla_t)
+}
+role $1_r types $1_mozilla_t;
 
-# Allow mozilla to browse files
+home_domain($1, mozilla)
+x_client_domain($1, mozilla)
 file_browse_domain($1_mozilla_t)
 
 allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
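Review bot: The new declaration `type $1_mozilla_t, domain, web_client_domain, privlog;` drops `nscd_client_domain`, which the removed `x_client_domain(...)` call supplied (its deleted body reads `type $1_$2_t, domain, nscd_client_domain $3;`); the games, gift, screen and tvtime rewrites in this commit keep that attribute, and `type $1_mplayer_t, domain;` in mplayer_macros.te drops it as well. If a browser doing name lookups should still use nscd, add it back: `type $1_mozilla_t, domain, nscd_client_domain, web_client_domain, privlog;`; if the omission is deliberate, a comment saying so stops the next reader from restoring it. mozilla_domain continues past the hunk.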
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.3/macros/program/mplayer_macros.te
--- nsapolicy/macros/program/mplayer_macros.te	2005-03-15 08:02:24.000000000 -0500
+++ policy-1.23.3/macros/program/mplayer_macros.te	2005-03-17 11:52:46.000000000 -0500
@@ -64,13 +64,15 @@
 
 define(`mplayer_domain',`
 
-# Derive from X client domain
-x_client_domain($1, `mplayer', `')
+type $1_mplayer_t, domain;
 
-# Mplayer configuration here
-home_domain($1, mplayer)
+# Type transition
+domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
+role $1_r types $1_mplayer_t;
 
-# Allow mplayer to browse files
+# Home access, X access, Browse files
+home_domain($1, mplayer)
+x_client_domain($1, mplayer)
 file_browse_domain($1_mplayer_t)
 
 # Mplayer common stuff
@@ -85,6 +87,9 @@
 # Read home directory content
 r_dir_file($1_mplayer_t, $1_home_t);
 
+# Read CDs
+r_dir_file($1_mplayer_t, removable_t);
+
 # Legacy domain issues
 if (allow_mplayer_execstack) {
 allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
@@ -101,12 +106,11 @@
 # FIXME: privhome temporarily removed...
 type $1_mencoder_t, domain;
 
-# Transition
+# Type transition
 domain_auto_trans($1_t, mencoder_exec_t, $1_mencoder_t)
-can_exec($1_mencoder_t, mencoder_exec_t)
 role $1_r types $1_mencoder_t;
 
-# Read home config
+# Access mplayer home domain
 home_domain_access($1_mencoder_t, $1, mplayer)
 
 # Mplayer common stuff
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.23.3/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/screen_macros.te	2005-03-17 10:51:55.000000000 -0500
@@ -21,7 +21,7 @@
 ifdef(`screen.te', `
 define(`screen_domain',`
 # Derived domain based on the calling user domain and the program.
-type $1_screen_t, domain, privlog, privfd;
+type $1_screen_t, domain, privlog, privfdm, nscd_client_domain;
 
 # Transition from the user domain to this domain.
 domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
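Review bot: The new line replaces the `privfd` attribute with `privfdm`, a name that appears nowhere else on this page; if it is a typo for `privfd`, checkpolicy rejects the undeclared attribute and the build fails, and if `privfdm` is a real attribute it is not the fd-passing privilege the old line granted. Confirm the intended spelling, presumably `type $1_screen_t, domain, privlog, privfd, nscd_client_domain;`. The same line in the updated policy-20050311.patch (`privfdm nscd_client_domain`) is also missing the comma between the two attributes.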
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.3/macros/program/tvtime_macros.te
--- nsapolicy/macros/program/tvtime_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/tvtime_macros.te	2005-03-17 10:52:55.000000000 -0500
@@ -19,16 +19,22 @@
 ifdef(`tvtime.te', `
 define(`tvtime_domain',`
 
+# Type transition
+type $1_tvtime_t, domain, nscd_client_domain;
+domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
+role $1_r types $1_tvtime_t;
+
+# Home access, X access
 home_domain($1, tvtime)
+tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
 x_client_domain($1, tvtime)
 
 allow $1_tvtime_t urandom_device_t:chr_file read;
 allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
 allow $1_tvtime_t kernel_t:system ipc_info;
-allow $1_tvtime_t sound_device_t:chr_file read;
+allow $1_tvtime_t sound_device_t:chr_file { ioctl read };
 allow $1_tvtime_t $1_home_t:dir { getattr read search };
 allow $1_tvtime_t $1_home_t:file { getattr read };
-tmp_domain($1_tvtime)
 allow $1_tvtime_t self:capability { setuid sys_nice sys_resource };
 allow $1_tvtime_t self:process setsched;
 allow $1_tvtime_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.3/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te	2005-03-11 15:31:07.000000000 -0500
+++ policy-1.23.3/macros/program/x_client_macros.te	2005-03-17 10:52:55.000000000 -0500
@@ -37,39 +37,11 @@
 ')
 
 #
-# x_client_domain(domain_prefix)
+# x_client_domain(user, app)
 #
-# Define a derived domain for an X program when executed by
-# a user domain.  
-#
-# The type declaration for the executable type for this program ($2_exec_t)
-# must be provided separately!
-#
-# The first parameter is the base name for the domain/role (EG user or sysadm)
-# The second parameter is the program name (EG $2)
-# The third parameter is the attributes for the domain (if any)
+# Defines common X access rules for the user_app_t domain
 #
 define(`x_client_domain',`
-# Derived domain based on the calling user domain and the program.
-type $1_$2_t, domain, nscd_client_domain $3;
-
-ifelse(index(`$3', `transitionbool'), -1, `
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-can_exec($1_$2_t, $2_exec_t)
-', `
-# Only do it once
-ifelse($1, user, `
-bool disable_$2 false;
-')
-# Transition from the user domain to the derived domain.
-if (! disable_$2) {
-domain_auto_trans($1_t, $2_exec_t, $1_$2_t)
-can_exec($1_$2_t, $2_exec_t)
-}
-')
-
-# The user role is authorized for this domain.
-role $1_r types $1_$2_t;
 
 # This domain is granted permissions common to most domains (including can_net)
 can_network($1_$2_t)
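Review bot: The new header `Defines common X access rules for the user_app_t domain` no longer states that `$1_$2_t` must already be declared and authorised for `$1_r` by the caller, which is exactly what the deleted body did and what every rewritten caller (games, gift, mozilla, mplayer, tvtime) now does before invoking the macro; a caller that forgets gets an undeclared-type error at the first `can_network($1_$2_t)`. Suggest adding `# The caller must declare type $1_$2_t, run role $1_r types $1_$2_t and set up its domain_auto_trans before invoking this macro.` The old note that `$2_exec_t` must be provided separately is still true and was dropped with the rest. The macro body continues past the hunk.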
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.3/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.3/tunables/distro.tun	2005-03-17 10:51:55.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.3/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.3/tunables/tunable.tun	2005-03-17 10:51:55.000000000 -0500
@@ -1,27 +1,27 @@
 # Allow users to execute the mount command
-dnl define(`user_can_mount')
+define(`user_can_mount')
 
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
-dnl define(`unlimitedUtils')
+define(`unlimitedUtils')
 
 # Allow rc scripts to run unconfined, including any daemon
 # started by an rc script that does not have a domain transition
 # explicitly defined.
-dnl define(`unlimitedRC')
+define(`unlimitedRC')
 
 # Allow sysadm_t to directly start daemons
 define(`direct_sysadm_daemon')
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
-dnl define(`user_canbe_sysadm')
+define(`user_canbe_sysadm')
 
 # Allow xinetd to run unconfined, including any services it starts
 # that do not have a domain transition explicitly defined.
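Review bot: This hunk enables `unlimitedRPM`, `unlimitedUtils`, `unlimitedRC` and `user_canbe_sysadm` in a package named selinux-policy-strict without saying why; by the tunables' own comments these let rpm, hotplug/insmod and every rc-started daemon without an explicit transition run unconfined, which materially changes what "strict" confines. The same flips already sat in policy-20050311.patch (shown later on this page), so this carries a decision forward rather than making a new one, but a comment above the block, `# Fedora build: unlimited* enabled because <reason>; revisit when <condition>`, would keep it visible to whoever next regenerates the patch.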


Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/.cvsignore,v
retrieving revision 1.100
retrieving revision 1.101
diff -u -r1.100 -r1.101
--- .cvsignore	15 Mar 2005 13:10:01 -0000	1.100
+++ .cvsignore	18 Mar 2005 20:47:49 -0000	1.101
@@ -66,3 +66,4 @@
 policy-1.22.1.tgz
 policy-1.23.1.tgz
 policy-1.23.2.tgz
+policy-1.23.3.tgz

policy-20050311.patch:
 domains/program/unused/mta.te   |    2 +-
 macros/program/screen_macros.te |    2 +-
 tunables/distro.tun             |    2 +-
 tunables/tunable.tun            |   12 ++++++------
 4 files changed, 9 insertions(+), 9 deletions(-)

Index: policy-20050311.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050311.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20050311.patch	15 Mar 2005 13:10:01 -0000	1.3
+++ policy-20050311.patch	18 Mar 2005 20:47:49 -0000	1.4
@@ -1,6 +1,27 @@
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.1/tunables/distro.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.2/domains/program/unused/mta.te
+--- nsapolicy/domains/program/unused/mta.te	2005-03-11 15:31:06.000000000 -0500
++++ policy-1.23.2/domains/program/unused/mta.te	2005-03-15 08:27:55.071104648 -0500
+@@ -81,4 +81,4 @@
+ allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
+ 
+ allow system_mail_t etc_runtime_t:file { getattr read };
+-allow system_mail_t urandom_device_t:chr_file read;
++allow system_mail_t { random_device_t urandom_device_t }:chr_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.23.2/macros/program/screen_macros.te
+--- nsapolicy/macros/program/screen_macros.te	2005-03-11 15:31:07.000000000 -0500
++++ policy-1.23.2/macros/program/screen_macros.te	2005-03-15 08:11:48.144099896 -0500
+@@ -21,7 +21,7 @@
+ ifdef(`screen.te', `
+ define(`screen_domain',`
+ # Derived domain based on the calling user domain and the program.
+-type $1_screen_t, domain, privlog, privfd;
++type $1_screen_t, domain, privlog, privfdm nscd_client_domain;
+ 
+ # Transition from the user domain to this domain.
+ domain_auto_trans($1_t, screen_exec_t, $1_screen_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.2/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.1/tunables/distro.tun	2005-03-11 21:18:59.000000000 -0500
++++ policy-1.23.2/tunables/distro.tun	2005-03-15 08:10:59.391511416 -0500
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -10,9 +31,9 @@
  
  dnl define(`distro_suse')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.1/tunables/tunable.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.2/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.1/tunables/tunable.tun	2005-03-11 21:18:59.000000000 -0500
++++ policy-1.23.2/tunables/tunable.tun	2005-03-15 08:10:59.392511264 -0500
 @@ -1,27 +1,27 @@
  # Allow users to execute the mount command
 -dnl define(`user_can_mount')
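Review bot: After this commit the spec's `Patch1` points at policy-20050317.patch, so policy-20050311.patch is no longer applied and the edits made to it here are dead weight; the commit already deletes five older policy-*.patch files and this one could go with them. If it is kept for reference, note that its screen_macros hunk reads `privfdm nscd_client_domain` with no comma between the attributes, so re-applying it would not build.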


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.255
retrieving revision 1.256
diff -u -r1.255 -r1.256
--- selinux-policy-strict.spec	15 Mar 2005 13:10:01 -0000	1.255
+++ selinux-policy-strict.spec	18 Mar 2005 20:47:49 -0000	1.256
@@ -8,15 +8,16 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.23.2
-Release: 1
+Version: 1.23.3
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
 Source1: booleans
 Prefix: %{_prefix}
 BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch1: policy-20050311.patch
+Patch1: policy-20050317.patch
+Patch2: x_client_cleanup.diff
 
 BuildArch: noarch
 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
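Review bot: `Patch2: x_client_cleanup.diff` is applied in %prep (`%patch2 -p1`), but x_client_cleanup.diff is not listed under Added or Modified Files in this commit and is not in `sources`, so unless it was committed separately the build stops at %prep on a missing patch. Either commit the file alongside this change or, if the x_client work is already folded into policy-20050317.patch (which this page shows rewriting x_client_macros.te), drop the `Patch2:` and `%patch2 -p1` lines.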
@@ -42,11 +43,12 @@
 %prep
 %setup -q -n policy-%{version}
 %patch1 -p1
+%patch2 -p1
 
 %build
 mv domains/misc/unused/* domains/misc
 mv domains/program/unused/* domains/program/
-(cd domains/program/; mv -f amavis.te asterisk.te audio-entropyd.te authbind.te backup.te calamaris.te ciped.te clamav.te courier.te distcc.te dante.te ddclient.te devfsd.te dnsmasq.te dpk* gatekeeper* gift.te imazesrv.te ircd.te jabberd.te lcd.te lrrd.te monopd.te nagios.te nessusd.te nrpe.te nsd.te oav-update.te openca-ca.te openvpn.te perdition.te portslave.te postgrey.te pump.te pxe.te qmail* resmgrd.te rssh.te scannerdaemon.te seuser* sound-server.te speedmgmt.te snort.te sxid.te tiny* transproxy.te uml_net* uptimed.te uwimapd.te watchdog.te xprint* unused/)
+(cd domains/program/; mv -f amavis.te asterisk.te audio-entropyd.te authbind.te backup.te calamaris.te ciped.te clamav.te clockspeed.fc courier.te daemontools.te distcc.te djbdns.te dante.te ddclient.te devfsd.te dnsmasq.te dpk* gatekeeper* gift.te imazesrv.te ircd.te jabberd.te lcd.te lrrd.te monopd.te nagios.te nessusd.te nrpe.te nsd.te nx_server.te oav-update.te openca-ca.te openvpn.te perdition.te portslave.te postgrey.te publicfile.te pump.te pxe.te qmail* resmgrd.te rssh.te scannerdaemon.te seuser* sound-server.te speedmgmt.te snort.te sxid.te tiny* transproxy.te ucspi-tcp.te uml_net* uptimed.te uwimapd.te watchdog.te xprint* unused/)
 make policy
 rm -rf tmp
 
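Review bot: The rewritten mv list contains `clockspeed.fc` among otherwise `.te` names; domains/program/ holds `.te` files and file contexts live under file_contexts/program/, so this looks like a typo for `clockspeed.te`. If so, clockspeed.te stays in domains/program and is built into the strict policy, and `mv -f` on a non-existent source makes the subshell exit non-zero, which is fatal if the build shell runs with `-e` as rpmbuild's does by default -- check the tarball's contents before changing it to `clockspeed.te`.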
@@ -214,6 +216,15 @@
 exit 0
 
 %changelog
+* Fri Mar 18 2005 Dan Walsh <dwalsh at redhat.com> 1.23.3-2
+- Allow cups/lpd to bind to a port 
+
+* Thu Mar 17 2005 Dan Walsh <dwalsh at redhat.com> 1.23.3-1
+- Update from NSA
+	* Added policy for nx_server from Thomas Bleher.
+	* Added policies for clockspeed, daemontools, djbdns, ucspi-tcp, and
+	publicfile from Petre Rodan.
+
 * Tue Mar 15 2005 Dan Walsh <dwalsh at redhat.com> 1.23.2-1
 - Update from NSA
 	* Merged diffs from Dan Walsh.  Dan's patch includes Ivan Gyurdiev's 


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/sources,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -r1.106 -r1.107
--- sources	15 Mar 2005 13:10:01 -0000	1.106
+++ sources	18 Mar 2005 20:47:49 -0000	1.107
@@ -1 +1 @@
-afa1186e4f065417b678b7e6868a4157  policy-1.23.2.tgz
+75e0fe2b1274dd410f5f04b4fae56332  policy-1.23.3.tgz


--- policy-20050201.patch DELETED ---


--- policy-20050208.patch DELETED ---


--- policy-20050210.patch DELETED ---


--- policy-20050217.patch DELETED ---


--- policy-20050224.patch DELETED ---



