rpms/selinux-policy-targeted/devel policy-20050322.patch, 1.1, 1.2 selinux-policy-targeted.spec, 1.256, 1.257
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Mar 22 18:51:22 UTC 2005
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv5933
Modified Files:
policy-20050322.patch selinux-policy-targeted.spec
Log Message:
* Tue Mar 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-2
- Cleanups to httpd_unconfined_script_t
policy-20050322.patch:
assert.te | 50 +++++++++++++++++-----------------
domains/program/initrc.te | 1
domains/program/mount.te | 3 ++
domains/program/netutils.te | 1
domains/program/ssh.te | 1
domains/program/unused/amavis.te | 1
domains/program/unused/apache.te | 23 +++++++++++++++
domains/program/unused/backup.te | 1
domains/program/unused/canna.te | 1
domains/program/unused/clockspeed.te | 1
domains/program/unused/cups.te | 2 +
domains/program/unused/cyrus.te | 1
domains/program/unused/ddclient.te | 1
domains/program/unused/devfsd.te | 1
domains/program/unused/dhcpc.te | 1
domains/program/unused/dhcpd.te | 1
domains/program/unused/djbdns.te | 1
domains/program/unused/dovecot.te | 1
domains/program/unused/dpkg.te | 1
domains/program/unused/fetchmail.te | 2 +
domains/program/unused/ftpd.te | 1
domains/program/unused/i18n_input.te | 1
domains/program/unused/inetd.te | 1
domains/program/unused/innd.te | 1
domains/program/unused/lpd.te | 1
domains/program/unused/mailman.te | 1
domains/program/unused/mrtg.te | 1
domains/program/unused/named.te | 2 +
domains/program/unused/nessusd.te | 1
domains/program/unused/nscd.te | 1
domains/program/unused/nsd.te | 1
domains/program/unused/ntpd.te | 1
domains/program/unused/nx_server.te | 1
domains/program/unused/ping.te | 1
domains/program/unused/portmap.te | 4 +-
domains/program/unused/postfix.te | 3 ++
domains/program/unused/privoxy.te | 1
domains/program/unused/rhgb.te | 1
domains/program/unused/rpcd.te | 1
domains/program/unused/rpm.te | 1
domains/program/unused/samba.te | 1
domains/program/unused/sendmail.te | 1
domains/program/unused/slapd.te | 2 -
domains/program/unused/squid.te | 1
domains/program/unused/stunnel.te | 1
domains/program/unused/traceroute.te | 1
domains/program/unused/ucspi-tcp.te | 1
domains/program/unused/uwimapd.te | 1
domains/program/unused/vpnc.te | 1
domains/program/unused/watchdog.te | 1
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 1
domains/program/unused/ypbind.te | 1
flask/access_vectors | 1
macros/base_user_macros.te | 1
macros/global_macros.te | 1
macros/network_macros.te | 6 +++-
macros/program/apache_macros.te | 10 +++++-
macros/program/chroot_macros.te | 1
macros/program/crond_macros.te | 1
macros/program/gift_macros.te | 1
macros/program/gpg_macros.te | 2 +
macros/program/irc_macros.te | 1
macros/program/java_macros.te | 1
macros/program/kerberos_macros.te | 1
macros/program/lpr_macros.te | 1
macros/program/mta_macros.te | 1
macros/program/screen_macros.te | 1
macros/program/spamassassin_macros.te | 2 +
macros/program/ssh_macros.te | 1
macros/program/uml_macros.te | 1
macros/program/x_client_macros.te | 1
macros/program/xserver_macros.te | 1
man/man8/httpd_selinux.8 | 7 ++++
net_contexts | 10 ++----
tunables/distro.tun | 2 -
tunables/tunable.tun | 12 ++++----
types/file.te | 8 ++---
types/network.te | 17 ++++++-----
79 files changed, 171 insertions(+), 56 deletions(-)
Index: policy-20050322.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050322.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20050322.patch 22 Mar 2005 18:10:11 -0000 1.1
+++ policy-20050322.patch 22 Mar 2005 18:51:20 -0000 1.2
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.23.4/assert.te
--- nsapolicy/assert.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/assert.te 2005-03-22 12:19:28.263022144 -0500
++++ policy-1.23.4/assert.te 2005-03-22 12:36:49.000000000 -0500
@@ -30,56 +30,56 @@
# Verify that only the insmod_t and kernel_t domains
# have the sys_module capability.
@@ -114,7 +114,7 @@
# for gross mistakes in policy
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.4/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.4/domains/program/initrc.te 2005-03-22 12:19:28.264021992 -0500
++++ policy-1.23.4/domains/program/initrc.te 2005-03-22 12:36:49.000000000 -0500
@@ -17,6 +17,7 @@
role system_r types initrc_t;
uses_shlib(initrc_t);
@@ -125,8 +125,13 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.4/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/mount.te 2005-03-22 12:19:28.264021992 -0500
-@@ -65,6 +65,7 @@
++++ policy-1.23.4/domains/program/mount.te 2005-03-22 13:15:17.428871544 -0500
+@@ -62,9 +62,12 @@
+
+ allow mount_t root_t:filesystem unmount;
+
++can_portmap(mount_t)
++
ifdef(`portmap.te', `
# for nfs
can_network(mount_t)
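Review bot: The new `can_portmap(mount_t)` call sits above the `ifdef(`portmap.te', ...` block rather than inside it, so mount_t is granted client access and `name_connect` to portmap_port_t (per the `can_portmap` definition added to network_macros.te later in this patch) unconditionally, while the related `can_network(mount_t)` stays guarded. If portmap_port_t is declared in types/network.te rather than in portmap.te this still compiles, but the grant then applies even on systems where the portmap policy is not built. Either move the call inside the existing `ifdef(`portmap.te'` guard, or keep it where it is with a comment such as `# mount contacts portmap to locate mountd/nfsd for NFS mounts` so the unconditional grant is visibly intentional.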
@@ -136,7 +141,7 @@
allow mount_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/netutils.te policy-1.23.4/domains/program/netutils.te
--- nsapolicy/domains/program/netutils.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/netutils.te 2005-03-22 12:19:28.265021840 -0500
++++ policy-1.23.4/domains/program/netutils.te 2005-03-22 12:36:49.000000000 -0500
@@ -16,6 +16,7 @@
uses_shlib(netutils_t)
@@ -147,7 +152,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.4/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/ssh.te 2005-03-22 12:19:28.265021840 -0500
++++ policy-1.23.4/domains/program/ssh.te 2005-03-22 12:36:49.000000000 -0500
@@ -69,6 +69,7 @@
allow $1_t urandom_device_t:chr_file { getattr read };
@@ -158,7 +163,7 @@
allow $1_t { home_root_t home_dir_type }:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amavis.te policy-1.23.4/domains/program/unused/amavis.te
--- nsapolicy/domains/program/unused/amavis.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/amavis.te 2005-03-22 12:19:28.266021688 -0500
++++ policy-1.23.4/domains/program/unused/amavis.te 2005-03-22 12:36:49.000000000 -0500
@@ -27,6 +27,7 @@
# networking
@@ -169,7 +174,7 @@
can_tcp_connect(amavisd_t, mail_server_domain)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.4/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 12:19:28.267021536 -0500
++++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 13:41:52.893324080 -0500
@@ -42,6 +42,9 @@
# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;
@@ -200,18 +205,28 @@
can_ypbind(httpd_t)
###################
-@@ -352,3 +360,8 @@
+@@ -352,3 +360,18 @@
allow httpd_sys_script_t var_lib_t:dir search;
dontaudit httpd_t selinux_config_t:dir search;
r_dir_file(httpd_t, cert_t)
+
++#
++# unconfined domain for apache scripts. Only to be used as a last resort
++#
+type httpd_unconfined_script_exec_t, file_type, sysadmfile, customizable;
-+type httpd_unconfined_t, domain;
-+unconfined_domain(httpd_unconfined_t)
-+domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_t)
++type httpd_unconfined_script_t, domain, nscd_client_domain;
++role system_r types httpd_unconfined_script_t;
++unconfined_domain(httpd_unconfined_script_t)
++if (httpd_enable_cgi) {
++domain_auto_trans(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
++domain_auto_trans(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
++allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
++allow httpd_t httpd_unconfined_script_exec_t:dir r_dir_perms;
++}
++
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/backup.te policy-1.23.4/domains/program/unused/backup.te
--- nsapolicy/domains/program/unused/backup.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/backup.te 2005-03-22 12:19:28.267021536 -0500
++++ policy-1.23.4/domains/program/unused/backup.te 2005-03-22 12:36:49.000000000 -0500
@@ -27,6 +27,7 @@
allow backup_t urandom_device_t:chr_file read;
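Review bot: The transition into the fully unconfined httpd_unconfined_script_t domain is gated only by the general `httpd_enable_cgi` boolean, so an administrator who turns on ordinary confined CGI also silently enables the unconfined path for anything labelled httpd_unconfined_script_exec_t. The `customizable` attribute on the exec type means a file only reaches that path after an explicit relabel, which limits the exposure, but a dedicated toggle would match the "last resort" intent stated in the comment; a constructed example is `bool httpd_unconfined_scripts false;` together with `if (httpd_enable_cgi && httpd_unconfined_scripts) {`. The same point applies to the `httpd_suexec_t` transition on the following line, which is inside the same conditional. The man/man8/httpd_selinux.8 change in the diffstat is outside this page, so I cannot tell whether the new type and its conditions are documented there; they should be, since this is the one domain in the apache policy that bypasses confinement entirely.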
@@ -222,7 +237,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.23.4/domains/program/unused/canna.te
--- nsapolicy/domains/program/unused/canna.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/canna.te 2005-03-22 12:19:28.268021384 -0500
++++ policy-1.23.4/domains/program/unused/canna.te 2005-03-22 12:36:49.000000000 -0500
@@ -29,6 +29,7 @@
rw_dir_create_file(canna_t, canna_var_lib_t)
@@ -233,7 +248,7 @@
allow userdomain canna_var_run_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clockspeed.te policy-1.23.4/domains/program/unused/clockspeed.te
--- nsapolicy/domains/program/unused/clockspeed.te 2005-03-15 12:54:54.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/clockspeed.te 2005-03-22 12:19:28.268021384 -0500
++++ policy-1.23.4/domains/program/unused/clockspeed.te 2005-03-22 12:36:49.000000000 -0500
@@ -8,6 +8,7 @@
daemon_base_domain(clockspeed)
var_lib_domain(clockspeed)
@@ -244,7 +259,7 @@
allow clockspeed_t self:capability { sys_time net_bind_service };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.4/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-03-21 22:32:18.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/cups.te 2005-03-22 12:19:28.281019408 -0500
++++ policy-1.23.4/domains/program/unused/cups.te 2005-03-22 12:36:49.000000000 -0500
@@ -19,6 +19,7 @@
typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
@@ -263,7 +278,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.23.4/domains/program/unused/cyrus.te
--- nsapolicy/domains/program/unused/cyrus.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/cyrus.te 2005-03-22 12:19:28.282019256 -0500
++++ policy-1.23.4/domains/program/unused/cyrus.te 2005-03-22 12:36:49.000000000 -0500
@@ -18,6 +18,7 @@
allow initrc_su_t cyrus_var_lib_t:dir search;
@@ -274,7 +289,7 @@
allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ddclient.te policy-1.23.4/domains/program/unused/ddclient.te
--- nsapolicy/domains/program/unused/ddclient.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/ddclient.te 2005-03-22 12:19:28.282019256 -0500
++++ policy-1.23.4/domains/program/unused/ddclient.te 2005-03-22 12:36:49.000000000 -0500
@@ -32,6 +32,7 @@
# network-related goodies
@@ -285,7 +300,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/devfsd.te policy-1.23.4/domains/program/unused/devfsd.te
--- nsapolicy/domains/program/unused/devfsd.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/devfsd.te 2005-03-22 12:19:28.283019104 -0500
++++ policy-1.23.4/domains/program/unused/devfsd.te 2005-03-22 12:36:49.000000000 -0500
@@ -90,4 +90,5 @@
# for nss-ldap etc
@@ -294,7 +309,7 @@
can_ypbind(devfsd_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpc.te policy-1.23.4/domains/program/unused/dhcpc.te
--- nsapolicy/domains/program/unused/dhcpc.te 2005-03-21 22:32:18.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/dhcpc.te 2005-03-22 12:19:28.283019104 -0500
++++ policy-1.23.4/domains/program/unused/dhcpc.te 2005-03-22 12:36:49.000000000 -0500
@@ -23,6 +23,7 @@
allow dhcpc_t urandom_device_t:chr_file read;
@@ -305,7 +320,7 @@
allow dhcpc_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.23.4/domains/program/unused/dhcpd.te
--- nsapolicy/domains/program/unused/dhcpd.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/dhcpd.te 2005-03-22 12:19:28.284018952 -0500
++++ policy-1.23.4/domains/program/unused/dhcpd.te 2005-03-22 12:36:49.000000000 -0500
@@ -30,6 +30,7 @@
# Use the network.
@@ -316,7 +331,7 @@
allow dhcpd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/djbdns.te policy-1.23.4/domains/program/unused/djbdns.te
--- nsapolicy/domains/program/unused/djbdns.te 2005-03-15 12:54:54.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/djbdns.te 2005-03-22 12:19:28.284018952 -0500
++++ policy-1.23.4/domains/program/unused/djbdns.te 2005-03-22 12:36:49.000000000 -0500
@@ -15,6 +15,7 @@
domain_auto_trans( svc_run_t, djbdns_$1_exec_t, djbdns_$1_t)
svc_ipc_domain(djbdns_$1_t)
@@ -327,7 +342,7 @@
r_dir_file(djbdns_$1_t, djbdns_$1_conf_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.23.4/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te 2005-03-21 22:32:18.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/dovecot.te 2005-03-22 12:19:28.285018800 -0500
++++ policy-1.23.4/domains/program/unused/dovecot.te 2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
allow dovecot_t self:capability { dac_override dac_read_search chown net_bind_service setgid setuid sys_chroot };
allow dovecot_t self:process setrlimit;
@@ -338,7 +353,7 @@
allow dovecot_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dpkg.te policy-1.23.4/domains/program/unused/dpkg.te
--- nsapolicy/domains/program/unused/dpkg.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/dpkg.te 2005-03-22 12:19:28.285018800 -0500
++++ policy-1.23.4/domains/program/unused/dpkg.te 2005-03-22 12:36:49.000000000 -0500
@@ -322,6 +322,7 @@
allow apt_t self:process { signal sigchld fork };
allow apt_t sysadm_t:process sigchld;
@@ -349,7 +364,7 @@
allow { apt_t dpkg_t } var_t:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fetchmail.te policy-1.23.4/domains/program/unused/fetchmail.te
--- nsapolicy/domains/program/unused/fetchmail.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/fetchmail.te 2005-03-22 12:19:28.286018648 -0500
++++ policy-1.23.4/domains/program/unused/fetchmail.te 2005-03-22 12:36:49.000000000 -0500
@@ -18,6 +18,8 @@
# network-related goodies
@@ -361,7 +376,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ftpd.te policy-1.23.4/domains/program/unused/ftpd.te
--- nsapolicy/domains/program/unused/ftpd.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/ftpd.te 2005-03-22 12:19:28.286018648 -0500
++++ policy-1.23.4/domains/program/unused/ftpd.te 2005-03-22 12:36:49.000000000 -0500
@@ -16,6 +16,7 @@
typealias ftpd_etc_t alias etc_ftpd_t;
@@ -372,7 +387,7 @@
allow ftpd_t self:process { getcap setcap setsched setrlimit };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.4/domains/program/unused/i18n_input.te
--- nsapolicy/domains/program/unused/i18n_input.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/i18n_input.te 2005-03-22 12:19:28.287018496 -0500
++++ policy-1.23.4/domains/program/unused/i18n_input.te 2005-03-22 12:36:49.000000000 -0500
@@ -10,6 +10,7 @@
can_exec(i18n_input_t, i18n_input_exec_t)
@@ -383,7 +398,7 @@
can_tcp_connect(userdomain, i18n_input_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/inetd.te policy-1.23.4/domains/program/unused/inetd.te
--- nsapolicy/domains/program/unused/inetd.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/inetd.te 2005-03-22 12:19:28.287018496 -0500
++++ policy-1.23.4/domains/program/unused/inetd.te 2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
daemon_domain(inetd, `ifdef(`unlimitedInetd', `,admin, etc_writer, fs_domain, auth_write, privmem')' )
@@ -394,7 +409,7 @@
allow inetd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/innd.te policy-1.23.4/domains/program/unused/innd.te
--- nsapolicy/domains/program/unused/innd.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/innd.te 2005-03-22 12:19:28.288018344 -0500
++++ policy-1.23.4/domains/program/unused/innd.te 2005-03-22 12:36:49.000000000 -0500
@@ -29,6 +29,7 @@
allow innd_t var_spool_t:dir { getattr search };
@@ -405,7 +420,7 @@
can_unix_send( { innd_t sysadm_t }, { innd_t sysadm_t } )
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lpd.te policy-1.23.4/domains/program/unused/lpd.te
--- nsapolicy/domains/program/unused/lpd.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/lpd.te 2005-03-22 12:19:28.288018344 -0500
++++ policy-1.23.4/domains/program/unused/lpd.te 2005-03-22 12:36:49.000000000 -0500
@@ -37,6 +37,7 @@
role system_r types checkpc_t;
uses_shlib(checkpc_t)
@@ -416,7 +431,7 @@
type checkpc_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.23.4/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/mailman.te 2005-03-22 12:19:28.289018192 -0500
++++ policy-1.23.4/domains/program/unused/mailman.te 2005-03-22 12:36:49.000000000 -0500
@@ -30,6 +30,7 @@
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t fs_t:filesystem getattr;
@@ -427,7 +442,7 @@
allow mailman_$1_t var_t:dir r_dir_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mrtg.te policy-1.23.4/domains/program/unused/mrtg.te
--- nsapolicy/domains/program/unused/mrtg.te 2005-03-21 22:32:19.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/mrtg.te 2005-03-22 12:19:28.289018192 -0500
++++ policy-1.23.4/domains/program/unused/mrtg.te 2005-03-22 12:36:49.000000000 -0500
@@ -32,6 +32,7 @@
# Use the network.
@@ -438,7 +453,7 @@
allow mrtg_t self:fifo_file { getattr read write ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.4/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/named.te 2005-03-22 12:19:28.290018040 -0500
++++ policy-1.23.4/domains/program/unused/named.te 2005-03-22 12:36:49.000000000 -0500
@@ -54,6 +54,7 @@
#Named can use network
@@ -457,7 +472,7 @@
read_locale(ndc_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nessusd.te policy-1.23.4/domains/program/unused/nessusd.te
--- nsapolicy/domains/program/unused/nessusd.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/nessusd.te 2005-03-22 12:19:28.290018040 -0500
++++ policy-1.23.4/domains/program/unused/nessusd.te 2005-03-22 12:36:49.000000000 -0500
@@ -23,6 +23,7 @@
# Use the network.
@@ -468,7 +483,7 @@
#allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.23.4/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/nscd.te 2005-03-22 12:19:28.291017888 -0500
++++ policy-1.23.4/domains/program/unused/nscd.te 2005-03-22 12:36:49.000000000 -0500
@@ -23,6 +23,7 @@
allow nscd_t etc_t:file r_file_perms;
allow nscd_t etc_t:lnk_file read;
@@ -479,7 +494,7 @@
file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nsd.te policy-1.23.4/domains/program/unused/nsd.te
--- nsapolicy/domains/program/unused/nsd.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/nsd.te 2005-03-22 12:19:28.292017736 -0500
++++ policy-1.23.4/domains/program/unused/nsd.te 2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
role system_r types nsd_crond_t;
uses_shlib(nsd_crond_t)
@@ -490,7 +505,7 @@
allow nsd_crond_t self:process { fork signal_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.23.4/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/ntpd.te 2005-03-22 12:19:28.292017736 -0500
++++ policy-1.23.4/domains/program/unused/ntpd.te 2005-03-22 12:36:49.000000000 -0500
@@ -41,6 +41,7 @@
# Use the network.
@@ -501,7 +516,7 @@
allow ntpd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nx_server.te policy-1.23.4/domains/program/unused/nx_server.te
--- nsapolicy/domains/program/unused/nx_server.te 2005-03-15 12:54:54.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/nx_server.te 2005-03-22 12:19:28.293017584 -0500
++++ policy-1.23.4/domains/program/unused/nx_server.te 2005-03-22 12:36:49.000000000 -0500
@@ -46,6 +46,7 @@
ssh_domain(nx_server)
@@ -512,7 +527,7 @@
allow nx_server_t sysctl_kernel_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.23.4/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/ping.te 2005-03-22 12:19:28.293017584 -0500
++++ policy-1.23.4/domains/program/unused/ping.te 2005-03-22 12:36:49.000000000 -0500
@@ -32,6 +32,7 @@
uses_shlib(ping_t)
@@ -523,7 +538,7 @@
allow ping_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.23.4/domains/program/unused/portmap.te
--- nsapolicy/domains/program/unused/portmap.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/portmap.te 2005-03-22 12:35:27.083259312 -0500
++++ policy-1.23.4/domains/program/unused/portmap.te 2005-03-22 12:36:49.000000000 -0500
@@ -14,12 +14,11 @@
daemon_domain(portmap, `, nscd_client_domain')
@@ -548,7 +563,7 @@
allow portmap_helper_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.23.4/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/postfix.te 2005-03-22 12:19:28.295017280 -0500
++++ policy-1.23.4/domains/program/unused/postfix.te 2005-03-22 12:36:49.000000000 -0500
@@ -120,6 +120,7 @@
allow postfix_master_t postfix_private_t:sock_file create_file_perms;
allow postfix_master_t postfix_private_t:fifo_file create_file_perms;
@@ -574,7 +589,7 @@
allow postfix_local_t mail_spool_t:file { unlink };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.23.4/domains/program/unused/privoxy.te
--- nsapolicy/domains/program/unused/privoxy.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/privoxy.te 2005-03-22 12:19:28.295017280 -0500
++++ policy-1.23.4/domains/program/unused/privoxy.te 2005-03-22 12:36:49.000000000 -0500
@@ -17,6 +17,7 @@
# Use the network.
@@ -585,7 +600,7 @@
allow privoxy_t self:capability { setgid setuid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.23.4/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/rhgb.te 2005-03-22 12:19:28.296017128 -0500
++++ policy-1.23.4/domains/program/unused/rhgb.te 2005-03-22 12:36:49.000000000 -0500
@@ -40,6 +40,7 @@
dontaudit rhgb_t var_run_t:dir search;
@@ -596,7 +611,7 @@
# for fonts
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpcd.te policy-1.23.4/domains/program/unused/rpcd.te
--- nsapolicy/domains/program/unused/rpcd.te 2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/rpcd.te 2005-03-22 12:19:28.296017128 -0500
++++ policy-1.23.4/domains/program/unused/rpcd.te 2005-03-22 12:36:49.000000000 -0500
@@ -13,6 +13,7 @@
define(`rpc_domain', `
daemon_base_domain($1)
@@ -607,7 +622,7 @@
read_locale($1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.23.4/domains/program/unused/rpm.te
--- nsapolicy/domains/program/unused/rpm.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/rpm.te 2005-03-22 12:19:28.297016976 -0500
++++ policy-1.23.4/domains/program/unused/rpm.te 2005-03-22 12:36:49.000000000 -0500
@@ -31,6 +31,7 @@
log_domain(rpm)
@@ -618,7 +633,7 @@
# Allow the rpm domain to execute other programs
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.4/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/samba.te 2005-03-22 12:19:28.297016976 -0500
++++ policy-1.23.4/domains/program/unused/samba.te 2005-03-22 12:36:49.000000000 -0500
@@ -153,6 +153,7 @@
# Networking
@@ -629,7 +644,7 @@
allow smbmount_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.23.4/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/sendmail.te 2005-03-22 12:19:28.298016824 -0500
++++ policy-1.23.4/domains/program/unused/sendmail.te 2005-03-22 12:36:49.000000000 -0500
@@ -26,6 +26,7 @@
# Use the network.
@@ -640,8 +655,16 @@
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.23.4/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/slapd.te 2005-03-22 12:19:28.298016824 -0500
-@@ -24,6 +24,7 @@
++++ policy-1.23.4/domains/program/unused/slapd.te 2005-03-22 13:20:35.314545576 -0500
+@@ -12,7 +12,6 @@
+ #
+ daemon_domain(slapd)
+
+-type ldap_port_t, port_type, reserved_port_type;
+ allow slapd_t ldap_port_t:tcp_socket name_bind;
+
+ etc_domain(slapd)
+@@ -24,6 +23,7 @@
# Use the network.
can_network(slapd_t)
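Review bot: Removing `type ldap_port_t, port_type, reserved_port_type;` from slapd.te leaves the unchanged `allow slapd_t ldap_port_t:tcp_socket name_bind;` on the next line referencing a type this file no longer declares. The diffstat lists types/network.te as modified, which presumably takes over the declaration so that LDAP client domains can use the port type without slapd.te being built, but that part of the patch is outside this page; please confirm the declaration there is unconditional, otherwise slapd.te fails to compile whenever the new declaration is skipped. A one-line note at the removal point, `# ldap_port_t is declared in types/network.te`, would save the next reader the same search.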
@@ -651,7 +674,7 @@
allow slapd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.4/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/squid.te 2005-03-22 12:19:28.299016672 -0500
++++ policy-1.23.4/domains/program/unused/squid.te 2005-03-22 12:36:49.000000000 -0500
@@ -53,6 +53,7 @@
# Use the network
@@ -662,7 +685,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.23.4/domains/program/unused/stunnel.te
--- nsapolicy/domains/program/unused/stunnel.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/stunnel.te 2005-03-22 12:19:28.299016672 -0500
++++ policy-1.23.4/domains/program/unused/stunnel.te 2005-03-22 12:36:49.000000000 -0500
@@ -8,6 +8,7 @@
daemon_domain(stunnel)
@@ -673,7 +696,7 @@
allow stunnel_t self:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/traceroute.te policy-1.23.4/domains/program/unused/traceroute.te
--- nsapolicy/domains/program/unused/traceroute.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/traceroute.te 2005-03-22 12:19:28.300016520 -0500
++++ policy-1.23.4/domains/program/unused/traceroute.te 2005-03-22 12:36:49.000000000 -0500
@@ -19,6 +19,7 @@
in_user_role(traceroute_t)
uses_shlib(traceroute_t)
@@ -684,7 +707,7 @@
type traceroute_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ucspi-tcp.te policy-1.23.4/domains/program/unused/ucspi-tcp.te
--- nsapolicy/domains/program/unused/ucspi-tcp.te 2005-03-15 12:54:54.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/ucspi-tcp.te 2005-03-22 12:19:28.300016520 -0500
++++ policy-1.23.4/domains/program/unused/ucspi-tcp.te 2005-03-22 12:36:49.000000000 -0500
@@ -9,6 +9,7 @@
daemon_base_domain(utcpserver)
@@ -695,7 +718,7 @@
allow utcpserver_t etc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/uwimapd.te policy-1.23.4/domains/program/unused/uwimapd.te
--- nsapolicy/domains/program/unused/uwimapd.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/uwimapd.te 2005-03-22 12:19:28.301016368 -0500
++++ policy-1.23.4/domains/program/unused/uwimapd.te 2005-03-22 12:36:49.000000000 -0500
@@ -9,6 +9,7 @@
tmp_domain(imapd)
@@ -706,7 +729,7 @@
allow imapd_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/vpnc.te policy-1.23.4/domains/program/unused/vpnc.te
--- nsapolicy/domains/program/unused/vpnc.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/vpnc.te 2005-03-22 12:19:28.301016368 -0500
++++ policy-1.23.4/domains/program/unused/vpnc.te 2005-03-22 12:36:49.000000000 -0500
@@ -16,6 +16,7 @@
# Use the network.
@@ -717,7 +740,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/watchdog.te policy-1.23.4/domains/program/unused/watchdog.te
--- nsapolicy/domains/program/unused/watchdog.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/watchdog.te 2005-03-22 12:19:28.302016216 -0500
++++ policy-1.23.4/domains/program/unused/watchdog.te 2005-03-22 12:36:49.000000000 -0500
@@ -24,6 +24,7 @@
allow watchdog_t self:fifo_file rw_file_perms;
allow watchdog_t self:unix_stream_socket create_socket_perms;
@@ -728,7 +751,7 @@
allow watchdog_t bin_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.4/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/winbind.te 2005-03-22 12:19:28.302016216 -0500
++++ policy-1.23.4/domains/program/unused/winbind.te 2005-03-22 12:36:49.000000000 -0500
@@ -13,6 +13,7 @@
allow winbind_t etc_t:file r_file_perms;
allow winbind_t etc_t:lnk_file read;
@@ -739,7 +762,7 @@
type samba_log_t, file_type, sysadmfile, logfile;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.4/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/xdm.te 2005-03-22 12:19:28.303016064 -0500
++++ policy-1.23.4/domains/program/unused/xdm.te 2005-03-22 12:36:49.000000000 -0500
@@ -46,6 +46,7 @@
allow xdm_t default_context_t:{ file lnk_file } { read getattr };
@@ -750,7 +773,7 @@
allow xdm_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ypbind.te policy-1.23.4/domains/program/unused/ypbind.te
--- nsapolicy/domains/program/unused/ypbind.te 2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/ypbind.te 2005-03-22 12:19:28.304015912 -0500
++++ policy-1.23.4/domains/program/unused/ypbind.te 2005-03-22 12:36:49.000000000 -0500
@@ -20,6 +20,7 @@
# Use the network.
@@ -761,7 +784,7 @@
allow ypbind_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/flask/access_vectors policy-1.23.4/flask/access_vectors
--- nsapolicy/flask/access_vectors 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.4/flask/access_vectors 2005-03-22 12:19:28.304015912 -0500
++++ policy-1.23.4/flask/access_vectors 2005-03-22 12:36:49.000000000 -0500
@@ -161,6 +161,7 @@
newconn
acceptfrom
@@ -772,7 +795,7 @@
class udp_socket
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.4/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-03-15 08:02:24.000000000 -0500
-+++ policy-1.23.4/macros/base_user_macros.te 2005-03-22 12:19:28.305015760 -0500
++++ policy-1.23.4/macros/base_user_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -213,6 +213,7 @@
# Use the network.
@@ -783,7 +806,7 @@
ifdef(`pamconsole.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.4/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/global_macros.te 2005-03-22 12:19:28.306015608 -0500
++++ policy-1.23.4/macros/global_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -679,6 +679,7 @@
allow $1 node_type:node *;
allow $1 netif_type:netif *;
@@ -794,7 +817,7 @@
allow $1 port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.23.4/macros/network_macros.te
--- nsapolicy/macros/network_macros.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/macros/network_macros.te 2005-03-22 12:26:13.019489808 -0500
++++ policy-1.23.4/macros/network_macros.te 2005-03-22 13:16:42.530934064 -0500
@@ -155,14 +155,18 @@
')dnl end can_network definition
@@ -803,7 +826,7 @@
can_network_udp($1, `dns_port_t')
')
+
-+define(`use_portmap',`
++define(`can_portmap',`
+can_network_client($1, `portmap_port_t')
+allow $1 portmap_port_t:tcp_socket name_connect;
')
@@ -817,8 +840,21 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.4/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/apache_macros.te 2005-03-22 12:19:28.307015456 -0500
-@@ -29,7 +29,6 @@
++++ policy-1.23.4/macros/program/apache_macros.te 2005-03-22 13:41:05.642507296 -0500
+@@ -3,10 +3,11 @@
+
+ #This type is for webpages
+ #
+-type httpd_$1_content_t, file_type, ifelse($1, sys, `', `$1_file_type, ') httpdcontent, sysadmfile, customizable;
++type httpd_$1_content_t, file_type, httpdcontent, sysadmfile, customizable;
+ ifelse($1, sys, `
+ typealias httpd_sys_content_t alias httpd_sysadm_content_t;
+ ')
++ifelse($1, sys, `',`typeattribute httpd_$1_content_t $1_file_type;')
+
+ # This type is used for .htaccess files
+ #
+@@ -29,7 +30,6 @@
allow httpd_$1_script_t httpd_t:fd use;
allow httpd_$1_script_t httpd_t:process sigchld;
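Review bot: The new lines test `ifelse($1, sys, …)` twice in a row — once to emit the `httpd_sysadm_content_t` typealias and again, immediately after, to attach `$1_file_type` — where a single two-branch `ifelse` would express the same rule set in one place: `ifelse($1, sys, `typealias httpd_sys_content_t alias httpd_sysadm_content_t;', `typeattribute httpd_$1_content_t $1_file_type;')`. As far as the visible lines show, the rewrite is behaviour-preserving (the `$1_file_type` attribute moves from the `type` statement to a `typeattribute`, still excluding `sys`), so this is purely a readability point. A one-line comment on the `typeattribute` would also help, since it is the line that makes non-sys content types writable by the owning user domain, e.g. `# non-sys content inherits the user's file_type attribute so the user domain can manage its own web content`. The enclosing macro definition begins above line 3 and is outside this hunk.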
@@ -826,7 +862,7 @@
allow httpd_$1_script_t { usr_t lib_t }:file { getattr read ioctl };
allow httpd_$1_script_t usr_t:lnk_file { getattr read };
-@@ -49,6 +48,12 @@
+@@ -49,6 +49,12 @@
allow httpd_$1_script_t device_t:dir { getattr search };
allow httpd_$1_script_t null_device_t:chr_file rw_file_perms;
}
@@ -841,7 +877,7 @@
uncond_can_ypbind(httpd_$1_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chroot_macros.te policy-1.23.4/macros/program/chroot_macros.te
--- nsapolicy/macros/program/chroot_macros.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/macros/program/chroot_macros.te 2005-03-22 12:19:28.308015304 -0500
++++ policy-1.23.4/macros/program/chroot_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -119,6 +119,7 @@
can_create_pty($2)
can_create_pty($2_super)
@@ -852,7 +888,7 @@
allow { $2_t $2_super_t } self:capability { dac_override kill };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/crond_macros.te policy-1.23.4/macros/program/crond_macros.te
--- nsapolicy/macros/program/crond_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/crond_macros.te 2005-03-22 12:19:28.308015304 -0500
++++ policy-1.23.4/macros/program/crond_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -67,6 +67,7 @@
# This domain is granted permissions common to most domains.
@@ -863,7 +899,7 @@
allow $1_crond_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.4/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-03-21 22:32:19.000000000 -0500
-+++ policy-1.23.4/macros/program/gift_macros.te 2005-03-22 12:19:28.309015152 -0500
++++ policy-1.23.4/macros/program/gift_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -34,6 +34,7 @@
# Connect to gift daemon
@@ -874,7 +910,7 @@
allow $1_gift_t proc_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_macros.te policy-1.23.4/macros/program/gpg_macros.te
--- nsapolicy/macros/program/gpg_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/gpg_macros.te 2005-03-22 12:19:28.309015152 -0500
++++ policy-1.23.4/macros/program/gpg_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -25,6 +25,7 @@
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
@@ -893,7 +929,7 @@
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/irc_macros.te policy-1.23.4/macros/program/irc_macros.te
--- nsapolicy/macros/program/irc_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/irc_macros.te 2005-03-22 12:19:28.310015000 -0500
++++ policy-1.23.4/macros/program/irc_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -46,6 +46,7 @@
# Use the network.
@@ -904,7 +940,7 @@
allow $1_irc_t usr_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.4/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/java_macros.te 2005-03-22 12:19:28.310015000 -0500
++++ policy-1.23.4/macros/program/java_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -29,6 +29,7 @@
# This domain is granted permissions common to most domains (including can_net)
@@ -915,7 +951,7 @@
allow $1_javaplugin_t self:unix_stream_socket { connectto create_stream_socket_perms };
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/kerberos_macros.te policy-1.23.4/macros/program/kerberos_macros.te
--- nsapolicy/macros/program/kerberos_macros.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/macros/program/kerberos_macros.te 2005-03-22 12:19:28.311014848 -0500
++++ policy-1.23.4/macros/program/kerberos_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -2,6 +2,7 @@
ifdef(`kerberos.te',`
if (allow_kerberos) {
@@ -926,7 +962,7 @@
') dnl kerberos.te
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/lpr_macros.te policy-1.23.4/macros/program/lpr_macros.te
--- nsapolicy/macros/program/lpr_macros.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/macros/program/lpr_macros.te 2005-03-22 12:19:28.311014848 -0500
++++ policy-1.23.4/macros/program/lpr_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -35,6 +35,7 @@
# This domain is granted permissions common to most domains (including can_net)
@@ -937,7 +973,7 @@
# Use capabilities.
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mta_macros.te policy-1.23.4/macros/program/mta_macros.te
--- nsapolicy/macros/program/mta_macros.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/macros/program/mta_macros.te 2005-03-22 12:19:28.312014696 -0500
++++ policy-1.23.4/macros/program/mta_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -34,6 +34,7 @@
uses_shlib($1_mail_t)
@@ -948,7 +984,7 @@
allow $1_mail_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/screen_macros.te policy-1.23.4/macros/program/screen_macros.te
--- nsapolicy/macros/program/screen_macros.te 2005-03-21 22:32:20.000000000 -0500
-+++ policy-1.23.4/macros/program/screen_macros.te 2005-03-22 12:19:28.312014696 -0500
++++ policy-1.23.4/macros/program/screen_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -81,6 +81,7 @@
allow $1_screen_t tmp_t:dir search;
@@ -959,7 +995,7 @@
# get stats
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/spamassassin_macros.te policy-1.23.4/macros/program/spamassassin_macros.te
--- nsapolicy/macros/program/spamassassin_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/spamassassin_macros.te 2005-03-22 12:19:28.313014544 -0500
++++ policy-1.23.4/macros/program/spamassassin_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -86,6 +86,7 @@
# set tunable if you have spamassassin do DNS lookups
if (spamassasin_can_network) {
@@ -978,7 +1014,7 @@
# Allow connecting to a local spamd
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.4/macros/program/ssh_macros.te
--- nsapolicy/macros/program/ssh_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/ssh_macros.te 2005-03-22 12:19:28.313014544 -0500
++++ policy-1.23.4/macros/program/ssh_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -80,6 +80,7 @@
# Grant permissions needed to create TCP and UDP sockets and
# to access the network.
@@ -989,7 +1025,7 @@
can_kerberos($1_ssh_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/uml_macros.te policy-1.23.4/macros/program/uml_macros.te
--- nsapolicy/macros/program/uml_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/uml_macros.te 2005-03-22 12:19:28.314014392 -0500
++++ policy-1.23.4/macros/program/uml_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -91,6 +91,7 @@
# Use the network.
@@ -1000,7 +1036,7 @@
# for xterm
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.4/macros/program/x_client_macros.te
--- nsapolicy/macros/program/x_client_macros.te 2005-03-21 22:32:20.000000000 -0500
-+++ policy-1.23.4/macros/program/x_client_macros.te 2005-03-22 12:19:28.314014392 -0500
++++ policy-1.23.4/macros/program/x_client_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -45,6 +45,7 @@
# This domain is granted permissions common to most domains (including can_net)
@@ -1011,7 +1047,7 @@
allow $1_$2_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/xserver_macros.te policy-1.23.4/macros/program/xserver_macros.te
--- nsapolicy/macros/program/xserver_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/xserver_macros.te 2005-03-22 12:19:28.315014240 -0500
++++ policy-1.23.4/macros/program/xserver_macros.te 2005-03-22 12:36:49.000000000 -0500
@@ -57,6 +57,7 @@
}
@@ -1022,7 +1058,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.4/man/man8/httpd_selinux.8
--- nsapolicy/man/man8/httpd_selinux.8 2005-02-24 14:51:10.000000000 -0500
-+++ policy-1.23.4/man/man8/httpd_selinux.8 2005-03-22 12:19:28.316014088 -0500
++++ policy-1.23.4/man/man8/httpd_selinux.8 2005-03-22 12:36:49.000000000 -0500
@@ -36,8 +36,13 @@
httpd_sys_script_ra_t
.br
@@ -1040,7 +1076,7 @@
.SH BOOLEANS
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.4/net_contexts
--- nsapolicy/net_contexts 2005-03-17 10:18:56.000000000 -0500
-+++ policy-1.23.4/net_contexts 2005-03-22 12:28:02.295877272 -0500
++++ policy-1.23.4/net_contexts 2005-03-22 13:17:58.111444080 -0500
@@ -49,10 +49,9 @@
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
@@ -1065,9 +1101,24 @@
ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
ifdef(`samba.te', `
+@@ -93,12 +91,12 @@
+ ifdef(`comsat.te', `
+ portcon udp 512 system_u:object_r:comsat_port_t
+ ')
+-ifdef(`slapd.te', `
++
+ portcon tcp 389 system_u:object_r:ldap_port_t
+ portcon udp 389 system_u:object_r:ldap_port_t
+ portcon tcp 636 system_u:object_r:ldap_port_t
+ portcon udp 636 system_u:object_r:ldap_port_t
+-')
++
+ ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
+ ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
+ ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.4/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/tunables/distro.tun 2005-03-22 12:19:28.316014088 -0500
++++ policy-1.23.4/tunables/distro.tun 2005-03-22 12:36:49.000000000 -0500
@@ -5,7 +5,7 @@
# appropriate ifdefs.
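Review bot: Dropping the `ifdef(`slapd.te', …)` wrapper makes tcp/udp 389 and 636 carry `ldap_port_t` unconditionally, so every LDAP client domain that previously reached these ports while they were labeled with the default `port_t` now needs access to `ldap_port_t` instead; with the `name_connect` checks this series is introducing (changelog: "Start adding name_connect code"), a client granted only generic port access would be denied. The patch adds a `can_portmap` macro for the analogous portmap case, but I do not see a matching `can_ldap` macro or any `ldap_port_t:tcp_socket name_connect` grant in this diff — if it lives in another hunk, ignore this; otherwise domains using nss_ldap/pam_ldap (sshd, login, nscd, and anything calling the ypbind/network macros) are likely to regress. Separately, the two removed lines were replaced by empty `+` lines rather than deleted, leaving stray blanks around the portcon block; I would drop them or replace the first with `# ldap ports are labeled unconditionally: clients exist without slapd`.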
@@ -1079,7 +1130,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.4/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/tunables/tunable.tun 2005-03-22 12:19:28.316014088 -0500
++++ policy-1.23.4/tunables/tunable.tun 2005-03-22 12:36:49.000000000 -0500
@@ -1,27 +1,27 @@
# Allow users to execute the mount command
-dnl define(`user_can_mount')
@@ -1116,7 +1167,7 @@
# that do not have a domain transition explicitly defined.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.4/types/file.te
--- nsapolicy/types/file.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/types/file.te 2005-03-22 12:19:28.317013936 -0500
++++ policy-1.23.4/types/file.te 2005-03-22 12:36:49.000000000 -0500
@@ -271,15 +271,15 @@
# the default file system type.
#
@@ -1139,7 +1190,7 @@
allow autofs_t self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.4/types/network.te
--- nsapolicy/types/network.te 2005-03-17 10:18:58.000000000 -0500
-+++ policy-1.23.4/types/network.te 2005-03-22 12:35:52.831345008 -0500
++++ policy-1.23.4/types/network.te 2005-03-22 13:21:11.619026456 -0500
@@ -22,14 +22,7 @@
#
# Defines used by the te files need to be defined outside of net_constraints
@@ -1155,7 +1206,7 @@
ifdef(`dhcpd.te', `define(`use_dhcpd')')
ifdef(`dnsmasq.te', `define(`use_dhcpd')')
-@@ -82,6 +75,12 @@
+@@ -82,6 +75,16 @@
type kerberos_master_port_t, port_type;
#
@@ -1163,6 +1214,10 @@
+#
+type portmap_port_t, port_type, reserved_port_type;
+
++#
++# Ports used to communicate with ldap server
++#
++type ldap_port_t, port_type, reserved_port_type;
+
+#
# port_t is the default type of INET port numbers.
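Review bot: The new `ldap_port_t` declaration carries only the generic "Ports used to communicate with ldap server" comment, while the companion net_contexts hunk removes the `slapd.te` guard that used to tie these ports to the server being built — the reason the type is now unconditional is not recorded anywhere. I would extend the comment, e.g. `# Declared unconditionally (not under ifdef(`slapd.te')): LDAP client domains need this type even on hosts without slapd — presumably nss_ldap/pam_ldap; confirm`, so the next maintainer does not re-add the ifdef. `reserved_port_type` is consistent with the ports involved (389 and 636 are both below 1024), so no change is needed there.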
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.256
retrieving revision 1.257
diff -u -r1.256 -r1.257
--- selinux-policy-targeted.spec 22 Mar 2005 18:10:11 -0000 1.256
+++ selinux-policy-targeted.spec 22 Mar 2005 18:51:20 -0000 1.257
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.4
-Release: 1
+Release: 2
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -226,10 +226,17 @@
exit 0
%changelog
+* Tue Mar 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-2
+- Cleanups to httpd_unconfined_script_t
+
+* Mon Mar 21 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-1
+- Update from NSA
+- Add logfile tmpfs_t associate privs
+- Start adding name_connect code
+- Add httpd_unconfined_script_t
+
* Fri Mar 18 2005 Dan Walsh <dwalsh at redhat.com> 1.23.3-2
- Allow cups/lpd to bind to a port
-- Start adding name_connect code
-- Add httpd_unconfined_t
* Thu Mar 17 2005 Dan Walsh <dwalsh at redhat.com> 1.23.3-1
- Update from NSA