rpms/selinux-policy-targeted/devel policy-20050322.patch, 1.2, 1.3 selinux-policy-targeted.spec, 1.257, 1.258
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Mar 22 23:56:46 UTC 2005
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv1256
Modified Files:
policy-20050322.patch selinux-policy-targeted.spec
Log Message:
* Tue Mar 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-3
- More tightening of name_connect
- Cleanups to httpd_unconfined_script_t
policy-20050322.patch:
assert.te | 50 +++++++++++++++++-----------------
domains/program/initrc.te | 1
domains/program/mount.te | 3 ++
domains/program/netutils.te | 1
domains/program/ssh.te | 1
domains/program/unused/amavis.te | 1
domains/program/unused/apache.te | 23 +++++++++++++++
domains/program/unused/backup.te | 1
domains/program/unused/canna.te | 1
domains/program/unused/clockspeed.te | 1
domains/program/unused/cups.te | 2 +
domains/program/unused/cyrus.te | 1
domains/program/unused/ddclient.te | 1
domains/program/unused/devfsd.te | 1
domains/program/unused/dhcpc.te | 1
domains/program/unused/dhcpd.te | 1
domains/program/unused/djbdns.te | 1
domains/program/unused/dovecot.te | 1
domains/program/unused/dpkg.te | 1
domains/program/unused/fetchmail.te | 2 +
domains/program/unused/ftpd.te | 1
domains/program/unused/i18n_input.te | 1
domains/program/unused/inetd.te | 1
domains/program/unused/innd.te | 1
domains/program/unused/lpd.te | 1
domains/program/unused/mailman.te | 1
domains/program/unused/mrtg.te | 1
domains/program/unused/named.te | 2 +
domains/program/unused/nessusd.te | 1
domains/program/unused/nscd.te | 1
domains/program/unused/nsd.te | 1
domains/program/unused/ntpd.te | 1
domains/program/unused/nx_server.te | 1
domains/program/unused/ping.te | 1
domains/program/unused/portmap.te | 4 +-
domains/program/unused/postfix.te | 3 ++
domains/program/unused/privoxy.te | 1
domains/program/unused/rhgb.te | 1
domains/program/unused/rpcd.te | 1
domains/program/unused/rpm.te | 1
domains/program/unused/samba.te | 3 --
domains/program/unused/sendmail.te | 1
domains/program/unused/slapd.te | 2 -
domains/program/unused/squid.te | 10 ++++--
domains/program/unused/stunnel.te | 1
domains/program/unused/traceroute.te | 1
domains/program/unused/ucspi-tcp.te | 1
domains/program/unused/uwimapd.te | 1
domains/program/unused/vpnc.te | 1
domains/program/unused/watchdog.te | 1
domains/program/unused/winbind.te | 6 ++--
domains/program/unused/xdm.te | 1
domains/program/unused/ypbind.te | 1
flask/access_vectors | 1
macros/base_user_macros.te | 1
macros/global_macros.te | 1
macros/network_macros.te | 6 +++-
macros/program/apache_macros.te | 10 +++++-
macros/program/chroot_macros.te | 1
macros/program/crond_macros.te | 1
macros/program/gift_macros.te | 1
macros/program/gpg_macros.te | 2 +
macros/program/irc_macros.te | 1
macros/program/java_macros.te | 1
macros/program/kerberos_macros.te | 1
macros/program/lpr_macros.te | 1
macros/program/mta_macros.te | 1
macros/program/screen_macros.te | 1
macros/program/spamassassin_macros.te | 2 +
macros/program/ssh_macros.te | 1
macros/program/uml_macros.te | 1
macros/program/x_client_macros.te | 1
macros/program/xserver_macros.te | 1
man/man8/httpd_selinux.8 | 7 ++++
net_contexts | 25 +++++++----------
tunables/distro.tun | 2 -
tunables/tunable.tun | 12 ++++----
types/file.te | 8 ++---
types/network.te | 37 ++++++++++---------------
79 files changed, 192 insertions(+), 86 deletions(-)
Index: policy-20050322.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050322.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050322.patch 22 Mar 2005 18:51:20 -0000 1.2
+++ policy-20050322.patch 22 Mar 2005 23:56:37 -0000 1.3
@@ -125,7 +125,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/mount.te policy-1.23.4/domains/program/mount.te
--- nsapolicy/domains/program/mount.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/mount.te 2005-03-22 13:15:17.428871544 -0500
++++ policy-1.23.4/domains/program/mount.te 2005-03-22 13:15:17.000000000 -0500
@@ -62,9 +62,12 @@
allow mount_t root_t:filesystem unmount;
@@ -174,7 +174,7 @@
can_tcp_connect(amavisd_t, mail_server_domain)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.4/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 13:41:52.893324080 -0500
++++ policy-1.23.4/domains/program/unused/apache.te 2005-03-22 13:41:52.000000000 -0500
@@ -42,6 +42,9 @@
# Allow http daemon to communicate with the TTY
bool httpd_tty_comm false;
@@ -431,12 +431,12 @@
type checkpc_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.23.4/domains/program/unused/mailman.te
--- nsapolicy/domains/program/unused/mailman.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/mailman.te 2005-03-22 12:36:49.000000000 -0500
++++ policy-1.23.4/domains/program/unused/mailman.te 2005-03-22 18:43:40.386566688 -0500
@@ -30,6 +30,7 @@
allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
allow mailman_$1_t fs_t:filesystem getattr;
can_network(mailman_$1_t)
-+allow mailman_$1_t port_type:tcp_socket name_connect;
++allow mailman_$1_t smtp_port_t:tcp_socket name_connect;
can_ypbind(mailman_$1_t)
allow mailman_$1_t self:{ unix_stream_socket unix_dgram_socket } create_socket_perms;
allow mailman_$1_t var_t:dir r_dir_perms;
@@ -453,7 +453,7 @@
allow mrtg_t self:fifo_file { getattr read write ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.4/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/named.te 2005-03-22 12:36:49.000000000 -0500
++++ policy-1.23.4/domains/program/unused/named.te 2005-03-22 16:56:01.046535632 -0500
@@ -54,6 +54,7 @@
#Named can use network
@@ -466,7 +466,7 @@
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
can_network_client_tcp(ndc_t)
-+allow ndc_t port_type:tcp_socket name_connect;
++allow ndc_t rndc_port_t:tcp_socket name_connect;
can_ypbind(ndc_t)
can_resolve(ndc_t)
read_locale(ndc_t)
@@ -633,8 +633,24 @@
# Allow the rpm domain to execute other programs
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.4/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-02-24 14:51:07.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/samba.te 2005-03-22 12:36:49.000000000 -0500
-@@ -153,6 +153,7 @@
++++ policy-1.23.4/domains/program/unused/samba.te 2005-03-22 18:49:55.442549512 -0500
+@@ -41,7 +41,6 @@
+ general_domain_access(smbd_t)
+ general_proc_read_access(smbd_t)
+
+-type smbd_port_t, port_type, reserved_port_type;
+ allow smbd_t smbd_port_t:tcp_socket name_bind;
+
+ # Use capabilities.
+@@ -88,7 +87,6 @@
+ general_domain_access(nmbd_t)
+ general_proc_read_access(nmbd_t)
+
+-type nmbd_port_t, port_type, reserved_port_type;
+ allow nmbd_t nmbd_port_t:udp_socket name_bind;
+
+ # Use capabilities.
+@@ -153,6 +151,7 @@
# Networking
can_network(smbmount_t)
@@ -655,7 +671,7 @@
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/slapd.te policy-1.23.4/domains/program/unused/slapd.te
--- nsapolicy/domains/program/unused/slapd.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/slapd.te 2005-03-22 13:20:35.314545576 -0500
++++ policy-1.23.4/domains/program/unused/slapd.te 2005-03-22 13:20:35.000000000 -0500
@@ -12,7 +12,6 @@
#
daemon_domain(slapd)
@@ -674,15 +690,35 @@
allow slapd_t self:unix_stream_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.4/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/squid.te 2005-03-22 12:36:49.000000000 -0500
-@@ -53,6 +53,7 @@
++++ policy-1.23.4/domains/program/unused/squid.te 2005-03-22 16:55:39.907749216 -0500
+@@ -12,7 +12,7 @@
+ ifdef(`apache.te',`
+ can_tcp_connect(squid_t, httpd_t)
+ ')
+-
++bool squid_connect_any false;
+ daemon_domain(squid, `, web_client_domain, nscd_client_domain')
+ type squid_conf_t, file_type, sysadmfile;
+ general_domain_access(squid_t)
+@@ -53,12 +53,16 @@
# Use the network
can_network(squid_t)
++if (squid_connect_any) {
+allow squid_t port_type:tcp_socket name_connect;
++} else {
++allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;
++}
can_ypbind(squid_t)
can_tcp_connect(web_client_domain, squid_t)
+ # tcp port 8080 and udp port 3130 is http_cache_port_t (see net_contexts)
+-allow squid_t http_cache_port_t:tcp_socket name_bind;
+-allow squid_t http_cache_port_t:udp_socket name_bind;
++allow squid_t http_cache_port_t:{ tcp_socket udp_socket } name_bind;
+
+ # to allow running programs from /usr/lib/squid (IE unlinkd)
+ # also allow exec()ing itself
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/stunnel.te policy-1.23.4/domains/program/unused/stunnel.te
--- nsapolicy/domains/program/unused/stunnel.te 2005-02-24 14:51:08.000000000 -0500
+++ policy-1.23.4/domains/program/unused/stunnel.te 2005-03-22 12:36:49.000000000 -0500
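Review bot: `bool squid_connect_any false;` is added without a comment, while the other boolean visible in this patch is documented (apache.te's `# Allow http daemon to communicate with the TTY` above `bool httpd_tty_comm false;`); booleans are the admin-facing knob, so the intent should sit next to the declaration, e.g. `# Allow squid to connect to any TCP port (forward-proxy use). Off: name_connect is limited to http_port_t and http_cache_port_t.` The default of false keeps the tightened branch, which is the right default for a proxy that normally only reaches 80/443 and the cache ports labelled later in this patch. The `if (squid_connect_any) { ... } else { ... }` block is placed directly after `can_network(squid_t)`, which reads well, but note the permissive branch still grants name_connect on every `port_type`, reserved ports included, so the comment should say that is what enabling the boolean means.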
@@ -751,15 +787,26 @@
allow watchdog_t bin_t:lnk_file read;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.4/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/winbind.te 2005-03-22 12:36:49.000000000 -0500
-@@ -13,6 +13,7 @@
++++ policy-1.23.4/domains/program/unused/winbind.te 2005-03-22 18:49:36.853375496 -0500
+@@ -13,6 +13,9 @@
allow winbind_t etc_t:file r_file_perms;
allow winbind_t etc_t:lnk_file read;
can_network(winbind_t)
-+allow winbind_t port_type:tcp_socket name_connect;
++allow winbind_t smbd_port_t:tcp_socket name_connect;
++can_resolve(winbind_t)
++
ifdef(`samba.te', `', `
type samba_etc_t, file_type, sysadmfile, usercanread;
type samba_log_t, file_type, sysadmfile, logfile;
+@@ -27,7 +30,6 @@
+ allow winbind_t urandom_device_t:chr_file { getattr read };
+ allow winbind_t self:fifo_file { read write };
+ rw_dir_create_file(winbind_t, samba_var_t)
+-allow winbind_t krb5_conf_t:file { getattr read };
+-dontaudit winbind_t krb5_conf_t:file { write };
++can_kerberos(winbind_t)
+ allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow winbind_t winbind_var_run_t:sock_file create_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.4/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-03-11 15:31:06.000000000 -0500
+++ policy-1.23.4/domains/program/unused/xdm.te 2005-03-22 12:36:49.000000000 -0500
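Review bot: Narrowing winbind_t to `smbd_port_t:tcp_socket name_connect` covers the SMB/NetBIOS ports net_contexts labels (137-139/445), but winbindd joined to an Active Directory domain in ADS mode also talks LDAP to the domain controller, and nothing in this hunk grants name_connect to an LDAP port type, so such members may start seeing denials after this tightening; verify against an AD-joined host and, if needed, extend the rule to the LDAP port type this policy declares (e.g. `allow winbind_t { smbd_port_t ldap_port_t }:tcp_socket name_connect;` if `ldap_port_t` exists here). `can_kerberos(winbind_t)` replaces both the krb5_conf_t read and the `dontaudit winbind_t krb5_conf_t:file { write };` line; confirm the macro carries an equivalent dontaudit, otherwise the write attempt becomes audit noise rather than a silent deny.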
@@ -817,7 +864,7 @@
allow $1 port_type:{ tcp_socket udp_socket } name_bind;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.23.4/macros/network_macros.te
--- nsapolicy/macros/network_macros.te 2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.4/macros/network_macros.te 2005-03-22 13:16:42.530934064 -0500
++++ policy-1.23.4/macros/network_macros.te 2005-03-22 13:16:42.000000000 -0500
@@ -155,14 +155,18 @@
')dnl end can_network definition
@@ -840,7 +887,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.4/macros/program/apache_macros.te
--- nsapolicy/macros/program/apache_macros.te 2005-03-11 15:31:07.000000000 -0500
-+++ policy-1.23.4/macros/program/apache_macros.te 2005-03-22 13:41:05.642507296 -0500
++++ policy-1.23.4/macros/program/apache_macros.te 2005-03-22 13:41:05.000000000 -0500
@@ -3,10 +3,11 @@
#This type is for webpages
@@ -1076,12 +1123,19 @@
.SH BOOLEANS
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.4/net_contexts
--- nsapolicy/net_contexts 2005-03-17 10:18:56.000000000 -0500
-+++ policy-1.23.4/net_contexts 2005-03-22 13:17:58.111444080 -0500
-@@ -49,10 +49,9 @@
++++ policy-1.23.4/net_contexts 2005-03-22 18:49:22.145611416 -0500
+@@ -44,35 +44,33 @@
+ ')
+ ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
+ ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
+-ifdef(`mta.te', `
++
+ portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
portcon tcp 587 system_u:object_r:smtp_port_t
- ')
+-')
-ifdef(`use_dns', `
++
portcon udp 53 system_u:object_r:dns_port_t
portcon tcp 53 system_u:object_r:dns_port_t
-')
@@ -1089,7 +1143,15 @@
ifdef(`use_dhcpd', `portcon udp 67 system_u:object_r:dhcpd_port_t')
ifdef(`dhcpc.te', `portcon udp 68 system_u:object_r:dhcpc_port_t')
ifdef(`tftpd.te', `portcon udp 69 system_u:object_r:tftp_port_t')
-@@ -66,10 +65,9 @@
+ ifdef(`fingerd.te', `portcon tcp 79 system_u:object_r:fingerd_port_t')
+-ifdef(`use_http', `
++
+ portcon tcp 80 system_u:object_r:http_port_t
+ portcon tcp 443 system_u:object_r:http_port_t
+-')
++
+ ifdef(`use_pop', `
+ portcon tcp 106 system_u:object_r:pop_port_t
portcon tcp 109 system_u:object_r:pop_port_t
portcon tcp 110 system_u:object_r:pop_port_t
')
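Review bot: tcp 80/443 are now labelled `http_port_t` unconditionally here (and tcp 3128/8080, udp 3130 as `http_cache_port_t` in the later net_contexts hunk at `@@ -210,11 +208,10 @@`), while the types/network.te hunk drops the `define(`use_http')` and `define(`use_http_cache')` lines that previously gated those declarations; checkpolicy rejects a portcon on an undeclared type, so both types must now be declared outside any `ifdef`. `http_cache_port_t` visibly is (`type http_cache_port_t, port_type;` survives with its wrapper removed), but the `http_port_t` declaration is not in view in this diff, so confirm it is no longer wrapped in `ifdef(`use_http'`. Replacing the `ifdef(` and `')` lines with bare `+` blank lines also leaves doubled blank lines around the SMTP, DNS, HTTP and Samba entries; dropping the fillers would keep net_contexts tidy.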
@@ -1100,7 +1162,20 @@
+
ifdef(`innd.te', `portcon tcp 119 system_u:object_r:innd_port_t')
ifdef(`ntpd.te', `portcon udp 123 system_u:object_r:ntp_port_t')
- ifdef(`samba.te', `
+-ifdef(`samba.te', `
++
+ portcon tcp 137 system_u:object_r:smbd_port_t
+ portcon udp 137 system_u:object_r:nmbd_port_t
+ portcon tcp 138 system_u:object_r:smbd_port_t
+@@ -80,7 +78,7 @@
+ portcon tcp 139 system_u:object_r:smbd_port_t
+ portcon udp 139 system_u:object_r:nmbd_port_t
+ portcon tcp 445 system_u:object_r:smbd_port_t
+-')
++
+ ifdef(`use_pop', `
+ portcon tcp 143 system_u:object_r:pop_port_t
+ portcon tcp 220 system_u:object_r:pop_port_t
@@ -93,12 +91,12 @@
ifdef(`comsat.te', `
portcon udp 512 system_u:object_r:comsat_port_t
@@ -1116,6 +1191,19 @@
ifdef(`rlogind.te', `portcon tcp 513 system_u:object_r:rlogind_port_t')
ifdef(`rshd.te', `portcon tcp 514 system_u:object_r:rsh_port_t')
ifdef(`lpd.te', `portcon tcp 515 system_u:object_r:printer_port_t')
+@@ -210,11 +208,10 @@
+ # 9433 is for YIFF
+ portcon tcp 9433 system_u:object_r:soundd_port_t
+ ')
+-ifdef(`use_http_cache', `
+ portcon tcp 3128 system_u:object_r:http_cache_port_t
+ portcon tcp 8080 system_u:object_r:http_cache_port_t
+ portcon udp 3130 system_u:object_r:http_cache_port_t
+-')
++
+ ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
+ ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
+ ifdef(`amanda.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.4/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.4/tunables/distro.tun 2005-03-22 12:36:49.000000000 -0500
@@ -1190,8 +1278,8 @@
allow autofs_t self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.4/types/network.te
--- nsapolicy/types/network.te 2005-03-17 10:18:58.000000000 -0500
-+++ policy-1.23.4/types/network.te 2005-03-22 13:21:11.619026456 -0500
-@@ -22,14 +22,7 @@
++++ policy-1.23.4/types/network.te 2005-03-22 18:50:11.684080424 -0500
+@@ -22,20 +22,11 @@
#
# Defines used by the te files need to be defined outside of net_constraints
#
@@ -1201,12 +1289,45 @@
-ifdef(`dnsmasq.te', `define(`use_dns')')
-ifdef(`djbdns.te', `define(`use_dns')')
-ifdef(`use_dns', `
- type dns_port_t, port_type;
+-type dns_port_t, port_type;
+-')
+-
+-ifdef(`dhcpd.te', `define(`use_dhcpd')')
+-ifdef(`dnsmasq.te', `define(`use_dhcpd')')
+-ifdef(`use_dhcpd', `
+-type dhcpd_port_t, port_type;
+-')
++type dns_port_t, port_type, reserved_port_type;
++type smtp_port_t, port_type, reserved_port_type;
++type dhcpd_port_t, port_type, reserved_port_type;
++type smbd_port_t, port_type, reserved_port_type;
++type nmbd_port_t, port_type, reserved_port_type;
+
+ ifdef(`cyrus.te', `define(`use_pop')')
+ ifdef(`courier.te', `define(`use_pop')')
+@@ -45,21 +36,13 @@
+ ifdef(`use_pop', `
+ type pop_port_t, port_type, reserved_port_type;
+ ')
+-ifdef(`apache.te', `
+-define(`use_http_cache')
+-define(`use_http')
+-')
+ ifdef(`ftpd.te', `
+ define(`use_ftpd')
+ ')
+ ifdef(`publicfile.te', `
+-define(`use_http')
+ define(`use_ftpd')
+ ')
+-ifdef(`squid.te', `define(`use_http_cache')')
+-ifdef(`use_http_cache', `
+ type http_cache_port_t, port_type;
-')
- ifdef(`dhcpd.te', `define(`use_dhcpd')')
- ifdef(`dnsmasq.te', `define(`use_dhcpd')')
-@@ -82,6 +75,16 @@
+ ifdef(`dhcpd.te', `define(`use_pxe')')
+ ifdef(`pxe.te', `define(`use_pxe')')
+@@ -82,6 +65,16 @@
type kerberos_master_port_t, port_type;
#
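Review bot: The inner removal `-ifdef(`use_http_cache', `` (the line before `type http_cache_port_t, port_type;`) has no matching removal of its closing `')` among the visible lines; if that line survives, m4 sees an unbalanced quote and the whole of network.te after it is consumed silently. The inner header `@@ -45,21 +36,13 @@` announces thirteen new-side lines and only twelve are visible here, so the missing line may well be that `-')`, possibly lost in the mailing-list rendering, but it should be confirmed in the committed patch. The same inner hunk also drops `define(`use_http')` from both the apache.te and publicfile.te branches without an unconditional `http_port_t` declaration appearing in this hunk, so any remaining `ifdef(`use_http'` in network.te or net_contexts now never fires; the earlier net_contexts hunk relies on `http_port_t` being declared.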
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.257
retrieving revision 1.258
diff -u -r1.257 -r1.258
--- selinux-policy-targeted.spec 22 Mar 2005 18:51:20 -0000 1.257
+++ selinux-policy-targeted.spec 22 Mar 2005 23:56:37 -0000 1.258
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.4
-Release: 2
+Release: 3
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -226,7 +226,8 @@
exit 0
%changelog
-* Tue Mar 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-2
+* Tue Mar 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-3
+- More tightening of name_connect
- Cleanups to httpd_unconfined_script_t
* Mon Mar 21 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-1