rpms/selinux-policy-strict/devel policy-20050322.patch, 1.4, 1.5 selinux-policy-strict.spec, 1.260, 1.261
fedora-cvs-commits at redhat.com
Wed Mar 23 17:06:53 UTC 2005
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv10534
Modified Files:
policy-20050322.patch selinux-policy-strict.spec
Log Message:
* Wed Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-4
- Allow named and nscd to log to the /var/log directory
- Allow cups to create ptal_var_run_t files
policy-20050322.patch:
assert.te | 50 +++++++++++++++++-----------------
domains/program/initrc.te | 1
domains/program/mount.te | 3 ++
domains/program/netutils.te | 1
domains/program/ssh.te | 1
domains/program/unused/amavis.te | 1
domains/program/unused/apache.te | 23 +++++++++++++++
domains/program/unused/backup.te | 1
domains/program/unused/canna.te | 1
domains/program/unused/clockspeed.te | 1
domains/program/unused/cups.te | 6 ++--
domains/program/unused/cyrus.te | 1
domains/program/unused/ddclient.te | 1
domains/program/unused/devfsd.te | 1
domains/program/unused/dhcpc.te | 1
domains/program/unused/dhcpd.te | 1
domains/program/unused/djbdns.te | 1
domains/program/unused/dovecot.te | 1
domains/program/unused/dpkg.te | 1
domains/program/unused/fetchmail.te | 2 +
domains/program/unused/ftpd.te | 1
domains/program/unused/i18n_input.te | 1
domains/program/unused/inetd.te | 1
domains/program/unused/innd.te | 1
domains/program/unused/lpd.te | 1
domains/program/unused/mailman.te | 1
domains/program/unused/mrtg.te | 1
domains/program/unused/mta.te | 2 -
domains/program/unused/named.te | 3 ++
domains/program/unused/nessusd.te | 1
domains/program/unused/nscd.te | 2 +
domains/program/unused/nsd.te | 1
domains/program/unused/ntpd.te | 1
domains/program/unused/nx_server.te | 1
domains/program/unused/ping.te | 1
domains/program/unused/portmap.te | 4 +-
domains/program/unused/postfix.te | 3 ++
domains/program/unused/privoxy.te | 1
domains/program/unused/rhgb.te | 1
domains/program/unused/rpcd.te | 1
domains/program/unused/rpm.te | 1
domains/program/unused/samba.te | 3 --
domains/program/unused/sendmail.te | 1
domains/program/unused/slapd.te | 2 -
domains/program/unused/squid.te | 10 ++++--
domains/program/unused/stunnel.te | 1
domains/program/unused/traceroute.te | 1
domains/program/unused/ucspi-tcp.te | 1
domains/program/unused/uwimapd.te | 1
domains/program/unused/vpnc.te | 1
domains/program/unused/watchdog.te | 1
domains/program/unused/winbind.te | 6 ++--
domains/program/unused/xdm.te | 1
domains/program/unused/ypbind.te | 1
file_contexts/program/named.fc | 2 +
file_contexts/program/nscd.fc | 1
flask/access_vectors | 1
macros/base_user_macros.te | 1
macros/global_macros.te | 1
macros/network_macros.te | 6 +++-
macros/program/apache_macros.te | 10 +++++-
macros/program/chroot_macros.te | 1
macros/program/crond_macros.te | 1
macros/program/gift_macros.te | 1
macros/program/gpg_macros.te | 2 +
macros/program/irc_macros.te | 1
macros/program/java_macros.te | 1
macros/program/kerberos_macros.te | 1
macros/program/lpr_macros.te | 1
macros/program/mta_macros.te | 1
macros/program/screen_macros.te | 1
macros/program/spamassassin_macros.te | 2 +
macros/program/ssh_macros.te | 1
macros/program/uml_macros.te | 1
macros/program/x_client_macros.te | 1
macros/program/xserver_macros.te | 1
man/man8/httpd_selinux.8 | 7 ++++
net_contexts | 25 +++++++----------
tunables/distro.tun | 2 -
tunables/tunable.tun | 12 ++++----
types/file.te | 8 ++---
types/network.te | 37 ++++++++++---------------
82 files changed, 199 insertions(+), 90 deletions(-)
Index: policy-20050322.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050322.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20050322.patch 23 Mar 2005 00:10:44 -0000 1.4
+++ policy-20050322.patch 23 Mar 2005 17:06:43 -0000 1.5
@@ -259,7 +259,7 @@
allow clockspeed_t self:capability { sys_time net_bind_service };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.4/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-03-21 22:32:18.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/cups.te 2005-03-22 12:36:49.000000000 -0500
++++ policy-1.23.4/domains/program/unused/cups.te 2005-03-23 11:57:22.000000000 -0500
@@ -19,6 +19,7 @@
typealias cupsd_rw_etc_t alias etc_cupsd_rw_t;
@@ -268,6 +268,17 @@
logdir_domain(cupsd)
tmp_domain(cupsd)
+@@ -142,8 +143,8 @@
+ # PTAL
+ daemon_domain(ptal)
+ etcdir_domain(ptal)
+-allow ptal_t ptal_var_run_t:fifo_file create_file_perms;
+-allow ptal_t ptal_var_run_t:sock_file create_file_perms;
++
++file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
+ allow ptal_t self:capability chown;
+ allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
+ allow ptal_t self:unix_stream_socket { listen accept };
@@ -200,6 +201,7 @@
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
@@ -453,7 +464,7 @@
allow mrtg_t self:fifo_file { getattr read write ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.4/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-03-21 22:32:19.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/mta.te 2005-03-22 19:05:30.817350928 -0500
++++ policy-1.23.4/domains/program/unused/mta.te 2005-03-22 19:05:30.000000000 -0500
@@ -13,8 +13,6 @@
ifdef(`sendmail.te', `', `
type sendmail_exec_t, file_type, exec_type, sysadmfile;
@@ -465,8 +476,8 @@
# "mail user at domain"
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.4/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/named.te 2005-03-22 16:56:01.000000000 -0500
-@@ -54,6 +54,7 @@
++++ policy-1.23.4/domains/program/unused/named.te 2005-03-23 10:32:45.000000000 -0500
+@@ -54,11 +54,13 @@
#Named can use network
can_network(named_t)
@@ -474,7 +485,13 @@
can_ypbind(named_t)
# allow UDP transfer to/from any program
can_udp_send(domain, named_t)
-@@ -103,6 +104,7 @@
+ can_udp_send(named_t, domain)
+ can_tcp_connect(domain, named_t)
++log_domain(named)
+
+ # Bind to the named port.
+ allow named_t dns_port_t:udp_socket name_bind;
+@@ -103,6 +105,7 @@
domain_auto_trans({ sysadm_t initrc_t }, ndc_exec_t, ndc_t)
uses_shlib(ndc_t)
can_network_client_tcp(ndc_t)
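Review bot: `log_domain(named)` is added without regard to the chrooted layout this package labels elsewhere: file_contexts in the same patch label `/var/named/chroot(/.*)?` as named_conf_t, so a named running in that chroot and logging under <chroot>/var/log would create its log in a named_conf_t directory, where the var_log_t to named_log_t transition this macro sets up never fires and the file would presumably end up labeled (and access-checked) as configuration rather than as a log. If chroot logging is meant to work, a chroot-specific context such as `/var/named/chroot/var/log(/.*)? system_u:object_r:named_log_t` belongs alongside this macro; if it is not, a comment on the new line saying the log type covers only the non-chroot /var/log would save the next reader the question. The named_t rules continue before and after this hunk.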
@@ -495,7 +512,7 @@
#allow nessusd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.23.4/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2005-03-11 15:31:06.000000000 -0500
-+++ policy-1.23.4/domains/program/unused/nscd.te 2005-03-22 12:36:49.000000000 -0500
++++ policy-1.23.4/domains/program/unused/nscd.te 2005-03-23 10:27:28.000000000 -0500
@@ -23,6 +23,7 @@
allow nscd_t etc_t:file r_file_perms;
allow nscd_t etc_t:lnk_file read;
@@ -504,6 +521,11 @@
can_ypbind(nscd_t)
file_type_auto_trans(nscd_t, var_run_t, nscd_var_run_t, sock_file)
+@@ -72,3 +73,4 @@
+ allow nscd_t tmp_t:dir { search getattr };
+ allow nscd_t tmp_t:lnk_file read;
+ allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
++log_domain(nscd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nsd.te policy-1.23.4/domains/program/unused/nsd.te
--- nsapolicy/domains/program/unused/nsd.te 2005-02-24 14:51:07.000000000 -0500
+++ policy-1.23.4/domains/program/unused/nsd.te 2005-03-22 12:36:49.000000000 -0500
@@ -841,6 +863,26 @@
allow ypbind_t port_t:{ tcp_socket udp_socket } name_bind;
allow ypbind_t self:fifo_file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.23.4/file_contexts/program/named.fc
+--- nsapolicy/file_contexts/program/named.fc 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.4/file_contexts/program/named.fc 2005-03-23 10:33:49.000000000 -0500
+@@ -21,6 +21,8 @@
+ /var/run/bind(/.*)? system_u:object_r:named_var_run_t
+ /var/run/named(/.*)? system_u:object_r:named_var_run_t
+ /usr/sbin/lwresd -- system_u:object_r:named_exec_t
++/var/log/named.* -- system_u:object_r:named_log_t
++
+ ifdef(`distro_redhat', `
+ /var/named/named\.ca -- system_u:object_r:named_conf_t
+ /var/named/chroot(/.*)? system_u:object_r:named_conf_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nscd.fc policy-1.23.4/file_contexts/program/nscd.fc
+--- nsapolicy/file_contexts/program/nscd.fc 2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.4/file_contexts/program/nscd.fc 2005-03-23 10:33:55.000000000 -0500
+@@ -4,3 +4,4 @@
+ /var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t
+ /var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t
+ /var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t
++/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/flask/access_vectors policy-1.23.4/flask/access_vectors
--- nsapolicy/flask/access_vectors 2005-02-24 14:51:10.000000000 -0500
+++ policy-1.23.4/flask/access_vectors 2005-03-22 12:36:49.000000000 -0500
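Review bot: The two new log contexts are written inconsistently: `/var/log/nscd\.log.*` escapes its dot and requires the `.log` suffix, while `/var/log/named.*` leaves the dot as a wildcard, so it also claims any regular file in /var/log whose name merely begins with "named" (a `/var/log/namedfoo` would be relabeled named_log_t). If the intent is to cover named.log, named.run and similar, `/var/log/named\..*` expresses that without the spillover, and `/var/log/named(\..*)?` if a bare `/var/log/named` file should match as well. Both entries use `--`, so a log directory such as /var/log/named/ would not be relabeled by restorecon; if a directory layout is expected, a `(/.*)?` entry or a comment stating that only flat log files are supported is worth adding. The ifdef(`distro_redhat') block that follows the named entry continues outside this hunk.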
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.260
retrieving revision 1.261
diff -u -r1.260 -r1.261
--- selinux-policy-strict.spec 22 Mar 2005 23:56:15 -0000 1.260
+++ selinux-policy-strict.spec 23 Mar 2005 17:06:49 -0000 1.261
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.4
-Release: 3
+Release: 4
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -214,6 +214,10 @@
exit 0
%changelog
+* Wed Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-4
+- Allow named, nscd to log to /var/log directory
+- Allow cups to create ptal_var_run_t files
+
* Tue Mar 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.4-3
- More tightening of name_connect
- Cleanups to httpd_unconfined_script_t