rpms/selinux-policy-targeted/FC-3 policy-20050104.patch, 1.31, 1.32 selinux-policy-targeted.spec, 1.201, 1.202

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu May 5 17:48:41 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv14715

Modified Files:
	policy-20050104.patch selinux-policy-targeted.spec 
Log Message:
* Thu Apr 7 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-3.2
- Update unconfined_t to use proc_net


policy-20050104.patch:
 Makefile                              |   47 +++--
 attrib.te                             |   18 ++
 domains/program/crond.te              |    7 
 domains/program/ldconfig.te           |   21 ++
 domains/program/login.te              |    2 
 domains/program/logrotate.te          |   24 +-
 domains/program/mount.te              |    2 
 domains/program/ssh.te                |    7 
 domains/program/syslogd.te            |   40 +++-
 domains/program/unused/acct.te        |    6 
 domains/program/unused/apache.te      |  283 +++++++++++++++++++++++-----------
 domains/program/unused/arpwatch.te    |   26 +++
 domains/program/unused/cups.te        |   58 ++++++
 domains/program/unused/dhcpc.te       |    5 
 domains/program/unused/dhcpd.te       |   18 +-
 domains/program/unused/dovecot.te     |    3 
 domains/program/unused/ftpd.te        |    2 
 domains/program/unused/hald.te        |    3 
 domains/program/unused/howl.te        |    2 
 domains/program/unused/innd.te        |    7 
 domains/program/unused/ipsec.te       |    9 -
 domains/program/unused/iptables.te    |    3 
 domains/program/unused/mailman.te     |   29 ++-
 domains/program/unused/mdadm.te       |    3 
 domains/program/unused/mta.te         |   24 ++
 domains/program/unused/mysqld.te      |   24 +-
 domains/program/unused/named.te       |   39 +++-
 domains/program/unused/nscd.te        |   62 +++----
 domains/program/unused/ntpd.te        |   23 ++
 domains/program/unused/portmap.te     |   20 ++
 domains/program/unused/postfix.te     |    2 
 domains/program/unused/postgresql.te  |   62 +++++--
 domains/program/unused/procmail.te    |    1 
 domains/program/unused/rpcd.te        |    2 
 domains/program/unused/rpm.te         |    5 
 domains/program/unused/rsync.te       |    2 
 domains/program/unused/samba.te       |    4 
 domains/program/unused/sendmail.te    |    2 
 domains/program/unused/slrnpull.te    |    1 
 domains/program/unused/snmpd.te       |   24 +-
 domains/program/unused/spamd.te       |    2 
 domains/program/unused/squid.te       |   21 +-
 domains/program/unused/udev.te        |    5 
 domains/program/unused/updfstab.te    |    1 
 domains/program/unused/winbind.te     |   35 ++++
 domains/program/unused/xdm.te         |    4 
 domains/program/unused/ypbind.te      |   15 +
 domains/program/unused/ypserv.te      |    7 
 domains/user.te                       |    6 
 file_contexts/distros.fc              |   76 ++++++---
 file_contexts/program/apache.fc       |   14 +
 file_contexts/program/arpwatch.fc     |    3 
 file_contexts/program/cups.fc         |    5 
 file_contexts/program/dhcpd.fc        |    2 
 file_contexts/program/ipsec.fc        |   11 -
 file_contexts/program/mailman.fc      |   15 -
 file_contexts/program/mta.fc          |    5 
 file_contexts/program/mysqld.fc       |    4 
 file_contexts/program/named.fc        |   17 +-
 file_contexts/program/nscd.fc         |    3 
 file_contexts/program/ntpd.fc         |    2 
 file_contexts/program/postgresql.fc   |   23 +-
 file_contexts/program/sendmail.fc     |    1 
 file_contexts/program/snmpd.fc        |    3 
 file_contexts/program/squid.fc        |    2 
 file_contexts/program/winbind.fc      |   10 +
 file_contexts/types.fc                |  161 ++++++-------------
 flask/access_vectors                  |   31 +++
 flask/security_classes                |    6 
 genfs_contexts                        |    2 
 macros/base_user_macros.te            |    9 -
 macros/core_macros.te                 |   98 ++++++++---
 macros/global_macros.te               |   95 +++--------
 macros/network_macros.te              |  172 ++++++++++++++++++++
 macros/program/apache_macros.te       |  144 +++++++++--------
 macros/program/kerberos_macros.te     |   11 +
 macros/program/mount_macros.te        |    2 
 macros/program/mozilla_macros.te      |    2 
 macros/program/mta_macros.te          |    5 
 macros/program/newrole_macros.te      |    2 
 macros/program/spamassassin_macros.te |    5 
 macros/program/ssh_agent_macros.te    |    2 
 macros/program/ssh_macros.te          |    2 
 macros/program/su_macros.te           |    2 
 macros/program/userhelper_macros.te   |    3 
 macros/program/xauth_macros.te        |    2 
 macros/program/xserver_macros.te      |    4 
 macros/program/ypbind_macros.te       |   24 --
 man/man8/httpd_selinux.8              |  108 ++++++++++++
 man/man8/named_selinux.8              |   29 +++
 net_contexts                          |   83 +++++++--
 targeted/assert.te                    |    4 
 targeted/domains/program/hotplug.te   |    4 
 targeted/domains/program/initrc.te    |    2 
 targeted/domains/program/sendmail.te  |   17 ++
 targeted/domains/unconfined.te        |   38 ++++
 tunables/distro.tun                   |    2 
 tunables/tunable.tun                  |   21 +-
 types/device.te                       |    6 
 types/file.te                         |   85 ++++++----
 types/network.te                      |   55 ++++--
 types/procfs.te                       |    4 
 102 files changed, 1701 insertions(+), 755 deletions(-)

Index: policy-20050104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/policy-20050104.patch,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- policy-20050104.patch	22 Apr 2005 16:40:12 -0000	1.31
+++ policy-20050104.patch	5 May 2005 17:48:38 -0000	1.32
@@ -757,8 +757,8 @@
 +allow arpwatch_t sbin_t:dir { search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.17.30/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/unused/cups.te	2005-03-21 23:08:51.000000000 -0500
-@@ -20,7 +20,6 @@
++++ policy-1.17.30/domains/program/unused/cups.te	2005-04-26 08:11:29.000000000 -0400
+@@ -20,10 +20,10 @@
  
  can_network(cupsd_t)
  can_ypbind(cupsd_t)
@@ -766,7 +766,11 @@
  logdir_domain(cupsd)
  
  tmp_domain(cupsd)
-@@ -52,8 +51,6 @@
++file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)
+ 
+ allow cupsd_t devpts_t:dir search;
+ 
+@@ -52,13 +52,11 @@
  # write to spool
  allow cupsd_t var_spool_t:dir search;
  
@@ -775,7 +779,13 @@
  # this is not ideal, and allowing setattr access to cupsd_etc_t is wrong
  file_type_auto_trans(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
  file_type_auto_trans(cupsd_t, var_t, cupsd_rw_etc_t, file)
-@@ -165,11 +162,55 @@
+ allow cupsd_t cupsd_rw_etc_t:dir { setattr rw_dir_perms };
+-allow cupsd_t cupsd_etc_t:file setattr;
++allow cupsd_t cupsd_etc_t:file rw_file_perms;
+ allow cupsd_t cupsd_etc_t:dir setattr;
+ 
+ allow cupsd_t { etc_t etc_runtime_t }:file { getattr read ioctl };
+@@ -165,11 +163,55 @@
  dontaudit cupsd_t selinux_config_t:dir search;
  dontaudit cupsd_t selinux_config_t:file { getattr read };
  
@@ -2806,7 +2816,7 @@
 +/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
 diff --exclude-from=exclude -N -u -r nsapolicy/flask/access_vectors policy-1.17.30/flask/access_vectors
 --- nsapolicy/flask/access_vectors	2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/flask/access_vectors	2005-04-22 11:36:40.000000000 -0400
++++ policy-1.17.30/flask/access_vectors	2005-05-05 13:45:16.000000000 -0400
 @@ -118,6 +118,7 @@
  {
  	execute_no_trans
@@ -2835,17 +2845,19 @@
  }
  
  class udp_socket
-@@ -240,6 +247,9 @@
+@@ -240,6 +247,11 @@
  	siginh
  	setrlimit
  	rlimitinh
 +	dyntransition
 +	setcurrent
 +	execmem
++	execstack
++	execheap
  }
  
  
-@@ -287,6 +297,8 @@
+@@ -287,6 +299,8 @@
  	compute_user
  	setenforce     # was avc_toggle in system class
  	setbool
@@ -2854,7 +2866,7 @@
  }
  
  
-@@ -341,6 +353,8 @@
+@@ -341,6 +355,8 @@
  	sys_tty_config  
  	mknod
  	lease
@@ -2863,7 +2875,7 @@
  }
  
  
-@@ -539,6 +553,8 @@
+@@ -539,6 +555,8 @@
  {
  	nlmsg_read
  	nlmsg_write
@@ -2872,7 +2884,7 @@
  }
  
  class netlink_ip6fw_socket
-@@ -575,3 +591,16 @@
+@@ -575,3 +593,16 @@
         shmemgrp
         shmemhost
  }
@@ -3151,7 +3163,7 @@
  ')dnl end general_domain_access
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.17.30/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/macros/global_macros.te	2005-04-22 11:45:53.000000000 -0400
++++ policy-1.17.30/macros/global_macros.te	2005-05-05 13:41:30.000000000 -0400
 @@ -89,9 +89,10 @@
  allow $1 ld_so_t:file rx_file_perms;
  #allow $1 ld_so_t:file execute_no_trans;
@@ -3247,6 +3259,83 @@
  
  read_locale($1_t)
  
+@@ -536,6 +478,8 @@
+ #
+ define(`unconfined_domain', `
+ 
++typeattribute $1 unrestricted;
++
+ # Mount/unmount any filesystem. 
+ allow $1 fs_type:filesystem *;
+ 
+@@ -543,7 +487,8 @@
+ allow $1 file_type:filesystem *;
+ 
+ # Create/access any file in a labeled filesystem;
+-allow $1 file_type:dir_file_class_set *;
++allow $1 file_type:{ file chr_file } ~execmod;
++allow $1 file_type:{ dir lnk_file sock_file fifo_file blk_file } *;
+ allow $1 sysctl_t:{ dir file } *;
+ allow $1 device_type:devfile_class_set *;
+ allow $1 mtrr_device_t:file *;
+@@ -552,7 +497,7 @@
+ # pseudo filesystem types that are applied to both the filesystem
+ # and its files.
+ allow $1 { unlabeled_t fs_type }:dir_file_class_set *;
+-allow $1 proc_fs: file *;
++allow $1 proc_fs:{ dir file } *;
+ 
+ # For /proc/pid
+ r_dir_file($1,domain)
+@@ -566,9 +511,10 @@
+ allow $1 node_type:node *;
+ allow $1 netif_type:netif *;
+ allow $1 port_type:{ tcp_socket udp_socket } { send_msg recv_msg };
++allow $1 port_type:tcp_socket name_connect;
+ 
+ # Bind to any network address.
+-allow $1 port_type:{ tcp_socket udp_socket } { name_bind };
++allow $1 port_type:{ tcp_socket udp_socket } name_bind;
+ allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+ allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
+ 
+@@ -580,10 +526,27 @@
+ allow $1 domain:fifo_file rw_file_perms;
+ 
+ # Act upon any other process.
+-allow $1 domain:process ~transition;
++allow $1 domain:process ~{ transition dyntransition execmem };
+ # Transition to myself, to make get_ordered_context_list happy.
+ allow $1 self:process transition;
+ 
++if (allow_execmem) {
++# Allow making anonymous memory executable, e.g. 
++# for runtime-code generation or executable stack.
++allow $1 self:process execmem;
++}
++
++if (allow_execmem && allow_execstack) {
++# Allow making the stack executable via mprotect.
++allow $1 self:process execstack;
++}
++
++if (allow_execmod) {
++# Allow text relocations on system shared libraries, e.g. libGL.
++allow $1 texrel_shlib_t:file execmod;
++allow $1 home_type:file execmod;
++}
++
+ # Create/access any System V IPC objects.
+ allow $1 domain:{ sem msgq shm } *;
+ allow $1 domain:msg  { send receive };
+@@ -612,5 +575,7 @@
+ ifdef(`nscd.te', `
+ allow $1 nscd_t:nscd *;
+ ')
++r_dir_file($1, proc_net_t)
+ 
+ ')dnl end unconfined_domain
++
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.17.30/macros/network_macros.te
 --- nsapolicy/macros/network_macros.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.17.30/macros/network_macros.te	2005-04-22 11:45:39.000000000 -0400
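Review bot: The new `if (allow_execmem && allow_execstack)` block does not actually gate execstack, because the line just above it, `allow $1 domain:process ~{ transition dyntransition execmem };`, still grants every other process permission — including execstack and the execheap added in this commit's access_vectors hunk — to $1 on itself whenever $1 carries the domain attribute, which unconfined domains presumably do (confirm). To make the boolean effective the gated permissions must also be excluded from the blanket rule: `allow $1 domain:process ~{ transition dyntransition execmem execstack execheap };`, and since no conditional grants execheap, decide whether it needs its own boolean or is meant to be dropped for unconfined domains. `allow_execmod` is referenced in the `if (allow_execmod)` block but only allow_execstack and allow_execmem are declared in this commit's unconfined.te hunk; confirm it is declared elsewhere, otherwise the conditional will not compile.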
@@ -4399,7 +4488,7 @@
 +domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.17.30/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/targeted/domains/unconfined.te	2005-04-22 12:30:05.000000000 -0400
++++ policy-1.17.30/targeted/domains/unconfined.te	2005-05-05 13:44:38.000000000 -0400
 @@ -4,7 +4,7 @@
  # is not explicitly confined.  It has no restrictions.
  # It needs to be carefully protected from the confined domains.
@@ -4425,13 +4514,17 @@
  
  # User home directory type.
  type user_home_t, file_type, sysadmfile;
-@@ -37,4 +41,28 @@
+@@ -37,4 +41,32 @@
  user_typealias(user)
  
  allow unconfined_t unlabeled_t:filesystem *;
 -allow unlabeled_t unlabeled_t:filesystem { associate };
 +allow unlabeled_t unlabeled_t:filesystem associate;
 +
++# Allow making the stack executable via mprotect.
++# Also requires allow_execmem.
++bool allow_execstack true;
++
 +# Allow execution of anonymous mappings, e.g. executable stack.
 +bool allow_execmem true;
 +


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/selinux-policy-targeted.spec,v
retrieving revision 1.201
retrieving revision 1.202
diff -u -r1.201 -r1.202
--- selinux-policy-targeted.spec	22 Apr 2005 16:40:12 -0000	1.201
+++ selinux-policy-targeted.spec	5 May 2005 17:48:38 -0000	1.202
@@ -8,7 +8,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.17.30
-Release: 3.1
+Release: 3.2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -214,6 +214,9 @@
 exit 0
 
 %changelog
+* Thu Apr 7 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-3.2
+- Update unconfined_t to use proc_net
+
 * Thu Apr 7 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-2.98
 - Upgrade to latest apache policy
 



