rpms/selinux-policy-strict/devel policy-20050502.patch, 1.2, 1.3 selinux-policy-strict.spec, 1.299, 1.300

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri May 6 02:37:15 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv30844

Modified Files:
	policy-20050502.patch selinux-policy-strict.spec 
Log Message:
* Thu May 5 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-3
- Add debugfs
- Add Russell fixes for restorecon, games
- Turn off user_canbe_sysadm


policy-20050502.patch:
 Makefile                              |    2 +-
 domains/misc/kernel.te                |    2 ++
 domains/program/ifconfig.te           |    2 ++
 domains/program/modutil.te            |    2 +-
 domains/program/restorecon.te         |    2 +-
 domains/program/unused/apmd.te        |    2 +-
 domains/program/unused/auditd.te      |    1 +
 domains/program/unused/automount.te   |    9 +++++++--
 domains/program/unused/consoletype.te |    1 +
 domains/program/unused/cups.te        |    8 ++++++--
 domains/program/unused/hald.te        |    7 ++++---
 domains/program/unused/hotplug.te     |    6 +++---
 domains/program/unused/i18n_input.te  |    2 ++
 domains/program/unused/kudzu.te       |    1 +
 domains/program/unused/lvm.te         |    2 +-
 domains/program/unused/pamconsole.te  |    2 +-
 domains/program/unused/postfix.te     |    1 +
 domains/program/unused/privoxy.te     |    9 +++++----
 domains/program/unused/udev.te        |    4 ++--
 domains/program/unused/updfstab.te    |    6 ++++++
 domains/program/unused/xdm.te         |    1 +
 domains/program/unused/xserver.te     |    1 +
 file_contexts/distros.fc              |    3 ++-
 file_contexts/program/cups.fc         |    1 +
 file_contexts/program/rhgb.fc         |    1 -
 file_contexts/types.fc                |    2 ++
 fs_use                                |    1 +
 genfs_contexts                        |    3 +--
 macros/core_macros.te                 |    1 -
 macros/program/games_domain.te        |   27 +++++++++++++++++++++------
 macros/program/su_macros.te           |    5 +++--
 net_contexts                          |    2 ++
 targeted/domains/unconfined.te        |    5 +++++
 tunables/distro.tun                   |    2 +-
 tunables/tunable.tun                  |    4 ++--
 types/file.te                         |    5 +++++
 36 files changed, 97 insertions(+), 38 deletions(-)

Index: policy-20050502.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050502.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20050502.patch	2 May 2005 20:16:06 -0000	1.2
+++ policy-20050502.patch	6 May 2005 02:37:12 -0000	1.3
@@ -42,6 +42,18 @@
  allow insmod_t proc_t:lnk_file read;
  
  # Write to /proc/mtrr.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.14/domains/program/restorecon.te
+--- nsapolicy/domains/program/restorecon.te	2005-04-27 10:28:49.000000000 -0400
++++ policy-1.23.14/domains/program/restorecon.te	2005-05-05 15:11:06.000000000 -0400
+@@ -20,7 +20,7 @@
+ role secadm_r types restorecon_t;
+ 
+ allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
+-allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
++allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
+ 
+ domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
+ allow restorecon_t { userdomain init_t privfd }:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.14/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-05-02 14:06:54.000000000 -0400
 +++ policy-1.23.14/domains/program/unused/apmd.te	2005-05-02 14:57:26.000000000 -0400
@@ -98,7 +110,7 @@
  allow consoletype_t crond_t:fifo_file { read getattr ioctl };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/cups.te	2005-05-02 14:57:26.000000000 -0400
++++ policy-1.23.14/domains/program/unused/cups.te	2005-05-05 16:30:51.000000000 -0400
 @@ -22,6 +22,7 @@
  logdir_domain(cupsd)
  
@@ -107,7 +119,15 @@
  
  allow cupsd_t devpts_t:dir search;
  
-@@ -246,8 +247,9 @@
+@@ -202,6 +203,7 @@
+ rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
+ rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
+ file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
++file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)
+ 
+ can_network_tcp(cupsd_config_t)
+ can_ypbind(cupsd_config_t)
+@@ -246,8 +248,9 @@
  allow cupsd_config_t logrotate_t:fd use;
  ')dnl end if logrotate.te
  allow cupsd_config_t system_crond_t:fd use;
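Review bot: The new `file_type_auto_trans(cupsd_config_t, var_t, cupsd_rw_etc_t, file)` keys the transition on the generic var_t directory type, so every file cupsd_config_t creates directly in any var_t-labelled directory becomes cupsd_rw_etc_t, not only the file it was presumably added for. A comment naming that file would make the rule reviewable, e.g. `# <file created under /var by cupsd_config_t -- TODO name it> gets cupsd_rw_etc_t`; if the file lives in one specific directory, transitioning from that directory's own type rather than var_t would keep the rule narrow. The surrounding cupsd_config_t rules continue outside the hunk.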
@@ -118,6 +138,14 @@
  
  # Alternatives asks for this
  allow cupsd_config_t initrc_exec_t:file getattr;
+@@ -256,5 +259,6 @@
+ can_unix_connect(cupsd_t, initrc_t)
+ allow cupsd_t initrc_t:dbus send_msg;
+ allow initrc_t cupsd_t:dbus send_msg;
+-allow cupsd_t unconfined_t:dbus send_msg;
++allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
++allow unconfined_t cupsd_config_t }:dbus send_msg;
+ ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.14/domains/program/unused/hald.te
 --- nsapolicy/domains/program/unused/hald.te	2005-05-02 14:06:54.000000000 -0400
 +++ policy-1.23.14/domains/program/unused/hald.te	2005-05-02 14:57:26.000000000 -0400
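Review bot: `allow unconfined_t cupsd_config_t }:dbus send_msg;` has a closing brace with no opening one, so checkpolicy will reject the cups.te this patch produces; the line just above it shows the intended set syntax. Either drop the brace, `allow unconfined_t cupsd_config_t:dbus send_msg;`, or, if unconfined_t should be able to answer both cups domains, mirror the preceding line with `allow unconfined_t { cupsd_config_t cupsd_t }:dbus send_msg;`. The quoted block that the following `')` closes begins outside the hunk.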
@@ -155,7 +183,23 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.14/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/hotplug.te	2005-05-02 14:57:26.000000000 -0400
++++ policy-1.23.14/domains/program/unused/hotplug.te	2005-05-05 16:30:39.000000000 -0400
+@@ -23,13 +23,13 @@
+ allow hotplug_t self:unix_stream_socket create_socket_perms;
+ allow hotplug_t self:udp_socket create_socket_perms;
+ 
+-read_sysctl(hotplug_t)
++can_sysctl(hotplug_t)
+ allow hotplug_t sysctl_net_t:dir r_dir_perms;
+ allow hotplug_t sysctl_net_t:file { getattr read };
+ 
+ # get info from /proc
+ r_dir_file(hotplug_t, proc_t)
+-allow hotplug_t self:file { getattr read };
++allow hotplug_t self:file { getattr read ioctl };
+ 
+ allow hotplug_t devtty_t:chr_file rw_file_perms;
+ 
 @@ -156,4 +156,4 @@
  domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
  ')
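Review bot: Replacing `read_sysctl(hotplug_t)` with `can_sysctl(hotplug_t)` widens hotplug from reading sysctls to, judging by the macro name, writing them as well, and the hunk gives no hint of which sysctl hotplug needs to set. The two explicit `sysctl_net_t` read rules that follow are then likely redundant, so a comment stating the reason would help: `# hotplug scripts write sysctls (TODO: name which ones, and narrow to that sysctl type if possible)`. The body of can_sysctl is not visible on this page, so the exact scope is inferred from its name, and the rest of hotplug.te lies outside the hunk.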
@@ -211,6 +255,43 @@
 -allow initrc_t pam_var_console_t:dir r_dir_perms;
 +allow initrc_t pam_var_console_t:dir rw_dir_perms;
  allow pam_console_t file_context_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.23.14/domains/program/unused/postfix.te
+--- nsapolicy/domains/program/unused/postfix.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.14/domains/program/unused/postfix.te	2005-05-05 15:10:42.000000000 -0400
+@@ -180,6 +180,7 @@
+ # for OpenSSL certificates
+ r_dir_file(postfix_smtpd_t,usr_t)
+ allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
++allow postfix_smtpd_t self:file { getattr read };
+ 
+ # for prng_exch
+ allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.23.14/domains/program/unused/privoxy.te
+--- nsapolicy/domains/program/unused/privoxy.te	2005-04-27 10:28:52.000000000 -0400
++++ policy-1.23.14/domains/program/unused/privoxy.te	2005-05-03 10:27:27.000000000 -0400
+@@ -8,7 +8,7 @@
+ #
+ # Rules for the privoxy_t domain.
+ #
+-daemon_domain(privoxy)
++daemon_domain(privoxy, `, web_client_domain')
+ 
+ logdir_domain(privoxy)
+ 
+@@ -16,9 +16,10 @@
+ allow privoxy_t self:capability net_bind_service;
+ 
+ # Use the network.
+-can_network(privoxy_t)
+-allow privoxy_t port_type:tcp_socket name_connect;
+-allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
++can_network_tcp(privoxy_t)
++can_ypbind(privoxy_t)
++can_resolve(privoxy_t)
++allow privoxy_t http_cache_port_t:tcp_socket name_bind;
+ allow privoxy_t etc_t:file { getattr read };
+ allow privoxy_t self:capability { setgid setuid };
+ allow privoxy_t self:unix_stream_socket create_socket_perms ;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.14/domains/program/unused/udev.te
 --- nsapolicy/domains/program/unused/udev.te	2005-05-02 14:06:54.000000000 -0400
 +++ policy-1.23.14/domains/program/unused/udev.te	2005-05-02 14:57:26.000000000 -0400
@@ -293,7 +374,7 @@
 -/etc/rhgb(/.*)?		-d	system_u:object_r:mnt_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.14/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.14/file_contexts/types.fc	2005-05-02 14:57:26.000000000 -0400
++++ policy-1.23.14/file_contexts/types.fc	2005-05-05 15:00:35.000000000 -0400
 @@ -129,6 +129,7 @@
  /dev/nvram		-c	system_u:object_r:memory_device_t
  /dev/random		-c	system_u:object_r:random_device_t
@@ -302,6 +383,38 @@
  /dev/capi.*		-c	system_u:object_r:tty_device_t
  /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
  /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
+@@ -381,6 +382,7 @@
+ /usr/local/etc(/.*)?		system_u:object_r:etc_t
+ /usr/local/src(/.*)?		system_u:object_r:src_t
+ /usr/local/man(/.*)?		system_u:object_r:man_t
++/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
+ 
+ #
+ # /usr/X11R6/man
+diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.23.14/fs_use
+--- nsapolicy/fs_use	2005-03-15 08:02:23.000000000 -0500
++++ policy-1.23.14/fs_use	2005-05-03 08:38:23.000000000 -0400
+@@ -8,6 +8,7 @@
+ fs_use_xattr ext3 system_u:object_r:fs_t;
+ fs_use_xattr xfs system_u:object_r:fs_t;
+ fs_use_xattr jfs system_u:object_r:fs_t;
++fs_use_xattr reiserfs system_u:object_r:fs_t;
+ 
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.23.14/genfs_contexts
+--- nsapolicy/genfs_contexts	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.14/genfs_contexts	2005-05-03 08:37:51.000000000 -0400
+@@ -91,8 +91,7 @@
+ genfscon nfs4 /				system_u:object_r:nfs_t
+ genfscon afs /				system_u:object_r:nfs_t
+ 
+-# reiserfs - until xattr security support works properly
+-genfscon reiserfs /			system_u:object_r:nfs_t
++genfscon debugfs /			system_u:object_r:debugfs_t
+ 
+ # needs more work
+ genfscon eventpollfs / system_u:object_r:eventpollfs_t
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.23.14/macros/core_macros.te
 --- nsapolicy/macros/core_macros.te	2005-05-02 14:06:57.000000000 -0400
 +++ policy-1.23.14/macros/core_macros.te	2005-05-02 14:57:26.000000000 -0400
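Review bot: Moving reiserfs from `genfscon reiserfs / system_u:object_r:nfs_t` to `fs_use_xattr reiserfs` drops the only comment that explained the old arrangement ("until xattr security support works properly"), and the added fs_use line carries no note of what changed. A one-line comment beside it would preserve that history, e.g. `# reiserfs: switched from genfscon (nfs_t) to per-inode xattr labelling -- TODO note the kernel version that supports it`. The added debugfs genfscon and the `/usr/local/.*\.so` shlib_t file context look consistent with their neighbours.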
@@ -313,6 +426,74 @@
  allow $1 self:dir search;
  allow $1 self:file { getattr read };
  # Access selinuxfs.
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.14/macros/program/games_domain.te
+--- nsapolicy/macros/program/games_domain.te	2005-04-27 10:28:54.000000000 -0400
++++ policy-1.23.14/macros/program/games_domain.te	2005-05-05 15:10:05.000000000 -0400
+@@ -17,11 +17,14 @@
+ if (! disable_games_trans) {
+ domain_auto_trans($1_t, games_exec_t, $1_games_t)
+ }
++can_exec($1_games_t, games_exec_t)
+ role $1_r types $1_games_t;
+ 
++can_create_pty($1_games)
++
+ # X access, /tmp files
+ x_client_domain($1_games, $1)
+-tmp_domain($1_games)
++tmp_domain($1_games, `', { dir notdevfile_class_set })
+ 
+ uses_shlib($1_games_t)
+ read_locale($1_games_t)
+@@ -36,6 +39,10 @@
+ allow $1_games_t self:process execmem;
+ }
+ 
++if (allow_execmod) {
++allow $1_games_t texrel_shlib_t:file execmod;
++}
++
+ allow $1_games_t var_t:dir { search getattr };
+ rw_dir_create_file($1_games_t, games_data_t)
+ allow $1_games_t sound_device_t:chr_file rw_file_perms;
+@@ -65,8 +72,8 @@
+ 
+ allow $1_games_t var_lib_t:dir search;
+ r_dir_file($1_games_t, man_t)
+-allow $1_games_t proc_t:dir search;
+-allow $1_games_t proc_t:file { read getattr };
++allow $1_games_t { proc_t self }:dir search;
++allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
+ ifdef(`mozilla.te', ` 
+ dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
+ ')
+@@ -75,15 +82,23 @@
+ allow $1_games_t self:file { getattr read };
+ allow $1_games_t self:fifo_file rw_file_perms;
+ 
+-# kpat spews errors
+-dontaudit $1_games_t bin_t:dir getattr;
++allow $1_games_t self:sem create_sem_perms;
++
++allow $1_games_t { bin_t sbin_t }:dir { getattr search };
++can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
++allow $1_games_t bin_t:lnk_file read;
++
+ dontaudit $1_games_t var_run_t:dir search;
++dontaudit $1_games_t initrc_var_run_t:file { read write };
++dontaudit $1_games_t var_log_t:dir search;
+ 
+ # Allow games to read /etc/mtab and /etc/nsswitch.conf
+ allow $1_games_t etc_t:file { getattr read };
+ allow $1_games_t etc_runtime_t:file { getattr read };
+ 
+-# 
++can_network($1_games_t)
++allow $1_games_t port_t:tcp_socket name_bind;
++allow $1_games_t port_t:tcp_socket name_connect;
+ 
+ ')dnl end macro definition
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.23.14/macros/program/su_macros.te
 --- nsapolicy/macros/program/su_macros.te	2005-05-02 14:06:57.000000000 -0400
 +++ policy-1.23.14/macros/program/su_macros.te	2005-05-02 14:57:26.000000000 -0400
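Review bot: `can_network($1_games_t)` with `name_bind` and `name_connect` on `port_t` gives every user's games domain unrestricted network use plus the ability to listen on and connect to any unreserved port, replacing what was only an empty `# ` comment, with no note of which game needs it. Together with the new `can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })` this brings $1_games_t close to the capability of the parent $1_t, which undercuts the reason for a separate games domain. A comment such as `# network play (TODO: name the games) needs bind/connect on port_t`, and gating the three network lines behind a boolean in the style of the `allow_execmod` block earlier in this hunk, would keep the default tighter. The games_domain macro definition begins outside the hunk.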
@@ -337,6 +518,18 @@
  ') dnl end su_restricted_domain
  
  define(`su_mini_domain', `
+diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.14/Makefile
+--- nsapolicy/Makefile	2005-04-20 15:40:34.000000000 -0400
++++ policy-1.23.14/Makefile	2005-05-03 08:38:52.000000000 -0400
+@@ -196,7 +196,7 @@
+ 	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
+ 	mv $@.tmp $@
+ 
+-FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
++FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
+ 
+ checklabels: $(SETFILES)
+ 	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.14/net_contexts
 --- nsapolicy/net_contexts	2005-05-02 14:06:54.000000000 -0400
 +++ policy-1.23.14/net_contexts	2005-05-02 14:57:26.000000000 -0400
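Review bot: The new FILESYSTEMS awk pattern mixes alternatives with and without trailing spaces, `(ext[23]| xfs| jfs | reiserfs )`, so `jfs` and `reiserfs` now require a following space while `ext[23]` and `xfs` do not; it works against mount output (`type jfs (rw,...)`) but the anchoring reads as accidental. Writing every alternative the same way, ` (ext[23]|xfs|jfs|reiserfs) .*rw`, states the intent plainly. Adding reiserfs here is consistent with the fs_use_xattr change elsewhere in this commit.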
@@ -375,7 +568,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.14/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-04-14 15:01:54.000000000 -0400
-+++ policy-1.23.14/tunables/tunable.tun	2005-05-02 14:57:26.000000000 -0400
++++ policy-1.23.14/tunables/tunable.tun	2005-05-05 15:16:58.000000000 -0400
 @@ -2,7 +2,7 @@
  dnl define(`user_can_mount')
  
@@ -385,7 +578,7 @@
  
  # Allow privileged utilities like hotplug and insmod to run unconfined.
  dnl define(`unlimitedUtils')
-@@ -20,11 +20,11 @@
+@@ -20,7 +20,7 @@
  
  # Do not audit things that we know to be broken but which
  # are not security risks
@@ -394,8 +587,22 @@
  
  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
  # Otherwise, only staff_r can do so.
--dnl define(`user_canbe_sysadm')
-+define(`user_canbe_sysadm')
+diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.14/types/file.te
+--- nsapolicy/types/file.te	2005-04-27 10:28:56.000000000 -0400
++++ policy-1.23.14/types/file.te	2005-05-03 07:58:12.000000000 -0400
+@@ -312,6 +312,9 @@
+ type cifs_t, fs_type, noexattrfile, sysadmfile;
+ allow cifs_t self:filesystem associate;
  
- # Allow xinetd to run unconfined, including any services it starts
- # that do not have a domain transition explicitly defined.
++type debugfs_t, fs_type, sysadmfile;
++allow debugfs_t self:filesystem associate;
++
+ # removable_t is the default type of all removable media
+ type removable_t, file_type, sysadmfile, usercanread;
+ allow removable_t self:filesystem associate;
+@@ -320,3 +323,5 @@
+ 
+ # Type for anonymous FTP data, used by ftp and rsync
+ type ftpd_anon_t, file_type, sysadmfile, customizable;
++
++
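Review bot: The new `type debugfs_t, fs_type, sysadmfile;` is the only filesystem type in this stretch without an explanatory comment, while the neighbouring removable_t entry has one, and the hunk also appends two empty lines at the end of types/file.te that serve no purpose. Add a comment above the type, e.g. `# debugfs_t: kernel debugfs, labelled as a whole via genfs_contexts; sysadmfile only`, and drop the trailing blank lines. Whether any domain other than sysadm needs debugfs access is not visible from this hunk.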


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.299
retrieving revision 1.300
diff -u -r1.299 -r1.300
--- selinux-policy-strict.spec	2 May 2005 20:16:36 -0000	1.299
+++ selinux-policy-strict.spec	6 May 2005 02:37:12 -0000	1.300
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.14
-Release: 2
+Release: 3
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -220,6 +220,11 @@
 exit 0
 
 %changelog
+* Thu May 5 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-3
+- Add debugfs
+- Add Russell fixes for restorecon, games
+- Turn off user_canbe_sysadm
+
 * Mon May 2 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-2
 - Allow all domains on ppc execmem priv, otherwise it crashes
 



