rpms/selinux-policy-strict/devel .cvsignore, 1.111, 1.112 policy-20050502.patch, 1.6, 1.7 selinux-policy-strict.spec, 1.300, 1.301

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Sat May 7 04:52:39 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv29190

Modified Files:
	.cvsignore policy-20050502.patch selinux-policy-strict.spec 
Log Message:
* Fri May 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-1
- Update from NSA
	* Added tripwire and yam policy from David Hampton.
	* Merged minor fixes to amavid and a clarification to the
	httpdcontent attribute comments from David Hampton.
	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
	games, and postfix from Russell Coker.  Adds support for debugfs.
	Restores support for reiserfs.  Allows udev to work with tmpfs_t
	before /dev is labeled.  Removes transition from sysadm_t
	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
	cleanups and fixes.



Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/.cvsignore,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- .cvsignore	2 May 2005 19:02:31 -0000	1.111
+++ .cvsignore	7 May 2005 04:52:36 -0000	1.112
@@ -77,3 +77,4 @@
 policy-1.23.12.tgz
 policy-1.23.13.tgz
 policy-1.23.14.tgz
+policy-1.23.15.tgz

policy-20050502.patch:
 domains/program/unused/amanda.te  |    2 +-
 domains/program/unused/cups.te    |    4 +++-
 domains/program/unused/hald.te    |    2 +-
 domains/program/unused/hotplug.te |    4 ++--
 domains/program/unused/kudzu.te   |    1 -
 domains/program/unused/mysqld.te  |    2 +-
 targeted/domains/unconfined.te    |    5 +++++
 tunables/distro.tun               |    2 +-
 tunables/tunable.tun              |    4 ++--
 9 files changed, 16 insertions(+), 10 deletions(-)

Index: policy-20050502.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050502.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20050502.patch	6 May 2005 03:11:58 -0000	1.6
+++ policy-20050502.patch	7 May 2005 04:52:36 -0000	1.7
@@ -1,125 +1,19 @@
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.14/domains/misc/kernel.te
---- nsapolicy/domains/misc/kernel.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/misc/kernel.te	2005-05-02 14:57:26.000000000 -0400
-@@ -36,6 +36,7 @@
- 
- # Send signal to any process.
- allow kernel_t domain:process signal;
-+allow kernel_t domain:dir search;
- 
- # Access the console.
- allow kernel_t device_t:dir search;
-@@ -50,6 +51,7 @@
- allow kernel_t self:capability sys_chroot;
- 
- allow kernel_t { unlabeled_t root_t file_t }:dir mounton;
-+allow kernel_t unlabeled_t:fifo_file rw_file_perms;
- allow kernel_t file_t:dir rw_dir_perms;
- allow kernel_t file_t:blk_file create_file_perms;
- allow kernel_t { sysctl_t sysctl_kernel_t }:file { setattr rw_file_perms };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.23.14/domains/program/ifconfig.te
---- nsapolicy/domains/program/ifconfig.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.14/domains/program/ifconfig.te	2005-05-02 14:57:26.000000000 -0400
-@@ -21,7 +21,9 @@
- general_domain_access(ifconfig_t)
- 
- domain_auto_trans(initrc_t, ifconfig_exec_t, ifconfig_t)
-+ifdef(`targeted_policy', `', `
- domain_auto_trans(sysadm_t, ifconfig_exec_t, ifconfig_t)
-+')
- 
- # for /sbin/ip
- allow ifconfig_t self:netlink_route_socket rw_netlink_socket_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.14/domains/program/modutil.te
---- nsapolicy/domains/program/modutil.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.14/domains/program/modutil.te	2005-05-02 14:57:26.000000000 -0400
-@@ -143,7 +143,7 @@
- allow insmod_t proc_t:dir search;
- allow insmod_t sysctl_kernel_t:file { setattr rw_file_perms };
- 
--allow insmod_t proc_t:file { getattr read };
-+allow insmod_t proc_t:file rw_file_perms;
- allow insmod_t proc_t:lnk_file read;
- 
- # Write to /proc/mtrr.
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.23.14/domains/program/restorecon.te
---- nsapolicy/domains/program/restorecon.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.14/domains/program/restorecon.te	2005-05-05 15:11:06.000000000 -0400
-@@ -20,7 +20,7 @@
- role secadm_r types restorecon_t;
- 
- allow restorecon_t initrc_devpts_t:chr_file { read write ioctl };
--allow restorecon_t { tty_device_t admin_tty_type }:chr_file { read write ioctl };
-+allow restorecon_t { tty_device_t admin_tty_type devtty_t }:chr_file { read write ioctl };
- 
- domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
- allow restorecon_t { userdomain init_t privfd }:fd use;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.23.14/domains/program/unused/apmd.te
---- nsapolicy/domains/program/unused/apmd.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/apmd.te	2005-05-02 14:57:26.000000000 -0400
-@@ -31,7 +31,7 @@
- 
- allow apmd_t device_t:lnk_file read;
- allow apmd_t proc_t:file { getattr read };
--read_sysctl(apmd_t)
-+can_sysctl(apmd_t)
- allow apmd_t self:unix_dgram_socket create_socket_perms;
- allow apmd_t self:unix_stream_socket create_stream_socket_perms;
- allow apmd_t self:fifo_file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.14/domains/program/unused/auditd.te
---- nsapolicy/domains/program/unused/auditd.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/auditd.te	2005-05-02 14:57:26.000000000 -0400
-@@ -56,3 +56,4 @@
- allow auditctl_t sysctl_kernel_t:file read;
- allow auditd_t self:process setsched;
- dontaudit auditctl_t init_t:fd use; 
-+allow auditctl_t initrc_devpts_t:chr_file { read write };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.23.14/domains/program/unused/automount.te
---- nsapolicy/domains/program/unused/automount.te	2005-04-27 10:28:49.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/automount.te	2005-05-02 14:57:26.000000000 -0400
-@@ -26,7 +26,7 @@
- allow automount_t { etc_t etc_runtime_t }:file { getattr read };
- allow automount_t proc_t:file { getattr read };
- allow automount_t self:process { setpgid setsched };
--allow automount_t self:capability sys_nice;
-+allow automount_t self:capability { sys_nice dac_override };
- allow automount_t self:unix_stream_socket create_socket_perms;
- allow automount_t self:unix_dgram_socket create_socket_perms;
- 
-@@ -66,4 +66,9 @@
- allow automount_t home_root_t:dir getattr;
- allow automount_t mnt_t:dir { getattr search };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.14/domains/program/unused/amanda.te
+--- nsapolicy/domains/program/unused/amanda.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.14/domains/program/unused/amanda.te	2005-05-06 12:40:27.000000000 -0400
+@@ -303,7 +303,7 @@
+ 
+ allow amanda_t file_type:dir {getattr read search };
+ allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
+-allow amanda_t fixed_disk_device_t:blk_file getattr;
++allow amanda_t device_type:{ blk_file chr_file } getattr;
+ dontaudit amanda_t file_type:sock_file getattr;
+ logdir_domain(amanda)
  
--allow initrc_t automount_etc_t:file { getattr read };
-+can_exec(initrc_t, automount_etc_t)
-+
-+# Need something like the following
-+# file_type_auto_trans(automount_t, file_type, automount_tmp_t, dir)
-+
-+
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/consoletype.te policy-1.23.14/domains/program/unused/consoletype.te
---- nsapolicy/domains/program/unused/consoletype.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/consoletype.te	2005-05-02 14:57:26.000000000 -0400
-@@ -57,6 +57,7 @@
- ifdef(`firstboot.te', `
- allow consoletype_t firstboot_t:fifo_file write;
- ')
-+dontaudit consoletype_t proc_t:dir search;
- dontaudit consoletype_t proc_t:file read;
- dontaudit consoletype_t root_t:file read;
- allow consoletype_t crond_t:fifo_file { read getattr ioctl };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
---- nsapolicy/domains/program/unused/cups.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/cups.te	2005-05-05 22:55:11.000000000 -0400
-@@ -22,6 +22,7 @@
- logdir_domain(cupsd)
- 
- tmp_domain(cupsd)
-+file_type_auto_trans(cupsd_t, tmp_t, cupsd_tmp_t, fifo_file)
- 
- allow cupsd_t devpts_t:dir search;
- 
-@@ -202,6 +203,7 @@
+--- nsapolicy/domains/program/unused/cups.te	2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.14/domains/program/unused/cups.te	2005-05-06 08:31:46.000000000 -0400
+@@ -202,6 +202,7 @@
  rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
  rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
  file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
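Review bot: The amanda.te part of this hunk replaces a single-type rule with an attribute-wide one, `allow amanda_t device_type:{ blk_file chr_file } getattr;`, and nothing in the patch says why the scope grew from fixed_disk_device_t to every device type. The new rule stops at getattr, which is narrower than the `{getattr read}` the preceding file_type rule grants on chr_file and blk_file, and that limit looks deliberate; a comment above the rule such as `# getattr only: amanda presumably needs to stat device nodes, not open them` would keep a later "fix" from widening it to read. The rebased file headers in this hunk still name `policy-1.23.14/` as the patched tree and carry a timestamp older than the `nsapolicy/` side even though the spec moves to 1.23.15; harmless if the leading path component is stripped when applying, but misleading for the next rebase.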
@@ -127,18 +21,7 @@
  
  can_network_tcp(cupsd_config_t)
  can_ypbind(cupsd_config_t)
-@@ -246,8 +248,9 @@
- allow cupsd_config_t logrotate_t:fd use;
- ')dnl end if logrotate.te
- allow cupsd_config_t system_crond_t:fd use;
--allow cupsd_config_t crond_t:fifo_file read;
-+allow cupsd_config_t crond_t:fifo_file r_file_perms;
- allow cupsd_t crond_t:fifo_file read;
-+allow cupsd_t crond_t:fd use;
- 
- # Alternatives asks for this
- allow cupsd_config_t initrc_exec_t:file getattr;
-@@ -256,5 +259,6 @@
+@@ -257,5 +258,6 @@
  can_unix_connect(cupsd_t, initrc_t)
  allow cupsd_t initrc_t:dbus send_msg;
  allow initrc_t cupsd_t:dbus send_msg;
@@ -147,23 +30,8 @@
 +allow unconfined_t cupsd_config_t:dbus send_msg;
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.14/domains/program/unused/hald.te
---- nsapolicy/domains/program/unused/hald.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/hald.te	2005-05-02 14:57:26.000000000 -0400
-@@ -10,12 +10,12 @@
- #
- # hald_exec_t is the type of the hald executable.
- #
--daemon_domain(hald, `, fs_domain, nscd_client_domain')
-+daemon_domain(hald, `, fs_domain, nscd_client_domain, privmem')
- 
- can_exec_any(hald_t)
- 
- allow hald_t { etc_t etc_runtime_t }:file { getattr read };
--allow hald_t self:unix_stream_socket create_stream_socket_perms;
-+allow hald_t self:unix_stream_socket { connectto create_stream_socket_perms };
- allow hald_t self:unix_dgram_socket create_socket_perms;
- 
- ifdef(`dbusd.te', `
+--- nsapolicy/domains/program/unused/hald.te	2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.14/domains/program/unused/hald.te	2005-05-06 08:37:26.000000000 -0400
 @@ -36,7 +36,7 @@
  
  allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -173,16 +41,8 @@
  can_network_server(hald_t)
  can_ypbind(hald_t)
  
-@@ -47,6 +47,7 @@
- allow hald_t printer_device_t:chr_file rw_file_perms;
- allow hald_t urandom_device_t:chr_file read;
- allow hald_t mouse_device_t:chr_file r_file_perms;
-+allow hald_t memory_device_t:chr_file r_file_perms;
- 
- can_getsecurity(hald_t)
- 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.14/domains/program/unused/hotplug.te
---- nsapolicy/domains/program/unused/hotplug.te	2005-05-02 14:06:54.000000000 -0400
+--- nsapolicy/domains/program/unused/hotplug.te	2005-05-07 00:41:09.000000000 -0400
 +++ policy-1.23.14/domains/program/unused/hotplug.te	2005-05-05 23:07:49.000000000 -0400
 @@ -29,7 +29,7 @@
  
@@ -202,51 +62,17 @@
  allow hotplug_t sysfs_t:file { getattr read };
  allow hotplug_t sysfs_t:lnk_file { getattr read };
  allow hotplug_t udev_runtime_t:file rw_file_perms;
-@@ -156,4 +156,4 @@
- domain_auto_trans(hotplug_t, sendmail_exec_t, system_mail_t) 
- ')
- 
--allow kernel_t hotplug_etc_t:dir search;
-+allow { insmod_t kernel_t } hotplug_etc_t:dir { search getattr };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/i18n_input.te policy-1.23.14/domains/program/unused/i18n_input.te
---- nsapolicy/domains/program/unused/i18n_input.te	2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/i18n_input.te	2005-05-02 14:57:26.000000000 -0400
-@@ -14,6 +14,7 @@
- can_ypbind(i18n_input_t)
- 
- can_tcp_connect(userdomain, i18n_input_t)
-+can_unix_connect(i18n_input_t, initrc_t)
- 
- allow i18n_input_t self:fifo_file rw_file_perms;
- allow i18n_input_t i18n_input_port_t:tcp_socket name_bind;
-@@ -28,3 +29,4 @@
- allow i18n_input_t self:unix_stream_socket create_stream_socket_perms;
- allow i18n_input_t i18n_input_var_run_t:dir create_dir_perms;
- allow i18n_input_t i18n_input_var_run_t:sock_file create_file_perms;
-+allow i18n_input_t usr_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.14/domains/program/unused/kudzu.te
---- nsapolicy/domains/program/unused/kudzu.te	2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/kudzu.te	2005-05-02 14:57:26.000000000 -0400
-@@ -26,6 +26,7 @@
+--- nsapolicy/domains/program/unused/kudzu.te	2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.14/domains/program/unused/kudzu.te	2005-05-06 09:28:58.000000000 -0400
+@@ -26,7 +26,6 @@
  allow kudzu_t mouse_device_t:chr_file { read write };
  allow kudzu_t proc_net_t:dir r_dir_perms;
  allow kudzu_t { proc_net_t proc_t }:file { getattr read };
-+allow kudzu_t proc_t:lnk_file getattr;
+-allow kudzu_t proc_t:lnk_file getattr;
  allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
  allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
  allow kudzu_t { bin_t sbin_t }:dir { getattr search };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.23.14/domains/program/unused/lvm.te
---- nsapolicy/domains/program/unused/lvm.te	2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/lvm.te	2005-05-02 14:57:26.000000000 -0400
-@@ -112,7 +112,7 @@
- allow lvm_t lvm_control_t:chr_file rw_file_perms;
- allow initrc_t lvm_control_t:chr_file { getattr read unlink };
- allow initrc_t device_t:chr_file create;
--dontaudit lvm_t var_run_t:dir getattr;
-+var_run_domain(lvm)
- 
- # for when /usr is not mounted
- dontaudit lvm_t file_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.14/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-04-27 10:28:51.000000000 -0400
 +++ policy-1.23.14/domains/program/unused/mysqld.te	2005-05-05 22:42:20.000000000 -0400
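Review bot: The kudzu.te part of this hunk flips from adding `allow kudzu_t proc_t:lnk_file getattr;` to removing it (header now `@@ -26,7 +26,6 @@`), so the base tree the patch is rebased onto already carries that line and this revision takes it away again. The previous patch revision added it because kudzu evidently needed it, so dropping it presumably relies on the permission now being granted elsewhere, for example by a macro; if that is not the case, kudzu_t gets AVC denials on /proc symlinks again. A one-line note in the patch or the changelog stating why the rule is removed would make that assumption checkable.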
@@ -259,303 +85,6 @@
  
  allow mysqld_t proc_t:file { getattr read };
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.14/domains/program/unused/pamconsole.te
---- nsapolicy/domains/program/unused/pamconsole.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/pamconsole.te	2005-05-02 14:57:26.000000000 -0400
-@@ -45,5 +45,5 @@
- ifdef(`xdm.te', `
- allow pam_console_t xdm_var_run_t:file { getattr read };
- ')
--allow initrc_t pam_var_console_t:dir r_dir_perms;
-+allow initrc_t pam_var_console_t:dir rw_dir_perms;
- allow pam_console_t file_context_t:file { getattr read };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.23.14/domains/program/unused/postfix.te
---- nsapolicy/domains/program/unused/postfix.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/postfix.te	2005-05-05 15:10:42.000000000 -0400
-@@ -180,6 +180,7 @@
- # for OpenSSL certificates
- r_dir_file(postfix_smtpd_t,usr_t)
- allow postfix_smtpd_t etc_aliases_t:file r_file_perms;
-+allow postfix_smtpd_t self:file { getattr read };
- 
- # for prng_exch
- allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/privoxy.te policy-1.23.14/domains/program/unused/privoxy.te
---- nsapolicy/domains/program/unused/privoxy.te	2005-04-27 10:28:52.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/privoxy.te	2005-05-03 10:27:27.000000000 -0400
-@@ -8,7 +8,7 @@
- #
- # Rules for the privoxy_t domain.
- #
--daemon_domain(privoxy)
-+daemon_domain(privoxy, `, web_client_domain')
- 
- logdir_domain(privoxy)
- 
-@@ -16,9 +16,10 @@
- allow privoxy_t self:capability net_bind_service;
- 
- # Use the network.
--can_network(privoxy_t)
--allow privoxy_t port_type:tcp_socket name_connect;
--allow privoxy_t port_t:{ tcp_socket udp_socket } name_bind;
-+can_network_tcp(privoxy_t)
-+can_ypbind(privoxy_t)
-+can_resolve(privoxy_t)
-+allow privoxy_t http_cache_port_t:tcp_socket name_bind;
- allow privoxy_t etc_t:file { getattr read };
- allow privoxy_t self:capability { setgid setuid };
- allow privoxy_t self:unix_stream_socket create_socket_perms ;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.14/domains/program/unused/udev.te
---- nsapolicy/domains/program/unused/udev.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/udev.te	2005-05-02 14:57:26.000000000 -0400
-@@ -38,8 +38,8 @@
- allow udev_t device_t:lnk_file create_lnk_perms;
- allow udev_t { device_t device_type }:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
- ifdef(`distro_redhat', `
--allow udev_t tmpfs_t:dir rw_dir_perms;
--allow udev_t tmpfs_t:sock_file create_file_perms;
-+allow udev_t tmpfs_t:dir create_dir_perms;
-+allow udev_t tmpfs_t:{ sock_file file } create_file_perms;
- allow udev_t tmpfs_t:lnk_file create_lnk_perms;
- allow udev_t tmpfs_t:{ chr_file blk_file } { relabelfrom relabelto create_file_perms };
- allow udev_t tmpfs_t:dir search;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/updfstab.te policy-1.23.14/domains/program/unused/updfstab.te
---- nsapolicy/domains/program/unused/updfstab.te	2005-04-27 10:28:53.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/updfstab.te	2005-05-02 14:57:26.000000000 -0400
-@@ -31,6 +31,8 @@
- ifdef(`dbusd.te', `
- dbusd_client(system, updfstab)
- allow updfstab_t system_dbusd_t:dbus { send_msg };
-+allow initrc_t updfstab_t:dbus send_msg;
-+allow updfstab_t initrc_t:dbus send_msg;
- ')
- 
- # not sure what the sysctl_kernel_t file is, or why it wants to write it, so
-@@ -73,3 +75,7 @@
- dontaudit updfstab_t { home_dir_type home_type }:dir search;
- allow updfstab_t fs_t:filesystem { getattr };
- allow updfstab_t tmpfs_t:dir getattr;
-+ifdef(`hald.te', `
-+can_unix_connect(updfstab_t, hald_t)
-+')
-+
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.14/domains/program/unused/xdm.te
---- nsapolicy/domains/program/unused/xdm.te	2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/xdm.te	2005-05-02 14:57:26.000000000 -0400
-@@ -344,3 +344,4 @@
- 
- # Run telinit->init to shutdown.
- can_exec(xdm_t, init_exec_t)
-+allow xdm_t self:sem create_sem_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xserver.te policy-1.23.14/domains/program/unused/xserver.te
---- nsapolicy/domains/program/unused/xserver.te	2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/xserver.te	2005-05-02 14:57:26.000000000 -0400
-@@ -20,3 +20,4 @@
- # Everything else is in the xserver_domain macro in
- # macros/program/xserver_macros.te.
- 
-+allow initrc_t xserver_log_t:fifo_file { read write };
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.14/file_contexts/distros.fc
---- nsapolicy/file_contexts/distros.fc	2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.14/file_contexts/distros.fc	2005-05-02 14:57:26.000000000 -0400
-@@ -37,7 +37,8 @@
- /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
- /usr/share/ssl/certs(/.*)?		system_u:object_r:cert_t
- /usr/share/ssl/private(/.*)?		system_u:object_r:cert_t
--/etc/pki(/.*)?		system_u:object_r:cert_t
-+/etc/pki(/.*)?				system_u:object_r:cert_t
-+/etc/rhgb(/.*)?		-d		system_u:object_r:mnt_t
- /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
- #
- # /emul/ia32-linux/usr
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.23.14/file_contexts/program/cups.fc
---- nsapolicy/file_contexts/program/cups.fc	2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.14/file_contexts/program/cups.fc	2005-05-02 14:57:26.000000000 -0400
-@@ -25,6 +25,7 @@
- /usr/sbin/printconf-backend --	system_u:object_r:cupsd_config_exec_t
- ')
- /var/log/cups(/.*)?		system_u:object_r:cupsd_log_t
-+/var/log/turboprint_cups\.log.* -- system_u:object_r:cupsd_log_t
- /var/spool/cups(/.*)?		system_u:object_r:print_spool_t
- /var/run/cups/printcap	--	system_u:object_r:cupsd_var_run_t
- /usr/lib(64)?/cups/filter/.*	--	system_u:object_r:bin_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rhgb.fc policy-1.23.14/file_contexts/program/rhgb.fc
---- nsapolicy/file_contexts/program/rhgb.fc	2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.14/file_contexts/program/rhgb.fc	2005-05-02 14:57:26.000000000 -0400
-@@ -1,2 +1 @@
- /usr/bin/rhgb		--	system_u:object_r:rhgb_exec_t
--/etc/rhgb(/.*)?		-d	system_u:object_r:mnt_t
-diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.14/file_contexts/types.fc
---- nsapolicy/file_contexts/types.fc	2005-05-02 14:06:56.000000000 -0400
-+++ policy-1.23.14/file_contexts/types.fc	2005-05-05 15:00:35.000000000 -0400
-@@ -129,6 +129,7 @@
- /dev/nvram		-c	system_u:object_r:memory_device_t
- /dev/random		-c	system_u:object_r:random_device_t
- /dev/urandom		-c	system_u:object_r:urandom_device_t
-+/dev/adb.*		-c	system_u:object_r:tty_device_t
- /dev/capi.*		-c	system_u:object_r:tty_device_t
- /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
- /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
-@@ -381,6 +382,7 @@
- /usr/local/etc(/.*)?		system_u:object_r:etc_t
- /usr/local/src(/.*)?		system_u:object_r:src_t
- /usr/local/man(/.*)?		system_u:object_r:man_t
-+/usr/local/.*\.so(\.[^/]*)*	--	system_u:object_r:shlib_t
- 
- #
- # /usr/X11R6/man
-diff --exclude-from=exclude -N -u -r nsapolicy/fs_use policy-1.23.14/fs_use
---- nsapolicy/fs_use	2005-03-15 08:02:23.000000000 -0500
-+++ policy-1.23.14/fs_use	2005-05-03 08:38:23.000000000 -0400
-@@ -8,6 +8,7 @@
- fs_use_xattr ext3 system_u:object_r:fs_t;
- fs_use_xattr xfs system_u:object_r:fs_t;
- fs_use_xattr jfs system_u:object_r:fs_t;
-+fs_use_xattr reiserfs system_u:object_r:fs_t;
- 
- # Use the allocating task SID to label inodes in the following filesystem
- # types, and label the filesystem itself with the specified context.
-diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.23.14/genfs_contexts
---- nsapolicy/genfs_contexts	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.14/genfs_contexts	2005-05-03 08:37:51.000000000 -0400
-@@ -91,8 +91,7 @@
- genfscon nfs4 /				system_u:object_r:nfs_t
- genfscon afs /				system_u:object_r:nfs_t
- 
--# reiserfs - until xattr security support works properly
--genfscon reiserfs /			system_u:object_r:nfs_t
-+genfscon debugfs /			system_u:object_r:debugfs_t
- 
- # needs more work
- genfscon eventpollfs / system_u:object_r:eventpollfs_t
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/core_macros.te policy-1.23.14/macros/core_macros.te
---- nsapolicy/macros/core_macros.te	2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.14/macros/core_macros.te	2005-05-02 14:57:26.000000000 -0400
-@@ -341,7 +341,6 @@
- # Get the selinuxfs mount point via /proc/self/mounts.
- allow $1 proc_t:dir search;
- allow $1 proc_t:lnk_file read;
--allow $1 proc_t:file { getattr read };
- allow $1 self:dir search;
- allow $1 self:file { getattr read };
- # Access selinuxfs.
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.14/macros/program/games_domain.te
---- nsapolicy/macros/program/games_domain.te	2005-04-27 10:28:54.000000000 -0400
-+++ policy-1.23.14/macros/program/games_domain.te	2005-05-05 15:10:05.000000000 -0400
-@@ -17,11 +17,14 @@
- if (! disable_games_trans) {
- domain_auto_trans($1_t, games_exec_t, $1_games_t)
- }
-+can_exec($1_games_t, games_exec_t)
- role $1_r types $1_games_t;
- 
-+can_create_pty($1_games)
-+
- # X access, /tmp files
- x_client_domain($1_games, $1)
--tmp_domain($1_games)
-+tmp_domain($1_games, `', { dir notdevfile_class_set })
- 
- uses_shlib($1_games_t)
- read_locale($1_games_t)
-@@ -36,6 +39,10 @@
- allow $1_games_t self:process execmem;
- }
- 
-+if (allow_execmod) {
-+allow $1_games_t texrel_shlib_t:file execmod;
-+}
-+
- allow $1_games_t var_t:dir { search getattr };
- rw_dir_create_file($1_games_t, games_data_t)
- allow $1_games_t sound_device_t:chr_file rw_file_perms;
-@@ -65,8 +72,8 @@
- 
- allow $1_games_t var_lib_t:dir search;
- r_dir_file($1_games_t, man_t)
--allow $1_games_t proc_t:dir search;
--allow $1_games_t proc_t:file { read getattr };
-+allow $1_games_t { proc_t self }:dir search;
-+allow $1_games_t { proc_t self }:{ file lnk_file } { read getattr };
- ifdef(`mozilla.te', ` 
- dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
- ')
-@@ -75,15 +82,23 @@
- allow $1_games_t self:file { getattr read };
- allow $1_games_t self:fifo_file rw_file_perms;
- 
--# kpat spews errors
--dontaudit $1_games_t bin_t:dir getattr;
-+allow $1_games_t self:sem create_sem_perms;
-+
-+allow $1_games_t { bin_t sbin_t }:dir { getattr search };
-+can_exec($1_games_t, { shell_exec_t bin_t utempter_exec_t })
-+allow $1_games_t bin_t:lnk_file read;
-+
- dontaudit $1_games_t var_run_t:dir search;
-+dontaudit $1_games_t initrc_var_run_t:file { read write };
-+dontaudit $1_games_t var_log_t:dir search;
- 
- # Allow games to read /etc/mtab and /etc/nsswitch.conf
- allow $1_games_t etc_t:file { getattr read };
- allow $1_games_t etc_runtime_t:file { getattr read };
- 
--# 
-+can_network($1_games_t)
-+allow $1_games_t port_t:tcp_socket name_bind;
-+allow $1_games_t port_t:tcp_socket name_connect;
- 
- ')dnl end macro definition
- 
-diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/su_macros.te policy-1.23.14/macros/program/su_macros.te
---- nsapolicy/macros/program/su_macros.te	2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.14/macros/program/su_macros.te	2005-05-02 14:57:26.000000000 -0400
-@@ -61,7 +61,7 @@
- ')
- 
- # Use capabilities.
--allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
-+allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
- dontaudit $1_su_t self:capability sys_tty_config;
- #
- # Caused by su - init scripts
-@@ -90,9 +90,10 @@
- 
- ifdef(`chkpwd.te', `
- domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
--allow $1_su_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
- ')
- 
-+allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
-+
- ') dnl end su_restricted_domain
- 
- define(`su_mini_domain', `
-diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.14/Makefile
---- nsapolicy/Makefile	2005-04-20 15:40:34.000000000 -0400
-+++ policy-1.23.14/Makefile	2005-05-03 08:38:52.000000000 -0400
-@@ -196,7 +196,7 @@
- 	( cd domains/misc/ ; for n in *.te ; do echo "define(\`$$n')"; done ) >> $@.tmp
- 	mv $@.tmp $@
- 
--FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';`
-+FILESYSTEMS=`mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs | reiserfs ).*rw/{print $$3}';`
- 
- checklabels: $(SETFILES)
- 	$(SETFILES) -v -n $(FC) $(FILESYSTEMS)
-diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.14/net_contexts
---- nsapolicy/net_contexts	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/net_contexts	2005-05-02 14:57:26.000000000 -0400
-@@ -227,6 +227,8 @@
- portcon tcp 3128  system_u:object_r:http_cache_port_t
- portcon tcp 8080  system_u:object_r:http_cache_port_t
- portcon udp 3130  system_u:object_r:http_cache_port_t
-+# 8118 is for privoxy
-+portcon tcp 8118  system_u:object_r:http_cache_port_t
- 
- ifdef(`clockspeed.te', `portcon udp 4041 system_u:object_r:clockspeed_port_t')
- ifdef(`transproxy.te', `portcon tcp 8081 system_u:object_r:transproxy_port_t')
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.14/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-05-02 14:06:57.000000000 -0400
 +++ policy-1.23.14/targeted/domains/unconfined.te	2005-05-02 16:12:08.000000000 -0400
@@ -601,22 +130,3 @@
  
  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
  # Otherwise, only staff_r can do so.
-diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.14/types/file.te
---- nsapolicy/types/file.te	2005-04-27 10:28:56.000000000 -0400
-+++ policy-1.23.14/types/file.te	2005-05-03 07:58:12.000000000 -0400
-@@ -312,6 +312,9 @@
- type cifs_t, fs_type, noexattrfile, sysadmfile;
- allow cifs_t self:filesystem associate;
- 
-+type debugfs_t, fs_type, sysadmfile;
-+allow debugfs_t self:filesystem associate;
-+
- # removable_t is the default type of all removable media
- type removable_t, file_type, sysadmfile, usercanread;
- allow removable_t self:filesystem associate;
-@@ -320,3 +323,5 @@
- 
- # Type for anonymous FTP data, used by ftp and rsync
- type ftpd_anon_t, file_type, sysadmfile, customizable;
-+
-+


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.300
retrieving revision 1.301
diff -u -r1.300 -r1.301
--- selinux-policy-strict.spec	6 May 2005 02:37:12 -0000	1.300
+++ selinux-policy-strict.spec	7 May 2005 04:52:36 -0000	1.301
@@ -10,8 +10,8 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.23.14
-Release: 3
+Version: 1.23.15
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -48,7 +48,7 @@
 %build
 mv domains/misc/unused/* domains/misc
 mv domains/program/unused/* domains/program/
-(cd domains/program/; mv -f afs.te amavis.te asterisk.te audio-entropyd.te authbind.te backup.te calamaris.te ciped.te clamav.te clockspeed.te courier.te daemontools.te distcc.te djbdns.te dante.te dcc.te ddclient.te devfsd.te dnsmasq.te dpk* gatekeeper* gift.te imazesrv.te ircd.te jabberd.te lcd.te lrrd.te monopd.te nagios.te nessusd.te nrpe.te nsd.te nx_server.te oav-update.te openca-ca.te openvpn.te perdition.te portslave.te postgrey.te publicfile.te pyzor.te pxe.te qmail* razor.te resmgrd.te rssh.te scannerdaemon.te seuser* sound-server.te speedmgmt.te snort.te sxid.te tiny* transproxy.te ucspi-tcp.te uml_net* uptimed.te uwimapd.te watchdog.te xprint* unused/)
+(cd domains/program/; mv -f afs.te amavis.te asterisk.te audio-entropyd.te authbind.te backup.te calamaris.te ciped.te clamav.te clockspeed.te courier.te daemontools.te distcc.te djbdns.te dante.te dcc.te ddclient.te devfsd.te dnsmasq.te dpk* gatekeeper* gift.te imazesrv.te ircd.te jabberd.te lcd.te lrrd.te monopd.te nagios.te nessusd.te nrpe.te nsd.te nx_server.te oav-update.te openca-ca.te openvpn.te perdition.te portslave.te postgrey.te publicfile.te pyzor.te pxe.te qmail* razor.te resmgrd.te rssh.te scannerdaemon.te seuser* sound-server.te speedmgmt.te snort.te sxid.te tiny* transproxy.te tripwire.te ucspi-tcp.te uml_net* uptimed.te uwimapd.te watchdog.te xprint* yam.te unused/)
 make policy
 rm -rf tmp
 
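Review bot: tripwire.te and yam.te are appended to the `mv -f … unused/` list, and because the preceding `mv domains/program/unused/* domains/program/` first pulls every unused domain in, that list is exactly the set of domains excluded from the built strict policy, so both new policies ship disabled. The changelog line "Added tripwire and yam policy" reads as if they were active, and nothing in the spec says the list is an exclusion list. A comment above the mv, `# Domains listed below are moved back to unused/ and are NOT compiled into the policy`, would document this, and the changelog should say they are off by default. The single-line mv also turns every addition into a full-line rewrite; splitting it with backslash continuations would make future diffs reviewable.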
@@ -220,6 +220,19 @@
 exit 0
 
 %changelog
+* Fri May 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-1
+- Update from NSA
+	* Added tripwire and yam policy from David Hampton.
+	* Merged minor fixes to amavid and a clarification to the
+	httpdcontent attribute comments from David Hampton.
+	* Merged patch from Dan Walsh.  Includes fixes for restorecon,
+	games, and postfix from Russell Coker.  Adds support for debugfs.
+	Restores support for reiserfs.  Allows udev to work with tmpfs_t
+	before /dev is labled.  Removes transition from sysadm_t
+	(unconfined_t) to ifconfig_t for the targeted policy.  Other minor
+	cleanups and fixes.
+
+
 * Thu May 5 2005 Dan Walsh <dwalsh at redhat.com> 1.23.14-3
 - Add debugfs
 - Add Russell fixes for restorecon, games



