rpms/selinux-policy-strict/devel booleans, 1.10, 1.11 policy-20050502.patch, 1.9, 1.10 selinux-policy-strict.spec, 1.303, 1.304

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed May 11 12:25:17 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv13481

Modified Files:
	booleans policy-20050502.patch selinux-policy-strict.spec 
Log Message:
* Wed May 11 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-4
- Allow smbd to communicate with cups 
- fix some net_conf contexts
- Add a bunch of / files file_context 



Index: booleans
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/booleans,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- booleans	4 Apr 2005 15:41:36 -0000	1.10
+++ booleans	11 May 2005 12:25:14 -0000	1.11
@@ -21,3 +21,4 @@
 use_nfs_home_dirs=0
 allow_ypbind=0
 allow_kerberos=1
+allow_write_xhm=1
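Review bot: allow_write_xhm is switched on with no comment saying what it permits, and none of the hunks on this page define or reference it (the diffstat lists tunables/tunable.tun and macros/base_user_macros.te, where it may be consumed, but those hunks are not shown here). A boolean that defaults to 1 widens the policy on every install, so a reviewer needs to know what it grants; if this file accepts `#` comments, a one-liner above it such as `# allow_write_xhm: <what the boolean grants — TODO fill in>` would make that reviewable. The neighbouring booleans are equally undocumented, so this is a file-wide gap rather than a new one.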

policy-20050502.patch:
 assert.te                            |    8 -----
 attrib.te                            |    7 ++++
 domains/program/initrc.te            |    2 -
 domains/program/klogd.te             |    2 -
 domains/program/modutil.te           |    1 
 domains/program/passwd.te            |    1 
 domains/program/syslogd.te           |    8 +----
 domains/program/unused/amanda.te     |    2 -
 domains/program/unused/apache.te     |    3 -
 domains/program/unused/auditd.te     |    1 
 domains/program/unused/cups.te       |    5 +--
 domains/program/unused/hald.te       |    2 -
 domains/program/unused/hotplug.te    |    4 +-
 domains/program/unused/kudzu.te      |    3 +
 domains/program/unused/lvm.te        |    4 +-
 domains/program/unused/mysqld.te     |    2 -
 domains/program/unused/pamconsole.te |    1 
 domains/program/unused/rdisc.te      |   13 ++++++++
 domains/program/unused/samba.te      |    3 +
 domains/program/unused/xdm.te        |    7 +---
 file_contexts/program/initrc.fc      |    5 +++
 file_contexts/program/lvm.fc         |    1 
 file_contexts/program/ntpd.fc        |    4 +-
 file_contexts/program/rdisc.fc       |    1 
 file_contexts/program/traceroute.fc  |    1 
 macros/base_user_macros.te           |    9 +++++
 macros/global_macros.te              |   33 +++++++++++----------
 macros/program/gift_macros.te        |    6 ++-
 macros/program/gpg_agent_macros.te   |    3 -
 macros/program/mozilla_macros.te     |   54 +++++++++++++++++++++--------------
 macros/program/mplayer_macros.te     |   45 ++++++++++++++++++++---------
 net_contexts                         |    4 --
 targeted/domains/unconfined.te       |    5 +++
 tunables/distro.tun                  |    2 -
 tunables/tunable.tun                 |    4 +-
 types/network.te                     |    1 
 36 files changed, 161 insertions(+), 96 deletions(-)

Index: policy-20050502.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050502.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20050502.patch	10 May 2005 14:53:38 -0000	1.9
+++ policy-20050502.patch	11 May 2005 12:25:14 -0000	1.10
@@ -131,10 +131,26 @@
  }
  ') dnl targeted policy
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.15/domains/program/unused/auditd.te
+--- nsapolicy/domains/program/unused/auditd.te	2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.15/domains/program/unused/auditd.te	2005-05-11 06:41:18.000000000 -0400
+@@ -57,3 +57,4 @@
+ allow auditd_t self:process setsched;
+ dontaudit auditctl_t init_t:fd use; 
+ allow auditctl_t initrc_devpts_t:chr_file { read write };
++allow auditd_t self:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.15/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.15/domains/program/unused/cups.te	2005-05-10 10:24:23.000000000 -0400
-@@ -202,6 +202,7 @@
++++ policy-1.23.15/domains/program/unused/cups.te	2005-05-10 13:59:30.000000000 -0400
+@@ -11,7 +11,6 @@
+ # cupsd_t is the domain of cupsd.
+ # cupsd_exec_t is the type of the cupsd executable.
+ #
+-type ipp_port_t, port_type, reserved_port_type;
+ daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
+ etcdir_domain(cupsd)
+ type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
+@@ -202,6 +201,7 @@
  rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
  rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
  file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
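Review bot: The removal of `type ipp_port_t, port_type, reserved_port_type;` from cups.te is only safe because the types/network.te hunk later in this patch re-declares it unconditionally, and the net_contexts hunk drops the ifdef(`cups.te') guard around the port 631 portcon lines to match; none of the three places records that dependency, and a later cleanup that moves the declaration back into cups.te would silently break the samba.te `name_connect` rule added in this same commit. A comment next to the new declaration in types/network.te, e.g. `# declared here rather than in cups.te so samba.te can reference ipp_port_t even when cups policy is not built`, would pin the reason. The cups.te section continues outside this hunk, so I cannot see whether cups.te still references ipp_port_t elsewhere; if it does, nothing changes for it since types/ is always loaded before domains/.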
@@ -142,7 +158,7 @@
  
  can_network_tcp(cupsd_config_t)
  can_ypbind(cupsd_config_t)
-@@ -257,5 +258,6 @@
+@@ -257,5 +257,6 @@
  can_unix_connect(cupsd_t, initrc_t)
  allow cupsd_t initrc_t:dbus send_msg;
  allow initrc_t cupsd_t:dbus send_msg;
@@ -204,6 +220,31 @@
  dontaudit kudzu_t src_t:dir search;
  ifdef(`xserver.te', `
  allow kudzu_t xserver_exec_t:file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.23.15/domains/program/unused/lvm.te
+--- nsapolicy/domains/program/unused/lvm.te	2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.15/domains/program/unused/lvm.te	2005-05-10 13:51:51.000000000 -0400
+@@ -18,7 +18,6 @@
+ type lvm_metadata_t, file_type, sysadmfile;
+ type lvm_control_t, device_type, dev_fs;
+ etcdir_domain(lvm)
+-allow lvm_t var_t:dir search;
+ lock_domain(lvm)
+ allow lvm_t lvm_lock_t:dir rw_dir_perms;
+ 
+@@ -35,7 +34,7 @@
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+ 
+ r_dir_file(lvm_t, proc_t)
+-allow lvm_t self:file r_file_perms;
++allow lvm_t self:file rw_file_perms;
+ 
+ # Read system variables in /proc/sys
+ read_sysctl(lvm_t)
+@@ -122,3 +121,4 @@
+ 
+ # it has no reason to need this
+ dontaudit lvm_t proc_kcore_t:file getattr;
++allow lvm_t var_t:dir { search getattr };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.15/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-04-27 10:28:51.000000000 -0400
 +++ policy-1.23.15/domains/program/unused/mysqld.te	2005-05-10 10:24:23.000000000 -0400
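Review bot: `allow lvm_t self:file rw_file_perms;` widens lvm_t from read to write on files carrying its own type (in practice its own /proc/<pid> entries) with no comment saying which write is needed, and the hunk gives no hint. A why-comment on that line, e.g. `# lvm writes to its own /proc/self entry (TODO: name the file)`, would let the next reviewer check whether read alone plus a targeted rule would do. The `allow lvm_t var_t:dir { search getattr };` line is simply the earlier `var_t:dir search` rule moved to the end of the file with getattr added, which is fine but worth a word in the commit log since the diffstat shows it as a change of two lines. The mysqld.te section this hunk ends on continues outside the page.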
@@ -216,6 +257,15 @@
  
  allow mysqld_t proc_t:file { getattr read };
  
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.15/domains/program/unused/pamconsole.te
+--- nsapolicy/domains/program/unused/pamconsole.te	2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.15/domains/program/unused/pamconsole.te	2005-05-10 13:32:32.000000000 -0400
+@@ -46,4 +46,5 @@
+ allow pam_console_t xdm_var_run_t:file { getattr read };
+ ')
+ allow initrc_t pam_var_console_t:dir rw_dir_perms;
++allow initrc_t pam_var_console_t:file unlink;
+ allow pam_console_t file_context_t:file { getattr read };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rdisc.te policy-1.23.15/domains/program/unused/rdisc.te
 --- nsapolicy/domains/program/unused/rdisc.te	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.15/domains/program/unused/rdisc.te	2005-05-10 10:24:23.000000000 -0400
@@ -233,6 +283,72 @@
 +can_network_udp(rdisc_t)
 +
 +allow rdisc_t etc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.15/domains/program/unused/samba.te
+--- nsapolicy/domains/program/unused/samba.te	2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.15/domains/program/unused/samba.te	2005-05-10 13:59:03.000000000 -0400
+@@ -46,7 +46,8 @@
+ allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
+ 
+ # Use the network.
+-can_network_server(smbd_t)
++can_network(smbd_t)
++allow smbd_t ipp_port_t:tcp_socket name_connect;
+ 
+ allow smbd_t urandom_device_t:chr_file { getattr read };
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.15/domains/program/unused/xdm.te
+--- nsapolicy/domains/program/unused/xdm.te	2005-05-07 00:41:11.000000000 -0400
++++ policy-1.23.15/domains/program/unused/xdm.te	2005-05-11 06:01:37.000000000 -0400
+@@ -324,11 +324,10 @@
+ 
+ domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
+ #
+-# Poweroff wants to create the /root/poweroff directory when run from xdm
+-# Seems to work without it.
++# Poweroff wants to create the /poweroff file when run from xdm
+ #
+-dontaudit xdm_t root_t:dir { add_name write };
+-dontaudit xdm_t root_t:file create;
++file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
++
+ #
+ # xdm tries to bind to biff_port_t
+ #
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.23.15/file_contexts/program/initrc.fc
+--- nsapolicy/file_contexts/program/initrc.fc	2005-04-14 15:01:54.000000000 -0400
++++ policy-1.23.15/file_contexts/program/initrc.fc	2005-05-11 05:51:10.000000000 -0400
+@@ -38,5 +38,10 @@
+ /etc/nohotplug		--	system_u:object_r:etc_runtime_t
+ ifdef(`distro_redhat', `
+ /halt			--	system_u:object_r:etc_runtime_t
++/fastboot 		--	system_u:object_r:etc_runtime_t
++/fsckoptions 		--	system_u:object_r:etc_runtime_t
++/forcefsck 		--	system_u:object_r:etc_runtime_t
++/poweroff		--	system_u:object_r:etc_runtime_t
+ /\.autofsck		--	system_u:object_r:etc_runtime_t
+ ')
++
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.23.15/file_contexts/program/lvm.fc
+--- nsapolicy/file_contexts/program/lvm.fc	2005-05-02 14:06:56.000000000 -0400
++++ policy-1.23.15/file_contexts/program/lvm.fc	2005-05-10 13:56:13.000000000 -0400
+@@ -65,3 +65,4 @@
+ /sbin/pvs          --      system_u:object_r:lvm_exec_t
+ /sbin/vgs          --      system_u:object_r:lvm_exec_t
+ /sbin/multipathd   --      system_u:object_r:lvm_exec_t
++/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.23.15/file_contexts/program/ntpd.fc
+--- nsapolicy/file_contexts/program/ntpd.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.15/file_contexts/program/ntpd.fc	2005-05-10 13:25:08.000000000 -0400
+@@ -1,7 +1,7 @@
+ /var/lib/ntp(/.*)?			system_u:object_r:ntp_drift_t
+ /etc/ntp/data(/.*)?			system_u:object_r:ntp_drift_t
+-/etc/ntp(d)?\.conf(.sv)?	--	system_u:object_r:net_conf_t
+-/etc/ntp/step-tickers		--	system_u:object_r:net_conf_t
++/etc/ntp(d)?\.conf.*	--	system_u:object_r:net_conf_t
++/etc/ntp/step-tickers.*		--	system_u:object_r:net_conf_t
+ /usr/sbin/ntpd			--	system_u:object_r:ntpd_exec_t
+ /usr/sbin/ntpdate		--	system_u:object_r:ntpdate_exec_t
+ /var/log/ntpstats(/.*)?			system_u:object_r:ntpd_log_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rdisc.fc policy-1.23.15/file_contexts/program/rdisc.fc
 --- nsapolicy/file_contexts/program/rdisc.fc	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.23.15/file_contexts/program/rdisc.fc	2005-05-10 10:24:23.000000000 -0400
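Review bot: Replacing `can_network_server(smbd_t)` with `can_network(smbd_t)` in samba.te gives smbd the full client-side socket permission set, while the changelog only asks for smbd to reach cups; the added `allow smbd_t ipp_port_t:tcp_socket name_connect;` is the line that actually targets the printer port. If this tree's global_macros.te provides a client-only macro (can_network_client or similar), keeping can_network_server and adding only that would keep the grant as narrow as the stated intent. In the xdm.te part of the same hunk, `file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)` replaces two dontaudits with a real create permission, and the updated comment names only /poweroff although the rule applies to any file xdm_t creates directly in /; the comment should say so, e.g. `# xdm creates /poweroff (and any other file it makes in /) as etc_runtime_t`. The initrc.fc hunk adds `/fastboot`, `/fsckoptions` and `/forcefsck` with trailing spaces before the tab, which is harmless to the file_contexts parser but inconsistent with the neighbouring lines.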
@@ -582,7 +698,7 @@
  define(`mplayer_domains', `
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.15/net_contexts
 --- nsapolicy/net_contexts	2005-05-07 00:41:08.000000000 -0400
-+++ policy-1.23.15/net_contexts	2005-05-10 10:24:23.000000000 -0400
++++ policy-1.23.15/net_contexts	2005-05-10 13:59:47.000000000 -0400
 @@ -41,7 +41,7 @@
  portcon tcp 20 system_u:object_r:ftp_data_port_t
  portcon tcp 21 system_u:object_r:ftp_port_t
@@ -592,6 +708,17 @@
  
  portcon tcp 25 system_u:object_r:smtp_port_t
  portcon tcp 465 system_u:object_r:smtp_port_t
+@@ -106,10 +106,8 @@
+ portcon udp 517 system_u:object_r:ktalkd_port_t
+ portcon udp 518 system_u:object_r:ktalkd_port_t
+ ')
+-ifdef(`cups.te', `
+ portcon tcp 631 system_u:object_r:ipp_port_t
+ portcon udp 631 system_u:object_r:ipp_port_t
+-')
+ portcon tcp 88 system_u:object_r:kerberos_port_t
+ portcon udp 88 system_u:object_r:kerberos_port_t
+ portcon tcp 464 system_u:object_r:kerberos_admin_port_t
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.15/targeted/domains/unconfined.te
 --- nsapolicy/targeted/domains/unconfined.te	2005-05-02 14:06:57.000000000 -0400
 +++ policy-1.23.15/targeted/domains/unconfined.te	2005-05-10 10:24:23.000000000 -0400
@@ -637,3 +764,14 @@
  
  # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
  # Otherwise, only staff_r can do so.
+diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.15/types/network.te
+--- nsapolicy/types/network.te	2005-05-02 14:06:57.000000000 -0400
++++ policy-1.23.15/types/network.te	2005-05-10 13:59:57.000000000 -0400
+@@ -30,6 +30,7 @@
+ type nmbd_port_t, port_type, reserved_port_type;
+ type http_cache_port_t, port_type, reserved_port_type;
+ type http_port_t, port_type, reserved_port_type;
++type ipp_port_t, port_type, reserved_port_type;
+ 
+ allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
+ ifdef(`cyrus.te', `define(`use_pop')')


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.303
retrieving revision 1.304
diff -u -r1.303 -r1.304
--- selinux-policy-strict.spec	10 May 2005 14:53:38 -0000	1.303
+++ selinux-policy-strict.spec	11 May 2005 12:25:14 -0000	1.304
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.15
-Release: 3
+Release: 4
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -220,6 +220,11 @@
 exit 0
 
 %changelog
+* Wed May 11 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-4
+- Allow smbd to communicate with cups 
+- fix some net_conf contexts
+- Add a bunch of / files file_context 
+
 * Tue May 10 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-3
 - httpd_suexec_t needs to be able to read user_home_dir_t in targeted policy
 



