rpms/selinux-policy-strict/devel booleans, 1.10, 1.11 policy-20050502.patch, 1.9, 1.10 selinux-policy-strict.spec, 1.303, 1.304
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed May 11 12:25:17 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv13481
Modified Files:
booleans policy-20050502.patch selinux-policy-strict.spec
Log Message:
* Wed May 11 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-4
- Allow smbd to communicate with cups
- fix some net_conf contexts
- Add a bunch of / files file_context
Index: booleans
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/booleans,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- booleans 4 Apr 2005 15:41:36 -0000 1.10
+++ booleans 11 May 2005 12:25:14 -0000 1.11
@@ -21,3 +21,4 @@
use_nfs_home_dirs=0
allow_ypbind=0
allow_kerberos=1
+allow_write_xhm=1
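Review bot: `allow_write_xhm=1` switches a newly introduced boolean on by default in the strict policy, but neither the changelog of this commit nor any hunk visible on this page says what access it gates; the diffstat lists macros/base_user_macros.te and macros/global_macros.te as changed, so presumably that is where it is consumed. In strict policy a default of 1 means the extra permission is granted on every install until an administrator turns it off, which is worth a changelog line such as `- Add allow_write_xhm boolean, enabled by default`. If the boolean is meant to be opt-in like `allow_ypbind` two lines above, it should default to 0 instead.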
policy-20050502.patch:
assert.te | 8 -----
attrib.te | 7 ++++
domains/program/initrc.te | 2 -
domains/program/klogd.te | 2 -
domains/program/modutil.te | 1
domains/program/passwd.te | 1
domains/program/syslogd.te | 8 +----
domains/program/unused/amanda.te | 2 -
domains/program/unused/apache.te | 3 -
domains/program/unused/auditd.te | 1
domains/program/unused/cups.te | 5 +--
domains/program/unused/hald.te | 2 -
domains/program/unused/hotplug.te | 4 +-
domains/program/unused/kudzu.te | 3 +
domains/program/unused/lvm.te | 4 +-
domains/program/unused/mysqld.te | 2 -
domains/program/unused/pamconsole.te | 1
domains/program/unused/rdisc.te | 13 ++++++++
domains/program/unused/samba.te | 3 +
domains/program/unused/xdm.te | 7 +---
file_contexts/program/initrc.fc | 5 +++
file_contexts/program/lvm.fc | 1
file_contexts/program/ntpd.fc | 4 +-
file_contexts/program/rdisc.fc | 1
file_contexts/program/traceroute.fc | 1
macros/base_user_macros.te | 9 +++++
macros/global_macros.te | 33 +++++++++++----------
macros/program/gift_macros.te | 6 ++-
macros/program/gpg_agent_macros.te | 3 -
macros/program/mozilla_macros.te | 54 +++++++++++++++++++++--------------
macros/program/mplayer_macros.te | 45 ++++++++++++++++++++---------
net_contexts | 4 --
targeted/domains/unconfined.te | 5 +++
tunables/distro.tun | 2 -
tunables/tunable.tun | 4 +-
types/network.te | 1
36 files changed, 161 insertions(+), 96 deletions(-)
Index: policy-20050502.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050502.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20050502.patch 10 May 2005 14:53:38 -0000 1.9
+++ policy-20050502.patch 11 May 2005 12:25:14 -0000 1.10
@@ -131,10 +131,26 @@
}
') dnl targeted policy
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.15/domains/program/unused/auditd.te
+--- nsapolicy/domains/program/unused/auditd.te 2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.15/domains/program/unused/auditd.te 2005-05-11 06:41:18.000000000 -0400
+@@ -57,3 +57,4 @@
+ allow auditd_t self:process setsched;
+ dontaudit auditctl_t init_t:fd use;
+ allow auditctl_t initrc_devpts_t:chr_file { read write };
++allow auditd_t self:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.15/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.15/domains/program/unused/cups.te 2005-05-10 10:24:23.000000000 -0400
-@@ -202,6 +202,7 @@
++++ policy-1.23.15/domains/program/unused/cups.te 2005-05-10 13:59:30.000000000 -0400
+@@ -11,7 +11,6 @@
+ # cupsd_t is the domain of cupsd.
+ # cupsd_exec_t is the type of the cupsd executable.
+ #
+-type ipp_port_t, port_type, reserved_port_type;
+ daemon_domain(cupsd, `, auth_chkpwd, nscd_client_domain')
+ etcdir_domain(cupsd)
+ type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
+@@ -202,6 +201,7 @@
rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file)
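Review bot: `allow auditd_t self:file { getattr read };` is added to auditd.te without a comment, and `self:file` is easy to misread; the rule covers files carrying auditd_t's own label, which presumably means its /proc/<pid> entries rather than anything on disk. A short comment such as `# read its own /proc/<pid> entries (e.g. status) — confirm which one triggered the denial` would record why the rule exists. The removal of `type ipp_port_t` from cups.te is only safe because the same patch declares it in types/network.te; the two changes must not be split.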
@@ -142,7 +158,7 @@
can_network_tcp(cupsd_config_t)
can_ypbind(cupsd_config_t)
-@@ -257,5 +258,6 @@
+@@ -257,5 +257,6 @@
can_unix_connect(cupsd_t, initrc_t)
allow cupsd_t initrc_t:dbus send_msg;
allow initrc_t cupsd_t:dbus send_msg;
@@ -204,6 +220,31 @@
dontaudit kudzu_t src_t:dir search;
ifdef(`xserver.te', `
allow kudzu_t xserver_exec_t:file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/lvm.te policy-1.23.15/domains/program/unused/lvm.te
+--- nsapolicy/domains/program/unused/lvm.te 2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.15/domains/program/unused/lvm.te 2005-05-10 13:51:51.000000000 -0400
+@@ -18,7 +18,6 @@
+ type lvm_metadata_t, file_type, sysadmfile;
+ type lvm_control_t, device_type, dev_fs;
+ etcdir_domain(lvm)
+-allow lvm_t var_t:dir search;
+ lock_domain(lvm)
+ allow lvm_t lvm_lock_t:dir rw_dir_perms;
+
+@@ -35,7 +34,7 @@
+ allow lvm_t self:unix_dgram_socket create_socket_perms;
+
+ r_dir_file(lvm_t, proc_t)
+-allow lvm_t self:file r_file_perms;
++allow lvm_t self:file rw_file_perms;
+
+ # Read system variables in /proc/sys
+ read_sysctl(lvm_t)
+@@ -122,3 +121,4 @@
+
+ # it has no reason to need this
+ dontaudit lvm_t proc_kcore_t:file getattr;
++allow lvm_t var_t:dir { search getattr };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.15/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-04-27 10:28:51.000000000 -0400
+++ policy-1.23.15/domains/program/unused/mysqld.te 2005-05-10 10:24:23.000000000 -0400
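Review bot: the change from `allow lvm_t self:file r_file_perms;` to `rw_file_perms` widens lvm_t from reading to writing files that carry its own domain label (presumably its own /proc/<pid> entries), and nothing in the hunk records which entry needs to be written or by which tool. A one-line comment above it, e.g. `# multipathd/lvm writes to one of its own /proc/<pid> entries — TODO confirm which`, would let a later reviewer judge whether a narrower rule is enough. The relocated `allow lvm_t var_t:dir { search getattr };` now sits directly under the `# it has no reason to need this` dontaudit comment and reads as if that comment applied to it; moving it above that comment or giving it its own avoids the confusion.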
@@ -216,6 +257,15 @@
allow mysqld_t proc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.15/domains/program/unused/pamconsole.te
+--- nsapolicy/domains/program/unused/pamconsole.te 2005-05-07 00:41:09.000000000 -0400
++++ policy-1.23.15/domains/program/unused/pamconsole.te 2005-05-10 13:32:32.000000000 -0400
+@@ -46,4 +46,5 @@
+ allow pam_console_t xdm_var_run_t:file { getattr read };
+ ')
+ allow initrc_t pam_var_console_t:dir rw_dir_perms;
++allow initrc_t pam_var_console_t:file unlink;
+ allow pam_console_t file_context_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rdisc.te policy-1.23.15/domains/program/unused/rdisc.te
--- nsapolicy/domains/program/unused/rdisc.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.15/domains/program/unused/rdisc.te 2005-05-10 10:24:23.000000000 -0400
@@ -233,6 +283,72 @@
+can_network_udp(rdisc_t)
+
+allow rdisc_t etc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.15/domains/program/unused/samba.te
+--- nsapolicy/domains/program/unused/samba.te 2005-05-02 14:06:54.000000000 -0400
++++ policy-1.23.15/domains/program/unused/samba.te 2005-05-10 13:59:03.000000000 -0400
+@@ -46,7 +46,8 @@
+ allow smbd_t self:capability { setgid setuid sys_resource net_bind_service lease dac_override dac_read_search };
+
+ # Use the network.
+-can_network_server(smbd_t)
++can_network(smbd_t)
++allow smbd_t ipp_port_t:tcp_socket name_connect;
+
+ allow smbd_t urandom_device_t:chr_file { getattr read };
+
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.15/domains/program/unused/xdm.te
+--- nsapolicy/domains/program/unused/xdm.te 2005-05-07 00:41:11.000000000 -0400
++++ policy-1.23.15/domains/program/unused/xdm.te 2005-05-11 06:01:37.000000000 -0400
+@@ -324,11 +324,10 @@
+
+ domain_auto_trans(initrc_t, xserver_exec_t, xdm_xserver_t)
+ #
+-# Poweroff wants to create the /root/poweroff directory when run from xdm
+-# Seems to work without it.
++# Poweroff wants to create the /poweroff file when run from xdm
+ #
+-dontaudit xdm_t root_t:dir { add_name write };
+-dontaudit xdm_t root_t:file create;
++file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)
++
+ #
+ # xdm tries to bind to biff_port_t
+ #
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/initrc.fc policy-1.23.15/file_contexts/program/initrc.fc
+--- nsapolicy/file_contexts/program/initrc.fc 2005-04-14 15:01:54.000000000 -0400
++++ policy-1.23.15/file_contexts/program/initrc.fc 2005-05-11 05:51:10.000000000 -0400
+@@ -38,5 +38,10 @@
+ /etc/nohotplug -- system_u:object_r:etc_runtime_t
+ ifdef(`distro_redhat', `
+ /halt -- system_u:object_r:etc_runtime_t
++/fastboot -- system_u:object_r:etc_runtime_t
++/fsckoptions -- system_u:object_r:etc_runtime_t
++/forcefsck -- system_u:object_r:etc_runtime_t
++/poweroff -- system_u:object_r:etc_runtime_t
+ /\.autofsck -- system_u:object_r:etc_runtime_t
+ ')
++
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/lvm.fc policy-1.23.15/file_contexts/program/lvm.fc
+--- nsapolicy/file_contexts/program/lvm.fc 2005-05-02 14:06:56.000000000 -0400
++++ policy-1.23.15/file_contexts/program/lvm.fc 2005-05-10 13:56:13.000000000 -0400
+@@ -65,3 +65,4 @@
+ /sbin/pvs -- system_u:object_r:lvm_exec_t
+ /sbin/vgs -- system_u:object_r:lvm_exec_t
+ /sbin/multipathd -- system_u:object_r:lvm_exec_t
++/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.23.15/file_contexts/program/ntpd.fc
+--- nsapolicy/file_contexts/program/ntpd.fc 2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.15/file_contexts/program/ntpd.fc 2005-05-10 13:25:08.000000000 -0400
+@@ -1,7 +1,7 @@
+ /var/lib/ntp(/.*)? system_u:object_r:ntp_drift_t
+ /etc/ntp/data(/.*)? system_u:object_r:ntp_drift_t
+-/etc/ntp(d)?\.conf(.sv)? -- system_u:object_r:net_conf_t
+-/etc/ntp/step-tickers -- system_u:object_r:net_conf_t
++/etc/ntp(d)?\.conf.* -- system_u:object_r:net_conf_t
++/etc/ntp/step-tickers.* -- system_u:object_r:net_conf_t
+ /usr/sbin/ntpd -- system_u:object_r:ntpd_exec_t
+ /usr/sbin/ntpdate -- system_u:object_r:ntpdate_exec_t
+ /var/log/ntpstats(/.*)? system_u:object_r:ntpd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rdisc.fc policy-1.23.15/file_contexts/program/rdisc.fc
--- nsapolicy/file_contexts/program/rdisc.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.15/file_contexts/program/rdisc.fc 2005-05-10 10:24:23.000000000 -0400
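Review bot: `file_type_auto_trans(xdm_t, root_t, etc_runtime_t, file)` turns two dontaudit rules into a real grant, and if the macro has its usual shape it gives xdm_t create/write/unlink on every etc_runtime_t file, not only on /poweroff; the initrc.fc hunk in this same patch labels /halt, /fastboot, /fsckoptions, /forcefsck and /poweroff with that type, and /etc/nohotplug already carries it. That lets a compromised display manager influence the next boot (force or skip fsck, set fsck options), which the comment `# Poweroff wants to create the /poweroff file when run from xdm` does not acknowledge; either introduce a dedicated type for /poweroff or state in the comment that the rule deliberately covers all etc_runtime_t flag files. In samba.te the move from `can_network_server(smbd_t)` to `can_network(smbd_t)` presumably grants client-side socket access beyond the explicitly added `allow smbd_t ipp_port_t:tcp_socket name_connect;`; confirm against global_macros.te (also changed in this patch) that the broader macro is really needed for cups. Separately, the new ntpd.fc patterns `/etc/ntp(d)?\.conf.*` and `/etc/ntp/step-tickers.*` match regular files below a directory such as /etc/ntp.conf.d/ as well, because `.*` also matches `/`.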
@@ -582,7 +698,7 @@
define(`mplayer_domains', `
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.15/net_contexts
--- nsapolicy/net_contexts 2005-05-07 00:41:08.000000000 -0400
-+++ policy-1.23.15/net_contexts 2005-05-10 10:24:23.000000000 -0400
++++ policy-1.23.15/net_contexts 2005-05-10 13:59:47.000000000 -0400
@@ -41,7 +41,7 @@
portcon tcp 20 system_u:object_r:ftp_data_port_t
portcon tcp 21 system_u:object_r:ftp_port_t
@@ -592,6 +708,17 @@
portcon tcp 25 system_u:object_r:smtp_port_t
portcon tcp 465 system_u:object_r:smtp_port_t
+@@ -106,10 +106,8 @@
+ portcon udp 517 system_u:object_r:ktalkd_port_t
+ portcon udp 518 system_u:object_r:ktalkd_port_t
+ ')
+-ifdef(`cups.te', `
+ portcon tcp 631 system_u:object_r:ipp_port_t
+ portcon udp 631 system_u:object_r:ipp_port_t
+-')
+ portcon tcp 88 system_u:object_r:kerberos_port_t
+ portcon udp 88 system_u:object_r:kerberos_port_t
+ portcon tcp 464 system_u:object_r:kerberos_admin_port_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.15/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.15/targeted/domains/unconfined.te 2005-05-10 10:24:23.000000000 -0400
@@ -637,3 +764,14 @@
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
+diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.15/types/network.te
+--- nsapolicy/types/network.te 2005-05-02 14:06:57.000000000 -0400
++++ policy-1.23.15/types/network.te 2005-05-10 13:59:57.000000000 -0400
+@@ -30,6 +30,7 @@
+ type nmbd_port_t, port_type, reserved_port_type;
+ type http_cache_port_t, port_type, reserved_port_type;
+ type http_port_t, port_type, reserved_port_type;
++type ipp_port_t, port_type, reserved_port_type;
+
+ allow web_client_domain { http_cache_port_t http_port_t }:tcp_socket name_connect;
+ ifdef(`cyrus.te', `define(`use_pop')')
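Review bot: the `type ipp_port_t, port_type, reserved_port_type;` declaration moved here from cups.te has no comment explaining why it now lives among the HTTP port types, and a reader of types/network.te cannot see that samba.te depends on it. Add `# ipp_port_t is declared here rather than in cups.te so that other domains (e.g. smbd_t) can name_connect to it even when cups.te is not in the build` above the line. The removal of the `ifdef(\`cups.te')` guard around the port 631 portcon lines in net_contexts relies on this declaration being unconditional, so the two hunks must ship together.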
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.303
retrieving revision 1.304
diff -u -r1.303 -r1.304
--- selinux-policy-strict.spec 10 May 2005 14:53:38 -0000 1.303
+++ selinux-policy-strict.spec 11 May 2005 12:25:14 -0000 1.304
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.23.15
-Release: 3
+Release: 4
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -220,6 +220,11 @@
exit 0
%changelog
+* Wed May 11 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-4
+- Allow smbd to communicate with cups
+- fix some net_conf contexts
+- Add a bunch of / files file_context
+
* Tue May 10 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-3
- httpd_suexec_t needs to be able to read user_home_dir_t in targeted policy