rpms/selinux-policy-targeted/devel policy-20050525.patch, NONE, 1.1 .cvsignore, 1.109, 1.110 selinux-policy-targeted.spec, 1.309, 1.310 sources, 1.115, 1.116
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed May 25 15:46:49 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv5810
Modified Files:
.cvsignore selinux-policy-targeted.spec sources
Added Files:
policy-20050525.patch
Log Message:
* Wed May 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.17-1
- Update from NSA
* Merged minor fixes by Petre Rodan to the daemontools, dante,
gpg, kerberos, and ucspi-tcp policies.
* Merged minor fixes by Russell Coker to the bluetooth, crond,
initrc, postfix, and udev policies. Modifies constraints so that
newaliases can be run. Modifies types.fc so that objects in
lost+found directories will not be relabeled.
* Modified fc rules for nvidia.
* Added Chad Sellers policy for polyinstantiation support, which
creates the polydir, polyparent, and polymember attributes. Also
added the support_polyinstantiation tunable.
* Merged patch from Dan Walsh. Includes mount_point attribute,
read_font macros and some other policy fixes from Ivan Gyurdiev.
Adds privkmsg and secadmfile attributes and ddcprobe policy.
Removes the use_syslogng boolean. Many other minor fixes.
policy-20050525.patch:
domains/misc/kernel.te | 4 ++--
domains/program/crond.te | 5 +++++
domains/program/fsadm.te | 3 ++-
domains/program/modutil.te | 4 ++--
domains/program/syslogd.te | 2 ++
domains/program/unused/amanda.te | 8 +++++---
domains/program/unused/auditd.te | 13 ++++++-------
domains/program/unused/automount.te | 4 ++--
domains/program/unused/cups.te | 6 +++---
domains/program/unused/firstboot.te | 7 ++++++-
domains/program/unused/fontconfig.te | 7 +++++++
domains/program/unused/rhgb.te | 2 ++
domains/program/unused/rshd.te | 2 --
domains/program/unused/squid.te | 3 ++-
file_contexts/program/crond.fc | 1 +
file_contexts/program/cups.fc | 1 +
file_contexts/program/fontconfig.fc | 2 ++
file_contexts/program/fsadm.fc | 1 +
file_contexts/types.fc | 3 ++-
macros/base_user_macros.te | 2 ++
macros/program/chkpwd_macros.te | 1 +
macros/program/fontconfig_macros.te | 24 ++++++++++++++++++++++++
macros/program/gift_macros.te | 1 +
macros/program/java_macros.te | 3 ---
macros/user_macros.te | 6 ++++++
targeted/domains/program/crond.te | 2 +-
tunables/distro.tun | 2 +-
tunables/tunable.tun | 4 ++--
types/file.te | 1 -
29 files changed, 91 insertions(+), 33 deletions(-)
--- NEW FILE policy-20050525.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.23.16/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-05-07 00:41:08.000000000 -0400
+++ policy-1.23.16/domains/misc/kernel.te 2005-05-24 11:50:19.000000000 -0400
@@ -22,8 +22,8 @@
# Use capabilities.
allow kernel_t self:capability *;
-allow kernel_t sysfs_t:dir search;
-allow kernel_t { usbfs_t usbdevfs_t sysfs_t }:dir search;
+r_dir_file(kernel_t, sysfs_t)
+allow kernel_t { usbfs_t usbdevfs_t }:dir search;
# Run init in the init_t domain.
domain_auto_trans(kernel_t, init_exec_t, init_t)
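Review bot: The widening from `dir search` to `r_dir_file(kernel_t, sysfs_t)` has no comment saying which kernel thread needs to read sysfs files rather than merely traverse the directory tree. The surrounding rules each carry a one-line purpose comment, so this one should too, e.g. `# kernel threads read sysfs attributes (<name the trigger>)`. The usbfs/usbdevfs rule is kept at `dir search`, which makes the asymmetry look intentional but unexplained.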
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.23.16/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/crond.te 2005-05-23 16:45:33.000000000 -0400
@@ -43,6 +43,8 @@
read_locale(crond_t)
+log_domain(crond)
+
# Use capabilities.
allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
dontaudit crond_t self:capability sys_resource;
@@ -101,6 +103,9 @@
# Still need to study anacron.
domain_auto_trans(initrc_t, anacron_exec_t, system_crond_t)
+# Access log files
+file_type_auto_trans(system_crond_t, var_log_t, crond_log_t, file)
+
# Inherit and use descriptors from init for anacron.
allow system_crond_t init_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.16/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/fsadm.te 2005-05-24 11:38:39.000000000 -0400
@@ -47,8 +47,9 @@
type fsadm_exec_t, file_type, sysadmfile, exec_type;
domain_auto_trans(initrc_t, fsadm_exec_t, fsadm_t)
+ifdef(`targeted_policy', `', `
domain_auto_trans(sysadm_t, fsadm_exec_t, fsadm_t)
-
+')
tmp_domain(fsadm)
# remount file system to apply changes
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.16/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/modutil.te 2005-05-25 10:53:30.000000000 -0400
@@ -138,8 +138,8 @@
allow insmod_t fs_t:filesystem getattr;
allow insmod_t sysfs_t:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:dir search;
-allow insmod_t { usbfs_t usbdevfs_t }:filesystem mount;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:dir search;
+allow insmod_t { usbfs_t usbdevfs_t debugfs_t }:filesystem mount;
# Rules for /proc/sys/kernel/tainted
read_sysctl(insmod_t)
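Review bot: `filesystem mount` on `debugfs_t` for insmod_t is added without a comment, and the only nearby comment (`# Rules for /proc/sys/kernel/tainted`) belongs to the rule below it. debugfs exposes kernel debugging interfaces, so the reason module loading has to mount it should be stated in the policy, e.g. `# insmod mounts debugfs for <module/tool that needs it>`. The spec changelog hunk at L551 says only "Add debugfs for insmod", which does not record the trigger.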
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.16/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/syslogd.te 2005-05-23 16:45:33.000000000 -0400
@@ -64,6 +64,8 @@
allow privlog devlog_t:lnk_file read;
ifdef(`crond.te', `
+# Write to the cron log.
+allow syslogd_t crond_log_t:file rw_file_perms;
# for daemon re-start
allow system_crond_t syslogd_t:lnk_file read;
')
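Review bot: `rw_file_perms` grants read on crond_log_t while the comment above it says only `# Write to the cron log.`; if syslogd opens /var/log/cron with O_APPEND, `allow syslogd_t crond_log_t:file { getattr append };` matches the comment and is narrower. It is also worth confirming that syslogd never has to create /var/log/cron itself (for example after rotation removes it), since this rule carries no `create` and the parent directory is var_log_t; syslogd's var_log_t rules are outside the hunk. The enclosing `ifdef(`crond.te'` block starts before the hunk.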
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.16/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/amanda.te 2005-05-25 11:18:18.000000000 -0400
@@ -31,7 +31,7 @@
# General declarations
######################
-type amanda_t, domain, privlog, auth, nscd_client_domain ;
+type amanda_t, domain, privlog, auth, nscd_client_domain;
role system_r types amanda_t;
# type for the amanda executables
@@ -157,7 +157,7 @@
allow amanda_t bin_t:file { execute execute_no_trans };
allow amanda_t self:capability { chown dac_override setuid };
-allow amanda_t self:process { fork sigchld };
+allow amanda_t self:process { fork sigchld setpgid signal };
allow amanda_t self:unix_dgram_socket create;
@@ -234,7 +234,7 @@
uses_shlib(amanda_recover_t)
allow amanda_recover_t self:process { fork sigkill sigstop sigchld signal };
-allow amanda_recover_t self:capability { fowner fsetid setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
allow amanda_recover_t shell_exec_t:file { execute execute_no_trans getattr read };
allow amanda_recover_t privfd:fd use;
@@ -304,6 +304,8 @@
allow amanda_t file_type:dir {getattr read search };
allow amanda_t file_type:{ lnk_file file chr_file blk_file } {getattr read };
allow amanda_t device_type:{ blk_file chr_file } getattr;
+domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)
+
dontaudit amanda_t file_type:sock_file getattr;
logdir_domain(amanda)
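Review bot: `domain_auto_trans(amanda_t, fsadm_exec_t, fsadm_t)` gives amanda a transition into the full filesystem-admin domain for every fsadm_exec_t binary, not only the `/sbin/dump` that the fsadm.fc hunk (L342) labels in this same patch. fsadm_t already covers the mkfs/fdisk/tune2fs tools, so a misbehaving or compromised amanda_t that executes any of them runs them with fsadm_t's privileges. If dump is the only reason, the minimum is a comment `# amanda runs /sbin/dump, labeled fsadm_exec_t` above the rule, and a dedicated type for dump would keep the amanda-to-fsadm path narrower.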
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.16/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/auditd.te 2005-05-23 16:45:33.000000000 -0400
@@ -15,6 +15,8 @@
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice };
+allow auditd_t self:process setsched;
+allow auditd_t self:file { getattr read };
allow auditd_t etc_t:file { getattr read };
# Do not use logdir_domain since this is a security file
@@ -35,15 +37,17 @@
type auditd_etc_t, file_type, secure_file_type;
allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
+allow initrc_t auditd_etc_t:file r_file_perms;
role secadm_r types auditctl_t;
role sysadm_r types auditctl_t;
audit_manager_domain(secadm_t)
+ifdef(`targeted_policy', `', `
ifdef(`separate_secadm', `', `
audit_manager_domain(sysadm_t)
+')
')
-allow initrc_t auditd_etc_t:file r_file_perms;
role system_r types auditctl_t;
domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
@@ -52,11 +56,6 @@
allow auditctl_t proc_t:dir search;
allow auditctl_t sysctl_kernel_t:dir search;
allow auditctl_t sysctl_kernel_t:file { getattr read };
-allow auditd_t self:process setsched;
dontaudit auditctl_t init_t:fd use;
-allow auditctl_t privfd:fd use;
allow auditctl_t initrc_devpts_t:chr_file { read write };
-allow auditd_t self:file { getattr read };
-ifdef(`rpm.te', `
-allow auditctl_t rpm_script_t:fd use;
-')
+allow auditctl_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/automount.te policy-1.23.16/domains/program/unused/automount.te
--- nsapolicy/domains/program/unused/automount.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/automount.te 2005-05-25 10:54:47.000000000 -0400
@@ -68,8 +68,8 @@
can_exec(initrc_t, automount_etc_t)
-# Need something like the following
-# file_type_auto_trans(automount_t, file_type, automount_tmp_t, dir)
+# Allow automount to create and delete directories in / and /home
+file_type_auto_trans(automount_t, { root_t home_root_t }, automount_tmp_t, dir)
allow automount_t var_lib_t:dir search;
allow automount_t var_lib_nfs_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.16/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-05-25 11:28:09.000000000 -0400
+++ policy-1.23.16/domains/program/unused/cups.te 2005-05-23 17:03:34.000000000 -0400
@@ -16,7 +16,6 @@
type cupsd_rw_etc_t, file_type, sysadmfile, usercanread;
can_network(cupsd_t)
-can_ypbind(cupsd_t)
allow cupsd_t port_type:tcp_socket name_connect;
logdir_domain(cupsd)
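Review bot: `can_ypbind(cupsd_t)` is removed here and `can_ypbind(rshd_t)` at L290, while `can_ypbind(auth_chkpwd)` is added at L377. That is consistent only if these daemons never resolve users through NIS in-process (getpwnam via nsswitch) and rely on the chkpwd helper or nscd instead; cupsd's `nscd_client_domain` status is outside the hunk, so confirm before shipping, because a missing NIS port rule surfaces as a silent authentication failure on NIS sites. A comment on the chkpwd line stating that NIS lookups are centralised there would explain all three changes.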
@@ -148,12 +147,12 @@
etcdir_domain(ptal)
file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
-allow ptal_t self:capability chown;
+allow ptal_t self:capability { chown sys_rawio };
allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
allow ptal_t self:unix_stream_socket { listen accept };
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
-allow ptal_t printer_device_t:chr_file { ioctl read write };
+allow ptal_t printer_device_t:chr_file rw_file_perms;
allow initrc_t printer_device_t:chr_file getattr;
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
r_dir_file(ptal_t, usbdevfs_t)
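Review bot: `sys_rawio` is granted to ptal_t without a comment; CAP_SYS_RAWIO permits raw I/O-port access (ioperm/iopl) and lets a process step around device-file controls entirely, so it should never be added silently. Presumably ptal needs it to drive the parallel port directly; state that above the rule, e.g. `# sys_rawio: <reason, e.g. direct parallel-port I/O>`. Also confirm that widening `printer_device_t` from `{ ioctl read write }` to `rw_file_perms` (adds getattr/lock/append) is needed rather than a side effect of reaching for the macro.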
@@ -181,6 +180,7 @@
daemon_domain(cupsd_config)
allow cupsd_config_t devpts_t:dir search;
+allow cupsd_config_t devpts_t:chr_file { getattr ioctl };
ifdef(`distro_redhat', `
ifdef(`rpm.te', `
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/firstboot.te policy-1.23.16/domains/program/unused/firstboot.te
--- nsapolicy/domains/program/unused/firstboot.te 2005-04-27 10:28:50.000000000 -0400
+++ policy-1.23.16/domains/program/unused/firstboot.te 2005-05-23 16:45:33.000000000 -0400
@@ -10,7 +10,7 @@
#
# firstboot_exec_t is the type of the firstboot executable.
#
-application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privlog, privowner, privmodule, sysctl_kernel_writer')
+application_domain(firstboot,`, admin, etc_writer, fs_domain, privmem, auth_write, privowner, privmodule, privuser, sysctl_kernel_writer')
type firstboot_rw_t, file_type, sysadmfile;
role system_r types firstboot_t;
@@ -29,8 +29,10 @@
file_type_auto_trans(firstboot_t, etc_t, firstboot_rw_t, file)
can_exec_any(firstboot_t)
+ifdef(`useradd.te',`
domain_auto_trans(firstboot_t, useradd_exec_t, useradd_t)
domain_auto_trans(firstboot_t, groupadd_exec_t, groupadd_t)
+')
allow firstboot_t etc_runtime_t:file { getattr read };
r_dir_file(firstboot_t, etc_t)
@@ -130,4 +132,7 @@
# The big hammer
#
unconfined_domain(firstboot_t)
+ifdef(`targeted_policy', `
+allow firstboot_t unconfined_t:process transition;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/fontconfig.te policy-1.23.16/domains/program/unused/fontconfig.te
--- nsapolicy/domains/program/unused/fontconfig.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/domains/program/unused/fontconfig.te 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1,7 @@
+#
+# Fontconfig related types
+#
+# Author: Ivan Gyurdiev <ivg2 at cornell.edu>
+#
+
+# Look in fontconfig_macros.te
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rhgb.te policy-1.23.16/domains/program/unused/rhgb.te
--- nsapolicy/domains/program/unused/rhgb.te 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.16/domains/program/unused/rhgb.te 2005-05-25 11:22:37.000000000 -0400
@@ -43,6 +43,8 @@
allow rhgb_t port_type:tcp_socket name_connect;
can_ypbind(rhgb_t)
+allow rhgb_t usr_t:{ file lnk_file } { getattr read };
+
# for running setxkbmap
r_dir_file(rhgb_t, xkb_var_lib_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rshd.te policy-1.23.16/domains/program/unused/rshd.te
--- nsapolicy/domains/program/unused/rshd.te 2005-04-27 10:28:52.000000000 -0400
+++ policy-1.23.16/domains/program/unused/rshd.te 2005-05-23 17:04:20.000000000 -0400
@@ -25,8 +25,6 @@
can_network_server(rshd_t)
allow rshd_t rsh_port_t:tcp_socket name_bind;
-can_ypbind(rshd_t)
-
allow rshd_t etc_t:file { getattr read };
read_locale(rshd_t)
allow rshd_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.16/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-05-02 14:06:54.000000000 -0400
+++ policy-1.23.16/domains/program/unused/squid.te 2005-05-24 20:04:03.000000000 -0400
@@ -28,7 +28,7 @@
# type for /var/cache/squid
type squid_cache_t, file_type, sysadmfile;
-allow squid_t self:capability { setgid setuid net_bind_service };
+allow squid_t self:capability { setgid setuid net_bind_service dac_override };
allow squid_t { etc_t etc_runtime_t }:file r_file_perms;
allow squid_t etc_t:lnk_file read;
allow squid_t self:unix_stream_socket create_socket_perms;
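Review bot: `dac_override` is added to squid_t's capability set with no comment naming the file or directory squid cannot otherwise reach. CAP_DAC_OVERRIDE bypasses owner/mode checks on every object squid_t's type rules already allow, so it is worth checking whether the triggering access is read-only (then `dac_read_search` suffices) or whether fixing ownership of the cache or log directory avoids the capability altogether. Add `# dac_override: <path squid needs it for>` above the rule either way.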
@@ -76,3 +76,4 @@
#squid requires the following when run in diskd mode, the recommended setting
allow squid_t tmpfs_t:file { read write };
+r_dir_file(squid_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/crond.fc policy-1.23.16/file_contexts/program/crond.fc
--- nsapolicy/file_contexts/program/crond.fc 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.16/file_contexts/program/crond.fc 2005-05-16 11:35:33.000000000 -0400
@@ -9,6 +9,7 @@
/var/spool/cron/crontabs/root -- system_u:object_r:sysadm_cron_spool_t
/var/spool/cron/root -- system_u:object_r:sysadm_cron_spool_t
/var/spool/cron/[^/]* -- <<none>>
+/var/log/cron.* -- system_u:object_r:crond_log_t
/var/run/crond\.reboot -- system_u:object_r:crond_var_run_t
/var/run/crond?\.pid -- system_u:object_r:crond_var_run_t
# fcron
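Review bot: `/var/log/cron.*` uses an unescaped `.`, so it also matches `/var/log/cronX...` and any regular file whose name merely starts with `cron`; the neighbouring entries escape the dot (`crond\.reboot`, `crond?\.pid`). `/var/log/cron(\.[^/]*)? -- system_u:object_r:crond_log_t` labels the log and its rotated copies without the spill-over.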
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/cups.fc policy-1.23.16/file_contexts/program/cups.fc
--- nsapolicy/file_contexts/program/cups.fc 2005-05-07 00:41:12.000000000 -0400
+++ policy-1.23.16/file_contexts/program/cups.fc 2005-05-23 16:45:33.000000000 -0400
@@ -35,3 +35,4 @@
/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
/usr/share/foomatic/db/oldprinterids -- system_u:object_r:cupsd_rw_etc_t
+/var/cache/foomatic(/.*)? -- system_u:object_r:cupsd_rw_etc_t
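Review bot: `/var/cache/foomatic(/.*)? -- ...` combines a directory-tree pattern with the `--` regular-file restriction, so `/var/cache/foomatic` itself and any subdirectory keep their default label and only the files inside become cupsd_rw_etc_t; the ptal entries at L325-L326 use `(/.*)?` without `--` for that reason. Drop the `--` (or add a second entry for the directory) so the tree is labeled consistently; otherwise cupsd's create/rename in the cache directory is checked against the parent's default type.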
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fontconfig.fc policy-1.23.16/file_contexts/program/fontconfig.fc
--- nsapolicy/file_contexts/program/fontconfig.fc 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/file_contexts/program/fontconfig.fc 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1,2 @@
+HOME_DIR/\.fonts(/.*)? system_u:object_r:ROLE_fonts_t
+HOME_DIR/\.fonts.cache-1 -- system_u:object_r:ROLE_fonts_cache_t
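Review bot: `HOME_DIR/\.fonts.cache-1` escapes the first dot but not the second, so a name such as `.fontsXcache-1` also matches; write `HOME_DIR/\.fonts\.cache-1 -- system_u:object_r:ROLE_fonts_cache_t`. The first entry is fine: `\.fonts(/.*)?` is anchored, so it does not swallow the cache file.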
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/fsadm.fc policy-1.23.16/file_contexts/program/fsadm.fc
--- nsapolicy/file_contexts/program/fsadm.fc 2005-04-14 15:01:54.000000000 -0400
+++ policy-1.23.16/file_contexts/program/fsadm.fc 2005-05-25 11:16:51.000000000 -0400
@@ -19,6 +19,7 @@
/sbin/parted -- system_u:object_r:fsadm_exec_t
/sbin/tune2fs -- system_u:object_r:fsadm_exec_t
/sbin/dumpe2fs -- system_u:object_r:fsadm_exec_t
+/sbin/dump -- system_u:object_r:fsadm_exec_t
/sbin/swapon.* -- system_u:object_r:fsadm_exec_t
/sbin/hdparm -- system_u:object_r:fsadm_exec_t
/sbin/raidstart -- system_u:object_r:fsadm_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.16/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.16/file_contexts/types.fc 2005-05-23 16:45:33.000000000 -0400
@@ -356,10 +356,11 @@
/usr/share(/.*)?/lib(64)?(/.*)? system_u:object_r:usr_t
# nvidia share libraries
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
+/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
+/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
-/usr/lib(64)?/(tls/)?libnvidia-tls\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
# libGL
/usr/X11R6/lib/libGL\.so.* -- system_u:object_r:texrel_shlib_t
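Review bot: `/usr(/.*)?/nvidia/.*\.so(\..*)?` gives texrel_shlib_t to every `.so` under any directory named `nvidia` anywhere below /usr, and its `(\..*)?` tail differs from the `(\.[^/]*)*` used on the line after it. texrel_shlib_t permits text relocations (execmod), so the pattern should be as narrow as the driver layout requires; `/usr/lib(64)?(/.*)?/nvidia/.*\.so(\.[^/]*)*` would be consistent with the new libnvidia line if the X11R6 module path is already covered elsewhere, otherwise list the concrete directories. A comment naming the driver package layout these two entries were written against would help the next relabel.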
diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.16/macros/base_user_macros.te
--- nsapolicy/macros/base_user_macros.te 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.16/macros/base_user_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -198,6 +198,8 @@
ifdef(`mplayer.te', `mplayer_domains($1)')
ifdef(`gift.te', `gift_domains($1)')
+fontconfig_domain($1)
+
# Instantiate a derived domain for user cron jobs.
ifdef(`crond.te', `crond_domain($1)')
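Review bot: `fontconfig_domain($1)` is called unconditionally while the surrounding entries are guarded (`ifdef(`mplayer.te'`, `ifdef(`gift.te'`, `ifdef(`crond.te'`). The macro lives in macros/program/fontconfig_macros.te, which this patch adds, so it resolves, but the matching file_contexts/program/fontconfig.fc presumably installs only when domains/program/unused/fontconfig.te is enabled; if so, the per-role fonts types get declared even where nothing can label files with them. Either guard the call as `ifdef(`fontconfig.te', `fontconfig_domain($1)')` to match its neighbours, or add a comment stating that the types are intentionally always present.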
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.23.16/macros/program/chkpwd_macros.te
--- nsapolicy/macros/program/chkpwd_macros.te 2005-05-02 14:06:57.000000000 -0400
+++ policy-1.23.16/macros/program/chkpwd_macros.te 2005-05-23 17:02:21.000000000 -0400
@@ -34,6 +34,7 @@
allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
dontaudit auth_chkpwd shadow_t:file { getattr read };
+can_ypbind(auth_chkpwd)
', `
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
allow $1_t sbin_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/fontconfig_macros.te policy-1.23.16/macros/program/fontconfig_macros.te
--- nsapolicy/macros/program/fontconfig_macros.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.23.16/macros/program/fontconfig_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -0,0 +1,24 @@
+#
+# Fontconfig related types
+#
+# Author: Ivan Gyurdiev <ivg2 at cornell.edu>
+#
+# fontconfig_domain(role_prefix) - create fontconfig domain
+#
+# read_fonts(domain, role_prefix) -
+# allow domain to read fonts, optionally per/user
+#
+# dontaudit_home_fonts(domain, role_prefix) -
+# block the denials of home fonts - hack for X
+
+define(`fontconfig_domain', `
+
+type $1_fonts_t, file_type, $1_file_type, sysadmfile, customizable;
+type $1_fonts_cache_t, file_type, $1_file_type, sysadmfile;
+
+allow $1_t $1_fonts_cache_t:file create_file_perms;
+create_dir_file($1_t, $1_fonts_t)
+
+') dnl gnome_domain
+
+
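Review bot: The closing `') dnl gnome_domain` on the new macro names the wrong macro (it reads like a copy-paste from a gnome macro file); it should be `') dnl fontconfig_domain`. The header comment also documents `read_fonts` and `dontaudit_home_fonts`, but only `fontconfig_domain` is defined in this file; either the other two live elsewhere (the log mentions read_font macros merged from NSA, so say where) or the comment is ahead of the code. The two trailing blank lines after the closing quote can go.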
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.16/macros/program/gift_macros.te
--- nsapolicy/macros/program/gift_macros.te 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.16/macros/program/gift_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -56,6 +56,7 @@
allow $1_gift_t etc_runtime_t:file { getattr read };
# Tmp/ORBit
+tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/java_macros.te policy-1.23.16/macros/program/java_macros.te
--- nsapolicy/macros/program/java_macros.te 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.16/macros/program/java_macros.te 2005-05-23 16:45:33.000000000 -0400
@@ -92,7 +92,4 @@
dontaudit $1_javaplugin_t tmpfs_t:file { execute read write };
dontaudit $1_javaplugin_t $1_home_t:file { execute setattr };
-# Do not audit read/getattr of .fonts-cache-1
-dontaudit $1_javaplugin_t $1_home_t:file { read getattr };
-
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/user_macros.te policy-1.23.16/macros/user_macros.te
--- nsapolicy/macros/user_macros.te 2005-05-25 11:28:10.000000000 -0400
+++ policy-1.23.16/macros/user_macros.te 2005-05-25 10:57:10.000000000 -0400
@@ -172,6 +172,12 @@
attribute $1_file_type;
+ifdef(`useradd.te', `
+# Useradd relabels /etc/skel files so needs these privs
+allow useradd_t $1_file_type:dir create_dir_perms;
+allow useradd_t $1_file_type:notdevfile_class_set create_file_perms;
+')
+
can_exec($1_t, usr_t)
# Read directories and files with the readable_t type.
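Review bot: The two new rules give useradd_t `create_dir_perms` and `create_file_perms` on every `$1_file_type` for every user role, but the comment says the need is relabeling /etc/skel files copied into a new home directory. That is broader than relabeling: useradd_t can then create, write and delete any object carrying any of the role's types (home contents, the new fonts types, and so on). If relabeling is the actual requirement, `relabelfrom relabelto` on the home types plus create on `$1_home_t` would fit the comment; otherwise reword the comment to say useradd populates home directories. The enclosing macro body continues outside the hunk on both sides.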
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/crond.te policy-1.23.16/targeted/domains/program/crond.te
--- nsapolicy/targeted/domains/program/crond.te 2005-05-02 07:37:54.000000000 -0400
+++ policy-1.23.16/targeted/domains/program/crond.te 2005-05-24 08:21:57.000000000 -0400
@@ -14,7 +14,7 @@
type crond_t, domain, privuser, privrole, privowner;
typealias crond_t alias system_crond_t;
type anacron_exec_t, file_type, sysadmfile, exec_type;
-type system_crond_tmp_t, file_type, sysadmfile;
+type system_crond_tmp_t, file_type, tmpfile, sysadmfile;
type system_cron_spool_t, file_type, sysadmfile;
type sysadm_cron_spool_t, file_type, sysadmfile;
type crond_log_t, file_type, sysadmfile;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.16/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-02-24 14:51:09.000000000 -0500
+++ policy-1.23.16/tunables/distro.tun 2005-05-23 16:45:33.000000000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.16/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.16/tunables/tunable.tun 2005-05-23 16:45:33.000000000 -0400
@@ -2,7 +2,7 @@
dnl define(`user_can_mount')
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
@@ -20,7 +20,7 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
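Review bot: Enabling `hide_broken_symptoms` turns a set of known denials into dontaudit rules policy-wide, which removes those events from the audit log; that is deliberate noise reduction, but it also hides exactly the denials an operator would use to notice a misbehaving or compromised confined daemon. A comment in the patch recording that this is the Fedora default and how to turn auditing back on when debugging policy would help. Likewise `unlimitedRPM` at L469 runs rpm unconfined, which is the documented Fedora choice but means rpm scriptlets run outside policy control.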
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.16/types/file.te
--- nsapolicy/types/file.te 2005-05-25 11:28:11.000000000 -0400
+++ policy-1.23.16/types/file.te 2005-05-23 16:45:33.000000000 -0400
@@ -188,7 +188,6 @@
#
type var_run_t, file_type, sysadmfile;
type var_log_t, file_type, sysadmfile, logfile;
-typealias var_log_t alias crond_log_t;
type faillog_t, file_type, sysadmfile, logfile;
type var_lock_t, file_type, sysadmfile, lockfile;
type var_lib_t, mount_point, file_type, sysadmfile;
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/.cvsignore,v
retrieving revision 1.109
retrieving revision 1.110
diff -u -r1.109 -r1.110
--- .cvsignore 17 May 2005 11:25:18 -0000 1.109
+++ .cvsignore 25 May 2005 15:46:46 -0000 1.110
@@ -74,3 +74,4 @@
policy-1.23.14.tgz
policy-1.23.15.tgz
policy-1.23.16.tgz
+policy-1.23.17.tgz
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.309
retrieving revision 1.310
diff -u -r1.309 -r1.310
--- selinux-policy-targeted.spec 25 May 2005 15:27:54 -0000 1.309
+++ selinux-policy-targeted.spec 25 May 2005 15:46:46 -0000 1.310
@@ -10,15 +10,15 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
-Version: 1.23.16
-Release: 8
+Version: 1.23.17
+Release: 1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
Source1: booleans
Prefix: %{_prefix}
BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050516.patch
+Patch: policy-20050525.patch
Patch1: policy-%{type}.patch
BuildArch: noarch
@@ -234,6 +234,24 @@
exit 0
%changelog
+* Wed May 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.17-1
+- Update from NSA
+ * Merged minor fixes by Petre Rodan to the daemontools, dante,
+ gpg, kerberos, and ucspi-tcp policies.
+ * Merged minor fixes by Russell Coker to the bluetooth, crond,
+ initrc, postfix, and udev policies. Modifies constraints so that
+ newaliases can be run. Modifies types.fc so that objects in
+ lost+found directories will not be relabled.
+ * Modified fc rules for nvidia.
+ * Added Chad Sellers policy for polyinstantiation support, which
+ creates the polydir, polyparent, and polymember attributes. Also
+ added the support_polyinstantiation tunable.
+ * Merged patch from Dan Walsh. Includes mount_point attribute,
+ read_font macros and some other policy fixes from Ivan Gyurdiev.
+ Adds privkmsg and secadmfile attributes and ddcprobe policy.
+ Removes the use_syslogng boolean. Many other minor fixes.
+
+
* Wed May 25 2005 Dan Walsh <dwalsh at redhat.com> 1.23.16-8
- Fixes for amanda
- Add debugfs for insmod
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/sources,v
retrieving revision 1.115
retrieving revision 1.116
diff -u -r1.115 -r1.116
--- sources 17 May 2005 11:25:18 -0000 1.115
+++ sources 25 May 2005 15:46:46 -0000 1.116
@@ -1 +1 @@
-2249f7d4895de02d8abf9d33103148eb policy-1.23.16.tgz
+6f4a8a6cd4eb487ff7f3a2d334fa4478 policy-1.23.17.tgz