rpms/selinux-policy-strict/devel policy-20051021.patch, 1.14, 1.15 selinux-policy-strict.spec, 1.412, 1.413
fedora-cvs-commits at redhat.com
Thu Nov 3 23:18:04 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv14780
Modified Files:
policy-20051021.patch selinux-policy-strict.spec
Log Message:
* Thu Nov 3 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-13
- Add Russell's patch for sendmail
- Fix postfix and cyrus interaction
policy-20051021.patch:
Makefile | 14 -
attrib.te | 18 +
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/fsadm.te | 2
domains/program/ifconfig.te | 2
domains/program/init.te | 2
domains/program/initrc.te | 13 +
domains/program/logrotate.te | 2
domains/program/modutil.te | 8
domains/program/newrole.te | 4
domains/program/restorecon.te | 4
domains/program/setfiles.te | 2
domains/program/ssh.te | 2
domains/program/su.te | 4
domains/program/syslogd.te | 4
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 10 +
domains/program/unused/amanda.te | 21 +-
domains/program/unused/apache.te | 16 +
domains/program/unused/apmd.te | 13 +
domains/program/unused/auditd.te | 6
domains/program/unused/avahi.te | 31 +++
domains/program/unused/bluetooth.te | 57 +++++
domains/program/unused/cups.te | 11 -
domains/program/unused/cyrus.te | 8
domains/program/unused/dbusd.te | 2
domains/program/unused/dhcpc.te | 3
domains/program/unused/dhcpd.te | 3
domains/program/unused/exim.te | 309 +++++++++++++++++++++++++++++++
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 5
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 3
domains/program/unused/mta.te | 5
domains/program/unused/mysqld.te | 6
domains/program/unused/named.te | 17 +
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 15 +
domains/program/unused/ping.te | 2
domains/program/unused/postfix.te | 55 +++--
domains/program/unused/postgresql.te | 11 -
domains/program/unused/pppd.te | 22 +-
domains/program/unused/radius.te | 3
domains/program/unused/rpcd.te | 16 +
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 6
domains/program/unused/saslauthd.te | 1
domains/program/unused/sendmail.te | 50 ++++-
domains/program/unused/snmpd.te | 1
domains/program/unused/spamd.te | 28 --
domains/program/unused/udev.te | 8
domains/program/unused/webalizer.te | 3
domains/program/unused/xdm.te | 2
domains/program/unused/yppasswdd.te | 40 ++++
domains/program/unused/ypserv.te | 8
file_contexts/distros.fc | 1
file_contexts/program/apache.fc | 3
file_contexts/program/avahi.fc | 4
file_contexts/program/backup.fc | 2
file_contexts/program/bluetooth.fc | 2
file_contexts/program/compat.fc | 7
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 5
file_contexts/program/exim.fc | 18 +
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 3
file_contexts/program/kudzu.fc | 2
file_contexts/program/pegasus.fc | 6
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/sendmail.fc | 7
file_contexts/program/squid.fc | 3
file_contexts/program/yppasswdd.fc | 2
file_contexts/types.fc | 4
genfs_contexts | 1
macros/base_user_macros.te | 7
macros/global_macros.te | 25 --
macros/home_macros.te | 9
macros/program/chkpwd_macros.te | 7
macros/program/dbusd_macros.te | 1
macros/program/exim_macros.te | 75 +++++++
macros/program/su_macros.te | 2
macros/program/ypbind_macros.te | 1
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 19 +
man/man8/httpd_selinux.8 | 9
man/man8/rsync_selinux.8 | 12 -
man/man8/samba_selinux.8 | 9
mcs | 194 ++++++-------------
mls | 227 ++++++++--------------
targeted/assert.te | 2
targeted/domains/program/compat.te | 1
targeted/domains/program/sendmail.te | 1
targeted/domains/program/ssh.te | 2
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 8
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/devpts.te | 4
types/file.te | 43 +---
types/network.te | 10 -
types/nfs.te | 1
types/security.te | 2
108 files changed, 1153 insertions(+), 520 deletions(-)
Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20051021.patch,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- policy-20051021.patch 3 Nov 2005 20:03:38 -0000 1.14
+++ policy-20051021.patch 3 Nov 2005 23:18:00 -0000 1.15
@@ -614,6 +614,21 @@
+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cyrus.te policy-1.27.2/domains/program/unused/cyrus.te
+--- nsapolicy/domains/program/unused/cyrus.te 2005-10-21 11:36:15.000000000 -0400
++++ policy-1.27.2/domains/program/unused/cyrus.te 2005-11-03 14:58:55.000000000 -0500
+@@ -50,3 +50,11 @@
+
+ r_dir_file(cyrus_t, cert_t)
+ allow cyrus_t { urandom_device_t random_device_t }:chr_file { read getattr };
++
++ifdef(`postfix.te', `
++allow postfix_master_t cyrus_t:unix_stream_socket connectto;
++allow postfix_master_t var_lib_t:dir search;
++allow postfix_master_t cyrus_var_lib_t:dir search;
++allow postfix_master_t cyrus_var_lib_t:sock_file write;
++')
++
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dbusd.te policy-1.27.2/domains/program/unused/dbusd.te
--- nsapolicy/domains/program/unused/dbusd.te 2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/unused/dbusd.te 2005-10-27 10:26:28.000000000 -0400
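Review bot: The four rules added under `ifdef(`postfix.te'` in cyrus.te give the Postfix master daemon (postfix_master_t, the root-owned supervisor) connectto on cyrus_t's unix socket and write on cyrus_var_lib_t sock_file; if the denial being fixed came from LMTP delivery into Cyrus, the process doing that is the LMTP delivery agent rather than master, and the rules would be narrower on that agent's domain — worth checking which source context the AVC actually showed before leaving them on postfix_master_t. Separately, `allow postfix_master_t var_lib_t:dir search;` is added both here and in the postfix.te hunk of the same patch; the duplicate is harmless to the compiler, but keeping it in postfix.te only leaves the cyrus block holding just the cyrus-specific rules.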
@@ -1064,6 +1079,21 @@
')
allow kudzu_t initrc_t:unix_stream_socket connectto;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.2/domains/program/unused/mta.te
+--- nsapolicy/domains/program/unused/mta.te 2005-10-21 11:36:15.000000000 -0400
++++ policy-1.27.2/domains/program/unused/mta.te 2005-11-03 15:13:19.000000000 -0500
+@@ -38,9 +38,8 @@
+ ', `
+ ifdef(`sendmail.te', `
+ # sendmail has an ugly design, the one process parses input from the user and
+-# then does system things with it.
+-domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+-', `
++# then does system things with it. But the sendmail_launch_t domain works
++# around this.
+ domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)
+ ')
+ allow initrc_t sendmail_exec_t:lnk_file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.27.2/domains/program/unused/mysqld.te
--- nsapolicy/domains/program/unused/mysqld.te 2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/unused/mysqld.te 2005-10-27 10:26:28.000000000 -0400
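Review bot: Dropping the `', `` else-arm of `ifdef(`sendmail.te'` removes the fallback: when sendmail.te is not built, initrc_t executing sendmail_exec_t no longer transitions to system_mail_t at all and stays in initrc_t, whereas before this hunk it did. Since both arms would now contain the same rule, the simpler and safer form is to take the transition out of the ifdef entirely — `domain_auto_trans(initrc_t, sendmail_exec_t, system_mail_t)` unconditionally, with only the explanatory comment left inside the sendmail.te branch. The enclosing ifdef this sits in (the `', `` on the first context line) begins outside the hunk, so whether an outer arm already covers the no-sendmail case cannot be confirmed from here.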
@@ -1232,7 +1262,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.2/domains/program/unused/postfix.te
--- nsapolicy/domains/program/unused/postfix.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/postfix.te 2005-10-31 10:51:39.000000000 -0500
++++ policy-1.27.2/domains/program/unused/postfix.te 2005-11-03 14:58:43.000000000 -0500
@@ -54,6 +54,8 @@
allow postfix_$1_t proc_net_t:dir search;
allow postfix_$1_t proc_net_t:file { getattr read };
@@ -1299,7 +1329,7 @@
can_exec(postfix_master_t, { ls_exec_t sbin_t })
allow postfix_master_t self:fifo_file rw_file_perms;
allow postfix_master_t usr_t:file r_file_perms;
-@@ -124,7 +136,7 @@
+@@ -124,12 +136,13 @@
can_network(postfix_master_t)
allow postfix_master_t port_type:tcp_socket name_connect;
can_ypbind(postfix_master_t)
@@ -1308,7 +1338,13 @@
allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
allow postfix_master_t postfix_prng_t:file getattr;
-@@ -138,14 +150,10 @@
+ allow postfix_master_t privfd:fd use;
+ allow postfix_master_t etc_aliases_t:file rw_file_perms;
++allow postfix_master_t var_lib_t:dir search;
+
+ ifdef(`saslauthd.te',`
+ allow postfix_smtpd_t saslauthd_var_run_t:dir { search getattr };
+@@ -138,14 +151,10 @@
')
create_dir_file(postfix_master_t, postfix_spool_flush_t)
@@ -1323,7 +1359,7 @@
# allow access to deferred queue and allow removing bogus incoming entries
allow postfix_master_t postfix_spool_t:dir create_dir_perms;
allow postfix_master_t postfix_spool_t:file create_file_perms;
-@@ -166,7 +174,6 @@
+@@ -166,7 +175,6 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
@@ -1331,7 +1367,7 @@
allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
# if you have two different mail servers on the same host let them talk via
# SMTP, also if one mail server wants to talk to itself then allow it and let
-@@ -175,7 +182,6 @@
+@@ -175,7 +183,6 @@
can_tcp_connect(postfix_smtp_t, mail_server_domain)
postfix_server_domain(smtpd)
@@ -1339,7 +1375,7 @@
allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
-@@ -199,7 +205,7 @@
+@@ -199,7 +206,7 @@
')
allow postfix_local_t etc_aliases_t:file r_file_perms;
allow postfix_local_t self:fifo_file rw_file_perms;
@@ -1348,7 +1384,7 @@
allow postfix_local_t postfix_spool_t:file rw_file_perms;
# for .forward - maybe we need a new type for it?
allow postfix_local_t postfix_private_t:dir search;
-@@ -207,7 +213,15 @@
+@@ -207,7 +214,15 @@
allow postfix_local_t postfix_master_t:unix_stream_socket connectto;
allow postfix_local_t postfix_public_t:dir search;
allow postfix_local_t postfix_public_t:sock_file write;
@@ -1365,7 +1401,7 @@
define(`postfix_public_domain',`
postfix_server_domain($1)
-@@ -244,6 +258,7 @@
+@@ -244,6 +259,7 @@
allow postfix_postqueue_t postfix_public_t:dir search;
allow postfix_postqueue_t postfix_public_t:fifo_file getattr;
allow postfix_postqueue_t self:udp_socket { create ioctl };
@@ -1373,7 +1409,7 @@
allow postfix_master_t postfix_postqueue_exec_t:file getattr;
domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
allow postfix_postqueue_t initrc_t:process sigchld;
-@@ -274,6 +289,7 @@
+@@ -274,6 +290,7 @@
dontaudit postfix_showq_t net_conf_t:file r_file_perms;
postfix_user_domain(postdrop, `, mta_user_agent')
@@ -1381,7 +1417,7 @@
allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
allow postfix_postdrop_t user_mail_domain:unix_stream_socket rw_socket_perms;
-@@ -287,7 +303,9 @@
+@@ -287,7 +304,9 @@
allow postfix_postdrop_t { crond_t system_crond_t }:fifo_file rw_file_perms;')
# usually it does not need a UDP socket
allow postfix_postdrop_t self:udp_socket create_socket_perms;
@@ -1391,7 +1427,7 @@
postfix_public_domain(pickup)
allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
-@@ -352,5 +370,3 @@
+@@ -352,5 +371,3 @@
dontaudit postfix_map_t var_t:dir search;
can_network_server(postfix_map_t)
allow postfix_map_t port_type:tcp_socket name_connect;
@@ -1618,17 +1654,79 @@
+dontaudit saslauthd_t self:capability setuid;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/sendmail.te policy-1.27.2/domains/program/unused/sendmail.te
--- nsapolicy/domains/program/unused/sendmail.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/sendmail.te 2005-10-27 10:26:28.000000000 -0400
-@@ -13,9 +13,6 @@
++++ policy-1.27.2/domains/program/unused/sendmail.te 2005-11-03 15:15:08.000000000 -0500
+@@ -13,10 +13,47 @@
# daemon started by the init rc scripts.
#
-# etc_mail_t is the type of /etc/mail.
-type etc_mail_t, file_type, sysadmfile, usercanread;
--
- daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
++daemon_base_domain(sendmail_launch)
++
++allow sendmail_launch_t { etc_t proc_t etc_runtime_t self }:file { getattr read };
++allow sendmail_launch_t { bin_t sbin_t etc_t }:lnk_file { getattr read };
++allow sendmail_launch_t { bin_t sbin_t }:dir search;
++can_exec(sendmail_launch_t, { etc_t bin_t sbin_t shell_exec_t })
++access_terminal(sendmail_launch_t, sysadm)
++ifdef(`consoletype.te', `
++domain_auto_trans(sendmail_launch_t, consoletype_exec_t, consoletype_t)
++')
++read_locale(sendmail_launch_t)
++r_dir_file(sendmail_launch_t, etc_mail_t)
++allow sendmail_launch_t self:fifo_file rw_file_perms;
++allow sendmail_launch_t self:capability { chown kill sys_nice };
++allow sendmail_launch_t self:unix_stream_socket create_stream_socket_perms;
++can_ps(sendmail_launch_t, sendmail_t)
++dontaudit sendmail_launch_t domain:dir search;
++allow sendmail_launch_t sendmail_t:process signal;
++ifdef(`distro_redhat', `
++lock_domain(sendmail_launch)
++')
++dontaudit sendmail_launch_t mnt_t:dir search;
++allow sendmail_launch_t devpts_t:dir search;
++
++file_type_auto_trans(sendmail_launch_t, var_run_t, sendmail_var_run_t, file)
++
++daemon_core_rules(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender')
++
++# stuff from daemon_domain and daemon_base_domain because we can not have an
++# automatic transition from initrc_t
++rhgb_domain(sendmail_t)
++read_sysctl(sendmail_t)
++domain_auto_trans(sendmail_launch_t, sendmail_exec_t, sendmail_t)
++allow sendmail_t privfd:fd use;
++allow { sendmail_t sendmail_launch_t } var_t:dir { getattr search };
++var_run_domain(sendmail)
++allow sendmail_t devtty_t:chr_file rw_file_perms;
++dontaudit { sendmail_t sendmail_launch_t } sysadm_home_dir_t:dir search;
++read_locale(sendmail_t)
++allow sendmail_t fs_t:filesystem getattr;
+
+-daemon_domain(sendmail, `, nscd_client_domain, mta_delivery_agent, mail_server_domain, mail_server_sender', nosysadm)
tmp_domain(sendmail)
+ logdir_domain(sendmail)
+@@ -51,11 +88,6 @@
+
+ allow sendmail_t etc_mail_t:dir rw_dir_perms;
+ allow sendmail_t etc_mail_t:file create_file_perms;
+-# for the start script to run make -C /etc/mail
+-allow initrc_t etc_mail_t:dir rw_dir_perms;
+-allow initrc_t etc_mail_t:file create_file_perms;
+-allow system_mail_t initrc_t:fd use;
+-allow system_mail_t initrc_t:fifo_file write;
+
+ # Write to /var/spool/mail and /var/spool/mqueue.
+ allow sendmail_t var_spool_t:dir { getattr search };
+@@ -104,7 +136,7 @@
+ ifdef(`crond.te', `
+ dontaudit system_mail_t system_crond_tmp_t:file append;
+ ')
+-dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
++dontaudit sendmail_t admin_tty_type:chr_file rw_file_perms;
+
+ # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+ allow sendmail_t initrc_var_run_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.2/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/domains/program/unused/snmpd.te 2005-10-27 10:26:28.000000000 -0400
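Review bot: The new sendmail_launch_t domain only gets `r_dir_file(sendmail_launch_t, etc_mail_t)`, yet the same hunk removes the initrc_t rw_dir_perms/create_file_perms rules on etc_mail_t whose own comment said they existed "for the start script to run make -C /etc/mail"; with the init script now labeled sendmail_launch_exec_t and `can_exec(sendmail_launch_t, { etc_t bin_t sbin_t shell_exec_t })` running make inside the launcher domain, that rebuild would be denied at start unless it has moved into something that transitions to sendmail_t. If the script still runs make there, the launcher needs `allow sendmail_launch_t etc_mail_t:dir rw_dir_perms;` and `allow sendmail_launch_t etc_mail_t:file create_file_perms;` — or, better, the rebuild should be confined to its own domain rather than widening the launcher; this needs confirming against the AVCs from a start/stop cycle. Also, changing `dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };` to `rw_file_perms` grants nothing but silences any attempt by sendmail_t to read or write administrator ttys; since sendmail_t parses untrusted network input, I would keep that dontaudit to the permissions actually observed so such probes remain visible in the audit log.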
@@ -2009,14 +2107,28 @@
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
-/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t
+/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/sendmail.fc policy-1.27.2/file_contexts/program/sendmail.fc
+--- nsapolicy/file_contexts/program/sendmail.fc 2005-09-12 16:40:27.000000000 -0400
++++ policy-1.27.2/file_contexts/program/sendmail.fc 2005-11-03 15:14:55.000000000 -0500
+@@ -4,3 +4,10 @@
+ /var/log/mail(/.*)? system_u:object_r:sendmail_log_t
+ /var/run/sendmail\.pid -- system_u:object_r:sendmail_var_run_t
+ /var/run/sm-client\.pid -- system_u:object_r:sendmail_var_run_t
++ifdef(`distro_redhat', `
++/etc/rc.d/init.d/sendmail -- system_u:object_r:sendmail_launch_exec_t
++/var/lock/subsys/sm-client -- system_u:object_r:sendmail_launch_lock_t
++/var/lock/subsys/sendmail -- system_u:object_r:sendmail_launch_lock_t
++', `
++/etc/init.d/sendmail -- system_u:object_r:sendmail_launch_exec_t
++')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/squid.fc policy-1.27.2/file_contexts/program/squid.fc
--- nsapolicy/file_contexts/program/squid.fc 2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.2/file_contexts/program/squid.fc 2005-10-27 10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/squid.fc 2005-11-03 17:28:39.000000000 -0500
@@ -6,3 +6,6 @@
/etc/squid(/.*)? system_u:object_r:squid_conf_t
/var/run/squid\.pid -- system_u:object_r:squid_var_run_t
/usr/share/squid(/.*)? system_u:object_r:squid_conf_t
-+ifdef(`httpd.te', `
++ifdef(`apache.te', `
+/usr/lib/squid/cachemgr.cgi -- system_u:object_r:httpd_exec_t
+')
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/yppasswdd.fc policy-1.27.2/file_contexts/program/yppasswdd.fc
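Review bot: Now that the condition correctly tests `apache.te` and actually fires, `/usr/lib/squid/cachemgr.cgi -- system_u:object_r:httpd_exec_t` labels a CGI with the daemon's own entrypoint type, so when httpd_t executes it the script runs with the full daemon privilege rather than in a CGI domain. Unless running in httpd_t is the intent, the narrower label is a script type, e.g. `system_u:object_r:httpd_sys_script_exec_t`; confirm against how apache.te treats CGI entrypoints before keeping the label. The corrected ifdef itself is right — the policy file is apache.te (see the diffstat), so the previous `httpd.te` test was never true and this rule was dead.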
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.412
retrieving revision 1.413
diff -u -r1.412 -r1.413
--- selinux-policy-strict.spec 3 Nov 2005 18:57:05 -0000 1.412
+++ selinux-policy-strict.spec 3 Nov 2005 23:18:00 -0000 1.413
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.2
-Release: 12
+Release: 13
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -245,6 +245,10 @@
exit 0
%changelog
+* Thu Nov 3 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-13
+- Add Russell's patch for sendmail
+- Fix postfix and cyrus interaction
+
* Thu Nov 3 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-12
- Add Russell patch to allow transition to strict policy
- Allow pegasus to use pam