rpms/selinux-policy-mls/devel policy-20051021.patch, 1.21, 1.22 policy-mls.patch, 1.7, 1.8 selinux-policy-mls.spec, 1.121, 1.122
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Nov 16 19:25:08 UTC 2005
- Previous message (by thread): rpms/selinux-policy-targeted/devel Makefile, 1.2, 1.3 policy-20051021.patch, 1.21, 1.22 selinux-policy-targeted.spec, 1.414, 1.415 sources, 1.126, 1.127
- Next message (by thread): rpms/selinux-policy-strict/devel policy-20051021.patch, 1.23, 1.24 selinux-policy-strict.spec, 1.421, 1.422
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-mls/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv32606
Modified Files:
policy-20051021.patch policy-mls.patch selinux-policy-mls.spec
Log Message:
* Wed Nov 16 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-21
- Fixes for pegasus, suspend within su, and audit
policy-20051021.patch:
Makefile | 22 --
attrib.te | 18 +
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/fsadm.te | 2
domains/program/getty.te | 2
domains/program/ifconfig.te | 2
domains/program/init.te | 2
domains/program/initrc.te | 13 +
domains/program/login.te | 2
domains/program/logrotate.te | 2
domains/program/modutil.te | 8
domains/program/newrole.te | 4
domains/program/passwd.te | 2
domains/program/restorecon.te | 6
domains/program/setfiles.te | 2
domains/program/ssh.te | 2
domains/program/su.te | 7
domains/program/syslogd.te | 4
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 10 +
domains/program/unused/amanda.te | 21 +-
domains/program/unused/apache.te | 16 +
domains/program/unused/apmd.te | 19 +
domains/program/unused/auditd.te | 7
domains/program/unused/avahi.te | 31 +++
domains/program/unused/bluetooth.te | 57 +++++
domains/program/unused/cups.te | 11 -
domains/program/unused/cyrus.te | 8
domains/program/unused/dbusd.te | 2
domains/program/unused/dhcpc.te | 4
domains/program/unused/dhcpd.te | 4
domains/program/unused/dovecot.te | 2
domains/program/unused/exim.te | 309 +++++++++++++++++++++++++++++++
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 10 -
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 3
domains/program/unused/mta.te | 5
domains/program/unused/mysqld.te | 6
domains/program/unused/named.te | 17 +
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 15 +
domains/program/unused/ping.te | 2
domains/program/unused/postfix.te | 55 +++--
domains/program/unused/postgresql.te | 11 -
domains/program/unused/pppd.te | 24 +-
domains/program/unused/procmail.te | 9
domains/program/unused/radius.te | 3
domains/program/unused/rpcd.te | 16 +
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 6
domains/program/unused/saslauthd.te | 1
domains/program/unused/sendmail.te | 58 ++++-
domains/program/unused/slapd.te | 25 ++
domains/program/unused/snmpd.te | 1
domains/program/unused/spamd.te | 28 --
domains/program/unused/udev.te | 8
domains/program/unused/webalizer.te | 3
domains/program/unused/xdm.te | 2
domains/program/unused/yppasswdd.te | 40 ++++
domains/program/unused/ypserv.te | 8
file_contexts/distros.fc | 1
file_contexts/program/apache.fc | 3
file_contexts/program/avahi.fc | 4
file_contexts/program/backup.fc | 2
file_contexts/program/bluetooth.fc | 2
file_contexts/program/compat.fc | 4
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 9
file_contexts/program/exim.fc | 18 +
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 3
file_contexts/program/innd.fc | 15 -
file_contexts/program/kudzu.fc | 2
file_contexts/program/pegasus.fc | 6
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/sendmail.fc | 7
file_contexts/program/slapd.fc | 12 +
file_contexts/program/squid.fc | 3
file_contexts/program/yppasswdd.fc | 2
file_contexts/types.fc | 6
genfs_contexts | 1
macros/base_user_macros.te | 7
macros/global_macros.te | 33 +--
macros/home_macros.te | 9
macros/program/chkpwd_macros.te | 7
macros/program/dbusd_macros.te | 1
macros/program/exim_macros.te | 75 +++++++
macros/program/su_macros.te | 2
macros/program/ypbind_macros.te | 1
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 19 +
man/man8/httpd_selinux.8 | 9
man/man8/rsync_selinux.8 | 12 -
man/man8/samba_selinux.8 | 9
mcs | 194 ++++++-------------
mls | 227 ++++++++--------------
net_contexts | 4
targeted/assert.te | 2
targeted/domains/program/compat.te | 1
targeted/domains/program/rpm.te | 4
targeted/domains/program/sendmail.te | 18 -
targeted/domains/program/ssh.te | 2
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 10 -
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/devpts.te | 4
types/file.te | 44 +---
types/network.te | 10 -
types/nfs.te | 1
types/security.te | 2
118 files changed, 1232 insertions(+), 586 deletions(-)
Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/policy-20051021.patch,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- policy-20051021.patch 9 Nov 2005 22:53:20 -0000 1.21
+++ policy-20051021.patch 16 Nov 2005 19:25:06 -0000 1.22
@@ -263,7 +263,16 @@
allow $1_t { ttyfile ptyfile }:chr_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.2/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/restorecon.te 2005-11-09 11:23:15.000000000 -0500
++++ policy-1.27.2/domains/program/restorecon.te 2005-11-10 19:42:35.000000000 -0500
+@@ -22,7 +22,7 @@
+ can_access_pty(restorecon_t, initrc)
+ allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
+
+-domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
++domain_auto_trans({ initrc_t secadmin }, restorecon_exec_t, restorecon_t)
+ allow restorecon_t { userdomain init_t privfd }:fd use;
+
+ uses_shlib(restorecon_t)
@@ -63,3 +63,7 @@
allow restorecon_t kernel_t:fifo_file { read write };
allow restorecon_t kernel_t:unix_dgram_socket { read write };
@@ -296,14 +305,17 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.2/domains/program/su.te
--- nsapolicy/domains/program/su.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/su.te 2005-11-07 10:47:22.000000000 -0500
-@@ -15,7 +15,9 @@
++++ policy-1.27.2/domains/program/su.te 2005-11-16 14:08:58.000000000 -0500
+@@ -15,7 +15,12 @@
ifdef(`use_mcs', `
ifdef(`targeted_policy', `
-range_transition unconfined_t su_exec_t s0 - s0:c0.c127;
+range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
++# allow user to suspend terminal
++allow sysadm_su_t unconfined_t:process signal;
++allow sysadm_su_t self:process { signal sigstop };
+can_exec(sysadm_su_t, bin_t)
+rw_dir_create_file(sysadm_su_t, home_dir_type)
')
@@ -496,7 +508,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.2/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/auditd.te 2005-11-07 10:47:22.000000000 -0500
++++ policy-1.27.2/domains/program/unused/auditd.te 2005-11-14 13:19:41.000000000 -0500
@@ -12,6 +12,12 @@
daemon_domain(auditd)
@@ -510,6 +522,11 @@
allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+@@ -67,3 +73,4 @@
+
+ allow auditd_t sbin_t:dir search;
+ can_exec(auditd_t, sbin_t)
++allow auditd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/avahi.te policy-1.27.2/domains/program/unused/avahi.te
--- nsapolicy/domains/program/unused/avahi.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.2/domains/program/unused/avahi.te 2005-11-07 10:47:22.000000000 -0500
@@ -740,6 +757,15 @@
allow dhcpd_t etc_t:lnk_file read;
allow dhcpd_t { etc_t etc_runtime_t }:file r_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.2/domains/program/unused/dovecot.te
+--- nsapolicy/domains/program/unused/dovecot.te 2005-10-21 11:36:15.000000000 -0400
++++ policy-1.27.2/domains/program/unused/dovecot.te 2005-11-14 12:15:35.000000000 -0500
+@@ -72,4 +72,4 @@
+ read_sysctl(dovecot_auth_t)
+ allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
+ dontaudit dovecot_auth_t selinux_config_t:dir search;
+-
++allow dovecot_auth_t etc_runtime_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/exim.te policy-1.27.2/domains/program/unused/exim.te
--- nsapolicy/domains/program/unused/exim.te 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.27.2/domains/program/unused/exim.te 2005-11-07 10:47:22.000000000 -0500
@@ -1291,7 +1317,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.2/domains/program/unused/pegasus.te
--- nsapolicy/domains/program/unused/pegasus.te 2005-10-20 15:53:02.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pegasus.te 2005-11-07 10:47:22.000000000 -0500
++++ policy-1.27.2/domains/program/unused/pegasus.te 2005-11-16 14:22:32.000000000 -0500
@@ -7,17 +7,20 @@
#
# Rules for the pegasus domain
@@ -1321,12 +1347,12 @@
r_dir_file(pegasus_t, var_lib_t)
r_dir_file(pegasus_t, pegasus_mof_t)
-rw_dir_create_file(pegasus_t, pegasus_conf_t)
++allow pegasus_t pegasus_conf_t:file { link unlink };
+r_dir_file(pegasus_t, pegasus_conf_t)
+file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
rw_dir_create_file(pegasus_t, pegasus_data_t)
-rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
+dontaudit pegasus_t selinux_config_t:dir search;
-+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te policy-1.27.2/domains/program/unused/ping.te
--- nsapolicy/domains/program/unused/ping.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.2/domains/program/unused/ping.te 2005-11-07 10:47:22.000000000 -0500
@@ -1623,8 +1649,19 @@
+allow pppd_t initrc_t:process noatsecure;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.2/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te 2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/procmail.te 2005-11-07 11:30:31.000000000 -0500
-@@ -59,12 +59,14 @@
++++ policy-1.27.2/domains/program/unused/procmail.te 2005-11-14 12:09:43.000000000 -0500
+@@ -18,8 +18,9 @@
+
+ uses_shlib(procmail_t)
+ allow procmail_t device_t:dir search;
+-can_network_server(procmail_t)
++can_network(procmail_t)
+ nsswitch_domain(procmail_t)
++allow procmail_t spamd_port_t:tcp_socket name_connect;
+
+ allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
+
+@@ -59,12 +60,14 @@
allow procmail_t usr_t:file { getattr ioctl read };
ifdef(`spamassassin.te', `
can_exec(procmail_t, spamassassin_exec_t)
@@ -2422,7 +2459,7 @@
ifdef(`screen.te', `screen_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.2/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/macros/global_macros.te 2005-11-09 14:25:50.000000000 -0500
++++ policy-1.27.2/macros/global_macros.te 2005-11-14 12:52:33.000000000 -0500
@@ -287,8 +287,12 @@
#
define(`init_service_domain', `
@@ -2496,12 +2533,13 @@
allow $1 node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
allow $1 file_type:{ unix_stream_socket unix_dgram_socket } name_bind;
-@@ -774,4 +765,7 @@
+@@ -774,4 +765,8 @@
allow $1 { random_device_t urandom_device_t }:chr_file { getattr read };
allow $1 self:capability { audit_write audit_control };
dontaudit $1 shadow_t:file { getattr read };
+allow $1 sbin_t:dir search;
+allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++allow $1 var_lib_t:dir r_dir_perms;
+rw_dir_file($1, var_auth_t)
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/home_macros.te policy-1.27.2/macros/home_macros.te
@@ -3492,7 +3530,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.2/types/file.te
--- nsapolicy/types/file.te 2005-10-21 11:36:16.000000000 -0400
-+++ policy-1.27.2/types/file.te 2005-11-07 10:47:22.000000000 -0500
++++ policy-1.27.2/types/file.te 2005-11-09 20:39:49.000000000 -0500
@@ -84,6 +84,9 @@
#
type etc_t, file_type, sysadmfile;
@@ -3507,7 +3545,7 @@
type faillog_t, file_type, sysadmfile, logfile;
type var_lock_t, file_type, sysadmfile, lockfile;
type var_lib_t, mount_point, file_type, sysadmfile;
-+type var_auth_t, file_type, sysadmfile, logfile;
++type var_auth_t, file_type, sysadmfile;
# for /var/{spool,lib}/texmf index files
type tetex_data_t, file_type, sysadmfile, tmpfile;
type var_spool_t, file_type, sysadmfile, tmpfile;
policy-mls.patch:
Makefile | 2 +-
tunables/tunable.tun | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
Index: policy-mls.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/policy-mls.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- policy-mls.patch 21 Oct 2005 18:20:16 -0000 1.7
+++ policy-mls.patch 16 Nov 2005 19:25:06 -0000 1.8
@@ -1,4 +1,11 @@
- define(`direct_sysadm_daemon')
+--- policy-1.27.2/tunables/tunable.tunmls 2005-11-16 14:20:09.000000000 -0500
++++ policy-1.27.2/tunables/tunable.tun 2005-11-16 14:20:32.000000000 -0500
+@@ -10,10 +10,10 @@
+ dnl define(`unlimitedRC')
+
+ # Allow sysadm_t to directly start daemons
+-define(`direct_sysadm_daemon')
++dnl define(`direct_sysadm_daemon')
# Do not allow sysadm_t to be in the security manager domain
-dnl define(`separate_secadm')
@@ -6,12 +13,13 @@
# Do not audit things that we know to be broken but which
# are not security risks
+@@ -32,3 +32,4 @@
# Enable Polyinstantiation support
dnl define(`support_polyinstatiation')
+define(`mls_policy')
---- policy-1.27.1/Makefile.mls 2005-09-16 11:48:59.000000000 -0400
-+++ policy-1.27.1/Makefile 2005-09-16 11:49:18.000000000 -0400
+--- policy-1.27.2/Makefilemls 2005-11-16 14:20:09.000000000 -0500
++++ policy-1.27.2/Makefile 2005-11-16 14:20:09.000000000 -0500
@@ -32,7 +32,7 @@
MLSENABLED := $(shell cat /selinux/mls)
POLICYVER := policy.$(VERS)
@@ -21,4 +29,3 @@
INSTALLDIR = $(TOPDIR)/$(TYPE)
POLICYPATH = $(INSTALLDIR)/policy
-
Index: selinux-policy-mls.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/selinux-policy-mls.spec,v
retrieving revision 1.121
retrieving revision 1.122
diff -u -r1.121 -r1.122
--- selinux-policy-mls.spec 9 Nov 2005 22:53:20 -0000 1.121
+++ selinux-policy-mls.spec 16 Nov 2005 19:25:06 -0000 1.122
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.2
-Release: 19
+Release: 21
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -49,7 +49,6 @@
mv domains/misc/unused/* domains/misc
mv domains/program/unused/* domains/program/
(cd domains/program/; mv -f afs.te amavis.te asterisk.te audio-entropyd.te authbind.te backup.te calamaris.te ciped.te clamav.te clockspeed.te courier.te daemontools.te distcc.te djbdns.te dante.te dcc.te ddclient.te devfsd.te dnsmasq.te dpk* ethereal.te evolution.te exim.te fontconfig.te gatekeeper* games.te gconf.te gift.te gnome*.te iceauth.te imazesrv.te ircd.te jabberd.te lcd.te lrrd.te monopd.te mozilla.te mplayer.te nagios.te nessusd.te nrpe.te nsd.te nx_server.te oav-update.te openca-ca.te openvpn.te perdition.te portslave.te postgrey.te publicfile.te pyzor.te pxe.te qmail* thunderbird.te razor.te resmgrd.te rhgb.te rssh.te scannerdaemon.te seuser* sound-server.te speedmgmt.te snort.te sxid.te tiny* transproxy.te tripwire.te tvtime.te ucspi-tcp.te uml* uptimed.te uwimapd.te vmware.te watchdog.te xauth.te xdm.te xprint* xserver.te yam.te unused/)
-echo "define(\`mls_policy')" >> tunables/tunable.tun
make mlsconvert
make file_contexts/file_contexts
%patch2 -p1
@@ -242,6 +241,12 @@
exit 0
%changelog
+* Wed Nov 16 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-21
+- Fixes for pegasus, suspend within su, and audit
+
+* Mon Nov 14 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-20
+- Additional fixes for pam_abl
+
* Wed Nov 9 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-19
- Add /dev/xvd
- Add disable trans for init_core apps
- Previous message (by thread): rpms/selinux-policy-targeted/devel Makefile, 1.2, 1.3 policy-20051021.patch, 1.21, 1.22 selinux-policy-targeted.spec, 1.414, 1.415 sources, 1.126, 1.127
- Next message (by thread): rpms/selinux-policy-strict/devel policy-20051021.patch, 1.23, 1.24 selinux-policy-strict.spec, 1.421, 1.422
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list