rpms/selinux-policy-mls/devel policy-20051121.patch, NONE, 1.1 .cvsignore, 1.17, 1.18 policy-20051021.patch, 1.22, 1.23 selinux-policy-mls.spec, 1.122, 1.123 sources, 1.18, 1.19

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Nov 21 20:29:37 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-mls/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv20265

Modified Files:
	.cvsignore policy-20051021.patch selinux-policy-mls.spec 
	sources 
Added Files:
	policy-20051121.patch 
Log Message:
* Wed Nov 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.3-1
- Update to upstream


policy-20051121.patch:
 domains/program/su.te              |    3 +++
 domains/program/syslogd.te         |    1 +
 domains/program/unused/amanda.te   |    1 +
 domains/program/unused/auditd.te   |    1 +
 domains/program/unused/dovecot.te  |    2 +-
 domains/program/unused/pegasus.te  |    2 +-
 domains/program/unused/procmail.te |    3 ++-
 domains/program/unused/zebra.te    |    2 +-
 file_contexts/program/slocate.fc   |    4 ++--
 macros/global_macros.te            |    1 +
 net_contexts                       |    1 +
 tunables/distro.tun                |    2 +-
 tunables/tunable.tun               |    4 ++--
 types/file.te                      |    2 +-
 14 files changed, 19 insertions(+), 10 deletions(-)

--- NEW FILE policy-20051121.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.3/domains/program/su.te
--- nsapolicy/domains/program/su.te	2005-11-21 15:16:00.000000000 -0500
+++ policy-1.27.3/domains/program/su.te	2005-11-21 15:23:54.000000000 -0500
@@ -17,6 +17,9 @@
 ifdef(`targeted_policy', `
 range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
 domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
+# allow user to suspend terminal
+allow sysadm_su_t unconfined_t:process signal;
+allow sysadm_su_t self:process { signal sigstop };
 can_exec(sysadm_su_t, bin_t)
 rw_dir_create_file(sysadm_su_t, home_dir_type)
 ')
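Review bot: The comment `+# allow user to suspend terminal` should say which signal is meant and why the grant is this wide: SELinux's `signal` permission covers every signal except those with their own permission (sigkill, sigstop, sigchld), so `allow sysadm_su_t unconfined_t:process signal;` also lets su send e.g. SIGTERM to its unconfined parent, not only SIGTSTP. There is no finer-grained permission available, so the rule is acceptable, but the comment should record that: `# allow user to suspend terminal: SIGTSTP needs process:signal, which SELinux cannot narrow further`. Both new rules sit inside ifdef(`targeted_policy'), so in this mls build they are presumably inactive.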
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.3/domains/program/syslogd.te
--- nsapolicy/domains/program/syslogd.te	2005-11-21 15:16:00.000000000 -0500
+++ policy-1.27.3/domains/program/syslogd.te	2005-11-21 15:23:54.000000000 -0500
@@ -97,6 +97,7 @@
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 ifdef(`targeted_policy', `
 allow syslogd_t var_run_t:fifo_file { ioctl read write };
+allow syslogd_t ttyfile:chr_file { getattr write ioctl append };
 ')
 
 # Allow access to /proc/kmsg for syslog-ng
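Review bot: The new `allow syslogd_t ttyfile:chr_file { getattr write ioctl append };` grants write access to every tty type carrying the ttyfile attribute, user terminals included, and nothing in the hunk says why; a why-comment such as `# write emergency (wall-style) messages to logged-in terminals` belongs on the line if that is the intent. ioctl is probably needed because stdio's isatty() check on a tty goes through it, so I would not drop it untested. The rule is inside ifdef(`targeted_policy') and therefore does not affect the mls build. The same hunk is also added to policy-20051021.patch further down in this commit.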
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.27.3/domains/program/unused/amanda.te
--- nsapolicy/domains/program/unused/amanda.te	2005-11-21 15:16:00.000000000 -0500
+++ policy-1.27.3/domains/program/unused/amanda.te	2005-11-21 15:23:54.000000000 -0500
@@ -181,6 +181,7 @@
 # type for amrecover
 type amanda_recover_t, domain;
 role sysadm_r types amanda_recover_t;
+role system_r types amanda_recover_t;
 
 # exec types for amrecover 
 type amanda_recover_exec_t, file_type, sysadmfile, exec_type;
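Review bot: `role system_r types amanda_recover_t;` lets the interactive amrecover domain be entered from system_r (init scripts, cron) in addition to sysadm_r, and the hunk gives no reason for widening the role set. Since that changes who can reach a domain that handles backup restores, add a one-line comment naming the caller that runs amrecover under system_r, in the style of the existing `# type for amrecover` comment above it.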
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.3/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te	2005-11-21 15:16:00.000000000 -0500
+++ policy-1.27.3/domains/program/unused/auditd.te	2005-11-21 15:23:54.000000000 -0500
@@ -73,3 +73,4 @@
 
 allow auditd_t sbin_t:dir search;
 can_exec(auditd_t, sbin_t)
+allow auditd_t self:fifo_file rw_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.3/domains/program/unused/dovecot.te
--- nsapolicy/domains/program/unused/dovecot.te	2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.3/domains/program/unused/dovecot.te	2005-11-21 15:23:54.000000000 -0500
@@ -72,4 +72,4 @@
 read_sysctl(dovecot_auth_t)
 allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
 dontaudit dovecot_auth_t selinux_config_t:dir search;
-
+allow dovecot_auth_t etc_runtime_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pegasus.te policy-1.27.3/domains/program/unused/pegasus.te
--- nsapolicy/domains/program/unused/pegasus.te	2005-11-21 15:16:01.000000000 -0500
+++ policy-1.27.3/domains/program/unused/pegasus.te	2005-11-21 15:23:54.000000000 -0500
@@ -29,8 +29,8 @@
 r_dir_file(pegasus_t, etc_t)
 r_dir_file(pegasus_t, var_lib_t)
 r_dir_file(pegasus_t, pegasus_mof_t)
+allow pegasus_t pegasus_conf_t:file { link unlink };
 r_dir_file(pegasus_t, pegasus_conf_t)
 file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
 rw_dir_create_file(pegasus_t, pegasus_data_t)
 dontaudit pegasus_t selinux_config_t:dir search;
-
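Review bot: `allow pegasus_t pegasus_conf_t:file { link unlink };` lets the daemon delete or hard-link its own configuration files, which goes well beyond the read-only r_dir_file(pegasus_t, pegasus_conf_t) on the next line; the directory-level remove_name presumably already comes from the file_type_auto_trans line, so a compromised pegasus_t could erase its configuration. If the daemon rewrites its config through a temporary file and unlink, a comment should say so, e.g. `# pegasus rewrites its config files in place (unlink + recreate)`, and it is worth checking whether the rewritten files could instead live under pegasus_data_t, which the domain already owns.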
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.3/domains/program/unused/procmail.te
--- nsapolicy/domains/program/unused/procmail.te	2005-11-21 15:16:01.000000000 -0500
+++ policy-1.27.3/domains/program/unused/procmail.te	2005-11-21 15:23:54.000000000 -0500
@@ -18,8 +18,9 @@
 
 uses_shlib(procmail_t)
 allow procmail_t device_t:dir search;
-can_network_server(procmail_t)
+can_network(procmail_t)
 nsswitch_domain(procmail_t)
+allow procmail_t spamd_port_t:tcp_socket name_connect;
 
 allow procmail_t self:capability { sys_nice chown setuid setgid dac_override };
 
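Review bot: Replacing `can_network_server(procmail_t)` with `can_network(procmail_t)` grants procmail both client and server network access in order to reach spamd, which is wider than the added `allow procmail_t spamd_port_t:tcp_socket name_connect;` needs. If this tree defines can_network_client and the server side was never actually required, `can_network_client(procmail_t)` plus the name_connect rule expresses the intent (procmail connecting out to spamd) without also permitting it to listen. Either way a comment on the name_connect line naming the use case, e.g. `# procmail invokes spamc, which connects to spamd`, would help the next reader.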
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/zebra.te policy-1.27.3/domains/program/unused/zebra.te
--- nsapolicy/domains/program/unused/zebra.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.3/domains/program/unused/zebra.te	2005-11-21 15:24:29.000000000 -0500
@@ -24,7 +24,7 @@
 allow zebra_t self:unix_dgram_socket create_socket_perms;
 allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow zebra_t self:rawip_socket create_socket_perms;
-allow zebra_t self:netlink_route_socket r_netlink_socket_perms;
+allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
 allow zebra_t zebra_port_t:tcp_socket name_bind;
 
 allow zebra_t proc_t:file { getattr read };
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/slocate.fc policy-1.27.3/file_contexts/program/slocate.fc
--- nsapolicy/file_contexts/program/slocate.fc	2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.3/file_contexts/program/slocate.fc	2005-11-21 15:23:54.000000000 -0500
@@ -1,4 +1,4 @@
 # locate - file locater
-/usr/bin/slocate		--	system_u:object_r:locate_exec_t
-/var/lib/slocate(/.*)?			system_u:object_r:locate_var_lib_t
+/usr/bin/s?locate		--	system_u:object_r:locate_exec_t
+/var/lib/[sm]locate(/.*)?			system_u:object_r:locate_var_lib_t
 /etc/updatedb\.conf		--	system_u:object_r:locate_etc_t
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.3/macros/global_macros.te
--- nsapolicy/macros/global_macros.te	2005-11-21 15:16:01.000000000 -0500
+++ policy-1.27.3/macros/global_macros.te	2005-11-21 15:23:54.000000000 -0500
@@ -767,5 +767,6 @@
 dontaudit $1 shadow_t:file { getattr read };
 allow $1 sbin_t:dir search;
 allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow $1 var_lib_t:dir r_dir_perms;
 rw_dir_file($1, var_auth_t)
 ')
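Review bot: The new `allow $1 var_lib_t:dir r_dir_perms;` grants every domain that uses this macro search/read on /var/lib itself, and the macro's name and opening are outside the hunk, so the reader cannot see which domains that is. A why-comment would help, e.g. `# search /var/lib to reach var_auth_t` if that is the motivation suggested by the rw_dir_file($1, var_auth_t) line below it. The enclosing macro definition starts before this hunk.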
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.3/net_contexts
--- nsapolicy/net_contexts	2005-11-21 15:16:00.000000000 -0500
+++ policy-1.27.3/net_contexts	2005-11-21 15:23:54.000000000 -0500
@@ -149,6 +149,7 @@
 portcon udp 5060 system_u:object_r:asterisk_port_t
 portcon tcp 2000 system_u:object_r:mail_port_t
 portcon tcp 2601 system_u:object_r:zebra_port_t
+portcon tcp 2605 system_u:object_r:zebra_port_t
 portcon tcp 2628 system_u:object_r:dict_port_t
 portcon tcp 3306 system_u:object_r:mysqld_port_t
 portcon tcp 3632 system_u:object_r:distccd_port_t
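Review bot: `portcon tcp 2605 system_u:object_r:zebra_port_t` labels the bgpd vty port with the same type as 2601 without a comment; since the file otherwise lists one port per line, a trailing `# bgpd` would document why a second port shares zebra_port_t. The other quagga daemon vty ports (2602–2604 for ripd/ripngd/ospfd) are not labeled in this hunk, so if those daemons also run in zebra_t they will hit the same name_bind denial that presumably motivated this line; I cannot tell from here whether they are labeled elsewhere.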
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.27.3/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.3/tunables/distro.tun	2005-11-21 15:23:54.000000000 -0500
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.27.3/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.3/tunables/tunable.tun	2005-11-21 15:23:54.000000000 -0500
@@ -1,5 +1,5 @@
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
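Review bot: Turning on `define(`unlimitedRPM')` makes rpm and every package scriptlet it runs unconfined, which in an MLS policy is a deliberate trust decision, and the commit message "Update to upstream" does not mention it. The previous patch's diffstat lists the same tunables file, so this is presumably carried forward rather than new, but the new patch should record that on the line, e.g. `# distribution default, carried over from the previous patch: rpm scriptlets run unconfined`.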
@@ -17,7 +17,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.3/types/file.te
--- nsapolicy/types/file.te	2005-11-21 15:16:02.000000000 -0500
+++ policy-1.27.3/types/file.te	2005-11-21 15:23:54.000000000 -0500
@@ -199,7 +199,7 @@
 type faillog_t, file_type, sysadmfile, logfile;
 type var_lock_t, file_type, sysadmfile, lockfile;
 type var_lib_t, mount_point, file_type, sysadmfile;
-type var_auth_t, file_type, sysadmfile, logfile;
+type var_auth_t, file_type, sysadmfile;
 # for /var/{spool,lib}/texmf index files
 type tetex_data_t, file_type, sysadmfile, tmpfile;
 type var_spool_t, file_type, sysadmfile, tmpfile;
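Review bot: Dropping `logfile` from `type var_auth_t, file_type, sysadmfile;` removes var_auth_t from every rule written against the logfile attribute, so domains that reached it only that way (log rotation, syslog, log readers) lose access while direct rw_dir_file grants on var_auth_t keep working; the hunk gives no reason. A comment such as `# not a logfile: only the authentication helpers read and write it` would record the intent, and it is worth confirming that nothing under this type is still expected to be rotated.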


Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/.cvsignore,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- .cvsignore	21 Oct 2005 18:21:02 -0000	1.17
+++ .cvsignore	21 Nov 2005 20:29:34 -0000	1.18
@@ -15,3 +15,4 @@
 policy-1.26.tgz
 policy-1.27.1.tgz
 policy-1.27.2.tgz
+policy-1.27.3.tgz

policy-20051021.patch:
 Makefile                                 |   22 --
 attrib.te                                |   18 +
 domains/admin.te                         |    2 
 domains/misc/kernel.te                   |    2 
 domains/program/fsadm.te                 |    2 
 domains/program/getty.te                 |    2 
 domains/program/ifconfig.te              |    2 
 domains/program/init.te                  |    2 
 domains/program/initrc.te                |   13 +
 domains/program/login.te                 |    2 
 domains/program/logrotate.te             |    2 
 domains/program/modutil.te               |    8 
 domains/program/newrole.te               |    4 
 domains/program/passwd.te                |    2 
 domains/program/restorecon.te            |    6 
 domains/program/setfiles.te              |    2 
 domains/program/ssh.te                   |    2 
 domains/program/su.te                    |    7 
 domains/program/syslogd.te               |    5 
 domains/program/tmpreaper.te             |    2 
 domains/program/unused/NetworkManager.te |   10 +
 domains/program/unused/amanda.te         |   21 +-
 domains/program/unused/apache.te         |   16 +
 domains/program/unused/apmd.te           |   19 +
 domains/program/unused/auditd.te         |    7 
 domains/program/unused/avahi.te          |   31 +++
 domains/program/unused/bluetooth.te      |   57 +++++
 domains/program/unused/cups.te           |   11 -
 domains/program/unused/cyrus.te          |    8 
 domains/program/unused/dbusd.te          |    2 
 domains/program/unused/dhcpc.te          |    4 
 domains/program/unused/dhcpd.te          |    4 
 domains/program/unused/dovecot.te        |    2 
 domains/program/unused/exim.te           |  309 +++++++++++++++++++++++++++++++
 domains/program/unused/ftpd.te           |    6 
 domains/program/unused/hald.te           |    5 
 domains/program/unused/hotplug.te        |   10 -
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    3 
 domains/program/unused/mta.te            |    5 
 domains/program/unused/mysqld.te         |    6 
 domains/program/unused/named.te          |   17 +
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |    5 
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   15 +
 domains/program/unused/ping.te           |    2 
 domains/program/unused/postfix.te        |   55 +++--
 domains/program/unused/postgresql.te     |   11 -
 domains/program/unused/pppd.te           |   24 +-
 domains/program/unused/procmail.te       |    9 
 domains/program/unused/radius.te         |    3 
 domains/program/unused/rpcd.te           |   16 +
 domains/program/unused/rpm.te            |    4 
 domains/program/unused/rsync.te          |    3 
 domains/program/unused/samba.te          |    6 
 domains/program/unused/saslauthd.te      |    1 
 domains/program/unused/sendmail.te       |   58 ++++-
 domains/program/unused/slapd.te          |   25 ++
 domains/program/unused/snmpd.te          |    1 
 domains/program/unused/spamd.te          |   28 --
 domains/program/unused/udev.te           |    8 
 domains/program/unused/webalizer.te      |    3 
 domains/program/unused/xdm.te            |    2 
 domains/program/unused/yppasswdd.te      |   40 ++++
 domains/program/unused/ypserv.te         |    8 
 file_contexts/distros.fc                 |    1 
 file_contexts/program/apache.fc          |    3 
 file_contexts/program/avahi.fc           |    4 
 file_contexts/program/backup.fc          |    2 
 file_contexts/program/bluetooth.fc       |    2 
 file_contexts/program/compat.fc          |    4 
 file_contexts/program/dhcpc.fc           |    1 
 file_contexts/program/dhcpd.fc           |    9 
 file_contexts/program/exim.fc            |   18 +
 file_contexts/program/ftpd.fc            |    5 
 file_contexts/program/games.fc           |    3 
 file_contexts/program/innd.fc            |   15 -
 file_contexts/program/kudzu.fc           |    2 
 file_contexts/program/pegasus.fc         |    6 
 file_contexts/program/rshd.fc            |    1 
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/sendmail.fc        |    7 
 file_contexts/program/slapd.fc           |   12 +
 file_contexts/program/squid.fc           |    3 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/types.fc                   |    6 
 genfs_contexts                           |    1 
 macros/base_user_macros.te               |    7 
 macros/global_macros.te                  |   33 +--
 macros/home_macros.te                    |    9 
 macros/program/chkpwd_macros.te          |    7 
 macros/program/dbusd_macros.te           |    1 
 macros/program/exim_macros.te            |   75 +++++++
 macros/program/su_macros.te              |    2 
 macros/program/ypbind_macros.te          |    1 
 macros/user_macros.te                    |    1 
 man/man8/ftpd_selinux.8                  |   19 +
 man/man8/httpd_selinux.8                 |    9 
 man/man8/rsync_selinux.8                 |   12 -
 man/man8/samba_selinux.8                 |    9 
 mcs                                      |  194 ++++++-------------
 mls                                      |  227 ++++++++--------------
 net_contexts                             |    4 
 targeted/assert.te                       |    2 
 targeted/domains/program/compat.te       |    1 
 targeted/domains/program/rpm.te          |    4 
 targeted/domains/program/sendmail.te     |   18 -
 targeted/domains/program/ssh.te          |    2 
 targeted/domains/program/xdm.te          |    4 
 targeted/domains/unconfined.te           |   10 -
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 
 types/devpts.te                          |    4 
 types/file.te                            |   44 +---
 types/network.te                         |   10 -
 types/nfs.te                             |    1 
 types/security.te                        |    2 
 118 files changed, 1233 insertions(+), 586 deletions(-)

Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/policy-20051021.patch,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- policy-20051021.patch	16 Nov 2005 19:25:06 -0000	1.22
+++ policy-20051021.patch	21 Nov 2005 20:29:34 -0000	1.23
@@ -322,7 +322,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.27.2/domains/program/syslogd.te
 --- nsapolicy/domains/program/syslogd.te	2005-10-21 11:36:15.000000000 -0400
-+++ policy-1.27.2/domains/program/syslogd.te	2005-11-07 10:47:22.000000000 -0500
++++ policy-1.27.2/domains/program/syslogd.te	2005-11-16 15:51:03.000000000 -0500
 @@ -14,9 +14,9 @@
  # by syslogd.
  #
@@ -335,6 +335,14 @@
  ')
  
  # can_network is for the UDP socket
+@@ -97,6 +97,7 @@
+ allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ ifdef(`targeted_policy', `
+ allow syslogd_t var_run_t:fifo_file { ioctl read write };
++allow syslogd_t ttyfile:chr_file { getattr write ioctl append };
+ ')
+ 
+ # Allow access to /proc/kmsg for syslog-ng
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.27.2/domains/program/tmpreaper.te
 --- nsapolicy/domains/program/tmpreaper.te	2005-09-12 16:40:28.000000000 -0400
 +++ policy-1.27.2/domains/program/tmpreaper.te	2005-11-07 10:47:22.000000000 -0500
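Review bot: The syslogd hunk added to policy-20051021.patch at `+@@ -97,6 +97,7 @@` duplicates the one in the new policy-20051121.patch, and after this commit the spec's `Patch:` line points at the new file, so this edit to the old patch is not used by the build. Either remove the old patch from the module or leave it untouched rather than maintaining two copies of the same change.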


Index: selinux-policy-mls.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/selinux-policy-mls.spec,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -r1.122 -r1.123
--- selinux-policy-mls.spec	16 Nov 2005 19:25:06 -0000	1.122
+++ selinux-policy-mls.spec	21 Nov 2005 20:29:34 -0000	1.123
@@ -8,8 +8,8 @@
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
-Version: 1.27.2
-Release: 21
+Version: 1.27.3
+Release: 1
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -17,7 +17,7 @@
 Source4: seusers
 Source5: setrans.conf
 BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20051021.patch
+Patch: policy-20051121.patch
 Patch1: policy-%{type}.patch
 Patch2: mlspol.patch
 
@@ -241,6 +241,9 @@
 exit 0
 
 %changelog
+* Wed Nov 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.3-1
+- Update to upstream
+
 * Wed Nov 16 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-21
 - Fixes for pegasus, suspend within su, and audit
 
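Review bot: The changelog entry `* Wed Nov 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.3-1` carries the wrong weekday: the commit itself is dated Mon Nov 21 2005, and rpmbuild warns about a bogus date in %changelog when the weekday does not match. Change it to `* Mon Nov 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.3-1`. The entry body "Update to upstream" also says nothing about the tunables the new patch switches on, which is worth a second bullet.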


Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-mls/devel/sources,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- sources	21 Oct 2005 18:21:02 -0000	1.18
+++ sources	21 Nov 2005 20:29:34 -0000	1.19
@@ -1 +1 @@
-7a3f5b1224a4d1475fb146b2fb6950bc  policy-1.27.2.tgz
+f3dc97e90e08288bf701c686054cb078  policy-1.27.3.tgz



