rpms/selinux-policy-targeted/devel seusers, NONE, 1.1 policy-20050916.patch, 1.15, 1.16 selinux-policy-targeted.spec, 1.384, 1.385
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Oct 7 20:26:06 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv32078
Modified Files:
policy-20050916.patch selinux-policy-targeted.spec
Added Files:
seusers
Log Message:
* Fri Oct 7 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-14
- Increase sensitivities to 16
- Increase Capabilities to 256
--- NEW FILE seusers ---
root:root:s0-s0:c0.c255
default:user_u:s0
policy-20050916.patch:
Makefile | 26 ++--
attrib.te | 3
domains/misc/kernel.te | 2
domains/program/crond.te | 2
domains/program/fsadm.te | 7 -
domains/program/hostname.te | 2
domains/program/ifconfig.te | 5
domains/program/initrc.te | 17 +++
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 7 -
domains/program/login.te | 21 ++-
domains/program/modutil.te | 14 +-
domains/program/mount.te | 5
domains/program/netutils.te | 3
domains/program/newrole.te | 4
domains/program/passwd.te | 1
domains/program/restorecon.te | 3
domains/program/setfiles.te | 4
domains/program/ssh.te | 6 -
domains/program/su.te | 9 +
domains/program/syslogd.te | 6 -
domains/program/unused/NetworkManager.te | 3
domains/program/unused/alsa.te | 2
domains/program/unused/amanda.te | 74 +++-----------
domains/program/unused/anaconda.te | 5
domains/program/unused/apache.te | 17 +--
domains/program/unused/apmd.te | 13 ++
domains/program/unused/auditd.te | 2
domains/program/unused/automount.te | 4
domains/program/unused/bluetooth.te | 61 +++++++++++
domains/program/unused/cups.te | 18 ++-
domains/program/unused/cvs.te | 3
domains/program/unused/cyrus.te | 2
domains/program/unused/dbusd.te | 4
domains/program/unused/dhcpc.te | 5
domains/program/unused/dhcpd.te | 3
domains/program/unused/dovecot.te | 4
domains/program/unused/hald.te | 2
domains/program/unused/hotplug.te | 5
domains/program/unused/hwclock.te | 2
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 5
domains/program/unused/mta.te | 8 +
domains/program/unused/mysqld.te | 6 -
domains/program/unused/named.te | 29 ++++-
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 10 -
domains/program/unused/openct.te | 16 +++
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 37 +++++++
domains/program/unused/ping.te | 3
domains/program/unused/postfix.te | 30 +++--
domains/program/unused/pppd.te | 8 -
domains/program/unused/procmail.te | 11 +-
domains/program/unused/readahead.te | 21 +++
domains/program/unused/rlogind.te | 4
domains/program/unused/roundup.te | 29 +++++
domains/program/unused/rpcd.te | 12 ++
domains/program/unused/samba.te | 12 +-
domains/program/unused/snmpd.te | 6 -
domains/program/unused/squid.te | 3
domains/program/unused/udev.te | 10 +
domains/program/unused/utempter.te | 2
domains/program/unused/webalizer.te | 3
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 3
domains/program/unused/yppasswdd.te | 40 +++++++
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 5
file_contexts/distros.fc | 2
file_contexts/program/bluetooth.fc | 3
file_contexts/program/dhcpc.fc | 2
file_contexts/program/dhcpd.fc | 1
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 11 +-
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/pegasus.fc | 11 ++
file_contexts/program/pppd.fc | 2
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/rpm.fc | 4
file_contexts/program/rsync.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/yppasswdd.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 2
genfs_contexts | 2
macros/core_macros.te | 3
macros/global_macros.te | 18 ++-
macros/network_macros.te | 17 +++
macros/program/apache_macros.te | 13 ++
macros/program/cdrecord_macros.te | 2
macros/program/i18n_input_macros.te | 21 +++
macros/program/mta_macros.te | 4
macros/program/newrole_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/su_macros.te | 4
macros/program/uml_macros.te | 2
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 19 +--
man/man8/httpd_selinux.8 | 9 +
man/man8/rsync_selinux.8 | 12 +-
man/man8/samba_selinux.8 | 9 +
mcs | 146 +++++++++++++++++++++++++++
mls | 163 ++++++++++++++++++++++++++++---
net_contexts | 6 +
targeted/appconfig/root_default_contexts | 4
targeted/assert.te | 2
targeted/domains/program/ssh.te | 3
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 16 ++-
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/devpts.te | 4
types/file.te | 15 ++
types/network.te | 12 +-
types/security.te | 5
119 files changed, 1040 insertions(+), 243 deletions(-)
Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050916.patch,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- policy-20050916.patch 4 Oct 2005 16:31:20 -0000 1.15
+++ policy-20050916.patch 7 Oct 2005 20:26:02 -0000 1.16
@@ -11,6 +11,18 @@
# For clients of nscd.
attribute nscd_client_domain;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.27.1/domains/misc/kernel.te
+--- nsapolicy/domains/misc/kernel.te 2005-09-16 11:17:08.000000000 -0400
++++ policy-1.27.1/domains/misc/kernel.te 2005-10-05 10:05:53.000000000 -0400
+@@ -30,7 +30,7 @@
+
+ ifdef(`mls_policy', `
+ # run init with maximum MLS range
+-range_transition kernel_t init_exec_t s0 - s9:c0.c127;
++range_transition kernel_t init_exec_t s0 - s9:c0.c255;
+ ')
+
+ # Share state with the init process.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.27.1/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/crond.te 2005-09-27 17:14:40.000000000 -0400
@@ -150,7 +162,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.27.1/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.1/domains/program/login.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/login.te 2005-10-05 10:03:33.000000000 -0400
@@ -62,6 +62,11 @@
ifdef(`pamconsole.te', `
@@ -197,7 +209,7 @@
+ifdef(`use_mcs', `
+ifdef(`getty.te', `
-+range_transition getty_t login_exec_t s0 - s0:c0.c127;
++range_transition getty_t login_exec_t s0 - s0:c0.c255;
+')
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
@@ -346,7 +358,7 @@
allow setfiles_t self:unix_dgram_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.27.1/domains/program/ssh.te
--- nsapolicy/domains/program/ssh.te 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/ssh.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/ssh.te 2005-10-05 10:03:39.000000000 -0400
@@ -153,6 +153,7 @@
#
sshd_program_domain(sshd)
@@ -369,11 +381,11 @@
allow ssh_keygen_t sysadm_tty_device_t:chr_file { read write };
allow ssh_keygen_t urandom_device_t:chr_file { getattr read };
+ifdef(`use_mcs', `
-+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
++range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/su.te policy-1.27.1/domains/program/su.te
--- nsapolicy/domains/program/su.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.1/domains/program/su.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/su.te 2005-10-05 10:03:19.000000000 -0400
@@ -12,3 +12,12 @@
# Everything else is in the su_domain macro in
@@ -381,7 +393,7 @@
+
+ifdef(`use_mcs', `
+ifdef(`targeted_policy', `
-+range_transition unconfined_t su_exec_t s0 - s0:c0.c127;
++range_transition unconfined_t su_exec_t s0 - s0:c0.c255;
+domain_auto_trans(unconfined_t, su_exec_t, sysadm_su_t)
+can_exec(sysadm_su_t, bin_t)
+rw_dir_create_file(sysadm_su_t, home_dir_type)
@@ -807,7 +819,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
--- nsapolicy/domains/program/unused/cups.te 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cups.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cups.te 2005-10-05 10:04:29.000000000 -0400
@@ -188,6 +188,7 @@
# Uses networking to talk to the daemons
allow hplip_t self:unix_dgram_socket create_socket_perms;
@@ -867,7 +879,7 @@
r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
+ifdef(`use_mcs', `
-+range_transition initrc_t cupsd_exec_t s0 - s0:c0.c127;
++range_transition initrc_t cupsd_exec_t s0 - s0:c0.c255;
+')
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cvs.te policy-1.27.1/domains/program/unused/cvs.te
@@ -1635,7 +1647,7 @@
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.27.1/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/samba.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/unused/samba.te 2005-10-05 13:09:46.000000000 -0400
@@ -25,6 +25,9 @@
# not sure why it needs this
tmp_domain(smbd)
@@ -1657,7 +1669,7 @@
allow smbd_t { smbd_port_t ipp_port_t }:tcp_socket name_connect;
allow smbd_t urandom_device_t:chr_file { getattr read };
-@@ -75,6 +77,11 @@
+@@ -75,6 +77,12 @@
allow smbd_t samba_log_t:dir ra_dir_perms;
dontaudit smbd_t samba_log_t:dir remove_name;
@@ -1665,13 +1677,14 @@
+dontaudit smbd_t { devpts_t boot_t default_t tmpfs_t }:dir getattr;
+dontaudit smbd_t devpts_t:dir getattr;
+')
++allow smbd_t fs_t:filesystem quotaget;
+
allow smbd_t usr_t:file { getattr read };
# Access Samba shares.
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/snmpd.te policy-1.27.1/domains/program/unused/snmpd.te
--- nsapolicy/domains/program/unused/snmpd.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/snmpd.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/unused/snmpd.te 2005-10-07 15:05:58.000000000 -0400
@@ -22,8 +22,9 @@
# for the .index file
@@ -1692,6 +1705,13 @@
allow snmpd_t etc_t:lnk_file read;
allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
+@@ -79,5 +80,6 @@
+
+ allow snmpd_t domain:dir { getattr search };
+ allow snmpd_t domain:file { getattr read };
++allow snmpd_t domain:process signull;
+
+ dontaudit snmpd_t selinux_config_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.27.1/domains/program/unused/squid.te
--- nsapolicy/domains/program/unused/squid.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/unused/squid.te 2005-09-27 17:14:40.000000000 -0400
@@ -1712,7 +1732,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.27.1/domains/program/unused/udev.te
--- nsapolicy/domains/program/unused/udev.te 2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/udev.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/unused/udev.te 2005-10-05 10:04:14.000000000 -0400
@@ -28,12 +28,12 @@
type udev_tdb_t, file_type, sysadmfile, dev_fs;
typealias udev_tdb_t alias udev_tbl_t;
@@ -1739,8 +1759,8 @@
')
dontaudit hostname_t udev_t:fd use;
+ifdef(`use_mcs', `
-+range_transition kernel_t udev_exec_t s0 - s0:c0.c127;
-+range_transition initrc_t udev_exec_t s0 - s0:c0.c127;
++range_transition kernel_t udev_exec_t s0 - s0:c0.c255;
++range_transition initrc_t udev_exec_t s0 - s0:c0.c255;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/utempter.te policy-1.27.1/domains/program/unused/utempter.te
--- nsapolicy/domains/program/unused/utempter.te 2005-09-12 16:40:29.000000000 -0400
@@ -1780,13 +1800,13 @@
allow winbind_helper_t privfd:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.27.1/domains/program/unused/xdm.te
--- nsapolicy/domains/program/unused/xdm.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/xdm.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/unused/xdm.te 2005-10-05 10:04:37.000000000 -0400
@@ -371,3 +371,6 @@
dontaudit xdm_t ice_tmp_t:dir { getattr setattr };
#### Also see xdm_macros.te
+ifdef(`use_mcs', `
-+range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
++range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/yppasswdd.te policy-1.27.1/domains/program/unused/yppasswdd.te
--- nsapolicy/domains/program/unused/yppasswdd.te 1969-12-31 19:00:00.000000000 -0500
@@ -2083,7 +2103,7 @@
# initrd mount point, only used during boot
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.1/genfs_contexts
--- nsapolicy/genfs_contexts 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.1/genfs_contexts 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/genfs_contexts 2005-10-06 17:35:05.000000000 -0400
@@ -94,7 +94,7 @@
genfscon debugfs / system_u:object_r:debugfs_t
genfscon inotifyfs / system_u:object_r:inotifyfs_t
@@ -2383,7 +2403,7 @@
ifdef(`lockdev.te', `lockdev_domain($1)')
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.27.1/Makefile
--- nsapolicy/Makefile 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/Makefile 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/Makefile 2005-10-05 10:02:18.000000000 -0400
@@ -16,7 +16,7 @@
MLS=n
@@ -2445,12 +2465,25 @@
reload tmp/load: $(LOADPATH)
@echo "Loading Policy ..."
+@@ -337,10 +340,10 @@
+ done
+ @for file in $(USER_FILES); do \
+ echo "Converting $$file"; \
+- sed -e 's/;/ level s0 range s0 - s9:c0.c127;/' $$file > $$file.new && \
++ sed -e 's/;/ level s0 range s0 - s15:c0.c255;/' $$file > $$file.new && \
+ mv $$file.new $$file; \
+ done
+- @sed -e '/sid kernel/s/s0/s0 - s9:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
++ @sed -e '/sid kernel/s/s0/s0 - s15:c0.c255/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
+ @echo "Enabling MLS in the Makefile"
+ @sed "s/MLS=n/MLS=y/" Makefile > Makefile.new
+ @mv Makefile.new Makefile
@@ -355,10 +358,9 @@
@for file in $(USER_FILES); do \
echo "Converting $$file"; \
sed -r -e 's/\;/ level s0 range s0;/' $$file | \
- sed -r -e 's/(user (root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
-+ sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c127;/' > $$file.new; \
++ sed -r -e 's/(user (user_u|root|system_u).*);/\1 - s0:c0.c255;/' > $$file.new; \
mv $$file.new $$file; \
done
- @sed -e '/sid kernel/s/s0/s0 - s0:c0.c127/' initial_sid_contexts > initial_sid_contexts.new && mv initial_sid_contexts.new initial_sid_contexts
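Review bot: The MLS conversion loop rewrites every statement in `$(USER_FILES)` to `range s0 - s15:c0.c255`, so each converted user ends up cleared for the whole, now larger, label space, and nothing in the visible lines marks this as a bootstrap default. A comment above the loop such as `# Bootstrap only: every user gets full clearance; narrow per-user ranges before deployment` would make that explicit. The literals `s15` and `c255` are also repeated in both sed expressions and must match what the mls file declares, so a pair of make variables would keep them in step. The recipe's target line is outside the hunk, so this is based on the visible lines only.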
@@ -2570,8 +2603,151 @@
diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.1/mcs
--- nsapolicy/mcs 2005-09-15 16:13:03.000000000 -0400
-+++ policy-1.27.1/mcs 2005-09-27 17:14:40.000000000 -0400
-@@ -200,9 +200,23 @@
++++ policy-1.27.1/mcs 2005-10-05 09:43:32.000000000 -0400
+@@ -146,13 +146,141 @@
+ category c125;
+ category c126;
+ category c127;
++category c128;
++category c129;
++category c130;
++category c131;
++category c132;
++category c133;
++category c134;
++category c135;
++category c136;
++category c137;
++category c138;
++category c139;
++category c140;
++category c141;
++category c142;
++category c143;
++category c144;
++category c145;
++category c146;
++category c147;
++category c148;
++category c149;
++category c150;
++category c151;
++category c152;
++category c153;
++category c154;
++category c155;
++category c156;
++category c157;
++category c158;
++category c159;
++category c160;
++category c161;
++category c162;
++category c163;
++category c164;
++category c165;
++category c166;
++category c167;
++category c168;
++category c169;
++category c170;
++category c171;
++category c172;
++category c173;
++category c174;
++category c175;
++category c176;
++category c177;
++category c178;
++category c179;
++category c180;
++category c181;
++category c182;
++category c183;
++category c184;
++category c185;
++category c186;
++category c187;
++category c188;
++category c189;
++category c190;
++category c191;
++category c192;
++category c193;
++category c194;
++category c195;
++category c196;
++category c197;
++category c198;
++category c199;
++category c200;
++category c201;
++category c202;
++category c203;
++category c204;
++category c205;
++category c206;
++category c207;
++category c208;
++category c209;
++category c210;
++category c211;
++category c212;
++category c213;
++category c214;
++category c215;
++category c216;
++category c217;
++category c218;
++category c219;
++category c220;
++category c221;
++category c222;
++category c223;
++category c224;
++category c225;
++category c226;
++category c227;
++category c228;
++category c229;
++category c230;
++category c231;
++category c232;
++category c233;
++category c234;
++category c235;
++category c236;
++category c237;
++category c238;
++category c239;
++category c240;
++category c241;
++category c242;
++category c243;
++category c244;
++category c245;
++category c246;
++category c247;
++category c248;
++category c249;
++category c250;
++category c251;
++category c252;
++category c253;
++category c254;
++category c255;
+
+
+ #
+ # Each MCS level specifies a sensitivity and zero or more categories which may
+ # be associated with that sensitivity.
+ #
+-level s0:c0.c127;
++level s0:c0.c255;
+
+ #
+ # Define the MCS policy
+@@ -200,9 +328,23 @@
#
# Only files are constrained by MCS at this stage.
#
@@ -2596,6 +2772,196 @@
# XXX
#
+diff --exclude-from=exclude -N -u -r nsapolicy/mls policy-1.27.1/mls
+--- nsapolicy/mls 2005-09-12 16:40:26.000000000 -0400
++++ policy-1.27.1/mls 2005-10-05 09:42:58.000000000 -0400
+@@ -13,12 +13,17 @@
+ sensitivity s7;
+ sensitivity s8;
+ sensitivity s9;
+-
++sensitivity s10;
++sensitivity s11;
++sensitivity s12;
++sensitivity s13;
++sensitivity s14;
++sensitivity s15;
+
+ #
+ # Define the ordering of the sensitivity levels (least to greatest)
+ #
+-dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 }
++dominance { s0 s1 s2 s3 s4 s5 s6 s7 s8 s9 s10 s11 s12 s13 s14 s15 }
+
+
+ #
+@@ -154,22 +159,156 @@
+ category c125;
+ category c126;
+ category c127;
++category c128;
++category c129;
++category c130;
++category c131;
++category c132;
++category c133;
++category c134;
++category c135;
++category c136;
++category c137;
++category c138;
++category c139;
++category c140;
++category c141;
++category c142;
++category c143;
++category c144;
++category c145;
++category c146;
++category c147;
++category c148;
++category c149;
++category c150;
++category c151;
++category c152;
++category c153;
++category c154;
++category c155;
++category c156;
++category c157;
++category c158;
++category c159;
++category c160;
++category c161;
++category c162;
++category c163;
++category c164;
++category c165;
++category c166;
++category c167;
++category c168;
++category c169;
++category c170;
++category c171;
++category c172;
++category c173;
++category c174;
++category c175;
++category c176;
++category c177;
++category c178;
++category c179;
++category c180;
++category c181;
++category c182;
++category c183;
++category c184;
++category c185;
++category c186;
++category c187;
++category c188;
++category c189;
++category c190;
++category c191;
++category c192;
++category c193;
++category c194;
++category c195;
++category c196;
++category c197;
++category c198;
++category c199;
++category c200;
++category c201;
++category c202;
++category c203;
++category c204;
++category c205;
++category c206;
++category c207;
++category c208;
++category c209;
++category c210;
++category c211;
++category c212;
++category c213;
++category c214;
++category c215;
++category c216;
++category c217;
++category c218;
++category c219;
++category c220;
++category c221;
++category c222;
++category c223;
++category c224;
++category c225;
++category c226;
++category c227;
++category c228;
++category c229;
++category c230;
++category c231;
++category c232;
++category c233;
++category c234;
++category c235;
++category c236;
++category c237;
++category c238;
++category c239;
++category c240;
++category c241;
++category c242;
++category c243;
++category c244;
++category c245;
++category c246;
++category c247;
++category c248;
++category c249;
++category c250;
++category c251;
++category c252;
++category c253;
++category c254;
++category c255;
+
+
+ #
+ # Each MLS level specifies a sensitivity and zero or more categories which may
+ # be associated with that sensitivity.
+ #
+-level s0:c0.c127;
+-level s1:c0.c127;
+-level s2:c0.c127;
+-level s3:c0.c127;
+-level s4:c0.c127;
+-level s5:c0.c127;
+-level s6:c0.c127;
+-level s7:c0.c127;
+-level s8:c0.c127;
+-level s9:c0.c127;
++level s0:c0.c255;
++level s1:c0.c255;
++level s2:c0.c255;
++level s3:c0.c255;
++level s4:c0.c255;
++level s5:c0.c255;
++level s6:c0.c255;
++level s7:c0.c255;
++level s8:c0.c255;
++level s9:c0.c255;
++level s10:c0.c255;
++level s11:c0.c255;
++level s12:c0.c255;
++level s13:c0.c255;
++level s14:c0.c255;
++level s15:c0.c255;
+
+
+ #
diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.27.1/net_contexts
--- nsapolicy/net_contexts 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/net_contexts 2005-09-27 17:14:40.000000000 -0400
@@ -2631,36 +2997,36 @@
+system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.27.1/targeted/assert.te
--- nsapolicy/targeted/assert.te 2005-09-16 11:17:12.000000000 -0400
-+++ policy-1.27.1/targeted/assert.te 2005-10-04 12:22:32.000000000 -0400
++++ policy-1.27.1/targeted/assert.te 2005-10-07 16:23:29.000000000 -0400
@@ -22,7 +22,7 @@
# Confined domains must never touch an unconfined domain except to
# send SIGCHLD for child termination notifications.
-neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
-+neverallow { domain -unrestricted -unconfinedtrans } unconfined_t:process ~sigchld;
++neverallow { domain -unrestricted -unconfinedtrans -snmpd_t } unconfined_t:process ~sigchld;
# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.1/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/ssh.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/targeted/domains/program/ssh.te 2005-10-05 10:05:20.000000000 -0400
@@ -17,3 +17,6 @@
type sshd_key_t, file_type, sysadmfile;
type sshd_var_run_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+ifdef(`use_mcs', `
-+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
++range_transition initrc_t sshd_exec_t s0 - s0:c0.c255;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.27.1/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.1/targeted/domains/program/xdm.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/targeted/domains/program/xdm.te 2005-10-05 10:05:33.000000000 -0400
@@ -20,3 +20,7 @@
type xdm_tmp_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+ifdef(`use_mcs', `
-+range_transition init_t xdm_exec_t s0 - s0:c0.c127;
-+range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
++range_transition init_t xdm_exec_t s0 - s0:c0.c255;
++range_transition initrc_t xdm_exec_t s0 - s0:c0.c255;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.27.1/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-09-12 16:40:26.000000000 -0400
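Review bot: In the targeted/assert.te part of this hunk, adding `-snmpd_t` to the `unconfined_t:process ~sigchld` neverallow exempts snmpd_t from the assertion for every process permission. The only access this commit actually grants is `allow snmpd_t domain:process signull;` in the snmpd.te hunk. A later rule that gave snmpd_t a stronger process permission on unconfined_t would therefore compile without tripping the guard. Keeping the exclusion but adding a dedicated assertion right after it, `neverallow snmpd_t unconfined_t:process ~{ sigchld signull };`, would hold the exemption to what is needed. A one-line comment saying why snmpd needs signull would also help the next reader of the assertion.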
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.384
retrieving revision 1.385
diff -u -r1.384 -r1.385
--- selinux-policy-targeted.spec 4 Oct 2005 16:31:20 -0000 1.384
+++ selinux-policy-targeted.spec 7 Oct 2005 20:26:02 -0000 1.385
@@ -4,14 +4,13 @@
%define PRE_FILE_CONTEXT %{FILE_CONTEXT}.pre
%define POLICYVER 20
%define PREVPOLICYVER 19
-%define POLICYCOREUTILSVER 1.25.9-1
-%define CHECKPOLICYVER 1.25.11-2
-%define LIBSELINUXVER 1.26-2
+%define POLICYCOREUTILSVER 1.27.5-1
+%define CHECKPOLICYVER 1.27.7-2
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.1
-Release: 13
+Release: 14
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -21,11 +20,12 @@
Patch1: policy-%{type}.patch
Patch2: policy-mcs.patch
Patch3: policy-mcsroot.patch
+Source4: seusers
BuildArch: noarch
BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
BuildRequires: python
-PreReq: policycoreutils >= %{POLICYCOREUTILSVER} libselinux >= %{LIBSELINUXVER}
+PreReq: policycoreutils >= %{POLICYCOREUTILSVER}
Obsoletes: policy
%description
@@ -91,6 +91,7 @@
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/src/policy/policy.conf
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/config
touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/booleans.local
+install -m0600 %{SOURCE4} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/seusers
%clean
rm -rf ${RPM_BUILD_ROOT}
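Review bot: `install -m0600` makes the new seusers file readable by root only, and the `%config(noreplace)` entry added for it in `%files` carries no `%attr`, so that mode is what gets packaged. The file added in this commit holds only login-to-SELinux-user mappings, so the restriction does not appear to protect a secret. If any consumer resolves the mapping without root privileges (for instance through libselinux's `getseuserbyname()`), the lookup would fail; that is worth confirming. Either record the reason for the mode in a comment next to the install line, or use `install -m0644 %{SOURCE4} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/seusers` if unprivileged reads are expected.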
@@ -106,6 +107,7 @@
%dir %{_sysconfdir}/selinux/%{type}/contexts/files
%dir %{_sysconfdir}/selinux/%{type}/contexts/users
%config %{_sysconfdir}/selinux/%{type}/booleans
+%config(noreplace) %{_sysconfdir}/selinux/%{type}/seusers
%ghost %config(noreplace) %{_sysconfdir}/selinux/%{type}/booleans.local
%{_sysconfdir}/selinux/%{type}/policy/policy.%{POLICYVER}
%{_sysconfdir}/selinux/%{type}/policy/policy.%{PREVPOLICYVER}
@@ -246,6 +248,10 @@
exit 0
%changelog
+* Fri Oct 7 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-14
+- Increase sensitivities to 16
+- Increase Capabilities to 256
+
* Tue Oct 4 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-13
- Fixes for pegasus, add newrole policy for targeted
- Fixes for postgres