rpms/selinux-policy-strict/devel .cvsignore, 1.122, 1.123 policy-20050916.patch, 1.27, 1.28 selinux-policy-strict.spec, 1.399, 1.400 sources, 1.128, 1.129
fedora-cvs-commits at redhat.com
Fri Oct 21 18:21:00 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv2974
Modified Files:
.cvsignore policy-20050916.patch selinux-policy-strict.spec
sources
Log Message:
* Fri Oct 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-1
- Update to latest from NSA
* Merged patch from Chad Hanson. Modified MLS constraints.
Provided comments for the MLS attributes.
* Merged two patches from Thomas Bleher which made some minor
fixes and cleanups.
* Merged patches from Russell Coker. Added comments to some of the
MLS attributes. Added the secure_mode_insmod boolean to determine
whether the system permits loading policy, setting enforcing mode,
and changing boolean values. Made minor fixes for the cdrecord_domain
macro, application_domain, newrole_domain, and daemon_base_domain
macros. Added rules to allow the mail server to access the user
home directories in the targeted policy and allows the postfix
showq program to do DNS lookups. Minor fixes for the MCS
policy. Made other minor fixes and cleanups.
* Merged patch from Dan Walsh. Added opencd, pegasus, readahead,
and roundup policies. Created can_access_pty macro to handle pty
output. Created nsswithch_domain macro for domains using
nsswitch. Added mcs transition rules. Removed mqueue and added
capifs genfscon entries. Added dhcpd and pegasus ports. Added
domain transitions from login domains to pam_console and alsa
domains. Added rules to allow the httpd and squid domains to
relay more protocols. For the targeted policy, removed sysadm_r
role from unconfined_t. Made other fixes and cleanups.
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/.cvsignore,v
retrieving revision 1.122
retrieving revision 1.123
diff -u -r1.122 -r1.123
--- .cvsignore 16 Sep 2005 15:57:44 -0000 1.122
+++ .cvsignore 21 Oct 2005 18:20:54 -0000 1.123
@@ -88,3 +88,4 @@
policy-1.25.4.tgz
policy-1.26.tgz
policy-1.27.1.tgz
+policy-1.27.2.tgz
policy-20050916.patch:
Makefile | 26 +-
attrib.te | 96 ++++++++++-
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/crond.te | 2
domains/program/fsadm.te | 9 -
domains/program/hostname.te | 2
domains/program/ifconfig.te | 5
domains/program/init.te | 2
domains/program/initrc.te | 26 ++
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 7
domains/program/login.te | 21 +-
domains/program/logrotate.te | 2
domains/program/modutil.te | 14 -
domains/program/mount.te | 6
domains/program/netutils.te | 3
domains/program/newrole.te | 4
domains/program/passwd.te | 1
domains/program/restorecon.te | 3
domains/program/setfiles.te | 4
domains/program/ssh.te | 6
domains/program/su.te | 9 +
domains/program/syslogd.te | 6
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 8
domains/program/unused/alsa.te | 2
domains/program/unused/amanda.te | 74 ++------
domains/program/unused/anaconda.te | 5
domains/program/unused/apache.te | 22 +-
domains/program/unused/apmd.te | 19 ++
domains/program/unused/auditd.te | 8
domains/program/unused/automount.te | 4
domains/program/unused/bluetooth.te | 72 ++++++++
domains/program/unused/cups.te | 20 +-
domains/program/unused/cvs.te | 3
domains/program/unused/cyrus.te | 2
domains/program/unused/dbusd.te | 4
domains/program/unused/dcc.te | 5
domains/program/unused/dhcpc.te | 7
domains/program/unused/dhcpd.te | 3
domains/program/unused/dovecot.te | 4
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 5
domains/program/unused/hwclock.te | 2
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 5
domains/program/unused/mta.te | 8
domains/program/unused/mysqld.te | 12 -
domains/program/unused/named.te | 29 ++-
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 10 -
domains/program/unused/openct.te | 16 +
domains/program/unused/pamconsole.te | 4
domains/program/unused/pegasus.te | 37 ++++
domains/program/unused/ping.te | 3
domains/program/unused/postfix.te | 60 ++++--
domains/program/unused/pppd.te | 8
domains/program/unused/procmail.te | 11 +
domains/program/unused/readahead.te | 21 ++
domains/program/unused/rlogind.te | 4
domains/program/unused/roundup.te | 29 +++
domains/program/unused/rpcd.te | 18 +-
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 12 +
domains/program/unused/sendmail.te | 3
domains/program/unused/snmpd.te | 6
domains/program/unused/squid.te | 3
domains/program/unused/udev.te | 10 -
domains/program/unused/utempter.te | 2
domains/program/unused/webalizer.te | 3
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 3
domains/program/unused/yppasswdd.te | 40 ++++
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 5
file_contexts/distros.fc | 2
file_contexts/program/apache.fc | 2
file_contexts/program/bluetooth.fc | 3
file_contexts/program/dhcpc.fc | 2
file_contexts/program/dhcpd.fc | 5
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 11 -
file_contexts/program/ipsec.fc | 1
file_contexts/program/kudzu.fc | 2
file_contexts/program/openct.fc | 2
file_contexts/program/pegasus.fc | 11 +
file_contexts/program/pppd.fc | 2
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/rpm.fc | 4
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/squid.fc | 3
file_contexts/program/xdm.fc | 2
file_contexts/program/yppasswdd.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 4
genfs_contexts | 3
macros/base_user_macros.te | 6
macros/core_macros.te | 3
macros/global_macros.te | 18 +-
macros/network_macros.te | 17 +
macros/program/apache_macros.te | 13 +
macros/program/bonobo_macros.te | 2
macros/program/cdrecord_macros.te | 2
macros/program/crontab_macros.te | 2
macros/program/dbusd_macros.te | 4
macros/program/gconf_macros.te | 2
macros/program/gift_macros.te | 2
macros/program/gpg_macros.te | 2
macros/program/i18n_input_macros.te | 21 ++
macros/program/lpr_macros.te | 2
macros/program/mta_macros.te | 4
macros/program/newrole_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/su_macros.te | 4
macros/program/uml_macros.te | 2
macros/program/xdm_macros.te | 2
macros/user_macros.te | 6
man/man8/ftpd_selinux.8 | 19 +-
man/man8/httpd_selinux.8 | 9 +
man/man8/rsync_selinux.8 | 12 +
man/man8/samba_selinux.8 | 9 +
mcs | 210 +++++++++---------------
mls | 270 +++++++++++--------------------
net_contexts | 8
targeted/appconfig/root_default_contexts | 4
targeted/assert.te | 2
targeted/domains/program/sendmail.te | 1
targeted/domains/program/ssh.te | 3
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 16 +
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/device.te | 4
types/devpts.te | 4
types/file.te | 45 +----
types/network.te | 13 -
types/nfs.te | 1
types/security.te | 6
144 files changed, 1134 insertions(+), 622 deletions(-)
Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050916.patch,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- policy-20050916.patch 20 Oct 2005 19:14:13 -0000 1.27
+++ policy-20050916.patch 21 Oct 2005 18:20:55 -0000 1.28
@@ -149,6 +149,18 @@
# For clients of nscd.
attribute nscd_client_domain;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/admin.te policy-1.27.1/domains/admin.te
+--- nsapolicy/domains/admin.te 2005-09-12 16:40:28.000000000 -0400
++++ policy-1.27.1/domains/admin.te 2005-10-21 11:29:09.000000000 -0400
+@@ -4,7 +4,7 @@
+
+ # sysadm_t is the system administrator domain.
+ type sysadm_t, domain, privlog, privowner, admin, userdomain, web_client_domain, privhome, etc_writer, privmodule, nscd_client_domain
+-ifdef(`direct_sysadm_daemon', `, priv_system_role')
++ifdef(`direct_sysadm_daemon', `, priv_system_role, privrangetrans')
+ ; dnl end of sysadm_t type declaration
+
+ allow privhome home_root_t:dir { getattr search };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.27.1/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/misc/kernel.te 2005-10-13 09:32:32.000000000 -0400
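Review bot: in the admin.te hunk, privrangetrans is appended to sysadm_t only inside the ifdef(`direct_sysadm_daemon') branch and nothing says why; add a comment noting that it pairs with the `range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;` rule in initrc.te, which sits under the same ifdef, so a later edit does not drop one without the other.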
@@ -175,7 +187,16 @@
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.27.1/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/fsadm.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/fsadm.te 2005-10-21 11:29:24.000000000 -0400
+@@ -12,7 +12,7 @@
+ # administration.
+ # fsadm_exec_t is the type of the corresponding programs.
+ #
+-type fsadm_t, domain, privlog, fs_domain, mlsfileread;
++type fsadm_t, domain, privlog, fs_domain, mlsfileread, mlsfilewrite;
+ role system_r types fsadm_t;
+ role sysadm_r types fsadm_t;
+
@@ -102,10 +102,10 @@
allow fsadm_t kernel_t:system syslog_console;
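Review bot: the fsadm.te hunk widens fsadm_t from mlsfileread to mlsfileread plus mlsfilewrite without saying which filesystem operation needs cross-level writes; since mlsfilewrite exempts the domain from the MLS file write constraints, state the reason in a comment the way the auditd hunk does with `# run at the highest MLS level`.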
@@ -230,7 +251,16 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/initrc.te 2005-10-17 15:59:18.000000000 -0400
++++ policy-1.27.1/domains/program/initrc.te 2005-10-21 11:29:24.000000000 -0400
+@@ -12,7 +12,7 @@
+ # initrc_exec_t is the type of the init program.
+ #
+ # do not use privmail for sendmail as it creates a type transition conflict
+-type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite;
++type initrc_t, fs_domain, ifdef(`unlimitedRC', `admin, etc_writer, privmem, auth_write, ') domain, privlog, privowner, privmodule, ifdef(`sendmail.te', `', `privmail,') ifdef(`distro_debian', `etc_writer, ') sysctl_kernel_writer, nscd_client_domain, mlsfileread, mlsfilewrite, mlsprocread, mlsprocwrite, privrangetrans;
+
+ role system_r types initrc_t;
+ uses_shlib(initrc_t);
@@ -56,6 +56,10 @@
can_create_pty(initrc)
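Review bot: privrangetrans is added unconditionally to the initrc_t type declaration here, while the matching `typeattribute initrc_t mlsrangetrans;` in the following hunk is wrapped in ifdef(`mls_policy'); either guard both the same way or add a comment that the attribute is harmless in non-MLS builds, so the two pieces do not drift apart.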
@@ -259,7 +289,18 @@
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
-@@ -322,3 +334,9 @@
+@@ -271,6 +283,10 @@
+ ifdef(`direct_sysadm_daemon', `
+ role_transition sysadm_r initrc_exec_t system_r;
+ domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
++ifdef(`mls_policy', `
++typeattribute initrc_t mlsrangetrans;
++range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;
++')
+ ')
+
+ #
+@@ -322,3 +338,9 @@
ifdef(`dbusd.te', `
allow initrc_t system_dbusd_var_run_t:sock_file write;
')
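Review bot: the new `range_transition sysadm_t initrc_exec_t s0 - s15:c0.c255;` starts init scripts at the full system range, and any daemon that initrc_t launches without a range_transition of its own keeps that range; a comment pointing at the per-daemon rules (such as the auditd one further down) would make that intent explicit. The renumbered inner header `@@ -322,3 +338,9 @@` is consistent with the four lines inserted above it.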
@@ -269,6 +310,18 @@
+ifdef(`use_mcs', `
+range_transition sysadm_t initrc_exec_t s0;
+')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/init.te policy-1.27.1/domains/program/init.te
+--- nsapolicy/domains/program/init.te 2005-09-12 16:40:29.000000000 -0400
++++ policy-1.27.1/domains/program/init.te 2005-10-21 11:29:24.000000000 -0400
+@@ -14,7 +14,7 @@
+ # by init during initialization. This pipe is used
+ # to communicate with init.
+ #
+-type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite;
++type init_t, domain, privlog, sysctl_kernel_writer, nscd_client_domain, mlsrangetrans, mlsfileread, mlsfilewrite, mlsprocwrite;
+ role system_r types init_t;
+ uses_shlib(init_t);
+ type init_exec_t, file_type, sysadmfile, exec_type;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.27.1/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.27.1/domains/program/ldconfig.te 2005-09-27 17:14:40.000000000 -0400
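Review bot: init_t gains mlsprocwrite in the init.te hunk with no explanation; since this exempts init from the MLS process write constraints, a comment naming the process-class operation that needs it would help future audits.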
@@ -353,6 +406,18 @@
+range_transition getty_t login_exec_t s0 - s0:c0.c255;
+')
+')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/logrotate.te policy-1.27.1/domains/program/logrotate.te
+--- nsapolicy/domains/program/logrotate.te 2005-09-12 16:40:29.000000000 -0400
++++ policy-1.27.1/domains/program/logrotate.te 2005-10-21 11:29:24.000000000 -0400
+@@ -13,7 +13,7 @@
+ # logrotate_t is the domain for the logrotate program.
+ # logrotate_exec_t is the type of the corresponding program.
+ #
+-type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain;
++type logrotate_t, domain, privowner, privmail, priv_system_role, nscd_client_domain, mlsfileread, mlsfilewrite, mlsfileupgrade;
+ role system_r types logrotate_t;
+ role sysadm_r types logrotate_t;
+ uses_shlib(logrotate_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.27.1/domains/program/modutil.te
--- nsapolicy/domains/program/modutil.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/modutil.te 2005-09-27 17:14:40.000000000 -0400
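Review bot: logrotate_t is given mlsfileupgrade on top of mlsfileread and mlsfilewrite, which lets it raise the level of the files it rotates; if the upgrade is needed only for a specific case, say so in a comment, because rpm_t further down receives the same trio and the reason there may differ.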
@@ -570,6 +635,18 @@
# Use capabilities.
allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/tmpreaper.te policy-1.27.1/domains/program/tmpreaper.te
+--- nsapolicy/domains/program/tmpreaper.te 2005-09-12 16:40:28.000000000 -0400
++++ policy-1.27.1/domains/program/tmpreaper.te 2005-10-21 11:29:48.000000000 -0400
+@@ -8,7 +8,7 @@
+ #
+ # Rules for the tmpreaper_t domain.
+ #
+-type tmpreaper_t, domain, privlog;
++type tmpreaper_t, domain, privlog, mlsfileread, mlsfilewrite;
+ type tmpreaper_exec_t, file_type, sysadmfile, exec_type;
+
+ role system_r types tmpreaper_t;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/alsa.te 2005-09-27 17:14:40.000000000 -0400
@@ -858,8 +935,21 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.27.1/domains/program/unused/auditd.te
--- nsapolicy/domains/program/unused/auditd.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/auditd.te 2005-09-27 17:14:40.000000000 -0400
-@@ -65,3 +65,5 @@
++++ policy-1.27.1/domains/program/unused/auditd.te 2005-10-21 11:29:24.000000000 -0400
+@@ -12,6 +12,12 @@
+
+ daemon_domain(auditd)
+
++ifdef(`mls_policy', `
++# run at the highest MLS level
++typeattribute auditd_t mlsrangetrans;
++range_transition initrc_t auditd_exec_t s15:c0.c255;
++')
++
+ allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
+ allow auditd_t self:unix_dgram_socket create_socket_perms;
+ allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
+@@ -65,3 +71,5 @@
allow auditctl_t privfd:fd use;
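Review bot: `range_transition initrc_t auditd_exec_t s15:c0.c255;` keys the high-level transition on initrc_t, so under direct_sysadm_daemon an administrator starting auditd directly from sysadm_t would not get it; either add the matching sysadm_t rule or note why that path is acceptable. Also confirm that the log files auditd then creates at s15:c0.c255 remain readable at the intended administrator level.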
@@ -1518,7 +1608,16 @@
+allow openct_t etc_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.27.1/domains/program/unused/pamconsole.te
--- nsapolicy/domains/program/unused/pamconsole.te 2005-09-12 16:40:28.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pamconsole.te 2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pamconsole.te 2005-10-21 11:29:39.000000000 -0400
+@@ -3,7 +3,7 @@
+ #
+ # pam_console_apply
+
+-daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread')
++daemon_base_domain(pam_console, `, nscd_client_domain, mlsfileread, mlsfilewrite')
+
+ type pam_var_console_t, file_type, sysadmfile;
+
@@ -25,6 +25,7 @@
# for /var/run/console.lock checking
allow pam_console_t { var_t var_run_t }:dir search;
@@ -1958,6 +2057,27 @@
+allow gssd_t user_tmpfile:file write;
+')
+}
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rpm.te policy-1.27.1/domains/program/unused/rpm.te
+--- nsapolicy/domains/program/unused/rpm.te 2005-09-16 11:17:09.000000000 -0400
++++ policy-1.27.1/domains/program/unused/rpm.te 2005-10-21 11:29:48.000000000 -0400
+@@ -10,7 +10,7 @@
+ # rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
+ # rpm_var_lib_t is the type for rpm files in /var/lib
+ #
+-type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
++type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd, mlsfileread, mlsfilewrite, mlsfileupgrade;
+ role system_r types rpm_t;
+ uses_shlib(rpm_t)
+ type rpm_exec_t, file_type, sysadmfile, exec_type;
+@@ -114,7 +114,7 @@
+
+ allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
+
+-type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
++type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role, mlsfileread, mlsfilewrite;
+ # policy for rpm scriptlet
+ role system_r types rpm_script_t;
+ uses_shlib(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rsync.te policy-1.27.1/domains/program/unused/rsync.te
--- nsapolicy/domains/program/unused/rsync.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/rsync.te 2005-10-11 12:50:03.000000000 -0400
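Review bot: rpm_t receives mlsfileread, mlsfilewrite and mlsfileupgrade but rpm_script_t only the first two; if scriptlets are not expected to create or relabel files at other levels, record that in the `# policy for rpm scriptlet` comment, otherwise a reader will take the asymmetry for an oversight.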
@@ -2472,7 +2592,7 @@
/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.1/file_contexts/types.fc
--- nsapolicy/file_contexts/types.fc 2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.1/file_contexts/types.fc 2005-10-15 14:02:25.000000000 -0400
++++ policy-1.27.1/file_contexts/types.fc 2005-10-21 11:29:48.000000000 -0400
@@ -133,6 +133,7 @@
/dev/dcbri[0-9]+ -c system_u:object_r:tty_device_t
/dev/irlpt[0-9]+ -c system_u:object_r:printer_device_t
@@ -3795,6 +3915,17 @@
# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/sendmail.te policy-1.27.1/targeted/domains/program/sendmail.te
+--- nsapolicy/targeted/domains/program/sendmail.te 2005-09-12 16:40:26.000000000 -0400
++++ policy-1.27.1/targeted/domains/program/sendmail.te 2005-10-20 15:53:47.000000000 -0400
+@@ -12,7 +12,6 @@
+ #
+ type sendmail_exec_t, file_type, sysadmfile, exec_type;
+ type sendmail_log_t, file_type, sysadmfile;
+-type etc_mail_t, file_type, sysadmfile;
+ domain_auto_trans(initrc_t, sendmail_exec_t, sendmail_t)
+ var_run_domain(sendmail)
+
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.27.1/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/targeted/domains/program/ssh.te 2005-10-05 10:05:20.000000000 -0400
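Review bot: the targeted sendmail.te hunk drops the `type etc_mail_t, file_type, sysadmfile;` declaration, which is only correct if etc_mail_t is declared elsewhere in the targeted build; file contexts and rules that reference it will otherwise fail to compile, so a one-line comment naming where the type now comes from would make the dependency visible.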
@@ -3918,7 +4049,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.1/types/file.te
--- nsapolicy/types/file.te 2005-09-16 11:17:12.000000000 -0400
-+++ policy-1.27.1/types/file.te 2005-10-20 14:50:58.000000000 -0400
++++ policy-1.27.1/types/file.te 2005-10-20 15:56:01.000000000 -0400
@@ -84,6 +84,9 @@
#
type etc_t, file_type, sysadmfile;
@@ -3929,50 +4060,85 @@
#
# shadow_t is the type of the /etc/shadow file
#
-@@ -307,8 +310,7 @@
- type hugetlbfs_t, mount_point, fs_type, sysadmfile;
- allow hugetlbfs_t self:filesystem associate;
+@@ -273,9 +276,6 @@
+ #
+ allow { file_type device_type ttyfile } fs_t:filesystem associate;
+-# Allow the pty to be associated with the file system.
+-allow devpts_t self:filesystem associate;
+-
+ type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
+ allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
+ allow { logfile tmpfile home_type } tmp_t:filesystem associate;
+@@ -284,31 +284,14 @@
+ ')
+
+ type autofs_t, fs_type, noexattrfile, sysadmfile;
+-allow autofs_t self:filesystem associate;
+-
+ type usbdevfs_t, fs_type, mount_point, noexattrfile, sysadmfile;
+-allow usbdevfs_t self:filesystem associate;
+-
+ type sysfs_t, mount_point, fs_type, sysadmfile;
+-allow sysfs_t self:filesystem associate;
+-
+ type iso9660_t, fs_type, noexattrfile, sysadmfile;
+-allow iso9660_t self:filesystem associate;
+-
+ type romfs_t, fs_type, sysadmfile;
+-allow romfs_t self:filesystem associate;
+-
+ type ramfs_t, fs_type, sysadmfile;
+-allow ramfs_t self:filesystem associate;
+-
+ type dosfs_t, fs_type, noexattrfile, sysadmfile;
+-allow dosfs_t self:filesystem associate;
+-
+ type hugetlbfs_t, mount_point, fs_type, sysadmfile;
+-allow hugetlbfs_t self:filesystem associate;
+-
-type mqueue_t, mount_point, fs_type, sysadmfile;
-allow mqueue_t self:filesystem associate;
+typealias file_t alias mqueue_t;
# udev_runtime_t is the type of the udev table file
type udev_runtime_t, file_type, sysadmfile;
-@@ -322,9 +324,15 @@
- type debugfs_t, fs_type, sysadmfile;
- allow debugfs_t self:filesystem associate;
+@@ -317,26 +300,26 @@
+ type krb5_conf_t, file_type, sysadmfile;
+ type cifs_t, fs_type, noexattrfile, sysadmfile;
+-allow cifs_t self:filesystem associate;
+-
+ type debugfs_t, fs_type, sysadmfile;
+-allow debugfs_t self:filesystem associate;
+-
+type configfs_t, fs_type, sysadmfile;
-+allow configfs_t self:filesystem associate;
-+
type inotifyfs_t, fs_type, sysadmfile;
- allow inotifyfs_t self:filesystem associate;
-
+-allow inotifyfs_t self:filesystem associate;
+type capifs_t, fs_type, sysadmfile;
-+allow capifs_t self:filesystem associate;
-+
+
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
- allow removable_t self:filesystem associate;
-@@ -332,11 +340,16 @@
+-allow removable_t self:filesystem associate;
+ allow file_type removable_t:filesystem associate;
allow file_type noexattrfile:filesystem associate;
# Type for anonymous FTP data, used by ftp and rsync
-type ftpd_anon_t, file_type, sysadmfile, customizable;
-type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
+-
+-allow customizable self:filesystem associate;
+type public_content_t, file_type, sysadmfile, customizable;
+type public_content_rw_t, file_type, sysadmfile, customizable;
+typealias public_content_t alias ftpd_anon_t;
+typealias public_content_rw_t alias ftpd_anon_rw_t;
- allow customizable self:filesystem associate;
-
# type for /tmp/.ICE-unix
type ice_tmp_t, file_type, sysadmfile, tmpfile;
+# type for /usr/share/hwdata
+type hwdata_t, file_type, sysadmfile;
++allow { fs_type file_type } self:filesystem associate;
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.1/types/network.te
--- nsapolicy/types/network.te 2005-09-16 11:17:12.000000000 -0400
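Review bot: replacing the per-type `allow X self:filesystem associate;` rules with the single `allow { fs_type file_type } self:filesystem associate;` at the end of file.te is a sound consolidation, and it also covers configfs_t and capifs_t, whose explicit rules this revision of the patch drops. Two points remain: `typealias file_t alias mqueue_t;` keeps old references compiling but means anything previously labelled mqueue_t now carries file_t, the unlabelled-file type, which deserves a comment; and because the blanket rule reaches every future fs_type, new filesystem types should no longer add their own associate rule, which is worth stating next to it.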
@@ -4028,6 +4194,15 @@
type inetd_child_port_t, port_type, reserved_port_type;
type ktalkd_port_t, port_type, reserved_port_type;
type rsync_port_t, port_type, reserved_port_type;
+diff --exclude-from=exclude -N -u -r nsapolicy/types/nfs.te policy-1.27.1/types/nfs.te
+--- nsapolicy/types/nfs.te 2005-09-12 16:40:26.000000000 -0400
++++ policy-1.27.1/types/nfs.te 2005-10-20 15:38:54.000000000 -0400
+@@ -18,5 +18,4 @@
+ #
+ # Allow NFS files to be associated with an NFS file system.
+ #
+-allow nfs_t self:filesystem associate;
+ allow file_type nfs_t:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.1/types/security.te
--- nsapolicy/types/security.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/types/security.te 2005-10-20 12:44:37.000000000 -0400
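Review bot: dropping `allow nfs_t self:filesystem associate;` in nfs.te is safe only if nfs_t carries fs_type, so that the new `allow { fs_type file_type } self:filesystem associate;` in types/file.te covers it; the hunk does not show the nfs_t declaration, so a comment referencing the file.te rule would make the dependency explicit.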
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.399
retrieving revision 1.400
diff -u -r1.399 -r1.400
--- selinux-policy-strict.spec 20 Oct 2005 19:14:13 -0000 1.399
+++ selinux-policy-strict.spec 21 Oct 2005 18:20:55 -0000 1.400
@@ -9,8 +9,8 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
-Version: 1.27.1
-Release: 22
+Version: 1.27.2
+Release: 1
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -19,7 +19,7 @@
Source3: selinux.csh
Source4: seusers
BuildRoot: %{_tmppath}/%{name}-buildroot
-Patch: policy-20050916.patch
+Patch: policy-20051021.patch
BuildArch: noarch
BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
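Review bot: the Patch: line now names policy-20051021.patch, but this commit only modifies policy-20050916.patch (see Modified Files above) and adds no new patch file, so the build will fail with a missing source until policy-20051021.patch is checked in or the line is reverted to policy-20050916.patch.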
@@ -244,6 +244,31 @@
exit 0
%changelog
+* Fri Oct 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.2-1
+- Update to latest from NSA
+ * Merged patch from Chad Hanson. Modified MLS constraints.
+ Provided comments for the MLS attributes.
+ * Merged two patches from Thomas Bleher which made some minor
+ fixes and cleanups.
+ * Merged patches from Russell Coker. Added comments to some of the
+ MLS attributes. Added the secure_mode_insmod boolean to determine
+ whether the system permits loading policy, setting enforcing mode,
+ and changing boolean values. Made minor fixes for the cdrecord_domain
+ macro, application_domain, newrole_domain, and daemon_base_domain
+ macros. Added rules to allow the mail server to access the user
+ home directories in the targeted policy and allows the postfix
+ showq program to do DNS lookups. Minor fixes for the MCS
+ policy. Made other minor fixes and cleanups.
+ * Merged patch from Dan Walsh. Added opencd, pegasus, readahead,
+ and roundup policies. Created can_access_pty macro to handle pty
+ output. Created nsswithch_domain macro for domains using
+ nsswitch. Added mcs transition rules. Removed mqueue and added
+ capifs genfscon entries. Added dhcpd and pegasus ports. Added
+ domain transitions from login domains to pam_console and alsa
+ domains. Added rules to allow the httpd and squid domains to
+ relay more protocols. For the targeted policy, removed sysadm_r
+ role from unconfined_t. Made other fixes and cleanups.
+
* Thu Oct 20 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-22
- Fix to make postfix read spamassasin files
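Review bot: two spellings in the new changelog entry look wrong against the patch itself: `opencd` is most likely `openct` (the diffstat lists domains/program/unused/openct.te and file_contexts/program/openct.fc), and `nsswithch_domain` is most likely `nsswitch_domain`; the same text appears in the commit log above, so correct both copies.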
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/sources,v
retrieving revision 1.128
retrieving revision 1.129
diff -u -r1.128 -r1.129
--- sources 16 Sep 2005 15:57:44 -0000 1.128
+++ sources 21 Oct 2005 18:20:55 -0000 1.129
@@ -1 +1 @@
-ea5c830df3d0627a1b67ce1bec40ada2 policy-1.27.1.tgz
+7a3f5b1224a4d1475fb146b2fb6950bc policy-1.27.2.tgz