rpms/selinux-policy-strict/devel policy-mcs.patch, NONE, 1.1 policy-mcsroot.patch, NONE, 1.1
fedora-cvs-commits at redhat.com
Wed Sep 14 16:52:21 UTC 2005
- Previous message (by thread): rpms/selinux-policy-targeted/devel policy-20050912.parch, NONE, 1.1 .cvsignore, 1.116, 1.117 policy-20050811.patch, 1.9, 1.10 selinux-policy-targeted.spec, 1.369, 1.370 sources, 1.122, 1.123 policy-20050606.patch, 1.20, NONE policy-20050629.patch, 1.5, NONE policy-20050706.patch, 1.9, NONE policy-20050712.patch, 1.4, NONE policy-20050719.patch, 1.11, NONE
- Next message (by thread): rpms/selinux-policy-targeted/devel policy-20050912.patch, NONE, 1.1 policy-mcs.patch, NONE, 1.1 policy-mcs.patch.orig, NONE, 1.1 policy-mcsroot.patch, NONE, 1.1
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12481
Added Files:
policy-mcs.patch policy-mcsroot.patch
Log Message:
* Tue Sep 13 2005 Dan Walsh <dwalsh at redhat.com> 1.26-1
- Update to latest from NSA
- Update to MCS policy
policy-mcs.patch:
constraints | 26 ++++++++++++++++++++++++++
1 files changed, 26 insertions(+)
--- NEW FILE policy-mcs.patch ---
--- policy-1.25.3/constraints~ 2005-08-05 15:24:32.000000000 -0400
+++ policy-1.25.3/constraints 2005-08-05 15:35:54.000000000 -0400
@@ -52,3 +52,29 @@
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
+rename search add_name remove_name reparent write rmdir relabelfrom
+relabelto }')
+
+mlsconstrain { file lnk_file fifo_file chr_file blk_file }
+mlsconstrain file nogetattr_file_perms (h1 dom h2);
+mlsconstrain dir nogetattr_dir_perms (h1 dom h2);
+mlsconstrain process { transition dyntransition sigkill sigstop signal
+ptrace } (h1 dom h2);
+
+# Send sigchld to parent (with higher access) and allow parent to send all
+# signals to child. Do not allow domains with incomparable contexts to
+# send sigchld to each other.
+# NB we have no limits on signull as ESRCH vs EACCESS will tell them all they
+# want to know anyway.
+mlsconstrain process sigchld (not h1 incomp h2);
+
+mlsconstrain security { load_policy setenforce setbool setcheckreqprot } (h1
+dom h2);
+
+mlsconstrain system { syslog_read syslog_mod syslog_console } (h1 dom h2);
+
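Review bot: the first added `mlsconstrain` statement, `mlsconstrain { file lnk_file fifo_file chr_file blk_file }`, is incomplete: it names a class set but carries no permission set, no constraint expression and no terminating `;`, so it runs straight into the `mlsconstrain file nogetattr_file_perms (h1 dom h2);` on the next line, and since `mlsconstrain` is a keyword rather than an identifier checkpolicy will reject the constraints file at that point. The apparent intent is one statement over all five file classes, `mlsconstrain { file lnk_file fifo_file chr_file blk_file } nogetattr_file_perms (h1 dom h2);`, which also makes the `file`-only line redundant; if that is not the intent, the dangling line should simply be dropped. Either way the patch as posted will not build.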
policy-mcsroot.patch:
root_default_contexts | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE policy-mcsroot.patch ---
--- policy-1.25.4/appconfig/root_default_contexts.mcsroot 2005-08-24 15:28:42.000000000 -0400
+++ policy-1.25.4/appconfig/root_default_contexts 2005-08-24 15:29:03.000000000 -0400
@@ -1,6 +1,6 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
-system_r:initrc_t:s0 system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:initrc_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:local_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:remote_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:rshd_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:crond_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
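Review bot: on all six rewritten lines the level range is written with whitespace around the hyphen (`system_r:unconfined_t:s0 - s0:c0.c127`). Entries in this file are whitespace-separated contexts and a context string cannot contain spaces, so `-` and `s0:c0.c127` are likely to be read as two extra, invalid candidate contexts rather than as the range of the context before them; the first candidate, `system_r:unconfined_t:s0`, still matches, which leaves root logging in at `s0` with no categories, the opposite of what this patch is meant to grant. Unless the spaces are an artifact of the archive, write the range attached to the context, e.g. `system_r:unconfined_t:s0 system_r:unconfined_t:s0-s0:c0.c127`, on each of the six lines.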