rpms/selinux-policy-strict/devel policy-mcs.patch, NONE, 1.1 policy-mcsroot.patch, NONE, 1.1

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Sep 14 16:52:21 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12481

Added Files:
	policy-mcs.patch policy-mcsroot.patch 
Log Message:
* Tue Sep 13 2005 Dan Walsh <dwalsh at redhat.com> 1.26-1
- Update to latest from NSA
- Update to MCS policy


policy-mcs.patch:
 constraints |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+)

--- NEW FILE policy-mcs.patch ---
--- policy-1.25.3/constraints~	2005-08-05 15:24:32.000000000 -0400
+++ policy-1.25.3/constraints	2005-08-05 15:35:54.000000000 -0400
@@ -52,3 +52,29 @@
 
 constrain socket_class_set { create relabelto relabelfrom } 
 	( u1 == u2 or t1 == privowner );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
+rename search add_name remove_name reparent write rmdir relabelfrom 
+relabelto }')
+
+mlsconstrain { file lnk_file fifo_file chr_file blk_file } 
+mlsconstrain file nogetattr_file_perms (h1 dom h2);
+mlsconstrain dir nogetattr_dir_perms (h1 dom h2);
+mlsconstrain process { transition dyntransition sigkill sigstop signal 
+ptrace } (h1 dom h2);
+
+# Send sigchld to parent (with higher access) and allow parent to send all
+# signals to child.  Do not allow domains with incomparable contexts to
+# send sigchld to each other.
+# NB we have no limits on signull as ESRCH vs EACCESS will tell them all they
+# want to know anyway.
+mlsconstrain process sigchld (not h1 incomp h2);
+
+mlsconstrain security { load_policy setenforce setbool setcheckreqprot } (h1 
+dom h2);
+
+mlsconstrain system { syslog_read syslog_mod syslog_console } (h1 dom h2);
+
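
Review bot: the line `mlsconstrain { file lnk_file fifo_file chr_file blk_file }` is an incomplete statement, with no permission set and no expression, and the very next line starts a new `mlsconstrain file nogetattr_file_perms (h1 dom h2);`. checkpolicy's grammar expects a permission set after the class set, so this should fail to parse rather than silently producing a weaker rule; if the two lines were meant to be one statement, the second `mlsconstrain file` is the leftover and the class set should carry the perms and expression, e.g. `mlsconstrain { file lnk_file fifo_file chr_file blk_file } nogetattr_file_perms (h1 dom h2);`. Otherwise lnk_file, fifo_file, chr_file and blk_file stay unconstrained and only plain `file` is covered. Two smaller points: the m4 `define`s are fine in this file, but a one-line comment stating that the perm sets deliberately leave out getattr (and execute) would stop the next reader from treating that as an oversight; and because `process transition` is now gated by `h1 dom h2`, a login or init domain that is not itself running at the full category range can no longer transition into anything wider, so the root default contexts in this same update have to supply that full range or root sessions become unable to spawn confined domains.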

policy-mcsroot.patch:
 root_default_contexts |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

--- NEW FILE policy-mcsroot.patch ---
--- policy-1.25.4/appconfig/root_default_contexts.mcsroot	2005-08-24 15:28:42.000000000 -0400
+++ policy-1.25.4/appconfig/root_default_contexts	2005-08-24 15:29:03.000000000 -0400
@@ -1,6 +1,6 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0	system_r:unconfined_t:s0
+system_r:unconfined_t:s0	system_r:unconfined_t:s0 - s0:c0.c127
+system_r:initrc_t:s0	system_r:unconfined_t:s0 - s0:c0.c127
+system_r:local_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:remote_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:rshd_t:s0		system_r:unconfined_t:s0 - s0:c0.c127
+system_r:crond_t:s0	system_r:unconfined_t:s0 - s0:c0.c127
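Review bot: the range is written as `s0 - s0:c0.c127` with whitespace around the dash, while SELinux context syntax writes a range as `low-high` with no spaces (`system_r:unconfined_t:s0-s0:c0.c127`), and default_contexts lines are read as whitespace-separated fields: a source context followed by one or more candidate contexts. Unless the libselinux reader has been taught to join these tokens, `-` and `s0:c0.c127` will be seen as two extra, invalid candidates and the first candidate `system_r:unconfined_t:s0` will win exactly as it did before the patch, so root still lands at plain s0. Please confirm against the MCS default_contexts already shipped by this package and drop the spaces if they are not expected. Separately, `c0.c127` hard-codes the category count; it has to agree with the categories declared in the policy's mls file, so a comment saying where that number comes from (or generating this file from it) would keep the two from drifting apart when the category range is widened later.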



