rpms/selinux-policy-targeted/devel policy-20050912.patch, NONE, 1.1 policy-mcs.patch, NONE, 1.1 policy-mcs.patch.orig, NONE, 1.1 policy-mcsroot.patch, NONE, 1.1

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Sep 14 16:52:50 UTC 2005 

Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12544

Added Files:
	policy-20050912.patch policy-mcs.patch policy-mcs.patch.orig 
	policy-mcsroot.patch 
Log Message:
* Tue Sep 13 2005 Dan Walsh <dwalsh at redhat.com> 1.26-1
- Update to latest from NSA
- Update to MCS policy


policy-20050912.patch:
 Makefile                                 |   38 ++++-
 domains/misc/kernel.te                   |    2 
 domains/program/crond.te                 |    7 
 domains/program/fsadm.te                 |    7 
 domains/program/hostname.te              |    3 
 domains/program/ifconfig.te              |    5 
 domains/program/initrc.te                |   16 ++
 domains/program/ldconfig.te              |    3 
 domains/program/load_policy.te           |    6 
 domains/program/login.te                 |   21 +-
 domains/program/modutil.te               |   14 +
 domains/program/mount.te                 |    3 
 domains/program/netutils.te              |    3 
 domains/program/passwd.te                |    3 
 domains/program/restorecon.te            |    5 
 domains/program/setfiles.te              |    2 
 domains/program/ssh.te                   |   21 +-
 domains/program/su.te                    |    7 
 domains/program/syslogd.te               |    2 
 domains/program/unused/NetworkManager.te |   10 -
 domains/program/unused/acct.te           |   10 -
 domains/program/unused/alsa.te           |   11 +
 domains/program/unused/amanda.te         |   53 -------
 domains/program/unused/anaconda.te       |    5 
 domains/program/unused/apache.te         |   12 +
 domains/program/unused/apmd.te           |    8 +
 domains/program/unused/auditd.te         |    2 
 domains/program/unused/automount.te      |    4 
 domains/program/unused/backup.te         |    2 
 domains/program/unused/bluetooth.te      |   18 ++
 domains/program/unused/bootloader.te     |    2 
 domains/program/unused/cardmgr.te        |    3 
 domains/program/unused/certwatch.te      |   11 +
 domains/program/unused/clockspeed.te     |    3 
 domains/program/unused/cups.te           |   12 +
 domains/program/unused/cvs.te            |   10 -
 domains/program/unused/cyrus.te          |   10 +
 domains/program/unused/dbusd.te          |    9 +
 domains/program/unused/ddclient.te       |    6 
 domains/program/unused/dhcpc.te          |    6 
 domains/program/unused/dovecot.te        |    4 
 domains/program/unused/dpkg.te           |    3 
 domains/program/unused/firstboot.te      |    7 
 domains/program/unused/fs_daemon.te      |    2 
 domains/program/unused/ftpd.te           |    8 -
 domains/program/unused/hald.te           |    1 
 domains/program/unused/hwclock.te        |    5 
 domains/program/unused/i18n_input.te     |    2 
 domains/program/unused/ipsec.te          |    7 
 domains/program/unused/kudzu.te          |    4 
 domains/program/unused/lvm.te            |    1 
 domains/program/unused/mailman.te        |    2 
 domains/program/unused/mta.te            |    6 
 domains/program/unused/mysqld.te         |    7 
 domains/program/unused/ntpd.te           |    4 
 domains/program/unused/openct.te         |   16 ++
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   31 ++++
 domains/program/unused/ping.te           |   12 -
 domains/program/unused/postfix.te        |    3 
 domains/program/unused/postgresql.te     |    4 
 domains/program/unused/pppd.te           |   22 ++-
 domains/program/unused/procmail.te       |    3 
 domains/program/unused/readahead.te      |   21 ++
 domains/program/unused/rlogind.te        |    2 
 domains/program/unused/roundup.te        |   29 +++
 domains/program/unused/rpcd.te           |    2 
 domains/program/unused/rpm.te            |    3 
 domains/program/unused/rsync.te          |    4 
 domains/program/unused/samba.te          |   16 +-
 domains/program/unused/saslauthd.te      |   10 +
 domains/program/unused/slocate.te        |    4 
 domains/program/unused/snmpd.te          |    5 
 domains/program/unused/squid.te          |    3 
 domains/program/unused/sxid.te           |    1 
 domains/program/unused/udev.te           |    8 -
 domains/program/unused/vpnc.te           |   17 +-
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/xdm.te            |    3 
 domains/program/unused/ypserv.te         |    1 
 domains/program/useradd.te               |    2 
 file_contexts/distros.fc                 |    5 
 file_contexts/program/apache.fc          |    8 -
 file_contexts/program/bluetooth.fc       |    1 
 file_contexts/program/certwatch.fc       |    3 
 file_contexts/program/clamav.fc          |    2 
 file_contexts/program/cups.fc            |    1 
 file_contexts/program/dhcpc.fc           |    1 
 file_contexts/program/dhcpd.fc           |    2 
 file_contexts/program/fsadm.fc           |    1 
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/pegasus.fc         |   11 +
 file_contexts/program/postfix.fc         |    2 
 file_contexts/program/postgresql.fc      |    4 
 file_contexts/program/pppd.fc            |   14 +
 file_contexts/program/qmail.fc           |    2 
 file_contexts/program/radvd.fc           |    1 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    8 -
 genfs_contexts                           |    1 
 macros/base_user_macros.te               |    4 
 macros/core_macros.te                    |    3 
 macros/global_macros.te                  |   32 ++++
 macros/network_macros.te                 |   21 ++
 macros/program/apache_macros.te          |   19 ++
 macros/program/cdrecord_macros.te        |   16 --
 macros/program/chkpwd_macros.te          |   17 --
 macros/program/ethereal_macros.te        |    7 
 macros/program/evolution_macros.te       |    2 
 macros/program/gpg_macros.te             |    2 
 macros/program/i18n_input_macros.te      |   21 ++
 macros/program/mail_client_macros.te     |    5 
 macros/program/mozilla_macros.te         |    7 
 macros/program/mta_macros.te             |    4 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/spamassassin_macros.te    |    2 
 macros/program/su_macros.te              |   10 -
 macros/program/thunderbird_macros.te     |    6 
 macros/program/uml_macros.te             |    2 
 macros/user_macros.te                    |    1 
 mcs                                      |  226 +++++++++++++++++++++++++++++++
 net_contexts                             |   14 -
 targeted/appconfig/root_default_contexts |    4 
 targeted/assert.te                       |    2 
 targeted/domains/program/ssh.te          |    3 
 targeted/domains/program/xdm.te          |    4 
 targeted/domains/unconfined.te           |   14 +
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    5 
 types/file.te                            |    4 
 types/network.te                         |   11 -
 types/security.te                        |    4 
 137 files changed, 943 insertions(+), 274 deletions(-)

--- NEW FILE policy-20050912.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.26/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/misc/kernel.te	2005-09-13 12:50:36.156465000 -0400
@@ -11,7 +11,7 @@
 # kernel_t is the domain of kernel threads.
 # It is also the target type when checking permissions in the system class.
 # 
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
 role system_r types kernel_t;
 general_domain_access(kernel_t)
 general_proc_read_access(kernel_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.26/domains/program/crond.te
--- nsapolicy/domains/program/crond.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/crond.te	2005-09-13 12:50:36.160461000 -0400
@@ -44,7 +44,7 @@
 read_locale(crond_t)
 
 # Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
 dontaudit crond_t self:capability sys_resource;
 
 # Get security policy decisions.
@@ -106,7 +106,7 @@
 
 # Inherit and use descriptors from initrc for anacron.
 allow system_crond_t initrc_t:fd use;
-allow system_crond_t initrc_devpts_t:chr_file { read write };
+can_access_pty(system_crond_t, initrc)
 
 # Use capabilities.
 allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
@@ -207,5 +207,8 @@
 #
 ifdef(`apache.te', `
 allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
 ')
 dontaudit crond_t self:capability sys_tty_config;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.26/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/program/fsadm.te	2005-09-13 12:50:36.164458000 -0400
@@ -64,7 +64,7 @@
 allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
 
 # Use capabilities.  ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
 
 # Write to /etc/mtab.
 file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
@@ -102,10 +102,10 @@
 allow fsadm_t kernel_t:system syslog_console;
 
 # Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
 allow fsadm_t privfd:fd use;
-allow fsadm_t devpts_t:dir { getattr search };
 
 read_locale(fsadm_t)
 
@@ -117,3 +117,4 @@
 allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
 allow fsadm_t usbfs_t:dir { getattr search };
 allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.26/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/hostname.te	2005-09-13 12:50:36.168454000 -0400
@@ -24,4 +24,5 @@
 ifdef(`distro_redhat', `
 allow hostname_t tmpfs_t:chr_file rw_file_perms;
 ')
-allow hostname_t initrc_devpts_t:chr_file { read write };
+can_access_pty(hostname_t, initrc)
+allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.26/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/ifconfig.te	2005-09-13 12:50:36.172450000 -0400
@@ -34,7 +34,7 @@
 allow ifconfig_t self:socket create_socket_perms;
 
 # Use capabilities.
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_raw net_admin };
 dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:capability sys_tty_config;
 
@@ -52,7 +52,8 @@
 allow ifconfig_t self:udp_socket create_socket_perms;
 
 # Access terminals.
-allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
 ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
 
 allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.26/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/program/initrc.te	2005-09-13 12:50:36.177444000 -0400
@@ -214,7 +214,15 @@
 allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
 allow initrc_t self:capability sys_admin;
 allow initrc_t device_t:dir create;
-
+# wants to delete /poweroff and other files 
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
 ')dnl end distro_redhat
 
 allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
@@ -319,3 +327,9 @@
 ')
 allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
 allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.26/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/ldconfig.te	2005-09-13 12:50:36.181442000 -0400
@@ -16,7 +16,8 @@
 
 domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
 dontaudit ldconfig_t device_t:dir search;
-allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
 allow ldconfig_t privfd:fd use;
 
 uses_shlib(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.26/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te	2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/load_policy.te	2005-09-13 12:50:36.185438000 -0400
@@ -45,11 +45,9 @@
 allow load_policy_t root_t:dir search;
 allow load_policy_t etc_t:dir search;
 
-# Read the devpts root directory (needed?)  
-allow load_policy_t devpts_t:dir r_dir_perms;
-
 # Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
 uses_shlib(load_policy_t)
 allow load_policy_t self:capability dac_override;
 
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.26/domains/program/login.te
--- nsapolicy/domains/program/login.te	2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/program/login.te	2005-09-13 12:53:20.134324000 -0400
@@ -62,6 +62,11 @@
 
 ifdef(`pamconsole.te', `
 rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
 ')
 
 # Use capabilities
@@ -200,23 +205,20 @@
 # since very weak authentication is used.
 login_spawn_domain(remote_login, unpriv_userdomain)
 
-allow remote_login_t devpts_t:dir search;
 allow remote_login_t userpty_type:chr_file { setattr write };
 
 # Use the pty created by rlogind.
 ifdef(`rlogind.te', `
-allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, rlogind)
 # Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
 ')
 
 # Use the pty created by telnetd.
 ifdef(`telnetd.te', `
-allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
[...2810 lines suppressed...]
 portcon tcp 50002 system_u:object_r:hplip_port_t
 portcon tcp 5900  system_u:object_r:vnc_port_t 
+portcon tcp 5988  system_u:object_r:pegasus_http_port_t
+portcon tcp 5989  system_u:object_r:pegasus_https_port_t
 portcon tcp 6000  system_u:object_r:xserver_port_t
 portcon tcp 6001  system_u:object_r:xserver_port_t
 portcon tcp 6002  system_u:object_r:xserver_port_t
@@ -223,14 +229,6 @@
 #
 # interface netif_context default_msg_context
 #
-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
 
 # Nodes (default = initial SID "node")
 #
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.26/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/appconfig/root_default_contexts	2005-09-13 12:50:36.753867000 -0400
@@ -1,2 +1,6 @@
 system_r:unconfined_t	system_r:unconfined_t
 system_r:initrc_t	system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
+system_r:remote_login_t system_r:unconfined_t
+system_r:rshd_t		system_r:unconfined_t
+system_r:crond_t	system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.26/targeted/assert.te
--- nsapolicy/targeted/assert.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/assert.te	2005-09-13 12:50:36.756865000 -0400
@@ -24,7 +24,7 @@
 # send SIGCHLD for child termination notifications.
 neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
 
-# Confined domains must never see unconfined domain's /proc/pid entries.
+# Confined domains must never see /proc/pid entries for an unconfined domain.
 neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
 
 #
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.26/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/domains/program/ssh.te	2005-09-13 12:50:36.760861000 -0400
@@ -17,3 +17,6 @@
 type sshd_key_t, file_type, sysadmfile;
 type sshd_var_run_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+ifdef(`use_mcs', `
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.26/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/domains/program/xdm.te	2005-09-13 12:50:36.764857000 -0400
@@ -20,3 +20,7 @@
 type xdm_tmp_t, file_type, sysadmfile;
 domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
 domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+ifdef(`use_mcs', `
+range_transition init_t xdm_exec_t s0 - s0:c0.c127;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.26/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/domains/unconfined.te	2005-09-13 12:50:36.768852000 -0400
@@ -14,8 +14,8 @@
 
 # Define some type aliases to help with compatibility with
 # macros and domains from the "strict" policy.
-typealias bin_t alias su_exec_t;
 typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+
 typeattribute tty_device_t admin_tty_type;
 typeattribute devpts_t admin_tty_type;
 
@@ -63,6 +63,7 @@
 bool use_samba_home_dirs false;
 
 ifdef(`samba.te', `samba_domain(user)')
+ifdef(`i18n_input.te', `i18n_input_domain(user)')
 
 # Allow system to run with NIS
 bool allow_ypbind false;
@@ -77,3 +78,14 @@
 allow domain self:process execmem;
 }
 
+#Removing i18n_input from targeted for now, since wants to read users homedirs
+typealias bin_t alias i18n_input_exec_t;
+typealias unconfined_t alias i18n_input_t;
+typealias var_run_t alias i18n_input_var_run_t;
+# Needed to get su working
+bool secure_mode false;
+typealias unconfined_t alias { sysadm_chkpwd_t };
+typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
+su_domain(sysadm)
+typeattribute sysadm_su_t unrestricted;
+role system_r types sysadm_su_t;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.26/tunables/distro.tun
--- nsapolicy/tunables/distro.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/tunables/distro.tun	2005-09-13 12:50:36.772848000 -0400
@@ -5,7 +5,7 @@
 # appropriate ifdefs.
 
 
-dnl define(`distro_redhat')
+define(`distro_redhat')
 
 dnl define(`distro_suse')
 
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.26/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/tunables/tunable.tun	2005-09-13 12:50:36.776844000 -0400
@@ -1,5 +1,5 @@
 # Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
 
 # Allow privileged utilities like hotplug and insmod to run unconfined.
 dnl define(`unlimitedUtils')
@@ -17,7 +17,7 @@
 
 # Do not audit things that we know to be broken but which
 # are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
 
 # Allow user_r to reach sysadm_r via su, sudo, or userhelper.
 # Otherwise, only staff_r can do so.
@@ -32,3 +32,4 @@
 
 # Enable Polyinstantiation support
 dnl define(`support_polyinstatiation')
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.26/types/file.te
--- nsapolicy/types/file.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/types/file.te	2005-09-13 12:50:36.780840000 -0400
@@ -325,6 +325,9 @@
 type inotifyfs_t, fs_type, sysadmfile;
 allow inotifyfs_t self:filesystem associate;
 
+type capifs_t, fs_type, sysadmfile;
+allow capifs_t self:filesystem associate;
+
 # removable_t is the default type of all removable media
 type removable_t, file_type, sysadmfile, usercanread;
 allow removable_t self:filesystem associate;
@@ -333,6 +336,7 @@
 
 # Type for anonymous FTP data, used by ftp and rsync
 type ftpd_anon_t, file_type, sysadmfile, customizable;
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
 
 allow customizable self:filesystem associate;
 
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.26/types/network.te
--- nsapolicy/types/network.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/types/network.te	2005-09-13 12:50:36.785835000 -0400
@@ -74,15 +74,6 @@
 # interfaces in net_contexts or net_contexts.mls.
 #
 type netif_t, netif_type;
-type netif_eth0_t, netif_type;
-type netif_eth1_t, netif_type;
-type netif_eth2_t, netif_type;
-type netif_lo_t, netif_type;
-type netif_ippp0_t, netif_type;
-
-type netif_ipsec0_t, netif_type;
-type netif_ipsec1_t, netif_type;
-type netif_ipsec2_t, netif_type;
 
 #
 # node_t is the default type of network nodes.
@@ -129,6 +120,8 @@
 type zebra_port_t, port_type;
 type i18n_input_port_t, port_type;
 type vnc_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
 type openvpn_port_t, port_type;
 type clamd_port_t, port_type, reserved_port_type;
 type transproxy_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.26/types/security.te
--- nsapolicy/types/security.te	2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/types/security.te	2005-09-13 12:50:36.789831000 -0400
@@ -19,6 +19,10 @@
 # the security server policy configuration.
 #
 type policy_config_t, file_type, secadmfile;
+# Since libselinux attempts to read these by default, most domains 
+# do not need it.
+dontaudit domain selinux_config_t:dir search;
+dontaudit domain selinux_config_t:file { getattr read };
 
 #
 # policy_src_t is the type of the policy source

policy-mcs.patch:
 constraints |   26 ++++++++++++++++++++++++++
 1 files changed, 26 insertions(+)

--- NEW FILE policy-mcs.patch ---
--- policy-1.25.3/constraints~	2005-08-05 15:24:32.000000000 -0400
+++ policy-1.25.3/constraints	2005-08-05 15:35:54.000000000 -0400
@@ -52,3 +52,29 @@
 
 constrain socket_class_set { create relabelto relabelfrom } 
 	( u1 == u2 or t1 == privowner );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
+rename search add_name remove_name reparent write rmdir relabelfrom 
+relabelto }')
+
+mlsconstrain { file lnk_file fifo_file chr_file blk_file } 
+mlsconstrain file nogetattr_file_perms (h1 dom h2);
+mlsconstrain dir nogetattr_dir_perms (h1 dom h2);
+mlsconstrain process { transition dyntransition sigkill sigstop signal 
+ptrace } (h1 dom h2);
+
+# Send sigchld to parent (with higher access) and allow parent to send all
+# signals to child.  Do not allow domains with incomparable contexts to
+# send sigchld to each other.
+# NB we have no limits on signull as ESRCH vs EACCESS will tell them all they
+# want to know anyway.
+mlsconstrain process sigchld (not h1 incomp h2);
+
+mlsconstrain security { load_policy setenforce setbool setcheckreqprot } (h1 
+dom h2);
+
+mlsconstrain system { syslog_read syslog_mod syslog_console } (h1 dom h2);
+


--- NEW FILE policy-mcs.patch.orig ---
--- policy-1.25.3/Makefile.orig	2005-07-19 10:57:19.000000000 -0400
+++ policy-1.25.3/Makefile	2005-08-02 16:01:54.000000000 -0400
--- policy-1.25.3/constraints~	2005-08-05 15:24:32.000000000 -0400
+++ policy-1.25.3/constraints	2005-08-05 15:35:54.000000000 -0400
@@ -52,3 +52,29 @@
 
 constrain socket_class_set { create relabelto relabelfrom } 
 	( u1 == u2 or t1 == privowner );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append 
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink 
+rename search add_name remove_name reparent write rmdir relabelfrom 
+relabelto }')
+
+mlsconstrain { file lnk_file fifo_file chr_file blk_file } 
+mlsconstrain file nogetattr_file_perms (h1 dom h2);
+mlsconstrain dir nogetattr_dir_perms (h1 dom h2);
+mlsconstrain process { transition dyntransition sigkill sigstop signal 
+ptrace } (h1 dom h2);
+
+# Send sigchld to parent (with higher access) and allow parent to send all
+# signals to child.  Do not allow domains with incomparable contexts to
+# send sigchld to each other.
+# NB we have no limits on signull as ESRCH vs EACCESS will tell them all they
+# want to know anyway.
+mlsconstrain process sigchld (not h1 incomp h2);
+
+mlsconstrain security { load_policy setenforce setbool setcheckreqprot } (h1 
+dom h2);
+
+mlsconstrain system { syslog_read syslog_mod syslog_console } (h1 dom h2);
+

policy-mcsroot.patch:
 root_default_contexts |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)

--- NEW FILE policy-mcsroot.patch ---
--- policy-1.25.4/appconfig/root_default_contexts.mcsroot	2005-08-24 15:28:42.000000000 -0400
+++ policy-1.25.4/appconfig/root_default_contexts	2005-08-24 15:29:03.000000000 -0400
@@ -1,6 +1,6 @@
-system_r:unconfined_t:s0	system_r:unconfined_t:s0
-system_r:initrc_t:s0	system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0		system_r:unconfined_t:s0
-system_r:crond_t:s0	system_r:unconfined_t:s0
+system_r:unconfined_t:s0	system_r:unconfined_t:s0 - s0:c0.c127
+system_r:initrc_t:s0	system_r:unconfined_t:s0 - s0:c0.c127
+system_r:local_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:remote_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:rshd_t:s0		system_r:unconfined_t:s0 - s0:c0.c127
+system_r:crond_t:s0	system_r:unconfined_t:s0 - s0:c0.c127

More information about the fedora-cvs-commits mailing list