rpms/selinux-policy-targeted/devel policy-20050912.patch, NONE, 1.1 policy-mcs.patch, NONE, 1.1 policy-mcs.patch.orig, NONE, 1.1 policy-mcsroot.patch, NONE, 1.1
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Sep 14 16:52:50 UTC 2005
- Previous message (by thread): rpms/selinux-policy-strict/devel policy-mcs.patch, NONE, 1.1 policy-mcsroot.patch, NONE, 1.1
- Next message (by thread): rpms/control-center/devel control-center-2.12.0-help-left-handed-dual-mice-users.patch, NONE, 1.1 control-center.spec, 1.91, 1.92 control-center-2.11.91-help-left-handed-dual-mice-users.patch, 1.3, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12544
Added Files:
policy-20050912.patch policy-mcs.patch policy-mcs.patch.orig
policy-mcsroot.patch
Log Message:
* Tue Sep 13 2005 Dan Walsh <dwalsh at redhat.com> 1.26-1
- Update to latest from NSA
- Update to MCS policy
policy-20050912.patch:
Makefile | 38 ++++-
domains/misc/kernel.te | 2
domains/program/crond.te | 7
domains/program/fsadm.te | 7
domains/program/hostname.te | 3
domains/program/ifconfig.te | 5
domains/program/initrc.te | 16 ++
domains/program/ldconfig.te | 3
domains/program/load_policy.te | 6
domains/program/login.te | 21 +-
domains/program/modutil.te | 14 +
domains/program/mount.te | 3
domains/program/netutils.te | 3
domains/program/passwd.te | 3
domains/program/restorecon.te | 5
domains/program/setfiles.te | 2
domains/program/ssh.te | 21 +-
domains/program/su.te | 7
domains/program/syslogd.te | 2
domains/program/unused/NetworkManager.te | 10 -
domains/program/unused/acct.te | 10 -
domains/program/unused/alsa.te | 11 +
domains/program/unused/amanda.te | 53 -------
domains/program/unused/anaconda.te | 5
domains/program/unused/apache.te | 12 +
domains/program/unused/apmd.te | 8 +
domains/program/unused/auditd.te | 2
domains/program/unused/automount.te | 4
domains/program/unused/backup.te | 2
domains/program/unused/bluetooth.te | 18 ++
domains/program/unused/bootloader.te | 2
domains/program/unused/cardmgr.te | 3
domains/program/unused/certwatch.te | 11 +
domains/program/unused/clockspeed.te | 3
domains/program/unused/cups.te | 12 +
domains/program/unused/cvs.te | 10 -
domains/program/unused/cyrus.te | 10 +
domains/program/unused/dbusd.te | 9 +
domains/program/unused/ddclient.te | 6
domains/program/unused/dhcpc.te | 6
domains/program/unused/dovecot.te | 4
domains/program/unused/dpkg.te | 3
domains/program/unused/firstboot.te | 7
domains/program/unused/fs_daemon.te | 2
domains/program/unused/ftpd.te | 8 -
domains/program/unused/hald.te | 1
domains/program/unused/hwclock.te | 5
domains/program/unused/i18n_input.te | 2
domains/program/unused/ipsec.te | 7
domains/program/unused/kudzu.te | 4
domains/program/unused/lvm.te | 1
domains/program/unused/mailman.te | 2
domains/program/unused/mta.te | 6
domains/program/unused/mysqld.te | 7
domains/program/unused/ntpd.te | 4
domains/program/unused/openct.te | 16 ++
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 31 ++++
domains/program/unused/ping.te | 12 -
domains/program/unused/postfix.te | 3
domains/program/unused/postgresql.te | 4
domains/program/unused/pppd.te | 22 ++-
domains/program/unused/procmail.te | 3
domains/program/unused/readahead.te | 21 ++
domains/program/unused/rlogind.te | 2
domains/program/unused/roundup.te | 29 +++
domains/program/unused/rpcd.te | 2
domains/program/unused/rpm.te | 3
domains/program/unused/rsync.te | 4
domains/program/unused/samba.te | 16 +-
domains/program/unused/saslauthd.te | 10 +
domains/program/unused/slocate.te | 4
domains/program/unused/snmpd.te | 5
domains/program/unused/squid.te | 3
domains/program/unused/sxid.te | 1
domains/program/unused/udev.te | 8 -
domains/program/unused/vpnc.te | 17 +-
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 3
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 2
file_contexts/distros.fc | 5
file_contexts/program/apache.fc | 8 -
file_contexts/program/bluetooth.fc | 1
file_contexts/program/certwatch.fc | 3
file_contexts/program/clamav.fc | 2
file_contexts/program/cups.fc | 1
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 2
file_contexts/program/fsadm.fc | 1
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/pegasus.fc | 11 +
file_contexts/program/postfix.fc | 2
file_contexts/program/postgresql.fc | 4
file_contexts/program/pppd.fc | 14 +
file_contexts/program/qmail.fc | 2
file_contexts/program/radvd.fc | 1
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 8 -
genfs_contexts | 1
macros/base_user_macros.te | 4
macros/core_macros.te | 3
macros/global_macros.te | 32 ++++
macros/network_macros.te | 21 ++
macros/program/apache_macros.te | 19 ++
macros/program/cdrecord_macros.te | 16 --
macros/program/chkpwd_macros.te | 17 --
macros/program/ethereal_macros.te | 7
macros/program/evolution_macros.te | 2
macros/program/gpg_macros.te | 2
macros/program/i18n_input_macros.te | 21 ++
macros/program/mail_client_macros.te | 5
macros/program/mozilla_macros.te | 7
macros/program/mta_macros.te | 4
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/spamassassin_macros.te | 2
macros/program/su_macros.te | 10 -
macros/program/thunderbird_macros.te | 6
macros/program/uml_macros.te | 2
macros/user_macros.te | 1
mcs | 226 +++++++++++++++++++++++++++++++
net_contexts | 14 -
targeted/appconfig/root_default_contexts | 4
targeted/assert.te | 2
targeted/domains/program/ssh.te | 3
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 14 +
tunables/distro.tun | 2
tunables/tunable.tun | 5
types/file.te | 4
types/network.te | 11 -
types/security.te | 4
137 files changed, 943 insertions(+), 274 deletions(-)
--- NEW FILE policy-20050912.patch ---
diff --exclude-from=exclude -N -u -r nsapolicy/domains/misc/kernel.te policy-1.26/domains/misc/kernel.te
--- nsapolicy/domains/misc/kernel.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/misc/kernel.te 2005-09-13 12:50:36.156465000 -0400
@@ -11,7 +11,7 @@
# kernel_t is the domain of kernel threads.
# It is also the target type when checking permissions in the system class.
#
-type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod ifdef(`nfs_export_all_rw',`,etc_writer'), privrangetrans ;
+type kernel_t, domain, privmodule, privlog, sysctl_kernel_writer, mlsprocread, mlsprocwrite, privsysmod, etc_writer, privrangetrans ;
role system_r types kernel_t;
general_domain_access(kernel_t)
general_proc_read_access(kernel_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/crond.te policy-1.26/domains/program/crond.te
--- nsapolicy/domains/program/crond.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/crond.te 2005-09-13 12:50:36.160461000 -0400
@@ -44,7 +44,7 @@
read_locale(crond_t)
# Use capabilities.
-allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice };
+allow crond_t self:capability { dac_override setgid setuid net_bind_service sys_nice audit_control };
dontaudit crond_t self:capability sys_resource;
# Get security policy decisions.
@@ -106,7 +106,7 @@
# Inherit and use descriptors from initrc for anacron.
allow system_crond_t initrc_t:fd use;
-allow system_crond_t initrc_devpts_t:chr_file { read write };
+can_access_pty(system_crond_t, initrc)
# Use capabilities.
allow system_crond_t self:capability { dac_read_search chown setgid setuid fowner net_bind_service fsetid };
@@ -207,5 +207,8 @@
#
ifdef(`apache.te', `
allow system_crond_t { httpd_log_t httpd_config_t }:file { getattr read };
+allow system_crond_t httpd_modules_t:lnk_file read;
')
dontaudit crond_t self:capability sys_tty_config;
+# Needed for certwatch
+can_exec(system_crond_t, httpd_modules_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.26/domains/program/fsadm.te
--- nsapolicy/domains/program/fsadm.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/program/fsadm.te 2005-09-13 12:50:36.164458000 -0400
@@ -64,7 +64,7 @@
allow fsadm_t { urandom_device_t random_device_t }:chr_file { getattr read };
# Use capabilities. ipc_lock is for losetup
-allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config };
+allow fsadm_t self:capability { ipc_lock sys_rawio sys_admin sys_tty_config dac_override dac_read_search };
# Write to /etc/mtab.
file_type_auto_trans(fsadm_t, etc_t, etc_runtime_t, file)
@@ -102,10 +102,10 @@
allow fsadm_t kernel_t:system syslog_console;
# Access terminals.
-allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
+can_access_pty(fsadm_t, initrc)
+allow fsadm_t { admin_tty_type devtty_t console_device_t }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
allow fsadm_t privfd:fd use;
-allow fsadm_t devpts_t:dir { getattr search };
read_locale(fsadm_t)
@@ -117,3 +117,4 @@
allow fsadm_t { file_t unlabeled_t }:blk_file rw_file_perms;
allow fsadm_t usbfs_t:dir { getattr search };
allow fsadm_t ramfs_t:fifo_file rw_file_perms;
+allow fsadm_t device_type:chr_file getattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/hostname.te policy-1.26/domains/program/hostname.te
--- nsapolicy/domains/program/hostname.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/hostname.te 2005-09-13 12:50:36.168454000 -0400
@@ -24,4 +24,5 @@
ifdef(`distro_redhat', `
allow hostname_t tmpfs_t:chr_file rw_file_perms;
')
-allow hostname_t initrc_devpts_t:chr_file { read write };
+can_access_pty(hostname_t, initrc)
+allow hostname_t initrc_t:fd use;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.26/domains/program/ifconfig.te
--- nsapolicy/domains/program/ifconfig.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/ifconfig.te 2005-09-13 12:50:36.172450000 -0400
@@ -34,7 +34,7 @@
allow ifconfig_t self:socket create_socket_perms;
# Use capabilities.
-allow ifconfig_t self:capability net_admin;
+allow ifconfig_t self:capability { net_raw net_admin };
dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:capability sys_tty_config;
@@ -52,7 +52,8 @@
allow ifconfig_t self:udp_socket create_socket_perms;
# Access terminals.
-allow ifconfig_t { user_tty_type initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ifconfig_t, initrc)
+allow ifconfig_t { user_tty_type admin_tty_type }:chr_file rw_file_perms;
ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
allow ifconfig_t tun_tap_device_t:chr_file { read write };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.26/domains/program/initrc.te
--- nsapolicy/domains/program/initrc.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/program/initrc.te 2005-09-13 12:50:36.177444000 -0400
@@ -214,7 +214,15 @@
allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
allow initrc_t self:capability sys_admin;
allow initrc_t device_t:dir create;
-
+# wants to delete /poweroff and other files
+allow initrc_t root_t:file unlink;
+# wants to read /.fonts directory
+allow initrc_t default_t:file { getattr read };
+ifdef(`xserver.te', `
+# wants to cleanup xserver log dir
+allow initrc_t xserver_log_t:dir rw_dir_perms;
+allow initrc_t xserver_log_t:file unlink;
+')
')dnl end distro_redhat
allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
@@ -319,3 +327,9 @@
')
allow initrc_t self:netlink_route_socket r_netlink_socket_perms;
allow initrc_t device_t:lnk_file create_file_perms;
+ifdef(`dbusd.te', `
+allow initrc_t system_dbusd_var_run_t:sock_file write;
+')
+
+# Slapd needs to read cert files from its initscript
+r_dir_file(initrc_t, cert_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ldconfig.te policy-1.26/domains/program/ldconfig.te
--- nsapolicy/domains/program/ldconfig.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/ldconfig.te 2005-09-13 12:50:36.181442000 -0400
@@ -16,7 +16,8 @@
domain_auto_trans({ sysadm_t initrc_t }, ldconfig_exec_t, ldconfig_t)
dontaudit ldconfig_t device_t:dir search;
-allow ldconfig_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
+can_access_pty(ldconfig_t, initrc)
+allow ldconfig_t admin_tty_type:chr_file rw_file_perms;
allow ldconfig_t privfd:fd use;
uses_shlib(ldconfig_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/load_policy.te policy-1.26/domains/program/load_policy.te
--- nsapolicy/domains/program/load_policy.te 2005-09-12 16:40:28.000000000 -0400
+++ policy-1.26/domains/program/load_policy.te 2005-09-13 12:50:36.185438000 -0400
@@ -45,11 +45,9 @@
allow load_policy_t root_t:dir search;
allow load_policy_t etc_t:dir search;
-# Read the devpts root directory (needed?)
-allow load_policy_t devpts_t:dir r_dir_perms;
-
# Other access
-allow load_policy_t { admin_tty_type initrc_devpts_t devtty_t }:chr_file { read write ioctl getattr };
+can_access_pty(load_policy_t, initrc)
+allow load_policy_t { admin_tty_type devtty_t }:chr_file { read write ioctl getattr };
uses_shlib(load_policy_t)
allow load_policy_t self:capability dac_override;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/login.te policy-1.26/domains/program/login.te
--- nsapolicy/domains/program/login.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.26/domains/program/login.te 2005-09-13 12:53:20.134324000 -0400
@@ -62,6 +62,11 @@
ifdef(`pamconsole.te', `
rw_dir_create_file($1_login_t, pam_var_console_t)
+domain_auto_trans($1_login_t, pam_console_exec_t, pam_console_t)
+')
+
+ifdef(`alsa.te', `
+domain_auto_trans($1_login_t, alsa_exec_t, alsa_t)
')
# Use capabilities
@@ -200,23 +205,20 @@
# since very weak authentication is used.
login_spawn_domain(remote_login, unpriv_userdomain)
-allow remote_login_t devpts_t:dir search;
allow remote_login_t userpty_type:chr_file { setattr write };
# Use the pty created by rlogind.
ifdef(`rlogind.te', `
-allow remote_login_t rlogind_devpts_t:chr_file { setattr rw_file_perms };
-
+can_access_pty(remote_login_t, rlogind)
# Relabel ptys created by rlogind.
-allow remote_login_t rlogind_devpts_t:chr_file { relabelfrom relabelto };
+allow remote_login_t rlogind_devpts_t:chr_file { setattr relabelfrom relabelto };
')
# Use the pty created by telnetd.
ifdef(`telnetd.te', `
-allow remote_login_t telnetd_devpts_t:chr_file { setattr rw_file_perms };
[...2810 lines suppressed...]
portcon tcp 50002 system_u:object_r:hplip_port_t
portcon tcp 5900 system_u:object_r:vnc_port_t
+portcon tcp 5988 system_u:object_r:pegasus_http_port_t
+portcon tcp 5989 system_u:object_r:pegasus_https_port_t
portcon tcp 6000 system_u:object_r:xserver_port_t
portcon tcp 6001 system_u:object_r:xserver_port_t
portcon tcp 6002 system_u:object_r:xserver_port_t
@@ -223,14 +229,6 @@
#
# interface netif_context default_msg_context
#
-netifcon lo system_u:object_r:netif_lo_t system_u:object_r:unlabeled_t
-netifcon eth0 system_u:object_r:netif_eth0_t system_u:object_r:unlabeled_t
-netifcon eth1 system_u:object_r:netif_eth1_t system_u:object_r:unlabeled_t
-netifcon eth2 system_u:object_r:netif_eth2_t system_u:object_r:unlabeled_t
-netifcon ippp0 system_u:object_r:netif_ippp0_t system_u:object_r:unlabeled_t
-netifcon ipsec0 system_u:object_r:netif_ipsec0_t system_u:object_r:unlabeled_t
-netifcon ipsec1 system_u:object_r:netif_ipsec1_t system_u:object_r:unlabeled_t
-netifcon ipsec2 system_u:object_r:netif_ipsec2_t system_u:object_r:unlabeled_t
# Nodes (default = initial SID "node")
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/root_default_contexts policy-1.26/targeted/appconfig/root_default_contexts
--- nsapolicy/targeted/appconfig/root_default_contexts 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/appconfig/root_default_contexts 2005-09-13 12:50:36.753867000 -0400
@@ -1,2 +1,6 @@
system_r:unconfined_t system_r:unconfined_t
system_r:initrc_t system_r:unconfined_t
+system_r:local_login_t system_r:unconfined_t
+system_r:remote_login_t system_r:unconfined_t
+system_r:rshd_t system_r:unconfined_t
+system_r:crond_t system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/assert.te policy-1.26/targeted/assert.te
--- nsapolicy/targeted/assert.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/assert.te 2005-09-13 12:50:36.756865000 -0400
@@ -24,7 +24,7 @@
# send SIGCHLD for child termination notifications.
neverallow { domain -unrestricted } unconfined_t:process ~sigchld;
-# Confined domains must never see unconfined domain's /proc/pid entries.
+# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr search };
#
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/ssh.te policy-1.26/targeted/domains/program/ssh.te
--- nsapolicy/targeted/domains/program/ssh.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/domains/program/ssh.te 2005-09-13 12:50:36.760861000 -0400
@@ -17,3 +17,6 @@
type sshd_key_t, file_type, sysadmfile;
type sshd_var_run_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, sshd_exec_t, sshd_t)
+ifdef(`use_mcs', `
+range_transition initrc_t sshd_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/program/xdm.te policy-1.26/targeted/domains/program/xdm.te
--- nsapolicy/targeted/domains/program/xdm.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/domains/program/xdm.te 2005-09-13 12:50:36.764857000 -0400
@@ -20,3 +20,7 @@
type xdm_tmp_t, file_type, sysadmfile;
domain_auto_trans(initrc_t, xdm_exec_t, xdm_t)
domain_auto_trans(init_t, xdm_exec_t, xdm_t)
+ifdef(`use_mcs', `
+range_transition init_t xdm_exec_t s0 - s0:c0.c127;
+range_transition initrc_t xdm_exec_t s0 - s0:c0.c127;
+')
diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.26/targeted/domains/unconfined.te
--- nsapolicy/targeted/domains/unconfined.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/targeted/domains/unconfined.te 2005-09-13 12:50:36.768852000 -0400
@@ -14,8 +14,8 @@
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
-typealias bin_t alias su_exec_t;
typealias unconfined_t alias { logrotate_t sendmail_t sshd_t secadm_t sysadm_t rpm_t rpm_script_t xdm_t };
+
typeattribute tty_device_t admin_tty_type;
typeattribute devpts_t admin_tty_type;
@@ -63,6 +63,7 @@
bool use_samba_home_dirs false;
ifdef(`samba.te', `samba_domain(user)')
+ifdef(`i18n_input.te', `i18n_input_domain(user)')
# Allow system to run with NIS
bool allow_ypbind false;
@@ -77,3 +78,14 @@
allow domain self:process execmem;
}
+#Removing i18n_input from targeted for now, since wants to read users homedirs
+typealias bin_t alias i18n_input_exec_t;
+typealias unconfined_t alias i18n_input_t;
+typealias var_run_t alias i18n_input_var_run_t;
+# Needed to get su working
+bool secure_mode false;
+typealias unconfined_t alias { sysadm_chkpwd_t };
+typealias tmp_t alias { sysadm_tmp_t sshd_tmp_t };
+su_domain(sysadm)
+typeattribute sysadm_su_t unrestricted;
+role system_r types sysadm_su_t;
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.26/tunables/distro.tun
--- nsapolicy/tunables/distro.tun 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/tunables/distro.tun 2005-09-13 12:50:36.772848000 -0400
@@ -5,7 +5,7 @@
# appropriate ifdefs.
-dnl define(`distro_redhat')
+define(`distro_redhat')
dnl define(`distro_suse')
diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.26/tunables/tunable.tun
--- nsapolicy/tunables/tunable.tun 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/tunables/tunable.tun 2005-09-13 12:50:36.776844000 -0400
@@ -1,5 +1,5 @@
# Allow rpm to run unconfined.
-dnl define(`unlimitedRPM')
+define(`unlimitedRPM')
# Allow privileged utilities like hotplug and insmod to run unconfined.
dnl define(`unlimitedUtils')
@@ -17,7 +17,7 @@
# Do not audit things that we know to be broken but which
# are not security risks
-dnl define(`hide_broken_symptoms')
+define(`hide_broken_symptoms')
# Allow user_r to reach sysadm_r via su, sudo, or userhelper.
# Otherwise, only staff_r can do so.
@@ -32,3 +32,4 @@
# Enable Polyinstantiation support
dnl define(`support_polyinstatiation')
+
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.26/types/file.te
--- nsapolicy/types/file.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/types/file.te 2005-09-13 12:50:36.780840000 -0400
@@ -325,6 +325,9 @@
type inotifyfs_t, fs_type, sysadmfile;
allow inotifyfs_t self:filesystem associate;
+type capifs_t, fs_type, sysadmfile;
+allow capifs_t self:filesystem associate;
+
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
allow removable_t self:filesystem associate;
@@ -333,6 +336,7 @@
# Type for anonymous FTP data, used by ftp and rsync
type ftpd_anon_t, file_type, sysadmfile, customizable;
+type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
allow customizable self:filesystem associate;
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.26/types/network.te
--- nsapolicy/types/network.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/types/network.te 2005-09-13 12:50:36.785835000 -0400
@@ -74,15 +74,6 @@
# interfaces in net_contexts or net_contexts.mls.
#
type netif_t, netif_type;
-type netif_eth0_t, netif_type;
-type netif_eth1_t, netif_type;
-type netif_eth2_t, netif_type;
-type netif_lo_t, netif_type;
-type netif_ippp0_t, netif_type;
-
-type netif_ipsec0_t, netif_type;
-type netif_ipsec1_t, netif_type;
-type netif_ipsec2_t, netif_type;
#
# node_t is the default type of network nodes.
@@ -129,6 +120,8 @@
type zebra_port_t, port_type;
type i18n_input_port_t, port_type;
type vnc_port_t, port_type;
+type pegasus_http_port_t, port_type;
+type pegasus_https_port_t, port_type;
type openvpn_port_t, port_type;
type clamd_port_t, port_type, reserved_port_type;
type transproxy_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.26/types/security.te
--- nsapolicy/types/security.te 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.26/types/security.te 2005-09-13 12:50:36.789831000 -0400
@@ -19,6 +19,10 @@
# the security server policy configuration.
#
type policy_config_t, file_type, secadmfile;
+# Since libselinux attempts to read these by default, most domains
+# do not need it.
+dontaudit domain selinux_config_t:dir search;
+dontaudit domain selinux_config_t:file { getattr read };
#
# policy_src_t is the type of the policy source
policy-mcs.patch:
constraints | 26 ++++++++++++++++++++++++++
1 files changed, 26 insertions(+)
--- NEW FILE policy-mcs.patch ---
--- policy-1.25.3/constraints~ 2005-08-05 15:24:32.000000000 -0400
+++ policy-1.25.3/constraints 2005-08-05 15:35:54.000000000 -0400
@@ -52,3 +52,29 @@
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
+rename search add_name remove_name reparent write rmdir relabelfrom
+relabelto }')
+
+mlsconstrain { file lnk_file fifo_file chr_file blk_file }
+mlsconstrain file nogetattr_file_perms (h1 dom h2);
+mlsconstrain dir nogetattr_dir_perms (h1 dom h2);
+mlsconstrain process { transition dyntransition sigkill sigstop signal
+ptrace } (h1 dom h2);
+
+# Send sigchld to parent (with higher access) and allow parent to send all
+# signals to child. Do not allow domains with incomparable contexts to
+# send sigchld to each other.
+# NB we have no limits on signull as ESRCH vs EACCESS will tell them all they
+# want to know anyway.
+mlsconstrain process sigchld (not h1 incomp h2);
+
+mlsconstrain security { load_policy setenforce setbool setcheckreqprot } (h1
+dom h2);
+
+mlsconstrain system { syslog_read syslog_mod syslog_console } (h1 dom h2);
+
--- NEW FILE policy-mcs.patch.orig ---
--- policy-1.25.3/Makefile.orig 2005-07-19 10:57:19.000000000 -0400
+++ policy-1.25.3/Makefile 2005-08-02 16:01:54.000000000 -0400
--- policy-1.25.3/constraints~ 2005-08-05 15:24:32.000000000 -0400
+++ policy-1.25.3/constraints 2005-08-05 15:35:54.000000000 -0400
@@ -52,3 +52,29 @@
constrain socket_class_set { create relabelto relabelfrom }
( u1 == u2 or t1 == privowner );
+
+define(`nogetattr_file_perms', `{ create ioctl read lock write setattr append
+link unlink rename relabelfrom relabelto }')
+
+define(`nogetattr_dir_perms', `{ create read lock setattr ioctl link unlink
+rename search add_name remove_name reparent write rmdir relabelfrom
+relabelto }')
+
+mlsconstrain { file lnk_file fifo_file chr_file blk_file }
+mlsconstrain file nogetattr_file_perms (h1 dom h2);
+mlsconstrain dir nogetattr_dir_perms (h1 dom h2);
+mlsconstrain process { transition dyntransition sigkill sigstop signal
+ptrace } (h1 dom h2);
+
+# Send sigchld to parent (with higher access) and allow parent to send all
+# signals to child. Do not allow domains with incomparable contexts to
+# send sigchld to each other.
+# NB we have no limits on signull as ESRCH vs EACCESS will tell them all they
+# want to know anyway.
+mlsconstrain process sigchld (not h1 incomp h2);
+
+mlsconstrain security { load_policy setenforce setbool setcheckreqprot } (h1
+dom h2);
+
+mlsconstrain system { syslog_read syslog_mod syslog_console } (h1 dom h2);
+
policy-mcsroot.patch:
root_default_contexts | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE policy-mcsroot.patch ---
--- policy-1.25.4/appconfig/root_default_contexts.mcsroot 2005-08-24 15:28:42.000000000 -0400
+++ policy-1.25.4/appconfig/root_default_contexts 2005-08-24 15:29:03.000000000 -0400
@@ -1,6 +1,6 @@
-system_r:unconfined_t:s0 system_r:unconfined_t:s0
-system_r:initrc_t:s0 system_r:unconfined_t:s0
-system_r:local_login_t:s0 system_r:unconfined_t:s0
-system_r:remote_login_t:s0 system_r:unconfined_t:s0
-system_r:rshd_t:s0 system_r:unconfined_t:s0
-system_r:crond_t:s0 system_r:unconfined_t:s0
+system_r:unconfined_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:initrc_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:local_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:remote_login_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:rshd_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
+system_r:crond_t:s0 system_r:unconfined_t:s0 - s0:c0.c127
- Previous message (by thread): rpms/selinux-policy-strict/devel policy-mcs.patch, NONE, 1.1 policy-mcsroot.patch, NONE, 1.1
- Next message (by thread): rpms/control-center/devel control-center-2.12.0-help-left-handed-dual-mice-users.patch, NONE, 1.1 control-center.spec, 1.91, 1.92 control-center-2.11.91-help-left-handed-dual-mice-users.patch, 1.3, NONE
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list