rpms/selinux-policy-targeted/devel policy-20050916.patch, 1.4, 1.5 selinux-policy-targeted.spec, 1.374, 1.375
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Sep 21 01:18:05 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv11676
Modified Files:
policy-20050916.patch selinux-policy-targeted.spec
Log Message:
* Tue Sep 20 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-4
- Add privuser to unconfined_domain
- dontaudit read of security_t
policy-20050916.patch:
Makefile | 22 +++++----
domains/program/crond.te | 2
domains/program/fsadm.te | 7 ++-
domains/program/hostname.te | 2
domains/program/ifconfig.te | 3 -
domains/program/initrc.te | 17 +++++++
domains/program/ldconfig.te | 3 -
domains/program/load_policy.te | 7 +--
domains/program/login.te | 21 ++++++---
domains/program/modutil.te | 14 +++---
domains/program/mount.te | 5 +-
domains/program/netutils.te | 3 -
domains/program/restorecon.te | 3 -
domains/program/setfiles.te | 2
domains/program/ssh.te | 6 ++
domains/program/su.te | 7 +++
domains/program/syslogd.te | 2
domains/program/unconfined.te | 15 ++++++
domains/program/unused/NetworkManager.te | 3 -
domains/program/unused/alsa.te | 2
domains/program/unused/amanda.te | 70 +++++++------------------------
domains/program/unused/anaconda.te | 5 --
domains/program/unused/apache.te | 9 ++-
domains/program/unused/apmd.te | 8 +++
domains/program/unused/auditd.te | 2
domains/program/unused/automount.te | 4 +
domains/program/unused/bluetooth.te | 17 +++++++
domains/program/unused/cups.te | 11 ++++
domains/program/unused/cyrus.te | 2
domains/program/unused/dbusd.te | 4 +
domains/program/unused/dhcpc.te | 4 -
domains/program/unused/dovecot.te | 4 +
domains/program/unused/hwclock.te | 2
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 2
domains/program/unused/mta.te | 8 +++
domains/program/unused/mysqld.te | 6 +-
domains/program/unused/named.te | 14 ++++--
domains/program/unused/ntpd.te | 7 +--
domains/program/unused/openct.te | 16 +++++++
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 31 +++++++++++++
domains/program/unused/ping.te | 3 -
domains/program/unused/postfix.te | 8 ++-
domains/program/unused/pppd.te | 5 +-
domains/program/unused/procmail.te | 11 +++-
domains/program/unused/readahead.te | 21 +++++++++
domains/program/unused/rlogind.te | 4 +
domains/program/unused/roundup.te | 29 ++++++++++++
domains/program/unused/rpcd.te | 12 ++++-
domains/program/unused/samba.te | 11 +++-
domains/program/unused/snmpd.te | 5 +-
domains/program/unused/squid.te | 3 -
domains/program/unused/udev.te | 6 ++
domains/program/unused/utempter.te | 2
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 3 +
domains/program/unused/yppasswdd.te | 40 +++++++++++++++++
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 5 +-
file_contexts/distros.fc | 1
file_contexts/program/bluetooth.fc | 1
file_contexts/program/dhcpc.fc | 1
file_contexts/program/ftpd.fc | 4 -
file_contexts/program/games.fc | 11 +++-
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/pegasus.fc | 11 ++++
file_contexts/program/pppd.fc | 2
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/rpm.fc | 4 +
file_contexts/program/rsync.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/yppasswdd.fc | 2
file_contexts/program/ypserv.fc | 1
genfs_contexts | 2
macros/core_macros.te | 3 +
macros/global_macros.te | 16 +++++--
macros/network_macros.te | 17 +++++++
macros/program/apache_macros.te | 13 ++++-
macros/program/cdrecord_macros.te | 2
macros/program/i18n_input_macros.te | 21 +++++++++
macros/program/mta_macros.te | 4 -
macros/program/newrole_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/su_macros.te | 2
macros/program/uml_macros.te | 2
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 10 ++--
man/man8/rsync_selinux.8 | 6 +-
mcs | 16 ++++++-
net_contexts | 6 ++
targeted/appconfig/root_default_contexts | 4 +
targeted/domains/program/ssh.te | 3 +
targeted/domains/program/xdm.te | 4 +
targeted/domains/unconfined.te | 18 +++++++
tunables/distro.tun | 2
tunables/tunable.tun | 4 -
types/file.te | 12 +++--
types/network.te | 2
types/security.te | 5 ++
103 files changed, 597 insertions(+), 178 deletions(-)
Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050916.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20050916.patch 19 Sep 2005 19:59:01 -0000 1.4
+++ policy-20050916.patch 21 Sep 2005 01:18:01 -0000 1.5
@@ -266,7 +266,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/restorecon.te policy-1.27.1/domains/program/restorecon.te
--- nsapolicy/domains/program/restorecon.te 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/restorecon.te 2005-09-19 11:05:10.000000000 -0400
++++ policy-1.27.1/domains/program/restorecon.te 2005-09-20 11:14:37.000000000 -0400
@@ -19,7 +19,7 @@
role sysadm_r types restorecon_t;
role secadm_r types restorecon_t;
@@ -276,6 +276,11 @@
allow restorecon_t { tty_device_t admin_tty_type user_tty_type devtty_t }:chr_file { read write ioctl };
domain_auto_trans({ initrc_t sysadm_t secadm_t }, restorecon_exec_t, restorecon_t)
+@@ -63,3 +63,4 @@
+ allow restorecon_t kernel_t:fifo_file { read write };
+ allow restorecon_t kernel_t:unix_dgram_socket { read write };
+ r_dir_file(restorecon_t, { selinux_config_t file_context_t default_context_t } )
++allow restorecon_t autofs_t:dir search;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
--- nsapolicy/domains/program/setfiles.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/setfiles.te 2005-09-19 11:05:10.000000000 -0400
@@ -341,6 +346,25 @@
# Use capabilities.
allow syslogd_t self:capability { dac_override net_admin net_bind_service sys_resource sys_tty_config };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unconfined.te policy-1.27.1/domains/program/unconfined.te
+--- nsapolicy/domains/program/unconfined.te 1969-12-31 19:00:00.000000000 -0500
++++ policy-1.27.1/domains/program/unconfined.te 2005-09-16 11:17:27.000000000 -0400
+@@ -0,0 +1,15 @@
++#DESC Unconfined - Use to essentially disable SELinux for a particular program
++# This domain will be useful as a workaround for e.g. third-party daemon software
++# that has no policy, until one can be written for it.
++#
++# To use, label the executable with unconfined_exec_t, e.g.:
++# chcon -t unconfined_exec_t /usr/local/bin/appsrv
++# Or alternatively add it to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc
++
++type unconfined_t, domain, privlog, admin, privmem, fs_domain, auth_write;
++type unconfined_exec_t, file_type, sysadmfile, exec_type;
++role sysadm_r types unconfined_t;
++domain_auto_trans(sysadm_t, unconfined_exec_t, unconfined_t)
++role system_r types unconfined_t;
++domain_auto_trans(initrc_t, unconfined_exec_t, unconfined_t)
++unconfined_domain(unconfined_t)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/alsa.te policy-1.27.1/domains/program/unused/alsa.te
--- nsapolicy/domains/program/unused/alsa.te 2005-09-16 11:17:08.000000000 -0400
+++ policy-1.27.1/domains/program/unused/alsa.te 2005-09-19 11:05:10.000000000 -0400
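Review bot: The header of the new unconfined.te presents `chcon -t unconfined_exec_t …` as the primary way to use the domain, but a chcon label does not survive the next relabel (restorecon, setfiles, or a file_contexts update), so the comment should mark it as temporary and point to the .fc entry as the durable option, e.g. `# Temporary (lost on relabel): chcon -t unconfined_exec_t /usr/local/bin/appsrv` and `# Permanent: add the path to /etc/security/selinux/src/policy/file_contexts/program/unconfined.fc and run restorecon`. Since unconfined_t carries `admin, privmem, fs_domain, auth_write` and then `unconfined_domain(unconfined_t)`, and both sysadm_t and initrc_t auto-transition into it, anything labeled unconfined_exec_t runs with no effective confinement; one sentence in the header saying so would help whoever follows the instructions. The diffstat also lists `targeted/domains/unconfined.te`, which is not shown here; it is worth confirming that file and this one do not both declare unconfined_t for the targeted build.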
@@ -1455,6 +1479,31 @@
-/srv/([^/]*/)?ftp(/.*)? system_u:object_r:ftpd_anon_t
+/var/ftp(/.*)? system_u:object_r:public_content_t
+/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/games.fc policy-1.27.1/file_contexts/program/games.fc
+--- nsapolicy/file_contexts/program/games.fc 2005-09-12 16:40:27.000000000 -0400
++++ policy-1.27.1/file_contexts/program/games.fc 2005-09-20 10:57:13.000000000 -0400
+@@ -1,8 +1,10 @@
+ # games
+-/usr/lib(64)?/games/.* -- system_u:object_r:games_exec_t
+-/var/games(/.*)? system_u:object_r:games_data_t
+-/usr/games/.* -- system_u:object_r:games_exec_t
++/usr/lib/games(/.*)? system_u:object_r:games_exec_t
+ /var/lib/games(/.*)? system_u:object_r:games_data_t
++ifdef(`distro_debian', `
++/usr/games/.* -- system_u:object_r:games_exec_t
++/var/games(/.*)? system_u:object_r:games_data_t
++', `
+ /usr/bin/micq -- system_u:object_r:games_exec_t
+ /usr/bin/blackjack -- system_u:object_r:games_exec_t
+ /usr/bin/gataxx -- system_u:object_r:games_exec_t
+@@ -53,4 +55,7 @@
+ /usr/bin/lskat -- system_u:object_r:games_exec_t
+ /usr/bin/lskatproc -- system_u:object_r:games_exec_t
+ /usr/bin/Maelstrom -- system_u:object_r:games_exec_t
++/usr/bin/civclient.* -- system_u:object_r:games_exec_t
++/usr/bin/civserver.* -- system_u:object_r:games_exec_t
++')dnl end non-Debian section
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ipsec.fc policy-1.27.1/file_contexts/program/ipsec.fc
--- nsapolicy/file_contexts/program/ipsec.fc 2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/ipsec.fc 2005-09-19 11:05:10.000000000 -0400
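Review bot: The rewritten `/usr/lib/games(/.*)?` line drops both the `(64)?` alternation and the `--` file-class restriction that the removed `/usr/lib(64)?/games/.* --` line had, so on a lib64 layout `/usr/lib64/games` is no longer matched at all, and where the path does match, directories and non-regular files receive games_exec_t as well. Keeping the old coverage would be `/usr/lib(64)?/games(/.*)? system_u:object_r:games_exec_t`, or `/usr/lib(64)?/games/.* -- system_u:object_r:games_exec_t` if only the executables were meant. Separately, `/var/games(/.*)? … games_data_t` now exists only inside the `ifdef(\`distro_debian'` branch, so non-Debian builds lose the label for /var/games; if that is intentional a comment should say so, otherwise the line belongs above the ifdef next to `/var/lib/games`.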
@@ -1581,7 +1630,7 @@
')
diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.1/macros/global_macros.te
--- nsapolicy/macros/global_macros.te 2005-09-16 11:17:11.000000000 -0400
-+++ policy-1.27.1/macros/global_macros.te 2005-09-19 11:17:34.000000000 -0400
++++ policy-1.27.1/macros/global_macros.te 2005-09-20 14:22:30.000000000 -0400
@@ -157,6 +157,11 @@
r_dir_file($1, locale_t)
')
@@ -1604,7 +1653,17 @@
')
#
-@@ -600,10 +604,10 @@
+@@ -514,6 +518,9 @@
+ type $1_t, domain, privlog $2;
+ type $1_exec_t, file_type, sysadmfile, exec_type;
+ role sysadm_r types $1_t;
++ifdef(`targeted_policy', `
++role system_r types $1_t;
++')
+ domain_auto_trans(sysadm_t, $1_exec_t, $1_t)
+ uses_shlib($1_t)
+ ')
+@@ -600,10 +607,10 @@
# Also define boolean to allow anonymous writing
#
define(`anonymous_domain', `
@@ -1617,6 +1676,14 @@
}
')
#
+@@ -618,6 +625,7 @@
+ define(`unconfined_domain', `
+
+ typeattribute $1 unrestricted;
++typeattribute $1 privuser;
+
+ # Mount/unmount any filesystem.
+ allow $1 fs_type:filesystem *;
diff --exclude-from=exclude -N -u -r nsapolicy/macros/network_macros.te policy-1.27.1/macros/network_macros.te
--- nsapolicy/macros/network_macros.te 2005-09-16 11:17:11.000000000 -0400
+++ policy-1.27.1/macros/network_macros.te 2005-09-19 11:05:10.000000000 -0400
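Review bot: `typeattribute $1 privuser;` is added to unconfined_domain without a comment, and privuser is, unless this tree has redefined it, the attribute the policy's constraints key on to let a domain change the SELinux user identity, so every domain handed to this macro can now cross user-identity boundaries in addition to being `unrestricted`. That is a deliberate widening according to the log message, but nothing in the macro says why, and if unconfined_domain is applied to more than unconfined_t in the targeted tree each of those domains inherits it silently. A one-line why-comment, e.g. `# privuser: unconfined domains may change SELinux user identity (see constraints)`, would record the intent. The body of unconfined_domain continues outside this hunk.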
@@ -2158,8 +2225,15 @@
type transproxy_port_t, port_type;
diff --exclude-from=exclude -N -u -r nsapolicy/types/security.te policy-1.27.1/types/security.te
--- nsapolicy/types/security.te 2005-09-12 16:40:26.000000000 -0400
-+++ policy-1.27.1/types/security.te 2005-09-19 11:05:10.000000000 -0400
-@@ -19,6 +19,10 @@
++++ policy-1.27.1/types/security.te 2005-09-20 21:16:41.000000000 -0400
+@@ -13,12 +13,17 @@
+ # applied to selinuxfs inodes.
+ #
+ type security_t, mount_point, fs_type, mlstrustedobject;
++dontaudit domain security_t:dir search;
+
+ #
+ # policy_config_t is the type of /etc/security/selinux/*
# the security server policy configuration.
#
type policy_config_t, file_type, secadmfile;
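Review bot: The new rule `dontaudit domain security_t:dir search;` silences directory-search denials on selinuxfs for every domain, yet the log message and the spec changelog describe it as "dontaudit read of security_t", which this rule does not do; either the changelog entry should say "dir search" or the rule is not the one intended, and the two should be reconciled before release. A why-comment would also help a later reader, because a blanket dontaudit on `domain` removes AVC evidence that a confined process is looking around in /selinux, e.g. `# silence selinuxfs directory lookups from all domains; nothing is granted, only the audit noise is dropped`. The inner hunk header changed from `@@ -19,6 +19,10 @@` to `@@ -13,12 +13,17 @@`, and the rest of that inner hunk lies beyond the lines shown here.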
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.374
retrieving revision 1.375
diff -u -r1.374 -r1.375
--- selinux-policy-targeted.spec 19 Sep 2005 19:28:30 -0000 1.374
+++ selinux-policy-targeted.spec 21 Sep 2005 01:18:01 -0000 1.375
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.1
-Release: 3
+Release: 4
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -246,6 +246,10 @@
exit 0
%changelog
+* Tue Sep 20 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-4
+- Add privuser to unconfined_domain
+- dontaudit read of security_t
+
* Mon Sep 19 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-3
- Add yppasswdd policy
- Change ftpd_anon_t to public_content_t