rpms/selinux-policy-strict/devel policy-20050916.patch, 1.9, 1.10 selinux-policy-strict.spec, 1.383, 1.384
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Sep 23 21:33:32 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv8034
Modified Files:
policy-20050916.patch selinux-policy-strict.spec
Log Message:
* Fri Sep 23 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-7
- Fix su behavior on MCS platform
- Fix dhcpd/dhclient dirs
policy-20050916.patch:
Makefile | 22 +++++----
domains/program/crond.te | 2
domains/program/fsadm.te | 7 ++-
domains/program/hostname.te | 2
domains/program/ifconfig.te | 3 -
domains/program/initrc.te | 17 +++++++
domains/program/ldconfig.te | 3 -
domains/program/load_policy.te | 7 +--
domains/program/login.te | 21 ++++++---
domains/program/modutil.te | 14 +++---
domains/program/mount.te | 5 +-
domains/program/netutils.te | 3 -
domains/program/passwd.te | 1
domains/program/restorecon.te | 3 -
domains/program/setfiles.te | 2
domains/program/ssh.te | 6 ++
domains/program/su.te | 9 +++
domains/program/syslogd.te | 2
domains/program/unused/NetworkManager.te | 3 -
domains/program/unused/alsa.te | 2
domains/program/unused/amanda.te | 70 +++++++------------------------
domains/program/unused/anaconda.te | 5 --
domains/program/unused/apache.te | 9 ++-
domains/program/unused/apmd.te | 13 +++++
domains/program/unused/auditd.te | 2
domains/program/unused/automount.te | 4 +
domains/program/unused/bluetooth.te | 17 +++++++
domains/program/unused/cups.te | 11 ++++
domains/program/unused/cvs.te | 3 +
domains/program/unused/cyrus.te | 2
domains/program/unused/dbusd.te | 4 +
domains/program/unused/dhcpc.te | 5 +-
domains/program/unused/dovecot.te | 4 +
domains/program/unused/hotplug.te | 1
domains/program/unused/hwclock.te | 2
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 5 +-
domains/program/unused/mta.te | 8 +++
domains/program/unused/mysqld.te | 6 +-
domains/program/unused/named.te | 14 ++++--
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 7 +--
domains/program/unused/openct.te | 16 +++++++
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 31 +++++++++++++
domains/program/unused/ping.te | 3 -
domains/program/unused/postfix.te | 8 ++-
domains/program/unused/pppd.te | 5 +-
domains/program/unused/procmail.te | 11 +++-
domains/program/unused/readahead.te | 21 +++++++++
domains/program/unused/rlogind.te | 4 +
domains/program/unused/roundup.te | 29 ++++++++++++
domains/program/unused/rpcd.te | 12 ++++-
domains/program/unused/samba.te | 11 +++-
domains/program/unused/snmpd.te | 5 +-
domains/program/unused/squid.te | 3 -
domains/program/unused/udev.te | 10 +++-
domains/program/unused/utempter.te | 2
domains/program/unused/webalizer.te | 3 +
domains/program/unused/winbind.te | 1
domains/program/unused/xdm.te | 3 +
domains/program/unused/yppasswdd.te | 40 +++++++++++++++++
domains/program/unused/ypserv.te | 1
domains/program/useradd.te | 5 +-
file_contexts/distros.fc | 1
file_contexts/program/bluetooth.fc | 1
file_contexts/program/dhcpc.fc | 2
file_contexts/program/dhcpd.fc | 1
file_contexts/program/ftpd.fc | 5 +-
file_contexts/program/games.fc | 11 +++-
file_contexts/program/ipsec.fc | 1
file_contexts/program/openct.fc | 2
file_contexts/program/pegasus.fc | 11 ++++
file_contexts/program/pppd.fc | 2
file_contexts/program/readahead.fc | 1
file_contexts/program/roundup.fc | 2
file_contexts/program/rpm.fc | 4 +
file_contexts/program/rsync.fc | 2
file_contexts/program/xdm.fc | 2
file_contexts/program/yppasswdd.fc | 2
file_contexts/program/ypserv.fc | 1
file_contexts/types.fc | 1
genfs_contexts | 2
macros/core_macros.te | 3 +
macros/global_macros.te | 16 +++++--
macros/network_macros.te | 17 +++++++
macros/program/apache_macros.te | 13 ++++-
macros/program/cdrecord_macros.te | 2
macros/program/i18n_input_macros.te | 21 +++++++++
macros/program/mta_macros.te | 4 -
macros/program/newrole_macros.te | 2
macros/program/pyzor_macros.te | 2
macros/program/razor_macros.te | 2
macros/program/su_macros.te | 2
macros/program/uml_macros.te | 2
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 10 ++--
man/man8/rsync_selinux.8 | 6 +-
mcs | 16 ++++++-
net_contexts | 6 ++
targeted/appconfig/root_default_contexts | 4 +
targeted/domains/program/ssh.te | 3 +
targeted/domains/program/xdm.te | 4 +
targeted/domains/unconfined.te | 18 +++++++
tunables/distro.tun | 2
tunables/tunable.tun | 4 -
types/devpts.te | 4 +
types/file.te | 15 ++++--
types/network.te | 2
types/security.te | 5 ++
110 files changed, 613 insertions(+), 182 deletions(-)
Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050916.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20050916.patch 23 Sep 2005 19:26:12 -0000 1.9
+++ policy-20050916.patch 23 Sep 2005 21:33:18 -0000 1.10
@@ -564,7 +564,7 @@
# connect to mysql
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
--- nsapolicy/domains/program/unused/apmd.te 2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apmd.te 2005-09-21 08:39:31.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apmd.te 2005-09-23 17:01:30.000000000 -0400
@@ -47,6 +47,7 @@
# acpid also has a logfile
@@ -573,7 +573,7 @@
ifdef(`distro_suse', `
var_lib_domain(apmd)
-@@ -140,3 +141,14 @@
+@@ -140,3 +141,15 @@
allow apmd_t user_tty_type:chr_file rw_file_perms;
# Access /dev/apm_bios.
allow initrc_t apm_bios_t:chr_file { setattr getattr read };
@@ -583,7 +583,8 @@
+')dnl end if logrotate.te
+allow apmd_t devpts_t:dir { getattr search };
+allow apmd_t security_t:dir search;
-+r_dir_file(apmd_t, usr_t)
++allow apmd_t usr_t:dir search;
++r_dir_file(apmd_t, hwdata_t)
+ifdef(`targeted_policy', `
+unconfined_domain(apmd_t)
+')
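Review bot: Replacing `r_dir_file(apmd_t, usr_t)` with `allow apmd_t usr_t:dir search;` plus `r_dir_file(apmd_t, hwdata_t)` only works once /usr/share/hwdata actually carries the new hwdata_t label. On a system upgraded in place the files stay usr_t until they are relabelled, so apmd_t would be denied reading them in the meantime. The same dependency applies to the `r_dir_file(hotplug_t, hwdata_t)` and `r_dir_file(kudzu_t, hwdata_t)` additions later in this patch. The package should relabel that path on upgrade, and it is worth checking that no other domain still reaches hwdata only through usr_t. A short comment above the two new lines would help, for example `# hwdata has its own type; apmd only needs to traverse /usr`.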
@@ -802,6 +803,17 @@
create_dir_file(dovecot_t, dovecot_spool_t)
create_dir_file(mta_delivery_agent, dovecot_spool_t)
allow dovecot_t mail_spool_t:lnk_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.1/domains/program/unused/hotplug.te
+--- nsapolicy/domains/program/unused/hotplug.te 2005-09-12 16:40:28.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hotplug.te 2005-09-23 17:02:56.000000000 -0400
+@@ -132,6 +132,7 @@
+ allow hotplug_t sysfs_t:dir { getattr read search write };
+ allow hotplug_t sysfs_t:file rw_file_perms;
+ allow hotplug_t sysfs_t:lnk_file { getattr read };
++r_dir_file(hotplug_t, hwdata_t)
+ allow hotplug_t udev_runtime_t:file rw_file_perms;
+ ifdef(`lpd.te', `
+ allow hotplug_t printer_device_t:chr_file setattr;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hwclock.te policy-1.27.1/domains/program/unused/hwclock.te
--- nsapolicy/domains/program/unused/hwclock.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/hwclock.te 2005-09-20 21:33:02.000000000 -0400
@@ -832,7 +844,7 @@
allow ipsec_mgmt_t self:{ tcp_socket udp_socket } create_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.27.1/domains/program/unused/kudzu.te
--- nsapolicy/domains/program/unused/kudzu.te 2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/kudzu.te 2005-09-20 21:33:02.000000000 -0400
++++ policy-1.27.1/domains/program/unused/kudzu.te 2005-09-23 17:02:13.000000000 -0400
@@ -20,7 +20,7 @@
allow kudzu_t ramfs_t:dir search;
allow kudzu_t ramfs_t:sock_file write;
@@ -842,6 +854,23 @@
allow kudzu_t modules_object_t:dir r_dir_perms;
allow kudzu_t { modules_object_t modules_dep_t }:file { getattr read };
allow kudzu_t mouse_device_t:chr_file { read write };
+@@ -64,6 +64,7 @@
+ allow kudzu_t lib_t:file { read getattr };
+ # Read /usr/share/hwdata/.* and /usr/share/terminfo/l/linux
+ allow kudzu_t usr_t:file { read getattr };
++r_dir_file(kudzu_t, hwdata_t)
+
+ # Communicate with rhgb-client.
+ allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
+@@ -107,6 +108,8 @@
+ ifdef(`userhelper.te', `
+ role system_r types sysadm_userhelper_t;
+ domain_auto_trans(kudzu_t, userhelper_exec_t, sysadm_userhelper_t)
++', `
++unconfined_domain(kudzu_t)
+ ')
+
+ allow kudzu_t initrc_t:unix_stream_socket connectto;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.27.1/domains/program/unused/mta.te
--- nsapolicy/domains/program/unused/mta.te 2005-09-16 11:17:09.000000000 -0400
+++ policy-1.27.1/domains/program/unused/mta.te 2005-09-20 21:33:02.000000000 -0400
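Review bot: The new else-branch in kudzu.te makes `unconfined_domain(kudzu_t)` apply whenever userhelper.te is not compiled in, and nothing in the hunk ties that to the targeted policy. This package builds the strict policy, where a build without userhelper.te would appear to leave kudzu_t running unconfined as a side effect of an unrelated module being absent. apmd.te in this same patch guards the equivalent call with an ifdef on `targeted_policy`; doing the same here, as a separate block after the userhelper ifdef, would keep the strict domain confined. The existing comment "Read /usr/share/hwdata/.*" above the usr_t:file rule is also out of date now that hwdata has its own type.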
@@ -1379,6 +1408,19 @@
# Use capabilities.
allow utempter_t self:capability setgid;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.27.1/domains/program/unused/webalizer.te
+--- nsapolicy/domains/program/unused/webalizer.te 2005-09-12 16:40:29.000000000 -0400
++++ policy-1.27.1/domains/program/unused/webalizer.te 2005-09-23 17:23:00.000000000 -0400
+@@ -20,6 +20,9 @@
+ #read apache log
+ allow webalizer_t var_log_t:dir r_dir_perms;
+ r_dir_file(webalizer_t, httpd_log_t)
++ifdef(`ftpd.te', `
++allow webalizer_t xferlog_t:file { getattr read };
++')
+
+ #r/w /var/lib/webalizer
+ var_lib_domain(webalizer)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.27.1/domains/program/unused/winbind.te
--- nsapolicy/domains/program/unused/winbind.te 2005-09-12 16:40:29.000000000 -0400
+++ policy-1.27.1/domains/program/unused/winbind.te 2005-09-20 21:33:02.000000000 -0400
@@ -1499,8 +1541,8 @@
/usr/sbin/sdpd -- system_u:object_r:bluetooth_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.1/file_contexts/program/dhcpc.fc
--- nsapolicy/file_contexts/program/dhcpc.fc 2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/dhcpc.fc 2005-09-20 21:33:02.000000000 -0400
-@@ -4,6 +4,7 @@
++++ policy-1.27.1/file_contexts/program/dhcpc.fc 2005-09-23 17:32:37.000000000 -0400
+@@ -4,9 +4,11 @@
/etc/dhclient.*conf -- system_u:object_r:dhcp_etc_t
/etc/dhclient-script -- system_u:object_r:dhcp_etc_t
/sbin/dhcpcd -- system_u:object_r:dhcpc_exec_t
@@ -1508,6 +1550,21 @@
/sbin/dhclient.* -- system_u:object_r:dhcpc_exec_t
/var/lib/dhcp(3)?/dhclient.* system_u:object_r:dhcpc_state_t
/var/lib/dhcpcd(/.*)? system_u:object_r:dhcpc_state_t
++/var/lib/dhclient(/.*)? system_u:object_r:dhcpc_state_t
+ /var/run/dhclient.*\.pid -- system_u:object_r:dhcpc_var_run_t
+ /var/run/dhclient.*\.leases -- system_u:object_r:dhcpc_var_run_t
+ # pump
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpd.fc policy-1.27.1/file_contexts/program/dhcpd.fc
+--- nsapolicy/file_contexts/program/dhcpd.fc 2005-09-16 11:17:10.000000000 -0400
++++ policy-1.27.1/file_contexts/program/dhcpd.fc 2005-09-23 17:34:22.000000000 -0400
+@@ -13,6 +13,7 @@
+ /etc/dhcp -d system_u:object_r:dhcp_etc_t
+ /etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
+ /var/lib/dhcp -d system_u:object_r:dhcp_state_t
++/var/lib/dhcpd(/.*)? system_u:object_r:dhcpd_state_t
+ /var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
+ /var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
+
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ftpd.fc policy-1.27.1/file_contexts/program/ftpd.fc
--- nsapolicy/file_contexts/program/ftpd.fc 2005-09-12 16:40:27.000000000 -0400
+++ policy-1.27.1/file_contexts/program/ftpd.fc 2005-09-21 08:32:51.000000000 -0400
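Review bot: The added `/var/lib/dhcpd(/.*)?` entry in dhcpd.fc has no file-type field, so the directory itself is labelled dhcpd_state_t along with everything under it. The existing lines beside it keep `/var/lib/dhcp` as a dhcp_state_t directory and give dhcpd_state_t only to the lease files. Whether dhcpd_t holds directory permissions on dhcpd_state_t is not visible in this hunk; if it only has file permissions there, lease creation in the new location will be denied. Existing installs also need this path and `/var/lib/dhclient` relabelled after the update, or the daemons keep seeing the old types.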
@@ -1646,6 +1703,17 @@
/usr/sbin/ypserv -- system_u:object_r:ypserv_exec_t
+/usr/lib/yp/.+ -- system_u:object_r:bin_t
/etc/ypserv\.conf -- system_u:object_r:ypserv_conf_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.1/file_contexts/types.fc
+--- nsapolicy/file_contexts/types.fc 2005-09-16 11:17:10.000000000 -0400
++++ policy-1.27.1/file_contexts/types.fc 2005-09-23 17:01:01.000000000 -0400
+@@ -485,6 +485,7 @@
+ # Turboprint
+ #
+ /usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
++/usr/share/hwdata(/.*)? system_u:object_r:hwdata_t
+
+ #
+ # initrd mount point, only used during boot
diff --exclude-from=exclude -N -u -r nsapolicy/genfs_contexts policy-1.27.1/genfs_contexts
--- nsapolicy/genfs_contexts 2005-09-12 16:40:26.000000000 -0400
+++ policy-1.27.1/genfs_contexts 2005-09-20 21:33:02.000000000 -0400
@@ -2231,7 +2299,7 @@
+')
diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.27.1/types/file.te
--- nsapolicy/types/file.te 2005-09-16 11:17:12.000000000 -0400
-+++ policy-1.27.1/types/file.te 2005-09-20 21:33:02.000000000 -0400
++++ policy-1.27.1/types/file.te 2005-09-23 17:00:17.000000000 -0400
@@ -307,8 +307,7 @@
type hugetlbfs_t, mount_point, fs_type, sysadmfile;
allow hugetlbfs_t self:filesystem associate;
@@ -2252,7 +2320,7 @@
# removable_t is the default type of all removable media
type removable_t, file_type, sysadmfile, usercanread;
allow removable_t self:filesystem associate;
-@@ -332,8 +334,10 @@
+@@ -332,11 +334,16 @@
allow file_type noexattrfile:filesystem associate;
# Type for anonymous FTP data, used by ftp and rsync
@@ -2265,6 +2333,12 @@
allow customizable self:filesystem associate;
+ # type for /tmp/.ICE-unix
+ type ice_tmp_t, file_type, sysadmfile, tmpfile;
+
++# type for /usr/share/hwdata
++type hwdata_t, file_type, sysadmfile;
++
diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.27.1/types/network.te
--- nsapolicy/types/network.te 2005-09-16 11:17:12.000000000 -0400
+++ policy-1.27.1/types/network.te 2005-09-20 21:33:02.000000000 -0400
Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.383
retrieving revision 1.384
diff -u -r1.383 -r1.384
--- selinux-policy-strict.spec 23 Sep 2005 19:26:12 -0000 1.383
+++ selinux-policy-strict.spec 23 Sep 2005 21:33:18 -0000 1.384
@@ -11,7 +11,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.1
-Release: 6
+Release: 7
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -242,8 +242,9 @@
exit 0
%changelog
-* Fri Sep 23 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-6
+* Fri Sep 23 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-7
- Fix su behavior on MCS platform
+- Fix dhcpd/dhclient dirs
* Wed Sep 21 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-5
- Fix xferlog for vsftpd