rpms/selinux-policy-targeted/devel policy-20050916.patch, 1.9, 1.10 selinux-policy-targeted.spec, 1.378, 1.379

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Sep 26 20:10:45 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv22548

Modified Files:
	policy-20050916.patch selinux-policy-targeted.spec 
Log Message:
* Mon Sep 26 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-8
- Many fixes for postfix and bluetooth


policy-20050916.patch:
 Makefile                                 |   22 +++++----
 domains/program/crond.te                 |    2 
 domains/program/fsadm.te                 |    7 ++-
 domains/program/hostname.te              |    2 
 domains/program/ifconfig.te              |    3 -
 domains/program/initrc.te                |   17 +++++++
 domains/program/ldconfig.te              |    3 -
 domains/program/load_policy.te           |    7 +--
 domains/program/login.te                 |   21 ++++++---
 domains/program/modutil.te               |   14 +++---
 domains/program/mount.te                 |    5 +-
 domains/program/netutils.te              |    3 -
 domains/program/passwd.te                |    1 
 domains/program/restorecon.te            |    3 -
 domains/program/setfiles.te              |    4 -
 domains/program/ssh.te                   |    6 ++
 domains/program/su.te                    |    9 +++
 domains/program/syslogd.te               |    2 
 domains/program/unused/NetworkManager.te |    3 -
 domains/program/unused/alsa.te           |    2 
 domains/program/unused/amanda.te         |   70 +++++++------------------------
 domains/program/unused/anaconda.te       |    5 --
 domains/program/unused/apache.te         |    9 ++-
 domains/program/unused/apmd.te           |   13 +++++
 domains/program/unused/auditd.te         |    2 
 domains/program/unused/automount.te      |    4 +
 domains/program/unused/bluetooth.te      |   57 ++++++++++++++++++++++++-
 domains/program/unused/cups.te           |   16 +++++--
 domains/program/unused/cvs.te            |    3 +
 domains/program/unused/cyrus.te          |    2 
 domains/program/unused/dbusd.te          |    4 +
 domains/program/unused/dhcpc.te          |    5 +-
 domains/program/unused/dhcpd.te          |    3 -
 domains/program/unused/dovecot.te        |    4 +
 domains/program/unused/hald.te           |    2 
 domains/program/unused/hotplug.te        |    1 
 domains/program/unused/hwclock.te        |    2 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    5 +-
 domains/program/unused/mta.te            |    8 +++
 domains/program/unused/mysqld.te         |    6 +-
 domains/program/unused/named.te          |   14 ++++--
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |    7 +--
 domains/program/unused/openct.te         |   16 +++++++
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   31 +++++++++++++
 domains/program/unused/ping.te           |    3 -
 domains/program/unused/postfix.te        |   24 ++++++----
 domains/program/unused/pppd.te           |    7 +--
 domains/program/unused/procmail.te       |   11 +++-
 domains/program/unused/readahead.te      |   21 +++++++++
 domains/program/unused/rlogind.te        |    4 +
 domains/program/unused/roundup.te        |   29 ++++++++++++
 domains/program/unused/rpcd.te           |   12 ++++-
 domains/program/unused/samba.te          |   11 +++-
 domains/program/unused/snmpd.te          |    5 +-
 domains/program/unused/squid.te          |    3 -
 domains/program/unused/udev.te           |   10 +++-
 domains/program/unused/utempter.te       |    2 
 domains/program/unused/webalizer.te      |    3 +
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/xdm.te            |    3 +
 domains/program/unused/yppasswdd.te      |   40 +++++++++++++++++
 domains/program/unused/ypserv.te         |    1 
 domains/program/useradd.te               |    5 +-
 file_contexts/distros.fc                 |    1 
 file_contexts/program/bluetooth.fc       |    3 +
 file_contexts/program/dhcpc.fc           |    2 
 file_contexts/program/dhcpd.fc           |    1 
 file_contexts/program/ftpd.fc            |    5 +-
 file_contexts/program/games.fc           |   11 +++-
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/pegasus.fc         |   11 ++++
 file_contexts/program/pppd.fc            |    2 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/rpm.fc             |    4 +
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    2 
 genfs_contexts                           |    2 
 macros/core_macros.te                    |    3 +
 macros/global_macros.te                  |   16 +++++--
 macros/network_macros.te                 |   17 +++++++
 macros/program/apache_macros.te          |   13 ++++-
 macros/program/cdrecord_macros.te        |    2 
 macros/program/i18n_input_macros.te      |   21 +++++++++
 macros/program/mta_macros.te             |    4 -
 macros/program/newrole_macros.te         |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/su_macros.te              |    2 
 macros/program/uml_macros.te             |    2 
 macros/user_macros.te                    |    1 
 man/man8/ftpd_selinux.8                  |   10 ++--
 man/man8/rsync_selinux.8                 |    6 +-
 mcs                                      |   16 ++++++-
 net_contexts                             |    6 ++
 targeted/appconfig/root_default_contexts |    4 +
 targeted/domains/program/ssh.te          |    3 +
 targeted/domains/program/xdm.te          |    4 +
 targeted/domains/unconfined.te           |   18 +++++++
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 -
 types/devpts.te                          |    4 +
 types/file.te                            |   15 ++++--
 types/network.te                         |    2 
 types/security.te                        |    5 ++
 112 files changed, 671 insertions(+), 197 deletions(-)

Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050916.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20050916.patch	23 Sep 2005 21:33:30 -0000	1.9
+++ policy-20050916.patch	26 Sep 2005 20:10:42 -0000	1.10
@@ -292,7 +292,16 @@
 +allow restorecon_t autofs_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/setfiles.te policy-1.27.1/domains/program/setfiles.te
 --- nsapolicy/domains/program/setfiles.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.1/domains/program/setfiles.te	2005-09-20 21:33:02.000000000 -0400
++++ policy-1.27.1/domains/program/setfiles.te	2005-09-26 16:09:45.000000000 -0400
+@@ -12,7 +12,7 @@
+ #
+ # needs auth_write attribute because it has relabelfrom/relabelto
+ # access to shadow_t
+-type setfiles_t, domain, privlog, privowner, auth_write, change_context;
++type setfiles_t, domain, privlog, privowner, auth_write, change_context, mlsfileread, mlsfilewrite, mlsfileupgrade, mlsfiledowngrade;
+ type setfiles_exec_t, file_type, sysadmfile, exec_type;
+ 
+ role system_r types setfiles_t;
 @@ -22,7 +22,7 @@
  ifdef(`distro_redhat', `
  domain_auto_trans(initrc_t, setfiles_exec_t, setfiles_t)
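Review bot: The mlsfileread, mlsfilewrite, mlsfileupgrade and mlsfiledowngrade attributes added to the `type setfiles_t, ...` declaration are not explained by the header comment above it, which only justifies auth_write. Since these presumably exempt setfiles from the MLS file constraints so it can relabel objects at any sensitivity level, a line such as `# mlsfile* attributes: setfiles must relabel files at every MLS level when restoring contexts — confirm against the mls constraints` next to the existing auth_write comment would keep the reason auditable. The rest of setfiles.te is outside the hunk.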
@@ -626,14 +635,15 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/bluetooth.te policy-1.27.1/domains/program/unused/bluetooth.te
 --- nsapolicy/domains/program/unused/bluetooth.te	2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-09-20 21:33:02.000000000 -0400
-@@ -11,11 +11,16 @@
++++ policy-1.27.1/domains/program/unused/bluetooth.te	2005-09-26 15:26:45.000000000 -0400
+@@ -11,11 +11,17 @@
  daemon_domain(bluetooth)
  
  file_type_auto_trans(bluetooth_t, var_run_t, bluetooth_var_run_t, sock_file)
 +file_type_auto_trans(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t)
  
  tmp_domain(bluetooth)
++var_lib_domain(bluetooth)
  
  # Use capabilities.
  allow bluetooth_t self:capability { net_admin net_raw sys_tty_config };
@@ -644,7 +654,7 @@
  
  lock_domain(bluetooth)
  
-@@ -35,6 +40,7 @@
+@@ -35,6 +41,7 @@
  
  # bluetooth_conf_t is the type of the /etc/bluetooth dir.
  type bluetooth_conf_t, file_type, sysadmfile;
@@ -652,7 +662,7 @@
  
  # Read /etc/bluetooth
  allow bluetooth_t bluetooth_conf_t:dir search;
-@@ -44,5 +50,14 @@
+@@ -44,5 +51,53 @@
  allow bluetooth_t usbfs_t:dir r_dir_perms;
  allow bluetooth_t usbfs_t:file rw_file_perms; 
  allow bluetooth_t bin_t:dir search;
@@ -663,14 +673,53 @@
 +#Handle bluetooth serial devices
 +allow bluetooth_t tty_device_t:chr_file rw_file_perms;
 +allow bluetooth_t self:fifo_file rw_file_perms;
-+allow bluetooth_t etc_t:file { getattr read };
++allow bluetooth_t { etc_t etc_runtime_t }:file { getattr read };
 +r_dir_file(bluetooth_t, fonts_t)
 +allow bluetooth_t urandom_device_t:chr_file r_file_perms;
 +allow bluetooth_t usr_t:file { getattr read };
++
++application_domain(bluetooth_helper, `, nscd_client_domain')
++domain_auto_trans(bluetooth_t, bluetooth_helper_exec_t, bluetooth_helper_t)
++role system_r types bluetooth_helper_t;
++read_locale(bluetooth_helper_t) 
++typeattribute bluetooth_helper_t unrestricted;
++r_dir_file(bluetooth_helper_t, domain)
++allow bluetooth_helper_t bin_t:dir { getattr search };
++can_exec(bluetooth_helper_t, { bin_t shell_exec_t })
++allow bluetooth_helper_t bin_t:lnk_file read;
++allow bluetooth_helper_t self:capability sys_nice;
++allow bluetooth_helper_t self:fifo_file rw_file_perms;
++allow bluetooth_helper_t self:process fork;
++allow bluetooth_helper_t self:shm create_shm_perms;
++allow bluetooth_helper_t self:unix_stream_socket create_stream_socket_perms;
++allow bluetooth_helper_t { etc_t etc_runtime_t }:file { getattr read };
++r_dir_file(bluetooth_helper_t, fonts_t)
++r_dir_file(bluetooth_helper_t, proc_t)
++read_sysctl(bluetooth_helper_t)
++allow bluetooth_helper_t tmp_t:dir search;
++allow bluetooth_helper_t usr_t:file { getattr read };
++allow bluetooth_helper_t home_dir_type:dir search;
++allow bluetooth_helper_t xserver_log_t:dir search;
++allow bluetooth_helper_t xserver_log_t:file { getattr read };
++ifdef(`targeted_policy', `
++allow bluetooth_helper_t tmp_t:sock_file { read write };
++allow bluetooth_helper_t tmpfs_t:file { read write };
++allow bluetooth_helper_t unconfined_t:unix_stream_socket connectto;
++allow bluetooth_t unconfined_t:dbus send_msg;
++allow unconfined_t bluetooth_t:dbus send_msg;
++', `
++allow bluetooth_helper_t xdm_xserver_tmp_t:sock_file { read write };
++allow bluetooth_t unpriv_userdomain:dbus send_msg;
++allow unpriv_userdomain bluetooth_t:dbus send_msg;
++')
++allow bluetooth_helper_t bluetooth_t:socket { read write };
++
++dontaudit bluetooth_helper_t default_t:dir { read search };
++dontaudit bluetooth_helper_t { devtty_t ttyfile }:chr_file { read write };
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.27.1/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/cups.te	2005-09-20 21:33:02.000000000 -0400
++++ policy-1.27.1/domains/program/unused/cups.te	2005-09-26 16:03:35.000000000 -0400
 @@ -188,6 +188,7 @@
  # Uses networking to talk to the daemons
  allow hplip_t self:unix_dgram_socket create_socket_perms;
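Review bot: `typeattribute bluetooth_helper_t unrestricted;` combined with `can_exec(bluetooth_helper_t, { bin_t shell_exec_t })`, `r_dir_file(bluetooth_helper_t, domain)` and the home_dir_type search makes bluetooth_helper_t a very wide domain, and nothing in the hunk records what the helper is or why each of these is needed. The companion bluetooth.fc hunk labels only /usr/bin/bluepin with bluetooth_helper_exec_t, and the fonts/tmpfs/xserver_log_t rules suggest a graphical PIN-entry program, so a header comment along the lines of `# bluetooth_helper_t: PIN-entry helper (bluepin) spawned by hcid; needs X/fonts/tmpfs access as a GUI client — confirm` above `application_domain(bluetooth_helper, ...)` would make the grants reviewable. What `unrestricted` extends to this domain is not visible here; its definition should be checked before accepting shell execution in an attribute-widened domain, and the bin_t/shell_exec_t exec could possibly be narrowed to what bluepin itself runs. The two closing dontaudit lines deserve one-line why-comments so they are not mistaken for grants, and `read_locale(bluetooth_helper_t) ` carries trailing whitespace.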
@@ -704,7 +753,19 @@
  
  can_network_tcp(cupsd_config_t)
  can_ypbind(cupsd_config_t)
-@@ -311,3 +316,7 @@
+@@ -256,9 +261,8 @@
+ ifdef(`hald.te', `
+ 
+ ifdef(`dbusd.te', `
+-allow cupsd_t hald_t:dbus send_msg;
+-allow cupsd_config_t hald_t:dbus send_msg;
+-allow hald_t cupsd_t:dbus send_msg;
++allow { cupsd_t cupsd_config_t } hald_t:dbus send_msg;
++allow hald_t { cupsd_t cupsd_config_t }:dbus send_msg;
+ ')dnl end if dbusd.te
+ 
+ allow hald_t cupsd_config_t:process signal;
+@@ -311,3 +315,7 @@
  r_dir_file(cupsd_lpd_t, cupsd_etc_t)
  r_dir_file(cupsd_lpd_t, cupsd_rw_etc_t)
  allow cupsd_lpd_t ipp_port_t:tcp_socket name_connect;
@@ -789,6 +850,26 @@
 -')dnl end ifdef unconfined.te
 +')
  ')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dhcpd.te policy-1.27.1/domains/program/unused/dhcpd.te
+--- nsapolicy/domains/program/unused/dhcpd.te	2005-09-12 16:40:28.000000000 -0400
++++ policy-1.27.1/domains/program/unused/dhcpd.te	2005-09-26 11:24:26.000000000 -0400
+@@ -17,8 +17,6 @@
+ #
+ daemon_domain(dhcpd, `, nscd_client_domain')
+ 
+-allow dhcpd_t dhcpd_port_t:udp_socket name_bind;
+-
+ # for UDP port 4011
+ allow dhcpd_t pxe_port_t:udp_socket name_bind;
+ 
+@@ -27,6 +25,7 @@
+ # Use the network.
+ can_network(dhcpd_t)
+ allow dhcpd_t port_type:tcp_socket name_connect;
++allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;
+ can_ypbind(dhcpd_t)
+ allow dhcpd_t self:unix_dgram_socket create_socket_perms;
+ allow dhcpd_t self:unix_stream_socket create_socket_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/dovecot.te policy-1.27.1/domains/program/unused/dovecot.te
 --- nsapolicy/domains/program/unused/dovecot.te	2005-09-12 16:40:28.000000000 -0400
 +++ policy-1.27.1/domains/program/unused/dovecot.te	2005-09-20 21:33:02.000000000 -0400
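Review bot: `allow dhcpd_t dhcpd_port_t:{ tcp_socket udp_socket } name_bind;` widens the replaced udp-only rule to a TCP listener on the same port type, and no comment says which TCP service that is for. Adding `# dhcpd also binds dhcpd_port_t over TCP — name the service (failover/OMAPI?) here` next to it would make the widening deliberate and let a later reviewer drop it if that listener is not enabled. The surviving `# for UDP port 4011` comment still describes the pxe_port_t rule beneath it, so that one reads fine after the move.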
@@ -803,6 +884,15 @@
  create_dir_file(dovecot_t, dovecot_spool_t)
  create_dir_file(mta_delivery_agent, dovecot_spool_t)
  allow dovecot_t mail_spool_t:lnk_file read;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.27.1/domains/program/unused/hald.te
+--- nsapolicy/domains/program/unused/hald.te	2005-09-16 11:17:09.000000000 -0400
++++ policy-1.27.1/domains/program/unused/hald.te	2005-09-26 09:21:29.000000000 -0400
+@@ -100,4 +100,4 @@
+ ifdef(`mount.te', `
+ domain_auto_trans(hald_t, mount_exec_t, mount_t)
+ ')
+-
++r_dir_file(hald_t, hwdata_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.27.1/domains/program/unused/hotplug.te
 --- nsapolicy/domains/program/unused/hotplug.te	2005-09-12 16:40:28.000000000 -0400
 +++ policy-1.27.1/domains/program/unused/hotplug.te	2005-09-23 17:02:56.000000000 -0400
@@ -1105,8 +1195,17 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/postfix.te policy-1.27.1/domains/program/unused/postfix.te
 --- nsapolicy/domains/program/unused/postfix.te	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/postfix.te	2005-09-20 21:33:02.000000000 -0400
-@@ -69,6 +69,9 @@
++++ policy-1.27.1/domains/program/unused/postfix.te	2005-09-26 15:58:21.000000000 -0400
+@@ -54,6 +54,8 @@
+ allow postfix_$1_t proc_net_t:dir search;
+ allow postfix_$1_t proc_net_t:file { getattr read };
+ can_exec(postfix_$1_t, postfix_$1_exec_t)
++r_dir_file(postfix_$1_t, cert_t)
++allow postfix_$1_t { urandom_device_t random_device_t }:chr_file { read getattr };
+ 
+ allow postfix_$1_t tmp_t:dir getattr;
+ 
+@@ -69,6 +71,9 @@
  postfix_domain(master, `, mail_server_domain')
  rhgb_domain(postfix_master_t)
  
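Review bot: `r_dir_file(postfix_$1_t, cert_t)` grants every postfix_$1_t domain read access to all of cert_t, while only the domains that handle TLS need the certificate, and depending on how the key files are labelled private key material may live under the same type. If the intent is TLS for the smtp/smtpd side, keeping the rule in those domains rather than the shared macro would be tighter; if it has to stay here, a comment such as `# TLS: certificate (and possibly key) access for every postfix sub-domain` records the breadth. Folding the urandom/random rule into the macro is fine since it replaces the per-domain rules deleted in the next hunk. The postfix_domain macro body begins outside the hunk.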
@@ -1116,7 +1215,72 @@
  read_sysctl(postfix_master_t)
  
  domain_auto_trans(initrc_t, postfix_master_exec_t, postfix_master_t)
-@@ -260,7 +263,7 @@
+@@ -98,6 +103,7 @@
+ can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t)
+ ifdef(`distro_redhat', `
+ file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, postfix_etc_t, etc_aliases_t)
++file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, etc_t, etc_aliases_t)
+ ', `
+ file_type_auto_trans({ sysadm_mail_t system_mail_t }, etc_t, etc_aliases_t)
+ ')
+@@ -121,7 +127,7 @@
+ can_network(postfix_master_t)
+ allow postfix_master_t port_type:tcp_socket name_connect;
+ can_ypbind(postfix_master_t)
+-allow postfix_master_t smtp_port_t:tcp_socket name_bind;
++allow postfix_master_t { amavisd_send_port_t smtp_port_t }:tcp_socket name_bind;
+ allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms;
+ allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr };
+ allow postfix_master_t postfix_prng_t:file getattr;
+@@ -135,13 +141,11 @@
+ ')
+ 
+ create_dir_file(postfix_master_t, postfix_spool_flush_t)
+-allow postfix_master_t random_device_t:chr_file { read getattr };
+ allow postfix_master_t postfix_prng_t:file rw_file_perms;
+ # for ls to get the current context
+ allow postfix_master_t self:file { getattr read };
+ 
+ # for SSP
+-allow postfix_master_t urandom_device_t:chr_file read;
+ 
+ # allow access to deferred queue and allow removing bogus incoming entries
+ allow postfix_master_t postfix_spool_t:dir create_dir_perms;
+@@ -163,7 +167,6 @@
+ allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+ allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
+ allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
+-allow postfix_smtp_t urandom_device_t:chr_file { getattr read };
+ allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
+ # if you have two different mail servers on the same host let them talk via
+ # SMTP, also if one mail server wants to talk to itself then allow it and let
+@@ -172,7 +175,6 @@
+ can_tcp_connect(postfix_smtp_t, mail_server_domain)
+ 
+ postfix_server_domain(smtpd)
+-allow postfix_smtpd_t urandom_device_t:chr_file { getattr read };
+ allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+ allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
+ allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
+@@ -184,7 +186,7 @@
+ 
+ # for prng_exch
+ allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+-
++dontaudit postfix_smtpd_t { home_root_t boot_t }:dir getattr;
+ allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+ 
+ postfix_server_domain(local, `, mta_delivery_agent')
+@@ -196,7 +198,7 @@
+ ')
+ allow postfix_local_t etc_aliases_t:file r_file_perms;
+ allow postfix_local_t self:fifo_file rw_file_perms;
+-allow postfix_local_t self:process setrlimit;
++allow postfix_local_t postfix_local_t:process { setsched setrlimit };
+ allow postfix_local_t postfix_spool_t:file rw_file_perms;
+ # for .forward - maybe we need a new type for it?
+ allow postfix_local_t postfix_private_t:dir search;
+@@ -260,7 +262,7 @@
  postfix_user_domain(showq)
  # the following auto_trans is usually in postfix server domain
  domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
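Review bot: The new `file_type_auto_trans({ sysadm_mail_t system_mail_t postfix_master_t }, etc_t, etc_aliases_t)` in the distro_redhat branch lets the postfix master daemon create files in etc_t directories (labelled etc_aliases_t), which the non-redhat branch just below does not grant it; a comment such as `# postfix_master_t creates etc_aliases_t files directly under etc_t on Red Hat (aliases.db regeneration?) — confirm` would record why the daemon rather than the mail client domains needs it. Removing `allow postfix_master_t urandom_device_t:chr_file read;` leaves the `# for SSP` comment orphaned above a blank line; drop the comment or move it to the macro where the random-device rule now lives. `allow postfix_local_t postfix_local_t:process { setsched setrlimit };` should use `self` like the fifo_file rule just above it: `allow postfix_local_t self:process { setsched setrlimit };`.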
@@ -1125,7 +1289,7 @@
  r_dir_file(postfix_showq_t, postfix_spool_maildrop_t)
  domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
  allow postfix_showq_t self:capability { setuid setgid };
-@@ -329,7 +332,8 @@
+@@ -329,7 +331,8 @@
  domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
  ')
  ifdef(`sendmail.te', `
@@ -1135,15 +1299,24 @@
  ')
  
  # Program for creating database files
+@@ -348,5 +351,8 @@
+ dontaudit postfix_map_t var_t:dir search;
+ can_network_server(postfix_map_t)
+ allow postfix_map_t port_type:tcp_socket name_connect;
++r_dir_file(postfix_local_t, etc_mail_t)
+ allow postfix_local_t mail_spool_t:dir { remove_name };
+ allow postfix_local_t mail_spool_t:file { unlink };
++can_exec(postfix_local_t, bin_t)
++
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pppd.te	2005-09-20 21:33:02.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pppd.te	2005-09-26 11:31:22.000000000 -0400
 @@ -14,7 +14,7 @@
  #
  bool pppd_for_user false;
  
 -daemon_domain(pppd, `, privmail')
-+daemon_domain(pppd, `, privmail, privsysmod')
++daemon_domain(pppd, `, privmail, privsysmod, nscd_client_domain')
  type pppd_secret_t, file_type, sysadmfile;
  
  # Define a separate type for /etc/ppp
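Review bot: `can_exec(postfix_local_t, bin_t)` lets the local delivery agent run any bin_t program inside its own domain, and together with `r_dir_file(postfix_local_t, etc_mail_t)` it is appended after the postfix_map_t rules at the end of the file rather than in the postfix_local_t section a few hunks earlier, with no comment saying what it is for. Moving both lines next to the other postfix_local_t rules and prefixing them with something like `# local delivery runs external commands (aliases/.forward?) without a domain transition — confirm no dedicated domain is wanted` keeps the grant visible and grouped. The added trailing blank line at the end of postfix.te can be dropped. The pppd change in the same hunk (adding nscd_client_domain) needs nothing further.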
@@ -1164,6 +1337,15 @@
  
  # Access /dev/ppp.
  allow pppd_t ppp_device_t:chr_file rw_file_perms;
+@@ -111,7 +112,7 @@
+ ')
+ }
+ 
+-daemon_domain(pptp)
++daemon_domain(pptp, `, nscd_client_domain')
+ can_network_client_tcp(pptp_t)
+ allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
+ can_exec(pptp_t, hostname_exec_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
 --- nsapolicy/domains/program/unused/procmail.te	2005-09-12 16:40:28.000000000 -0400
 +++ policy-1.27.1/domains/program/unused/procmail.te	2005-09-20 21:33:02.000000000 -0400
@@ -1531,14 +1713,19 @@
  /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/bluetooth.fc policy-1.27.1/file_contexts/program/bluetooth.fc
 --- nsapolicy/file_contexts/program/bluetooth.fc	2005-09-12 16:40:27.000000000 -0400
-+++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-09-20 21:33:02.000000000 -0400
-@@ -1,5 +1,6 @@
++++ policy-1.27.1/file_contexts/program/bluetooth.fc	2005-09-26 15:24:30.000000000 -0400
+@@ -1,8 +1,11 @@
  # bluetooth
  /etc/bluetooth(/.*)?		system_u:object_r:bluetooth_conf_t
 +/etc/bluetooth/link_key		system_u:object_r:bluetooth_conf_rw_t
  /usr/bin/rfcomm		--	system_u:object_r:bluetooth_exec_t
  /usr/sbin/hcid		--	system_u:object_r:bluetooth_exec_t
  /usr/sbin/sdpd		--	system_u:object_r:bluetooth_exec_t
+ /usr/sbin/hciattach	--	system_u:object_r:bluetooth_exec_t
+ /var/run/sdp		-s	system_u:object_r:bluetooth_var_run_t
+ /usr/sbin/hid2hci	--	system_u:object_r:bluetooth_exec_t
++/usr/bin/bluepin	--	system_u:object_r:bluetooth_helper_exec_t
++/var/lib/bluetooth(/.*)?	system_u:object_r:bluetooth_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc policy-1.27.1/file_contexts/program/dhcpc.fc
 --- nsapolicy/file_contexts/program/dhcpc.fc	2005-09-12 16:40:27.000000000 -0400
 +++ policy-1.27.1/file_contexts/program/dhcpc.fc	2005-09-23 17:32:37.000000000 -0400
@@ -1705,8 +1892,16 @@
  /etc/ypserv\.conf		--	system_u:object_r:ypserv_conf_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.27.1/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-09-16 11:17:10.000000000 -0400
-+++ policy-1.27.1/file_contexts/types.fc	2005-09-23 17:01:01.000000000 -0400
-@@ -485,6 +485,7 @@
++++ policy-1.27.1/file_contexts/types.fc	2005-09-26 11:59:56.000000000 -0400
+@@ -133,6 +133,7 @@
+ /dev/dcbri[0-9]+	-c	system_u:object_r:tty_device_t
+ /dev/irlpt[0-9]+	-c	system_u:object_r:printer_device_t
+ /dev/ircomm[0-9]+	-c	system_u:object_r:tty_device_t
++/dev/rfcomm[0-9]+	-c	system_u:object_r:tty_device_t
+ /dev/isdn.*		-c	system_u:object_r:tty_device_t
+ /dev/.*tty[^/]*	-c	system_u:object_r:tty_device_t
+ /dev/[pt]ty[abcdepqrstuvwxyz][0-9a-f]	-c system_u:object_r:bsdpty_device_t
+@@ -485,6 +486,7 @@
  # Turboprint
  #
  /usr/share/turboprint/lib(/.*)? 	--     system_u:object_r:bin_t


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.378
retrieving revision 1.379
diff -u -r1.378 -r1.379
--- selinux-policy-targeted.spec	23 Sep 2005 21:33:30 -0000	1.378
+++ selinux-policy-targeted.spec	26 Sep 2005 20:10:42 -0000	1.379
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.27.1
-Release: 7
+Release: 8
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -246,6 +246,9 @@
 exit 0
 
 %changelog
+* Mon Sep 26 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-8
+- Many fixes for postfix and bluetooth
+
 * Fri Sep 23 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-7
 - Fix su behavior on MCS platform
 - Fix dhcpd/dhclient dirs



