rpms/selinux-policy/devel file_contexts.patch, NONE, 1.1 policy-200604.patch, NONE, 1.1
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Apr 10 12:16:14 UTC 2006
Author: rcoker
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31440
Added Files:
file_contexts.patch policy-200604.patch
Log Message:
Optimise file contexts slightly for performance and fix several policy bugs.
file_contexts.patch:
admin/su.fc | 2 +-
apps/java.fc | 2 +-
kernel/corecommands.fc | 18 ++++++++++--------
kernel/devices.fc | 3 ++-
kernel/files.fc | 35 +++++++++++++++++++++++------------
services/kerberos.fc | 4 ++--
services/tftp.fc | 3 ++-
system/authlogin.fc | 3 ++-
system/daemontools.fc | 3 ++-
system/libraries.fc | 39 ++++++++++++++++++++++-----------------
system/miscfiles.fc | 2 +-
system/modutils.fc | 6 ++++--
12 files changed, 72 insertions(+), 48 deletions(-)
--- NEW FILE file_contexts.patch ---
diff -ru serefpolicy-2.2.29.orig/policy/modules/admin/su.fc serefpolicy-2.2.29.fc/policy/modules/admin/su.fc
--- serefpolicy-2.2.29.orig/policy/modules/admin/su.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/admin/su.fc 2006-04-10 20:53:28.000000000 +1000
@@ -1,5 +1,5 @@
/bin/su -- gen_context(system_u:object_r:su_exec_t,s0)
-/usr(/local)?/bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
+/usr/(local/)?bin/ksu -- gen_context(system_u:object_r:su_exec_t,s0)
/usr/bin/kdesu -- gen_context(system_u:object_r:su_exec_t,s0)
diff -ru serefpolicy-2.2.29.orig/policy/modules/apps/java.fc serefpolicy-2.2.29.fc/policy/modules/apps/java.fc
--- serefpolicy-2.2.29.orig/policy/modules/apps/java.fc 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29.fc/policy/modules/apps/java.fc 2006-04-10 20:53:28.000000000 +1000
@@ -1,7 +1,7 @@
#
# /usr
#
-/usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
/opt(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
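Review bot: The `/opt(/.*)?/bin/java.*` entry on the last context line of this hunk is left in the old form, so the java module still carries one pattern that begins with a metacharacter right after the first path component, which is exactly what the rest of this commit removes. If the intent is to give every entry a literal directory stem so the matcher can skip it by prefix, this line should be converted the same way: `/opt/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)`. The two forms match the same set of paths, so the conversion is behaviour-neutral.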
diff -ru serefpolicy-2.2.29.orig/policy/modules/kernel/corecommands.fc serefpolicy-2.2.29.fc/policy/modules/kernel/corecommands.fc
--- serefpolicy-2.2.29.orig/policy/modules/kernel/corecommands.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/kernel/corecommands.fc 2006-04-10 20:53:28.000000000 +1000
@@ -2,7 +2,8 @@
#
# /bin
#
-/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/bin -d gen_context(system_u:object_r:bin_t,s0)
+/bin/.* gen_context(system_u:object_r:bin_t,s0)
/bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0)
/bin/bash2 -- gen_context(system_u:object_r:shell_exec_t,s0)
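Review bot: Splitting `/bin(/.*)?` into `/bin -d` plus `/bin/.*` is not exactly equivalent: the old entry matched a `/bin` of any file class, whereas `-d` matches only a directory, so a symlink or other non-directory at `/bin` would now fall through to whatever more general entry matches it (presumably the root default). On a system where `/bin` is a real directory this is harmless, but the same split is applied to `/sbin`, `/dev`, `/etc`, `/usr`, `/var` and several other top-level paths in this commit, so the assumption is worth recording once at the top of the block: `# top-level directories use -d so the stem is a literal prefix; a non-directory at this path gets no context from this entry`. The `/bin/.*` line keeps labelling every object class under /bin as bin_t, as before.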
@@ -86,27 +87,28 @@
#
# /sbin
#
-/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/sbin -d gen_context(system_u:object_r:sbin_t,s0)
+/sbin/.* gen_context(system_u:object_r:sbin_t,s0)
/sbin/mkfs\.cramfs -- gen_context(system_u:object_r:sbin_t,s0)
/sbin/insmod_ksymoops_clean -- gen_context(system_u:object_r:sbin_t,s0)
#
# /opt
#
-/opt(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/opt/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/opt(/.*)?/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/opt/(.*/)?libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/opt(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/opt/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
#
# /usr
#
-/usr(/.*)?/Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/(.*/)?Bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr(/.*)?/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr(/.*)?/sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
+/usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:sbin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
diff -ru serefpolicy-2.2.29.orig/policy/modules/kernel/devices.fc serefpolicy-2.2.29.fc/policy/modules/kernel/devices.fc
--- serefpolicy-2.2.29.orig/policy/modules/kernel/devices.fc 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29.fc/policy/modules/kernel/devices.fc 2006-04-10 20:53:29.000000000 +1000
@@ -1,5 +1,6 @@
-/dev(/.*)? gen_context(system_u:object_r:device_t,s0)
+/dev -d gen_context(system_u:object_r:device_t,s0)
+/dev/.* gen_context(system_u:object_r:device_t,s0)
/dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/adsp -c gen_context(system_u:object_r:sound_device_t,s0)
diff -ru serefpolicy-2.2.29.orig/policy/modules/kernel/files.fc serefpolicy-2.2.29.fc/policy/modules/kernel/files.fc
--- serefpolicy-2.2.29.orig/policy/modules/kernel/files.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/kernel/files.fc 2006-04-10 20:53:29.000000000 +1000
@@ -25,7 +25,8 @@
#
# /boot
#
-/boot(/.*)? gen_context(system_u:object_r:boot_t,s0)
+/boot -d gen_context(system_u:object_r:boot_t,s0)
+/boot/.* gen_context(system_u:object_r:boot_t,s0)
/boot/\.journal <<none>>
/boot/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/boot/lost\+found/.* <<none>>
@@ -36,13 +37,15 @@
#
ifdef(`distro_redhat',`
-/emul(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/emul -d gen_context(system_u:object_r:usr_t,s0)
+/emul/.* gen_context(system_u:object_r:usr_t,s0)
')
#
# /etc
#
-/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/etc -d gen_context(system_u:object_r:etc_t,s0)
+/etc/.* gen_context(system_u:object_r:etc_t,s0)
/etc/\.fstab\.hal\..+ -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/asound\.state -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/blkid(/.*)? gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -104,7 +107,8 @@
#
# /lib(64)?
#
-/lib(64)?/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+/lib/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
+/lib64/modules(/.*)? gen_context(system_u:object_r:modules_object_t,s0)
#
# /lost+found
@@ -139,29 +143,34 @@
#
# /opt
#
-/opt(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/opt -d gen_context(system_u:object_r:usr_t,s0)
+/opt/.* gen_context(system_u:object_r:usr_t,s0)
-/opt(/.*)?/var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
+/opt/(.*/)?var/lib(64)?(/.*)? gen_context(system_u:object_r:var_lib_t,s0)
#
# /proc
#
-/proc(/.*)? <<none>>
+/proc -d <<none>>
+/proc/.* <<none>>
#
# /selinux
#
-/selinux(/.*)? <<none>>
+/selinux -d <<none>>
+/selinux/.* <<none>>
#
# /srv
#
-/srv(/.*)? gen_context(system_u:object_r:var_t,s0)
+/srv -d gen_context(system_u:object_r:var_t,s0)
+/srv/.* gen_context(system_u:object_r:var_t,s0)
#
# /sys
#
-/sys(/.*)? <<none>>
+/sys -d <<none>>
+/sys/.* <<none>>
#
# /tmp
@@ -176,7 +185,8 @@
#
# /usr
#
-/usr(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr -d gen_context(system_u:object_r:usr_t,s0)
+/usr/.* gen_context(system_u:object_r:usr_t,s0)
/usr/\.journal <<none>>
/usr/doc(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
@@ -208,7 +218,8 @@
#
# /var
#
-/var(/.*)? gen_context(system_u:object_r:var_t,s0)
+/var -d gen_context(system_u:object_r:var_t,s0)
+/var/.* gen_context(system_u:object_r:var_t,s0)
/var/\.journal <<none>>
/var/db/.*\.db -- gen_context(system_u:object_r:etc_t,s0)
diff -ru serefpolicy-2.2.29.orig/policy/modules/services/kerberos.fc serefpolicy-2.2.29.fc/policy/modules/services/kerberos.fc
--- serefpolicy-2.2.29.orig/policy/modules/services/kerberos.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/services/kerberos.fc 2006-04-10 20:53:29.000000000 +1000
@@ -5,8 +5,8 @@
/etc/krb5kdc/kadm5.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
/etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
-/usr(/local)?(/kerberos)?/sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
-/usr(/local)?(/kerberos)?/sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
+/usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
/usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
/usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
diff -ru serefpolicy-2.2.29.orig/policy/modules/services/tftp.fc serefpolicy-2.2.29.fc/policy/modules/services/tftp.fc
--- serefpolicy-2.2.29.orig/policy/modules/services/tftp.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/services/tftp.fc 2006-04-10 20:53:29.000000000 +1000
@@ -2,4 +2,5 @@
/usr/sbin/atftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
/usr/sbin/in\.tftpd -- gen_context(system_u:object_r:tftpd_exec_t,s0)
-/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+/tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
diff -ru serefpolicy-2.2.29.orig/policy/modules/system/authlogin.fc serefpolicy-2.2.29.fc/policy/modules/system/authlogin.fc
--- serefpolicy-2.2.29.orig/policy/modules/system/authlogin.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/system/authlogin.fc 2006-04-10 20:53:29.000000000 +1000
@@ -7,7 +7,8 @@
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-/lib(64)?/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
+/lib64/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
diff -ru serefpolicy-2.2.29.orig/policy/modules/system/daemontools.fc serefpolicy-2.2.29.fc/policy/modules/system/daemontools.fc
--- serefpolicy-2.2.29.orig/policy/modules/system/daemontools.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/system/daemontools.fc 2006-04-10 20:53:29.000000000 +1000
@@ -2,7 +2,8 @@
# /service
#
-/service(/.*)? gen_context(system_u:object_r:svc_svc_t,s0)
+/service -d gen_context(system_u:object_r:svc_svc_t,s0)
+/service/.* gen_context(system_u:object_r:svc_svc_t,s0)
#
# /usr
diff -ru serefpolicy-2.2.29.orig/policy/modules/system/libraries.fc serefpolicy-2.2.29.fc/policy/modules/system/libraries.fc
--- serefpolicy-2.2.29.orig/policy/modules/system/libraries.fc 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29.fc/policy/modules/system/libraries.fc 2006-04-10 20:53:29.000000000 +1000
@@ -24,15 +24,20 @@
#
# /lib(64)?
#
-/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib -d gen_context(system_u:object_r:lib_t,s0)
+/lib/.* gen_context(system_u:object_r:lib_t,s0)
+/lib64 -d gen_context(system_u:object_r:lib_t,s0)
+/lib64/.* gen_context(system_u:object_r:lib_t,s0)
+/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/lib64/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/lib/(.*/)?ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+/lib64/(.*/)?ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
#
# /opt
#
-/opt(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/opt(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/opt/(.*/)?lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/opt/(.*/)?lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
/opt/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -44,18 +49,18 @@
#
# /usr
#
-/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?HelixPlayer/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?java/.*\.jar -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?java/.*\.jsa -- gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
-/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/usr/(.*/)?lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?lib(64)?/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
-/usr(/.*)?/lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
-/usr(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
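Review bot: The nvidia entry on the last line of this hunk, `/usr(/.*)?/lib(64)?(/.*)?/nvidia/.*\.so(\..*)?`, is left in the old empty-stem form and is also entirely covered by the rewritten `/usr/(.*/)?nvidia/.*\.so(\..*)?` entry directly above it, since both assign textrel_shlib_t. It can be dropped, or if it is kept it should at least become `/usr/(.*/)?lib(64)?(/.*)?/nvidia/.*\.so(\..*)?` so that no pattern in this module starts with a metacharacter after `/usr`. Separately, the rewritten ld_so_t entry `/usr/(.*/)?lib(64)?(/.*)?/ld-[^/]*\.so(\.[^/]*)*` has no `--` class specifier, while its `/lib` counterpart earlier in this patch does, so a directory or symlink named like the loader under /usr/lib would be labelled ld_so_t; adding `--` would make the two consistent if a plain lib_t label on such symlinks is acceptable there, as it is under /lib.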
@@ -130,7 +135,7 @@
/usr/lib(64)?/.*/program/libsvx680li\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/program/libcomphelp4gcc3\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/.*/program/libsoffice\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/(.*/)?pcsc/drivers(/.*)?/lib(cm2020|cm4000|SCR24x)\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/firefox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/mozilla.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -185,9 +190,9 @@
/usr/.*/jre.*/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/.*/jre.*/libjvm.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/usr(/.*)?/intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
-/usr(/.*)?/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/lib/\.so -- gen_context(system_u:object_r:texrel_shlib_t,s0)
+/usr/(.*/)?intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:texrel_shlib_t,s0)
') dnl end distro_redhat
ifdef(`distro_suse',`
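Review bot: The three rewritten intellinux entries still name the type `texrel_shlib_t`, while every other text-relocation entry in this file (libdeploy.so, libjvm.so, nvidia, pcsc, the OpenOffice libraries) uses `textrel_shlib_t`; unless a `texrel_shlib_t` type is declared somewhere outside this patch, these lines either fail context validation or never apply, and the nppdf plugin would not get the execmod exemption they are meant to give it. Since the commit already touches these lines, it is the right place to fix the spelling, e.g. `/usr/(.*/)?intellinux/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The middle entry `/usr/(.*/)?intellinux/lib/\.so` also looks suspect: as written it matches only a file literally named `.so` in that lib directory and was presumably meant to be `/usr/(.*/)?intellinux/lib/.*\.so`, which is worth confirming against the plugin's actual layout before changing.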
diff -ru serefpolicy-2.2.29.orig/policy/modules/system/miscfiles.fc serefpolicy-2.2.29.fc/policy/modules/system/miscfiles.fc
--- serefpolicy-2.2.29.orig/policy/modules/system/miscfiles.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/system/miscfiles.fc 2006-04-10 20:53:29.000000000 +1000
@@ -7,7 +7,7 @@
#
# /opt
#
-/opt(/.*)?/man(/.*)? gen_context(system_u:object_r:man_t,s0)
+/opt/(.*/)?man(/.*)? gen_context(system_u:object_r:man_t,s0)
#
# /srv
diff -ru serefpolicy-2.2.29.orig/policy/modules/system/modutils.fc serefpolicy-2.2.29.fc/policy/modules/system/modutils.fc
--- serefpolicy-2.2.29.orig/policy/modules/system/modutils.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29.fc/policy/modules/system/modutils.fc 2006-04-10 20:53:29.000000000 +1000
@@ -2,9 +2,11 @@
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
-/lib(64)?/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
+/lib64/modules/[^/]+/modules\..+ -- gen_context(system_u:object_r:modules_dep_t,s0)
-/lib(64)?/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
+/lib64/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
policy-200604.patch:
mcs | 6 +++++-
modules/admin/amanda.te | 5 ++++-
modules/kernel/devices.if | 4 ++--
modules/kernel/files.fc | 2 +-
modules/kernel/files.if | 32 ++++++++++++--------------------
modules/kernel/mcs.te | 4 ++++
modules/kernel/terminal.te | 1 -
modules/services/bind.fc | 1 +
modules/services/hal.te | 1 +
modules/services/mailman.if | 38 ++++++++++++++++++++++++++++++++++++++
modules/services/postfix.te | 3 +++
modules/services/samba.te | 7 +++++++
modules/system/init.te | 5 -----
modules/system/selinuxutil.if | 4 ++--
modules/system/unconfined.te | 2 ++
modules/system/xen.te | 5 +++++
16 files changed, 87 insertions(+), 33 deletions(-)
--- NEW FILE policy-200604.patch ---
diff -ru serefpolicy-2.2.29.fc/policy/mcs serefpolicy-2.2.29/policy/mcs
--- serefpolicy-2.2.29.fc/policy/mcs 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/mcs 2006-04-10 20:54:22.000000000 +1000
@@ -134,14 +134,18 @@
# the high range of the file. We use the high range of the process so
# that processes can always simply run at s0.
#
-# Only files are constrained by MCS at this stage.
+# Note that getattr on files is always permitted.
#
mlsconstrain file { write setattr append unlink link rename ioctl lock execute relabelfrom }
( h1 dom h2 );
+# New filesystem object labels must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
mlsconstrain file { create relabelto }
(( h1 dom h2 ) and ( l2 eq h2 ));
+# At this time we do not restrict "ps" type operations via MCS. This
+# will probably change in future.
mlsconstrain file { read }
(( h1 dom h2 ) or ( t2 == domain ) or ( t1 == mlsfileread ));
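Review bot: The new comment `At this time we do not restrict "ps" type operations via MCS` sits above the whole `file { read }` constraint, but the only term it appears to explain is the `( t2 == domain )` exception, which lets any subject read objects labelled with a process domain such as /proc/<pid> entries; a reader may take it as a description of the constraint as a whole. Tying it to that term would be clearer, e.g. `# ( t2 == domain ): reading /proc/<pid> entries ("ps"-style operations) is not yet MCS-restricted; ( t1 == mlsfileread ): explicit override attribute`. The replacement line `Note that getattr on files is always permitted.` is a useful caveat; it may be worth spelling out that file names, sizes and labels therefore remain visible across categories, which is the intended MCS trade-off rather than a bug.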
diff -ru serefpolicy-2.2.29.fc/policy/modules/admin/amanda.te serefpolicy-2.2.29/policy/modules/admin/amanda.te
--- serefpolicy-2.2.29.fc/policy/modules/admin/amanda.te 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/admin/amanda.te 2006-04-10 20:54:22.000000000 +1000
@@ -9,6 +9,7 @@
type amanda_t;
type amanda_inetd_exec_t;
inetd_udp_service_domain(amanda_t,amanda_inetd_exec_t)
+inetd_tcp_service_domain(amanda_t,amanda_inetd_exec_t)
role system_r types amanda_t;
type amanda_exec_t;
@@ -183,13 +184,15 @@
optional_policy(`
nscd_socket_use(amanda_t)
+ nscd_socket_use(amanda_recover_t)
')
########################################
#
# Amanda recover local policy
-allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override net_bind_service };
+allow amanda_recover_t self:capability { fowner fsetid kill setgid setuid chown dac_override };
+corenet_tcp_bind_reserved_port(amanda_recover_t)
allow amanda_recover_t self:process { sigkill sigstop signal };
allow amanda_recover_t self:fifo_file { getattr ioctl read write };
allow amanda_recover_t self:unix_stream_socket { connect create read write };
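Review bot: Dropping `net_bind_service` from the raw capability line is only safe if `corenet_tcp_bind_reserved_port()` grants that capability itself in addition to `reserved_port_t:tcp_socket name_bind`; refpolicy's version of the interface does carry `allow $1 self:capability net_bind_service;`, but that definition is outside this hunk, so it is worth confirming against this tree's corenetwork.if, or amrecover will hit a capability denial when it binds its privileged source port. A why-comment would help the next reader see that the capability was moved rather than removed: `# amrecover binds a reserved source port; the corenet interface carries net_bind_service`.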
diff -ru serefpolicy-2.2.29.fc/policy/modules/kernel/devices.if serefpolicy-2.2.29/policy/modules/kernel/devices.if
--- serefpolicy-2.2.29.fc/policy/modules/kernel/devices.if 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29/policy/modules/kernel/devices.if 2006-04-10 21:58:00.000000000 +1000
@@ -2702,7 +2702,7 @@
')
allow $1 device_t:dir r_dir_perms;
- allow $1 xen_device_t:chr_file r_file_perms;
+ allow $1 xen_device_t:chr_file rw_file_perms;
')
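Review bot: This hunk widens an interface from `r_file_perms` to `rw_file_perms` on xen_device_t, but the interface's name and summary begin above the hunk, so it is not visible here whether the new permission set matches what the name promises; if this is the `dev_rw_xen` that xen.te calls later in this commit, the old read-only body was the bug and the change is right, otherwise every existing caller silently gains write access to the xen device. Please confirm the enclosing interface is the rw one, and if it is, a short comment in the body such as `# rw: xenstored and xend both need to write the privcmd/xen devices` would document the intent. The enclosing interface definition starts outside the hunk.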
########################################
@@ -2721,7 +2721,7 @@
')
allow $1 device_t:dir r_dir_perms;
- allow $1 xen_device_t:chr_file r_file_perms;
+ allow $1 xen_device_t:chr_file manage_file_perms;
')
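Review bot: `manage_file_perms` on a chr_file grants create, unlink, rename and setattr as well as read/write, so whichever interface this is now lets its callers create and remove xen device nodes, not just use them; as with the previous hunk, the interface name and summary are outside the hunk, so the reviewer cannot see whether that is the documented contract. If it is a `dev_manage_xen`-style interface the body now matches its name, but if any caller only needed to open the device it should be moved to the rw interface above. Worth a one-line comment stating which domain needs node creation (from this commit, `dev_filetrans_xen(xenstored_t)` in xen.te suggests xenstored). The enclosing interface definition starts outside the hunk.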
########################################
diff -ru serefpolicy-2.2.29.fc/policy/modules/kernel/files.fc serefpolicy-2.2.29/policy/modules/kernel/files.fc
--- serefpolicy-2.2.29.fc/policy/modules/kernel/files.fc 2006-04-10 20:53:29.000000000 +1000
+++ serefpolicy-2.2.29/policy/modules/kernel/files.fc 2006-04-10 20:54:22.000000000 +1000
@@ -210,7 +210,7 @@
/usr/share(/.*)?/lib(64)?(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/src(/.*)? gen_context(system_u:object_r:src_t,s0)
-/usr/src(/.*)?/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
+/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
/usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-s15:c0.c255)
/usr/tmp/.* <<none>>
diff -ru serefpolicy-2.2.29.fc/policy/modules/kernel/files.if serefpolicy-2.2.29/policy/modules/kernel/files.if
--- serefpolicy-2.2.29.fc/policy/modules/kernel/files.if 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29/policy/modules/kernel/files.if 2006-04-10 20:54:22.000000000 +1000
@@ -930,6 +930,18 @@
########################################
#
+# files_stat_all_mountpoints(domain)
+#
+interface(`files_stat_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir { getattr };
+')
+
+########################################
+#
# files_list_root(domain)
#
interface(`files_list_root',`
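Review bot: The new `files_stat_all_mountpoints` interface is documented only by the bare `# files_stat_all_mountpoints(domain)` header, while the neighbouring interfaces in this file (`files_list_root` below, and the `## <summary>`/`## <param>` block on the interface removed in the next hunk) use the XML doc comment from which the interface reference is presumably generated. Add a summary such as `Get the attributes of all mount point directories.` with a `domain` parameter block in the same form, so the interface appears in the generated documentation. Stylistically, `allow $1 mountpoint:dir { getattr };` can be written `allow $1 mountpoint:dir getattr;`; braces around a single permission are unusual in this tree.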
@@ -1192,26 +1204,6 @@
########################################
## <summary>
-## Read and write symbolic links
-## in the /boot directory.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`files_rw_boot_symlinks',`
- gen_require(`
- type boot_t;
- ')
-
- allow $1 boot_t:dir r_dir_perms;
- allow $1 boot_t:lnk_file rw_file_perms;
-')
-
-########################################
-## <summary>
## Create, read, write, and delete symbolic links
## in the /boot directory.
## </summary>
diff -ru serefpolicy-2.2.29.fc/policy/modules/kernel/mcs.te serefpolicy-2.2.29/policy/modules/kernel/mcs.te
--- serefpolicy-2.2.29.fc/policy/modules/kernel/mcs.te 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/kernel/mcs.te 2006-04-10 20:54:22.000000000 +1000
@@ -32,6 +32,10 @@
type xdm_exec_t;
ifdef(`enable_mcs',`
+# The eventual plan is to have a range_transition to s0 for the daemon by
+# default and have the daemons which need to run with all categories be
+# exceptions. But while range_transitions have to be in the base module
+# this is not possible.
range_transition getty_t login_exec_t s0 - s0:c0.c255;
range_transition init_t xdm_exec_t s0 - s0:c0.c255;
range_transition initrc_t crond_exec_t s0 - s0:c0.c255;
diff -ru serefpolicy-2.2.29.fc/policy/modules/kernel/terminal.te serefpolicy-2.2.29/policy/modules/kernel/terminal.te
--- serefpolicy-2.2.29.fc/policy/modules/kernel/terminal.te 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/kernel/terminal.te 2006-04-10 20:54:22.000000000 +1000
@@ -28,7 +28,6 @@
type devpts_t;
files_mountpoint(devpts_t)
fs_associate_tmpfs(devpts_t)
-files_associate_tmp(devpts_t)
fs_type(devpts_t)
fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0);
diff -ru serefpolicy-2.2.29.fc/policy/modules/services/bind.fc serefpolicy-2.2.29/policy/modules/services/bind.fc
--- serefpolicy-2.2.29.fc/policy/modules/services/bind.fc 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/services/bind.fc 2006-04-10 20:54:22.000000000 +1000
@@ -29,6 +29,7 @@
ifdef(`distro_redhat',`
/etc/named\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
+/etc/named\.caching-nameserver\.conf -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
/var/named/slaves(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
diff -ru serefpolicy-2.2.29.fc/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
--- serefpolicy-2.2.29.fc/policy/modules/services/hal.te 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29/policy/modules/services/hal.te 2006-04-10 20:54:22.000000000 +1000
@@ -103,6 +103,7 @@
fs_getattr_all_fs(hald_t)
fs_search_all(hald_t)
fs_list_auto_mountpoints(hald_t)
+files_stat_all_mountpoints(hald_t)
mls_file_read_up(hald_t)
diff -ru serefpolicy-2.2.29.fc/policy/modules/services/mailman.if serefpolicy-2.2.29/policy/modules/services/mailman.if
--- serefpolicy-2.2.29.fc/policy/modules/services/mailman.if 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/services/mailman.if 2006-04-10 20:54:22.000000000 +1000
@@ -200,6 +200,44 @@
#######################################
## <summary>
+## Allow domain to to create mailman data files and write the directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_create_data_file',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir rw_dir_perms;
+ allow $1 mailman_data_t:file create_file_perms;
+')
+
+#######################################
+## <summary>
+## Allow domain to to read mailman data files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mailman_read_data_file',`
+ gen_require(`
+ type mailman_data_t;
+ ')
+
+ allow $1 mailman_data_t:dir search_dir_perms;
+ allow $1 mailman_data_t:file read_file_perms;
+')
+
+#######################################
+## <summary>
## List the contents of mailman data directories.
## </summary>
## <param name="domain">
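Review bot: Both new summaries read `Allow domain to to create ...` and `Allow domain to to read ...` (duplicated "to"), and neither follows the imperative phrasing the rest of this file uses, e.g. `List the contents of mailman data directories.` just below; suggested wording is `Create mailman data files and write the mailman data directory.` and `Read mailman data files.`. More substantively, `create_file_perms` in this generation of refpolicy is, as far as I recall, the full manage set (create, read, write, unlink, rename, link), so `mailman_create_data_file` grants considerably more than its name suggests. If that is intended, naming it `mailman_manage_data_files` with `manage_file_perms` would be honest; otherwise a comment should state that the caller (postfix_master_t in this commit) gets full control over mailman_data_t files.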
diff -ru serefpolicy-2.2.29.fc/policy/modules/services/postfix.te serefpolicy-2.2.29/policy/modules/services/postfix.te
--- serefpolicy-2.2.29.fc/policy/modules/services/postfix.te 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/services/postfix.te 2006-04-10 20:54:22.000000000 +1000
@@ -408,6 +408,9 @@
optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
+# for postalias
+ mailman_create_data_file(postfix_master_t)
+ mailman_read_data_file(postfix_local_t)
')
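Review bot: The added `# for postalias` comment is flush-left inside the indented `optional_policy` body and does not say which of the two grants it explains; the hunk gives create/write access to postfix_master_t and read access to postfix_local_t, so presumably postalias runs in the master domain and local delivery only reads the result. A comment at the body's indent that says so would avoid the next reader having to reconstruct it: `	# postalias (run from postfix_master_t) rebuilds the mailman aliases db; local delivery only reads it`. The enclosing optional_policy block starts outside the hunk.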
########################################
diff -ru serefpolicy-2.2.29.fc/policy/modules/services/samba.te serefpolicy-2.2.29/policy/modules/services/samba.te
--- serefpolicy-2.2.29.fc/policy/modules/services/samba.te 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29/policy/modules/services/samba.te 2006-04-10 20:54:22.000000000 +1000
@@ -337,6 +337,13 @@
')
allow smbd_t mtrr_device_t:file getattr;
+# Support Samba sharing of NFS mount points
+bool samba_share_nfs false;
+if (samba_share_nfs) {
+fs_manage_nfs_dirs(smbd_t)
+fs_manage_nfs_files(smbd_t)
+}
+
########################################
#
# nmbd Local policy
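Review bot: The new `samba_share_nfs` boolean has no `## <desc>` documentation block and is declared with a raw `bool`/`if` pair rather than the `gen_tunable`/`tunable_policy` forms refpolicy modules use for tunables, so it will not appear in the generated tunable documentation, and the `if` body is left unindented at column 0. Because enabling it gives smbd full manage rights over every nfs_t directory and file rather than only the exported subtree, the description should say that plainly so an administrator understands the scope before flipping it. If this tree still accepts raw booleans in modules the rewrite below is behaviour-neutral; the `gen_tunable` line conventionally goes in the module's declarations section rather than next to the rules.
```selinux
## <desc>
## <p>
## Allow samba to export NFS volumes. Enabling this gives smbd
## full read/write/create/delete access to all nfs_t directories
## and files, not only the exported share.
## </p>
## </desc>
gen_tunable(samba_share_nfs,false)

# … unchanged: smbd local policy …

tunable_policy(`samba_share_nfs',`
	fs_manage_nfs_dirs(smbd_t)
	fs_manage_nfs_files(smbd_t)
')
```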
diff -ru serefpolicy-2.2.29.fc/policy/modules/system/init.te serefpolicy-2.2.29/policy/modules/system/init.te
--- serefpolicy-2.2.29.fc/policy/modules/system/init.te 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29/policy/modules/system/init.te 2006-04-10 20:54:22.000000000 +1000
@@ -426,11 +426,6 @@
selinux_set_enforce_mode(initrc_t)
- # Create and read /boot/kernel.h and /boot/System.map.
- # Redhat systems typically create this file at boot time.
- bootloader_create_runtime_file(initrc_t)
- files_rw_boot_symlinks(initrc_t)
-
# These seem to be from the initrd
# during device initialization:
dev_create_generic_dirs(initrc_t)
diff -ru serefpolicy-2.2.29.fc/policy/modules/system/selinuxutil.if serefpolicy-2.2.29/policy/modules/system/selinuxutil.if
--- serefpolicy-2.2.29.fc/policy/modules/system/selinuxutil.if 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/system/selinuxutil.if 2006-04-10 20:54:22.000000000 +1000
@@ -697,8 +697,8 @@
files_search_etc($1)
allow $1 selinux_config_t:dir search;
- allow $1 file_context_t:dir r_dir_perms;
- allow $1 file_context_t:file rw_file_perms;
+ allow $1 file_context_t:dir rw_dir_perms;
+ allow $1 file_context_t:file create_file_perms;
allow $1 file_context_t:lnk_file { getattr read };
')
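Review bot: This interface now grants `rw_dir_perms` on the file_context_t directory and `create_file_perms` on file_context_t files — which in this tree's permission sets includes create, rename and unlink, as far as I recall — and file_context_t is the database setfiles/restorecon consult to decide every label on the filesystem, so a domain that can rewrite it can arrange for arbitrary files to be relabelled on the next relabel. The interface's name and `## <summary>` are outside this hunk; if it is a read/write-style interface, every existing caller silently gains manage rights, and the safer change is a separate `seutil_manage_file_contexts`-style interface for the one domain that needs to create or replace the files, leaving the rw one untouched. At minimum the summary above should be updated to say callers can create and delete file_context files, not merely modify them.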
diff -ru serefpolicy-2.2.29.fc/policy/modules/system/unconfined.te serefpolicy-2.2.29/policy/modules/system/unconfined.te
--- serefpolicy-2.2.29.fc/policy/modules/system/unconfined.te 2006-04-10 20:52:58.000000000 +1000
+++ serefpolicy-2.2.29/policy/modules/system/unconfined.te 2006-04-10 20:54:22.000000000 +1000
@@ -24,6 +24,8 @@
logging_send_syslog_msg(unconfined_t)
+mount_domtrans(unconfined_t)
+
ifdef(`targeted_policy',`
allow unconfined_t self:system syslog_read;
dontaudit unconfined_t self:capability sys_module;
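Review bot: `mount_domtrans(unconfined_t)` is called unconditionally, while interfaces from non-base modules are normally wrapped in an optional_policy block; if `mount` is built as a loadable module rather than part of base in this configuration, unconfined would fail to link whenever mount is not loaded, so the call should be wrapped as `optional_policy(` / `	mount_domtrans(unconfined_t)` / `')`. It also deserves a why-comment, since it deliberately confines a program run from an otherwise unconfined domain: `# run mount confined even from unconfined_t so mount_t's restrictions apply`. Whether mount_t already has every permission an administrator's interactive mount needs (loop, NFS, fuse, options parsing) is outside this hunk and decides whether the transition breaks anything in targeted policy.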
diff -ru serefpolicy-2.2.29.fc/policy/modules/system/xen.te serefpolicy-2.2.29/policy/modules/system/xen.te
--- serefpolicy-2.2.29.fc/policy/modules/system/xen.te 2006-04-01 03:11:34.000000000 +1100
+++ serefpolicy-2.2.29/policy/modules/system/xen.te 2006-04-10 21:58:19.000000000 +1000
@@ -19,6 +19,8 @@
# var/lib files
type xend_var_lib_t;
files_type(xend_var_lib_t)
+# for mounting an NFS store
+files_mountpoint(xend_var_lib_t)
# log files
type xend_var_log_t;
@@ -67,6 +69,8 @@
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
+files_read_kernel_symbol_table(xend_t)
+
# pid file
allow xend_t xend_var_run_t:file manage_file_perms;
allow xend_t xend_var_run_t:sock_file manage_file_perms;
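Review bot: `files_read_kernel_symbol_table(xend_t)` is added without a why-comment, although the other additions in this file carry one (`# for mounting an NFS store`, `# pid file`), and reading /boot/System.map is not something a management daemon obviously needs. A line such as `# xend reads /boot/System.map when … (TODO: note which feature needs it)` would make the grant auditable later; a reviewer cannot tell from this hunk whether it was a real xend access or a denial from a tool xend spawns that should have its own domain.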
@@ -210,6 +214,7 @@
dev_filetrans_xen(xenstored_t)
term_dontaudit_use_generic_ptys(xenstored_t)
+dev_rw_xen(xenstored_t)
init_use_fds(xenstored_t)