rpms/selinux-policy/devel modules-targeted.conf, 1.31, 1.32 policy-20060802.patch, 1.5, 1.6 selinux-policy.spec, 1.248, 1.249
Fri Aug 11 03:12:11 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv9023
Modified Files:
modules-targeted.conf policy-20060802.patch
selinux-policy.spec
Log Message:
* Thu Aug 10 2006 Dan Walsh <dwalsh at redhat.com> 2.3.6-3
- Misc fixes
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- modules-targeted.conf 28 Jul 2006 17:44:17 -0000 1.31
+++ modules-targeted.conf 11 Aug 2006 03:11:59 -0000 1.32
@@ -1109,3 +1109,16 @@
nagios = module
+# Layer: apps
+# Module: evolution
+#
+# Evolution email client
+#
+evolution = module
+
+# Layer: apps
+# Module: mozilla
+#
+# Policy for Mozilla and related web browsers
+#
+mozilla = module
policy-20060802.patch:
Makefile | 59 +++----
policy/mls | 9 -
policy/modules/admin/anaconda.te | 20 ++
policy/modules/admin/bootloader.te | 4
policy/modules/admin/consoletype.te | 11 +
policy/modules/admin/firstboot.te | 2
policy/modules/admin/prelink.te | 3
policy/modules/admin/rpm.fc | 2
policy/modules/admin/rpm.if | 13 -
policy/modules/admin/usermanage.te | 4
policy/modules/apps/java.fc | 1
policy/modules/apps/mozilla.if | 2
policy/modules/kernel/corecommands.fc | 1
policy/modules/kernel/corenetwork.te.in | 4
policy/modules/kernel/devices.fc | 2
policy/modules/kernel/devices.if | 37 ++++
policy/modules/kernel/devices.te | 8 -
policy/modules/kernel/files.if | 18 ++
policy/modules/kernel/filesystem.te | 2
policy/modules/kernel/kernel.if | 75 +++++++++
policy/modules/kernel/terminal.if | 19 ++
policy/modules/services/amavis.te | 7
policy/modules/services/apache.te | 1
policy/modules/services/avahi.te | 1
policy/modules/services/bind.te | 1
policy/modules/services/bluetooth.te | 5
policy/modules/services/clamav.if | 1
policy/modules/services/cron.if | 16 +-
policy/modules/services/cron.te | 1
policy/modules/services/cups.te | 18 ++
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 6
policy/modules/services/ldap.te | 2
policy/modules/services/mta.fc | 2
policy/modules/services/nis.te | 2
policy/modules/services/ntp.te | 2
policy/modules/services/openvpn.te | 2
policy/modules/services/pegasus.if | 31 +++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 7
policy/modules/services/procmail.te | 1
policy/modules/services/samba.te | 6
policy/modules/services/setroubleshoot.fc | 9 +
policy/modules/services/setroubleshoot.if | 3
policy/modules/services/setroubleshoot.te | 105 +++++++++++++
policy/modules/services/spamassassin.te | 4
policy/modules/services/squid.te | 4
policy/modules/services/ssh.if | 26 +++
policy/modules/services/ssh.te | 9 +
policy/modules/services/stunnel.te | 4
policy/modules/services/xserver.if | 69 ++++++++
policy/modules/services/xserver.te | 19 +-
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.te | 1
policy/modules/system/hostname.te | 10 -
policy/modules/system/init.if | 7
policy/modules/system/init.te | 2
policy/modules/system/libraries.fc | 4
policy/modules/system/locallogin.te | 4
policy/modules/system/logging.fc | 3
policy/modules/system/logging.if | 21 ++
policy/modules/system/logging.te | 3
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 18 ++
policy/modules/system/modutils.te | 1
policy/modules/system/mount.te | 3
policy/modules/system/selinuxutil.te | 11 +
policy/modules/system/udev.fc | 1
policy/modules/system/udev.te | 1
policy/modules/system/unconfined.if | 2
policy/modules/system/unconfined.te | 5
policy/modules/system/userdomain.if | 236 ++++++++++++++++++++----------
policy/modules/system/userdomain.te | 48 ++----
policy/modules/system/xen.if | 38 ++++
policy/modules/system/xen.te | 26 ++-
75 files changed, 904 insertions(+), 209 deletions(-)
Index: policy-20060802.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060802.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20060802.patch 9 Aug 2006 19:14:24 -0000 1.5
+++ policy-20060802.patch 11 Aug 2006 03:11:59 -0000 1.6
@@ -1,3 +1,163 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.3.6/Makefile
+--- nsaserefpolicy/Makefile 2006-08-10 09:14:45.000000000 -0400
++++ serefpolicy-2.3.6/Makefile 2006-08-08 16:00:22.000000000 -0400
+@@ -67,7 +67,6 @@
+ # interpreters and aux tools
+ AWK ?= gawk
+ GREP ?= egrep
+-INSTALL ?= install
+ M4 ?= m4
+ PYTHON ?= python
+ SED ?= sed
+@@ -305,8 +304,8 @@
+
+ # parse-rolemap modulename,outputfile
+ define parse-rolemap
+- $(verbose) $(M4) $(M4PARAM) $(ROLEMAP) | \
+- $(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
++ $(verbose) m4 $(M4PARAM) $(ROLEMAP) | \
++ awk '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
+ endef
+
+ # peruser-expansion modulename,outputfile
+@@ -341,17 +340,17 @@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+ $(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
+- $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
+- | $(M4) -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
+- | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
++ $(verbose) egrep "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
++ | m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
++ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+ $(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
+ @echo "#" > $@
+ @echo "# This is a generated file! Instead of modifying this file, the" >> $@
+ @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
+ @echo "#" >> $@
+- $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ \
+- | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
++ $(verbose) m4 -D self_contained_policy $(M4PARAM) $^ \
++ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
+ ########################################
+ #
+@@ -422,14 +421,14 @@
+ @echo "# This file is replaced on reinstalls of this policy." >> $(TMPDIR)/system.users
+ @echo "# Please edit local.users to make local changes." >> $(TMPDIR)/system.users
+ @echo "#" >> $(TMPDIR)/system.users
+- $(verbose) $(M4) -D self_contained_policy $(M4PARAM) $^ | $(SED) -r -e 's/^[[:blank:]]+//' \
++ $(verbose) m4 -D self_contained_policy $(M4PARAM) $^ | sed -r -e 's/^[[:blank:]]+//' \
+ -e '/^[[:blank:]]*($$|#)/d' >> $(TMPDIR)/system.users
+- $(verbose) $(INSTALL) -m 644 $(TMPDIR)/system.users $@
++ $(verbose) install -m 644 $(TMPDIR)/system.users $@
+
+ $(USERPATH)/local.users: config/local.users
+ @mkdir -p $(USERPATH)
+ @echo "Installing local.users"
+- $(verbose) $(INSTALL) -b -m 644 $< $@
++ $(verbose) install -b -m 644 $< $@
+
+ ########################################
+ #
+@@ -440,45 +439,45 @@
+ $(INSTALLDIR)/booleans: $(BOOLEANS)
+ @mkdir -p $(TMPDIR)
+ @mkdir -p $(INSTALLDIR)
+- $(verbose) $(SED) -r -e 's/false/0/g' -e 's/true/1/g' \
+- -e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | $(SORT) > $(TMPDIR)/booleans
+- $(verbose) $(INSTALL) -m 644 $(TMPDIR)/booleans $@
++ $(verbose) sed -r -e 's/false/0/g' -e 's/true/1/g' \
++ -e '/^[[:blank:]]*($$|#)/d' $(BOOLEANS) | sort > $(TMPDIR)/booleans
++ $(verbose) install -m 644 $(TMPDIR)/booleans $@
+
+ $(CONTEXTPATH)/files/media: $(APPCONF)/media
+ @mkdir -p $(CONTEXTPATH)/files/
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/default_contexts: $(APPCONF)/default_contexts
+ @mkdir -p $(APPDIR)
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/removable_context: $(APPCONF)/removable_context
+ @mkdir -p $(APPDIR)
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/default_type: $(APPCONF)/default_type
+ @mkdir -p $(APPDIR)
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/userhelper_context: $(APPCONF)/userhelper_context
+ @mkdir -p $(APPDIR)
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/initrc_context: $(APPCONF)/initrc_context
+ @mkdir -p $(APPDIR)
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/failsafe_context: $(APPCONF)/failsafe_context
+ @mkdir -p $(APPDIR)
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/dbus_contexts: $(APPCONF)/dbus_contexts
+ @mkdir -p $(APPDIR)
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ $(APPDIR)/users/root: $(APPCONF)/root_default_contexts
+ @mkdir -p $(APPDIR)/users
+- $(verbose) $(INSTALL) -m 644 $< $@
++ $(verbose) install -m 644 $< $@
+
+ ########################################
+ #
+@@ -487,14 +486,14 @@
+ install-headers: $(TUNXML) $(BOOLXML)
+ @mkdir -p $(HEADERDIR)
+ @echo "Installing $(TYPE) policy headers."
+- $(verbose) $(INSTALL) -m 644 $(TUNXML) $(BOOLXML) $(HEADERDIR)
+- $(verbose) $(M4) $(M4PARAM) $(ROLEMAP) > $(HEADERDIR)/$(notdir $(ROLEMAP))
++ $(verbose) install -m 644 $(TUNXML) $(BOOLXML) $(HEADERDIR)
++ $(verbose) m4 $(M4PARAM) $(ROLEMAP) > $(HEADERDIR)/$(notdir $(ROLEMAP))
+ $(verbose) mkdir -p $(HEADERDIR)/support
+- $(verbose) $(INSTALL) -m 644 $(M4SUPPORT) $(word $(words $(GENXML)),$(GENXML)) $(XMLDTD) $(HEADERDIR)/support
++ $(verbose) install -m 644 $(M4SUPPORT) $(word $(words $(GENXML)),$(GENXML)) $(XMLDTD) $(HEADERDIR)/support
+ $(verbose) $(GENPERM) $(AVS) $(SECCLASS) > $(HEADERDIR)/support/all_perms.spt
+ $(verbose) for i in $(notdir $(ALL_LAYERS)); do \
+ mkdir -p $(HEADERDIR)/$$i ;\
+- $(INSTALL) -m 644 $(MODDIR)/$$i/*.if \
++ install -m 644 $(MODDIR)/$$i/*.if \
+ $(MODDIR)/$$i/metadata.xml \
+ $(HEADERDIR)/$$i ;\
+ done
+@@ -506,7 +505,7 @@
+ $(verbose) echo "MONOLITHIC ?= n" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "DIRECT_INITRC ?= $(DIRECT_INITRC)" >> $(HEADERDIR)/build.conf
+ $(verbose) echo "POLY ?= $(POLY)" >> $(HEADERDIR)/build.conf
+- $(verbose) $(INSTALL) -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
++ $(verbose) install -m 644 $(SUPPORT)/Makefile.devel $(HEADERDIR)/Makefile
+
+ ########################################
+ #
+@@ -515,8 +514,8 @@
+ install-docs: $(TMPDIR)/html
+ @mkdir -p $(DOCSDIR)/html
+ @echo "Installing policy documentation"
+- $(verbose) $(INSTALL) -m 644 $(DOCFILES) $(DOCSDIR)
+- $(verbose) $(INSTALL) -m 644 $(wildcard $(HTMLDIR)/*) $(DOCSDIR)/html
++ $(verbose) install -m 644 $(DOCFILES) $(DOCSDIR)
++ $(verbose) install -m 644 $(wildcard $(HTMLDIR)/*) $(DOCSDIR)/html
+
+ ########################################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.3.6/policy/mls
--- nsaserefpolicy/policy/mls 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.6/policy/mls 2006-08-08 16:15:43.000000000 -0400
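Review bot: The Makefile rules now call `install`, `m4`, `egrep`, `sed`, `awk` and `sort` by name, but the variable definitions that were meant to override them (`AWK ?= gawk`, `GREP ?= egrep`, `M4 ?= m4`, `SED ?= sed`, and presumably `SORT`, defined outside this hunk) are left in place, so setting any of them on the make command line silently does nothing for these rules. The `parse-rolemap` rule also changes its interpreter from `$(AWK)` (default `gawk`) to plain `awk`, which on systems where `awk` is mawk or nawk may handle the `\n` in the print format differently. If the goal is only to avoid the `INSTALL` variable, deleting just `INSTALL ?= install` and keeping `$(M4)`, `$(SED)`, `$(GREP)`, `$(AWK)` and `$(SORT)` in the rules would keep the Makefile self-consistent; otherwise the now-dead `?=` lines should go too.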
@@ -67,6 +227,21 @@
+dontaudit domain anaconda_t:fifo_file r_file_perms;
+dontaudit domain anaconda_t:unix_stream_socket connectto;
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.6/policy/modules/admin/bootloader.te
+--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-08-02 10:34:09.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/admin/bootloader.te 2006-08-10 14:25:32.000000000 -0400
+@@ -83,8 +83,10 @@
+ dev_read_rand(bootloader_t)
+ dev_read_urand(bootloader_t)
+ dev_read_sysfs(bootloader_t)
+-# for reading BIOS data
++# for reading/Writing BIOS data
+ dev_read_raw_memory(bootloader_t)
++dev_read_bios_memory(bootloader_t)
++dev_write_bios_memory(bootloader_t)
+
+ fs_getattr_xattr_fs(bootloader_t)
+ fs_getattr_tmpfs(bootloader_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.6/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/admin/consoletype.te 2006-08-08 16:15:43.000000000 -0400
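Review bot: bootloader.te calls `dev_read_bios_memory(bootloader_t)` and `dev_write_bios_memory(bootloader_t)`, but the interfaces this same patch adds to devices.if are named `dev_read_bios` and `dev_write_bios`, so the bootloader module will not build (the unexpanded names are not valid policy). Either change the two calls to `dev_read_bios(bootloader_t)` and `dev_write_bios(bootloader_t)` or rename the interfaces to match. The comment `# for reading/Writing BIOS data` should also say which bootloader operation needs write access to /dev/nvram, since this is a new write grant to firmware-backed storage (`# for reading/writing BIOS data in /dev/nvram (bootloader stores boot settings there)` — confirm the actual consumer).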
@@ -133,6 +308,29 @@
')
/var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.6/policy/modules/admin/rpm.if
+--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-08-02 10:34:09.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/admin/rpm.if 2006-08-10 13:47:39.000000000 -0400
+@@ -75,12 +75,13 @@
+ ')
+
+ rpm_domtrans($1)
+- role $2 types rpm_t;
+- role $2 types rpm_script_t;
+- seutil_run_loadpolicy(rpm_script_t,$2,$3)
+- seutil_run_semanage(rpm_script_t,$2,$3)
+- seutil_run_setfiles(rpm_script_t,$2,$3)
+- seutil_run_restorecon(rpm_script_t,$2,$3)
++ #role $2 types rpm_t;
++ #role $2 types rpm_script_t;
++ role_transition $2 rpm_exec_t system_r;
++ seutil_run_loadpolicy(rpm_script_t,system_r,$3)
++ seutil_run_semanage(rpm_script_t,system_r,$3)
++ seutil_run_setfiles(rpm_script_t,system_r,$3)
++ seutil_run_restorecon(rpm_script_t,system_r,$3)
+ allow rpm_t $3:chr_file rw_term_perms;
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.3.6/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-08-02 10:34:09.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/admin/usermanage.te 2006-08-08 16:15:43.000000000 -0400
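Review bot: The `role $2 types rpm_t;` and `role $2 types rpm_script_t;` lines are commented out rather than removed, and nothing in the hunk says where `role system_r types rpm_t` / `rpm_script_t` is declared; if that is not already in rpm.te the new `role_transition $2 rpm_exec_t system_r;` targets a role that is not authorized for the domain and the transition is rejected at build time. The enclosing interface starts outside this hunk. Delete the two commented lines and add a comment explaining the design change, e.g. `# rpm always runs in system_r (via role_transition) so scriptlets and the seutil helpers it spawns use the same role as daemons; the calling role is not authorized for rpm types directly`.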
@@ -154,6 +352,14 @@
nscd_socket_use(useradd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.6/policy/modules/apps/java.fc
+--- nsaserefpolicy/policy/modules/apps/java.fc 2006-07-14 17:04:31.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/apps/java.fc 2006-08-10 15:37:22.000000000 -0400
+@@ -10,3 +10,4 @@
+ /usr/lib(.*/)?bin/java([^/]*)? -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
+ /usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
++/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-2.3.6/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2006-08-08 14:59:36.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/apps/mozilla.if 2006-08-08 16:15:43.000000000 -0400
@@ -212,10 +418,79 @@
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.3.6/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-08-02 10:34:05.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/kernel/devices.fc 2006-08-10 14:22:57.000000000 -0400
+@@ -37,7 +37,7 @@
+ /dev/mpu401.* -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/null -c gen_context(system_u:object_r:null_device_t,s0)
+ /dev/nvidia.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
+-/dev/nvram -c gen_context(system_u:object_r:memory_device_t,s15:c0.c255)
++/dev/nvram -c gen_context(system_u:object_r:bios_device_t,s15:c0.c255)
+ /dev/par.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/patmgr[01] -c gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/pmu -c gen_context(system_u:object_r:power_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.3.6/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-08-02 10:34:05.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/kernel/devices.if 2006-08-10 14:25:22.000000000 -0400
+@@ -2992,3 +2992,40 @@
+
+ typeattribute $1 devices_unconfined_type;
+ ')
++
++########################################
++## <summary>
++## read bios memory devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_read_bios',`
++ gen_require(`
++ type bios_device_t;
++ ')
++
++ allow $1 bios_device_t:chr_file r_file_perms;
++')
++
++########################################
++## <summary>
++## write bios memory devices.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`dev_write_bios',`
++ gen_require(`
++ type bios_device_t;
++ ')
++
++ allow $1 bios_device_t:chr_file write;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.te serefpolicy-2.3.6/policy/modules/kernel/devices.te
--- nsaserefpolicy/policy/modules/kernel/devices.te 2006-08-02 10:34:05.000000000 -0400
-+++ serefpolicy-2.3.6/policy/modules/kernel/devices.te 2006-08-08 16:15:43.000000000 -0400
-@@ -166,7 +166,7 @@
++++ serefpolicy-2.3.6/policy/modules/kernel/devices.te 2006-08-10 14:22:36.000000000 -0400
+@@ -72,6 +72,12 @@
+ dev_node(lvm_control_t)
+
+ #
++# bios_device_t is the type of /dev/nvram
++#
++type bios_device_t;
++dev_node(bios_device_t)
++
++#
+ # memory_device_t is the type of /dev/kmem,
+ # /dev/mem and /dev/port.
+ #
+@@ -166,7 +172,7 @@
dev_node(vmware_device_t)
type watchdog_device_t;
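Review bot: `dev_write_bios` grants only `write` on `bios_device_t:chr_file`, whereas the read interface grants `r_file_perms`; a domain that opens /dev/nvram for writing normally also needs `getattr`, so `allow $1 bios_device_t:chr_file { getattr write };` is the safer minimum. Retyping /dev/nvram from `memory_device_t` to `bios_device_t` is a good separation (raw memory access no longer implies NVRAM access), but it also silently removes NVRAM access from every domain that reached it through the `dev_*_raw_memory` interfaces — whichever of those domains actually touch /dev/nvram now need `dev_read_bios`/`dev_write_bios` calls, and nothing in this patch beyond bootloader.te adds them. The interface summaries should be capitalised to match the rest of devices.if (`## Read the BIOS memory device (/dev/nvram).`).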
@@ -536,7 +811,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.6/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.6/policy/modules/services/cups.te 2006-08-08 16:15:43.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/services/cups.te 2006-08-10 15:07:59.000000000 -0400
@@ -74,13 +74,14 @@
#
@@ -572,6 +847,30 @@
sysnet_read_config(cupsd_t)
+@@ -232,6 +236,15 @@
+ ')
+
+ optional_policy(`
++ apm_domtrans_client(cupsd_t)
++')
++
++optional_policy(`
++ logrotate_domtrans(cupsd_t)
++')
++
++
++optional_policy(`
+ cron_system_entry(cupsd_t, cupsd_exec_t)
+ ')
+
+@@ -419,6 +432,7 @@
+ term_use_generic_ptys(cupsd_config_t)
+
+ unconfined_rw_pipes(cupsd_config_t)
++ unconfined_rw_pipes(cupsd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.3.6/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/services/cyrus.te 2006-08-09 12:58:45.000000000 -0400
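Review bot: `logrotate_domtrans(cupsd_t)` lets cupsd transition into `logrotate_t` whenever it executes the logrotate binary; since logrotate_t can manage all log files and signal or restart other services, this is a much wider grant than cupsd rotating its own logs, and the hunk carries no comment on which cups code path execs logrotate. If it is needed, a one-line comment above the block would help (`# cupsd runs logrotate on its own log files — confirm`), otherwise consider managing cups log files from cupsd_t directly. Minor: there is a doubled blank line before the `cron_system_entry` block, and the `unconfined_rw_pipes(cupsd_t)` line is added inside an optional block whose opening is outside the hunk.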
@@ -618,6 +917,18 @@
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-2.3.6/policy/modules/services/mta.fc
+--- nsaserefpolicy/policy/modules/services/mta.fc 2006-08-02 10:34:07.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/services/mta.fc 2006-08-10 10:10:26.000000000 -0400
+@@ -2,6 +2,8 @@
+ /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ /etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0)
++/etc/mail/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0)
++/etc/mail/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0)
+ ifdef(`distro_redhat',`
+ /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-2.3.6/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/services/nis.te 2006-08-08 16:15:43.000000000 -0400
@@ -642,6 +953,18 @@
dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
allow ntpd_t self:fifo_file { read write getattr };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.3.6/policy/modules/services/openvpn.te
+--- nsaserefpolicy/policy/modules/services/openvpn.te 2006-08-02 10:34:07.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/services/openvpn.te 2006-08-10 09:10:52.000000000 -0400
+@@ -33,7 +33,7 @@
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow openvpn_t self:udp_socket create_socket_perms;
+ allow openvpn_t self:tcp_socket create_socket_perms;
+-allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
++allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ allow openvpn_t openvpn_etc_t:dir r_dir_perms;
+ allow openvpn_t openvpn_etc_t:file r_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.6/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2006-07-14 17:04:41.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/services/pegasus.if 2006-08-08 16:15:43.000000000 -0400
@@ -748,7 +1071,16 @@
corenet_tcp_sendrecv_all_nodes(procmail_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.3.6/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.6/policy/modules/services/samba.te 2006-08-08 16:15:43.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/services/samba.te 2006-08-10 09:22:27.000000000 -0400
+@@ -171,7 +171,7 @@
+ #
+ # smbd Local policy
+ #
+-allow smbd_t self:capability { setgid setuid sys_resource lease dac_override dac_read_search };
++allow smbd_t self:capability { fowner setgid setuid sys_resource lease dac_override dac_read_search };
+ dontaudit smbd_t self:capability sys_tty_config;
+ allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow smbd_t self:process setrlimit;
@@ -191,7 +191,7 @@
allow smbd_t samba_etc_t:dir rw_dir_perms;
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
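Review bot: `fowner` is added to the smbd_t capability set without a comment; CAP_FOWNER lets smbd change mode, ACLs and timestamps on files it does not own, which is a meaningful widening on shares even though `dac_override` is already present. A short why-comment on the line above would document the requirement, e.g. `# fowner: smbd sets mode/times on files owned by other users — confirm which share operation needs it`.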
@@ -924,14 +1256,22 @@
allow squid_t self:fd use;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.3.6/policy/modules/services/ssh.if
--- nsaserefpolicy/policy/modules/services/ssh.if 2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.6/policy/modules/services/ssh.if 2006-08-08 16:15:43.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/services/ssh.if 2006-08-10 12:38:16.000000000 -0400
@@ -1,5 +1,4 @@
## <summary>Secure shell client and server policy.</summary>
-
#######################################
## <summary>
## Basic SSH client template.
-@@ -717,3 +716,27 @@
+@@ -330,7 +329,6 @@
+ allow $1_ssh_agent_t $1_ssh_agent_tmp_t:dir manage_dir_perms;
+ allow $1_ssh_agent_t $1_ssh_agent_tmp_t:sock_file manage_file_perms;
+ files_tmp_filetrans($1_ssh_agent_t,$1_ssh_agent_tmp_t,{ dir sock_file })
+-
+ # for ssh-add
+ allow $2 $1_ssh_agent_t:unix_stream_socket connectto;
+ allow $2 $1_ssh_agent_tmp_t:sock_file write;
+@@ -717,3 +715,27 @@
dontaudit $1 sshd_key_t:file { getattr read };
')
@@ -959,6 +1299,32 @@
+ allow ssh_keygen_t $1:fifo_file rw_file_perms;
+ allow ssh_keygen_t $1:process sigchld;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.3.6/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te 2006-08-02 10:34:07.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/services/ssh.te 2006-08-10 11:38:43.000000000 -0400
+@@ -39,6 +39,9 @@
+ type ssh_agent_exec_t;
+ files_type(ssh_agent_exec_t)
+
++ type ssh_agent_tmp_t;
++ files_tmp_file(ssh_agent_tmp_t)
++
+ type ssh_keygen_t;
+ init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+ role system_r types ssh_keygen_t;
+@@ -61,6 +64,12 @@
+
+ type sshd_tmp_t;
+ files_tmp_file(sshd_tmp_t)
++
++ allow ssh_agent_t ssh_agent_tmp_t:dir create_dir_perms;
++ allow ssh_agent_t ssh_agent_tmp_t:file create_file_perms;
++ allow ssh_agent_t ssh_agent_tmp_t:sock_file create_file_perms;
++ files_tmp_filetrans(ssh_agent_t, tmp_t, { dir file sock_file })
++
+ ')
+
+ #################################
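Review bot: `files_tmp_filetrans(ssh_agent_t, tmp_t, { dir file sock_file })` passes the generic `tmp_t` as the target type instead of the newly declared `ssh_agent_tmp_t`; `tmp_t` belongs to the files module and is not required here, so the module either fails to build or the transition is a no-op and the agent's sockets stay `tmp_t`, defeating the new type entirely. The template version in ssh.if in this same patch has it right (`files_tmp_filetrans($1_ssh_agent_t,$1_ssh_agent_tmp_t,{ dir sock_file })`), so the line should read `files_tmp_filetrans(ssh_agent_t, ssh_agent_tmp_t, { dir file sock_file })`. The allow rules also use `create_file_perms` where ssh.if uses `manage_dir_perms`/`manage_file_perms`, so the agent may be unable to unlink its socket on exit; the block sits inside a conditional whose opening is outside this hunk.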
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-2.3.6/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te 2006-08-02 10:34:07.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/services/stunnel.te 2006-08-08 16:15:43.000000000 -0400
@@ -1158,6 +1524,17 @@
unconfined_domain_noaudit(xdm_xserver_t)
unconfined_domtrans(xdm_xserver_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.3.6/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-08-02 10:34:09.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/system/authlogin.te 2006-08-10 13:18:13.000000000 -0400
+@@ -273,6 +273,7 @@
+
+ term_dontaudit_use_unallocated_ttys(system_chkpwd_t)
+ term_dontaudit_use_generic_ptys(system_chkpwd_t)
++term_dontaudit_use_all_user_ttys(system_chkpwd_t)
+
+ userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.3.6/policy/modules/system/fstools.te
--- nsaserefpolicy/policy/modules/system/fstools.te 2006-08-02 10:34:08.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/system/fstools.te 2006-08-08 16:15:43.000000000 -0400
@@ -1350,6 +1727,17 @@
## Allow process to read legacy time localization info
## </summary>
## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.3.6/policy/modules/system/modutils.te
+--- nsaserefpolicy/policy/modules/system/modutils.te 2006-08-02 10:34:08.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/system/modutils.te 2006-08-10 13:13:14.000000000 -0400
+@@ -183,6 +183,7 @@
+ fs_getattr_xattr_fs(depmod_t)
+
+ term_use_console(depmod_t)
++term_use_all_terms(depmod_t)
+
+ corecmd_search_bin(depmod_t)
+ corecmd_search_sbin(depmod_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.3.6/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2006-07-14 17:04:44.000000000 -0400
+++ serefpolicy-2.3.6/policy/modules/system/mount.te 2006-08-08 16:38:58.000000000 -0400
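Review bot: `term_use_all_terms(depmod_t)` grants depmod read/write on every tty and pty type in the policy, which is broader than the stated neighbour `term_use_console(depmod_t)`; if the need is only to print diagnostics on the terminal depmod was started from, a user-terminal interface (the terminal module provides `term_dontaudit_use_all_user_ttys` per the authlogin hunk, so a `term_use_all_user_ttys`/`_ptys` pair presumably exists — confirm) would be narrower. A comment such as `# depmod writes warnings to the invoking terminal` would record the intent either way.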
@@ -1890,7 +2278,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-07-14 17:04:43.000000000 -0400
-+++ serefpolicy-2.3.6/policy/modules/system/userdomain.te 2006-08-08 16:15:43.000000000 -0400
++++ serefpolicy-2.3.6/policy/modules/system/userdomain.te 2006-08-10 13:44:38.000000000 -0400
@@ -56,14 +56,6 @@
# Local policy
#
@@ -1906,15 +2294,6 @@
ifdef(`targeted_policy',`
# Define some type aliases to help with compatibility with
# macros and domains from the "strict" policy.
-@@ -85,7 +77,7 @@
- # compatibility for switching from strict
- # dominance { role secadm_r { role system_r; }}
- # dominance { role auditadm_r { role system_r; }}
--# dominance { role sysadm_r { role system_r; }}
-+ dominance { role sysadm_r { role system_r; }}
- # dominance { role user_r { role system_r; }}
- # dominance { role staff_r { role system_r; }}
-
@@ -124,34 +116,34 @@
# user role change rules:
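Review bot: Uncommenting `dominance { role sysadm_r { role system_r; }}` makes sysadm_r inherit every type authorized for system_r, so an administrator session can enter any daemon domain directly without a role change; that is a real widening of the role model and deserves a comment stating why only sysadm_r (and not the other still-commented roles) gets it. Role dominance is also treated as deprecated by later checkpolicy versions, so it may be worth noting the intended replacement. The surrounding conditional block begins outside this hunk.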
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.248
retrieving revision 1.249
diff -u -r1.248 -r1.249
--- selinux-policy.spec 9 Aug 2006 19:14:24 -0000 1.248
+++ selinux-policy.spec 11 Aug 2006 03:11:59 -0000 1.249
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.3.6
-Release: 2
+Release: 3
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -347,6 +347,9 @@
%endif
%changelog
+* Th Aug 10 2006 Dan Walsh <dwalsh at redhat.com> 2.3.6-3
+- Misc fixes
+
* Wed Aug 9 2006 Dan Walsh <dwalsh at redhat.com> 2.3.6-2
- More fixes for strict policy
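Review bot: The new %changelog entry `* Th Aug 10 2006 Dan Walsh <dwalsh at redhat.com> 2.3.6-3` uses a two-letter weekday; rpm expects the three-letter form and reports "bogus date in %changelog" for this line. The entry should read `* Thu Aug 10 2006 Dan Walsh <dwalsh at redhat.com> 2.3.6-3`, matching the `* Wed Aug 9 2006` entry below it.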