rpms/selinux-policy/FC-5 policy-20060822.patch,1.2,1.3
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Aug 29 22:59:57 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv29894
Modified Files:
policy-20060822.patch
Log Message:
* Mon Aug 28 2006 Dan Walsh <dwalsh at redhat.com> 2.3.7-3.fc5
- Backport some fixes for FC5 from rawhide
policy-20060822.patch:
mls | 9 -
modules/admin/amanda.fc | 51 -------
modules/admin/anaconda.te | 20 ++-
modules/admin/bootloader.te | 4
modules/admin/consoletype.te | 11 +
modules/admin/firstboot.te | 2
modules/admin/prelink.te | 3
modules/admin/rpm.fc | 2
modules/admin/rpm.if | 13 +
modules/admin/usermanage.te | 5
modules/apps/java.fc | 9 +
modules/apps/mozilla.if | 2
modules/apps/wine.te | 2
modules/kernel/corecommands.fc | 1
modules/kernel/corecommands.if | 1
modules/kernel/corenetwork.te.in | 7 -
modules/kernel/devices.fc | 4
modules/kernel/devices.if | 37 +++++
modules/kernel/devices.te | 8 +
modules/kernel/files.if | 18 ++
modules/kernel/filesystem.te | 2
modules/kernel/kernel.if | 75 +++++++++++
modules/kernel/terminal.if | 19 ++
modules/services/afs.te | 14 --
modules/services/amavis.te | 7 +
modules/services/apache.te | 5
modules/services/avahi.te | 2
modules/services/bind.te | 1
modules/services/bluetooth.te | 5
modules/services/clamav.if | 1
modules/services/cpucontrol.te | 2
modules/services/cron.if | 18 ++
modules/services/cron.te | 9 -
modules/services/cups.te | 31 +++-
modules/services/cyrus.te | 5
modules/services/dbus.if | 6
modules/services/dovecot.te | 2
modules/services/gatekeeper.te | 15 --
modules/services/inn.te | 1
modules/services/ldap.te | 2
modules/services/mta.fc | 2
modules/services/networkmanager.te | 2
modules/services/ntp.te | 2
modules/services/openvpn.te | 2
modules/services/pegasus.if | 31 ++++
modules/services/pegasus.te | 5
modules/services/postfix.te | 7 +
modules/services/postgresql.te | 1
modules/services/procmail.te | 1
modules/services/radius.te | 2
modules/services/rpc.if | 2
modules/services/rpc.te | 7 -
modules/services/samba.te | 8 -
modules/services/setroubleshoot.fc | 9 +
modules/services/setroubleshoot.if | 3
modules/services/setroubleshoot.te | 112 ++++++++++++++++
modules/services/spamassassin.te | 5
modules/services/squid.te | 4
modules/services/ssh.if | 24 +++
modules/services/ssh.te | 85 ++++++------
modules/services/stunnel.te | 6
modules/services/sysstat.te | 3
modules/services/xserver.if | 68 +++++++++-
modules/services/xserver.te | 15 +-
modules/system/authlogin.if | 21 ---
modules/system/authlogin.te | 1
modules/system/fstools.te | 1
modules/system/hostname.te | 10 +
modules/system/init.if | 7 -
modules/system/init.te | 2
modules/system/libraries.fc | 19 ++
modules/system/locallogin.te | 4
modules/system/logging.fc | 3
modules/system/logging.if | 21 +++
modules/system/logging.te | 11 +
modules/system/lvm.fc | 2
modules/system/lvm.te | 6
modules/system/miscfiles.fc | 1
modules/system/miscfiles.if | 18 ++
modules/system/modutils.te | 1
modules/system/mount.te | 7 +
modules/system/selinuxutil.te | 15 ++
modules/system/udev.fc | 1
modules/system/udev.te | 1
modules/system/unconfined.fc | 1
modules/system/unconfined.if | 2
modules/system/unconfined.te | 9 -
modules/system/userdomain.if | 246 ++++++++++++++++++++++++-------------
modules/system/userdomain.te | 48 +++----
modules/system/xen.if | 38 +++++
modules/system/xen.te | 26 +++
91 files changed, 1008 insertions(+), 351 deletions(-)
Index: policy-20060822.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/policy-20060822.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- policy-20060822.patch 28 Aug 2006 19:31:07 -0000 1.2
+++ policy-20060822.patch 29 Aug 2006 22:59:55 -0000 1.3
@@ -1119,6 +1119,18 @@
ifdef(`distro_redhat',`
/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.3.7/policy/modules/services/networkmanager.te
+--- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-08-12 06:57:28.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/services/networkmanager.te 2006-08-28 15:31:53.000000000 -0400
+@@ -20,7 +20,7 @@
+
+ allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock};
+ dontaudit NetworkManager_t self:capability sys_tty_config;
+-allow NetworkManager_t self:process { setcap getsched signal_perms };
++allow NetworkManager_t self:process { setcap getsched signal_perms ptrace };
+ allow NetworkManager_t self:fifo_file rw_file_perms;
+ allow NetworkManager_t self:unix_dgram_socket { sendto create_socket_perms };
+ allow NetworkManager_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-2.3.7/policy/modules/services/ntp.te
--- nsaserefpolicy/policy/modules/services/ntp.te 2006-08-12 06:57:20.000000000 -0400
+++ serefpolicy-2.3.7/policy/modules/services/ntp.te 2006-08-28 14:20:46.000000000 -0400
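Review bot: The `ptrace` permission added to `allow NetworkManager_t self:process { setcap getsched signal_perms ptrace };` widens the domain with no comment saying what needs it. On `self` it lets any process running as NetworkManager_t trace another process of the same type, and the context line above shows this domain already holds `dac_override`, `net_admin` and `net_raw`, so the grant deserves a stated reason. If it was added only to quiet an AVC denial and nothing functionally depends on it, `dontaudit NetworkManager_t self:process ptrace;` would be the narrower choice. Otherwise put a line such as `# ptrace on self: required by <component that triggers the denial>` above the rule.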
@@ -1488,8 +1500,16 @@
+files_getattr_all_dirs(setroubleshootd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.3.7/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-08-12 06:57:20.000000000 -0400
-+++ serefpolicy-2.3.7/policy/modules/services/spamassassin.te 2006-08-28 14:20:46.000000000 -0400
-@@ -194,3 +194,7 @@
++++ serefpolicy-2.3.7/policy/modules/services/spamassassin.te 2006-08-29 18:51:34.000000000 -0400
+@@ -135,6 +135,7 @@
+ term_dontaudit_use_generic_ptys(spamd_t)
+ files_dontaudit_read_root_files(spamd_t)
+ tunable_policy(`spamd_enable_home_dirs',`
++ userdom_home_filetrans_generic_user_home_dir(spamd_t)
+ userdom_manage_generic_user_home_content_dirs(spamd_t)
+ userdom_manage_generic_user_home_content_files(spamd_t)
+ userdom_manage_generic_user_home_content_symlinks(spamd_t)
+@@ -194,3 +195,7 @@
optional_policy(`
udev_read_db(spamd_t)
')
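Review bot: `userdom_home_filetrans_generic_user_home_dir(spamd_t)` is added inside the spamd_enable_home_dirs tunable block without a comment, and it looks broader than the three `userdom_manage_generic_user_home_content_*` calls that follow it. Judging by the interface name, it lets spamd_t create entries in the home root that are labelled as a generic user home directory, rather than only manage content inside an existing one; confirm this against userdomain.if, which is not part of this hunk. Since spamd processes untrusted mail, record the reason next to the call, for example `# spamd creates <object> in the home root when spamd_enable_home_dirs is on`. The spamassassin.te section continues past the visible lines.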
@@ -1543,6 +1563,133 @@
+ allow ssh_keygen_t $1:fifo_file rw_file_perms;
+ allow ssh_keygen_t $1:process sigchld;
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.3.7/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te 2006-08-12 06:57:20.000000000 -0400
++++ serefpolicy-2.3.7/policy/modules/services/ssh.te 2006-08-28 17:23:55.000000000 -0400
+@@ -12,8 +12,10 @@
+ type ssh_exec_t;
+ corecmd_executable_file(ssh_exec_t)
+
++type ssh_keygen_t;
+ type ssh_keygen_exec_t;
+ corecmd_executable_file(ssh_keygen_exec_t)
++init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+
+ type ssh_keysign_exec_t;
+ corecmd_executable_file(ssh_keysign_exec_t)
+@@ -39,10 +41,6 @@
+ type ssh_agent_exec_t;
+ files_type(ssh_agent_exec_t)
+
+- type ssh_keygen_t;
+- init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)
+- role system_r types ssh_keygen_t;
+-
+ ssh_server_template(sshd)
+ ssh_server_template(sshd_extern)
+
+@@ -200,62 +198,61 @@
+ # ssh_keygen local policy
+ #
+
+-ifdef(`targeted_policy',`',`
+- # ssh_keygen_t is the type of the ssh-keygen program when run at install time
+- # and by sysadm_t
++# ssh_keygen_t is the type of the ssh-keygen program when run at install time
++# and by sysadm_t
+
+- dontaudit ssh_keygen_t self:capability sys_tty_config;
+- allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
++dontaudit ssh_keygen_t self:capability sys_tty_config;
++allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal };
+
+- allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
++allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms;
+
+- allow ssh_keygen_t sshd_key_t:file create_file_perms;
+- files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
++allow ssh_keygen_t sshd_key_t:file create_file_perms;
++files_etc_filetrans(ssh_keygen_t,sshd_key_t,file)
+
+- kernel_read_kernel_sysctls(ssh_keygen_t)
++kernel_read_kernel_sysctls(ssh_keygen_t)
+
+- fs_search_auto_mountpoints(ssh_keygen_t)
++fs_search_auto_mountpoints(ssh_keygen_t)
+
+- dev_read_sysfs(ssh_keygen_t)
+- dev_read_urand(ssh_keygen_t)
++dev_read_sysfs(ssh_keygen_t)
++dev_read_urand(ssh_keygen_t)
+
+- term_dontaudit_use_console(ssh_keygen_t)
++term_dontaudit_use_console(ssh_keygen_t)
+
+- domain_use_interactive_fds(ssh_keygen_t)
++domain_use_interactive_fds(ssh_keygen_t)
+
+- files_read_etc_files(ssh_keygen_t)
++files_read_etc_files(ssh_keygen_t)
+
+- init_use_fds(ssh_keygen_t)
+- init_use_script_ptys(ssh_keygen_t)
++init_use_fds(ssh_keygen_t)
++init_use_script_ptys(ssh_keygen_t)
+
+- libs_use_ld_so(ssh_keygen_t)
+- libs_use_shared_libs(ssh_keygen_t)
++libs_use_ld_so(ssh_keygen_t)
++libs_use_shared_libs(ssh_keygen_t)
+
+- logging_send_syslog_msg(ssh_keygen_t)
++logging_send_syslog_msg(ssh_keygen_t)
+
+- allow ssh_keygen_t proc_t:dir r_dir_perms;
+- allow ssh_keygen_t proc_t:lnk_file read;
++allow ssh_keygen_t proc_t:dir r_dir_perms;
++allow ssh_keygen_t proc_t:lnk_file read;
+
+- userdom_use_sysadm_ttys(ssh_keygen_t)
+- userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
++userdom_use_sysadm_ttys(ssh_keygen_t)
++userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t)
+
+- # cjp: with the old daemon_(base_)domain being broken up into
+- # a daemon and system interface, this probably is not needed:
+- ifdef(`direct_sysadm_daemon',`
+- userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
+- ')
++# cjp: with the old daemon_(base_)domain being broken up into
++# a daemon and system interface, this probably is not needed:
++ifdef(`direct_sysadm_daemon',`
++ userdom_dontaudit_use_sysadm_terms(ssh_keygen_t)
++')
+
+- ifdef(`targeted_policy', `
+- term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
+- term_dontaudit_use_generic_ptys(ssh_keygen_t)
+- files_dontaudit_read_root_files(ssh_keygen_t)
+- ')
++ifdef(`targeted_policy', `
++ term_dontaudit_use_unallocated_ttys(ssh_keygen_t)
++ term_dontaudit_use_generic_ptys(ssh_keygen_t)
++ files_dontaudit_read_root_files(ssh_keygen_t)
++')
+
+- optional_policy(`
+- seutil_sigchld_newrole(ssh_keygen_t)
+- ')
++optional_policy(`
++ seutil_sigchld_newrole(ssh_keygen_t)
++')
+
+- optional_policy(`
+- udev_read_db(ssh_keygen_t)
+- ')
++optional_policy(`
++ udev_read_db(ssh_keygen_t)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/stunnel.te serefpolicy-2.3.7/policy/modules/services/stunnel.te
--- nsaserefpolicy/policy/modules/services/stunnel.te 2006-08-12 06:57:28.000000000 -0400
+++ serefpolicy-2.3.7/policy/modules/services/stunnel.te 2006-08-28 14:20:46.000000000 -0400
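Review bot: The comment kept as `# ssh_keygen_t is the type of the ssh-keygen program when run at install time` / `# and by sysadm_t` no longer describes the rules it heads. With the outer ifdef on targeted_policy removed, the whole ssh_keygen_t block, including `allow ssh_keygen_t sshd_key_t:file create_file_perms;`, now also applies to the targeted policy, and the type is declared through `init_system_domain(ssh_keygen_t,ssh_keygen_exec_t)`. Because this domain writes sshd key files, the comment should say how the domain is entered and that it is confined in both policy types, for example `# ssh_keygen_t: ssh-keygen started from init scripts; writes sshd_key_t files; defined for strict and targeted`. The explicit `role system_r types ssh_keygen_t;` is also dropped; presumably `init_system_domain` supplies that role association, but init.if is not visible here, so that is worth confirming.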