rpms/selinux-policy/devel policy-20061106.patch, 1.30, 1.31 selinux-policy.spec, 1.357, 1.358
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Dec 1 21:52:10 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv15646
Modified Files:
policy-20061106.patch selinux-policy.spec
Log Message:
* Fri Dec 1 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-5
- More fixes for quota
Resolves: #212957
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 2
policy/global_tunables | 46 ++++
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.te | 4
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 9
policy/modules/admin/quota.te | 20 +
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 ++
policy/modules/admin/rpm.te | 41 +--
policy/modules/admin/usermanage.te | 3
policy/modules/apps/java.fc | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 30 ++
policy/modules/kernel/corenetwork.te.in | 15 +
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 108 +++++++++-
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 +
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 21 ++
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.if | 26 --
policy/modules/services/cron.te | 7
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 12 +
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11 -
policy/modules/services/lpd.if | 52 ++--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 5
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15 -
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 ++
policy/modules/services/pcscd.te | 58 +++++
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13 +
policy/modules/services/procmail.te | 16 +
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 5
policy/modules/services/ssh.te | 3
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++++
policy/modules/services/uucp.te | 44 +++-
policy/modules/services/xserver.if | 40 +++
policy/modules/system/authlogin.if | 14 +
policy/modules/system/authlogin.te | 5
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.te | 17 +
policy/modules/system/iptables.te | 6
policy/modules/system/libraries.fc | 26 +-
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 +++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++++
policy/modules/system/miscfiles.fc | 1
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 109 ++++++++++
policy/modules/system/selinuxutil.te | 105 ++--------
policy/modules/system/sysnetwork.te | 3
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 15 +
policy/modules/system/userdomain.if | 336 +++++++++++++++++++++++++++-----
policy/modules/system/userdomain.te | 10
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 +++
115 files changed, 1557 insertions(+), 340 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- policy-20061106.patch 1 Dec 2006 17:58:00 -0000 1.30
+++ policy-20061106.patch 1 Dec 2006 21:52:08 -0000 1.31
@@ -12,8 +12,23 @@
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/global_tunables 2006-11-30 17:03:20.000000000 -0500
-@@ -574,6 +574,13 @@
++++ serefpolicy-2.4.6/policy/global_tunables 2006-12-01 15:25:57.000000000 -0500
+@@ -82,6 +82,14 @@
+
+ ## <desc>
+ ## <p>
++## Allow ftp servers to login to local users and
++## read/write all files on the system, governed by DAC.
++## </p>
++## </desc>
++gen_tunable(allow_ftpd_full_access,false)
++
++## <desc>
++## <p>
+ ## Allow gssd to read temp directory.
+ ## </p>
+ ## </desc>
+@@ -574,6 +582,13 @@
gen_tunable(xdm_sysadm_login,false)
')
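Review bot: The description added for `allow_ftpd_full_access` does not match what the boolean grants in the ftp.te part of this patch. It says "read/write all files on the system", while the rule behind it is `auth_manage_all_files_except_shadow(ftpd_t)`, which by its name excludes shadow files and, being a manage interface, presumably also covers creating and deleting files. An administrator deciding whether to enable the boolean sees only this text, so it should state the real scope, for example `## Allow ftp servers to log in as local users and manage (create, modify, delete) all files except shadow, subject to DAC.` The default of `false` is appropriate for a grant this wide and should stay.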
@@ -27,7 +42,7 @@
########################################
#
# Targeted policy specific
-@@ -589,6 +596,13 @@
+@@ -589,6 +604,13 @@
## <desc>
## <p>
@@ -41,7 +56,7 @@
## Allow mount to mount any file
## </p>
## </desc>
-@@ -596,8 +610,30 @@
+@@ -596,8 +618,30 @@
## <desc>
## <p>
@@ -279,8 +294,15 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/quota.te serefpolicy-2.4.6/policy/modules/admin/quota.te
--- nsaserefpolicy/policy/modules/admin/quota.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/quota.te 2006-11-30 17:03:20.000000000 -0500
-@@ -27,9 +27,12 @@
++++ serefpolicy-2.4.6/policy/modules/admin/quota.te 2006-12-01 15:42:27.000000000 -0500
+@@ -21,15 +21,18 @@
+ allow quota_t self:process signal_perms;
+
+ # for /quota.*
+-allow quota_t quota_db_t:file { read write quotaon };
++allow quota_t quota_db_t:file { create_file_perms quotaon };
+
+ kernel_list_proc(quota_t)
kernel_read_proc_symlinks(quota_t)
kernel_read_kernel_sysctls(quota_t)
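Review bot: The widened rule `allow quota_t quota_db_t:file { create_file_perms quotaon };` lets quota_t create quota_db_t files, but the visible lines show no matching directory permission or type transition. Without one, a newly created quota file would likely take the type of its parent directory, and this rule would not apply to it. The rest of the inner hunk is outside this view; if it does not already add a file-transition rule to quota_db_t for the directories that hold the quota files, one is needed alongside this change. Since `create_file_perms` is a much broader set than the `read write` it replaces, a one-line comment above the rule naming the operation that required creation would help later audits.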
@@ -1327,7 +1349,7 @@
corecmd_read_bin_files($1_dbusd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.4.6/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2006-11-16 17:15:20.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/services/ftp.te 2006-12-01 11:58:00.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/services/ftp.te 2006-12-01 15:24:24.000000000 -0500
@@ -103,6 +103,7 @@
corenet_tcp_bind_ftp_port(ftpd_t)
corenet_tcp_bind_ftp_data_port(ftpd_t)
@@ -1344,6 +1366,34 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
+@@ -173,6 +175,11 @@
+ fs_manage_nfs_files(ftpd_t)
+ ')
+
++tunable_policy(`allow_ftpd_full_access',`
++ allow ftpd_t self:capability { dac_override dac_read_search };
++ auth_manage_all_files_except_shadow(ftpd_t)
++')
++
+ tunable_policy(`ftp_home_dir',`
+ allow ftpd_t self:capability { dac_override dac_read_search };
+
+@@ -182,10 +189,15 @@
+ userdom_manage_all_users_home_content_dirs(ftpd_t)
+ userdom_manage_all_users_home_content_files(ftpd_t)
+ userdom_manage_all_users_home_content_symlinks(ftpd_t)
++ auth_manage_all_files_except_shadow(ftpd_t)
+
+ ifdef(`targeted_policy',`
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(ftpd_t,{ dir file lnk_file sock_file fifo_file })
++ files_manage_generic_tmp_files(ftpd_t)
+ ')
++ auth_read_all_dirs_except_shadow(ftpd_t)
++ auth_read_all_files_except_shadow(ftpd_t)
++ auth_read_all_symlinks_except_shadow(ftpd_t)
+ ')
+
+ tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.4.6/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2006-11-16 17:15:20.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/services/hal.fc 2006-11-30 17:03:20.000000000 -0500
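Review bot: The second ftp.te hunk adds `auth_manage_all_files_except_shadow(ftpd_t)` and the three `auth_read_all_*_except_shadow(ftpd_t)` calls to what appears, from the context lines, to be the body of the `ftp_home_dir` tunable block. If so, enabling home-directory access would give ftpd_t the same system-wide file access that the new `allow_ftpd_full_access` boolean is meant to gate, and that boolean would no longer be a meaningful control. I would keep `auth_manage_all_files_except_shadow(ftpd_t)` only under `allow_ftpd_full_access` and leave `ftp_home_dir` limited to the `userdom_manage_all_users_home_content_*` interfaces. The read interfaces are also redundant next to the manage one. The `ftp_home_dir` block opens in the previous inner hunk, so its exact extent is inferred from context here.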
@@ -2338,7 +2388,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-01 12:43:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.if 2006-12-01 15:41:41.000000000 -0500
@@ -232,6 +232,14 @@
tunable_policy(`allow_polyinstantiation',`
@@ -2412,8 +2462,8 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/clock.te serefpolicy-2.4.6/policy/modules/system/clock.te
--- nsaserefpolicy/policy/modules/system/clock.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/clock.te 2006-11-30 17:03:20.000000000 -0500
-@@ -25,7 +25,7 @@
++++ serefpolicy-2.4.6/policy/modules/system/clock.te 2006-12-01 16:42:11.000000000 -0500
+@@ -25,16 +25,16 @@
dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
@@ -2422,9 +2472,11 @@
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
-@@ -34,7 +34,8 @@
- kernel_list_proc(hwclock_t)
- kernel_read_proc_symlinks(hwclock_t)
+
+ kernel_read_kernel_sysctls(hwclock_t)
+-kernel_list_proc(hwclock_t)
+-kernel_read_proc_symlinks(hwclock_t)
++kernel_read_system_state(hwclock_t)
-corecmd_search_bin(hwclock_t)
+corecmd_exec_bin(hwclock_t)
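Review bot: `kernel_read_system_state(hwclock_t)` replaces the narrower `kernel_list_proc(hwclock_t)` and `kernel_read_proc_symlinks(hwclock_t)` calls with no comment recording which /proc access hwclock was denied. The same applies to `corecmd_exec_bin(hwclock_t)`, which turns a search permission into an execute permission. Both widen a domain that runs with privileges over the system clock, so each line should carry a short rationale, for example `# hwclock reads <proc entry from the AVC denial>`, with the placeholder filled in from the actual denial. This keeps the grant reviewable and lets it be narrowed again later.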
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.357
retrieving revision 1.358
diff -u -r1.357 -r1.358
--- selinux-policy.spec 1 Dec 2006 17:58:00 -0000 1.357
+++ selinux-policy.spec 1 Dec 2006 21:52:08 -0000 1.358
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,10 @@
%endif
%changelog
+* Fri Dec 1 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-5
+- More fixes for quota
+Resolves: #212957
+
* Fri Dec 1 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-4
- ncsd needs to use avahi sockets
Resolves: #217640