rpms/selinux-policy/devel .cvsignore, 1.40, 1.41 modules-strict.conf, 1.6, 1.7 policy-20060207.patch, 1.11, 1.12 selinux-policy.spec, 1.111, 1.112 sources, 1.44, 1.45
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Feb 20 22:11:44 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv17190
Modified Files:
.cvsignore modules-strict.conf policy-20060207.patch
selinux-policy.spec sources
Log Message:
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- .cvsignore 19 Feb 2006 12:17:14 -0000 1.40
+++ .cvsignore 20 Feb 2006 22:11:40 -0000 1.41
@@ -41,3 +41,4 @@
serefpolicy-2.2.14.tgz
serefpolicy-2.2.15.tgz
serefpolicy-2.2.16.tgz
+serefpolicy-2.2.17.tgz
Index: modules-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-strict.conf,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- modules-strict.conf 19 Feb 2006 12:17:15 -0000 1.6
+++ modules-strict.conf 20 Feb 2006 22:11:40 -0000 1.7
@@ -1048,14 +1048,14 @@
#
# Common policy for authentication and user login.
#
-authlogin = module
+authlogin = base
# Layer: system
# Module: libraries
#
# Policy for system libraries.
#
-libraries = module
+libraries = base
# Layer: system
# Module: raid
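Review bot: The switch of `authlogin` and `libraries` from `module` to `base` is not explained anywhere in the file, and a base module cannot be disabled, removed or upgraded on its own with semodule, so the reason belongs in the existing comment block above each entry — presumably the new semodule/selinuxutil policy or other base modules now require types these modules declare, but that needs confirming. Something like `# Built into base: its types are required by other base modules.` above `authlogin = base` (and the same above `libraries = base`) would keep the next reader from flipping them back.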
policy-20060207.patch:
policy/modules/admin/su.if | 19 ++----
policy/modules/apps/slocate.te | 2
policy/modules/kernel/devices.if | 39 ++++++++++++++
policy/modules/services/cron.if | 2
policy/modules/services/cron.te | 4 +
policy/modules/services/cups.if | 19 ++++++
policy/modules/services/spamassassin.te | 1
policy/modules/services/ssh.if | 2
policy/modules/system/authlogin.te | 2
policy/modules/system/mount.te | 2
policy/modules/system/selinuxutil.fc | 7 ++
policy/modules/system/selinuxutil.if | 87 ++++++++++++++++++++++++++++++++
policy/modules/system/selinuxutil.te | 72 ++++++++++++++++++++++++--
policy/modules/system/userdomain.if | 24 ++++++++
policy/modules/system/userdomain.te | 2
support/Makefile.devel | 12 +++-
16 files changed, 277 insertions(+), 19 deletions(-)
Index: policy-20060207.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060207.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20060207.patch 19 Feb 2006 12:17:15 -0000 1.11
+++ policy-20060207.patch 20 Feb 2006 22:11:40 -0000 1.12
@@ -1,112 +1,134 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.16/policy/global_tunables
---- nsaserefpolicy/policy/global_tunables 2006-02-16 09:05:13.000000000 -0500
-+++ serefpolicy-2.2.16/policy/global_tunables 2006-02-19 07:09:54.000000000 -0500
-@@ -469,3 +469,11 @@
- ## </desc>
- gen_tunable(xdm_sysadm_login,false)
- ')
-+
-+## <desc>
-+## <p>
-+## Allow spammd to read/write user home directories.
-+## </p>
-+## </desc>
-+gen_tunable(spamd_enable_home_dirs,true)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.if serefpolicy-2.2.16/policy/modules/admin/amanda.if
---- nsaserefpolicy/policy/modules/admin/amanda.if 2006-02-10 21:34:11.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/admin/amanda.if 2006-02-19 07:09:54.000000000 -0500
-@@ -90,3 +90,40 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.2.17/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if 2006-02-14 07:20:23.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/admin/su.if 2006-02-20 16:22:06.000000000 -0500
+@@ -220,6 +220,14 @@
+ nscd_socket_use($1_su_t)
+ ')
- dontaudit $1 amanda_dumpdates_t:file { getattr read };
- ')
++ # Modify .Xauthority file (via xauth program).
++ optional_policy(`xserver',`
++# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
++# file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
++# file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
++ xserver_domtrans_user_xauth($1, $1_su_t)
++ ')
+
-+########################################
-+## <summary>
-+## Allow read/writing /etc/dumpdates.
+ ifdef(`TODO',`
+ # Caused by su - init scripts
+ dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
+@@ -235,17 +243,6 @@
+ dontaudit $1_su_t home_dir_type:dir { search write };
+ ')
+
+- # Modify .Xauthority file (via xauth program).
+- ifdef(`xauth.te', `
+- file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
+- file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
+- file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
+- domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
+- ')
+-
+- ifdef(`cyrus.te', `
+- allow $1_su_t cyrus_var_lib_t:dir search;
+- ')
+ ifdef(`ssh.te', `
+ # Access sshd cookie files.
+ allow $1_su_t sshd_tmp_t:file rw_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.2.17/policy/modules/apps/slocate.te
+--- nsaserefpolicy/policy/modules/apps/slocate.te 2006-01-25 15:58:58.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/apps/slocate.te 2006-02-20 16:22:06.000000000 -0500
+@@ -36,6 +36,8 @@
+
+ files_list_all(locate_t)
+ files_getattr_all_files(locate_t)
++# mls Higher level directories will be refused, so dontaudit
++files_dontaudit_getattr_all_dirs(locate_t)
+ files_read_etc_runtime_files(locate_t)
+ files_read_etc_files(locate_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-2.2.17/policy/modules/kernel/devices.if
+--- nsaserefpolicy/policy/modules/kernel/devices.if 2006-02-20 14:07:36.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/kernel/devices.if 2006-02-20 16:22:06.000000000 -0500
+@@ -1115,6 +1115,45 @@
+
+ ########################################
+ ## <summary>
++## Setattr the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to allow
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`amanda_rw_dumpdates_files',`
++interface(`dev_setattr_dri_dev',`
+ gen_require(`
-+ type amanda_dumpdates_t;
++ type device_t, dri_device_t;
+ ')
+
-+ allow $1 amanda_dumpdates_t:file rw_file_perms;
++ allow $1 device_t:dir r_dir_perms;
++ allow $1 dri_device_t:chr_file setattr;
+')
++
+########################################
+## <summary>
-+## Allow read/writing amanda logs
++## getattr the dri devices.
+## </summary>
+## <param name="domain">
+## <summary>
-+## Domain to allow
++## Domain allowed access.
+## </summary>
+## </param>
+#
-+interface(`amanda_append_log_files',`
++interface(`dev_getattr_dri_dev',`
+ gen_require(`
-+ type amanda_log_t;
++ type device_t, dri_device_t;
+ ')
+
-+ allow $1 amanda_log_t:file ra_file_perms;
++ allow $1 device_t:dir r_dir_perms;
++ allow $1 dri_device_t:chr_file getattr;
+')
+
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.2.16/policy/modules/admin/amanda.te
---- nsaserefpolicy/policy/modules/admin/amanda.te 2006-02-03 15:45:54.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/admin/amanda.te 2006-02-19 07:09:54.000000000 -0500
-@@ -86,7 +86,7 @@
- # Amanda local policy
- #
-
--allow amanda_t self:capability { chown dac_override setuid };
-+allow amanda_t self:capability { chown dac_override setuid kill };
- allow amanda_t self:process { setpgid signal };
- allow amanda_t self:fifo_file { getattr read write ioctl lock };
- allow amanda_t self:unix_stream_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-2.2.16/policy/modules/admin/vpn.te
---- nsaserefpolicy/policy/modules/admin/vpn.te 2006-02-16 16:42:39.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/admin/vpn.te 2006-02-19 07:13:16.000000000 -0500
-@@ -11,6 +11,7 @@
-
- type vpnc_exec_t;
- domain_entry_file(vpnc_t,vpnc_exec_t)
-+role system_r types vpnc_t;
-
- type vpnc_tmp_t;
- files_tmp_file(vpnc_tmp_t)
-@@ -69,6 +70,7 @@
- dev_read_sysfs(vpnc_t)
-
- fs_getattr_xattr_fs(vpnc_t)
-+fs_getattr_tmpfs(vpnc_t)
-
- term_use_all_user_ptys(vpnc_t)
- term_use_all_user_ttys(vpnc_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.2.16/policy/modules/apps/java.fc
---- nsaserefpolicy/policy/modules/apps/java.fc 2006-01-17 13:22:13.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/apps/java.fc 2006-02-19 07:09:54.000000000 -0500
-@@ -3,3 +3,4 @@
- #
- /usr(/.*)?/bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
- /usr/bin/gij -- gen_context(system_u:object_r:java_exec_t,s0)
-+/usr/bin/gcj-dbtool -- gen_context(system_u:object_r:java_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.2.16/policy/modules/apps/java.if
---- nsaserefpolicy/policy/modules/apps/java.if 2006-02-16 09:05:14.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/apps/java.if 2006-02-19 07:09:54.000000000 -0500
-@@ -178,3 +178,28 @@
- xserver_user_client_template($1,$1_javaplugin_t,$1_javaplugin_tmpfs_t)
- ')
- ')
-+
+########################################
+## <summary>
-+## Execute the java program in the java domain.
+ ## Read input event devices (/dev/input).
+ ## </summary>
+ ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.if serefpolicy-2.2.17/policy/modules/services/cron.if
+--- nsaserefpolicy/policy/modules/services/cron.if 2006-02-20 14:07:37.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/services/cron.if 2006-02-20 16:22:06.000000000 -0500
+@@ -544,7 +544,7 @@
+ type system_crond_t;
+ ')
+
+- allow $1 system_crond_t:file rw_file_perms;
++ allow $1 system_crond_t:fifo_file rw_file_perms;
+ ')
+
+ ########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-2.2.17/policy/modules/services/cron.te
+--- nsaserefpolicy/policy/modules/services/cron.te 2006-02-20 14:07:37.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/services/cron.te 2006-02-20 16:22:06.000000000 -0500
+@@ -398,6 +398,10 @@
+ prelink_delete_cache(system_crond_t)
+ ')
+
++ optional_policy(`postfix',`
++ postfix_read_config(system_crond_t)
++ ')
++
+ optional_policy(`samba',`
+ samba_read_config(system_crond_t)
+ samba_read_log(system_crond_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-2.2.17/policy/modules/services/cups.if
+--- nsaserefpolicy/policy/modules/services/cups.if 2006-02-10 21:34:13.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/services/cups.if 2006-02-20 16:22:06.000000000 -0500
+@@ -169,6 +169,25 @@
+
+ ########################################
+ ## <summary>
++## write cups log files.
+## </summary>
+## <param name="domain">
+## <summary>
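Review bot: The new `optional_policy(`xserver',` block in su.if carries three commented-out `file_type_auto_trans` lines for the staff/user/sysadm xauth home types; commented-out policy outlives its reason quickly, so either drop them or replace them with one comment stating what `xserver_domtrans_user_xauth($1, $1_su_t)` is expected to cover and what is still missing (the .Xauthority file transitions, if that is the gap). The removed `ifdef(`cyrus.te'` block has no replacement in this hunk, so if su still needs to search cyrus_var_lib_t that access is lost silently; a note on whether it was dead or moved would help. The su template this sits in starts and ends outside the hunk.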
@@ -114,223 +136,86 @@
+## </summary>
+## </param>
+#
-+interface(`java_domtrans',`
++interface(`cups_write_log',`
+ gen_require(`
-+ type java_t, java_exec_t;
++ type cupsd_log_t;
+ ')
+
-+ corecmd_search_bin($1)
-+ domain_auto_trans($1, java_exec_t, java_t)
-+
-+ allow $1 java_t:fd use;
-+ allow java_t $1:fd use;
-+ allow java_t $1:fifo_file rw_file_perms;
-+ allow java_t $1:process sigchld;
++ logging_search_logs($1)
++ allow $1 cupsd_log_t:file write;
+')
+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.16/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te 2006-01-12 18:28:45.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/apps/java.te 2006-02-19 07:09:54.000000000 -0500
-@@ -6,5 +6,19 @@
- # Declarations
- #
-
-+type java_t;
-+domain_type(java_t)
-+
- type java_exec_t;
- files_type(java_exec_t)
-+
+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+ allow java_t self:process { execstack execmem };
-+ unconfined_domain_noaudit(java_t)
-+ role system_r types java_t;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.2.16/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-02-14 07:20:25.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/kernel/corenetwork.te.in 2006-02-19 07:09:54.000000000 -0500
-@@ -73,6 +73,7 @@
- network_port(imaze, tcp,5323,s0, udp,5323,s0)
- network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0, tcp,5666,s0)
- network_port(innd, tcp,119,s0)
-+network_port(router, udp,520,s0)
- network_port(ipp, tcp,631,s0, udp,631,s0)
- network_port(ircd, tcp,6667,s0)
- network_port(isakmp, udp,500,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.2.16/policy/modules/services/automount.te
---- nsaserefpolicy/policy/modules/services/automount.te 2006-02-14 07:20:25.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/automount.te 2006-02-19 07:09:54.000000000 -0500
-@@ -92,7 +92,7 @@
-
- files_dontaudit_write_var_dirs(automount_t)
- files_search_var_lib(automount_t)
--files_search_mnt(automount_t)
-+files_list_mnt(automount_t)
- files_getattr_home_dir(automount_t)
- files_read_etc_files(automount_t)
- files_read_etc_runtime_files(automount_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.2.16/policy/modules/services/avahi.te
---- nsaserefpolicy/policy/modules/services/avahi.te 2006-02-03 08:55:53.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/avahi.te 2006-02-19 07:09:54.000000000 -0500
-@@ -63,6 +63,7 @@
- domain_use_wide_inherit_fd(avahi_t)
-
- files_read_etc_files(avahi_t)
-+files_read_etc_runtime_files(avahi_t)
-
- init_use_fd(avahi_t)
- init_use_script_ptys(avahi_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-2.2.16/policy/modules/services/fetchmail.te
---- nsaserefpolicy/policy/modules/services/fetchmail.te 2006-02-14 07:20:26.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/fetchmail.te 2006-02-19 07:09:54.000000000 -0500
-@@ -67,6 +67,7 @@
-
- files_read_etc_files(fetchmail_t)
- files_read_etc_runtime_files(fetchmail_t)
-+files_dontaudit_search_home(fetchmail_t)
-
- fs_getattr_all_fs(fetchmail_t)
- fs_search_auto_mountpoints(fetchmail_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.16/policy/modules/services/hal.te
---- nsaserefpolicy/policy/modules/services/hal.te 2006-02-16 14:46:56.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/hal.te 2006-02-19 07:09:54.000000000 -0500
-@@ -22,7 +22,7 @@
- #
-
- # execute openvt which needs setuid
--allow hald_t self:capability { setuid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
-+allow hald_t self:capability { setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio };
- dontaudit hald_t self:capability sys_tty_config;
- allow hald_t self:process signal_perms;
- allow hald_t self:fifo_file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ktalk.fc serefpolicy-2.2.16/policy/modules/services/ktalk.fc
---- nsaserefpolicy/policy/modules/services/ktalk.fc 2005-11-14 18:24:08.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/ktalk.fc 2006-02-19 07:10:20.000000000 -0500
-@@ -1,2 +1,2 @@
--
- /usr/bin/ktalkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
-+/usr/bin/in.talkd -- gen_context(system_u:object_r:ktalkd_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.16/policy/modules/services/spamassassin.te
---- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-02-14 07:20:28.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/spamassassin.te 2006-02-19 07:09:54.000000000 -0500
-@@ -77,7 +77,9 @@
- # DnsResolver.pm module which binds to
- # random ports >= 1024.
- corenet_udp_bind_generic_port(spamd_t)
-+corenet_udp_bind_imaze_port(spamd_t)
- corenet_tcp_connect_razor_port(spamd_t)
-+sysnet_use_ldap(spamd_t)
-
- dev_read_sysfs(spamd_t)
- dev_read_urand(spamd_t)
-@@ -122,8 +124,11 @@
- term_dontaudit_use_unallocated_ttys(spamd_t)
++## <summary>
+ ## Connect to ptal over an unix domain stream socket.
+ ## </summary>
+ ## <param name="domain">
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.2.17/policy/modules/services/spamassassin.te
+--- nsaserefpolicy/policy/modules/services/spamassassin.te 2006-02-20 14:07:37.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/services/spamassassin.te 2006-02-20 16:22:06.000000000 -0500
+@@ -124,6 +124,7 @@
term_dontaudit_use_generic_ptys(spamd_t)
files_dontaudit_read_root_files(spamd_t)
-- userdom_manage_generic_user_home_dirs(spamd_t)
-- userdom_manage_generic_user_home_files(spamd_t)
-+ tunable_policy(`spamd_enable_home_dirs',`
-+ userdom_manage_generic_user_home_dirs(spamd_t)
-+ userdom_manage_generic_user_home_files(spamd_t)
-+ userdom_manage_generic_user_home_symlinks(spamd_t)
-+ ')
+ tunable_policy(`spamd_enable_home_dirs',`
++ userdom_search_unpriv_user_home_dirs(spamd_t)
+ userdom_manage_generic_user_home_dirs(spamd_t)
+ userdom_manage_generic_user_home_files(spamd_t)
+ userdom_manage_generic_user_home_symlinks(spamd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-2.2.17/policy/modules/services/ssh.if
+--- nsaserefpolicy/policy/modules/services/ssh.if 2006-02-16 09:05:14.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/services/ssh.if 2006-02-20 16:22:06.000000000 -0500
+@@ -279,6 +279,8 @@
+
+ allow $1_ssh_agent_t { $1_ssh_agent_t $2 }:process signull;
+
++ allow $1_ssh_agent_t $1_ssh_agent_t:unix_stream_socket { connectto rw_socket_perms };
++
+ allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
+
+ # for ssh-add
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.2.17/policy/modules/system/authlogin.te
+--- nsaserefpolicy/policy/modules/system/authlogin.te 2006-02-03 08:55:55.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/system/authlogin.te 2006-02-20 16:22:06.000000000 -0500
+@@ -153,6 +153,8 @@
+ dev_read_sysfs(pam_console_t)
+ dev_getattr_apm_bios_dev(pam_console_t)
+ dev_setattr_apm_bios_dev(pam_console_t)
++dev_getattr_dri_dev(pam_console_t)
++dev_setattr_dri_dev(pam_console_t)
+ dev_getattr_framebuffer_dev(pam_console_t)
+ dev_setattr_framebuffer_dev(pam_console_t)
+ dev_getattr_misc_dev(pam_console_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.2.17/policy/modules/system/mount.te
+--- nsaserefpolicy/policy/modules/system/mount.te 2006-02-14 07:20:31.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/system/mount.te 2006-02-20 16:22:06.000000000 -0500
+@@ -137,6 +137,8 @@
+ samba_domtrans_smbmount(mount_t)
')
- tunable_policy(`use_nfs_home_dirs',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.2.16/policy/modules/services/xserver.fc
---- nsaserefpolicy/policy/modules/services/xserver.fc 2006-02-07 10:43:26.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/xserver.fc 2006-02-19 07:09:54.000000000 -0500
-@@ -54,6 +54,7 @@
- /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
- /usr/bin/xauth -- gen_context(system_u:object_r:xauth_exec_t,s0)
- /usr/bin/Xorg -- gen_context(system_u:object_r:xserver_exec_t,s0)
-+/usr/bin/Xair -- gen_context(system_u:object_r:xserver_exec_t,s0)
-
- /usr/lib(64)?/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-2.2.16/policy/modules/services/zebra.te
---- nsaserefpolicy/policy/modules/services/zebra.te 2006-02-14 07:20:29.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/services/zebra.te 2006-02-19 07:09:54.000000000 -0500
-@@ -73,6 +73,7 @@
- corenet_tcp_bind_all_nodes(zebra_t)
- corenet_udp_bind_all_nodes(zebra_t)
- corenet_tcp_bind_zebra_port(zebra_t)
-+corenet_udp_bind_router_port(zebra_t)
-
- dev_associate_usbfs(zebra_var_run_t)
- dev_list_all_dev_nodes(zebra_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.2.16/policy/modules/system/fstools.te
---- nsaserefpolicy/policy/modules/system/fstools.te 2006-02-14 07:20:29.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/fstools.te 2006-02-19 07:09:54.000000000 -0500
-@@ -15,7 +15,7 @@
- type fsadm_tmp_t;
- files_tmp_file(fsadm_tmp_t)
-
--type swapfile_t;
-+type swapfile_t; # customizable
- files_type(swapfile_t)
-
- ########################################
-@@ -162,3 +162,8 @@
- optional_policy(`nis',`
- nis_use_ypbind(fsadm_t)
- ')
++userdom_mounton_generic_user_home_dir(mount_t)
+
-+optional_policy(`amanda',`
-+ amanda_rw_dumpdates_files(fsadm_t)
-+ amanda_append_log_files(fsadm_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.16/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2006-02-03 08:55:55.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/libraries.fc 2006-02-19 07:09:54.000000000 -0500
-@@ -62,7 +62,7 @@
- /usr/lib(64)?/im/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
- /usr/lib(64)?/iiim/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
-
--/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-2.2.16/policy/modules/system/modutils.if
---- nsaserefpolicy/policy/modules/system/modutils.if 2006-02-10 21:34:15.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/modutils.if 2006-02-19 07:09:55.000000000 -0500
-@@ -204,7 +204,7 @@
- ')
-
- modutils_domtrans_depmod($1)
-- role $2 types insmod_t;
-+ role $2 types depmod_t;
- allow insmod_t $3:chr_file rw_term_perms;
- ')
-
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.16/policy/modules/system/selinuxutil.fc
+ ifdef(`TODO',`
+ # TODO: Need to examine this further. Not sure how to handle this
+ #type sysadm_mount_source_t, file_type, sysadmfile, $1_file_type;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.2.17/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2006-01-09 11:32:54.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/selinuxutil.fc 2006-02-19 07:09:55.000000000 -0500
-@@ -39,3 +39,5 @@
++++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.fc 2006-02-20 17:04:24.000000000 -0500
+@@ -39,3 +39,10 @@
ifdef(`distro_debian', `
/usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
')
+
+/usr/sbin/semodule -- gen_context(system_u:object_r:semodule_exec_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.16/policy/modules/system/selinuxutil.if
++
++/etc/selinux([^/]*/)?modules -d gen_context(system_u:object_r:selinux_config_t,s0)
++/etc/selinux([^/]*/)?modules/(active|tmp|previous)(/.*)? -- gen_context(system_u:object_r:semodule_store_t,s0)
++/etc/selinux([^/]*/)?modules/semanage.read.LOCK -- gen_context(system_u:object_r:semodule_read_lock_t,s0)
++/etc/selinux([^/]*/)?modules/semanage.trans.LOCK -- gen_context(system_u:object_r:semodule_trans_lock_t,s0)
+\ No newline at end of file
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-2.2.17/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2006-02-16 14:46:56.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/selinuxutil.if 2006-02-19 07:09:55.000000000 -0500
-@@ -671,7 +671,7 @@
-
- files_search_etc($1)
- allow $1 selinux_config_t:dir search;
-- allow $1 policy_config_t:dir rw_dir_perms;
-+ allow $1 policy_config_t:dir create_dir_perms;
- allow $1 policy_config_t:file create_file_perms;
- typeattribute $1 can_write_binary_policy;
- ')
-@@ -705,3 +705,28 @@
++++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.if 2006-02-20 17:01:53.000000000 -0500
+@@ -705,3 +705,90 @@
allow $1 policy_src_t:dir create_dir_perms;
allow $1 policy_src_t:file create_file_perms;
')
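Review bot: The four new file-context lines in selinuxutil.fc will not match the per-store paths they are clearly written for, because `/etc/selinux([^/]*/)?modules` has no `/` after `selinux`: `[^/]*` cannot consume `/targeted` or `/strict`, so `/etc/selinux/targeted/modules` never matches and only `/etc/selinux/modules` (or a sibling such as `/etc/selinuxfoo/modules`) does. The store, the two lock files and the active/tmp/previous trees would then be labelled by whatever broader rule covers /etc/selinux, and the semodule_t rules that expect semodule_store_t and the lock types would be denied on a relabel. Each line should read `/etc/selinux/([^/]*/)?modules…`, e.g. `/etc/selinux/([^/]*/)?modules -d gen_context(system_u:object_r:selinux_config_t,s0)`. Note also that the `--` on the `(active|tmp|previous)(/.*)?` entry labels regular files only, so subdirectories inside the store do not get semodule_store_t from restorecon even though seutil_manage_module_store_files transitions newly created dirs to it; confirm that asymmetry is intended, and add the missing trailing newline the diff reports.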
@@ -359,14 +244,87 @@
+ allow semodule_t $1:fifo_file rw_file_perms;
+ allow semodule_t $1:process sigchld;
+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.16/policy/modules/system/selinuxutil.te
++
++
++
++########################################
++## <summary>
++## Create, read, write, and delete files in
++## /etc/selinux/*/modules/*
++## such as mtab.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`seutil_manage_module_store_files',`
++ gen_require(`
++ type semodule_store_t;
++ ')
++
++ allow $1 semodule_store_t:dir rw_dir_perms;
++ allow $1 semodule_store_t:file create_file_perms;
++ type_transition $1 selinux_config_t:dir semodule_store_t;
++')
++
++
++#######################################
++## <summary>
++## Get read lock on module store
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`seutil_module_get_read_lock',`
++ gen_require(`
++ type semodule_read_lock_t;
++ ')
++
++ allow $1 semodule_read_lock_t:file rw_file_perms;
++')
++
++#######################################
++## <summary>
++## Get trans lock on module store
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`seutil_module_get_trans_lock',`
++ gen_require(`
++ type semodule_trans_lock_t;
++ ')
++
++ allow $1 semodule_trans_lock_t:file rw_file_perms;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.2.17/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-02-16 14:46:56.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/selinuxutil.te 2006-02-19 07:09:55.000000000 -0500
-@@ -535,3 +535,53 @@
- # scripts will put things in a state such that setfiles can not be run!
- allow setfiles_t lib_t:file { read execute };
- ') dnl endif TODO
++++ serefpolicy-2.2.17/policy/modules/system/selinuxutil.te 2006-02-20 17:08:53.000000000 -0500
+@@ -526,12 +526,74 @@
+
+ miscfiles_read_localization(setfiles_t)
+
++seutil_module_get_trans_lock(setfiles_t)
++seutil_module_get_read_lock(setfiles_t)
+
+ userdom_use_all_users_fd(setfiles_t)
+ # for config files in a home directory
+ userdom_read_all_user_files(setfiles_t)
+
+-ifdef(`TODO',`
+-# for upgrading glibc and other shared objects - without this the upgrade
+-# scripts will put things in a state such that setfiles can not be run!
+-allow setfiles_t lib_t:file { read execute };
+-') dnl endif TODO
+########################################
+#
+# Declarations
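Review bot: The summary of the new `seutil_manage_module_store_files` interface reads "Create, read, write, and delete files in /etc/selinux/*/modules/* such as mtab." — "such as mtab" is left over from the files_manage_etc_runtime_files text it was copied from and is wrong for the module store; replace it with `## Create, read, write, and delete files in the SELinux module store (/etc/selinux/*/modules).`. The interface also adds `type_transition $1 selinux_config_t:dir semodule_store_t;` but only grants `rw_dir_perms` on semodule_store_t:dir, and if that set excludes `create` (as its name suggests, and as the `create_dir_perms` used for policy_src_t just above this hunk implies) the directory transition only takes effect when the caller is granted create elsewhere — if semodule is meant to create the tmp/previous trees itself, use `create_dir_perms` here. The two lock interfaces document their parameter as "The type of the process performing this action." while the rest of this file says "Domain allowed access."; align the wording.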
@@ -374,10 +332,20 @@
+
+type semodule_t;
+domain_type(semodule_t)
++
+type semodule_exec_t;
+domain_entry_file(semodule_t, semodule_exec_t)
+role system_r types semodule_t;
+
++type semodule_store_t;
++files_type(semodule_store_t)
++
++type semodule_read_lock_t;
++files_type(semodule_read_lock_t)
++
++type semodule_trans_lock_t;
++files_type(semodule_trans_lock_t)
++
+term_use_all_terms(semodule_t)
+allow semodule_t policy_config_t:file { read write };
+
@@ -401,6 +369,7 @@
+libs_use_shared_libs(semodule_t)
+libs_use_lib_files(semodule_t)
+
++mls_file_write_down(semodule_t)
+mls_rangetrans_target(semodule_t)
+
+optional_policy(`selinux', `
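Review bot: `mls_file_write_down(semodule_t)` exempts semodule_t from the MLS write-down constraint with no comment saying why, and for a tool that rewrites the policy store this is a notable override that deserves a one-line justification next to it, e.g. `# semodule runs at the administrator's level but must write the s0-labelled module store — confirm`. If the only need is the store under /etc/selinux, check whether running semodule at s0 via the `mls_rangetrans_target` line just below already covers it, which would make the blanket write-down unnecessary. The semodule_t rules continue outside this hunk.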
@@ -416,27 +385,58 @@
+seutil_use_newrole_fd(semodule_t)
+
+allow semodule_t self:unix_stream_socket create_stream_socket_perms;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.16/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2006-02-16 14:46:56.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/unconfined.te 2006-02-19 07:09:55.000000000 -0500
-@@ -157,6 +157,14 @@
- wine_domtrans(unconfined_t)
++
++seutil_manage_module_store_files(semodule_t)
++seutil_module_get_trans_lock(semodule_t)
++seutil_module_get_read_lock(semodule_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.17/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-02-20 14:07:38.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/system/userdomain.if 2006-02-20 16:22:06.000000000 -0500
+@@ -145,6 +145,7 @@
+ allow $1_t unpriv_userdomain:fd use;
+
+ kernel_read_kernel_sysctls($1_t)
++ kernel_read_net_sysctls($1_t)
+ kernel_dontaudit_list_unlabeled($1_t)
+ kernel_dontaudit_getattr_unlabeled_files($1_t)
+ kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
+@@ -414,6 +415,8 @@
+ optional_policy(`rpm',`
+ files_getattr_var_lib_dirs($1_t)
+ files_search_var_lib($1_t)
++ rpm_read_db($1_t)
++ rpm_dontaudit_manage_db($1_t)
')
-+ optional_policy(`java',`
-+ java_domtrans(unconfined_t)
-+ ')
+ optional_policy(`samba',`
+@@ -4423,3 +4426,24 @@
+ allow $1 user_home_dir_t:dir create_dir_perms;
+ files_filetrans_home($1,user_home_dir_t)
+ ')
+
-+ optional_policy(`vpn',`
-+ vpn_domtrans(unconfined_t)
++
++########################################
++## <summary>
++## mounton generic user home directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_mounton_generic_user_home_dir',`
++ gen_require(`
++ attribute user_home_dir_type, user_home_type;
+ ')
+
- optional_policy(`xserver',`
- xserver_domtrans_xdm_xserver(unconfined_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.16/policy/modules/system/userdomain.te
++ allow $1 user_home_dir_type:dir mounton;
++ allow $1 user_home_type:dir mounton;
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.17/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-02-16 14:46:56.000000000 -0500
-+++ serefpolicy-2.2.16/policy/modules/system/userdomain.te 2006-02-19 07:09:55.000000000 -0500
++++ serefpolicy-2.2.17/policy/modules/system/userdomain.te 2006-02-20 16:22:06.000000000 -0500
@@ -358,6 +358,8 @@
seutil_run_checkpolicy(secadm_t,secadm_r,admin_terminal)
seutil_run_loadpolicy(secadm_t,secadm_r,admin_terminal)
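Review bot: `userdom_mounton_generic_user_home_dir` is named and summarised as covering generic user home directories, but its body grants `mounton` on the `user_home_dir_type` and `user_home_type` attributes, i.e. every user's home directory type and every directory type found inside home directories — considerably more than the `user_home_dir_t` the preceding interface in this file operates on. Either narrow the require to `type user_home_dir_t, user_home_t;` and allow mounton on those, or rename it (e.g. `userdom_mounton_all_users_home_dirs`) and say so in the summary, so that callers such as mount_t do not receive broader access than the name suggests. Separately, `rpm_read_db($1_t)` is added to a user template whose head is outside this hunk; if that template is the unprivileged-user one, a comment on why ordinary users need to read the RPM database would help the next reader.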
@@ -446,9 +446,9 @@
seutil_run_restorecon(secadm_t,secadm_r,admin_terminal)
', `
selinux_set_enforce_mode(sysadm_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-2.2.16/support/Makefile.devel
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-2.2.17/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2006-02-16 16:42:39.000000000 -0500
-+++ serefpolicy-2.2.16/support/Makefile.devel 2006-02-19 07:09:55.000000000 -0500
++++ serefpolicy-2.2.17/support/Makefile.devel 2006-02-20 16:22:06.000000000 -0500
@@ -1,3 +1,6 @@
+# installation paths
+SHAREDIR := $(PREFIX)/share/selinux
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -r1.111 -r1.112
--- selinux-policy.spec 19 Feb 2006 12:17:15 -0000 1.111
+++ selinux-policy.spec 20 Feb 2006 22:11:40 -0000 1.112
@@ -1,11 +1,14 @@
%define distro redhat
%define monolithic n
+%define BUILD_STRICT 0
+%define BUILD_TARGETED 0
+%define BUILD_MLS 1
%define POLICYVER 20
%define POLICYCOREUTILSVER 1.29.18-1
%define CHECKPOLICYVER 1.28-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.16
+Version: 2.2.17
Release: 1
License: GPL
Group: System Environment/Base
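Review bot: BUILD_STRICT, BUILD_TARGETED and BUILD_MLS are defined at the top of this hunk but never read; the later hunks that switch off the targeted and strict builds and their package stanzas use a literal `%if 0`, so the new macros are dead and the build selection cannot be changed from the top of the spec as the defines suggest. Replace each literal with the macro it stands for, `%if %{BUILD_TARGETED}` around the targeted build block and the relocated targeted package section, and `%if %{BUILD_STRICT}` around the strict build block and the strict package section, and either guard the mls build with `%if %{BUILD_MLS}` or drop that define. The same point applies to every `%if 0` / `%endif` hunk further down in this file.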
@@ -36,18 +39,6 @@
%{_mandir}/man8/*
%doc /usr/share/doc/%{name}-%{version}
-%package targeted
-Summary: SELinux targeted base policy
-Group: System Environment/Base
-Provides: selinux-policy-base
-Obsoletes: selinux-policy-targeted-sources
-Prereq: policycoreutils >= %{POLICYCOREUTILSVER}
-Prereq: coreutils
-Prereq: selinux-policy = %{version}-%{release}
-
-%description targeted
-SELinux Reference policy targeted base module.
-
%define setupCmds() \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} bare \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} conf \
@@ -63,6 +54,8 @@
%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/policy \
%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/active \
%{__mkdir} -p $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/contexts/files \
+touch $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
+touch $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} enableaudit \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \
install -m0644 base.pp ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/enableaudit.pp \
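Review bot: The two semanage lock files are created with a bare `touch`, so their mode depends on the build umask, and the %files hunk that lists them further down carries neither `%attr` nor `%ghost`, unlike the adjacent `%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active` entry. These files appear to be runtime lock state for the module store rather than content, so shipping them as regular payload will likely also make `rpm -V` flag them once they are touched on the installed system. Create them with an explicit mode here, e.g. `install -m 600 /dev/null $RPM_BUILD_ROOT/%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \`, and mark the %files entries `%ghost %attr(600,root,root) %{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \` (same for semanage.trans.LOCK) so ownership and permissions are pinned rather than inherited.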
@@ -87,6 +80,8 @@
%config(noreplace) %{_sysconfdir}/selinux/%1/setrans.conf \
%ghost %{_sysconfdir}/selinux/%1/seusers \
%dir %{_sysconfdir}/selinux/%1/modules \
+%{_sysconfdir}/selinux/%1/modules/semanage.read.LOCK \
+%{_sysconfdir}/selinux/%1/modules/semanage.trans.LOCK \
%attr(700,root,root) %dir %{_sysconfdir}/selinux/%1/modules/active \
#%verify(not md5 size mtime) %attr(600,root,root) %config(noreplace) %{_sysconfdir}/selinux/%1/modules/active/seusers \
%dir %{_sysconfdir}/selinux/%1/policy/ \
@@ -143,6 +138,7 @@
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8/
install -m 644 man/man8/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
+%if 0
# Build targeted policy
# Commented out because only targeted ref policy currently builds
%setupCmds targeted targeted-mcs y
@@ -153,6 +149,7 @@
make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} bare
make NAME=strict TYPE=strict-mcs DISTRO=%{distro} DIRECT_INITRC=y MONOLITHIC=%{monolithic} conf
%installCmds strict strict-mcs y
+%endif
# Build mls policy
%setupCmds mls strict-mls n
@@ -168,6 +165,19 @@
%clean
%{__rm} -fR $RPM_BUILD_ROOT
+%if 0
+%package targeted
+Summary: SELinux targeted base policy
+Group: System Environment/Base
+Provides: selinux-policy-base
+Obsoletes: selinux-policy-targeted-sources
+Prereq: policycoreutils >= %{POLICYCOREUTILSVER}
+Prereq: coreutils
+Prereq: selinux-policy = %{version}-%{release}
+
+%description targeted
+SELinux Reference policy targeted base module.
+
%files targeted
%fileList targeted
@@ -212,6 +222,7 @@
%triggerpostun targeted -- selinux-policy-targeted <= 2.0.7
%rebuildpolicy targeted
+%endif
%package mls
Summary: SELinux mls base policy
@@ -238,6 +249,7 @@
%files mls
%fileList mls
+%if 0
%package strict
Summary: SELinux strict base policy
Group: System Environment/Base
@@ -263,6 +275,8 @@
%files strict
%fileList strict
+%endif
+
%package devel
Summary: SELinux policy devel sources
Group: System Environment/Base
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- sources 19 Feb 2006 12:17:15 -0000 1.44
+++ sources 20 Feb 2006 22:11:40 -0000 1.45
@@ -1 +1 @@
-cf0c73ab94eb55f86f8843bfd585302b serefpolicy-2.2.16.tgz
+13c8e375555ca342df487f40e9d8217e serefpolicy-2.2.17.tgz