rpms/selinux-policy/devel policy-20060608.patch,1.20,1.21
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Thu Jul 13 20:30:56 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv21936
Modified Files:
policy-20060608.patch
Log Message:
* Fri Jul 7 2006 Dan Walsh <dwalsh at redhat.com> 2.3.2-3
- Turn off auditallow on setting booleans
policy-20060608.patch:
global_tunables | 7 +
modules/admin/bootloader.te | 3
modules/admin/consoletype.te | 7 +
modules/admin/sudo.if | 2
modules/admin/usermanage.te | 4
modules/bgp.mod |binary
modules/bgp.pp |binary
modules/bgp.te | 12 ++
modules/kernel/corenetwork.te.in | 4
modules/kernel/devices.fc | 1
modules/kernel/files.fc | 1
modules/kernel/kernel.if | 38 +++++++
modules/kernel/selinux.if | 1
modules/kernel/storage.fc | 1
modules/services/automount.te | 8 +
modules/services/avahi.te | 1
modules/services/bluetooth.if | 23 ++++
modules/services/bluetooth.te | 2
modules/services/cups.te | 1
modules/services/cyrus.te | 1
modules/services/dbus.te | 2
modules/services/dovecot.fc | 1
modules/services/dovecot.te | 10 +
modules/services/hal.fc | 1
modules/services/hal.te | 7 +
modules/services/nscd.te | 2
modules/services/openvpn.te | 6 +
modules/services/pegasus.if | 31 ++++++
modules/services/pegasus.te | 5
modules/services/squid.te | 2
modules/services/tftp.te | 1
modules/services/xserver.if | 22 ++++
modules/services/zebra.te | 2
modules/system/getty.fc | 1
modules/system/getty.te | 3
modules/system/hostname.te | 5
modules/system/init.if | 7 -
modules/system/selinuxutil.te | 17 ++-
modules/system/setrans.te | 5
modules/system/sysnetwork.te | 1
modules/system/unconfined.fc | 1
modules/system/unconfined.te | 8 -
modules/system/userdomain.if | 201 ++++++++++++++++++++++++---------------
modules/system/userdomain.te | 32 ++----
44 files changed, 364 insertions(+), 126 deletions(-)
Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20060608.patch 13 Jul 2006 14:24:05 -0000 1.20
+++ policy-20060608.patch 13 Jul 2006 20:30:41 -0000 1.21
@@ -52,6 +52,18 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-2.3.2/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if 2006-04-04 18:06:38.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/admin/sudo.if 2006-07-13 10:52:18.000000000 -0400
+@@ -57,7 +57,7 @@
+ #
+
+ # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++ allow $1_sudo_t self:capability { audit_write fowner setuid setgid dac_override sys_resource };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { setexec setrlimit };
+ allow $1_sudo_t self:fd use;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.3.2/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-06-20 09:54:00.000000000 -0400
+++ serefpolicy-2.3.2/policy/modules/admin/usermanage.te 2006-07-12 17:28:02.000000000 -0400
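Review bot: The sudo.if hunk adds `audit_write` to `$1_sudo_t self:capability` but no matching `netlink_audit_socket` rule appears with it, and the capability on its own does not let the domain emit audit records; the run_init_t and semanage_t changes later in this diff pair the same capability with `allow X self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };`. If sudo.if does not already carry that socket rule elsewhere, the template should gain `allow $1_sudo_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` next to the new line, otherwise the audit user messages sudo sends through PAM will still be denied. The same unpaired `audit_write` addition is made for system_dbusd_t, hald_t, nscd_t and newrole_t in the dbus.te, hal.te, nscd.te and selinuxutil.te hunks below, and in each case the socket rule is not visible in the hunk. The `$1_sudo_t` template body begins and ends outside this hunk.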
@@ -112,6 +124,17 @@
network_port(zope, tcp,8021,s0)
# Defaults for reserved ports. Earlier portcon entries take precedence;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.3.2/policy/modules/kernel/devices.fc
+--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-04-29 11:17:34.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/kernel/devices.fc 2006-07-13 14:41:33.000000000 -0400
+@@ -89,6 +89,7 @@
+
+ /dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+
++/dev/usbdev.* -c gen_context(system_u:object_r:usb_device_t,s0)
+ /dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+ /dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
+ /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.2/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-05-19 10:07:51.000000000 -0400
+++ serefpolicy-2.3.2/policy/modules/kernel/files.fc 2006-07-09 05:52:17.000000000 -0400
@@ -179,6 +202,17 @@
}
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.3.2/policy/modules/kernel/storage.fc
+--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-02-01 17:06:11.000000000 -0500
++++ serefpolicy-2.3.2/policy/modules/kernel/storage.fc 2006-07-13 11:30:44.000000000 -0400
+@@ -23,6 +23,7 @@
+ /dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
++/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
+ /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.2/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-06-21 16:21:02.000000000 -0400
+++ serefpolicy-2.3.2/policy/modules/services/automount.te 2006-07-10 09:06:39.000000000 -0400
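Review bot: The added `/dev/mmcblk.*` entry labels every MMC/SD block device, including `mmcblk0p1`-style partitions matched by the trailing `.*`, as removable_device_t at s0, while the neighbouring fixed-disk entries such as `/dev/loop.*` and `/dev/lvm` carry s15:c0.c255. On hardware that boots from an SD/MMC card this pattern therefore gives the system disk the weaker removable label; if that is a deliberate trade-off it is worth recording it above the line, e.g. `# MMC/SD cards are treated as removable media even when they hold the system disk`, so the next reader does not "fix" it into fixed_disk_device_t without thinking about the MLS range.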
@@ -267,7 +301,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.2/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-06-21 16:21:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/cups.te 2006-07-12 16:45:19.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/cups.te 2006-07-13 10:56:17.000000000 -0400
@@ -81,6 +81,7 @@
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
@@ -287,6 +321,60 @@
allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
allow cyrus_t cyrus_tmp_t:file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.3.2/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te 2006-07-07 07:35:31.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/dbus.te 2006-07-13 10:54:29.000000000 -0400
+@@ -30,7 +30,7 @@
+
+ # dac_override: /var/run/dbus is owned by messagebus on Debian
+ # cjp: dac_override should probably go in a distro_debian
+-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
++allow system_dbusd_t self:capability { audit_write dac_override setgid setpcap setuid };
+ dontaudit system_dbusd_t self:capability sys_tty_config;
+ allow system_dbusd_t self:process { getattr signal_perms setcap };
+ allow system_dbusd_t self:fifo_file { read write };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-2.3.2/policy/modules/services/dovecot.fc
+--- nsaserefpolicy/policy/modules/services/dovecot.fc 2005-10-21 23:17:31.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/dovecot.fc 2006-07-13 11:33:34.000000000 -0400
+@@ -29,6 +29,7 @@
+ /var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
+
+ /var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
++/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_lib_t,s0)
+
+
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.2/policy/modules/services/dovecot.te
+--- nsaserefpolicy/policy/modules/services/dovecot.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/dovecot.te 2006-07-13 11:33:09.000000000 -0400
+@@ -30,6 +30,10 @@
+ domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
+ role system_r types dovecot_auth_t;
+
++# /var/lib/dovecot holds SSL parameters file
++type dovecot_var_lib_t;
++files_type(dovecot_var_lib_t)
++
+ ########################################
+ #
+ # dovecot local policy
+@@ -186,6 +190,11 @@
+
+ sysnet_dns_name_resolve(dovecot_auth_t)
+
++# Allow dovecot to create and read SSL parameters file
++files_search_var_lib(dovecot_t)
++allow dovecot_t dovecot_var_lib_t:dir rw_dir_perms;
++allow dovecot_t dovecot_var_lib_t:file manage_file_perms;
++
+ optional_policy(`
+ kerberos_use(dovecot_auth_t)
+ ')
+@@ -201,3 +210,4 @@
+ optional_policy(`
+ nscd_socket_use(dovecot_auth_t)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.3.2/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2005-10-06 17:29:17.000000000 -0400
+++ serefpolicy-2.3.2/policy/modules/services/hal.fc 2006-07-09 05:52:17.000000000 -0400
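Review bot: The new dovecot.fc line references `dovecot_lib_t`, but the type that dovecot.te declares and grants access to in the same diff is `dovecot_var_lib_t` (`type dovecot_var_lib_t;` and the two `allow dovecot_t dovecot_var_lib_t:...` rules); the file-context entry names a type that does not exist, so the module's file contexts will fail to validate or the directory will not get the label dovecot_t is allowed to use. The fc line should read `/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)`. Separately, the only reader of the directory is dovecot_t, which matches the "create and read SSL parameters file" comment, so the rw_dir_perms / manage_file_perms pairing looks appropriate.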
@@ -297,7 +385,16 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.3.2/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-06-21 16:21:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/hal.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/hal.te 2006-07-13 10:55:51.000000000 -0400
+@@ -22,7 +22,7 @@
+ #
+
+ # execute openvt which needs setuid
+-allow hald_t self:capability { chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
++allow hald_t self:capability { audit_write chown setuid setgid kill net_admin sys_admin sys_nice dac_override dac_read_search mknod sys_rawio sys_tty_config };
+ dontaudit hald_t self:capability sys_tty_config;
+ allow hald_t self:process signal_perms;
+ allow hald_t self:fifo_file rw_file_perms;
@@ -163,6 +163,10 @@
')
@@ -314,6 +411,48 @@
vbetool_domtrans(hald_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.3.2/policy/modules/services/nscd.te
+--- nsaserefpolicy/policy/modules/services/nscd.te 2006-06-08 08:45:58.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/nscd.te 2006-07-13 10:55:24.000000000 -0400
+@@ -28,7 +28,7 @@
+ # Local policy
+ #
+
+-allow nscd_t self:capability { kill setgid setuid };
++allow nscd_t self:capability { audit_write kill setgid setuid };
+ dontaudit nscd_t self:capability sys_tty_config;
+ allow nscd_t self:process { getattr setsched signal_perms };
+ allow nscd_t self:fifo_file { read write };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.3.2/policy/modules/services/openvpn.te
+--- nsaserefpolicy/policy/modules/services/openvpn.te 2006-06-21 16:21:03.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/openvpn.te 2006-07-13 10:27:44.000000000 -0400
+@@ -33,6 +33,10 @@
+ allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
+ allow openvpn_t self:udp_socket create_socket_perms;
+ allow openvpn_t self:tcp_socket create_socket_perms;
++allow openvpn_t self:netlink_route_socket r_netlink_socket_perms;
++
++# Need to interact with terminals if config option "auth-user-pass" is used
++term_use_generic_ptys(openvpn_t)
+
+ allow openvpn_t openvpn_etc_t:dir r_dir_perms;
+ allow openvpn_t openvpn_etc_t:file r_file_perms;
+@@ -67,6 +71,7 @@
+ corenet_sendrecv_openvpn_server_packets(openvpn_t)
+ corenet_rw_tun_tap_dev(openvpn_t)
+
++dev_search_sysfs(openvpn_t)
+ dev_read_rand(openvpn_t)
+ dev_read_urand(openvpn_t)
+
+@@ -80,6 +85,7 @@
+
+ miscfiles_read_localization(openvpn_t)
+
++sysnet_dns_name_resolve(openvpn_t)
+ sysnet_exec_ifconfig(openvpn_t)
+
+ ifdef(`targeted_policy',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.2/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
+++ serefpolicy-2.3.2/policy/modules/services/pegasus.if 2006-07-09 05:52:17.000000000 -0400
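Review bot: `term_use_generic_ptys(openvpn_t)` is added unconditionally, yet its own comment says it is only needed when the `auth-user-pass` config option makes the daemon prompt on a terminal; the interface grants read/write on every generic pty, not just the one the admin started openvpn from, so the default daemon policy now carries terminal access it does not need. Consider wrapping the call in a tunable_policy block keyed on a new boolean (placeholder name `<openvpn_interactive_auth_bool>`, declared in global_tunables) so the pty access is opt-in, or at minimum reword the comment to state that the rule is live even when the option is unused. The remaining additions (`netlink_route_socket r_netlink_socket_perms`, `dev_search_sysfs`, `sysnet_dns_name_resolve`) are narrowly scoped and look consistent with the surrounding openvpn rules.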
@@ -510,7 +649,16 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.2/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-06-13 07:03:48.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/selinuxutil.te 2006-07-11 16:22:45.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/selinuxutil.te 2006-07-13 10:50:32.000000000 -0400
+@@ -239,7 +239,7 @@
+ # Newrole local policy
+ #
+
+-allow newrole_t self:capability { fowner setuid setgid dac_override };
++allow newrole_t self:capability { audit_write fowner setuid setgid dac_override };
+ allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
+ allow newrole_t self:process setexec;
+ allow newrole_t self:fd use;
@@ -352,6 +352,8 @@
kernel_relabelfrom_unlabeled_symlinks(restorecon_t)
kernel_relabelfrom_unlabeled_pipes(restorecon_t)
@@ -529,7 +677,21 @@
kernel_use_fds(restorecond_t)
kernel_rw_pipes(restorecond_t)
kernel_read_system_state(restorecond_t)
-@@ -538,16 +542,23 @@
+@@ -479,7 +483,7 @@
+
+ ifdef(`targeted_policy',`',`
+ allow run_init_t self:process setexec;
+- allow run_init_t self:capability setuid;
++ allow run_init_t self:capability { audit_write setuid };
+ allow run_init_t self:fifo_file rw_file_perms;
+ allow run_init_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+
+@@ -534,20 +538,27 @@
+ # semodule local policy
+ #
+
+-allow semanage_t self:capability dac_override;
++allow semanage_t self:capability { audit_write dac_override };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
@@ -565,6 +727,17 @@
+ rpm_use_script_fds(setrans_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.3.2/policy/modules/system/sysnetwork.te
+--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-06-13 07:03:48.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/sysnetwork.te 2006-07-13 11:10:37.000000000 -0400
+@@ -277,6 +277,7 @@
+ # for /sbin/ip
+ allow ifconfig_t self:packet_socket create_socket_perms;
+ allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
++allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+ allow ifconfig_t self:tcp_socket { create ioctl };
+ files_read_etc_files(ifconfig_t);
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.3.2/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-06-21 16:21:04.000000000 -0400
+++ serefpolicy-2.3.2/policy/modules/system/unconfined.fc 2006-07-11 15:59:13.000000000 -0400
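Review bot: The new `netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read }` rule for ifconfig_t grants a dump of the kernel's IPsec SA/SP state to a domain that every network script enters, and the only justification visible is the pre-existing `# for /sbin/ip` comment two lines above. Since `nlmsg_write` is deliberately left out, a one-line comment making that boundary explicit would keep a later "ip xfrm state add fails" report from silently widening it, e.g. `# ip xfrm: read-only view of IPsec state; nlmsg_write intentionally not granted`. The hunk header announces six old lines but only three context lines precede the addition in this rendering, so the leading context of this hunk appears to have been dropped.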