rpms/selinux-policy/devel modules-strict.conf, 1.11, 1.12 modules-targeted.conf, 1.29, 1.30 policy-20060608.patch, 1.21, 1.22 selinux-policy.spec, 1.222, 1.223 policy-20060505.patch, 1.19, NONE
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Jul 14 20:09:57 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv7512
Modified Files:
modules-strict.conf modules-targeted.conf
policy-20060608.patch selinux-policy.spec
Removed Files:
policy-20060505.patch
Log Message:
* Fri Jul 14 2006 Dan Walsh <dwalsh at redhat.com> 2.3.2-4
- Add setroubleshoot policy
Index: modules-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-strict.conf,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- modules-strict.conf 9 May 2006 21:50:36 -0000 1.11
+++ modules-strict.conf 14 Jul 2006 20:09:54 -0000 1.12
@@ -1276,3 +1276,10 @@
# Policy for OPENVPN full-featured SSL VPN solution
#
openvpn = base
+
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = base
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- modules-targeted.conf 8 Jun 2006 14:03:38 -0000 1.29
+++ modules-targeted.conf 14 Jul 2006 20:09:54 -0000 1.30
@@ -1093,5 +1093,12 @@
#
openvpn = base
+# Layer: services
+# Module: setroubleshoot
+#
+# Policy for the SELinux troubleshooting utility
+#
+setroubleshoot = base
+
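Review bot: The new stanza in modules-targeted.conf is glued directly to the preceding `openvpn = base` line, while the identical addition to modules-strict.conf in this same commit puts a blank line before `# Layer: services`; the blank line added at the end of this hunk should move up so the two files are formatted alike. Every other module entry in the surrounding context is separated by a blank line, so the current placement reads as a stray trailing line rather than a separator.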
policy-20060608.patch:
global_tunables | 7 +
modules/admin/bootloader.te | 3
modules/admin/consoletype.te | 7 +
modules/admin/rpm.if | 2
modules/admin/sudo.if | 2
modules/admin/usermanage.te | 4
modules/bgp.te | 12 ++
modules/kernel/corenetwork.te.in | 5
modules/kernel/devices.fc | 1
modules/kernel/files.fc | 1
modules/kernel/kernel.if | 38 ++++++
modules/kernel/selinux.if | 1
modules/kernel/storage.fc | 1
modules/services/automount.te | 8 +
modules/services/avahi.te | 1
modules/services/bluetooth.if | 23 ++++
modules/services/bluetooth.te | 2
modules/services/cups.te | 1
modules/services/cyrus.te | 1
modules/services/dbus.te | 2
modules/services/dovecot.fc | 1
modules/services/dovecot.te | 10 +
modules/services/ftp.te | 1
modules/services/hal.fc | 1
modules/services/hal.te | 7 +
modules/services/nscd.te | 2
modules/services/openvpn.te | 6 +
modules/services/pegasus.if | 31 +++++
modules/services/pegasus.te | 5
modules/services/setroubleshoot.fc | 8 +
modules/services/setroubleshoot.if | 24 ++++
modules/services/setroubleshoot.te | 121 ++++++++++++++++++++++
modules/services/squid.te | 2
modules/services/tftp.te | 1
modules/services/xserver.if | 22 +++-
modules/services/zebra.te | 2
modules/system/getty.fc | 1
modules/system/getty.te | 3
modules/system/hostname.te | 5
modules/system/init.if | 7 -
modules/system/logging.te | 7 +
modules/system/selinuxutil.te | 17 ++-
modules/system/setrans.te | 5
modules/system/sysnetwork.te | 1
modules/system/unconfined.fc | 1
modules/system/unconfined.te | 8 -
modules/system/userdomain.if | 201 +++++++++++++++++++++++--------------
modules/system/userdomain.te | 32 ++---
48 files changed, 526 insertions(+), 128 deletions(-)
Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- policy-20060608.patch 13 Jul 2006 20:30:41 -0000 1.21
+++ policy-20060608.patch 14 Jul 2006 20:09:54 -0000 1.22
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.3.2/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-06-08 08:45:56.000000000 -0400
-+++ serefpolicy-2.3.2/policy/global_tunables 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/global_tunables 2006-07-14 14:25:25.000000000 -0400
@@ -89,6 +89,13 @@
## <desc>
@@ -17,7 +17,7 @@
## </desc>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.2/policy/modules/admin/bootloader.te
--- nsaserefpolicy/policy/modules/admin/bootloader.te 2006-06-21 16:21:01.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/admin/bootloader.te 2006-07-11 16:07:29.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/admin/bootloader.te 2006-07-14 14:25:25.000000000 -0400
@@ -48,7 +48,7 @@
# bootloader local policy
#
@@ -37,7 +37,7 @@
mls_file_read_up(bootloader_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.2/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/admin/consoletype.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/admin/consoletype.te 2006-07-14 14:25:25.000000000 -0400
@@ -8,7 +8,12 @@
type consoletype_t;
@@ -52,9 +52,21 @@
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.2/policy/modules/admin/rpm.if
+--- nsaserefpolicy/policy/modules/admin/rpm.if 2006-06-08 08:45:57.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/admin/rpm.if 2006-07-14 14:25:25.000000000 -0400
+@@ -232,7 +232,7 @@
+
+ files_search_var_lib($1)
+ allow $1 rpm_var_lib_t:dir rw_dir_perms;
+- allow $1 rpm_var_lib_t:file { getattr create read write append unlink };
++ allow $1 rpm_var_lib_t:file { getattr create read write append unlink lock };
+ allow $1 rpm_var_lib_t:lnk_file { getattr read write unlink };
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-2.3.2/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2006-04-04 18:06:38.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/admin/sudo.if 2006-07-13 10:52:18.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/admin/sudo.if 2006-07-14 14:25:25.000000000 -0400
@@ -57,7 +57,7 @@
#
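Review bot: Adding `lock` to the file permission set at rpm.if:232 widens the grant for every domain that calls this interface, not only the new setroubleshoot domain; the `create write append unlink` set makes it look like rpm_manage_db, so all existing callers would now also get RPM database file locking. If the lock denial was only observed for setroubleshoot, a dontaudit or a narrower grant in setroubleshoot.te would leave the shared interface as it was. The interface body starts and ends outside the hunk.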
@@ -66,7 +78,7 @@
allow $1_sudo_t self:fd use;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.3.2/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-06-20 09:54:00.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/admin/usermanage.te 2006-07-12 17:28:02.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/admin/usermanage.te 2006-07-14 14:25:25.000000000 -0400
@@ -187,7 +187,7 @@
# Groupadd local policy
#
@@ -85,11 +97,9 @@
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
-Binary files nsaserefpolicy/policy/modules/bgp.mod and serefpolicy-2.3.2/policy/modules/bgp.mod differ
-Binary files nsaserefpolicy/policy/modules/bgp.pp and serefpolicy-2.3.2/policy/modules/bgp.pp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/bgp.te serefpolicy-2.3.2/policy/modules/bgp.te
--- nsaserefpolicy/policy/modules/bgp.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.2/policy/modules/bgp.te 2006-07-10 10:52:30.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/bgp.te 2006-07-14 14:25:25.000000000 -0400
@@ -0,0 +1,12 @@
+module bgp 1.0;
+
@@ -105,7 +115,7 @@
+allow zebra_t port_t:tcp_socket name_bind;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.3.2/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-06-06 22:21:53.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/kernel/corenetwork.te.in 2006-07-11 16:31:56.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/kernel/corenetwork.te.in 2006-07-14 15:21:14.000000000 -0400
@@ -62,7 +62,7 @@
network_port(amavisd_send, tcp,10025,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
@@ -115,7 +125,15 @@
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
-@@ -145,7 +145,7 @@
+@@ -73,6 +73,7 @@
+ network_port(dhcpc, udp,68,s0)
+ network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0)
+ network_port(dict, tcp,2628,s0)
++network_port(setroubleshoot, tcp,3267,s0)
+ network_port(distccd, tcp,3632,s0)
+ network_port(dns, udp,53,s0, tcp,53,s0)
+ network_port(fingerd, tcp,79,s0)
+@@ -145,7 +146,7 @@
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
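Review bot: The new `network_port(setroubleshoot, tcp,3267,s0)` line is inserted between `dict` and `distccd`, breaking the alphabetical order the rest of the port list follows; it belongs further down with the other s-entries. The second hunk header change (`+@@ -145,7 +146,7 @@`) is only the knock-on renumbering from that insertion and would still be needed after the move.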
@@ -126,7 +144,7 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.3.2/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2006-04-29 11:17:34.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/kernel/devices.fc 2006-07-13 14:41:33.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/kernel/devices.fc 2006-07-14 14:25:25.000000000 -0400
@@ -89,6 +89,7 @@
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
@@ -137,7 +155,7 @@
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.3.2/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/kernel/files.fc 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/kernel/files.fc 2006-07-14 14:25:25.000000000 -0400
@@ -11,6 +11,7 @@
ifdef(`distro_redhat',`
/\.autofsck -- gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -148,7 +166,7 @@
/fsckoptions -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.3.2/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2006-07-07 07:35:30.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/kernel/kernel.if 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/kernel/kernel.if 2006-07-14 14:25:25.000000000 -0400
@@ -2099,3 +2099,41 @@
typeattribute $1 kern_unconfined;
@@ -193,7 +211,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.3.2/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2006-05-19 13:46:37.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/kernel/selinux.if 2006-07-13 08:46:28.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/kernel/selinux.if 2006-07-14 14:25:25.000000000 -0400
@@ -214,7 +214,6 @@
if(!secure_mode_policyload) {
@@ -204,7 +222,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.3.2/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-02-01 17:06:11.000000000 -0500
-+++ serefpolicy-2.3.2/policy/modules/kernel/storage.fc 2006-07-13 11:30:44.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/kernel/storage.fc 2006-07-14 14:25:25.000000000 -0400
@@ -23,6 +23,7 @@
/dev/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
/dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,s15:c0.c255)
@@ -215,7 +233,7 @@
/dev/p[fg][0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.2/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2006-06-21 16:21:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/automount.te 2006-07-10 09:06:39.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/automount.te 2006-07-14 14:25:25.000000000 -0400
@@ -36,10 +36,12 @@
allow automount_t self:unix_dgram_socket create_socket_perms;
allow automount_t self:tcp_socket create_stream_socket_perms;
@@ -241,7 +259,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.3.2/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2006-05-26 14:02:27.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/avahi.te 2006-07-11 14:26:07.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/avahi.te 2006-07-14 14:25:25.000000000 -0400
@@ -78,6 +78,7 @@
miscfiles_read_localization(avahi_t)
@@ -252,7 +270,7 @@
userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.if serefpolicy-2.3.2/policy/modules/services/bluetooth.if
--- nsaserefpolicy/policy/modules/services/bluetooth.if 2006-02-10 17:05:19.000000000 -0500
-+++ serefpolicy-2.3.2/policy/modules/services/bluetooth.if 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/bluetooth.if 2006-07-14 14:25:25.000000000 -0400
@@ -111,3 +111,26 @@
dontaudit $1 bluetooth_helper_t:dir search;
dontaudit $1 bluetooth_helper_t:file { read getattr };
@@ -282,7 +300,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.3.2/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2006-06-08 08:45:57.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/bluetooth.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/bluetooth.te 2006-07-14 14:25:25.000000000 -0400
@@ -173,6 +173,7 @@
allow bluetooth_helper_t self:shm create_shm_perms;
allow bluetooth_helper_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -301,7 +319,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.3.2/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2006-06-21 16:21:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/cups.te 2006-07-13 10:56:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/cups.te 2006-07-14 14:25:25.000000000 -0400
@@ -81,6 +81,7 @@
allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t self:unix_dgram_socket create_socket_perms;
@@ -312,7 +330,7 @@
allow cupsd_t self:udp_socket create_socket_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyrus.te serefpolicy-2.3.2/policy/modules/services/cyrus.te
--- nsaserefpolicy/policy/modules/services/cyrus.te 2006-07-07 07:35:31.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/cyrus.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/cyrus.te 2006-07-14 14:25:25.000000000 -0400
@@ -41,6 +41,7 @@
allow cyrus_t self:unix_stream_socket connectto;
allow cyrus_t self:tcp_socket create_stream_socket_perms;
@@ -323,7 +341,7 @@
allow cyrus_t cyrus_tmp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.3.2/policy/modules/services/dbus.te
--- nsaserefpolicy/policy/modules/services/dbus.te 2006-07-07 07:35:31.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/dbus.te 2006-07-13 10:54:29.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/dbus.te 2006-07-14 14:25:25.000000000 -0400
@@ -30,7 +30,7 @@
# dac_override: /var/run/dbus is owned by messagebus on Debian
@@ -335,18 +353,18 @@
allow system_dbusd_t self:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-2.3.2/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2005-10-21 23:17:31.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/dovecot.fc 2006-07-13 11:33:34.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/dovecot.fc 2006-07-14 14:25:25.000000000 -0400
@@ -29,6 +29,7 @@
/var/run/dovecot(-login)?(/.*)? gen_context(system_u:object_r:dovecot_var_run_t,s0)
/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
-+/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_lib_t,s0)
++/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.3.2/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/dovecot.te 2006-07-13 11:33:09.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/dovecot.te 2006-07-14 14:25:25.000000000 -0400
@@ -30,6 +30,10 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -375,9 +393,20 @@
nscd_socket_use(dovecot_auth_t)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.3.2/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2006-06-13 22:41:52.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/ftp.te 2006-07-14 14:25:25.000000000 -0400
+@@ -50,6 +50,7 @@
+ allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
+ allow ftpd_t self:tcp_socket create_stream_socket_perms;
+ allow ftpd_t self:udp_socket create_socket_perms;
++allow ftpd_t self:netlink_route_socket r_netlink_socket_perms;
+
+ allow ftpd_t ftpd_etc_t:file r_file_perms;
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.3.2/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2005-10-06 17:29:17.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/hal.fc 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/hal.fc 2006-07-14 14:25:25.000000000 -0400
@@ -1,4 +1,3 @@
-
/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -385,7 +414,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.3.2/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-06-21 16:21:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/hal.te 2006-07-13 10:55:51.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/hal.te 2006-07-14 14:25:25.000000000 -0400
@@ -22,7 +22,7 @@
#
@@ -413,7 +442,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.3.2/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/nscd.te 2006-07-13 10:55:24.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/nscd.te 2006-07-14 14:25:25.000000000 -0400
@@ -28,7 +28,7 @@
# Local policy
#
@@ -425,7 +454,7 @@
allow nscd_t self:fifo_file { read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-2.3.2/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2006-06-21 16:21:03.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/openvpn.te 2006-07-13 10:27:44.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/openvpn.te 2006-07-14 14:25:25.000000000 -0400
@@ -33,6 +33,10 @@
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
@@ -455,7 +484,7 @@
ifdef(`targeted_policy',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.if serefpolicy-2.3.2/policy/modules/services/pegasus.if
--- nsaserefpolicy/policy/modules/services/pegasus.if 2005-10-25 13:40:18.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/pegasus.if 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/pegasus.if 2006-07-14 14:25:25.000000000 -0400
@@ -1 +1,32 @@
## <summary>The Open Group Pegasus CIM/WBEM Server.</summary>
+
@@ -491,7 +520,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pegasus.te serefpolicy-2.3.2/policy/modules/services/pegasus.te
--- nsaserefpolicy/policy/modules/services/pegasus.te 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/pegasus.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/pegasus.te 2006-07-14 14:25:25.000000000 -0400
@@ -100,13 +100,12 @@
auth_use_nsswitch(pegasus_t)
@@ -508,9 +537,174 @@
files_read_var_lib_symlinks(pegasus_t)
hostname_exec(pegasus_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.fc serefpolicy-2.3.2/policy/modules/services/setroubleshoot.fc
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.3.2/policy/modules/services/setroubleshoot.fc 2006-07-14 15:03:01.000000000 -0400
+@@ -0,0 +1,8 @@
++# setroubleshoot executables
++
++/usr/lib/audit/setroubleshoot_dispatcher -- gen_context(system_u:object_r:setroubleshoot_exec_t,s0)
++
++/usr/sbin/setroubleshootd -- gen_context(system_u:object_r:setroubleshootd_exec_t,s0)
++
++/var/run/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_run_t,s0)
++/var/log/setroubleshoot(/.*)? gen_context(system_u:object_r:setroubleshoot_var_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.if serefpolicy-2.3.2/policy/modules/services/setroubleshoot.if
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.3.2/policy/modules/services/setroubleshoot.if 2006-07-14 14:25:25.000000000 -0400
+@@ -0,0 +1,24 @@
++## <summary>policy for setroubleshoot</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run setroubleshoot.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`setroubleshoot_domtrans',`
++ gen_require(`
++ type setroubleshoot_t, setroubleshoot_exec_t;
++ ')
++
++ domain_auto_trans($1,setroubleshoot_exec_t,setroubleshoot_t)
++
++ allow $1 setroubleshoot_t:fd use;
++ allow setroubleshoot_t $1:fd use;
++ allow setroubleshoot_t $1:fifo_file rw_file_perms;
++ allow setroubleshoot_t $1:process sigchld;
++')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.2/policy/modules/services/setroubleshoot.te
+--- nsaserefpolicy/policy/modules/services/setroubleshoot.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-2.3.2/policy/modules/services/setroubleshoot.te 2006-07-14 15:38:25.000000000 -0400
+@@ -0,0 +1,121 @@
++policy_module(setroubleshoot,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type setroubleshootd_t;
++type setroubleshootd_exec_t;
++domain_type(setroubleshootd_t)
++init_daemon_domain(setroubleshootd_t, setroubleshootd_exec_t)
++
++type setroubleshoot_t;
++type setroubleshoot_exec_t;
++domain_type(setroubleshoot_t)
++corecmd_executable_file(setroubleshoot_t)
++
++# log files
++type setroubleshoot_var_log_t;
++logging_log_file(setroubleshoot_var_log_t)
++
++# pid files
++type setroubleshoot_var_run_t;
++files_pid_file(setroubleshoot_var_run_t)
++
++########################################
++#
++# setroubleshootd local policy
++#
++
++files_read_etc_files(setroubleshootd_t)
++libs_use_ld_so(setroubleshootd_t)
++libs_use_shared_libs(setroubleshootd_t)
++miscfiles_read_localization(setroubleshootd_t)
++
++logging_send_syslog_msg(setroubleshootd_t)
++
++# pid file
++allow setroubleshootd_t setroubleshoot_var_run_t:file manage_file_perms;
++allow setroubleshootd_t setroubleshoot_var_run_t:sock_file manage_file_perms;
++allow setroubleshootd_t setroubleshoot_var_run_t:dir rw_dir_perms;
++files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
++
++# log files
++allow setroubleshootd_t setroubleshoot_var_log_t:file create_file_perms;
++allow setroubleshootd_t setroubleshoot_var_log_t:sock_file create_file_perms;
++allow setroubleshootd_t setroubleshoot_var_log_t:dir { rw_dir_perms setattr };
++logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })
++
++allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
++corenet_tcp_bind_lo_node(setroubleshootd_t)
++corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
++
++corecmd_exec_sbin(setroubleshootd_t)
++corecmd_exec_bin(setroubleshootd_t)
++
++dev_read_urand(setroubleshootd_t)
++
++kernel_read_kernel_sysctls(setroubleshootd_t)
++kernel_read_system_state(setroubleshootd_t)
++
++sysnet_read_config(setroubleshootd_t)
++
++init_read_utmp(setroubleshootd_t)
++init_dontaudit_write_utmp(setroubleshootd_t)
++
++term_dontaudit_use_console(setroubleshootd_t)
++term_dontaudit_use_generic_ptys(setroubleshootd_t)
++
++########################################
++#
++# setroubleshoot local policy
++#
++
++files_dontaudit_search_home(setroubleshootd_t)
++files_read_etc_files(setroubleshoot_t)
++
++libs_use_ld_so(setroubleshoot_t)
++libs_use_shared_libs(setroubleshoot_t)
++
++miscfiles_read_localization(setroubleshoot_t)
++
++allow setroubleshoot_t self:capability dac_override;
++allow setroubleshoot_t self:process { signal getattr };
++allow setroubleshoot_t self:fifo_file { read write };
++allow setroubleshoot_t self:unix_stream_socket create_stream_socket_perms;
++allow setroubleshoot_t self:unix_dgram_socket create_socket_perms;
++
++corecmd_exec_sbin(setroubleshoot_t)
++corecmd_exec_bin(setroubleshoot_t)
++
++logging_send_syslog_msg(setroubleshoot_t)
++
++#rpm_dontaudit_manage_db(setroubleshoot_t)
++# ****************BAD BAD BAD **********************
++rpm_read_db(setroubleshoot_t)
++rpm_manage_db(setroubleshoot_t)
++
++kernel_read_kernel_sysctls(setroubleshoot_t)
++kernel_read_system_state(setroubleshoot_t)
++
++files_read_usr_files(setroubleshoot_t)
++files_read_usr_symlinks(setroubleshoot_t)
++
++seutil_read_config(setroubleshoot_t)
++selinux_get_enforce_mode(setroubleshoot_t)
++
++# log files
++logging_search_logs(setroubleshoot_t)
++allow setroubleshoot_t setroubleshoot_var_log_t:file create_file_perms;
++allow setroubleshoot_t setroubleshoot_var_log_t:sock_file rw_file_perms;
++allow setroubleshoot_t setroubleshoot_var_log_t:dir r_dir_perms;
++
++files_search_pids(setroubleshoot_t)
++allow setroubleshoot_t setroubleshoot_var_run_t:dir r_dir_perms;
++allow setroubleshoot_t setroubleshoot_var_run_t:sock_file rw_file_perms;
++
++
++allow setroubleshoot_t setroubleshootd_t:unix_stream_socket { connectto rw_stream_socket_perms };
++
++allow setroubleshoot_t setroubleshoot_exec_t:file { entrypoint getattr ioctl read };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.3.2/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2006-07-07 07:35:32.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/squid.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/squid.te 2006-07-14 14:25:25.000000000 -0400
@@ -80,8 +80,10 @@
corenet_tcp_bind_all_nodes(squid_t)
corenet_udp_bind_all_nodes(squid_t)
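Review bot: `corecmd_executable_file(setroubleshoot_t)` in the new setroubleshoot.te applies the executable-file attribute to the domain type rather than to the entry-point type, and `setroubleshoot_exec_t` is declared with no attribute at all; the dovecot hunk earlier in this patch shows the usual form, so this line should read `domain_entry_file(setroubleshoot_t,setroubleshoot_exec_t)`, which would also make the hand-written `allow setroubleshoot_t setroubleshoot_exec_t:file { entrypoint getattr ioctl read };` at the end of the file unnecessary. Separately, `rpm_manage_db(setroubleshoot_t)` under the `BAD BAD BAD` comment gives a troubleshooting dispatcher write access to the RPM database; `rpm_read_db(setroubleshoot_t)` together with the commented-out `rpm_dontaudit_manage_db(setroubleshoot_t)` would keep it read-only while silencing the denials, and the comment should then say which access is being dontaudited. Two smaller points: `files_dontaudit_search_home(setroubleshootd_t)` sits under the `# setroubleshoot local policy` heading although it targets the daemon domain, and the `self:capability dac_override` grant for setroubleshoot_t carries no comment naming the file access that requires it.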
@@ -524,7 +718,7 @@
corenet_tcp_connect_http_port(squid_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.3.2/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/tftp.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/tftp.te 2006-07-14 14:25:25.000000000 -0400
@@ -78,6 +78,7 @@
miscfiles_read_localization(tftpd_t)
@@ -535,7 +729,7 @@
userdom_dontaudit_use_sysadm_ttys(tftpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.3.2/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2006-06-08 08:45:58.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/xserver.if 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/xserver.if 2006-07-14 14:25:25.000000000 -0400
@@ -317,7 +317,6 @@
')
@@ -574,7 +768,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebra.te serefpolicy-2.3.2/policy/modules/services/zebra.te
--- nsaserefpolicy/policy/modules/services/zebra.te 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/services/zebra.te 2006-07-10 10:43:24.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/services/zebra.te 2006-07-14 14:25:25.000000000 -0400
@@ -73,9 +73,11 @@
corenet_tcp_bind_all_nodes(zebra_t)
corenet_udp_bind_all_nodes(zebra_t)
@@ -589,7 +783,7 @@
dev_list_all_dev_nodes(zebra_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.fc serefpolicy-2.3.2/policy/modules/system/getty.fc
--- nsaserefpolicy/policy/modules/system/getty.fc 2006-07-07 07:35:32.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/getty.fc 2006-07-11 14:09:16.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/getty.fc 2006-07-14 14:25:25.000000000 -0400
@@ -9,3 +9,4 @@
/var/run/mgetty\.pid.* -- gen_context(system_u:object_r:getty_var_run_t,s0)
@@ -597,7 +791,7 @@
+/var/spool/voice -- gen_context(system_u:object_r:getty_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.3.2/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2006-04-12 12:59:10.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/getty.te 2006-07-11 14:07:15.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/getty.te 2006-07-14 14:25:25.000000000 -0400
@@ -37,7 +37,7 @@
#
@@ -617,7 +811,7 @@
init_use_script_ptys(getty_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.2/policy/modules/system/hostname.te
--- nsaserefpolicy/policy/modules/system/hostname.te 2006-03-02 18:45:56.000000000 -0500
-+++ serefpolicy-2.3.2/policy/modules/system/hostname.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/hostname.te 2006-07-14 14:25:25.000000000 -0400
@@ -8,7 +8,10 @@
type hostname_t;
@@ -632,7 +826,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.3.2/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2006-06-06 22:21:56.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/init.if 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/init.if 2006-07-14 14:25:25.000000000 -0400
@@ -158,13 +158,6 @@
allow $1 initrc_t:fifo_file rw_file_perms;
allow $1 initrc_t:process sigchld;
@@ -647,9 +841,37 @@
')
########################################
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.2/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te 2006-06-13 07:03:45.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/logging.te 2006-07-14 14:25:25.000000000 -0400
+@@ -140,7 +140,7 @@
+ # Probably want a transition, and a new auditd_helper app
+ corecmd_exec_sbin(auditd_t)
+ corecmd_exec_bin(auditd_t)
+-
++corecmd_exec_shell(auditd_t)
+
+ domain_use_interactive_fds(auditd_t)
+
+@@ -176,6 +176,10 @@
+ ')
+
+ optional_policy(`
++ setroubleshoot_domtrans(auditd_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(auditd_t)
+ ')
+
+@@ -383,3 +387,4 @@
+ # log to the xconsole
+ xserver_rw_console(syslogd_t)
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.3.2/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-06-13 07:03:48.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/selinuxutil.te 2006-07-13 10:50:32.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/selinuxutil.te 2006-07-14 14:25:25.000000000 -0400
@@ -239,7 +239,7 @@
# Newrole local policy
#
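Review bot: `corecmd_exec_shell(auditd_t)` lets the audit daemon run shell scripts without a domain transition, so whatever those scripts do runs with auditd_t's full privileges, including its access to the audit log, and the comment a few lines up ("Probably want a transition, and a new auditd_helper app") already says a transition is the intended design. The same hunk shows the right shape for setroubleshoot, which gets `setroubleshoot_domtrans(auditd_t)` rather than execution inside auditd_t; the shell exec should carry the same caveat until a dispatcher helper domain exists, e.g. `# TODO: shell scripts run in auditd_t with its full privileges; replace with a domtrans to a dispatcher helper domain`. The `setroubleshoot_domtrans` interface is defined outside this hunk, so I cannot confirm here how tightly the target domain is confined. The trailing `+` at the end of logging.te adds only a blank line at EOF and can be dropped.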
@@ -717,7 +939,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/setrans.te serefpolicy-2.3.2/policy/modules/system/setrans.te
--- nsaserefpolicy/policy/modules/system/setrans.te 2006-05-19 10:07:51.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/setrans.te 2006-07-11 23:15:28.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/setrans.te 2006-07-14 14:25:25.000000000 -0400
@@ -68,3 +68,8 @@
miscfiles_read_localization(setrans_t)
@@ -729,7 +951,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-2.3.2/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2006-06-13 07:03:48.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/sysnetwork.te 2006-07-13 11:10:37.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/sysnetwork.te 2006-07-14 14:25:25.000000000 -0400
@@ -277,6 +277,7 @@
# for /sbin/ip
allow ifconfig_t self:packet_socket create_socket_perms;
@@ -740,7 +962,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.3.2/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2006-06-21 16:21:04.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/unconfined.fc 2006-07-11 15:59:13.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/unconfined.fc 2006-07-14 14:25:25.000000000 -0400
@@ -9,4 +9,5 @@
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/local/RealPlay/realplay.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
@@ -749,7 +971,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.3.2/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2006-06-22 15:12:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/unconfined.te 2006-07-10 11:50:54.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/unconfined.te 2006-07-14 14:25:25.000000000 -0400
@@ -56,10 +56,6 @@
')
@@ -774,7 +996,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.2/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-06-22 15:12:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/userdomain.if 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/userdomain.if 2006-07-14 14:25:25.000000000 -0400
@@ -8,11 +8,10 @@
## <desc>
## <p>
@@ -1116,7 +1338,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.2/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-06-22 15:12:02.000000000 -0400
-+++ serefpolicy-2.3.2/policy/modules/system/userdomain.te 2006-07-09 05:52:17.000000000 -0400
++++ serefpolicy-2.3.2/policy/modules/system/userdomain.te 2006-07-14 14:25:25.000000000 -0400
@@ -56,14 +56,6 @@
# Local policy
#
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.222
retrieving revision 1.223
diff -u -r1.222 -r1.223
--- selinux-policy.spec 13 Jul 2006 14:24:05 -0000 1.222
+++ selinux-policy.spec 14 Jul 2006 20:09:54 -0000 1.223
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.3.2
-Release: 3
+Release: 4
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -341,6 +341,9 @@
%endif
%changelog
+* Fri Jul 14 2006 Dan Walsh <dwalsh at redhat.com> 2.3.2-4
+- Add setroubleshoot policy
+
* Fri Jul 7 2006 Dan Walsh <dwalsh at redhat.com> 2.3.2-3
- Turn off auditallow on setting booleans
--- policy-20060505.patch DELETED ---