rpms/selinux-policy/devel booleans-targeted.conf, 1.14, 1.15 modules-strict.conf, 1.12, 1.13 policy-20060608.patch, 1.27, 1.28 selinux-policy.spec, 1.226, 1.227

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Jul 19 18:39:34 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv1651

Modified Files:
	booleans-targeted.conf modules-strict.conf 
	policy-20060608.patch selinux-policy.spec 
Log Message:
* Tue Jul 18 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-4
- setroubleshootd fixes



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- booleans-targeted.conf	12 Jul 2006 02:50:30 -0000	1.14
+++ booleans-targeted.conf	19 Jul 2006 18:39:31 -0000	1.15
@@ -50,10 +50,6 @@
 # 
 allow_smbd_anon_write = false
 
-# Allow sysadm to ptrace all processes
-# 
-allow_ptrace = false
-
 # Allow system to run with NIS
 # 
 allow_ypbind = false
@@ -142,10 +138,6 @@
 # 
 squid_connect_any = false
 
-# Allow ssh logins as sysadm_r:sysadm_t
-# 
-ssh_sysadm_login = false
-
 # Configure stunnel to be a standalone daemon orinetd service.
 # 
 stunnel_is_daemon = false
@@ -186,10 +178,6 @@
 # 
 spamd_enable_home_dirs = true
 
-# Allow staff_r users to search the sysadm homedir and read files (such as ~/.bashrc)
-# 
-staff_read_sysadm_file = false
-
 # Allow regular users direct mouse access
 # 
 user_direct_mouse = false


Index: modules-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-strict.conf,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- modules-strict.conf	14 Jul 2006 20:09:54 -0000	1.12
+++ modules-strict.conf	19 Jul 2006 18:39:31 -0000	1.13
@@ -198,7 +198,7 @@
 #
 # APT advanced package toll.
 # 
-apt = module
+apt = off
 
 # Layer: admin
 # Module: dmesg
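Review bot: Switching `apt` from `module` to `off` in the strict module list is unrelated to the "setroubleshootd fixes" that the log message and the %changelog entry describe, and nothing on the page records why the module is being disabled. A changelog line such as `- Disable apt module in strict policy` (or a comment above the entry) would let a later maintainer distinguish a deliberate removal from an accidental one. The surrounding module list continues on both sides of the hunk.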

policy-20060608.patch:
 global_tunables                    |   67 +++++------
 modules/admin/bootloader.te        |    4 
 modules/admin/consoletype.te       |    7 +
 modules/admin/netutils.te          |   10 -
 modules/admin/prelink.te           |    1 
 modules/admin/rpm.fc               |    2 
 modules/admin/rpm.if               |    4 
 modules/admin/usermanage.te        |    2 
 modules/kernel/corenetwork.te.in   |    5 
 modules/kernel/devices.fc          |    1 
 modules/kernel/files.fc            |    1 
 modules/kernel/filesystem.te       |    2 
 modules/kernel/kernel.if           |   38 ++++++
 modules/kernel/storage.fc          |    1 
 modules/services/amavis.te         |    2 
 modules/services/automount.te      |    8 +
 modules/services/avahi.te          |    1 
 modules/services/bluetooth.if      |   23 +++
 modules/services/bluetooth.te      |    2 
 modules/services/clamav.fc         |    3 
 modules/services/clamav.if         |   22 +++
 modules/services/clamav.te         |   20 ---
 modules/services/cups.te           |    4 
 modules/services/cyrus.te          |    1 
 modules/services/dovecot.fc        |    1 
 modules/services/dovecot.te        |   10 +
 modules/services/ftp.te            |    2 
 modules/services/hal.te            |    6 -
 modules/services/lpd.if            |   20 +--
 modules/services/mailman.te        |   15 ++
 modules/services/nscd.if           |   20 +++
 modules/services/openvpn.te        |    8 +
 modules/services/pegasus.if        |   31 +++++
 modules/services/pegasus.te        |    5 
 modules/services/postfix.te        |    6 -
 modules/services/postgrey.fc       |    2 
 modules/services/postgrey.if       |   19 +++
 modules/services/postgrey.te       |   20 +++
 modules/services/procmail.te       |    5 
 modules/services/radius.fc         |    1 
 modules/services/radius.te         |    8 +
 modules/services/remotelogin.te    |    1 
 modules/services/samba.te          |    6 -
 modules/services/setroubleshoot.fc |    8 +
 modules/services/setroubleshoot.if |   24 ++++
 modules/services/setroubleshoot.te |  128 +++++++++++++++++++++
 modules/services/squid.te          |    5 
 modules/services/tftp.te           |    1 
 modules/services/xfs.te            |    2 
 modules/services/xserver.if        |   22 +++
 modules/services/xserver.te        |    3 
 modules/services/zebra.te          |    2 
 modules/system/authlogin.if        |    3 
 modules/system/authlogin.te        |    1 
 modules/system/fstools.fc          |    1 
 modules/system/getty.fc            |    1 
 modules/system/getty.te            |    3 
 modules/system/hostname.te         |    5 
 modules/system/hotplug.te          |    2 
 modules/system/init.if             |    7 -
 modules/system/libraries.fc        |    2 
 modules/system/locallogin.te       |    1 
 modules/system/logging.if          |    2 
 modules/system/logging.te          |    6 -
 modules/system/selinuxutil.te      |   21 +++
 modules/system/setrans.te          |    5 
 modules/system/sysnetwork.te       |    1 
 modules/system/udev.te             |    4 
 modules/system/unconfined.fc       |    1 
 modules/system/unconfined.if       |    1 
 modules/system/unconfined.te       |    8 -
 modules/system/userdomain.if       |  221 ++++++++++++++++++++++++-------------
 modules/system/userdomain.te       |   38 ++----
 modules/system/xen.te              |    2 
 74 files changed, 739 insertions(+), 209 deletions(-)

Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- policy-20060608.patch	18 Jul 2006 15:51:20 -0000	1.27
+++ policy-20060608.patch	19 Jul 2006 18:39:31 -0000	1.28
@@ -1,6 +1,6 @@
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.3.3/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.3/policy/global_tunables	2006-07-17 11:43:02.000000000 -0400
++++ serefpolicy-2.3.3/policy/global_tunables	2006-07-19 12:33:32.000000000 -0400
 @@ -89,6 +89,13 @@
  
  ## <desc>
@@ -15,7 +15,20 @@
  ## Allow java executable stack
  ## </p>
  ## </desc>
-@@ -311,13 +318,6 @@
+@@ -132,12 +139,6 @@
+ ## </desc>
+ gen_tunable(allow_smbd_anon_write,false)
+ 
+-## <desc>
+-## <p>
+-## Allow sysadm to ptrace all processes
+-## </p>
+-## </desc>
+-gen_tunable(allow_ptrace,false)
+ 
+ ## <desc>
+ ## <p>
+@@ -311,13 +312,6 @@
  
  ## <desc>
  ## <p>
@@ -29,6 +42,82 @@
  ## Allow squid to connect to all ports, not just
  ## HTTP, FTP, and Gopher ports.
  ## </p>
+@@ -326,13 +320,6 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow ssh logins as sysadm_r:sysadm_t
+-## </p>
+-## </desc>
+-gen_tunable(ssh_sysadm_login,false)
+-
+-## <desc>
+-## <p>
+ ## Configure stunnel to be a standalone daemon or
+ ## inetd service.
+ ## </p>
+@@ -353,6 +340,12 @@
+ ## </desc>
+ gen_tunable(use_samba_home_dirs,false)
+ 
++########################################
++#
++# Strict policy specific
++#
++
++ifdef(`strict_policy',`
+ ## <desc>
+ ## <p>
+ ## Control users use of ping and traceroute
+@@ -360,12 +353,28 @@
+ ## </desc>
+ gen_tunable(user_ping,false)
+ 
+-########################################
+-#
+-# Strict policy specific
+-#
++## <desc>
++## <p>
++## Allow sysadm to ptrace all processes
++## </p>
++## </desc>
++gen_tunable(allow_ptrace,false)
++
++## <desc>
++## <p>
++## Allow ssh logins as sysadm_r:sysadm_t
++## </p>
++## </desc>
++gen_tunable(ssh_sysadm_login,false)
++
++## <desc>
++## <p>
++## Allow staff_r users to search the sysadm home 
++## dir and read files (such as ~/.bashrc)
++## </p>
++## </desc>
++gen_tunable(staff_read_sysadm_file,false)
+ 
+-ifdef(`strict_policy',`
+ ## <desc>
+ ## <p>
+ ## Allow gpg executable stack
+@@ -489,14 +498,6 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow staff_r users to search the sysadm home 
+-## dir and read files (such as ~/.bashrc)
+-## </p>
+-## </desc>
+-gen_tunable(staff_read_sysadm_file,false)
+-
+-## <desc>
+-## <p>
+ ## Allow regular users direct mouse access 
+ ## </p>
+ ## </desc>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/bootloader.te serefpolicy-2.3.3/policy/modules/admin/bootloader.te
 --- nsaserefpolicy/policy/modules/admin/bootloader.te	2006-07-14 17:04:46.000000000 -0400
 +++ serefpolicy-2.3.3/policy/modules/admin/bootloader.te	2006-07-17 11:43:02.000000000 -0400
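Review bot: Placing the `ifdef(`strict_policy',`` opener right after `gen_tunable(use_samba_home_dirs,false)` makes `user_ping` strict-only together with the three relocated tunables (`allow_ptrace`, `ssh_sysadm_login`, `staff_read_sysadm_file`), but the only reference shown being adjusted for that is traceroute_t's in the netutils.te hunk below; any other `tunable_policy(`user_ping',…)` left outside a strict/targeted guard (ping_t's in netutils.te, if it has one) would name an undeclared tunable in a targeted build. The booleans-targeted.conf removals in this commit match the three relocated tunables, which is consistent, though a one-line comment at the top of the new block, `# allow_ptrace, ssh_sysadm_login, staff_read_sysadm_file and user_ping are declared for strict only`, would record that the move is intentional. The global_tunables section of the patch continues outside this hunk.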
@@ -74,6 +163,26 @@
  mls_file_read_up(consoletype_t)
  mls_file_write_down(consoletype_t)
  role system_r types consoletype_t;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.3.3/policy/modules/admin/netutils.te
+--- nsaserefpolicy/policy/modules/admin/netutils.te	2006-07-14 17:04:46.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/admin/netutils.te	2006-07-19 12:37:56.000000000 -0400
+@@ -211,11 +211,11 @@
+ ifdef(`targeted_policy',`
+ 	term_use_unallocated_ttys(traceroute_t)
+ 	term_use_generic_ptys(traceroute_t)
+-')
+-
+-tunable_policy(`user_ping',`
+-	term_use_all_user_ttys(traceroute_t)
+-	term_use_all_user_ptys(traceroute_t)
++',`
++	tunable_policy(`user_ping',`
++		term_use_all_user_ttys(traceroute_t)
++		term_use_all_user_ptys(traceroute_t)
++	')
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.3.3/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2006-07-14 17:04:46.000000000 -0400
 +++ serefpolicy-2.3.3/policy/modules/admin/prelink.te	2006-07-18 08:54:22.000000000 -0400
@@ -1066,13 +1175,13 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.3.3/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.3.3/policy/modules/services/setroubleshoot.te	2006-07-18 09:53:15.000000000 -0400
-@@ -0,0 +1,122 @@
++++ serefpolicy-2.3.3/policy/modules/services/setroubleshoot.te	2006-07-19 09:09:36.000000000 -0400
+@@ -0,0 +1,128 @@
 +policy_module(setroubleshoot,1.0.0)
 +
 +########################################
 +#
-+# Declarations
++# Declarations 
 +#
 +
 +type setroubleshootd_t;
@@ -1118,6 +1227,8 @@
 +logging_log_filetrans(setroubleshootd_t,setroubleshoot_var_log_t,{ file dir })
 +
 +allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
++
++corenet_tcp_bind_generic_node(setroubleshootd_t)
 +corenet_tcp_bind_lo_node(setroubleshootd_t)
 +corenet_tcp_bind_setroubleshoot_port(setroubleshootd_t)
 +
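Review bot: `corenet_tcp_bind_generic_node(setroubleshootd_t)` allows the daemon to bind its listening socket on non-loopback addresses, while the existing `corenet_tcp_bind_lo_node` line on the next line already covers a loopback-only listener; if setroubleshootd only serves clients on the local host, the new line widens the reachable surface of the setroubleshoot port beyond what the policy needs. If a non-local bind is genuinely required, a comment above the line, `# setroubleshootd binds on all addresses, so lo_node alone is denied`, would keep the broader grant from reading as accidental. The setroubleshootd_t rules continue outside this hunk.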
@@ -1133,6 +1244,7 @@
 +
 +init_read_utmp(setroubleshootd_t)
 +init_dontaudit_write_utmp(setroubleshootd_t)
++init_use_fds(setroubleshootd_t)
 +
 +term_dontaudit_use_console(setroubleshootd_t)
 +term_dontaudit_use_generic_ptys(setroubleshootd_t)
@@ -1142,6 +1254,7 @@
 +# setroubleshoot local policy
 +#
 +
++
 +files_dontaudit_search_home(setroubleshootd_t)
 +files_read_etc_files(setroubleshoot_t)
 +
@@ -1164,6 +1277,7 @@
 +kernel_read_kernel_sysctls(setroubleshoot_t)
 +kernel_read_system_state(setroubleshoot_t)
 +
++files_dontaudit_getattr_tmp_dirs(setroubleshoot_t)
 +files_read_usr_files(setroubleshoot_t)
 +files_read_usr_symlinks(setroubleshoot_t)
 +
@@ -1187,12 +1301,13 @@
 +
 +optional_policy(`
 +	rpm_read_db(setroubleshoot_t)
++	rpm_dontaudit_manage_db(setroubleshoot_t)
 +')
 +
 +
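Review bot: `rpm_dontaudit_manage_db(setroubleshoot_t)` silences create/write/unlink denials on the RPM database rather than granting them, so any future case where setroubleshoot genuinely needs to modify the db will fail with no AVC to diagnose; that is the right choice only if the attempted writes are a harmless side effect of read-only use. A short comment recording the reason, e.g. `# db is opened for write as a side effect of queries; writes are not needed`, would document the intent, if that is indeed why the dontaudit was added. The optional_policy block and the rest of the file continue outside the hunk.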
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.3.3/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/services/squid.te	2006-07-17 11:43:02.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/squid.te	2006-07-19 11:33:04.000000000 -0400
 @@ -80,8 +80,10 @@
  corenet_tcp_bind_all_nodes(squid_t)
  corenet_udp_bind_all_nodes(squid_t)
@@ -1204,6 +1319,16 @@
  corenet_tcp_connect_ftp_port(squid_t)
  corenet_tcp_connect_gopher_port(squid_t)
  corenet_tcp_connect_http_port(squid_t)
+@@ -176,9 +178,6 @@
+ ')
+ 
+ ifdef(`TODO',`
+-ifdef(`apache.te',`
+-can_tcp_connect(squid_t, httpd_t)
+-')
+ #squid requires the following when run in diskd mode, the recommended setting
+ allow squid_t tmpfs_t:file { read write };
+ ') dnl end TODO
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.3.3/policy/modules/services/tftp.te
 --- nsaserefpolicy/policy/modules/services/tftp.te	2006-07-14 17:04:41.000000000 -0400
 +++ serefpolicy-2.3.3/policy/modules/services/tftp.te	2006-07-17 11:43:02.000000000 -0400


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.226
retrieving revision 1.227
diff -u -r1.226 -r1.227
--- selinux-policy.spec	18 Jul 2006 15:51:21 -0000	1.226
+++ selinux-policy.spec	19 Jul 2006 18:39:31 -0000	1.227
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.3.3
-Release: 3
+Release: 4
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -341,6 +341,9 @@
 %endif
 
 %changelog
+* Tue Jul 18 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-4
+- setroubleshootd fixes
+
 * Mon Jul 17 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-3
 - Allow prelink to read bin_t symlink
 - allow xfs to read random devices



