rpms/selinux-policy/devel policy-20061106.patch,NONE,1.1
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Nov 6 21:18:58 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv15236
Added Files:
policy-20061106.patch
Log Message:
* Fri Nov 3 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-1
- Merge with upstream
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 3
policy/global_tunables | 36 ++
policy/mls | 3
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 5
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 5
policy/modules/apps/java.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.te.in | 3
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 66 ++++
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 10
policy/modules/services/automount.te | 1
policy/modules/services/ccs.fc | 10
policy/modules/services/ccs.if | 83 +++++
policy/modules/services/ccs.te | 89 +++++
policy/modules/services/cron.if | 26 -
policy/modules/services/cron.te | 5
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 4
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/oddjob.te | 1
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 16 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 477 ++++++++++++++++++++++++++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 6
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 1
policy/modules/services/spamassassin.te | 4
policy/modules/services/squid.te | 7
policy/modules/services/ssh.te | 2
policy/modules/services/telnet.te | 1
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 2
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 14
policy/modules/system/iscsi.if | 2
policy/modules/system/libraries.fc | 3
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/mount.te | 11
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.if | 4
policy/modules/system/selinuxutil.te | 10
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 8
policy/modules/system/userdomain.if | 201 +++++++++++++
policy/modules/system/userdomain.te | 6
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 22 +
77 files changed, 1609 insertions(+), 78 deletions(-)
--- NEW FILE policy-20061106.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.3/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-10-23 16:14:53.000000000 -0400
+++ serefpolicy-2.4.3/policy/flask/access_vectors 2006-11-06 16:07:57.000000000 -0500
@@ -619,6 +619,8 @@
send
recv
relabelto
+ flow_in
+ flow_out
}
class key
@@ -635,4 +637,5 @@
class context
{
translate
+ contains
}
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.3/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-06 11:13:22.000000000 -0500
+++ serefpolicy-2.4.3/policy/global_tunables 2006-11-06 12:11:58.000000000 -0500
@@ -574,6 +574,13 @@
gen_tunable(xdm_sysadm_login,false)
')
+## <desc>
+## <p>
+## Allow mount to mount any dir
+## </p>
+## </desc>
+gen_tunable(allow_mounton_anydir,true)
+
########################################
#
# Targeted policy specific
@@ -589,6 +596,13 @@
## <desc>
## <p>
+## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
+gen_tunable(allow_daemons_dump_core,false)
+
+## <desc>
+## <p>
## Allow mount to mount any file
## </p>
## </desc>
@@ -600,4 +614,26 @@
## </p>
## </desc>
gen_tunable(spamd_enable_home_dirs,true)
+
+## <desc>
+## <p>
+## Allow xen to read/write physical disk devices
+## </p>
+## </desc>
+gen_tunable(xen_use_raw_disk,true)
+
')
+
+## <desc>
+## <p>
+## Allow unconfined to dyntrans to unconfined_execmem
+## </p>
+## </desc>
+gen_tunable(allow_unconfined_execmem_dyntrans,false)
+
+## <desc>
+## <p>
+## Use lpd server instead of cups
+## </p>
+## </desc>
+gen_tunable(use_lpd_server,false)
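Review bot: `gen_tunable(xen_use_raw_disk,true)` declares a boolean that nothing in this patch consults: the two xen.te hunks that grant `storage_raw_read_fixed_disk`/`storage_raw_write_fixed_disk` to xend_t and xenstored_t have their `tunable_policy(`xen_use_raw_disk',...)` wrappers commented out, so raw fixed-disk read and write stay unconditional and an administrator who sets the boolean to false gets no effect despite the description `Allow xen to read/write physical disk devices`. Either uncomment the wrappers in both xen.te hunks or hold this tunable back until they are active. The tunable also appears to sit inside a block whose opening `ifdef` is outside the hunk, ahead of the closing `')`, unlike the two tunables added after it; confirm it is meant to be targeted-policy-only.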
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.4.3/policy/mls
--- nsaserefpolicy/policy/mls 2006-11-06 11:13:22.000000000 -0500
+++ serefpolicy-2.4.3/policy/mls 2006-11-06 12:11:58.000000000 -0500
@@ -597,4 +597,7 @@
mlsconstrain context translate
(( h1 dom h2 ) or ( t1 == mlstranslate ));
+mlsconstrain context contains
+ ( h1 dom h2 );
+
') dnl end enable_mls
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/acct.te serefpolicy-2.4.3/policy/modules/admin/acct.te
--- nsaserefpolicy/policy/modules/admin/acct.te 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/admin/acct.te 2006-11-06 12:11:58.000000000 -0500
@@ -9,6 +9,7 @@
type acct_t;
type acct_exec_t;
init_system_domain(acct_t,acct_exec_t)
+userdom_executable_file(acct_exec_t)
type acct_data_t;
logging_log_file(acct_data_t)
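Review bot: The added `userdom_executable_file(acct_exec_t)` puts the entry point of the init-launched acct_t domain into whatever set that interface grows — its body is not in view, but presumably it attaches the new `user_exec_type` attribute declared in the userdomain.te hunk. The same patch adds interfaces that grant `manage_file_perms` and `relabelfrom relabelto` on every user_exec_type file, so any caller of those gains write and relabel access to this system domain's entrypoint, not only to user-run binaries. If that is intended, a comment such as `# also user_exec_type: writable/relabelable via userdom_manage_user_executables and userdom_relabel_all_executables` would make the integrity trade-off visible to the next reader. The identical one-line addition appears in the consoletype, dmesg and netutils hunks.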
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.te serefpolicy-2.4.3/policy/modules/admin/amanda.te
--- nsaserefpolicy/policy/modules/admin/amanda.te 2006-11-06 11:13:21.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/admin/amanda.te 2006-11-06 12:11:58.000000000 -0500
@@ -75,6 +75,7 @@
allow amanda_t self:unix_dgram_socket create_socket_perms;
allow amanda_t self:tcp_socket create_stream_socket_perms;
allow amanda_t self:udp_socket create_socket_perms;
+allow amanda_t self:netlink_route_socket r_netlink_socket_perms;
# access to amanda_amandates_t
allow amanda_t amanda_amandates_t:file { getattr lock read write };
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.4.3/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2006-10-19 11:47:40.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/admin/consoletype.te 2006-11-06 12:11:58.000000000 -0500
@@ -8,7 +8,12 @@
type consoletype_t;
type consoletype_exec_t;
-init_domain(consoletype_t,consoletype_exec_t)
+#dont transition from initrc
+#init_domain(consoletype_t,consoletype_exec_t)
+domain_type(consoletype_t)
+domain_entry_file(consoletype_t,consoletype_exec_t)
+role system_r types consoletype_t;
+
mls_file_read_up(consoletype_t)
mls_file_write_down(consoletype_t)
role system_r types consoletype_t;
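Review bot: `role system_r types consoletype_t;` is added on the new side and is already present two lines later as context, so the hunk leaves the statement duplicated; drop the added copy. The commented-out `#init_domain(consoletype_t,consoletype_exec_t)` with the terse `#dont transition from initrc` keeps dead code in the policy; either remove it or make the comment explain the decision, e.g. `# consoletype is run from initrc scripts without a domain transition, so declare the type and entrypoint directly instead of init_domain`. The conditional `init_system_domain` in the following hunk covers the non-targeted case, which that comment could also point to.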
@@ -16,6 +21,7 @@
ifdef(`targeted_policy',`',`
init_system_domain(consoletype_t,consoletype_exec_t)
')
+userdom_executable_file(consoletype_exec_t)
########################################
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/dmesg.te serefpolicy-2.4.3/policy/modules/admin/dmesg.te
--- nsaserefpolicy/policy/modules/admin/dmesg.te 2006-07-14 17:04:46.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/admin/dmesg.te 2006-11-06 12:11:58.000000000 -0500
@@ -10,6 +10,7 @@
type dmesg_t;
type dmesg_exec_t;
init_system_domain(dmesg_t,dmesg_exec_t)
+ userdom_executable_file(dmesg_exec_t)
role system_r types dmesg_t;
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.4.3/policy/modules/admin/logwatch.te
--- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-10-19 11:47:40.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/admin/logwatch.te 2006-11-06 12:11:58.000000000 -0500
@@ -53,6 +53,7 @@
corecmd_exec_ls(logwatch_t)
dev_read_urand(logwatch_t)
+dev_search_sysfs(logwatch_t)
# Read /proc/PID directories for all domains.
domain_read_all_domains_state(logwatch_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-2.4.3/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2006-11-06 11:13:22.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/admin/netutils.te 2006-11-06 12:11:58.000000000 -0500
@@ -18,10 +18,12 @@
type ping_exec_t;
init_system_domain(ping_t,ping_exec_t)
role system_r types ping_t;
+userdom_executable_file(ping_exec_t)
type traceroute_t;
type traceroute_exec_t;
init_system_domain(traceroute_t,traceroute_exec_t)
+userdom_executable_file(traceroute_exec_t)
role system_r types traceroute_t;
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-2.4.3/policy/modules/admin/prelink.te
--- nsaserefpolicy/policy/modules/admin/prelink.te 2006-11-06 11:13:21.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/admin/prelink.te 2006-11-06 14:12:02.000000000 -0500
@@ -57,6 +57,7 @@
files_write_non_security_dirs(prelink_t)
files_read_etc_files(prelink_t)
files_read_etc_runtime_files(prelink_t)
+files_dontaudit_read_all_symlinks(prelink_t)
fs_getattr_xattr_fs(prelink_t)
@@ -79,9 +80,9 @@
ifdef(`targeted_policy',`
term_use_unallocated_ttys(prelink_t)
term_use_generic_ptys(prelink_t)
-
- # prelink executables in the user homedir
userdom_manage_generic_user_home_content_files(prelink_t)
+ userdom_execute_generic_user_home_content_files(prelink_t)
+ userdom_dontaudit_relabel_generic_user_home_content_files(prelink_t)
')
optional_policy(`
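Review bot: The comment `# prelink executables in the user homedir` is deleted while the rule it explained is kept and two more are added beneath it, so the targeted-policy block loses its only statement of intent. Restore it above `userdom_manage_generic_user_home_content_files(prelink_t)`, e.g. `# prelink executables in the user homedir; execute is needed for the check, relabel attempts are silenced`. Note that `userdom_execute_generic_user_home_content_files` (defined later in this patch) grants `execute` on every user_home_t file, not just on binaries, so the comment should record whether that breadth is intended. The optional_policy block that follows continues outside the hunk.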
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.4.3/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2006-09-22 14:07:08.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/admin/rpm.fc 2006-11-06 12:11:58.000000000 -0500
@@ -21,6 +21,9 @@
[...2404 lines suppressed...]
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_manage_user_executables',`
+ gen_require(`
+ attribute user_exec_type;
+ ')
+ allow $1 user_exec_type:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap all executables as executable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_mmap_all_executables',`
+ gen_require(`
+ attribute user_exec_type;
+ ')
+
+ allow $1 user_exec_type:file { getattr read execute };
+')
+
+########################################
+## <summary>
+## Relabel to and from the bin type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_relabel_all_executables',`
+ gen_require(`
+ attribute user_exec_type;
+ ')
+
+ allow $1 user_exec_type:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+## dontaudit relabel of generic user
+## home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_relabel_generic_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ files_search_home($1)
+ dontaudit $1 user_home_t:file { relabelto relabelfrom };
+')
+
+########################################
+## <summary>
+## allow execute of generic user
+## home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_execute_generic_user_home_content_files',`
+ gen_require(`
+ type user_home_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_t:file execute;
+')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.3/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-06 11:13:21.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/system/userdomain.te 2006-11-06 12:11:58.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
+# Executables to be run by user
+attribute user_exec_type;
+
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
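Review bot: The comment `# Executables to be run by user` on the new `attribute user_exec_type;` undersells it: interfaces added to userdomain.if in this patch grant `manage_file_perms` and `relabelfrom relabelto` on every file carrying the attribute, and the patch applies it (presumably via `userdom_executable_file`, whose body is not in view) to entry points of system domains such as acct, dmesg, ping, traceroute and consoletype. A fuller comment would guide whoever adds the next type, e.g. `# user_exec_type: executables user domains may read/execute; userdom_manage_user_executables and userdom_relabel_all_executables act on the whole attribute, so any type added here becomes writable/relabelable to their callers`.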
@@ -428,6 +431,9 @@
')
optional_policy(`
+ nscd_role(sysadm_r)
+ ')
+ optional_policy(`
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.3/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-06 11:13:21.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/system/xen.fc 2006-11-06 12:11:58.000000000 -0500
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.3/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-06 11:13:21.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/system/xen.te 2006-11-06 12:20:00.000000000 -0500
@@ -152,6 +152,7 @@
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)
+dev_rw_xen(xend_t)
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
@@ -164,7 +165,11 @@
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
-storage_raw_read_fixed_disk(xend_t)
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xend_t)
+ storage_raw_write_fixed_disk(xend_t)
+#')
+
storage_raw_read_removable_device(xend_t)
term_getattr_all_user_ptys(xend_t)
@@ -236,6 +241,10 @@
files_read_usr_files(xenconsoled_t)
+dev_manage_xen(xenconsoled_t)
+dev_filetrans_xen(xenconsoled_t)
+dev_rw_sysfs(xenconsoled_t)
+
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
@@ -283,6 +292,12 @@
files_read_usr_files(xenstored_t)
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xenstored_t)
+ storage_raw_write_fixed_disk(xenstored_t)
+#')
+storage_raw_read_removable_device(xenstored_t)
+
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
@@ -353,3 +368,8 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+files_search_mnt(xend_t)
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
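Review bot: `fs_write_nfs_files(xend_t)` and `fs_read_nfs_files(xend_t)` are granted unconditionally, and the preceding `#Should have a boolean wrapping these` shows the gap is known; shipping write access to NFS-mounted content for xend_t without the boolean widens the daemon's reach on every installation, not only those keeping images on NFS. Wrap the three lines in `tunable_policy(`<nfs-tunable-placeholder>',` … `')` with a matching `gen_tunable` in global_tunables, following the `tunable_policy` shape the earlier xen.te hunks sketch for `xen_use_raw_disk`. Until then the comment should name the intended boolean so the TODO is actionable.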
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.3/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-10-16 12:20:19.000000000 -0400
+++ serefpolicy-2.4.3/Rules.modular 2006-11-06 12:11:58.000000000 -0500
@@ -219,6 +219,16 @@
########################################
#
+# Validate File Contexts
+#
+validatefc: $(base_pkg) $(base_fc)
+ @echo "Validating file context."
+ $(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
+ $(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
+ @echo "Success."
+
+########################################
+#
# Clean the sources
#
clean:
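Review bot: The new `validatefc` target expands the base package into `$(tmpdir)/policy.tmp` and never removes it, so a stale expanded policy is left behind after each run; add `$(verbose) rm -f $(tmpdir)/policy.tmp` before the `@echo "Success."` line. `validatefc` produces no file of that name, so it belongs in the makefile's `.PHONY` list if one exists (not visible in this hunk) — otherwise a file named validatefc in the tree would silently skip the check. The `clean:` target on the last context line is also a natural place to drop the temporary.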