rpms/selinux-policy/devel policy-20061106.patch,1.11,1.12
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Nov 10 22:10:16 UTC 2006
- Previous message (by thread): rpms/lvm2/devel LVM2.2.02.14.tgz.asc, NONE, 1.1 .cvsignore, 1.39, 1.40 lvm2.spec, 1.86, 1.87 sources, 1.40, 1.41 upstream, 1.32, 1.33 clvmd-init-chkconfig.patch, 1.1, NONE
- Next message (by thread): rpms/shared-mime-info/devel shared-mime-info-0.19-image-pdf.patch, NONE, 1.1 shared-mime-info.spec, 1.46, 1.47
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv15442
Modified Files:
policy-20061106.patch
Log Message:
* Fri Nov 10 2006 Dan Walsh <dwalsh at redhat.com> 2.4.3-10
- Allow xen to connect to xen port
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 3
policy/global_tunables | 36 ++
policy/mls | 3
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 5
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 38 --
policy/modules/apps/java.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 12
policy/modules/kernel/corenetwork.te.in | 18 -
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 66 ++++
policy/modules/kernel/files.te | 2
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.te | 1
policy/modules/services/aide.fc | 3
policy/modules/services/aide.if | 56 +++
policy/modules/services/aide.te | 52 +++
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 10
policy/modules/services/automount.te | 1
policy/modules/services/bind.te | 1
policy/modules/services/ccs.fc | 10
policy/modules/services/ccs.if | 83 +++++
policy/modules/services/ccs.te | 89 +++++
policy/modules/services/cron.if | 26 -
policy/modules/services/cron.te | 5
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 4
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/hal.fc | 4
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 12
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/oddjob.te | 3
policy/modules/services/pegasus.if | 31 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/procmail.te | 16 +
policy/modules/services/ricci.fc | 20 +
policy/modules/services/ricci.if | 184 ++++++++++++
policy/modules/services/ricci.te | 483 ++++++++++++++++++++++++++++++++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 6
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 1
policy/modules/services/spamassassin.te | 4
policy/modules/services/squid.te | 7
policy/modules/services/ssh.te | 2
policy/modules/services/telnet.te | 1
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 2
policy/modules/system/authlogin.te | 1
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 14
policy/modules/system/iscsi.if | 2
policy/modules/system/libraries.fc | 12
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 13
policy/modules/system/modutils.te | 6
policy/modules/system/mount.te | 19 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.if | 4
policy/modules/system/selinuxutil.te | 13
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 11
policy/modules/system/userdomain.if | 201 +++++++++++++
policy/modules/system/userdomain.te | 10
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 29 +
96 files changed, 1823 insertions(+), 147 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- policy-20061106.patch 10 Nov 2006 20:37:08 -0000 1.11
+++ policy-20061106.patch 10 Nov 2006 22:10:14 -0000 1.12
@@ -445,7 +445,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2006-11-06 11:13:17.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in 2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/kernel/corenetwork.te.in 2006-11-10 15:53:05.000000000 -0500
@@ -43,11 +43,16 @@
sid port gen_context(system_u:object_r:port_t,s0)
@@ -472,7 +472,15 @@
network_port(cvs, tcp,2401,s0, udp,2401,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dbskkd, tcp,1178,s0)
-@@ -122,6 +128,8 @@
+@@ -108,6 +114,7 @@
+ network_port(nessus, tcp,1241,s0)
+ network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+ network_port(ntp, udp,123,s0)
++network_port(ocsp, tcp,9080,s0)
+ network_port(openvpn, udp,1194,s0)
+ network_port(pegasus_http, tcp,5988,s0)
+ network_port(pegasus_https, tcp,5989,s0)
+@@ -122,6 +129,8 @@
network_port(radacct, udp,1646,s0, udp,1813,s0)
network_port(radius, udp,1645,s0, udp,1812,s0)
network_port(razor, tcp,2703,s0)
@@ -481,7 +489,7 @@
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
-@@ -152,8 +160,11 @@
+@@ -152,8 +161,11 @@
# Defaults for reserved ports. Earlier portcon entries take precedence;
# these entries just cover any remaining reserved ports not otherwise declared.
@@ -1328,9 +1336,20 @@
allow hald_t hald_var_run_t:file create_file_perms;
allow hald_t hald_var_run_t:dir rw_dir_perms;
files_pid_filetrans(hald_t,hald_var_run_t,file)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.4.3/policy/modules/services/kerberos.if
+--- nsaserefpolicy/policy/modules/services/kerberos.if 2006-09-22 14:07:06.000000000 -0400
++++ serefpolicy-2.4.3/policy/modules/services/kerberos.if 2006-11-10 16:54:22.000000000 -0500
+@@ -57,6 +57,7 @@
+ corenet_udp_bind_all_nodes($1)
+ corenet_tcp_connect_kerberos_port($1)
+ corenet_sendrecv_kerberos_client_packets($1)
++ corenet_tcp_connect_ocsp_port($1)
+
+ sysnet_read_config($1)
+ sysnet_dns_name_resolve($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.4.3/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2006-10-19 11:47:39.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/kerberos.te 2006-11-09 14:03:18.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/kerberos.te 2006-11-10 16:53:44.000000000 -0500
@@ -24,6 +24,7 @@
# types for general configuration files in /etc
@@ -1339,6 +1358,30 @@
files_security_file(krb5_keytab_t)
# types for KDC configs and principal file(s)
+@@ -156,14 +157,21 @@
+ # Use capabilities. Surplus capabilities may be allowed.
+ allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
+ dontaudit krb5kdc_t self:capability sys_tty_config;
+-allow krb5kdc_t self:process signal_perms;
++allow krb5kdc_t self:process { getsched signal_perms };
+ allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
+-allow krb5kdc_t self:tcp_socket connected_stream_socket_perms;
++allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
+ allow krb5kdc_t self:udp_socket create_socket_perms;
+
++files_read_usr_symlinks(krb5kdc_t)
++files_read_var_files(krb5kdc_t)
++
+ allow krb5kdc_t krb5_conf_t:file r_file_perms;
+ dontaudit krb5kdc_t krb5_conf_t:file write;
+
++corenet_tcp_connect_ocsp_port(krb5kdc_t)
++corecmd_exec_sbin(krb5kdc_t)
++corecmd_exec_bin(krb5kdc_t)
++
+ can_exec(krb5kdc_t, krb5kdc_exec_t)
+
+ allow krb5kdc_t krb5kdc_conf_t:dir search;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/lpd.if serefpolicy-2.4.3/policy/modules/services/lpd.if
--- nsaserefpolicy/policy/modules/services/lpd.if 2006-11-06 11:13:19.000000000 -0500
+++ serefpolicy-2.4.3/policy/modules/services/lpd.if 2006-11-09 14:03:18.000000000 -0500
@@ -1405,12 +1448,12 @@
# Transition from the user domain to the derived domain.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.4.3/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2006-09-15 13:14:25.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/services/mta.if 2006-11-10 12:33:27.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/services/mta.if 2006-11-10 16:50:04.000000000 -0500
@@ -820,6 +820,7 @@
type mqueue_spool_t;
')
-+ dontaudit $1 mqueue_spool_t:dir search_perms;
++ dontaudit $1 mqueue_spool_t:dir search_dir_perms;
dontaudit $1 mqueue_spool_t:file { getattr read write };
')
@@ -1787,8 +1830,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ricci.te serefpolicy-2.4.3/policy/modules/services/ricci.te
--- nsaserefpolicy/policy/modules/services/ricci.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-09 20:52:15.000000000 -0500
-@@ -0,0 +1,479 @@
++++ serefpolicy-2.4.3/policy/modules/services/ricci.te 2006-11-10 17:09:48.000000000 -0500
+@@ -0,0 +1,483 @@
+policy_module(ricci,1.0.0)
+
+########################################
@@ -2268,6 +2311,10 @@
+optional_policy(`
+ consoletype_exec(ricci_modcluster_t)
+')
++
++# THis has got to go.
++unconfined_domain(ricci_modcluster_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.4.3/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2006-10-19 11:47:39.000000000 -0400
+++ serefpolicy-2.4.3/policy/modules/services/rsync.te 2006-11-09 14:03:18.000000000 -0500
@@ -2731,13 +2778,13 @@
+/var/lib/multipath(/.*)? gen_context(system_u:object_r:lvm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.4.3/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2006-10-19 11:47:40.000000000 -0400
-+++ serefpolicy-2.4.3/policy/modules/system/lvm.te 2006-11-10 13:55:37.000000000 -0500
++++ serefpolicy-2.4.3/policy/modules/system/lvm.te 2006-11-10 15:46:32.000000000 -0500
@@ -13,6 +13,9 @@
type clvmd_var_run_t;
files_pid_file(clvmd_var_run_t)
+type lvm_var_lib_t;
-+files_typee(lvm_var_lib_t)
++files_type(lvm_var_lib_t)
+
type lvm_t;
type lvm_exec_t;
- Previous message (by thread): rpms/lvm2/devel LVM2.2.02.14.tgz.asc, NONE, 1.1 .cvsignore, 1.39, 1.40 lvm2.spec, 1.86, 1.87 sources, 1.40, 1.41 upstream, 1.32, 1.33 clvmd-init-chkconfig.patch, 1.1, NONE
- Next message (by thread): rpms/shared-mime-info/devel shared-mime-info-0.19-image-pdf.patch, NONE, 1.1 shared-mime-info.spec, 1.46, 1.47
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list