rpms/selinux-policy/FC-5 policy-20061106.patch, NONE, 1.1 selinux-policy.spec, 1.185, 1.186
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Nov 22 14:51:27 UTC 2006
- Previous message (by thread): rpms/ntp/devel ntp.spec, 1.59, 1.60 ntpd.init, 1.22, 1.23 ntpd.sysconfig, 1.6, 1.7
- Next message (by thread): rpms/grep/devel grep-mem-exhausted.patch, NONE, 1.1 grep.spec, 1.62, 1.63
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/FC-5
In directory cvs.devel.redhat.com:/tmp/cvs-serv27151
Modified Files:
selinux-policy.spec
Added Files:
policy-20061106.patch
Log Message:
* Mon Nov 21 2006 Dan Walsh <dwalsh at redhat.com> 2.4.5-4.fc5
- Bump to fc6 policy
policy-20061106.patch:
Rules.modular | 10 +
doc/policy.dtd | 5
policy/flask/access_vectors | 2
policy/global_booleans | 9 +
policy/global_tunables | 286 +++++++++++++++++++++++++++++++-
policy/mls | 3
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/consoletype.te | 10 -
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9 -
policy/modules/admin/quota.te | 1
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 ++
policy/modules/admin/rpm.te | 37 +---
policy/modules/apps/java.fc | 2
policy/modules/kernel/corecommands.if | 17 +
policy/modules/kernel/corenetwork.if.in | 30 +++
policy/modules/kernel/corenetwork.te.in | 15 +
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 90 +++++++++-
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10 +
policy/modules/services/apache.te | 16 +
policy/modules/services/automount.te | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.if | 26 --
policy/modules/services/cron.te | 5
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 4
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 1
policy/modules/services/hal.fc | 4
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11 +
policy/modules/services/lpd.if | 52 +++--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nscd.if | 20 ++
policy/modules/services/nscd.te | 3
policy/modules/services/oddjob.te | 3
policy/modules/services/pegasus.if | 31 +++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13 +
policy/modules/services/procmail.te | 16 +
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 5
policy/modules/services/ssh.te | 3
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 +++++++
policy/modules/services/uucp.te | 44 ++++
policy/modules/services/xserver.if | 40 ++++
policy/modules/system/authlogin.if | 7
policy/modules/system/authlogin.te | 2
policy/modules/system/clock.te | 5
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 6
policy/modules/system/init.fc | 3
policy/modules/system/init.te | 14 +
policy/modules/system/iptables.te | 6
policy/modules/system/libraries.fc | 16 +
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 +++++
policy/modules/system/miscfiles.fc | 1
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 19 +-
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.if | 4
policy/modules/system/selinuxutil.te | 38 ++--
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 ++
policy/modules/system/unconfined.te | 11 +
policy/modules/system/userdomain.if | 280 +++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 10 +
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 +++
100 files changed, 1419 insertions(+), 205 deletions(-)
--- NEW FILE policy-20061106.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/doc/policy.dtd serefpolicy-2.4.5/doc/policy.dtd
--- nsaserefpolicy/doc/policy.dtd 2006-11-16 17:15:28.000000000 -0500
+++ serefpolicy-2.4.5/doc/policy.dtd 2006-11-21 11:11:32.000000000 -0500
@@ -11,14 +11,15 @@
<!ELEMENT required (#PCDATA)>
<!ATTLIST required
val (true|false) "false">
-<!ELEMENT tunable (desc)>
+<!ELEMENT tunable (category?, desc)>
<!ATTLIST tunable
name CDATA #REQUIRED
dftval CDATA #REQUIRED>
-<!ELEMENT bool (desc)>
+<!ELEMENT bool (category?, desc)>
<!ATTLIST bool
name CDATA #REQUIRED
dftval CDATA #REQUIRED>
+<!ELEMENT category (#PCDATA)>
<!ELEMENT summary (#PCDATA)>
<!ELEMENT interface (summary,desc?,param+,infoflow?,(rolebase|rolecap)?)>
<!ATTLIST interface name CDATA #REQUIRED lineno CDATA #REQUIRED>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.4.5/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-11-16 17:15:00.000000000 -0500
+++ serefpolicy-2.4.5/policy/flask/access_vectors 2006-11-17 09:19:51.000000000 -0500
@@ -619,6 +619,8 @@
send
recv
relabelto
+ flow_in
+ flow_out
}
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.4.5/policy/global_booleans
--- nsaserefpolicy/policy/global_booleans 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.4.5/policy/global_booleans 2006-11-21 11:37:37.000000000 -0500
@@ -5,6 +5,9 @@
#
ifdef(`strict_policy',`
+## <category>
+## all domains
+## </category>
## <desc>
## <p>
## Enabling secure mode disallows programs, such as
@@ -15,6 +18,9 @@
gen_bool(secure_mode,false)
')
+## <category>
+## all domains
+## </category>
## <desc>
## <p>
## Disable transitions to insmod.
@@ -22,6 +28,9 @@
## </desc>
gen_bool(secure_mode_insmod,false)
+## <category>
+## all domains
+## </category>
## <desc>
## <p>
## boolean to determine whether the system permits loading policy, setting
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.4.5/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.4.5/policy/global_tunables 2006-11-21 11:37:20.000000000 -0500
@@ -9,6 +9,9 @@
# Common tunables
#
+## <category>
+## cvs
+## </category>
## <desc>
## <p>
## Allow cvs daemon to read shadow
@@ -17,6 +20,9 @@
#
gen_tunable(allow_cvs_read_shadow,false)
+## <category>
+## zebra
+## </category>
## <desc>
## <p>
## Allow zebra daemon to write it configuration files
@@ -25,6 +31,9 @@
#
gen_tunable(allow_zebra_write_config,false)
+## <category>
+## memory
+## </category>
## <desc>
## <p>
## Allow making the heap executable.
@@ -32,6 +41,9 @@
## </desc>
gen_tunable(allow_execheap,false)
+## <category>
+## memory
+## </category>
## <desc>
## <p>
## Allow making anonymous memory executable, e.g.
@@ -40,6 +52,9 @@
## </desc>
gen_tunable(allow_execmem,false)
+## <category>
+## memory
+## </category>
## <desc>
## <p>
## Allow making a modified private file
@@ -48,6 +63,9 @@
## </desc>
gen_tunable(allow_execmod,false)
+## <category>
+## memory
+## </category>
## <desc>
## <p>
## Allow making the stack executable via mprotect.
@@ -56,6 +74,9 @@
## </desc>
gen_tunable(allow_execstack,false)
+## <category>
+## ftp
+## </category>
## <desc>
## <p>
## Allow ftp servers to modify public files
@@ -64,6 +85,9 @@
## </desc>
gen_tunable(allow_ftpd_anon_write,false)
+## <category>
+## ftp
+## </category>
## <desc>
## <p>
## Allow ftp servers to use cifs
@@ -72,6 +96,9 @@
## </desc>
gen_tunable(allow_ftpd_use_cifs,false)
+## <category>
+## ftp
+## </category>
## <desc>
## <p>
## Allow ftp servers to use nfs
@@ -80,6 +107,9 @@
## </desc>
gen_tunable(allow_ftpd_use_nfs,false)
+## <category>
+## nfs
+## </category>
## <desc>
## <p>
## Allow gssd to read temp directory.
@@ -87,6 +117,9 @@
## </desc>
gen_tunable(allow_gssd_read_tmp,true)
+## <category>
+## web server
+## </category>
## <desc>
## <p>
## Allow Apache to modify public files
@@ -95,6 +128,9 @@
## </desc>
gen_tunable(allow_httpd_anon_write,false)
+## <category>
+## web server
+## </category>
## <desc>
## <p>
## Allow Apache to use mod_auth_pam
@@ -102,6 +138,9 @@
## </desc>
gen_tunable(allow_httpd_mod_auth_pam,false)
+## <category>
+## memory
+## </category>
## <desc>
## <p>
## Allow java executable stack
[...3600 lines suppressed...]
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_staff_home_dirs',`
+ ifdef(`targeted_policy',`
+ userdom_relabel_generic_user_home_dirs($1)
+ ',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 staff_home_dir_t:dir relabelto;
+ ')
+')
+
+########################################
+## <summary>
+## allow relabel of staff home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_generic_user_home_dirs',`
+ gen_require(`
+ type staff_home_dir_t;
+ ')
+
+ files_search_home($1)
+ allow $1 user_home_dir_t:dir relabelto;
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.5/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.4.5/policy/modules/system/userdomain.te 2006-11-17 09:19:51.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
+# Executables to be run by user
+attribute user_exec_type;
+
# The privhome attribute identifies every domain that can create files under
# regular user home directories in the regular context (IE act on behalf of
# a user in writing regular files)
@@ -155,11 +158,15 @@
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
logging_read_generic_logs(secadm_t)
+ logging_read_audit_config(secadm_t)
userdom_dontaudit_append_staff_home_content_files(secadm_t)
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
optional_policy(`
netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
')
+ optional_policy(`
+ aide_run(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
+ ')
',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
@@ -428,6 +435,9 @@
')
optional_policy(`
+ nscd_role(sysadm_r)
+ ')
+ optional_policy(`
usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.fc serefpolicy-2.4.5/policy/modules/system/xen.fc
--- nsaserefpolicy/policy/modules/system/xen.fc 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.4.5/policy/modules/system/xen.fc 2006-11-17 09:19:51.000000000 -0500
@@ -8,6 +8,7 @@
/usr/sbin/xm -- gen_context(system_u:object_r:xm_exec_t,s0)
/var/lib/xen(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
+/var/lib/xen/images(/.*)? gen_context(system_u:object_r:xen_image_t,s0)
/var/lib/xend(/.*)? gen_context(system_u:object_r:xend_var_lib_t,s0)
/var/lib/xenstored(/.*)? gen_context(system_u:object_r:xenstored_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.4.5/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2006-11-16 17:15:24.000000000 -0500
+++ serefpolicy-2.4.5/policy/modules/system/xen.te 2006-11-21 10:44:40.000000000 -0500
@@ -86,8 +86,8 @@
allow xend_t self:tcp_socket create_stream_socket_perms;
allow xend_t self:packet_socket create_socket_perms;
-allow xend_t xen_image_t:dir r_dir_perms;
-allow xend_t xen_image_t:file rw_file_perms;
+allow xend_t xen_image_t:dir create_dir_perms;
+allow xend_t xen_image_t:file create_file_perms;
allow xend_t xen_image_t:blk_file rw_file_perms;
allow xend_t xenctl_t:fifo_file create_file_perms;
@@ -143,6 +143,7 @@
corenet_tcp_bind_generic_port(xend_t)
corenet_tcp_bind_vnc_port(xend_t)
corenet_tcp_connect_xserver_port(xend_t)
+corenet_tcp_connect_xen_port(xend_t)
corenet_sendrecv_xserver_client_packets(xend_t)
corenet_sendrecv_xen_server_packets(xend_t)
corenet_sendrecv_soundd_server_packets(xend_t)
@@ -152,6 +153,7 @@
dev_manage_xen(xend_t)
dev_filetrans_xen(xend_t)
dev_rw_sysfs(xend_t)
+dev_rw_xen(xend_t)
domain_read_all_domains_state(xend_t)
domain_dontaudit_read_all_domains_state(xend_t)
@@ -163,8 +165,13 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
+
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xend_t)
+ storage_raw_write_fixed_disk(xend_t)
+#')
-storage_raw_read_fixed_disk(xend_t)
storage_raw_read_removable_device(xend_t)
term_getattr_all_user_ptys(xend_t)
@@ -236,6 +243,10 @@
files_read_usr_files(xenconsoled_t)
+dev_manage_xen(xenconsoled_t)
+dev_filetrans_xen(xenconsoled_t)
+dev_rw_sysfs(xenconsoled_t)
+
term_create_pty(xenconsoled_t,xen_devpts_t);
term_use_generic_ptys(xenconsoled_t)
term_use_console(xenconsoled_t)
@@ -283,6 +294,12 @@
files_read_usr_files(xenstored_t)
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xenstored_t)
+ storage_raw_write_fixed_disk(xenstored_t)
+#')
+storage_raw_read_removable_device(xenstored_t)
+
term_use_generic_ptys(xenstored_t)
term_use_console(xenconsoled_t)
@@ -317,6 +334,11 @@
allow xm_t xen_image_t:dir rw_dir_perms;
allow xm_t xen_image_t:file r_file_perms;
+allow xm_t xen_image_t:blk_file r_file_perms;
+
+#tunable_policy(`xen_use_raw_disk',`
+ storage_raw_read_fixed_disk(xm_t)
+#')
kernel_read_system_state(xm_t)
kernel_read_kernel_sysctls(xm_t)
@@ -353,3 +375,10 @@
xen_append_log(xm_t)
xen_stream_connect(xm_t)
xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.4.5/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-11-16 17:15:29.000000000 -0500
+++ serefpolicy-2.4.5/Rules.modular 2006-11-17 09:19:51.000000000 -0500
@@ -219,6 +219,16 @@
########################################
#
+# Validate File Contexts
+#
+validatefc: $(base_pkg) $(base_fc)
+ @echo "Validating file context."
+ $(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
+ $(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
+ @echo "Success."
+
+########################################
+#
# Clean the sources
#
clean:
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/FC-5/selinux-policy.spec,v
retrieving revision 1.185
retrieving revision 1.186
diff -u -r1.185 -r1.186
--- selinux-policy.spec 22 Nov 2006 14:25:20 -0000 1.185
+++ selinux-policy.spec 22 Nov 2006 14:51:25 -0000 1.186
@@ -20,7 +20,7 @@
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
-patch: policy-20060822.patch
+patch: policy-20061106.patch
Source1: modules-targeted.conf
Source2: booleans-targeted.conf
Source3: Makefile.devel
- Previous message (by thread): rpms/ntp/devel ntp.spec, 1.59, 1.60 ntpd.init, 1.22, 1.23 ntpd.sysconfig, 1.6, 1.7
- Next message (by thread): rpms/grep/devel grep-mem-exhausted.patch, NONE, 1.1 grep.spec, 1.62, 1.63
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-cvs-commits
mailing list