
rpms/selinux-policy/devel policy-20060915.patch, 1.17, 1.18 selinux-policy.spec, 1.297, 1.298



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv27056

Modified Files:
	policy-20060915.patch selinux-policy.spec 
Log Message:
* Thu Sep 27 2006 Dan Walsh <dwalsh redhat com> 2.3.16-6
- Fix setrans handling on MLS and useradd


policy-20060915.patch:
 Rules.modular                                |   10 
 config/appconfig-strict-mcs/seusers          |    3 
 config/appconfig-strict-mls/initrc_context   |    2 
 config/appconfig-strict-mls/seusers          |    3 
 config/appconfig-strict/seusers              |    1 
 config/appconfig-targeted-mcs/seusers        |    3 
 config/appconfig-targeted-mls/initrc_context |    2 
 config/appconfig-targeted-mls/seusers        |    3 
 config/appconfig-targeted/seusers            |    1 
 policy/global_tunables                       |   15 +
 policy/mcs                                   |    6 
 policy/mls                                   |   36 +-
 policy/modules/admin/acct.te                 |    1 
 policy/modules/admin/amanda.te               |    2 
 policy/modules/admin/bootloader.fc           |    1 
 policy/modules/admin/bootloader.te           |    7 
 policy/modules/admin/consoletype.te          |    8 
 policy/modules/admin/dmesg.te                |    1 
 policy/modules/admin/netutils.te             |    2 
 policy/modules/admin/prelink.if              |    2 
 policy/modules/admin/readahead.te            |    1 
 policy/modules/admin/rpm.fc                  |    2 
 policy/modules/admin/rpm.if                  |   21 +
 policy/modules/admin/rpm.te                  |    5 
 policy/modules/admin/su.if                   |    2 
 policy/modules/admin/usermanage.te           |    5 
 policy/modules/apps/java.fc                  |    2 
 policy/modules/apps/java.te                  |    2 
 policy/modules/apps/mono.te                  |    3 
 policy/modules/apps/slocate.te               |    1 
 policy/modules/kernel/corecommands.if        |   14 
 policy/modules/kernel/corenetwork.te.in      |   13 
 policy/modules/kernel/devices.fc             |    8 
 policy/modules/kernel/devices.if             |   20 +
 policy/modules/kernel/files.fc               |   27 -
 policy/modules/kernel/files.if               |   20 +
 policy/modules/kernel/filesystem.if          |   22 +
 policy/modules/kernel/filesystem.te          |    1 
 policy/modules/kernel/kernel.te              |   25 -
 policy/modules/kernel/mcs.te                 |   18 -
 policy/modules/kernel/mls.te                 |   10 
 policy/modules/kernel/selinux.te             |    2 
 policy/modules/kernel/storage.fc             |   49 +--
 policy/modules/kernel/storage.if             |    1 
 policy/modules/kernel/terminal.fc            |    2 
 policy/modules/services/apache.fc            |    9 
 policy/modules/services/automount.te         |    4 
 policy/modules/services/ccs.fc               |    8 
 policy/modules/services/ccs.if               |   65 ++++
 policy/modules/services/ccs.te               |   87 ++++++
 policy/modules/services/cron.te              |   19 +
 policy/modules/services/cups.te              |    3 
 policy/modules/services/cvs.te               |    1 
 policy/modules/services/dbus.if              |    1 
 policy/modules/services/dovecot.te           |    2 
 policy/modules/services/hal.te               |    1 
 policy/modules/services/lpd.fc               |    9 
 policy/modules/services/mta.te               |    1 
 policy/modules/services/nscd.if              |   20 +
 policy/modules/services/nscd.te              |    3 
 policy/modules/services/oddjob.fc            |    8 
 policy/modules/services/oddjob.if            |   99 ++++++
 policy/modules/services/oddjob.te            |   86 +++++
 policy/modules/services/pegasus.if           |   31 ++
 policy/modules/services/pegasus.te           |    5 
 policy/modules/services/procmail.te          |    1 
 policy/modules/services/ricci.fc             |   20 +
 policy/modules/services/ricci.if             |  184 ++++++++++++
 policy/modules/services/ricci.te             |  388 +++++++++++++++++++++++++++
 policy/modules/services/rsync.te             |    1 
 policy/modules/services/sendmail.te          |    1 
 policy/modules/services/setroubleshoot.te    |    2 
 policy/modules/services/smartmon.te          |    3 
 policy/modules/services/spamassassin.te      |    4 
 policy/modules/services/ssh.te               |    2 
 policy/modules/services/xserver.te           |    2 
 policy/modules/system/authlogin.if           |    2 
 policy/modules/system/fstools.te             |    3 
 policy/modules/system/hostname.te            |    6 
 policy/modules/system/init.fc                |    3 
 policy/modules/system/init.te                |    6 
 policy/modules/system/iscsi.fc               |    7 
 policy/modules/system/iscsi.if               |   24 +
 policy/modules/system/iscsi.te               |   74 +++++
 policy/modules/system/libraries.fc           |    1 
 policy/modules/system/logging.fc             |    8 
 policy/modules/system/logging.te             |    4 
 policy/modules/system/mount.fc               |    1 
 policy/modules/system/mount.if               |    1 
 policy/modules/system/mount.te               |    1 
 policy/modules/system/raid.te                |    5 
 policy/modules/system/selinuxutil.fc         |    6 
 policy/modules/system/selinuxutil.te         |    1 
 policy/modules/system/setrans.fc             |    2 
 policy/modules/system/setrans.te             |    1 
 policy/modules/system/unconfined.if          |    1 
 policy/modules/system/unconfined.te          |    6 
 policy/modules/system/userdomain.fc          |    2 
 policy/modules/system/userdomain.if          |   68 ++++
 policy/modules/system/userdomain.te          |    6 
 policy/modules/system/xen.te                 |    1 
 policy/users                                 |   14 
 102 files changed, 1567 insertions(+), 142 deletions(-)

Index: policy-20060915.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060915.patch,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- policy-20060915.patch	27 Sep 2006 23:56:21 -0000	1.17
+++ policy-20060915.patch	28 Sep 2006 16:45:43 -0000	1.18
@@ -286,6 +286,34 @@
  ')
  
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-2.3.16/policy/modules/admin/rpm.if
+--- nsaserefpolicy/policy/modules/admin/rpm.if	2006-09-15 13:14:27.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/rpm.if	2006-09-28 07:58:06.000000000 -0400
+@@ -257,3 +257,24 @@
+ 	dontaudit $1 rpm_var_lib_t:file create_file_perms;
+ 	dontaudit $1 rpm_var_lib_t:lnk_file create_lnk_perms;
+ ')
++
++########################################
++## <summary>
++##	Send and receive messages from
++##	rpm over dbus.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`rpm_dbus_chat',`
++	gen_require(`
++		type rpm_t;
++		class dbus send_msg;
++	')
++
++	allow $1 rpm_t:dbus send_msg;
++	allow rpm_t $1:dbus send_msg;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.3.16/policy/modules/admin/rpm.te
 --- nsaserefpolicy/policy/modules/admin/rpm.te	2006-09-22 14:07:08.000000000 -0400
 +++ serefpolicy-2.3.16/policy/modules/admin/rpm.te	2006-09-27 16:13:07.000000000 -0400
@@ -322,7 +350,7 @@
  	')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.3.16/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-09-22 14:07:08.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/admin/usermanage.te	2006-09-27 17:08:00.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/admin/usermanage.te	2006-09-28 10:21:26.000000000 -0400
 @@ -379,6 +379,7 @@
  allow sysadm_passwd_t sysadm_passwd_tmp_t:file create_file_perms;
  files_tmp_filetrans(sysadm_passwd_t, sysadm_passwd_tmp_t, { file dir })
@@ -339,6 +367,23 @@
  ')
  
  ########################################
+@@ -473,6 +475,8 @@
+ selinux_compute_create_context(useradd_t)
+ selinux_compute_relabel_context(useradd_t)
+ selinux_compute_user_contexts(useradd_t)
++seutil_read_default_contexts(useradd_t)
++
+ # for getting the number of groups
+ kernel_read_kernel_sysctls(useradd_t)
+ 
+@@ -521,6 +525,7 @@
+ userdom_home_filetrans_generic_user_home_dir(useradd_t)
+ userdom_manage_generic_user_home_content_dirs(useradd_t)
+ userdom_manage_generic_user_home_content_files(useradd_t)
++userdom_manage_user_home_dirs(useradd_t)
+ userdom_manage_staff_home_dirs(useradd_t)
+ userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notdevfile_class_set)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.3.16/policy/modules/apps/java.fc
 --- nsaserefpolicy/policy/modules/apps/java.fc	2006-08-29 09:00:26.000000000 -0400
 +++ serefpolicy-2.3.16/policy/modules/apps/java.fc	2006-09-26 09:53:18.000000000 -0400
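Review bot: The added `userdom_manage_user_home_dirs(useradd_t)` appears redundant under targeted policy, because the very next line, `userdom_manage_staff_home_dirs(useradd_t)`, is rewritten later in this same patch so that its targeted branch calls `userdom_manage_user_home_dirs($1)`; only the non-targeted branch (which requires staff_home_dir_t instead) seems to leave user_home_dir_t uncovered. A short comment would keep a later cleanup from dropping the line as a duplicate, e.g. `# needed outside targeted policy; userdom_manage_staff_home_dirs covers it there`. The rest of the useradd_t block lies outside the hunk, so whether another rule already grants manage_dir_perms on user_home_dir_t cannot be confirmed here.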
@@ -363,6 +408,17 @@
  	unconfined_domain_noaudit(java_t)
  	role system_r types java_t;
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.3.16/policy/modules/apps/mono.te
+--- nsaserefpolicy/policy/modules/apps/mono.te	2006-09-22 14:07:03.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/apps/mono.te	2006-09-28 07:58:50.000000000 -0400
+@@ -44,4 +44,7 @@
+ 	optional_policy(`
+ 		unconfined_dbus_connect(mono_t)
+ 	')
++	optional_policy(`
++		rpm_dbus_chat(mono_t)
++	')
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/slocate.te serefpolicy-2.3.16/policy/modules/apps/slocate.te
 --- nsaserefpolicy/policy/modules/apps/slocate.te	2006-07-14 17:04:31.000000000 -0400
 +++ serefpolicy-2.3.16/policy/modules/apps/slocate.te	2006-09-26 09:53:18.000000000 -0400
@@ -773,7 +829,7 @@
  range_transition unconfined_t initrc_exec_t s0;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.3.16/policy/modules/kernel/mls.te
 --- nsaserefpolicy/policy/modules/kernel/mls.te	2006-09-22 09:35:44.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/kernel/mls.te	2006-09-27 16:41:31.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/kernel/mls.te	2006-09-28 09:43:38.000000000 -0400
 @@ -64,9 +64,9 @@
  type setrans_exec_t;
  
@@ -786,7 +842,7 @@
 +range_transition initrc_t auditd_exec_t s15:c0.c1023;
 +range_transition kernel_t init_exec_t s0 - s15:c0.c1023;
 +range_transition kernel_t lvm_exec_t s0 - s15:c0.c1023;
-+range_transition initrc_t setrans_exec_t s15:c0.c1023;
++#range_transition initrc_t setrans_exec_t s15:c0.c1023;
 +range_transition run_init_t initrc_exec_t s0 - s15:c0.c1023;
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-2.3.16/policy/modules/kernel/selinux.te
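Review bot: The setrans rule is commented out rather than removed (`#range_transition initrc_t setrans_exec_t s15:c0.c1023;`), leaving a disabled MLS range transition in the base policy with no explanation of why setrans must no longer be forced to s15:c0.c1023 when started from initrc_t. The diffstat shows setrans.te also changing in this commit, which is presumably where the replacement handling lives, but nothing in this hunk points there. Either delete the line or annotate it, e.g. `# disabled in 2.3.16-6: setrans range handling on MLS moved elsewhere`, so the next reader does not simply re-enable it. The enclosing mls.te block starts outside the hunk.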
@@ -917,7 +973,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-2.3.16/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2006-08-02 10:34:07.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/services/apache.fc	2006-09-26 09:53:18.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/apache.fc	2006-09-28 09:32:38.000000000 -0400
 @@ -80,3 +80,12 @@
  /var/www/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
  /var/www/icons(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -930,7 +986,7 @@
 +/opt/fortitude/modules(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 +/opt/fortitude/modules.local(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 +/opt/fortitude/logs(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
-+
++/opt/fortitude/run(/.*)?		gen_context(system_u:object_r:httpd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.16/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-09-22 14:07:05.000000000 -0400
 +++ serefpolicy-2.3.16/policy/modules/services/automount.te	2006-09-26 10:01:31.000000000 -0400
@@ -1290,6 +1346,19 @@
 +	role $1 types nscd_t;
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.3.16/policy/modules/services/nscd.te
+--- nsaserefpolicy/policy/modules/services/nscd.te	2006-09-25 15:11:11.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/services/nscd.te	2006-09-28 10:19:19.000000000 -0400
+@@ -120,6 +120,9 @@
+ 	term_dontaudit_use_unallocated_ttys(nscd_t)
+ 	term_dontaudit_use_generic_ptys(nscd_t)
+ 	files_dontaudit_read_root_files(nscd_t)
++',`
++	userdom_dontaudit_use_sysadm_ttys(nscd_t)
++	userdom_dontaudit_use_sysadm_ptys(nscd_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-2.3.16/policy/modules/services/oddjob.fc
 --- nsaserefpolicy/policy/modules/services/oddjob.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.3.16/policy/modules/services/oddjob.fc	2006-09-26 09:53:18.000000000 -0400
@@ -2505,7 +2574,7 @@
  /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.3.16/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2006-09-25 15:11:11.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/system/logging.te	2006-09-27 15:58:55.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/logging.te	2006-09-28 09:40:54.000000000 -0400
 @@ -18,6 +18,7 @@
  
  type auditd_log_t;
@@ -2514,7 +2583,16 @@
  
  type auditd_t;
  # real declaration moved to mls until
-@@ -163,6 +164,7 @@
+@@ -94,6 +95,8 @@
+ 
+ logging_send_syslog_msg(auditctl_t)
+ 
++selinux_search_fs(auditctl_t)
++
+ ifdef(`targeted_policy',`
+ 	term_use_generic_ptys(auditctl_t)
+ 	term_use_unallocated_ttys(auditctl_t)
+@@ -163,6 +166,7 @@
  mls_file_read_up(auditd_t)
  mls_file_write_down(auditd_t) # Need to be able to write to /var/run/ directory
  mls_rangetrans_target(auditd_t)
@@ -2555,8 +2633,15 @@
  type mount_loopback_t; # customizable
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-2.3.16/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/system/raid.te	2006-09-26 09:53:18.000000000 -0400
-@@ -29,11 +29,13 @@
++++ serefpolicy-2.3.16/policy/modules/system/raid.te	2006-09-28 12:22:13.000000000 -0400
+@@ -23,17 +23,22 @@
+ dontaudit mdadm_t self:capability sys_tty_config;
+ allow mdadm_t self:process { sigchld sigkill sigstop signull signal };
+ 
++allow mdadm_t mdadm_var_run_t:dir rw_dir_perms;
+ allow mdadm_t mdadm_var_run_t:file create_file_perms;
+ files_pid_filetrans(mdadm_t,mdadm_var_run_t,file)
+ 
  kernel_read_system_state(mdadm_t)
  kernel_read_kernel_sysctls(mdadm_t)
  kernel_rw_software_raid_state(mdadm_t)
@@ -2567,6 +2652,8 @@
  dev_dontaudit_getattr_all_blk_files(mdadm_t)
  dev_dontaudit_getattr_all_chr_files(mdadm_t)
 +dev_dontaudit_getattr_generic_files(mdadm_t)
++dev_dontaudit_getattr_generic_chr_files(mdadm_t)
++dev_dontaudit_getattr_generic_blk_files(mdadm_t)
  
  fs_search_auto_mountpoints(mdadm_t)
  fs_dontaudit_list_tmpfs(mdadm_t)
@@ -2666,8 +2753,22 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.3.16/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-09-25 15:11:11.000000000 -0400
-+++ serefpolicy-2.3.16/policy/modules/system/userdomain.if	2006-09-27 16:25:54.000000000 -0400
-@@ -5338,3 +5338,45 @@
++++ serefpolicy-2.3.16/policy/modules/system/userdomain.if	2006-09-28 09:56:24.000000000 -0400
+@@ -3896,12 +3896,7 @@
+ #
+ interface(`userdom_manage_staff_home_dirs',`
+ 	ifdef(`targeted_policy',`
+-		gen_require(`
+-			type user_home_dir_t;
+-		')
+-
+-		files_search_home($1)
+-		allow $1 user_home_dir_t:dir manage_dir_perms;
++		userdom_manage_user_home_dirs($1)
+ 	',`
+ 		gen_require(`
+ 			type staff_home_dir_t;
+@@ -5338,3 +5333,64 @@
  	allow $1 user_home_dir_t:dir create_dir_perms;
  	files_home_filetrans($1,user_home_dir_t,dir)
  ')
@@ -2713,6 +2814,25 @@
 +	can_exec($1, user_exec_type)
 +')
 +
++########################################
++## <summary>
++##	Create, read, write, and delete user
++##	home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_manage_user_home_dirs',`
++	gen_require(`
++		type user_home_dir_t;
++	')
++	files_search_home($1)
++	allow $1 user_home_dir_t:dir manage_dir_perms;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.3.16/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2006-09-25 15:11:11.000000000 -0400
 +++ serefpolicy-2.3.16/policy/modules/system/userdomain.te	2006-09-27 14:48:29.000000000 -0400
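Review bot: In the new `userdom_manage_user_home_dirs` interface the `gen_require` block runs straight into `files_search_home($1)` with no blank line, unlike every other interface in this patch (compare the rpm_dbus_chat hunk, and the inline code this interface replaces in the userdom_manage_staff_home_dirs hunk, which both separate the require block from the rules). Insert a blank line after the closing `	')` of gen_require so the interface matches the surrounding style. Note also that this interface hands out manage_dir_perms on user_home_dir_t, i.e. creation and deletion of users' home directories themselves; the summary says so, which is good, and callers should be limited accordingly.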
@@ -2736,6 +2856,17 @@
  		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
  		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
  		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.16/policy/modules/system/xen.te
+--- nsaserefpolicy/policy/modules/system/xen.te	2006-09-22 14:07:07.000000000 -0400
++++ serefpolicy-2.3.16/policy/modules/system/xen.te	2006-09-28 12:06:41.000000000 -0400
+@@ -132,6 +132,7 @@
+ corenet_tcp_bind_soundd_port(xend_t)
+ corenet_tcp_bind_generic_port(xend_t)
+ corenet_tcp_bind_vnc_port(xend_t)
++corenet_tcp_connect_xserver_port(xend_t)
+ corenet_sendrecv_xen_server_packets(xend_t)
+ corenet_sendrecv_soundd_server_packets(xend_t)
+ corenet_rw_tun_tap_dev(xend_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.3.16/policy/users
 --- nsaserefpolicy/policy/users	2006-07-14 17:04:46.000000000 -0400
 +++ serefpolicy-2.3.16/policy/users	2006-09-26 09:53:18.000000000 -0400
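Review bot: `corenet_tcp_connect_xserver_port(xend_t)` lets the xend daemon open outbound TCP connections to the X server port with no comment on which part of xen needs it, whereas the neighbouring lines are bind rules for xend's own services, so the asymmetry is worth a word for the next reader. A one-line why-comment such as `# xend connects to an X server port (TODO: record which xen component does this)` would do; if the need is limited to a local display, that could be stated too. The surrounding xend_t rules continue outside the hunk.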


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.297
retrieving revision 1.298
diff -u -r1.297 -r1.298
--- selinux-policy.spec	27 Sep 2006 23:56:21 -0000	1.297
+++ selinux-policy.spec	28 Sep 2006 16:45:43 -0000	1.298
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.3.16
-Release: 5
+Release: 6
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -349,6 +349,9 @@
 %endif
 
 %changelog
+* Thu Sep 27 2006 Dan Walsh <dwalsh redhat com> 2.3.16-6
+- Fix setrans handling on MLS and useradd
+
 * Wed Sep 27 2006 Dan Walsh <dwalsh redhat com> 2.3.16-5
 - Support for fuse
 - fix vigr

