rpms/selinux-policy/devel policy-20070219.patch,NONE,1.1

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Feb 20 17:53:58 UTC 2007


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv13469

Added Files:
	policy-20070219.patch 
Log Message:
* Thu Feb 15 2007 Dan Walsh <dwalsh at redhat.com> 2.5.3-3
- Add sepolgen support
- Add bugzilla policy


policy-20070219.patch:
 Rules.modular                             |   10 
 man/man8/kerberos_selinux.8               |    2 
 policy/flask/access_vectors               |    4 
 policy/global_booleans                    |    2 
 policy/global_tunables                    |  147 +++++---
 policy/mls                                |   31 +
 policy/modules/admin/acct.te              |    2 
 policy/modules/admin/consoletype.te       |    8 
 policy/modules/admin/dmesg.te             |    1 
 policy/modules/admin/kudzu.te             |    3 
 policy/modules/admin/netutils.te          |    1 
 policy/modules/admin/prelink.te           |    1 
 policy/modules/admin/quota.te             |    1 
 policy/modules/admin/rpm.fc               |    3 
 policy/modules/admin/rpm.if               |   44 ++
 policy/modules/admin/rpm.te               |    5 
 policy/modules/admin/su.if                |    6 
 policy/modules/admin/sudo.if              |    5 
 policy/modules/admin/usermanage.te        |   14 
 policy/modules/apps/games.fc              |    4 
 policy/modules/apps/gnome.if              |   25 +
 policy/modules/apps/gpg.fc                |    2 
 policy/modules/apps/gpg.if                |    1 
 policy/modules/apps/loadkeys.if           |   44 --
 policy/modules/apps/mozilla.if            |    1 
 policy/modules/apps/slocate.te            |    2 
 policy/modules/apps/wine.fc               |    1 
 policy/modules/kernel/corecommands.fc     |    4 
 policy/modules/kernel/corecommands.if     |   52 ++
 policy/modules/kernel/corenetwork.if.in   |   12 
 policy/modules/kernel/corenetwork.te.in   |   15 
 policy/modules/kernel/corenetwork.te.m4   |    4 
 policy/modules/kernel/devices.fc          |    2 
 policy/modules/kernel/devices.if          |   18 
 policy/modules/kernel/domain.if           |   18 
 policy/modules/kernel/domain.te           |   22 +
 policy/modules/kernel/files.if            |   54 ++
 policy/modules/kernel/filesystem.if       |   20 +
 policy/modules/kernel/kernel.if           |    3 
 policy/modules/kernel/kernel.te           |    2 
 policy/modules/kernel/mls.if              |   20 +
 policy/modules/kernel/mls.te              |    3 
 policy/modules/kernel/storage.fc          |    1 
 policy/modules/kernel/storage.if          |    2 
 policy/modules/kernel/terminal.if         |   20 +
 policy/modules/kernel/terminal.te         |    5 
 policy/modules/services/apache.fc         |   20 -
 policy/modules/services/apache.if         |  158 ++++++++
 policy/modules/services/apache.te         |   18 
 policy/modules/services/apm.te            |    1 
 policy/modules/services/automount.te      |    1 
 policy/modules/services/bluetooth.te      |    3 
 policy/modules/services/ccs.te            |    1 
 policy/modules/services/clamav.te         |    2 
 policy/modules/services/cron.fc           |    1 
 policy/modules/services/cron.if           |   33 -
 policy/modules/services/cron.te           |   42 ++
 policy/modules/services/cups.te           |    3 
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/dbus.if           |   58 +++
 policy/modules/services/dhcp.te           |    2 
 policy/modules/services/ftp.te            |    7 
 policy/modules/services/hal.fc            |    2 
 policy/modules/services/hal.te            |   18 
 policy/modules/services/inetd.te          |    5 
 policy/modules/services/kerberos.if       |    4 
 policy/modules/services/kerberos.te       |    4 
 policy/modules/services/mta.te            |    2 
 policy/modules/services/networkmanager.fc |    3 
 policy/modules/services/nis.if            |    3 
 policy/modules/services/nis.te            |   23 +
 policy/modules/services/nscd.if           |   20 +
 policy/modules/services/nscd.te           |    4 
 policy/modules/services/pegasus.if        |   27 +
 policy/modules/services/pegasus.te        |    5 
 policy/modules/services/postfix.fc        |    1 
 policy/modules/services/postfix.te        |    4 
 policy/modules/services/procmail.te       |   13 
 policy/modules/services/pyzor.if          |   22 +
 policy/modules/services/pyzor.te          |    7 
 policy/modules/services/ricci.te          |   10 
 policy/modules/services/rpc.te            |   26 +
 policy/modules/services/rsync.te          |    1 
 policy/modules/services/samba.te          |    2 
 policy/modules/services/setroubleshoot.te |    2 
 policy/modules/services/smartmon.te       |    1 
 policy/modules/services/spamassassin.fc   |    1 
 policy/modules/services/spamassassin.if   |   41 ++
 policy/modules/services/spamassassin.te   |   15 
 policy/modules/services/squid.fc          |    1 
 policy/modules/services/squid.if          |    2 
 policy/modules/services/squid.te          |   12 
 policy/modules/services/ssh.fc            |    2 
 policy/modules/services/ssh.if            |   39 ++
 policy/modules/services/ssh.te            |    5 
 policy/modules/services/uucp.te           |    1 
 policy/modules/services/xserver.if        |    2 
 policy/modules/system/authlogin.if        |   87 +++-
 policy/modules/system/authlogin.te        |    3 
 policy/modules/system/fstools.fc          |    1 
 policy/modules/system/fstools.te          |    1 
 policy/modules/system/getty.te            |    3 
 policy/modules/system/hostname.te         |   14 
 policy/modules/system/init.if             |   62 +++
 policy/modules/system/init.te             |   27 +
 policy/modules/system/ipsec.if            |  100 +++++
 policy/modules/system/iptables.te         |   20 -
 policy/modules/system/libraries.fc        |    4 
 policy/modules/system/locallogin.te       |    6 
 policy/modules/system/logging.te          |   11 
 policy/modules/system/lvm.if              |   23 +
 policy/modules/system/lvm.te              |   32 +
 policy/modules/system/miscfiles.fc        |    2 
 policy/modules/system/miscfiles.if        |   31 -
 policy/modules/system/modutils.te         |    3 
 policy/modules/system/mount.te            |   10 
 policy/modules/system/raid.te             |    4 
 policy/modules/system/selinuxutil.fc      |    2 
 policy/modules/system/selinuxutil.if      |  115 ++++++
 policy/modules/system/selinuxutil.te      |  151 ++------
 policy/modules/system/unconfined.fc       |    3 
 policy/modules/system/unconfined.if       |    1 
 policy/modules/system/unconfined.te       |   22 -
 policy/modules/system/userdomain.if       |  550 +++++++++++++++++++-----------
 policy/modules/system/userdomain.te       |   37 +-
 policy/modules/system/xen.te              |   26 +
 policy/support/obj_perm_sets.spt          |    2 
 127 files changed, 2130 insertions(+), 551 deletions(-)

--- NEW FILE policy-20070219.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/kerberos_selinux.8 serefpolicy-2.5.4/man/man8/kerberos_selinux.8
--- nsaserefpolicy/man/man8/kerberos_selinux.8	2007-02-19 11:32:55.000000000 -0500
+++ serefpolicy-2.5.4/man/man8/kerberos_selinux.8	2007-02-19 15:56:02.000000000 -0500
@@ -23,7 +23,7 @@
 .EX
 setsebool -P krb5kdc_disable_trans 1
 service krb5kdc restart
-setsebool -P kadmind_disable_trans booleans 1
+setsebool -P kadmind_disable_trans 1
 service kadmind restart
 .EE
 .PP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-2.5.4/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors	2006-11-16 17:15:00.000000000 -0500
+++ serefpolicy-2.5.4/policy/flask/access_vectors	2007-02-19 15:56:02.000000000 -0500
@@ -594,6 +594,8 @@
 	shmempwd
 	shmemgrp
 	shmemhost
+	getserv
+	shmemserv
 }
 
 # Define the access vector interpretation for controlling
@@ -619,6 +621,8 @@
 	send
 	recv
 	relabelto
+	flow_in
+	flow_out
 }
 
 class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans serefpolicy-2.5.4/policy/global_booleans
--- nsaserefpolicy/policy/global_booleans	2006-11-16 17:15:26.000000000 -0500
+++ serefpolicy-2.5.4/policy/global_booleans	2007-02-19 15:56:02.000000000 -0500
@@ -4,7 +4,6 @@
 # file should be used.
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Enabling secure mode disallows programs, such as
@@ -13,7 +12,6 @@
 ## </p>
 ## </desc>
 gen_bool(secure_mode,false)
-')
 
 ## <desc>
 ## <p>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.5.4/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2007-02-19 11:32:54.000000000 -0500
+++ serefpolicy-2.5.4/policy/global_tunables	2007-02-19 15:56:02.000000000 -0500
@@ -66,14 +66,6 @@
 
 ## <desc>
 ## <p>
-## Allow ftp servers to login to local users and 
-## read/write all files on the system, governed by DAC.
-## </p>
-## </desc>
-gen_tunable(allow_ftpd_full_access,false)
-
-## <desc>
-## <p>
 ## Allow ftp servers to use cifs
 ## used for public file transfer services.
 ## </p>
@@ -90,6 +82,14 @@
 
 ## <desc>
 ## <p>
+## Allow ftp servers to login to local users and 
+## read/write all files on the system, governed by DAC.
+## </p>
+## </desc>
+gen_tunable(allow_ftpd_full_access,false)
+
+## <desc>
+## <p>
 ## Allow gssd to read temp directory.
 ## </p>
 ## </desc>
@@ -336,13 +336,6 @@
 
 ## <desc>
 ## <p>
-## Allow ssh logins as sysadm_r:sysadm_t
-## </p>
-## </desc>
-gen_tunable(ssh_sysadm_login,false)
-
-## <desc>
-## <p>
 ## Configure stunnel to be a standalone daemon or
 ## inetd service.
 ## </p>
@@ -365,17 +358,16 @@
 
 ## <desc>
 ## <p>
-## Allow xdm logins as sysadm
+## Allow users to read system messages.
 ## </p>
 ## </desc>
-gen_tunable(xdm_sysadm_login,false)
+gen_tunable(user_dmesg,false)
 
 ########################################
 #
 # Strict policy specific
 #
 
-ifdef(`strict_policy',`
 ## <desc>
 ## <p>
 ## Control users use of ping and traceroute
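Review bot: Dropping the `ifdef(`strict_policy',`` opener here leaves the `# Strict policy specific` heading directly above it describing a section that is no longer conditional, and the matching `')` closer is not in this hunk, so confirm it is removed in the suppressed part of the patch or m4 will fail on an unbalanced quote. Rewording the heading to `# Tunables formerly restricted to strict policy (now unconditional)` would keep the comment truthful for the next reader. The same opener is removed for secure_mode in global_booleans, where the closer is visibly removed too.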
@@ -385,6 +377,45 @@
 
 ## <desc>
 ## <p>
+## Allow regular users direct mouse access 
+## </p>
+## </desc>
+gen_tunable(user_direct_mouse,false)
+
+## <desc>
+## <p>
+## Allow users to control network interfaces
+## (also needs USERCTL=true)
+## </p>
+## </desc>
+gen_tunable(user_net_control,false)
+
+## <desc>
+## <p>
+## Allow user to r/w files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_rw_noexattrfile,false)
+
+## <desc>
+## <p>
+## Allow users to run TCP servers (bind to ports and accept connection from
+## the same domain and outside users)  disabling this forces FTP passive mode
+## and may change other protocols.
+## </p>
+## </desc>
+gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow w to display everyone
+## </p>
+## </desc>
+gen_tunable(user_ttyfile_stat,false)
+
+## <desc>
+## <p>
 ## Allow gpg executable stack
 ## </p>
 ## </desc>
@@ -520,6 +551,13 @@
 
 ## <desc>
 ## <p>
+## Allow ssh logins as sysadm_r:sysadm_t
+## </p>
+## </desc>
+gen_tunable(ssh_sysadm_login,false)
+
+## <desc>
+## <p>
 ## Allow staff_r users to search the sysadm home 
 ## dir and read files (such as ~/.bashrc)
 ## </p>
@@ -528,91 +566,96 @@
 
 ## <desc>
 ## <p>
-## Use lpd server instead of cups
+## Allow applications to write untrusted content
+## If this is disallowed, no Internet content
+## will be stored.
 ## </p>
 ## </desc>
-gen_tunable(use_lpd_server,false)
+gen_tunable(write_untrusted_content,false)
 
 ## <desc>
 ## <p>
-## Allow regular users direct mouse access 
+## Allow xdm logins as sysadm
 ## </p>
 ## </desc>
-gen_tunable(user_direct_mouse,false)
[...5027 lines suppressed...]
+		attribute user_exec_type;
+	')
+
+	allow $1 user_exec_type:file getattr;
+')
+
+########################################
+## <summary>
+##	dontaudit getattr all user file type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_list_user_files',`
+	gen_require(`
+		attribute $1_file_type;
+	')
+
+	dontaudit $2 $1_file_type:dir search_dir_perms;
+	dontaudit $2 $1_file_type:file getattr;
+')
+
+
+
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.5.4/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te	2007-02-19 11:32:53.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/system/userdomain.te	2007-02-19 15:56:03.000000000 -0500
@@ -24,6 +24,9 @@
 # users home directory contents
 attribute home_type;
 
+# Executables to be run by user
+attribute user_exec_type;
+
 # The privhome attribute identifies every domain that can create files under
 # regular user home directories in the regular context (IE act on behalf of
 # a user in writing regular files)
@@ -56,10 +59,10 @@
 # Local policy
 #
 
+userdom_unpriv_user_template(user)
 ifdef(`strict_policy',`
 	userdom_admin_user_template(sysadm)
 	userdom_unpriv_user_template(staff)
-	userdom_unpriv_user_template(user)
 
 	# user role change rules:
 	# sysadm_r can change to user roles
@@ -396,9 +399,12 @@
 		seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
 
 		ifdef(`enable_mls',`
-			userdom_security_admin_template(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+			userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
+#			tunable_policy(`allow_sysadm_manage_security',`
+				userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
+#			')
 		', `
-			userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
+			userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
 		')
 	')
 
@@ -423,6 +429,9 @@
 	')
 
 	optional_policy(`
+		nscd_role(sysadm_r)
+	')
+	optional_policy(`
 		usermanage_run_admin_passwd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_groupadd(sysadm_t,sysadm_r,admin_terminal)
 		usermanage_run_useradd(sysadm_t,sysadm_r,admin_terminal)
@@ -449,15 +458,15 @@
 	unconfined_alias_domain(sysadm_t)
 
 	# User home directory type.
-	type user_home_t alias { staff_home_t sysadm_home_t }, home_type, user_home_type;
-	files_type(user_home_t)
-	files_associate_tmp(user_home_t)
-	fs_associate_tmpfs(user_home_t)
-
-	type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t }, home_dir_type, home_type, user_home_dir_type;
-	files_type(user_home_dir_t)
-	files_associate_tmp(user_home_dir_t)
-	fs_associate_tmpfs(user_home_dir_t)
+	typealias user_home_t alias { staff_home_t sysadm_home_t };
+#	files_type(user_home_t)
+#	files_associate_tmp(user_home_t)
+#	fs_associate_tmpfs(user_home_t)
+
+	typealias user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t };
+#	files_type(user_home_dir_t)
+#	files_associate_tmp(user_home_dir_t)
+#	fs_associate_tmpfs(user_home_dir_t)
 
 	# compatibility for switching from strict
 #	dominance { role secadm_r { role system_r; }}
@@ -493,4 +502,8 @@
 	optional_policy(`
 		samba_per_role_template(user)
 	')
+
+	optional_policy(`
+		ssh_per_role_template(user, user_t, user_r)
+	')
 ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.5.4/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te	2007-01-02 12:57:49.000000000 -0500
+++ serefpolicy-2.5.4/policy/modules/system/xen.te	2007-02-19 15:56:03.000000000 -0500
@@ -166,8 +166,13 @@
 files_manage_etc_runtime_files(xend_t)
 files_etc_filetrans_etc_runtime(xend_t,file)
 files_read_usr_files(xend_t)
+files_read_default_symlinks(xend_t)
+
+#tunable_policy(`xen_use_raw_disk',`
+	storage_raw_read_fixed_disk(xend_t)
+	storage_raw_write_fixed_disk(xend_t)
+#')
 
-storage_raw_read_fixed_disk(xend_t)
 storage_raw_read_removable_device(xend_t)
 
 term_getattr_all_user_ptys(xend_t)
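Review bot: The commented-out `#tunable_policy(`xen_use_raw_disk',`` wrapper leaves `storage_raw_write_fixed_disk(xend_t)` unconditional, so xend_t gains raw write access to fixed disks with no boolean to turn it off; the two following hunks grant raw read/write to xenstored_t and raw read to xm_t the same way, and the final hunk's `#Should have a boolean wrapping these` comment concedes the same for the NFS and mnt rules. Either declare `xen_use_raw_disk` in global_tunables and uncomment the wrappers, or remove the comment lines so the policy reads as the unconditional grant it actually is. Raw block-device write from a daemon domain is the kind of privilege that should be switchable, so the tunable is the better option.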
@@ -288,6 +293,12 @@
 
 files_read_usr_files(xenstored_t)
 
+#tunable_policy(`xen_use_raw_disk',`
+	storage_raw_read_fixed_disk(xenstored_t)
+	storage_raw_write_fixed_disk(xenstored_t)
+#')
+storage_raw_read_removable_device(xenstored_t)
+
 term_use_generic_ptys(xenstored_t)
 term_use_console(xenconsoled_t)
 
@@ -321,6 +332,11 @@
 
 allow xm_t xen_image_t:dir rw_dir_perms;
 allow xm_t xen_image_t:file read_file_perms;
+allow xm_t xen_image_t:blk_file r_file_perms;
+
+#tunable_policy(`xen_use_raw_disk',`
+	storage_raw_read_fixed_disk(xm_t)
+#')
 
 kernel_read_system_state(xm_t)
 kernel_read_kernel_sysctls(xm_t)
@@ -357,3 +373,11 @@
 xen_append_log(xm_t)
 xen_stream_connect(xm_t)
 xen_stream_connect_xenstore(xm_t)
+
+#Should have a boolean wrapping these
+fs_list_auto_mountpoints(xend_t)
+files_search_mnt(xend_t)
+fs_write_nfs_files(xend_t)
+fs_read_nfs_files(xend_t)
+
+fs_read_dos_files(xend_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-2.5.4/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-01-02 12:57:51.000000000 -0500
+++ serefpolicy-2.5.4/policy/support/obj_perm_sets.spt	2007-02-19 15:56:03.000000000 -0500
@@ -215,7 +215,7 @@
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
 define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
 define(`append_file_perms',`{ getattr append lock ioctl }')
 define(`write_file_perms',`{ getattr write append lock ioctl }')
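Review bot: Adding `ioctl` to `mmap_file_perms` widens every use of this permission set across the policy, not only the domain that needed it, and nothing in the patch records why. A short comment on the changed line, e.g. `# ioctl added for <domain needing it — fill in>; affects every mmap_file_perms user`, would make the widening traceable when the set is audited later.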
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-2.5.4/Rules.modular
--- nsaserefpolicy/Rules.modular	2006-11-16 17:15:29.000000000 -0500
+++ serefpolicy-2.5.4/Rules.modular	2007-02-19 15:56:03.000000000 -0500
@@ -219,6 +219,16 @@
 
 ########################################
 #
+# Validate File Contexts
+#
+validatefc: $(base_pkg) $(base_fc) 
+	@echo "Validating file context."
+	$(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
+	$(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
+	@echo "Success."
+
+########################################
+#
 # Clean the sources
 #
 clean:
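Review bot: `validatefc` is a command target rather than a file, but it is not declared `.PHONY` in this hunk; if the file's `.PHONY` list is out of view, add `validatefc` to it so a stray file of that name cannot make the check silently succeed. The rule header also carries a trailing space after `$(base_fc)`, and the expanded policy goes to the fixed path `$(tmpdir)/policy.tmp`, which the recipe never removes and which would collide with any other rule using that name under `make -j`; a target-derived name such as `$(tmpdir)/$@.policy.tmp` followed by `$(RM) $(tmpdir)/$@.policy.tmp` after the setfiles check avoids both problems. Whether `clean` already clears `$(tmpdir)` cannot be seen from this hunk.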



