rpms/selinux-policy/devel policy-20070219.patch, 1.31, 1.32 selinux-policy.spec, 1.419, 1.420

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Mar 23 15:42:52 UTC 2007


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv11463

Modified Files:
	policy-20070219.patch selinux-policy.spec 
Log Message:
* Fri Mar 23 2007 Dan Walsh <dwalsh at redhat.com> 2.5.10-2
- Allow samba to run groupadd


policy-20070219.patch:
 Rules.modular                             |   16 +
 Rules.monolithic                          |    2 
 man/man8/ftpd_selinux.8                   |    6 
 man/man8/httpd_selinux.8                  |   17 --
 man/man8/kerberos_selinux.8               |    9 -
 man/man8/named_selinux.8                  |    8 
 man/man8/nfs_selinux.8                    |    2 
 man/man8/rsync_selinux.8                  |    8 
 man/man8/samba_selinux.8                  |   12 -
 man/man8/ypbind_selinux.8                 |    2 
 policy/flask/access_vectors               |    4 
 policy/global_booleans                    |    2 
 policy/global_tunables                    |   92 ++++++++++-
 policy/mls                                |   31 ++-
 policy/modules/admin/acct.te              |    1 
 policy/modules/admin/amtu.fc              |    3 
 policy/modules/admin/amtu.if              |   53 ++++++
 policy/modules/admin/amtu.te              |   56 ++++++
 policy/modules/admin/consoletype.te       |    8 
 policy/modules/admin/dmesg.te             |    1 
 policy/modules/admin/firstboot.if         |   18 ++
 policy/modules/admin/kudzu.te             |    2 
 policy/modules/admin/logwatch.te          |    2 
 policy/modules/admin/netutils.te          |    3 
 policy/modules/admin/rpm.fc               |    3 
 policy/modules/admin/rpm.if               |   65 +++++++
 policy/modules/admin/rpm.te               |    2 
 policy/modules/admin/su.if                |    6 
 policy/modules/admin/sudo.te              |    5 
 policy/modules/admin/usermanage.te        |   40 +++-
 policy/modules/apps/games.fc              |    1 
 policy/modules/apps/gnome.if              |   26 +++
 policy/modules/apps/gpg.fc                |    2 
 policy/modules/apps/loadkeys.if           |   44 +----
 policy/modules/apps/mozilla.if            |    1 
 policy/modules/kernel/corecommands.fc     |    2 
 policy/modules/kernel/corecommands.if     |   59 ++++---
 policy/modules/kernel/corenetwork.if.in   |   54 ++++++
 policy/modules/kernel/corenetwork.te.in   |   15 +
 policy/modules/kernel/devices.if          |   36 ++++
 policy/modules/kernel/domain.if           |   18 ++
 policy/modules/kernel/domain.te           |   23 ++
 policy/modules/kernel/files.if            |   81 ++++++++-
 policy/modules/kernel/filesystem.if       |   39 ++++
 policy/modules/kernel/filesystem.te       |    5 
 policy/modules/kernel/kernel.if           |   23 ++
 policy/modules/kernel/kernel.te           |    2 
 policy/modules/kernel/mls.if              |   20 ++
 policy/modules/kernel/mls.te              |    3 
 policy/modules/kernel/selinux.if          |   38 ++++
 policy/modules/kernel/storage.fc          |    3 
 policy/modules/kernel/storage.if          |    2 
 policy/modules/kernel/terminal.if         |    2 
 policy/modules/kernel/terminal.te         |    1 
 policy/modules/services/apache.fc         |   17 +-
 policy/modules/services/apache.if         |  159 +++++++++++++++++++
 policy/modules/services/apache.te         |   60 ++++++-
 policy/modules/services/apm.te            |    4 
 policy/modules/services/automount.te      |    2 
 policy/modules/services/ccs.te            |   12 +
 policy/modules/services/consolekit.fc     |    1 
 policy/modules/services/consolekit.te     |   26 ++-
 policy/modules/services/cpucontrol.te     |    1 
 policy/modules/services/cron.fc           |    1 
 policy/modules/services/cron.if           |   33 +--
 policy/modules/services/cron.te           |   45 ++++-
 policy/modules/services/cvs.te            |    1 
 policy/modules/services/cyrus.te          |    5 
 policy/modules/services/dbus.if           |   57 ++++++
 policy/modules/services/dhcp.te           |    2 
 policy/modules/services/djbdns.te         |    5 
 policy/modules/services/dovecot.te        |    7 
 policy/modules/services/ftp.te            |    5 
 policy/modules/services/hal.fc            |    6 
 policy/modules/services/hal.te            |   99 +++++++++++
 policy/modules/services/howl.te           |    2 
 policy/modules/services/inetd.if          |   29 ---
 policy/modules/services/inetd.te          |   12 +
 policy/modules/services/inn.te            |    7 
 policy/modules/services/ircd.te           |    7 
 policy/modules/services/irqbalance.te     |    7 
 policy/modules/services/jabber.te         |    7 
 policy/modules/services/kerberos.if       |   21 ++
 policy/modules/services/kerberos.te       |   14 +
 policy/modules/services/ldap.te           |    7 
 policy/modules/services/mta.te            |    2 
 policy/modules/services/networkmanager.te |    2 
 policy/modules/services/nis.if            |    4 
 policy/modules/services/ntp.te            |    1 
 policy/modules/services/pegasus.if        |   18 ++
 policy/modules/services/pegasus.te        |    9 -
 policy/modules/services/postfix.te        |    2 
 policy/modules/services/ppp.te            |   17 --
 policy/modules/services/procmail.te       |    1 
 policy/modules/services/pyzor.te          |    1 
 policy/modules/services/radius.te         |    4 
 policy/modules/services/rpc.if            |   10 +
 policy/modules/services/rpc.te            |    3 
 policy/modules/services/rsync.te          |    1 
 policy/modules/services/samba.if          |   44 +++++
 policy/modules/services/samba.te          |   24 ++
 policy/modules/services/sasl.te           |   11 +
 policy/modules/services/smartmon.te       |    5 
 policy/modules/services/spamassassin.te   |    5 
 policy/modules/services/squid.fc          |    2 
 policy/modules/services/squid.if          |   22 ++
 policy/modules/services/squid.te          |   12 +
 policy/modules/services/ssh.if            |   39 ++++
 policy/modules/services/ssh.te            |    5 
 policy/modules/services/zabbix.fc         |    4 
 policy/modules/services/zabbix.if         |   87 ++++++++++
 policy/modules/services/zabbix.te         |   64 +++++++
 policy/modules/system/application.fc      |    1 
 policy/modules/system/application.if      |  106 ++++++++++++
 policy/modules/system/application.te      |   14 +
 policy/modules/system/authlogin.if        |   83 ++++++++--
 policy/modules/system/authlogin.te        |    3 
 policy/modules/system/fstools.fc          |    1 
 policy/modules/system/fstools.te          |    1 
 policy/modules/system/fusermount.fc       |    6 
 policy/modules/system/fusermount.if       |   41 ++++
 policy/modules/system/fusermount.te       |   44 +++++
 policy/modules/system/getty.te            |    3 
 policy/modules/system/hostname.te         |   14 +
 policy/modules/system/init.if             |   22 --
 policy/modules/system/init.te             |   26 ++-
 policy/modules/system/ipsec.if            |  100 ++++++++++++
 policy/modules/system/ipsec.te            |    3 
 policy/modules/system/iptables.te         |    9 -
 policy/modules/system/libraries.fc        |    6 
 policy/modules/system/libraries.te        |   20 ++
 policy/modules/system/locallogin.te       |   10 +
 policy/modules/system/logging.if          |   21 ++
 policy/modules/system/logging.te          |    1 
 policy/modules/system/lvm.te              |    5 
 policy/modules/system/modutils.te         |    7 
 policy/modules/system/mount.fc            |    3 
 policy/modules/system/mount.if            |   37 ++++
 policy/modules/system/mount.te            |   51 +++++-
 policy/modules/system/netlabel.te         |    3 
 policy/modules/system/pcmcia.te           |    6 
 policy/modules/system/raid.te             |    4 
 policy/modules/system/selinuxutil.fc      |    1 
 policy/modules/system/selinuxutil.if      |    7 
 policy/modules/system/selinuxutil.te      |   70 +++-----
 policy/modules/system/udev.fc             |    2 
 policy/modules/system/udev.te             |    6 
 policy/modules/system/unconfined.fc       |    1 
 policy/modules/system/unconfined.te       |   15 +
 policy/modules/system/userdomain.if       |  248 ++++++++++++++++--------------
 policy/modules/system/userdomain.te       |   44 ++++-
 policy/modules/system/xen.te              |   28 +++
 policy/support/obj_perm_sets.spt          |    2 
 153 files changed, 2612 insertions(+), 502 deletions(-)

Index: policy-20070219.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070219.patch,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- policy-20070219.patch	23 Mar 2007 14:32:31 -0000	1.31
+++ policy-20070219.patch	23 Mar 2007 15:42:50 -0000	1.32
@@ -605,6 +605,18 @@
 +
 +	dontaudit $1 firstboot_t:fifo_file { read write };
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.5.10/policy/modules/admin/kudzu.te
+--- nsaserefpolicy/policy/modules/admin/kudzu.te	2007-03-20 23:38:29.000000000 -0400
++++ serefpolicy-2.5.10/policy/modules/admin/kudzu.te	2007-03-23 10:42:14.000000000 -0400
+@@ -22,7 +22,7 @@
+ #
+ 
+ allow kudzu_t self:capability { dac_override sys_admin sys_rawio net_admin sys_tty_config mknod };
+-dontaudit kudzu_t self:capability sys_tty_config;
++dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };
+ allow kudzu_t self:process { signal_perms execmem };
+ allow kudzu_t self:fifo_file rw_fifo_file_perms;
+ allow kudzu_t self:unix_stream_socket { connectto create_stream_socket_perms };
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.5.10/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2007-02-19 11:32:54.000000000 -0500
 +++ serefpolicy-2.5.10/policy/modules/admin/logwatch.te	2007-03-22 15:06:58.000000000 -0400
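Review bot: The new `dontaudit kudzu_t self:capability { sys_ptrace sys_tty_config };` line in kudzu.te silences sys_ptrace denials with no comment saying what in kudzu requests the capability, and the changelog entry (`- Allow samba to run groupadd`) does not mention it. The capability is still denied, since the `allow kudzu_t self:capability` line above does not list sys_ptrace, but the denial no longer reaches the audit log, so anyone watching AVC messages for ptrace attempts from kudzu_t loses that signal. I would add a comment above the rule, `# dontaudit sys_ptrace: <what kudzu does that triggers it>`, and a changelog line such as `- Dontaudit kudzu sys_ptrace`. The same changelog gap applies to the ldap port addition in the corenetwork.te.in hunk.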
@@ -1203,7 +1215,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.5.10/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-02-19 11:32:51.000000000 -0500
-+++ serefpolicy-2.5.10/policy/modules/kernel/corenetwork.te.in	2007-03-22 15:06:58.000000000 -0400
++++ serefpolicy-2.5.10/policy/modules/kernel/corenetwork.te.in	2007-03-23 11:39:35.000000000 -0400
 @@ -48,6 +48,11 @@
  type reserved_port_t, port_type, reserved_port_type;
  
@@ -1216,6 +1228,15 @@
  # server_packet_t is the default type of IPv4 and IPv6 server packets.
  #
  type server_packet_t, packet_type, server_packet_type;
+@@ -100,7 +105,7 @@
+ network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+ network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+ network_port(ktalkd, udp,517,s0, udp,518,s0)
+-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
++network_port(ldap, tcp,3268,s0, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+ type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
+ network_port(lmtp, tcp,24,s0, udp,24,s0)
+ network_port(mail, tcp,2000,s0)
 @@ -108,7 +113,7 @@
  network_port(mysqld, tcp,3306,s0)
  network_port(nessus, tcp,1241,s0)
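Review bot: Adding `tcp,3268,s0` to `network_port(ldap, ...)` labels that port ldap_port_t for the whole policy, so every domain already allowed to connect or bind to ldap_port_t gains it, not only Samba. Port 3268 is the Active Directory global catalog port, which presumably ties in with the domain-controller work in samba.te, but nothing in the hunk records that. A comment line above the declaration, e.g. `# tcp 3268: Active Directory global catalog`, would state the intent. If global catalog over SSL is also expected, tcp 3269 would likely need the same label; worth confirming now rather than finding out through denials.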
@@ -3560,19 +3581,20 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.5.10/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-03-20 23:38:15.000000000 -0400
-+++ serefpolicy-2.5.10/policy/modules/services/samba.te	2007-03-22 15:06:59.000000000 -0400
-@@ -274,6 +274,10 @@
++++ serefpolicy-2.5.10/policy/modules/services/samba.te	2007-03-23 11:39:51.000000000 -0400
+@@ -274,6 +274,11 @@
  userdom_dontaudit_use_unpriv_user_fds(smbd_t)
  userdom_use_unpriv_users_fds(smbd_t)
  
 +tunable_policy(`samba_domain_controller',`
 +	usermanage_domtrans_useradd(smbd_t)
++	usermanage_domtrans_groupadd(smbd_t)
 +')
 +
  ifdef(`hide_broken_symptoms', `
  	files_dontaudit_getattr_default_dirs(smbd_t)
  	files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -341,8 +345,10 @@
+@@ -341,8 +346,10 @@
  
  read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
  
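Review bot: `usermanage_domtrans_groupadd(smbd_t)` lets the network-facing smbd_t domain transition into the groupadd domain whenever the `samba_domain_controller` tunable is on, next to the existing useradd transition. That widens what the boolean grants: with it enabled, smbd can cause local group changes, presumably through the add-group scripts configured in smb.conf. The tunable's description and samba_selinux.8 are not visible in this hunk; if they still describe only user creation, they should be updated so administrators know what enabling the boolean permits. A short comment inside the block, e.g. `# domain controller: smbd runs useradd/groupadd on behalf of clients`, would also help.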
@@ -3584,7 +3606,7 @@
  read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
  allow nmbd_t samba_log_t:dir setattr;
-@@ -742,3 +748,18 @@
+@@ -742,3 +749,18 @@
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.419
retrieving revision 1.420
diff -u -r1.419 -r1.420
--- selinux-policy.spec	23 Mar 2007 14:32:31 -0000	1.419
+++ selinux-policy.spec	23 Mar 2007 15:42:50 -0000	1.420
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.5.10
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -356,6 +356,9 @@
 %endif
 
 %changelog
+* Fri Mar 23 2007 Dan Walsh <dwalsh at redhat.com> 2.5.10-2
+- Allow samba to run groupadd
+
 * Thu Mar 22 2007 Dan Walsh <dwalsh at redhat.com> 2.5.10-1
 - Update to upstream
 



