rpms/selinux-policy/devel policy-20070703.patch, NONE, 1.1 .cvsignore, 1.117, 1.118 selinux-policy.spec, 1.466, 1.467 sources, 1.128, 1.129 policy-20070525.patch, 1.12, NONE

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jul 3 19:21:23 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25699

Modified Files:
	.cvsignore selinux-policy.spec sources 
Added Files:
	policy-20070703.patch 
Removed Files:
	policy-20070525.patch 
Log Message:
* Mon Jul 2 2007 Dan Walsh <dwalsh at redhat.com> 3.0.1-5
- Default to user_u:system_r:unconfined_t 


policy-20070703.patch:

--- NEW FILE policy-20070703.patch ---
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts serefpolicy-3.0.2/config/appconfig-strict-mls/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-strict-mls/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/config/appconfig-strict-mls/guest_u_default_contexts	2007-07-03 13:08:19.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts serefpolicy-3.0.2/config/appconfig-strict-mls/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-strict-mls/staff_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/config/appconfig-strict-mls/staff_u_default_contexts	2007-07-03 13:08:19.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	staff_r:staff_t:s0
+system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0
+staff_r:staff_su_t:s0		staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/user_u_default_contexts serefpolicy-3.0.2/config/appconfig-strict-mls/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-strict-mls/user_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/config/appconfig-strict-mls/user_u_default_contexts	2007-07-03 13:08:19.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t:s0	user_r:user_t:s0
+system_r:remote_login_t:s0	user_r:user_t:s0
+system_r:sshd_t:s0		user_r:user_t:s0
+system_r:crond_t:s0		user_r:user_crond_t:s0
+system_r:xdm_t:s0		user_r:user_t:s0
+user_r:user_su_t:s0		user_r:user_t:s0
+user_r:user_sudo_t:s0		user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_type serefpolicy-3.0.2/config/appconfig-targeted-mcs/default_type
--- nsaserefpolicy/config/appconfig-targeted-mcs/default_type	2007-05-25 09:09:09.000000000 -0400
+++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/default_type	2007-07-03 13:08:19.000000000 -0400
@@ -1 +1,4 @@
 system_r:unconfined_t
+sysadm_r:sysadm_t
+staff_r:staff_t
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/guest_u_default_contexts serefpolicy-3.0.2/config/appconfig-targeted-mcs/guest_u_default_contexts
--- nsaserefpolicy/config/appconfig-targeted-mcs/guest_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/guest_u_default_contexts	2007-07-03 13:08:19.000000000 -0400
@@ -0,0 +1,4 @@
+system_r:local_login_t:s0	guest_r:guest_t:s0
+system_r:remote_login_t:s0	guest_r:guest_t:s0
+system_r:sshd_t:s0		guest_r:guest_t:s0
+system_r:crond_t:s0		guest_r:guest_crond_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/initrc_context serefpolicy-3.0.2/config/appconfig-targeted-mcs/initrc_context
--- nsaserefpolicy/config/appconfig-targeted-mcs/initrc_context	2007-05-25 09:09:09.000000000 -0400
+++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/initrc_context	2007-07-03 13:08:19.000000000 -0400
@@ -1 +1 @@
-user_u:system_r:initrc_t:s0
+system_u:system_r:initrc_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/seusers serefpolicy-3.0.2/config/appconfig-targeted-mcs/seusers
--- nsaserefpolicy/config/appconfig-targeted-mcs/seusers	2007-05-31 15:35:39.000000000 -0400
+++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/seusers	2007-07-03 13:08:19.000000000 -0400
@@ -1,2 +1,2 @@
 root:root:s0-mcs_systemhigh
-__default__:user_u:s0
+__default__:system_u:s0
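Review bot: Mapping `__default__` to `system_u` gives every Linux login without its own seusers entry the system identity, which the comment kept as context in this patch's policy/users hunk rules out ("a user process should never be assigned the system user identity"). It also differs from the log message, which names `user_u:system_r:unconfined_t` as the default, and the new targeted-mcs user_u_default_contexts file is presumably only consulted for logins mapped to user_u. With this mapping, audit records for interactive sessions and for system daemons carry the same SELinux user. Either keep `__default__:user_u:s0` here, or update the policy/users comment and the changelog entry to say that system_u is now used for logins.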
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/staff_u_default_contexts serefpolicy-3.0.2/config/appconfig-targeted-mcs/staff_u_default_contexts
--- nsaserefpolicy/config/appconfig-targeted-mcs/staff_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/staff_u_default_contexts	2007-07-03 13:08:19.000000000 -0400
@@ -0,0 +1,9 @@
+system_r:local_login_t:s0	staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:remote_login_t:s0	staff_r:staff_t:s0
+system_r:sshd_t:s0		staff_r:staff_t:s0 sysadm_r:sysadm_t:s0
+system_r:crond_t:s0		staff_r:staff_crond_t:s0 sysadm_r:sysadm_crond_t:s0 system_r:system_crond_t:s0 mailman_r:user_crond_t:s0
+system_r:xdm_t:s0		staff_r:staff_t:s0
+staff_r:staff_su_t:s0		staff_r:staff_t:s0
+staff_r:staff_sudo_t:s0		staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0		sysadm_r:sysadm_t:s0 
+sysadm_r:sysadm_sudo_t:s0	sysadm_r:sysadm_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/user_u_default_contexts serefpolicy-3.0.2/config/appconfig-targeted-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-targeted-mcs/user_u_default_contexts	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/config/appconfig-targeted-mcs/user_u_default_contexts	2007-07-03 13:08:19.000000000 -0400
@@ -0,0 +1,7 @@
+system_r:local_login_t:s0	system_r:unconfined_t:s0 user_r:user_t:s0
+system_r:remote_login_t:s0	system_r:unconfined_t:s0 user_r:user_t:s0
+system_r:sshd_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
+system_r:crond_t:s0		system_r:unconfined_t:s0 user_r:user_crond_t:s0
+system_r:xdm_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0		system_r:unconfined_t:s0 user_r:user_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-3.0.2/Makefile
--- nsaserefpolicy/Makefile	2007-05-29 13:53:56.000000000 -0400
+++ serefpolicy-3.0.2/Makefile	2007-07-03 13:08:19.000000000 -0400
@@ -158,8 +158,18 @@
 headerdir = $(modpkgdir)/include
 docsdir = $(prefix)/share/doc/$(PKGNAME)
 
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+	M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+	M4PARAM += -D targeted_policy
+endif
+
 # enable MLS if requested.
-ifeq "$(TYPE)" "mls"
+ifneq ($(findstring -mls,$(TYPE)),)
 	M4PARAM += -D enable_mls
 	CHECKPOLICY += -M
 	CHECKMODULE += -M
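Review bot: The new test `ifneq ($(findstring -mls,$(TYPE)),)` needs a leading hyphen, so a build invoked with `TYPE=mls`, which the removed `ifeq "$(TYPE)" "mls"` accepted, now gets neither `-D enable_mls` nor `-M` and still completes without error. The same applies to the `-mcs` test in the next hunk and to both tests in support/Makefile.devel. If the bare names are meant to keep working, `ifneq ($(filter mls %-mls,$(TYPE)),)` matches both spellings; if they are retired on purpose, a `$(error ...)` for an unrecognised TYPE would stop a policy from being built silently without MLS enforcement. `findstring strict` is also a substring match, so any TYPE that merely contains that text sets `strict_policy`.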
@@ -167,7 +177,7 @@
 endif
 
 # enable MLS if MCS requested.
-ifeq "$(TYPE)" "mcs"
+ifneq ($(findstring -mcs,$(TYPE)),)
 	M4PARAM += -D enable_mcs
 	CHECKPOLICY += -M
 	CHECKMODULE += -M
diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/ftpd_selinux.8 serefpolicy-3.0.2/man/man8/ftpd_selinux.8
--- nsaserefpolicy/man/man8/ftpd_selinux.8	2007-05-25 09:09:10.000000000 -0400
+++ serefpolicy-3.0.2/man/man8/ftpd_selinux.8	2007-07-03 13:08:19.000000000 -0400
@@ -12,7 +12,7 @@
 .TP
 chcon -R -t public_content_t /var/ftp
 .TP
-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
+If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
 .TP
 chcon -t public_content_rw_t /var/ftp/incoming
 .TP
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.2/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors	2007-06-19 16:23:34.000000000 -0400
+++ serefpolicy-3.0.2/policy/flask/access_vectors	2007-07-03 13:08:19.000000000 -0400
@@ -598,6 +598,8 @@
 	shmempwd
 	shmemgrp
 	shmemhost
+	getserv
+	shmemserv
 }
 
 # Define the access vector interpretation for controlling
@@ -623,6 +625,8 @@
 	send
 	recv
 	relabelto
+	flow_in
+	flow_out
 }
 
 class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.2/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables	2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.2/policy/global_tunables	2007-07-03 13:08:19.000000000 -0400
@@ -133,3 +133,10 @@
 ## </desc>
 gen_tunable(write_untrusted_content,false)
 
+## <desc>
+## <p>
+## Allow users to connect to console (s390)
+## </p>
+## </desc>
+gen_tunable(allow_console_login,false)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-3.0.2/policy/mls
--- nsaserefpolicy/policy/mls	2007-07-03 07:06:36.000000000 -0400
+++ serefpolicy-3.0.2/policy/mls	2007-07-03 13:08:19.000000000 -0400
@@ -89,12 +89,14 @@
 mlsconstrain { file lnk_file fifo_file dir chr_file blk_file sock_file } { write create setattr relabelfrom append unlink link rename mounton }
 	(( l1 eq l2 ) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
-	 (( t2 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+	 (( t2 == mlsrangedobject ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
 
+# Directory "write" ops
 mlsconstrain dir { add_name remove_name reparent rmdir }
-	((( l1 dom l2 ) and ( l1 domby h2 )) or
+	(( l1 eq l2 ) or
+	 (( t1 == mlsfilewriteinrange ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
 	 (( t1 == mlsfilewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsfilewrite ) or
 	 ( t2 == mlstrustedobject ));
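Review bot: `mlsfilewriteinrange` changes sides in this hunk: the removed file-write line tested it on the target (`t2 == mlsfilewriteinrange`), while the new directory constraint tests it on the source (`t1 == mlsfilewriteinrange`), and `mlsrangedobject` takes over the target-side role. Any object type that still carries the old attribute will compile but no longer match the file constraint; whether such assignments remain cannot be seen from this hunk. A comment above the directory constraint would make the new meaning explicit, for example `# mlsfilewriteinrange is a subject attribute here; ranged objects use mlsrangedobject`. The directory rule is also tightened from in-range to `l1 eq l2` for subjects without an override attribute, which deserves a changelog line.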
@@ -165,8 +167,20 @@
 mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } relabelto
 	( h1 dom h2 );
 
+# the socket "read+write" ops
+# (Socket FDs are generally bidirectional, equivalent to open(..., O_RDWR),
+# require equal levels for unprivileged subjects, or read *and* write overrides)
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { accept connect }
+	(( l1 eq l2 ) or
+	 (((( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+	   ( t1 == mlsnetread )) and
+	  ((( t1 == mlsnetwriteranged ) and ( l1 dom l2 ) and ( l1 domby h2 )) or
+	   (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	   ( t1 == mlsnetwrite ))));
+
[...10211 lines suppressed...]
+## <summary>Policy for webadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.2/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.2/policy/modules/users/webadm.te	2007-07-03 13:08:20.000000000 -0400
@@ -0,0 +1,70 @@
+policy_module(webadm,1.0.0)
+
+########################################
+#
+# webadmin local policy
+#
+
+userdom_login_user_template(webadm)
+allow webadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+
+# Allow webadm_t to restart the apache service
+domain_dontaudit_search_all_domains_state(webadm_t)
+apache_domtrans(webadm_t)
+init_exec_script_files(webadm_t)
+domain_role_change_exemption(webadm_t)
+domain_obj_id_change_exemption(webadm_t)
+role_transition webadm_r httpd_exec_t system_r;
+allow webadm_r system_r;
+
+apache_manage_all_content(webadm_t)
+apache_manage_config(webadm_t)
+apache_manage_log(webadm_t)
+apache_manage_modules(webadm_t)
+apache_manage_lock(webadm_t)
+apache_manage_pid(webadm_t)
+apache_read_state(webadm_t)
+apache_signal(webadm_t)
+apache_getattr(webadm_t)
+apache_relabel(webadm_t)
+
+seutil_domtrans_restorecon(webadm_t)
+
+files_dontaudit_search_all_dirs(webadm_t)
+files_dontaudit_getattr_all_files(webadm_t)
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+selinux_get_enforce_mode(webadm_t)
+
+
+logging_send_syslog_msg(webadm_t)
+
+ifdef(`targeted_policy',`
+	term_use_generic_ptys(webadm_t)
+	term_use_unallocated_ttys(webadm_t)
+')
+
+userdom_dontaudit_search_sysadm_home_dirs(webadm_t)
+userdom_dontaudit_search_generic_user_home_dirs(webadm_t)
+
+bool webadm_read_user_files false;
+bool webadm_manage_user_files false;
+
+if (webadm_read_user_files) {
+	userdom_read_unpriv_users_home_content_files(webadm_t)
+	userdom_read_unpriv_users_tmp_files(webadm_t)
+}
+
+if (webadm_manage_user_files) {
+	userdom_manage_unpriv_users_home_content_dirs(webadm_t)
+	userdom_read_unpriv_users_tmp_files(webadm_t)
+	userdom_write_unpriv_users_tmp_files(webadm_t)
+}
+
+gen_require(`
+	type gadmin_t;
+')
+allow gadmin_t webadm_t:process transition;
+allow webadm_t gadmin_t:dir getattr;
+
+
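Review bot: The `self:capability` grant near the top of the new file has no comment, and the only nearby comment ("Allow webadm_t to restart the apache service") describes the block after it. `dac_override`, `dac_read_search` and `sys_ptrace` are granted unconditionally, while access to user files sits behind booleans that default to false, so the reason for each capability should be stated or the set trimmed to what managing Apache needs. A comment of the form `# dac_override, dac_read_search: <reason>; sys_ptrace: <reason>` would do, with the reasons supplied by the author. The closing `gen_require` on `gadmin_t` makes the module depend on a type declared elsewhere; putting the two `allow` rules that follow it inside `optional_policy` would let webadm load when that type is absent.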
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.2/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-05-29 14:10:59.000000000 -0400
+++ serefpolicy-3.0.2/policy/support/obj_perm_sets.spt	2007-07-03 13:08:20.000000000 -0400
@@ -201,7 +201,7 @@
 define(`search_dir_perms',`{ getattr search }')
 define(`list_dir_perms',`{ getattr search read lock ioctl }')
 define(`add_entry_dir_perms',`{ getattr search lock ioctl write add_name }')
-define(`del_entry_dir_perms',`{ getattr search lock ioctl write remove_name }')
+define(`del_entry_dir_perms',`{ getattr search lock ioctl read write remove_name }')
 define(`create_dir_perms',`{ getattr create }')
 define(`rename_dir_perms',`{ getattr rename }')
 define(`delete_dir_perms',`{ getattr rmdir }')
@@ -216,7 +216,7 @@
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
 define(`read_file_perms',`{ getattr read lock ioctl }')
-define(`mmap_file_perms',`{ getattr read execute }')
+define(`mmap_file_perms',`{ getattr read execute ioctl }')
 define(`exec_file_perms',`{ getattr read execute execute_no_trans }')
 define(`append_file_perms',`{ getattr append lock ioctl }')
 define(`write_file_perms',`{ getattr write append lock ioctl }')
@@ -325,3 +325,13 @@
 #
 define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
 define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
+')
+
+define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
+define(`all_dbus', `{ acquire_svc send_msg } ')
+define(`all_passwd', `{ passwd chfn chsh rootok crontab } ')
+define(`all_association', `{ sendto recvfrom setcontext polmatch } ')
+
+
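Review bot: `all_nscd` omits `getserv` and `shmemserv`, the two permissions this same patch appends after `shmemhost` in policy/flask/access_vectors, so a rule written with `all_nscd` will not cover them. If the set is meant to be complete, the line should read `define(`all_nscd', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost getserv shmemserv } ')`. The class name lies outside the access_vectors hunk, so that those are the nscd permissions is inferred from the matching names. The `all_capabilities` definition also closes its quote on the following line, which puts a newline into every expansion; ending it with `}')` on the same line avoids that.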
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.0.2/policy/users
--- nsaserefpolicy/policy/users	2007-05-31 15:36:08.000000000 -0400
+++ serefpolicy-3.0.2/policy/users	2007-07-03 13:08:20.000000000 -0400
@@ -16,7 +16,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+gen_user(system_u, user, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # user_u is a generic user identity for Linux users who have no
@@ -25,7 +25,7 @@
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
-gen_user(user_u, user, user_r, s0, s0)
+gen_user(user_u, user, user_r system_r, s0, s0)
 gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
 gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
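Review bot: Adding `system_r` to `user_u` is not limited to the targeted build: policy/users is shared, and the strict-mls user_u_default_contexts file added by this patch offers only `user_r` contexts, so under strict the extra role is an authorization that nothing in the visible configuration uses. The Makefile hunks now define `targeted_policy`, so the role can be made conditional the same way the `staff_u` line guards `secadm_r` with `enable_mls`: `gen_user(user_u, user, user_r ifdef(`targeted_policy',`system_r'), s0, s0)`. The comment above the entry still describes user_u as the generic identity for unmapped users and should say that in targeted policy it may enter `system_r:unconfined_t`.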
 
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.2/Rules.modular
--- nsaserefpolicy/Rules.modular	2007-05-25 09:09:10.000000000 -0400
+++ serefpolicy-3.0.2/Rules.modular	2007-07-03 13:08:20.000000000 -0400
@@ -167,7 +167,7 @@
 # these have to run individually because order matters:
 	$(verbose) $(GREP) '^sid ' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
 	$(verbose) $(GREP) '^fs_use_(xattr|task|trans)' $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
-	$(verbose) $(GREP) ^genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
+	$(verbose) $(GREP) genfscon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
 	$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
 	$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
 	$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $(tmpdir)/all_post.conf || true
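Review bot: Dropping the `^` from the genfscon pattern makes this grep copy every line of all_te_files.conf that contains the word anywhere, including comments and statements that only mention it, into all_post.conf, while the neighbouring portcon, netifcon and nodecon lines stay anchored. If the aim is to catch genfscon statements that are indented, for example inside an `ifdef`, `'^[[:blank:]]*genfscon'` matches those without matching comments. Any later step that strips these statements from the remaining .te text is outside this hunk and would need the same pattern, otherwise a statement could end up in both outputs.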
@@ -219,6 +219,16 @@
 
 ########################################
 #
+# Validate File Contexts
+#
+validatefc: $(base_pkg) $(base_fc) 
+	@echo "Validating file context."
+	$(verbose) $(SEMOD_EXP) $(base_pkg) $(tmpdir)/policy.tmp
+	$(verbose) $(SETFILES) -c $(tmpdir)/policy.tmp $(base_fc)
+	@echo "Success."
+
+########################################
+#
 # Clean the sources
 #
 clean:
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.2/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel	2007-05-29 13:53:56.000000000 -0400
+++ serefpolicy-3.0.2/support/Makefile.devel	2007-07-03 13:08:20.000000000 -0400
@@ -24,7 +24,7 @@
 XMLLINT := $(BINDIR)/xmllint
 
 # set default build options if missing
-TYPE ?= standard
+TYPE ?= strict
 DIRECT_INITRC ?= n
 POLY ?= n
 QUIET ?= y
@@ -39,15 +39,25 @@
 globaltun = $(HEADERDIR)/global_tunables.xml
 globalbool = $(HEADERDIR)/global_booleans.xml
 
+# compile strict policy if requested.
+ifneq ($(findstring strict,$(TYPE)),)
+	M4PARAM += -D strict_policy
+endif
+
+# compile targeted policy if requested.
+ifneq ($(findstring targeted,$(TYPE)),)
+	M4PARAM += -D targeted_policy
+endif
+
 # enable MLS if requested.
-ifeq "$(TYPE)" "mls"
+ifneq ($(findstring -mls,$(TYPE)),)
 	M4PARAM += -D enable_mls
 	CHECKPOLICY += -M
 	CHECKMODULE += -M
 endif
 
 # enable MLS if MCS requested.
-ifeq "$(TYPE)" "mcs"
+ifneq ($(findstring -mcs,$(TYPE)),)
 	M4PARAM += -D enable_mcs
 	CHECKPOLICY += -M
 	CHECKMODULE += -M


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/.cvsignore,v
retrieving revision 1.117
retrieving revision 1.118
diff -u -r1.117 -r1.118
--- .cvsignore	31 May 2007 18:40:35 -0000	1.117
+++ .cvsignore	3 Jul 2007 19:20:47 -0000	1.118
@@ -119,3 +119,4 @@
 serefpolicy-2.6.4.tgz
 serefpolicy-2.6.5.tgz
 serefpolicy-3.0.1.tgz
+serefpolicy-3.0.2.tgz


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.466
retrieving revision 1.467
diff -u -r1.466 -r1.467
--- selinux-policy.spec	2 Jul 2007 20:32:38 -0000	1.466
+++ selinux-policy.spec	3 Jul 2007 19:20:47 -0000	1.467
@@ -16,12 +16,12 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.0.1
-Release: 6%{?dist}
+Version: 3.0.2
+Release: 1%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-20070525.patch
+patch: policy-20070703.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -293,6 +293,7 @@
 exit 0
 
 %triggerpostun targeted -- selinux-policy-targeted < 3.0.1
+setsebool -P use_nfs_home_dirs=1
 semanage login -m -s "system_u" __default__ 2> /dev/null
 semanage user -a -P unconfined -R "unconfined_r system_r" unconfined_u 2> /dev/null
 restorecon -R /root 2> /dev/null
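Review bot: The added `setsebool -P use_nfs_home_dirs=1` turns the boolean on persistently for every system upgrading from selinux-policy-targeted older than 3.0.1, whether or not it uses NFS home directories and whatever the administrator had set before. That relaxes policy as a side effect of a package update, and the log message does not mention it. If it is needed to keep existing NFS-home setups working, a comment above the line should say so, for example `# keep NFS home directories usable after the switch to confined logins`, adjusted to the real reason. Unlike the three commands after it, this line does not redirect stderr, so a failure prints during the upgrade; add `2> /dev/null` for consistency or leave it visible on purpose. The trigger body may continue past the end of the hunk.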


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/sources,v
retrieving revision 1.128
retrieving revision 1.129
diff -u -r1.128 -r1.129
--- sources	26 Jun 2007 11:15:55 -0000	1.128
+++ sources	3 Jul 2007 19:20:47 -0000	1.129
@@ -1 +1 @@
-15e7cf49d82f31ea9b50c3520399c22d  serefpolicy-3.0.1.tgz
+7487348a6530067125f23316f43ff369  serefpolicy-3.0.2.tgz


--- policy-20070525.patch DELETED ---



