rpms/selinux-policy/F-8 policy-20070703.patch, 1.124, 1.125 selinux-policy.spec, 1.569, 1.570
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Wed Nov 7 22:11:00 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14844
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Tue Nov 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-48
- Add obsoletes selinux-policy-strict
- Run inetd unconfined
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.124
retrieving revision 1.125
diff -u -r1.124 -r1.125
--- policy-20070703.patch 6 Nov 2007 21:51:09 -0000 1.124
+++ policy-20070703.patch 7 Nov 2007 22:10:56 -0000 1.125
@@ -3718,7 +3718,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-11-05 11:44:18.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2007-11-07 08:32:30.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -3771,7 +3771,15 @@
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -146,7 +156,7 @@
+@@ -122,6 +132,7 @@
+ network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+ network_port(pegasus_http, tcp,5988,s0)
+ network_port(pegasus_https, tcp,5989,s0)
++network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
+ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+ network_port(portmap, udp,111,s0, tcp,111,s0)
+ network_port(postgresql, tcp,5432,s0)
+@@ -146,7 +157,7 @@
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
network_port(ssh, tcp,22,s0)
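Review bot: The new entry `network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)` carries a stray space after `udp,` that no neighbouring entry has; m4 strips leading argument whitespace so it is cosmetic, but for consistency it should read `network_port(pgpkeyserver, udp,11371,s0, tcp,11371,s0)`. More substantively, HKP keyservers are a TCP service on 11371 and the only consumer added in this same commit (squid.te) requests tcp connect only, so unless a UDP use of that port is known the udp tuple is an unneeded port label that a later rule could bind or connect to without anyone noticing. The surrounding port table runs past the hunk on both sides.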
@@ -3780,7 +3788,7 @@
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +170,19 @@
+@@ -160,13 +171,19 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
@@ -5562,17 +5570,18 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-10-29 23:59:29.000000000 -0400
-@@ -20,6 +20,8 @@
++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2007-11-07 15:19:05.000000000 -0500
+@@ -20,6 +20,9 @@
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
++
## <desc>
## <p>
## Allow Apache to modify public files
-@@ -30,6 +32,13 @@
+@@ -30,6 +33,13 @@
## <desc>
## <p>
@@ -5586,7 +5595,7 @@
## Allow Apache to use mod_auth_pam
## </p>
## </desc>
-@@ -47,6 +56,13 @@
+@@ -47,6 +57,13 @@
## Allow http daemon to tcp connect
## </p>
## </desc>
@@ -5600,7 +5609,7 @@
gen_tunable(httpd_can_network_connect,false)
## <desc>
-@@ -97,7 +113,7 @@
+@@ -97,7 +114,7 @@
## Allow http daemon to communicate with the TTY
## </p>
## </desc>
@@ -5609,7 +5618,7 @@
## <desc>
## <p>
-@@ -106,6 +122,27 @@
+@@ -106,6 +123,27 @@
## </desc>
gen_tunable(httpd_unified,false)
@@ -5637,7 +5646,7 @@
attribute httpdcontent;
# domains that can exec all users scripts
-@@ -142,6 +179,9 @@
+@@ -142,6 +180,9 @@
type httpd_log_t;
logging_log_file(httpd_log_t)
@@ -5647,7 +5656,7 @@
# httpd_modules_t is the type given to module files (libraries)
# that come with Apache /etc/httpd/modules and /usr/lib/apache
type httpd_modules_t;
-@@ -182,6 +222,14 @@
+@@ -182,6 +223,14 @@
type httpd_tmpfs_t;
files_tmpfs_file(httpd_tmpfs_t)
@@ -5662,7 +5671,7 @@
# for apache2 memory mapped files
type httpd_var_lib_t;
files_type(httpd_var_lib_t)
-@@ -202,9 +250,11 @@
+@@ -202,9 +251,11 @@
# Apache server local policy
#
@@ -5675,7 +5684,7 @@
allow httpd_t self:fd use;
allow httpd_t self:sock_file read_sock_file_perms;
allow httpd_t self:fifo_file rw_fifo_file_perms;
-@@ -244,6 +294,7 @@
+@@ -244,6 +295,7 @@
allow httpd_t httpd_modules_t:dir list_dir_perms;
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -5683,7 +5692,7 @@
apache_domtrans_rotatelogs(httpd_t)
# Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -284,6 +335,7 @@
+@@ -284,6 +336,7 @@
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -5691,7 +5700,7 @@
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -330,6 +382,10 @@
+@@ -330,6 +383,10 @@
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -5702,7 +5711,7 @@
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -348,7 +404,9 @@
+@@ -348,7 +405,9 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -5713,7 +5722,7 @@
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +418,7 @@
+@@ -360,6 +419,7 @@
#
tunable_policy(`allow_httpd_mod_auth_pam',`
auth_domtrans_chk_passwd(httpd_t)
@@ -5721,7 +5730,7 @@
')
')
-@@ -367,6 +426,16 @@
+@@ -367,6 +427,16 @@
corenet_tcp_connect_all_ports(httpd_t)
')
@@ -5738,7 +5747,7 @@
tunable_policy(`httpd_can_network_connect_db',`
# allow httpd to connect to mysql/posgresql
corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +456,17 @@
+@@ -387,6 +457,17 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -5756,7 +5765,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -404,11 +484,21 @@
+@@ -404,11 +485,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -5778,7 +5787,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +520,12 @@
+@@ -430,6 +521,12 @@
')
optional_policy(`
@@ -5791,7 +5800,7 @@
calamaris_read_www_files(httpd_t)
')
-@@ -442,8 +538,15 @@
+@@ -442,8 +539,15 @@
')
optional_policy(`
@@ -5808,7 +5817,7 @@
')
optional_policy(`
-@@ -457,11 +560,11 @@
+@@ -457,11 +561,11 @@
optional_policy(`
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
@@ -5821,7 +5830,7 @@
')
optional_policy(`
-@@ -481,6 +584,7 @@
+@@ -481,6 +585,7 @@
')
optional_policy(`
@@ -5829,7 +5838,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -512,10 +616,16 @@
+@@ -512,10 +617,16 @@
tunable_policy(`httpd_tty_comm',`
# cjp: this is redundant:
term_use_controlling_term(httpd_helper_t)
@@ -5847,7 +5856,7 @@
########################################
#
# Apache PHP script local policy
-@@ -553,6 +663,7 @@
+@@ -553,6 +664,7 @@
optional_policy(`
mysql_stream_connect(httpd_php_t)
@@ -5855,7 +5864,7 @@
')
optional_policy(`
-@@ -567,7 +678,6 @@
+@@ -567,7 +679,6 @@
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -5863,7 +5872,7 @@
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -581,6 +691,10 @@
+@@ -581,6 +692,10 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -5874,7 +5883,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -606,6 +720,10 @@
+@@ -606,6 +721,10 @@
miscfiles_read_localization(httpd_suexec_t)
@@ -5885,7 +5894,7 @@
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +738,13 @@
+@@ -620,10 +739,13 @@
corenet_udp_sendrecv_all_ports(httpd_suexec_t)
corenet_tcp_connect_all_ports(httpd_suexec_t)
corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -5900,7 +5909,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -634,6 +755,12 @@
+@@ -634,6 +756,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -5913,7 +5922,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +778,6 @@
+@@ -651,18 +779,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -5932,7 +5941,7 @@
########################################
#
# Apache system script local policy
-@@ -672,7 +787,8 @@
+@@ -672,7 +788,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -5942,7 +5951,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +802,66 @@
+@@ -686,15 +803,66 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -5958,15 +5967,15 @@
+')
+
+tunable_policy(`httpd_use_nfs', `
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -6010,7 +6019,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -707,6 +874,20 @@
+@@ -707,6 +875,20 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -6031,7 +6040,7 @@
')
########################################
-@@ -728,3 +909,20 @@
+@@ -728,3 +910,20 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -8437,7 +8446,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-11-07 10:35:03.000000000 -0500
@@ -53,6 +53,8 @@
allow inetd_t inetd_var_run_t:file manage_file_perms;
files_pid_filetrans(inetd_t,inetd_var_run_t,file)
@@ -8493,7 +8502,15 @@
optional_policy(`
amanda_search_lib(inetd_t)
')
-@@ -170,6 +185,9 @@
+@@ -154,6 +169,7 @@
+ ')
+
+ optional_policy(`
++ unconfined_domain(inetd_t)
+ unconfined_domtrans(inetd_t)
+ ')
+
+@@ -170,6 +186,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
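Review bot: `unconfined_domain(inetd_t)` unconditionally removes SELinux confinement from a network-facing superserver, and neither the hunk nor the changelog line "Run inetd unconfined" records why the already-present `unconfined_domtrans(inetd_t)` was insufficient. With inetd_t itself unconfined, any flaw in inetd and any service it spawns without a domain transition inherit unconfined access, which undercuts the inetd_child_t separation the following `@@ -170` hunk still maintains. If the goal is to let particular inetd-spawned programs run unconfined, a rule scoped to those executables, or a boolean gating this one line, would be the narrower shape. At minimum add a comment above the call so the exception is auditable, e.g. `# inetd_t is intentionally unconfined (3.0.8-48); inetd_child_t rules below still apply to spawned services`. The enclosing optional_policy block is visible; the rest of inetd_t's policy lies outside the hunk.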
@@ -8503,7 +8520,7 @@
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -212,13 +230,10 @@
+@@ -212,13 +231,10 @@
')
optional_policy(`
@@ -8529,7 +8546,7 @@
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-11-06 16:45:48.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2007-11-06 16:58:01.000000000 -0500
@@ -42,6 +42,10 @@
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
@@ -8541,18 +8558,17 @@
tunable_policy(`allow_kerberos',`
allow $1 self:tcp_socket create_socket_perms;
-@@ -62,8 +66,8 @@
+@@ -61,9 +65,6 @@
+ corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
-
+-
- sysnet_read_config($1)
- sysnet_dns_name_resolve($1)
-+# sysnet_read_config($1)
-+# sysnet_dns_name_resolve($1)
')
optional_policy(`
-@@ -172,3 +176,51 @@
+@@ -172,3 +173,51 @@
allow $1 krb5kdc_conf_t:file read_file_perms;
')
@@ -12144,7 +12160,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.8/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/squid.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/squid.te 2007-11-07 10:42:33.000000000 -0500
@@ -36,7 +36,7 @@
# Local policy
#
@@ -12163,7 +12179,7 @@
# Grant permissions to create, access, and delete cache files.
manage_dirs_pattern(squid_t,squid_cache_t,squid_cache_t)
manage_files_pattern(squid_t,squid_cache_t,squid_cache_t)
-@@ -92,6 +94,7 @@
+@@ -92,10 +94,12 @@
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
@@ -12171,7 +12187,12 @@
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
-@@ -109,6 +112,8 @@
+ corenet_tcp_connect_http_cache_port(squid_t)
++corenet_tcp_connect_pgpkeyserver_port(squid_t)
+ corenet_sendrecv_http_client_packets(squid_t)
+ corenet_sendrecv_ftp_client_packets(squid_t)
+ corenet_sendrecv_gopher_client_packets(squid_t)
+@@ -109,6 +113,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
@@ -12180,7 +12201,7 @@
selinux_dontaudit_getattr_dir(squid_t)
-@@ -137,9 +142,6 @@
+@@ -137,9 +143,6 @@
miscfiles_read_certs(squid_t)
miscfiles_read_localization(squid_t)
@@ -12190,7 +12211,7 @@
userdom_use_unpriv_users_fds(squid_t)
userdom_dontaudit_use_unpriv_user_fds(squid_t)
userdom_dontaudit_search_sysadm_home_dirs(squid_t)
-@@ -149,19 +151,7 @@
+@@ -149,19 +152,7 @@
')
optional_policy(`
@@ -12211,7 +12232,7 @@
')
optional_policy(`
-@@ -176,7 +166,12 @@
+@@ -176,7 +167,12 @@
udev_read_db(squid_t)
')
@@ -12657,7 +12678,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if 2007-11-07 12:07:13.000000000 -0500
@@ -126,6 +126,8 @@
# read events - the synaptics touchpad driver reads raw events
dev_rw_input_dev($1_xserver_t)
@@ -12681,7 +12702,22 @@
term_setattr_unallocated_ttys($1_xserver_t)
term_use_unallocated_ttys($1_xserver_t)
-@@ -251,7 +255,7 @@
+@@ -178,13 +182,7 @@
+ auth_search_pam_console_data($1_xserver_t)
+ ')
+
+- optional_policy(`
+- nis_use_ypbind($1_xserver_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1_xserver_t)
+- ')
++ auth_use_nsswitch($1_xserver_t)
+
+ optional_policy(`
+ rhgb_getpgid($1_xserver_t)
+@@ -251,7 +249,7 @@
userdom_user_home_content($1,$1_fonts_cache_t)
type $1_fonts_config_t, fonts_config_type;
@@ -12690,7 +12726,7 @@
type $1_iceauth_t;
domain_type($1_iceauth_t)
-@@ -282,11 +286,15 @@
+@@ -282,11 +280,15 @@
domtrans_pattern($1_xserver_t, xauth_exec_t, $1_xauth_t)
allow $1_xserver_t $1_xauth_home_t:file { getattr read };
@@ -12706,7 +12742,7 @@
manage_dirs_pattern($2,$1_fonts_t,$1_fonts_t)
manage_files_pattern($2,$1_fonts_t,$1_fonts_t)
-@@ -316,6 +324,7 @@
+@@ -316,6 +318,7 @@
userdom_use_user_ttys($1,$1_xserver_t)
userdom_setattr_user_ttys($1,$1_xserver_t)
userdom_rw_user_tmpfs_files($1,$1_xserver_t)
@@ -12714,7 +12750,7 @@
xserver_use_user_fonts($1,$1_xserver_t)
xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -353,12 +362,6 @@
+@@ -353,12 +356,6 @@
# allow ps to show xauth
ps_process_pattern($2,$1_xauth_t)
@@ -12727,7 +12763,7 @@
domain_use_interactive_fds($1_xauth_t)
files_read_etc_files($1_xauth_t)
-@@ -387,6 +390,14 @@
+@@ -387,6 +384,14 @@
')
optional_policy(`
@@ -12742,7 +12778,7 @@
nis_use_ypbind($1_xauth_t)
')
-@@ -536,17 +547,15 @@
+@@ -536,17 +541,15 @@
template(`xserver_user_client_template',`
gen_require(`
@@ -12766,7 +12802,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -555,25 +564,54 @@
+@@ -555,25 +558,54 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -12829,7 +12865,7 @@
')
')
-@@ -626,6 +664,24 @@
+@@ -626,6 +658,24 @@
########################################
## <summary>
@@ -12854,7 +12890,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -659,6 +715,73 @@
+@@ -659,6 +709,73 @@
########################################
## <summary>
@@ -12928,7 +12964,7 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -927,6 +1050,7 @@
+@@ -927,6 +1044,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -12936,7 +12972,7 @@
')
########################################
-@@ -987,6 +1111,37 @@
+@@ -987,6 +1105,37 @@
########################################
## <summary>
@@ -12974,7 +13010,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1136,7 +1291,7 @@
+@@ -1136,7 +1285,7 @@
type xdm_xserver_tmp_t;
')
@@ -12983,7 +13019,7 @@
')
########################################
-@@ -1325,3 +1480,63 @@
+@@ -1325,3 +1474,63 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -14612,7 +14648,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-11-07 17:05:02.000000000 -0500
@@ -65,11 +65,12 @@
/opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0)
/opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -14627,7 +14663,15 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -112,6 +113,7 @@
+@@ -80,6 +81,7 @@
+ /opt/netscape/plugins(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /opt/netscape/plugins/libflashplayer\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/netscape/plugins/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/RealPlayer/codecs(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /opt/RealPlayer/common(/.*)? gen_context(system_u:object_r:lib_t,s0)
+ /opt/RealPlayer/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+@@ -112,6 +114,7 @@
/usr/lib/vlc/codec/libdmo_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/vlc/codec/librealaudio_plugin.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
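Review bot: The new pattern `/opt/Adobe(/.*?)/nppdf\.so` uses a non-optional, non-greedy group `(/.*?)` where every neighbouring entry uses the optional `(/.*)?`; as written it cannot match a file directly under /opt/Adobe, and the `?` inside the group buys nothing here. It should read `/opt/Adobe(/.*)?/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. Since textrel_shlib_t also permits text relocations (execmod) for the library, a short comment that this is a proprietary plugin needing it, as the nearby netscape nppdf entry implies, would keep the exception deliberate. The rest of the /opt block continues outside the hunk.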
@@ -14635,7 +14679,7 @@
/usr/(.*/)?lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?(/.*)?/nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libsipphoneapi\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -135,6 +137,8 @@
+@@ -135,6 +138,8 @@
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -14644,7 +14688,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -236,6 +240,8 @@
+@@ -236,6 +241,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -14653,7 +14697,7 @@
/usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# vmware
-@@ -284,3 +290,9 @@
+@@ -284,3 +291,9 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
@@ -15882,16 +15926,8 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-30 06:40:30.000000000 -0400
-@@ -432,6 +432,7 @@
- role $2 types run_init_t;
- allow run_init_t $3:chr_file rw_term_perms;
- allow $2 system_r;
-+ auth_run_upd_passwd_chk($1,$2,$3)
- ')
-
- ########################################
-@@ -585,7 +586,7 @@
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-11-07 11:59:45.000000000 -0500
+@@ -585,7 +585,7 @@
type selinux_config_t;
')
@@ -15900,7 +15936,7 @@
')
########################################
-@@ -604,7 +605,7 @@
+@@ -604,7 +604,7 @@
type selinux_config_t;
')
@@ -15909,7 +15945,7 @@
dontaudit $1 selinux_config_t:file { getattr read };
')
-@@ -669,6 +670,7 @@
+@@ -669,6 +669,7 @@
')
files_search_etc($1)
@@ -15917,7 +15953,7 @@
manage_files_pattern($1,selinux_config_t,selinux_config_t)
read_lnk_files_pattern($1,selinux_config_t,selinux_config_t)
')
-@@ -778,6 +780,28 @@
+@@ -778,6 +779,28 @@
########################################
## <summary>
@@ -15946,7 +15982,7 @@
## Read and write the file_contexts files.
## </summary>
## <param name="domain">
-@@ -968,6 +992,26 @@
+@@ -968,6 +991,26 @@
########################################
## <summary>
@@ -15973,7 +16009,7 @@
## Execute semanage in the semanage domain, and
## allow the specified role the semanage domain,
## and use the caller's terminal.
-@@ -979,7 +1023,7 @@
+@@ -979,7 +1022,7 @@
## </param>
## <param name="role">
## <summary>
@@ -15982,7 +16018,7 @@
## </summary>
## </param>
## <param name="terminal">
-@@ -1001,6 +1045,39 @@
+@@ -1001,6 +1044,39 @@
########################################
## <summary>
@@ -16022,7 +16058,7 @@
## Full management of the semanage
## module store.
## </summary>
-@@ -1058,3 +1135,138 @@
+@@ -1058,3 +1134,138 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -17267,7 +17303,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-06 16:01:20.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-07 15:17:58.000000000 -0500
@@ -29,8 +29,9 @@
')
@@ -17717,7 +17753,7 @@
# cjp: some of this probably can be removed
selinux_get_fs_mount($1_t)
selinux_validate_context($1_t)
-@@ -755,31 +731,15 @@
+@@ -755,31 +731,14 @@
storage_getattr_fixed_disk_dev($1_t)
auth_read_login_records($1_t)
@@ -17725,7 +17761,6 @@
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
auth_run_utempter($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
-+ auth_run_upd_passwd_chk($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
init_read_utmp($1_t)
- # The library functions always try to open read-write first,
@@ -17750,7 +17785,7 @@
seutil_run_newrole($1_t,$1_r,{ $1_devpts_t $1_tty_device_t })
seutil_exec_checkpolicy($1_t)
seutil_exec_setfiles($1_t)
-@@ -794,19 +754,12 @@
+@@ -794,19 +753,12 @@
files_read_default_symlinks($1_t)
files_read_default_sockets($1_t)
files_read_default_pipes($1_t)
@@ -17770,7 +17805,7 @@
optional_policy(`
alsa_read_rw_config($1_t)
')
-@@ -821,11 +774,6 @@
+@@ -821,11 +773,6 @@
')
optional_policy(`
@@ -17782,7 +17817,7 @@
allow $1_t self:dbus send_msg;
dbus_system_bus_client_template($1,$1_t)
-@@ -834,20 +782,20 @@
+@@ -834,20 +781,20 @@
')
optional_policy(`
@@ -17808,7 +17843,7 @@
')
')
-@@ -876,17 +824,17 @@
+@@ -876,17 +823,17 @@
')
optional_policy(`
@@ -17834,7 +17869,7 @@
')
optional_policy(`
-@@ -900,16 +848,6 @@
+@@ -900,16 +847,6 @@
')
optional_policy(`
@@ -17851,7 +17886,7 @@
resmgr_stream_connect($1_t)
')
-@@ -919,11 +857,6 @@
+@@ -919,11 +856,6 @@
')
optional_policy(`
@@ -17863,7 +17898,7 @@
samba_stream_connect_winbind($1_t)
')
-@@ -954,21 +887,166 @@
+@@ -954,21 +886,166 @@
## </summary>
## </param>
#
@@ -18036,7 +18071,7 @@
domain_interactive_fd($1_t)
typeattribute $1_devpts_t user_ptynode;
-@@ -977,23 +1055,51 @@
+@@ -977,23 +1054,51 @@
typeattribute $1_tmp_t user_tmpfile;
typeattribute $1_tty_device_t user_ttynode;
@@ -18099,7 +18134,7 @@
# port access is audited even if dac would not have allowed it, so dontaudit it here
corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
-@@ -1029,23 +1135,14 @@
+@@ -1029,23 +1134,14 @@
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_all_nodes($1_t)
@@ -18126,7 +18161,7 @@
optional_policy(`
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
')
-@@ -1054,17 +1151,6 @@
+@@ -1054,17 +1150,6 @@
setroubleshoot_stream_connect($1_t)
')
@@ -18144,7 +18179,7 @@
')
#######################################
-@@ -1102,6 +1188,8 @@
+@@ -1102,6 +1187,8 @@
class passwd { passwd chfn chsh rootok crontab };
')
@@ -18153,7 +18188,7 @@
##############################
#
# Declarations
-@@ -1127,7 +1215,7 @@
+@@ -1127,7 +1214,7 @@
# $1_t local policy
#
@@ -18162,7 +18197,7 @@
allow $1_t self:process { setexec setfscreate };
# Set password information for other users.
-@@ -1139,7 +1227,11 @@
+@@ -1139,7 +1226,11 @@
# Manipulate other users crontab.
allow $1_t self:passwd crontab;
@@ -18175,7 +18210,7 @@
kernel_read_software_raid_state($1_t)
kernel_getattr_core_if($1_t)
-@@ -1277,6 +1369,7 @@
+@@ -1277,6 +1368,7 @@
dev_relabel_all_dev_nodes($1)
files_create_boot_flag($1)
@@ -18183,7 +18218,7 @@
# Necessary for managing /boot/efi
fs_manage_dos_files($1)
-@@ -1642,9 +1735,13 @@
+@@ -1642,9 +1734,13 @@
template(`userdom_user_home_content',`
gen_require(`
attribute $1_file_type;
@@ -18197,7 +18232,7 @@
files_type($2)
')
-@@ -1894,10 +1991,46 @@
+@@ -1894,10 +1990,46 @@
template(`userdom_manage_user_home_content_dirs',`
gen_require(`
type $1_home_dir_t, $1_home_t;
@@ -18245,7 +18280,7 @@
')
########################################
-@@ -3078,7 +3211,7 @@
+@@ -3078,7 +3210,7 @@
#
template(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
@@ -18254,7 +18289,7 @@
')
files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -4609,11 +4742,29 @@
+@@ -4609,11 +4741,29 @@
#
interface(`userdom_search_all_users_home_dirs',`
gen_require(`
@@ -18285,7 +18320,7 @@
')
########################################
-@@ -4633,6 +4784,14 @@
+@@ -4633,6 +4783,14 @@
files_list_home($1)
allow $1 home_dir_type:dir list_dir_perms;
@@ -18300,7 +18335,7 @@
')
########################################
-@@ -5323,7 +5482,7 @@
+@@ -5323,7 +5481,7 @@
attribute user_tmpfile;
')
@@ -18309,7 +18344,7 @@
')
########################################
-@@ -5529,6 +5688,24 @@
+@@ -5529,6 +5687,24 @@
########################################
## <summary>
@@ -18334,7 +18369,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5559,3 +5736,386 @@
+@@ -5559,3 +5735,379 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -18573,17 +18608,10 @@
+ ')
+
+ optional_policy(`
-+ networkmanager_dontaudit_dbus_chat($1_t)
-+ ')
-+
-+ optional_policy(`
+ mono_per_role_template($1, $1_t, $1_r)
+ ')
+
+')
-+optional_policy(`
-+ setroubleshoot_dontaudit_stream_connect($1_usertype)
-+')
+
+# gnome keyring wants to read this. Needs to be exlicitly granted
+dev_dontaudit_read_rand($1_usertype)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.569
retrieving revision 1.570
diff -u -r1.569 -r1.570
--- selinux-policy.spec 6 Nov 2007 21:06:40 -0000 1.569
+++ selinux-policy.spec 7 Nov 2007 22:10:56 -0000 1.570
@@ -275,6 +275,7 @@
Provides: selinux-policy-base
Group: System Environment/Base
Obsoletes: selinux-policy-targeted-sources < 2
+Obsoletes: selinux-policy-strict
Requires(pre): policycoreutils >= %{POLICYCOREUTILSVER}
Requires(pre): coreutils
Requires(pre): selinux-policy = %{version}-%{release}
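Review bot: `Obsoletes: selinux-policy-strict` is unversioned; the usual packaging convention is a versioned Obsoletes, e.g. `Obsoletes: selinux-policy-strict < 3.0.8-48`, so that a future package of that name is not silently obsoleted and rpmlint stays quiet. Separately, the changelog entry this commit adds is dated `Tue Nov 7 2007`, but 7 Nov 2007 was a Wednesday (the commit timestamp above agrees), which rpmlint reports as an incorrect changelog date. The %package section these tags belong to is outside the hunk.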
@@ -379,6 +380,10 @@
%endif
%changelog
+* Tue Nov 7 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-48
+- Add obsoletes selinux-policy-strict
+- Run inetd unconfined
+
* Tue Nov 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-47
- Allow all dns_resolves to use avahi stream
- Don't transition from unconfined_t to ping_t