rpms/selinux-policy/devel booleans-targeted.conf, 1.34, 1.35 modules-targeted.conf, 1.70, 1.71 policy-20071023.patch, 1.5, 1.6 selinux-policy.spec, 1.554, 1.555

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Sat Nov 10 13:21:07 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9207

Modified Files:
	booleans-targeted.conf modules-targeted.conf 
	policy-20071023.patch selinux-policy.spec 
Log Message:
* Sat Nov 10 2007 Dan Walsh <dwalsh at redhat.com> 3.1.1-1
- Update to upstream



Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- booleans-targeted.conf	24 Oct 2007 19:31:28 -0000	1.34
+++ booleans-targeted.conf	10 Nov 2007 13:20:34 -0000	1.35
@@ -1,6 +1,6 @@
 # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
 # 
-allow_execmem = true
+allow_execmem = false
 
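Review bot: Flipping `allow_execmem` from `true` to `false` changes the default for every domain that does not carry an explicit execmem allow, and the commit log (`Update to upstream`) gives no hint of it; a changelog line naming the new execmem/execstack defaults would help anyone chasing denials after this update. The header comment on this boolean already says it gates runtime code generation and executable stacks, so runtimes that JIT will presumably hit `execmem` denials unless their own domains grant it — worth confirming against the targeted policy before shipping. The paired `allow_execstack` flip in the next hunk is consistent with the file's own note that execstack requires execmem.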
 # Allow making a modified private filemapping executable (text relocation).
 # 
@@ -8,7 +8,7 @@
 
 # Allow making the stack executable via mprotect.Also requires allow_execmem.
 # 
-allow_execstack = true
+allow_execstack = false
 
 # Allow ftpd to read cifs directories.
 # 
@@ -148,7 +148,7 @@
 
 # Support NFS home directories
 # 
-use_nfs_home_dirs = false
+use_nfs_home_dirs = true
 
 # Support SAMBA home directories
 # 
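Review bot: Turning `use_nfs_home_dirs` on by default is a widening change rather than a hardening one — with it set, user domains are permitted to treat NFS-mounted content as home-directory content — and nothing in the commit record explains why the default moved. If this reflects an intended Fedora deployment decision, a comment in the file such as `# Default on: NFS-mounted home directories are supported out of the box` would make the intent visible, and the spec changelog should list it. Sites without NFS homes lose nothing by setting it back to false in booleans.local, which is worth a mention in release notes; the exact rules the boolean enables live in the policy sources, not in this hunk.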


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- modules-targeted.conf	7 Nov 2007 19:42:24 -0000	1.70
+++ modules-targeted.conf	10 Nov 2007 13:20:34 -0000	1.71
@@ -887,6 +887,13 @@
 # 
 postfix = base
 
+o# Layer: services
+# Module: postgrey
+#
+# email scanner
+# 
+postgrey = base
+
 # Layer: services
 # Module: ppp
 #
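Review bot: The added line `o# Layer: services` has a stray leading `o`, so it is no longer a comment line; depending on how the build parses modules.conf it is either silently ignored or read as a malformed module entry, and either way it should be `# Layer: services`. The description `email scanner` also looks copied from a neighbouring entry — postgrey is a Postfix greylisting policy daemon, so `# Postfix greylisting policy server` would describe the module more accurately. Neither affects the `postgrey = base` line itself, which is what the build consumes.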
@@ -1500,6 +1507,13 @@
 guest = module
 
 # Layer: users
+# Module: xguest
+#
+# Minimally privs guest account on X Windows logins
+# 
+xguest = module
+
+# Layer: users
 # Module: logadm
 #
 # Minimally prived root role for managing logging system

policy-20071023.patch:

Index: policy-20071023.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071023.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20071023.patch	7 Nov 2007 19:42:24 -0000	1.5
+++ policy-20071023.patch	10 Nov 2007 13:20:34 -0000	1.6
@@ -1,3 +1,14 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Changelog serefpolicy-3.1.0/Changelog
+--- nsaserefpolicy/Changelog	2007-11-08 09:29:27.000000000 -0500
++++ serefpolicy-3.1.0/Changelog	2007-11-06 09:28:26.000000000 -0500
+@@ -12,7 +12,6 @@
+   of confined and unconfined users.
+ - Added modules:
+ 	exim (Dan Walsh)
+-	postfixpolicyd (Jan-Frode Myklebust)
+ 
+ * Fri Sep 28 2007 Chris PeBenito <selinux at tresys.com> - 20070928
+ - Add support for setting the unknown permissions handling.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.1.0/config/appconfig-mcs/default_contexts
 --- nsaserefpolicy/config/appconfig-mcs/default_contexts	2007-10-12 08:56:09.000000000 -0400
 +++ serefpolicy-3.1.0/config/appconfig-mcs/default_contexts	2007-11-06 09:28:35.000000000 -0500
@@ -283,7 +294,7 @@
  class key
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.1.0/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/global_tunables	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/global_tunables	2007-11-07 15:32:58.000000000 -0500
 @@ -6,38 +6,35 @@
  
  ## <desc>
@@ -328,7 +339,33 @@
  ## </p>
  ## </desc>
  gen_tunable(allow_polyinstantiation,false)
-@@ -132,3 +129,12 @@
+@@ -64,23 +61,14 @@
+ 
+ ## <desc>
+ ## <p>
+-## Allow email client to various content.
+-## nfs, samba, removable devices, user temp
+-## and untrusted content files
+-## </p>
+-## </desc>
+-gen_tunable(mail_read_content,false)
+-
+-## <desc>
+-## <p>
+-## Allow nfs to be exported read/write.
++## Allow any files/directories to be exported read/write via NFS.
+ ## </p>
+ ## </desc>
+ gen_tunable(nfs_export_all_rw,false)
+ 
+ ## <desc>
+ ## <p>
+-## Allow nfs to be exported read only
++## Allow any files/directories to be exported read/only via NFS.
+ ## </p>
+ ## </desc>
+ gen_tunable(nfs_export_all_ro,false)
+@@ -132,3 +120,12 @@
  ## </p>
  ## </desc>
  gen_tunable(write_untrusted_content,false)
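Review bot: The new description on the `nfs_export_all_ro` tunable reads `read/only`, which should be `read-only` to match the `read/write` wording of the tunable above it, e.g. `## Allow any files/directories to be exported read-only via NFS.`. Separately, this hunk deletes the `mail_read_content` tunable from global_tunables; any module that still wraps rules in `tunable_policy(\`mail_read_content', ...)` will fail to link, and I cannot see from this excerpt whether the referencing modules were updated in the suppressed part of the patch — worth a full build before tagging. Dropping a tunable also leaves any existing `booleans.local` entry for it dangling, which presumably produces a warning or error at policy load and deserves a note in the changelog.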
@@ -1462,7 +1499,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.1.0/policy/modules/admin/su.if
 --- nsaserefpolicy/policy/modules/admin/su.if	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/admin/su.if	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/admin/su.if	2007-11-08 11:40:26.000000000 -0500
 @@ -41,12 +41,11 @@
  
  	allow $2 $1_su_t:process signal;
@@ -1580,7 +1617,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.1.0/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2007-10-23 07:37:52.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/admin/usermanage.te	2007-11-08 13:57:59.000000000 -0500
 @@ -92,6 +92,7 @@
  dev_read_urand(chfn_t)
  
@@ -1589,7 +1626,22 @@
  auth_dontaudit_read_shadow(chfn_t)
  
  # allow checking if a shell is executable
-@@ -297,9 +298,11 @@
+@@ -123,13 +124,7 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(chfn_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(chfn_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(chfn_t)
+-')
++auth_use_nsswitch(chfn_t)
+ 
+ ########################################
+ #
+@@ -297,9 +292,11 @@
  term_use_all_user_ttys(passwd_t)
  term_use_all_user_ptys(passwd_t)
  
@@ -1601,7 +1653,35 @@
  
  # allow checking if a shell is executable
  corecmd_check_exec_shell(passwd_t)
-@@ -533,6 +536,12 @@
+@@ -334,12 +331,9 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(passwd_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(passwd_t)
+-')
++auth_use_nsswitch(passwd_t)
+ 
+ optional_policy(`
+-	nscd_socket_use(passwd_t)
+ 	nscd_domtrans(passwd_t)
+ ')
+ 
+@@ -425,12 +419,9 @@
+ # on user home dir
+ userdom_dontaudit_search_all_users_home_content(sysadm_passwd_t)
+ 
+-optional_policy(`
+-	nis_use_ypbind(sysadm_passwd_t)
+-')
++auth_use_nsswitch(sysadm_passwd_t)
+ 
+ optional_policy(`
+-	nscd_socket_use(sysadm_passwd_t)
+ 	nscd_domtrans(sysadm_passwd_t)
+ ')
+ 
+@@ -533,6 +524,12 @@
  ')
  
  optional_policy(`
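Review bot: Replacing the two optional NIS/nscd grants with an unconditional `auth_use_nsswitch()` call on `chfn_t`, `passwd_t` and `sysadm_passwd_t` is a net widening of what these setuid, shadow-writing domains may reach, since that interface (in refpolicy generally) bundles name-service client access for every backend rather than just ypbind and nscd. That may well be the right trade-off for getpwnam() to work with LDAP or winbind, but it deserves a why-comment at each call site, e.g. `# name-service lookups (ypbind/nscd/ldap/...) via auth_use_nsswitch`, so the next reader does not reinstate the narrower optional_policy blocks. The remaining `optional_policy(\`` block now holds only `nscd_domtrans`, which is fine. The enclosing `passwd_t` and `sysadm_passwd_t` sections extend beyond this hunk.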
@@ -2847,20 +2927,29 @@
 +/etc/apcupsd/offbattery  --    gen_context(system_u:object_r:bin_t,s0)
 +/etc/apcupsd/onbattery  --    gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in
---- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-10-29 18:02:31.000000000 -0400
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-08 09:29:27.000000000 -0500
 +++ serefpolicy-3.1.0/policy/modules/kernel/corenetwork.te.in	2007-11-07 08:31:44.000000000 -0500
-@@ -132,6 +132,7 @@
+@@ -132,7 +132,7 @@
  network_port(openvpn, tcp,1194,s0, udp,1194,s0)
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
+-network_port(postfix_policyd, tcp,10031,s0)
 +network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
  network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
  network_port(portmap, udp,111,s0, tcp,111,s0)
  network_port(postgresql, tcp,5432,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.1.0/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc	2007-11-06 09:28:35.000000000 -0500
-@@ -20,6 +20,7 @@
++++ serefpolicy-3.1.0/policy/modules/kernel/devices.fc	2007-11-10 07:48:09.000000000 -0500
+@@ -13,6 +13,7 @@
+ /dev/audio.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
++/dev/dmmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
+ /dev/efirtc		-c	gen_context(system_u:object_r:clock_device_t,s0)
+ /dev/em8300.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
+@@ -20,6 +21,7 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
  /dev/full		-c	gen_context(system_u:object_r:null_device_t,s0)
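Review bot: The added nested `-` line removes the `postfix_policyd` port definition (tcp/10031) that the upstream corenetwork.te.in now carries, which together with the Changelog hunk at the top of this patch looks like a deliberate revert of upstream's postfixpolicyd module for Fedora; if so, a short comment in the Fedora patch or a changelog bullet saying the postfixpolicyd module and its port are intentionally not shipped would keep the next rebase from re-adding it by accident. I cannot see from this excerpt whether anything else in the patched tree still calls `corenet_*_postfix_policyd_port()`, which would be a build break worth checking. The `pgpkeyserver` port and the `/dev/dmmidi.*` sound-device context look fine as far as the hunk shows.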
@@ -2868,7 +2957,7 @@
  /dev/fw.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hiddev.*		-c	gen_context(system_u:object_r:usb_device_t,s0)
  /dev/hpet		-c	gen_context(system_u:object_r:clock_device_t,s0)
-@@ -30,6 +31,7 @@
+@@ -30,6 +32,7 @@
  /dev/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/kmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -2878,7 +2967,7 @@
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.1.0/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/kernel/devices.if	2007-11-06 09:28:35.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/kernel/devices.if	2007-11-08 14:28:51.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -2888,10 +2977,29 @@
  	relabelfrom_fifo_files_pattern($1,device_t,device_node)
[...1681 lines suppressed...]
++########################################
++## <summary>
+ ##	Read and write user temporary files.
+ ## </summary>
+ ## <desc>
+@@ -3077,7 +3229,7 @@
  #
  template(`userdom_tmp_filetrans_user_tmp',`
  	gen_require(`
@@ -14058,7 +14737,7 @@
  	')
  
  	files_tmp_filetrans($2,$1_tmp_t,$3)
-@@ -3911,7 +4044,7 @@
+@@ -3911,7 +4063,7 @@
  		type sysadm_t;
  	')
  
@@ -14067,7 +14746,7 @@
  	allow sysadm_t $1:fd use;
  	allow sysadm_t $1:fifo_file rw_file_perms;
  	allow sysadm_t $1:process sigchld;
-@@ -4201,11 +4334,11 @@
+@@ -4201,11 +4353,11 @@
  ## </param>
  #
  interface(`userdom_sigchld_sysadm',`
@@ -14083,7 +14762,7 @@
  ')
  
  ########################################
-@@ -4571,8 +4704,8 @@
+@@ -4571,8 +4723,8 @@
  
  	files_search_home($1)
  	allow $1 { sysadm_home_dir_t sysadm_home_t }:dir list_dir_perms;
@@ -14094,7 +14773,7 @@
  ')
  
  ########################################
-@@ -4592,8 +4725,8 @@
+@@ -4592,8 +4744,8 @@
  
  	files_search_tmp($1)
  	allow $1 sysadm_tmp_t:dir list_dir_perms;
@@ -14105,7 +14784,7 @@
  ')
  
  ########################################
-@@ -4608,11 +4741,29 @@
+@@ -4608,11 +4760,29 @@
  #
  interface(`userdom_search_all_users_home_dirs',`
  	gen_require(`
@@ -14136,7 +14815,7 @@
  ')
  
  ########################################
-@@ -4632,6 +4783,14 @@
+@@ -4632,6 +4802,14 @@
  
  	files_list_home($1)
  	allow $1 home_dir_type:dir list_dir_perms;
@@ -14151,7 +14830,7 @@
  ')
  
  ########################################
-@@ -4950,7 +5109,7 @@
+@@ -4950,7 +5128,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_dirs',`
  	gen_require(`
@@ -14160,7 +14839,7 @@
  	')
  
  	files_search_home($1)
-@@ -5068,7 +5227,7 @@
+@@ -5068,7 +5246,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_symlinks',`
  	gen_require(`
@@ -14169,7 +14848,7 @@
  	')
  
  	files_search_home($1)
-@@ -5088,7 +5247,7 @@
+@@ -5088,7 +5266,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_pipes',`
  	gen_require(`
@@ -14178,7 +14857,7 @@
  	')
  
  	files_search_home($1)
-@@ -5108,7 +5267,7 @@
+@@ -5108,7 +5286,7 @@
  #
  interface(`userdom_manage_generic_user_home_content_sockets',`
  	gen_require(`
@@ -14187,7 +14866,7 @@
  	')
  
  	files_search_home($1)
-@@ -5322,7 +5481,7 @@
+@@ -5322,7 +5500,7 @@
  		attribute user_tmpfile;
  	')
  
@@ -14196,7 +14875,7 @@
  ')
  
  ########################################
-@@ -5528,6 +5687,24 @@
+@@ -5528,6 +5706,24 @@
  
  ########################################
  ## <summary>
@@ -14221,7 +14900,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5558,3 +5735,379 @@
+@@ -5558,3 +5754,379 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -14603,7 +15282,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-3.1.0/policy/modules/system/userdomain.te
 --- nsaserefpolicy/policy/modules/system/userdomain.te	2007-10-12 08:56:08.000000000 -0400
-+++ serefpolicy-3.1.0/policy/modules/system/userdomain.te	2007-11-06 16:05:43.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/system/userdomain.te	2007-11-07 15:10:02.000000000 -0500
 @@ -17,20 +17,13 @@
  
  ## <desc>
@@ -15050,26 +15729,12 @@
 +## <summary>Policy for guest user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/guest.te serefpolicy-3.1.0/policy/modules/users/guest.te
 --- nsaserefpolicy/policy/modules/users/guest.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.1.0/policy/modules/users/guest.te	2007-11-06 09:28:35.000000000 -0500
-@@ -0,0 +1,18 @@
++++ serefpolicy-3.1.0/policy/modules/users/guest.te	2007-11-08 08:58:06.000000000 -0500
+@@ -0,0 +1,4 @@
 +policy_module(guest,1.0.0)
 +userdom_unpriv_login_user(guest)
 +userdom_unpriv_login_user(gadmin)
-+userdom_unpriv_xwindows_login_user(xguest)
-+mozilla_per_role_template(xguest, xguest_t, xguest_r)
 +
-+optional_policy(`
-+	consolekit_dbus_chat(xguest_t)
-+')
-+
-+optional_policy(`
-+	bluetooth_dbus_chat(xguest_t)
-+')
-+
-+# Allow mounting of file systems
-+optional_policy(`
-+	hal_dbus_chat(xguest_t)
-+')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.1.0/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.1.0/policy/modules/users/logadm.fc	2007-11-06 09:28:35.000000000 -0500
@@ -15156,9 +15821,34 @@
 +')
 +allow gadmin_t webadm_t:process transition;
 +allow webadm_t gadmin_t:dir getattr;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.fc serefpolicy-3.1.0/policy/modules/users/xguest.fc
+--- nsaserefpolicy/policy/modules/users/xguest.fc	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.fc	2007-11-08 08:59:47.000000000 -0500
+@@ -0,0 +1 @@
++# No xguest file contexts.
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.if serefpolicy-3.1.0/policy/modules/users/xguest.if
+--- nsaserefpolicy/policy/modules/users/xguest.if	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.if	2007-11-08 08:59:47.000000000 -0500
+@@ -0,0 +1 @@
++## <summary>Policy for xguest user</summary>
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.te serefpolicy-3.1.0/policy/modules/users/xguest.te
+--- nsaserefpolicy/policy/modules/users/xguest.te	1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.1.0/policy/modules/users/xguest.te	2007-11-08 08:59:49.000000000 -0500
+@@ -0,0 +1,11 @@
++policy_module(xguest,1.0.0)
++userdom_unpriv_xwindows_login_user(xguest)
++mozilla_per_role_template(xguest, xguest_t, xguest_r)
++# Allow mounting of file systems
++optional_policy(`
++	hal_dbus_chat(xguest_t)
++')
++
++optional_policy(`
++	bluetooth_dbus_chat(xguest_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.1.0/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt	2007-11-06 09:28:36.000000000 -0500
++++ serefpolicy-3.1.0/policy/support/obj_perm_sets.spt	2007-11-09 14:33:41.000000000 -0500
 @@ -204,7 +204,7 @@
  define(`getattr_file_perms',`{ getattr }')
  define(`setattr_file_perms',`{ setattr }')
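Review bot: The new xguest.te carries over the `hal_dbus_chat` and `bluetooth_dbus_chat` optional blocks that were removed from guest.te earlier in this patch but silently drops the `consolekit_dbus_chat(xguest_t)` block the old guest.te version had; if that is intentional it deserves a comment, and if not, xguest X logins that go through ConsoleKit may start producing dbus denials — worth testing an xguest login before release. For a user that modules-targeted.conf describes as minimally privileged, the `# Allow mounting of file systems` grant via HAL is the one rule here with real impact on what a guest can touch, so a sentence on why it is wanted (removable media at the console, presumably) would help. A blank line between the `mozilla_per_role_template` call and that comment would match the layout of the other users/*.te files in this patch.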


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.554
retrieving revision 1.555
diff -u -r1.554 -r1.555
--- selinux-policy.spec	7 Nov 2007 19:42:24 -0000	1.554
+++ selinux-policy.spec	10 Nov 2007 13:20:34 -0000	1.555
@@ -16,7 +16,7 @@
 %define CHECKPOLICYVER 2.0.3-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.1.0
+Version: 3.1.1
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
@@ -179,7 +179,7 @@
 # Build targeted policy
 %{__rm} -fR %{buildroot}
 mkdir -p %{buildroot}%{_mandir}
-cp -R  man %{buildroot}%{_mandir}
+cp -R  man/* %{buildroot}%{_mandir}
 mkdir -p %{buildroot}%{_sysconfdir}/selinux
 mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
 touch %{buildroot}%{_sysconfdir}/selinux/config
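Review bot: The change from `cp -R man` to `cp -R man/*` looks like a fix for man pages landing under a nested `%{_mandir}/man/` directory, but the changelog entry added below says only `Update to upstream`; a second bullet such as `- Install man pages directly under %{_mandir}` would record the packaging fix. Note the glob form makes the build fail if the `man` directory is ever empty (the unexpanded `man/*` is passed literally), which is arguably the desirable behaviour but differs from the old command. The rest of the %install section is outside this hunk.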
@@ -379,6 +379,9 @@
 %endif
 
 %changelog
+* Sat Nov 10 2007 Dan Walsh <dwalsh at redhat.com> 3.1.1-1
+- Update to upstream
+
 * Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 3.1.0-1
 - Update to upstream
 



