rpms/sepostgresql/devel sepostgresql.init, 1.6, 1.7 sepostgresql.spec, 1.6, 1.7 sepostgresql.te, 1.6, 1.7

KaiGai Kohei (kaigai) fedora-extras-commits at redhat.com
Tue Nov 20 16:19:08 UTC 2007


Author: kaigai

Update of /cvs/pkgs/rpms/sepostgresql/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21522

Modified Files:
	sepostgresql.init sepostgresql.spec sepostgresql.te 
Log Message:
Add a security policy hotfix for labeled networking.
It enables client domains to communicate with SE-PostgreSQL.



Index: sepostgresql.init
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql.init,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sepostgresql.init	1 Nov 2007 14:00:32 -0000	1.6
+++ sepostgresql.init	20 Nov 2007 16:18:34 -0000	1.7
@@ -9,7 +9,7 @@
 
 PGVERSION="8.2.5"
 PGMAJORVERSION=`echo "$PGVERSION" | sed 's/^\([0-9]*\.[0-9]*\).*$/\1/'`
-SEPGVERSION="1.51"
+SEPGVERSION="1.66"
 
 # source function library
 . /etc/rc.d/init.d/functions


Index: sepostgresql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sepostgresql.spec	1 Nov 2007 14:00:32 -0000	1.6
+++ sepostgresql.spec	20 Nov 2007 16:18:34 -0000	1.7
@@ -13,7 +13,7 @@
 Summary: Security Enhanced PostgreSQL
 Name: sepostgresql
 Version: 8.2.5
-Release: 1.51%{?sepgsql_extension}%{?dist}
+Release: 1.66%{?sepgsql_extension}%{?dist}
 License: BSD
 Group: Applications/Databases
 Url: http://code.google.com/p/sepgsql/
@@ -208,6 +208,9 @@
 %attr(700,sepgsql,sepgsql) %dir %{_localstatedir}/lib/sepgsql/backups
 
 %changelog
+* Wed Nov 21 2007 <kaigai at kaigai.gr.jp> - 8.2.5-1.66
+- Add a policy module hotfix for labeled networking
+
 * Thu Nov 1 2007 <kaigai at kaigai.gr.jp> - 8.2.5-1.51
 - Re-organize repository to prepare to branch 8.3.x based tree.
   (no differences from 8.2.5-1.33)


Index: sepostgresql.te
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/devel/sepostgresql.te,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sepostgresql.te	1 Nov 2007 14:00:32 -0000	1.6
+++ sepostgresql.te	20 Nov 2007 16:18:34 -0000	1.7
@@ -1,4 +1,4 @@
-policy_module(sepostgresql, 1.51)
+policy_module(sepostgresql, 1.66)
 
 gen_require(`
 	all_userspace_class_perms
@@ -281,3 +281,30 @@
 tunable_policy(`! sepgsql_enable_audittuple || ! sepgsql_enable_auditdeny',`
 	dontaudit domain sepgsql_table_type : db_tuple all_db_tuple_perms;
 ')
+
+########################################
+#
+# Hotfixes for labeled networking
+# 
+# NOTE: These changes are to be merged in the later releases.
+optional_policy(`
+	gen_require(`
+		attribute sepgsql_server_type;
+		attribute sepgsql_users_domain;
+		attribute unconfined_domain_type;
+		type unlabeled_t;
+		type ipsec_spd_t;
+		type racoon_t;
+	')
+	# allow unconfined_t to set default SPD context
+	allow unconfined_domain_type ipsec_spd_t : association { setcontext };
+	# allow server/client domain to communicate via default SPD context
+	allow { sepgsql_server_type sepgsql_users_domain } ipsec_spd_t : association { polmatch };
+	allow { sepgsql_server_type sepgsql_users_domain } self : association { sendto };
+	allow sepgsql_server_type sepgsql_users_domain : { association tcp_socket } recvfrom;
+	allow sepgsql_users_domain sepgsql_server_type : { association tcp_socket } recvfrom;
+	# racoon_t/unlabeled_t related
+	allow unlabeled_t self : association { sendto };
+	allow unlabeled_t ipsec_spd_t : association { polmatch };
+	allow racoon_t unlabeled_t : association { setcontext };
+')
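Review bot: The three rules under `# racoon_t/unlabeled_t related` grant host-wide IPsec permissions to `unlabeled_t` and `racoon_t` that involve none of the sepgsql domains, so this database module widens which unlabeled associations may match the default SPD for every service on the machine, not just SE-PostgreSQL. If they are needed until the base policy catches up, they belong in their own `optional_policy` with a separate `gen_require`, because as I read optional blocks a single missing type (e.g. `racoon_t`) silently disables the whole block and takes the sepgsql-specific grants with it. The comment on the first rule says `unconfined_t` while the rule applies to the entire `unconfined_domain_type` attribute; suggest `# allow every unconfined domain to set the default SPD context`. The NOTE at the top should also name the release expected to absorb the hotfix so it can be removed then.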



