rpms/selinux-policy/F-7 policy-20070501.patch, 1.62, 1.63 selinux-policy.spec, 1.497, 1.498
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Sat Oct 6 13:01:43 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10267
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-47
- Fixes for proftp
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- policy-20070501.patch 2 Oct 2007 04:16:19 -0000 1.62
+++ policy-20070501.patch 6 Oct 2007 13:01:10 -0000 1.63
@@ -186,15 +186,17 @@
logging_log_file(acct_data_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.fc serefpolicy-2.6.4/policy/modules/admin/alsa.fc
--- nsaserefpolicy/policy/modules/admin/alsa.fc 2007-05-07 14:51:05.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/admin/alsa.fc 2007-08-07 09:42:34.000000000 -0400
-@@ -1,4 +1,7 @@
++++ serefpolicy-2.6.4/policy/modules/admin/alsa.fc 2007-10-02 11:59:34.000000000 -0400
+@@ -1,4 +1,9 @@
/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
++/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-+/etc/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0)
++/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
+/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
++/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-2.6.4/policy/modules/admin/alsa.te
--- nsaserefpolicy/policy/modules/admin/alsa.te 2007-05-07 14:51:05.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/admin/alsa.te 2007-08-07 09:42:34.000000000 -0400
@@ -2249,7 +2251,7 @@
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-09-11 14:40:52.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-10-05 10:05:49.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -2377,7 +2379,52 @@
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3310,6 +3364,43 @@
+@@ -3203,6 +3257,44 @@
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to get the attributes
++## of all tmp sock_file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain not to audit.
++## </summary>
++## </param>
++#
++interface(`files_dontaudit_getattr_all_tmp_sockets',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ dontaudit $1 tmpfile:sock_file getattr;
++')
++
++########################################
++## <summary>
++## Allow attempts to get the attributes
++## of all tmp files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain not to audit.
++## </summary>
++## </param>
++#
++interface(`files_getattr_all_tmp_files',`
++ gen_require(`
++ attribute tmpfile;
++ ')
++
++ allow $1 tmpfile:file getattr;
++')
++
++########################################
++## <summary>
+ ## Read all tmp files.
+ ## </summary>
+ ## <param name="domain">
+@@ -3310,6 +3402,43 @@
########################################
## <summary>
@@ -2421,7 +2468,7 @@
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
-@@ -3386,6 +3477,24 @@
+@@ -3386,6 +3515,24 @@
########################################
## <summary>
@@ -2446,7 +2493,7 @@
## Read symbolic links in /usr.
## </summary>
## <param name="domain">
-@@ -3432,6 +3541,24 @@
+@@ -3432,6 +3579,24 @@
########################################
## <summary>
@@ -2471,7 +2518,7 @@
## Do not audit attempts to search /usr/src.
## </summary>
## <param name="domain">
-@@ -3637,7 +3764,7 @@
+@@ -3637,7 +3802,7 @@
type var_t;
')
@@ -2480,7 +2527,7 @@
')
########################################
-@@ -3993,7 +4120,7 @@
+@@ -3993,7 +4158,7 @@
type var_lock_t;
')
@@ -2489,7 +2536,7 @@
')
########################################
-@@ -4012,7 +4139,7 @@
+@@ -4012,7 +4177,7 @@
type var_t, var_lock_t;
')
@@ -2498,7 +2545,7 @@
')
########################################
-@@ -4181,7 +4308,7 @@
+@@ -4181,7 +4346,7 @@
type var_run_t;
')
@@ -2507,7 +2554,7 @@
')
########################################
-@@ -4529,6 +4656,8 @@
+@@ -4529,6 +4694,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -2516,7 +2563,7 @@
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4551,6 +4680,8 @@
+@@ -4551,6 +4718,8 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -2525,7 +2572,7 @@
')
########################################
-@@ -4588,3 +4719,28 @@
+@@ -4588,3 +4757,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -4794,7 +4841,7 @@
+/usr/local/Brother/inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.6.4/policy/modules/services/cups.te
--- nsaserefpolicy/policy/modules/services/cups.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/cups.te 2007-10-05 08:56:23.000000000 -0400
@@ -93,8 +93,6 @@
# generic socket here until appletalk socket is available in kernels
allow cupsd_t self:socket create_socket_perms;
@@ -4846,7 +4893,21 @@
auth_dontaudit_read_pam_pid(cupsd_t)
# Filter scripts may be shell scripts, and may invoke progs like /bin/mktemp
-@@ -207,6 +209,7 @@
+@@ -199,14 +201,17 @@
+ files_read_var_symlinks(cupsd_t)
+ # for /etc/printcap
+ files_dontaudit_write_etc_files(cupsd_t)
+-# smbspool seems to be iterating through all existing tmp files.
+-# redhat bug #214953
+-# cjp: this might be a broken behavior
+-files_dontaudit_getattr_all_tmp_files(cupsd_t)
++
++# smbspool is iterating through all existing tmp files.
++# Looking for kerberos files
++files_getattr_all_tmp_files(cupsd_t)
++files_read_all_tmp_files(cupsd_t)
++files_dontaudit_getattr_all_tmp_sockets(cupsd_t)
+
selinux_compute_access_vector(cupsd_t)
init_exec_script_files(cupsd_t)
@@ -4854,7 +4915,7 @@
libs_use_ld_so(cupsd_t)
libs_use_shared_libs(cupsd_t)
-@@ -214,6 +217,7 @@
+@@ -214,6 +219,7 @@
libs_read_lib_files(cupsd_t)
logging_send_syslog_msg(cupsd_t)
@@ -4862,7 +4923,7 @@
miscfiles_read_localization(cupsd_t)
# invoking ghostscript needs to read fonts
-@@ -223,6 +227,7 @@
+@@ -223,6 +229,7 @@
sysnet_read_config(cupsd_t)
@@ -4870,7 +4931,7 @@
userdom_dontaudit_use_unpriv_user_fds(cupsd_t)
userdom_dontaudit_search_all_users_home_content(cupsd_t)
-@@ -233,6 +238,10 @@
+@@ -233,6 +240,10 @@
lpd_relabel_spool(cupsd_t)
')
@@ -4881,7 +4942,7 @@
ifdef(`targeted_policy',`
files_dontaudit_read_root_files(cupsd_t)
-@@ -284,6 +293,10 @@
+@@ -284,6 +295,10 @@
')
optional_policy(`
@@ -4892,7 +4953,7 @@
nscd_socket_use(cupsd_t)
')
-@@ -294,6 +307,10 @@
+@@ -294,6 +309,10 @@
')
optional_policy(`
@@ -4903,7 +4964,7 @@
seutil_sigchld_newrole(cupsd_t)
')
-@@ -587,7 +604,7 @@
+@@ -587,7 +606,7 @@
dev_read_urand(hplip_t)
dev_read_rand(hplip_t)
dev_rw_generic_usb_dev(hplip_t)
@@ -5371,353 +5432,195 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-2.6.4/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-09-13 12:59:21.000000000 -0400
-@@ -0,0 +1,6 @@
++++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2007-10-05 09:28:27.000000000 -0400
+@@ -0,0 +1,16 @@
++# $Id$
++# Draft SELinux refpolicy module for the Exim MTA
++#
++# Devin Carraway <selinux/at/devin.com>
++
++/var/spool/exim4?(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
++/var/run/exim4?(/.*)? gen_context(system_u:object_r:exim_var_run_t,s0)
++/var/log/exim4?(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
++/usr/sbin/exim4? gen_context(system_u:object_r:exim_exec_t,s0)
++ifdef(`distro_debian', `
++/usr/sbin/update-exim4\.conf gen_context(system_u:object_r:exim_conf_update_exec_t,s0)
++# work around a misparse if the word template appears without adjustment
++/usr/sbin/update-exim4\.conf\.[t]emplate gen_context(system_u:object_r:exim_conf_update_exec_t,s0)
++/var/lib/exim4?(/.*)? gen_context(system_u:object_r:exim_lib_t,s0)
++')
+
-+/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
-+/etc/rc.d/init.d/exim -- gen_context(system_u:object_r:exim_script_exec_t,s0)
-+/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
-+/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
-+/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-2.6.4/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/exim.if 2007-09-13 12:59:21.000000000 -0400
-@@ -0,0 +1,330 @@
-+
-+## <summary>policy for exim</summary>
++++ serefpolicy-2.6.4/policy/modules/services/exim.if 2007-10-05 09:28:30.000000000 -0400
+@@ -0,0 +1,157 @@
++## <summary>Exim service</summary>
+
+########################################
+## <summary>
-+## Execute a domain transition to run exim.
++## Permit transitions to the exim domain
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
+interface(`exim_domtrans',`
+ gen_require(`
+ type exim_t;
-+ type exim_exec_t;
-+ ')
-+
-+ domain_auto_trans($1,exim_exec_t,exim_t)
-+
-+ allow exim_t $1:fd use;
-+ allow exim_t $1:fifo_file rw_file_perms;
-+ allow exim_t $1:process sigchld;
-+')
-+
-+
-+########################################
-+## <summary>
-+## Execute exim server in the exim domain.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## The type of the process performing this action.
-+## </summary>
-+## </param>
-+#
-+interface(`exim_script_domtrans',`
-+ gen_require(`
-+ type exim_script_exec_t;
-+ ')
-+
-+ init_script_domtrans_spec($1,exim_script_exec_t)
-+')
-+
-+########################################
-+## <summary>
-+## Do not audit attempts to read,
-+## exim tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`exim_dontaudit_read_tmp_files',`
-+ gen_require(`
-+ type exim_tmp_t;
-+ ')
-+
-+ dontaudit $1 exim_tmp_t:file r_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Allow domain to read, exim tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`exim_read_tmp_files',`
-+ gen_require(`
-+ type exim_tmp_t;
-+ ')
-+
-+ allow $1 exim_tmp_t:file r_file_perms;
-+')
-+
-+########################################
-+## <summary>
-+## Allow domain to manage exim tmp files
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
-+## </param>
-+#
-+interface(`exim_manage_tmp',`
-+ gen_require(`
-+ type exim_tmp_t;
++ type exim_exec_t;
+ ')
+
-+ manage_dir_perms($1,exim_tmp_t,exim_tmp_t)
-+ manage_file_perms($1,exim_tmp_t,exim_tmp_t)
-+ manage_lnk_file_perms($1,exim_tmp_t,exim_tmp_t)
++ corecmd_search_sbin($1)
++ domtrans_pattern($1, exim_t, exim_exec_t)
+')
+
+########################################
+## <summary>
-+## Read exim PID files.
++## Read generated exim configuration
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_read_pid_files',`
++interface(`exim_read_lib',`
+ gen_require(`
-+ type exim_var_run_t;
++ type exim_lib_t;
+ ')
+
-+ files_search_pids($1)
-+ allow $1 exim_var_run_t:file r_file_perms;
++ files_search_var_lib($1)
++ read_files_pattern($1, exim_lib_t, exim_lib_t);
+')
+
+########################################
+## <summary>
-+## Manage exim var_run files.
++## Manage generated exim configuration
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_manage_var_run',`
++interface(`exim_manage_lib',`
+ gen_require(`
-+ type exim_var_run_t;
++ type exim_lib_t;
+ ')
+
-+ manage_dir_perms($1,exim_var_run_t,exim_var_run_t)
-+ manage_file_perms($1,exim_var_run_t,exim_var_run_t)
-+ manage_lnk_file_perms($1,exim_var_run_t,exim_var_run_t)
++ files_search_var_lib($1)
++ manage_files_pattern($1, exim_lib_t, exim_lib_t);
+')
+
-+
+########################################
+## <summary>
-+## Allow the specified domain to read exim's log files.
++## Grants readonly access to Exim logs
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`exim_read_log',`
++interface(`exim_read_logs',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
-+ logging_search_logs($1)
-+ allow $1 exim_log_t:dir r_dir_perms;
-+ allow $1 exim_log_t:file { read getattr lock };
-+')
-+
-+########################################
-+## <summary>
-+## Allow the specified domain to append
-+## exim log files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed to transition.
-+## </summary>
-+## </param>
-+#
-+interface(`exim_append_log',`
-+ gen_require(`
-+ type var_log_t, exim_log_t;
-+ ')
-+
-+ logging_search_logs($1)
-+ allow $1 exim_log_t:dir r_dir_perms;
-+ allow $1 exim_log_t:file { getattr append };
++ files_search_var($1)
++ read_files_pattern($1, exim_log_t, exim_log_t)
+')
+
+########################################
+## <summary>
-+## Allow domain to manage exim log files
++## Manage exim logs
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_manage_log',`
++interface(`exim_manage_logs',`
+ gen_require(`
+ type exim_log_t;
+ ')
+
-+ manage_dir_perms($1,exim_log_t,exim_log_t)
-+ manage_file_perms($1,exim_log_t,exim_log_t)
-+ manage_lnk_file_perms($1,exim_log_t,exim_log_t)
++ files_search_var($1)
++ manage_files_pattern($1, exim_log_t, exim_log_t)
+')
+
+########################################
+## <summary>
-+## Search exim spool directories.
++## Read contents of exim spool
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_search_spool',`
++interface(`exim_read_spool',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
-+ allow $1 exim_spool_t:dir search_dir_perms;
+ files_search_spool($1)
++ list_dirs_pattern($1, exim_spool_t, exim_spool_t)
++ read_files_pattern($1, exim_spool_t, exim_spool_t)
+')
+
+########################################
+## <summary>
-+## Read exim spool files.
++## Modify/delete contents of exim mail spool
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_read_spool_files',`
-+ gen_require(`
-+ type exim_spool_t;
-+ ')
-+
-+ allow $1 exim_spool_t:file r_file_perms;
-+ allow $1 exim_spool_t:dir list_dir_perms;
-+ files_search_spool($1)
-+')
-+
-+########################################
-+## <summary>
-+## Create, read, write, and delete
-+## exim spool files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`exim_manage_spool_files',`
++interface(`exim_manage_spool',`
+ gen_require(`
+ type exim_spool_t;
+ ')
+
-+ allow $1 exim_spool_t:file manage_file_perms;
-+ allow $1 exim_spool_t:dir rw_dir_perms;
+ files_search_spool($1)
++ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
++ manage_files_pattern($1, exim_spool_t, exim_spool_t)
+')
+
+########################################
+## <summary>
-+## Allow domain to manage exim spool files
++## Create an exim mail spool (implies creating dirs in var_spool_t).
+## </summary>
+## <param name="domain">
-+## <summary>
-+## Domain to not audit.
-+## </summary>
++## <summary>
++## Domain allowed access.
++## </summary>
+## </param>
+#
-+interface(`exim_manage_spool',`
++interface(`exim_create_spool',`
+ gen_require(`
++ type var_spool_t;
+ type exim_spool_t;
+ ')
+
-+ manage_dir_perms($1,exim_spool_t,exim_spool_t)
-+ manage_file_perms($1,exim_spool_t,exim_spool_t)
-+ manage_lnk_file_perms($1,exim_spool_t,exim_spool_t)
-+')
-+
-+
-+########################################
-+## <summary>
-+## All of the rules required to administrate an exim environment
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role to be allowed to manage the exim domain.
-+## </summary>
-+## </param>
-+## <param name="terminal">
-+## <summary>
-+## The type of the terminal allow the dmidecode domain to use.
-+## </summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`exim_admin',`
-+ gen_require(`
-+ type exim_t;
-+ ')
-+
-+ allow $1 exim_t:process { ptrace signal_perms getattr };
-+ read_files_pattern($1, exim_t, exim_t)
-+
-+
-+ # Allow $1 to restart the apache service
-+ exim_script_domtrans($1)
-+ domain_system_change_exemption($1)
-+ role_transition $2 exim_script_exec_t system_r;
-+ allow $2 system_r;
-+
-+ exim_manage_tmp($1)
-+
-+ exim_manage_var_run($1)
-+
-+ exim_manage_log($1)
-+
-+ exim_manage_spool($1)
-+
++ create_dirs_pattern($1, var_spool_t, exim_spool_t)
++ filetrans_pattern($1, var_spool_t, exim_spool_t, dir)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-09-13 12:59:21.000000000 -0400
-@@ -0,0 +1,108 @@
-+policy_module(exim,1.0.0)
++++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-05 09:28:22.000000000 -0400
+@@ -0,0 +1,229 @@
++# $Id$
++# Draft SELinux refpolicy module for the Exim MTA
++#
++# Devin Carraway <selinux/at/devin.com>
++
++policy_module(exim, 1.0.0)
+
+########################################
+#
@@ -5726,14 +5629,16 @@
+
+type exim_t;
+type exim_exec_t;
-+domain_type(exim_t)
-+init_daemon_domain(exim_t, exim_exec_t)
++mta_mailserver(exim_t, exim_exec_t)
++mta_mailserver_user_agent(exim_t)
++application_executable_file(exim_exec_t)
++mta_mailclient(exim_exec_t)
+
+type exim_script_exec_t;
+init_script_type(exim_script_exec_t)
+
-+type exim_tmp_t;
-+files_tmp_file(exim_tmp_t)
++type exim_spool_t;
++files_type(exim_spool_t)
+
+type exim_var_run_t;
+files_pid_file(exim_var_run_t)
@@ -5741,78 +5646,153 @@
+type exim_log_t;
+logging_log_file(exim_log_t)
+
-+type exim_spool_t;
-+files_type(exim_spool_t)
-+
+########################################
+#
-+# exim local policy
++# exim booleans
+#
+
-+allow exim_t self:capability { dac_override dac_read_search setuid setgid };
-+
-+## internal communication is often done using fifo and unix sockets.
-+allow exim_t self:fifo_file rw_file_perms;
-+allow exim_t self:unix_stream_socket create_stream_socket_perms;
-+
-+allow exim_t exim_tmp_t:file manage_file_perms;
-+allow exim_t exim_tmp_t:dir create_dir_perms;
-+files_tmp_filetrans(exim_t,exim_tmp_t, { file dir })
-+
-+allow exim_t exim_var_run_t:file manage_file_perms;
-+allow exim_t exim_var_run_t:dir manage_dir_perms;
-+files_pid_filetrans(exim_t,exim_var_run_t, { file dir })
-+
-+allow exim_t exim_log_t:file manage_file_perms;
-+allow exim_t exim_log_t:dir { rw_dir_perms setattr };
-+logging_log_filetrans(exim_t,exim_log_t,{ file dir })
-+
-+allow exim_t exim_spool_t:dir manage_dir_perms;
-+allow exim_t exim_spool_t:file manage_file_perms;
-+allow exim_t exim_spool_t:sock_file create_file_perms;
-+files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++## <desc>
++## <p>
++## Allow exim to connect to databases (postgres, mysql)
++## </p>
++## </desc>
++gen_tunable(exim_can_connect_db, false)
+
-+auth_use_nsswitch(exim_t)
++## <desc>
++## <p>
++## Allow exim to read files in users homedirectories
++## </p>
++## </desc>
++gen_tunable(exim_read_user_files, false)
+
-+can_exec(exim_t,exim_exec_t)
++## <desc>
++## <p>
++## Allow exim to manage files in users homedirectories
++## </p>
++## </desc>
++gen_tunable(exim_manage_user_files, false)
+
-+# Init script handling
-+domain_use_interactive_fds(exim_t)
++########################################
++#
++# exim local policy
++#
+
-+files_read_etc_files(exim_t)
++allow exim_t self:capability { sys_resource dac_override dac_read_search setuid setgid fowner chown };
++allow exim_t self:process { setrlimit setpgid };
++allow exim_t self:fifo_file rw_file_perms;
++allow exim_t self:tcp_socket create_stream_socket_perms;
++allow exim_t self:udp_socket create_socket_perms;
++allow exim_t self:unix_stream_socket create_stream_socket_perms;
+
-+sysnet_dns_name_resolve(exim_t)
+corenet_all_recvfrom_unlabeled(exim_t)
-+
-+allow exim_t self:tcp_socket create_stream_socket_perms;
++corenet_all_recvfrom_netlabel(exim_t)
++corenet_udp_sendrecv_all_if(exim_t)
++corenet_udp_sendrecv_all_nodes(exim_t)
+corenet_tcp_sendrecv_all_if(exim_t)
+corenet_tcp_sendrecv_all_nodes(exim_t)
-+corenet_tcp_sendrecv_all_ports(exim_t)
+corenet_tcp_bind_all_nodes(exim_t)
-+corenet_tcp_bind_smtp_port(exim_t)
+corenet_tcp_bind_amavisd_send_port(exim_t)
++corenet_tcp_bind_smtp_port(exim_t)
++corenet_tcp_connect_smtp_port(exim_t)
++corenet_tcp_sendrecv_smtp_port(exim_t)
++corenet_sendrecv_smtp_server_packets(exim_t)
++corenet_sendrecv_all_client_packets(exim_t)
++
++# make identd connections
+corenet_tcp_connect_auth_port(exim_t)
-+corenet_tcp_connect_inetd_child_port(exim_t)
++corenet_tcp_sendrecv_auth_port(exim_t)
+
-+corecmd_search_bin(exim_t)
++# connect to spamassassin
++corenet_tcp_connect_spamd_port(exim_t)
++corenet_tcp_sendrecv_spamd_port(exim_t)
+
+libs_use_ld_so(exim_t)
++libs_read_lib_files(exim_t)
++libs_exec_lib_files(exim_t)
+libs_use_shared_libs(exim_t)
-+logging_send_syslog_msg(exim_t)
++libs_legacy_use_shared_libs(exim_t)
+
-+miscfiles_read_localization(exim_t)
++# PID files
++manage_files_pattern(exim_t, exim_var_run_t, exim_var_run_t)
++files_pid_filetrans(exim_t, exim_var_run_t, file)
++
++auth_use_nsswitch(exim_t)
++
++# Exim uses BerkeleyDB, which checks /var/tmp but doesn't actually use it
++files_dontaudit_getattr_tmp_dirs(exim_t)
++files_search_usr(exim_t)
++files_search_var(exim_t)
++files_read_etc_files(exim_t)
++
++fs_getattr_xattr_fs(exim_t)
+
+kernel_read_kernel_sysctls(exim_t)
++kernel_dontaudit_read_system_state(exim_t)
++
++miscfiles_read_localization(exim_t)
++miscfiles_read_certs(exim_t)
+
-+mta_mailclient(exim_exec_t)
+mta_read_aliases(exim_t)
++mta_read_config(exim_t)
+mta_rw_spool(exim_t)
++mta_mailserver_delivery(exim_t)
++
++# Init script handling
++domain_use_interactive_fds(exim_t)
++
++can_exec(exim_t,exim_exec_t)
++
++exim_create_spool(exim_t)
++exim_manage_spool(exim_t)
++allow exim_t exim_spool_t:sock_file create_file_perms;
++files_spool_filetrans(exim_t,exim_spool_t, { file dir sock_file })
++
++## logging
++logging_send_syslog_msg(exim_t)
++exim_manage_logs(exim_t)
++logging_log_filetrans(exim_t, exim_log_t, { file dir })
++
++corecmd_search_bin(exim_t)
++
++# TLS sessions need entropy
++dev_read_urand(exim_t)
++dev_read_rand(exim_t)
++
++tunable_policy(`exim_can_connect_db',`
++ corenet_tcp_connect_mysqld_port(exim_t)
++ corenet_sendrecv_mysqld_client_packets(exim_t)
++ corenet_tcp_connect_postgresql_port(exim_t)
++ corenet_sendrecv_postgresql_client_packets(exim_t)
++')
++
++optional_policy(`
++ tunable_policy(`exim_can_connect_db',`
++ mysql_stream_connect(exim_t)
++ ')
++')
++
++optional_policy(`
++ tunable_policy(`exim_can_connect_db',`
++ postgresql_stream_connect(exim_t)
++ ')
++')
+
-+userdom_dontaudit_search_sysadm_home_dirs(exim_t)
-+userdom_dontaudit_search_generic_user_home_dirs(exim_t)
++optional_policy(`
++ mailman_read_data_files(exim_t)
++ mailman_domtrans(exim_t)
++')
+
-+bool exim_read_user_files false;
-+bool exim_manage_user_files false;
++optional_policy(`
++ procmail_domtrans(exim_t)
++')
++
++optional_policy(`
++ sasl_connect(exim_t)
++')
++
++optional_policy(`
++ cyrus_stream_connect(exim_t)
++')
+
+if (exim_read_user_files) {
+ userdom_read_unpriv_users_home_content_files(exim_t)
@@ -5825,9 +5805,48 @@
+ userdom_write_unpriv_users_tmp_files(exim_t)
+}
+
++## receipt & validation
++
++optional_policy(`
++ clamav_domtrans_clamscan(exim_t)
++ clamav_stream_connect(exim_t)
++')
++
++optional_policy(`
++ spamassassin_exec(exim_t)
++ spamassassin_exec_client(exim_t)
++')
++
++# courier authdaemon; authdaemon doesn't have a type for its UNIX domain
++# socket, nor a public interface for it yet.
++ifdef(`TODO', `
++optional_policy(`
++ gen_require(`
++ type courier_var_run_t;
++ ')
++ files_search_pids(exim_t)
++ stream_connect_pattern(exim_t, courier_var_run_t, courier_var_run_t)
++')
++')
++
++# Debian uses a template based config generator which generates config
++# files under /var
++ifdef(`distro_debian',`
++ type exim_lib_t;
++ files_config_file(exim_lib_t)
++ exim_read_lib(exim_t)
++
++ type exim_lib_update_t;
++ type exim_lib_update_exec_t;
++ init_domain(exim_lib_update_t, exim_lib_update_exec_t)
++ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
++ mta_read_lib(exim_lib_update_t)
++ exim_manage_var_lib(exim_lib_update_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-10-04 10:58:50.000000000 -0400
@@ -88,6 +88,7 @@
allow ftpd_t self:unix_stream_socket create_stream_socket_perms;
allow ftpd_t self:tcp_socket create_stream_socket_perms;
@@ -5836,7 +5855,27 @@
allow ftpd_t ftpd_etc_t:file read_file_perms;
-@@ -156,6 +157,7 @@
+@@ -105,9 +106,10 @@
+ manage_sock_files_pattern(ftpd_t,ftpd_tmpfs_t,ftpd_tmpfs_t)
+ fs_tmpfs_filetrans(ftpd_t,ftpd_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
++manage_dirs_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+ manage_sock_files_pattern(ftpd_t,ftpd_var_run_t,ftpd_var_run_t)
+-files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
++files_pid_filetrans(ftpd_t,ftpd_var_run_t,{ file dir} )
+
+ # proftpd requires the client side to bind a socket so that
+ # it can stat the socket to perform access control decisions,
+@@ -122,6 +124,7 @@
+
+ kernel_read_kernel_sysctls(ftpd_t)
+ kernel_read_system_state(ftpd_t)
++kernel_search_network_state(ftpd_t)
+
+ dev_read_sysfs(ftpd_t)
+ dev_read_urand(ftpd_t)
+@@ -156,6 +159,7 @@
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
@@ -5844,7 +5883,7 @@
# Append to /var/log/wtmp.
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
-@@ -167,6 +169,8 @@
+@@ -167,6 +171,8 @@
libs_use_ld_so(ftpd_t)
libs_use_shared_libs(ftpd_t)
@@ -5853,7 +5892,7 @@
logging_send_syslog_msg(ftpd_t)
miscfiles_read_localization(ftpd_t)
-@@ -223,10 +227,15 @@
+@@ -223,10 +229,15 @@
userdom_manage_all_users_home_content_dirs(ftpd_t)
userdom_manage_all_users_home_content_files(ftpd_t)
userdom_manage_all_users_home_content_symlinks(ftpd_t)
@@ -5871,8 +5910,8 @@
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.6.4/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-09-11 15:14:23.000000000 -0400
-@@ -2,15 +2,22 @@
++++ serefpolicy-2.6.4/policy/modules/services/hal.fc 2007-10-05 09:47:34.000000000 -0400
+@@ -2,15 +2,25 @@
/etc/hal/device\.d/printer_remove\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
/etc/hal/capability\.d/printer_update\.hal -- gen_context(system_u:object_r:hald_exec_t,s0)
@@ -5900,6 +5939,9 @@
+
+/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
++
++/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
++/var/log/pm(/.*)? gen_context(system_u:object_r:hald_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.if serefpolicy-2.6.4/policy/modules/services/hal.if
--- nsaserefpolicy/policy/modules/services/hal.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/hal.if 2007-08-07 09:42:35.000000000 -0400
@@ -6004,7 +6046,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.6.4/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-09-21 14:56:10.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/hal.te 2007-10-05 09:47:20.000000000 -0400
@@ -61,8 +61,6 @@
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
@@ -6610,7 +6652,7 @@
## Read sendmail binary.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-09-13 13:02:46.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-06 08:53:21.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -6629,7 +6671,7 @@
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -52,6 +54,7 @@
+@@ -52,9 +54,12 @@
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
@@ -6637,7 +6679,12 @@
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -91,12 +94,14 @@
++fs_rw_anon_inodefs_files(system_mail_t)
++
+ init_use_script_ptys(system_mail_t)
+
+ userdom_use_sysadm_terms(system_mail_t)
+@@ -91,12 +96,14 @@
optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
@@ -6652,7 +6699,7 @@
')
optional_policy(`
-@@ -109,6 +114,7 @@
+@@ -109,6 +116,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -10031,6 +10078,18 @@
corecmd_list_bin(xfs_t)
dev_read_sysfs(xfs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-2.6.4/policy/modules/services/xserver.fc
+--- nsaserefpolicy/policy/modules/services/xserver.fc 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/xserver.fc 2007-10-02 11:51:15.000000000 -0400
+@@ -92,7 +92,7 @@
+ /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+ /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
+-/var/log/[kw]dm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/[kw]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+ /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.6.4/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/xserver.if 2007-08-07 09:42:35.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.497
retrieving revision 1.498
diff -u -r1.497 -r1.498
--- selinux-policy.spec 2 Oct 2007 04:16:19 -0000 1.497
+++ selinux-policy.spec 6 Oct 2007 13:01:10 -0000 1.498
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 46%{?dist}
+Release: 47%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
%endif
%changelog
+* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-47
+- Fixes for proftp
+
* Mon Oct 1 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-46
- Allow smbcontrol to work on terminal windows
More information about the fedora-extras-commits
mailing list