rpms/selinux-policy/F-8 policy-20070703.patch, 1.187, 1.188 selinux-policy.spec, 1.614, 1.615
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Feb 26 23:02:20 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27854
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Thu Feb 21 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-89
- Add jkubin changes for nx and groupadd
- Add isns port
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.187
retrieving revision 1.188
diff -u -r1.187 -r1.188
--- policy-20070703.patch 20 Feb 2008 18:32:25 -0000 1.187
+++ policy-20070703.patch 26 Feb 2008 23:02:12 -0000 1.188
@@ -2431,7 +2431,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-3.0.8/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/usermanage.te 2008-02-21 10:15:40.000000000 -0500
@@ -92,10 +92,12 @@
dev_read_urand(chfn_t)
@@ -2445,7 +2445,15 @@
domain_use_interactive_fds(chfn_t)
-@@ -297,9 +299,11 @@
+@@ -238,6 +240,7 @@
+ userdom_use_unpriv_users_fds(groupadd_t)
+ # for when /root is the cwd
+ userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
++userdom_dontaudit_search_all_users_home_content(groupadd_t)
+
+ optional_policy(`
+ dpkg_use_fds(groupadd_t)
+@@ -297,9 +300,11 @@
term_use_all_user_ttys(passwd_t)
term_use_all_user_ptys(passwd_t)
@@ -2457,7 +2465,7 @@
# allow checking if a shell is executable
corecmd_check_exec_shell(passwd_t)
-@@ -315,6 +319,7 @@
+@@ -315,6 +320,7 @@
# /usr/bin/passwd asks for w access to utmp, but it will operate
# correctly without it. Do not audit write denials to utmp.
init_dontaudit_rw_utmp(passwd_t)
@@ -2465,7 +2473,15 @@
libs_use_ld_so(passwd_t)
libs_use_shared_libs(passwd_t)
-@@ -520,6 +525,10 @@
+@@ -511,6 +517,7 @@
+ userdom_use_unpriv_users_fds(useradd_t)
+ # for when /root is the cwd
+ userdom_dontaudit_search_sysadm_home_dirs(useradd_t)
++userdom_dontaudit_search_all_users_home_content(useradd_t)
+ # Add/remove user home directories
+ userdom_home_filetrans_generic_user_home_dir(useradd_t)
+ userdom_manage_all_users_home_content_dirs(useradd_t)
+@@ -520,6 +527,10 @@
mta_manage_spool(useradd_t)
optional_policy(`
@@ -2476,7 +2492,7 @@
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
-@@ -529,6 +538,12 @@
+@@ -529,6 +540,12 @@
')
optional_policy(`
@@ -2970,6 +2986,52 @@
-
type gconfd_exec_t;
application_executable_file(gconfd_exec_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.0.8/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2007-10-22 13:21:41.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/gpg.if 2008-02-20 17:42:34.000000000 -0500
+@@ -80,6 +80,10 @@
+ allow $1_gpg_t self:fifo_file rw_fifo_file_perms;
+ allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
+
++ # Thunderbird leaks descriptors
++ dontaudit $1_gpg_t $2:tcp_socket rw_socket_perms;
++ dontaudit $1_gpg_t $2:udp_socket rw_socket_perms;
++
+ # transition from the gpg domain to the helper domain
+ domtrans_pattern($1_gpg_t,gpg_helper_exec_t,$1_gpg_helper_t)
+
+@@ -116,6 +120,8 @@
+ files_read_usr_files($1_gpg_t)
+ files_dontaudit_search_var($1_gpg_t)
+
++ auth_use_nsswitch($1_gpg_t)
++
+ libs_use_shared_libs($1_gpg_t)
+ libs_use_ld_so($1_gpg_t)
+
+@@ -123,14 +129,8 @@
+
+ logging_send_syslog_msg($1_gpg_t)
+
+- sysnet_read_config($1_gpg_t)
+-
+ userdom_use_user_terminals($1,$1_gpg_t)
+
+- optional_policy(`
+- nis_use_ypbind($1_gpg_t)
+- ')
+-
+ ifdef(`TODO',`
+ # Read content to encrypt/decrypt/sign
+ read_content($1_gpg_t, $1)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.0.8/policy/modules/apps/gpg.te
+--- nsaserefpolicy/policy/modules/apps/gpg.te 2007-10-22 13:21:41.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/apps/gpg.te 2008-02-20 17:31:23.000000000 -0500
+@@ -19,3 +19,4 @@
+ # type for the pinentry executable
+ type pinentry_exec_t;
+ application_executable_file(pinentry_exec_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-3.0.8/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2007-10-22 13:21:41.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/apps/java.fc 2008-02-06 09:05:24.000000000 -0500
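Review bot: The gpg.te part of this hunk adds only a trailing blank line after `application_executable_file(pinentry_exec_t)`, so the file now ends with an empty line; drop that inner hunk. The gpg.if part reads well: the Thunderbird descriptor leak is handled with `dontaudit` rather than `allow`, and the removed `sysnet_read_config`/`nis_use_ypbind` calls are presumably subsumed by the added `auth_use_nsswitch($1_gpg_t)`, which is worth confirming against that interface's body since only part of it is visible further down.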
@@ -4232,7 +4294,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-15 16:34:22.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/corenetwork.te.in 2008-02-20 17:16:46.000000000 -0500
@@ -55,6 +55,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -4253,7 +4315,7 @@
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0, udp,5060,s0)
network_port(auth, tcp,113,s0)
-@@ -93,10 +99,11 @@
+@@ -93,27 +99,34 @@
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0) # 8118 is for privoxy
network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
network_port(howl, tcp,5335,s0, udp,5353,s0)
@@ -4267,7 +4329,12 @@
network_port(innd, tcp,119,s0)
network_port(ipp, tcp,631,s0, udp,631,s0)
network_port(ircd, tcp,6667,s0)
-@@ -108,12 +115,17 @@
+ network_port(isakmp, udp,500,s0)
+ network_port(iscsi, tcp,3260,s0)
++network_port(isns, tcp,3205,s0, udp,3205,s0)
+ network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
+ network_port(jabber_interserver, tcp,5269,s0)
+ network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
network_port(ktalkd, udp,517,s0, udp,518,s0)
@@ -4287,7 +4354,7 @@
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
network_port(nmbd, udp,137,s0, udp,138,s0)
-@@ -122,10 +134,12 @@
+@@ -122,10 +135,12 @@
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
@@ -4300,7 +4367,7 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -137,16 +151,16 @@
+@@ -137,16 +152,16 @@
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
network_port(rndc, tcp,953,s0)
@@ -4320,7 +4387,7 @@
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
-@@ -160,13 +174,19 @@
+@@ -160,13 +175,19 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
@@ -4824,7 +4891,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-02-20 12:11:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2008-02-26 17:53:57.000000000 -0500
@@ -6,6 +6,22 @@
# Declarations
#
@@ -4862,7 +4929,17 @@
# Use trusted objects in /dev
dev_rw_null(domain)
-@@ -129,8 +149,46 @@
+@@ -91,6 +111,9 @@
+
+ # list the root directory
+ files_list_root(domain)
++# Apps getattr on the current working directory when they start, this just
++# eliminates lots of bogus avc messages
++files_getattr_all_dirs(domain)
+
+ tunable_policy(`global_ssp',`
+ # enable reading of urandom for all domains:
+@@ -129,8 +152,46 @@
# For /proc/pid
allow unconfined_domain_type domain:dir r_dir_perms;
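Review bot: The comment above the added `files_getattr_all_dirs(domain)` says the purpose is to eliminate bogus AVC messages, but the interface as added in the files.if hunk below is `allow $1 file_type:dir getattr;`, not a dontaudit, so every domain gains a new permission on every file_type-labelled directory, including the security_file_type ones. If silencing is the goal, an interface built on `dontaudit $1 file_type:dir getattr;` is the least-privilege form; if the allow is intended, the comment should say so, e.g. `# intentionally an allow (not dontaudit): apps stat the cwd at startup`. The domain.te block this sits in continues outside the hunk.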
@@ -4925,8 +5002,34 @@
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2008-01-17 12:47:39.000000000 -0500
-@@ -343,8 +343,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/files.if 2008-02-26 17:53:00.000000000 -0500
+@@ -306,6 +306,25 @@
+
+ ########################################
+ ## <summary>
++## Do not audit attempts to get the attributes
++## of all directories.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`files_getattr_all_dirs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:dir getattr;
++')
++
++########################################
++## <summary>
+ ## List all non-security directories.
+ ## </summary>
+ ## <param name="domain">
+@@ -343,8 +362,7 @@
########################################
## <summary>
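Review bot: The summary of the new `files_getattr_all_dirs` interface reads `Do not audit attempts to get the attributes of all directories`, but its body is `allow $1 file_type:dir getattr;`, so the documentation describes a dontaudit while the rule grants access. Either change the summary to `## Get the attributes of all directories.` with the parameter text `## Domain allowed access.`, or change the rule to `dontaudit` to match the text. Unlike the mounton rule later in this file (`{ file_type -security_file_type }`), the new rule does not exclude security_file_type; if that is deliberate the summary should state it.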
@@ -4936,7 +5039,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -352,12 +351,29 @@
+@@ -352,12 +370,29 @@
## </summary>
## </param>
#
@@ -4967,7 +5070,7 @@
allow $1 { file_type -security_file_type }:file mounton;
')
-@@ -376,7 +392,7 @@
+@@ -376,7 +411,7 @@
attribute file_type, security_file_type;
')
@@ -4976,7 +5079,7 @@
')
########################################
-@@ -656,44 +672,6 @@
+@@ -656,44 +691,6 @@
########################################
## <summary>
@@ -5021,7 +5124,7 @@
## Read all symbolic links.
## </summary>
## <param name="domain">
-@@ -885,6 +863,8 @@
+@@ -885,6 +882,8 @@
attribute file_type;
')
@@ -5030,7 +5133,7 @@
allow $1 { file_type $2 }:dir list_dir_perms;
relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
-@@ -1106,6 +1086,24 @@
+@@ -1106,6 +1105,24 @@
########################################
## <summary>
@@ -5055,7 +5158,7 @@
## List the contents of the root directory.
## </summary>
## <param name="domain">
-@@ -1192,6 +1190,25 @@
+@@ -1192,6 +1209,25 @@
########################################
## <summary>
@@ -5081,7 +5184,7 @@
## Do not audit attempts to read or write
## character device nodes in the root directory.
## </summary>
-@@ -1229,6 +1246,24 @@
+@@ -1229,6 +1265,24 @@
########################################
## <summary>
@@ -5106,7 +5209,7 @@
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -2023,6 +2058,31 @@
+@@ -2023,6 +2077,31 @@
########################################
## <summary>
@@ -5138,7 +5241,7 @@
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
-@@ -3107,6 +3167,24 @@
+@@ -3107,6 +3186,24 @@
########################################
## <summary>
@@ -5163,7 +5266,7 @@
## Manage temporary files and directories in /tmp.
## </summary>
## <param name="domain">
-@@ -3198,6 +3276,44 @@
+@@ -3198,6 +3295,44 @@
########################################
## <summary>
@@ -5208,7 +5311,7 @@
## Read all tmp files.
## </summary>
## <param name="domain">
-@@ -3323,6 +3439,42 @@
+@@ -3323,6 +3458,42 @@
########################################
## <summary>
@@ -5251,7 +5354,7 @@
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
-@@ -3381,7 +3533,7 @@
+@@ -3381,7 +3552,7 @@
########################################
## <summary>
@@ -5260,7 +5363,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -3389,17 +3541,17 @@
+@@ -3389,17 +3560,17 @@
## </summary>
## </param>
#
@@ -5281,7 +5384,7 @@
## </summary>
## <param name="domain">
## <summary>
-@@ -3407,12 +3559,12 @@
+@@ -3407,12 +3578,12 @@
## </summary>
## </param>
#
@@ -5296,7 +5399,7 @@
')
########################################
-@@ -4043,7 +4195,7 @@
+@@ -4043,7 +4214,7 @@
type var_t, var_lock_t;
')
@@ -5305,7 +5408,7 @@
')
########################################
-@@ -4285,6 +4437,25 @@
+@@ -4285,6 +4456,25 @@
########################################
## <summary>
@@ -5331,7 +5434,7 @@
## Do not audit attempts to write to daemon runtime data files.
## </summary>
## <param name="domain">
-@@ -4560,6 +4731,8 @@
+@@ -4560,6 +4750,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -5340,7 +5443,7 @@
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4582,6 +4755,11 @@
+@@ -4582,6 +4774,11 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -5352,7 +5455,7 @@
')
########################################
-@@ -4619,3 +4797,28 @@
+@@ -4619,3 +4816,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -5411,7 +5514,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-02-15 16:28:22.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2008-02-26 17:48:01.000000000 -0500
@@ -271,45 +271,6 @@
########################################
@@ -5642,7 +5745,15 @@
interface(`fs_dontaudit_read_ramfs_files',`
gen_require(`
type ramfs_t;
-@@ -3322,6 +3421,24 @@
+@@ -3206,6 +3305,7 @@
+ ')
+
+ allow $1 filesystem_type:filesystem getattr;
++ files_getattr_all_file_type_fs($1)
+ ')
+
+ ########################################
+@@ -3322,6 +3422,24 @@
########################################
## <summary>
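Review bot: The added `files_getattr_all_file_type_fs($1)` call is not defined by the files.if changes visible in this commit (the only interface added there is `files_getattr_all_dirs`); if it is not defined elsewhere in the patch, the policy build fails on an undefined macro, so please confirm it exists. The enclosing interface starts outside the hunk, so its summary cannot be checked here; if the call stays, the summary should mention that the domain also gets getattr on filesystems labelled with file_type types.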
@@ -5667,7 +5778,7 @@
## List all directories with a filesystem type.
## </summary>
## <param name="domain">
-@@ -3533,3 +3650,62 @@
+@@ -3533,3 +3651,62 @@
relabelfrom_blk_files_pattern($1,noxattrfs,noxattrfs)
relabelfrom_chr_files_pattern($1,noxattrfs,noxattrfs)
')
@@ -5732,7 +5843,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-10-22 13:21:41.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2008-02-21 11:17:46.000000000 -0500
@@ -21,6 +21,7 @@
# Use xattrs for the following filesystem types.
@@ -5749,15 +5860,18 @@
fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
# Use the allocating task SID to label inodes in the following filesystem
-@@ -80,6 +82,7 @@
+@@ -80,8 +82,10 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
allow fusefs_t self:filesystem associate;
+allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
++genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)
-@@ -116,6 +119,7 @@
+ type futexfs_t;
+ fs_type(futexfs_t)
+@@ -116,6 +120,7 @@
type ramfs_t;
fs_type(ramfs_t)
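Review bot: The new `genfscon fusectl / gen_context(system_u:object_r:fusefs_t,s0)` line labels what appears to be the FUSE control filesystem with the same type as FUSE-mounted user data, so any domain granted access to fusefs_t also reaches the control nodes. If that is deliberate, record it with a comment above the line such as `# fusectl (FUSE control fs) deliberately shares fusefs_t with fuse mounts`; otherwise a dedicated type for fusectl keeps control-node access separate from data access. The fusefs_t declaration block starts outside the hunk.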
@@ -5765,7 +5879,7 @@
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
type romfs_t;
-@@ -133,6 +137,16 @@
+@@ -133,6 +138,16 @@
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -6277,7 +6391,7 @@
dev_read_rand(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2008-02-26 16:33:42.000000000 -0500
@@ -16,7 +16,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -6286,7 +6400,23 @@
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -71,5 +70,16 @@
+@@ -33,6 +32,7 @@
+ /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ ')
+
++/usr/share/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+@@ -48,6 +48,7 @@
+
+ /var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
++/var/lib/drupal(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
+ /var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+ /var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+ /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
+@@ -71,5 +72,16 @@
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -7579,8 +7709,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.0.8/policy/modules/services/bitlbee.te
--- nsaserefpolicy/policy/modules/services/bitlbee.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2008-01-17 09:03:07.000000000 -0500
-@@ -0,0 +1,73 @@
++++ serefpolicy-3.0.8/policy/modules/services/bitlbee.te 2008-02-26 16:46:48.000000000 -0500
+@@ -0,0 +1,75 @@
+
+policy_module(bitlbee, 1.0.0)
+
@@ -7636,6 +7766,8 @@
+# and to MSNP (MSN Messenger) servers:
+corenet_tcp_connect_msnp_port(bitlbee_t)
+corenet_tcp_sendrecv_msnp_port(bitlbee_t)
++corenet_tcp_connect_http_port(bitlbee_t)
++corenet_tcp_sendrecv_http_port(bitlbee_t)
+
+dev_read_rand(bitlbee_t)
+dev_read_urand(bitlbee_t)
@@ -12128,6 +12260,15 @@
logrotate_exec(ntpd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nx.fc serefpolicy-3.0.8/policy/modules/services/nx.fc
+--- nsaserefpolicy/policy/modules/services/nx.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nx.fc 2008-02-21 10:10:33.000000000 -0500
+@@ -1,3 +1,5 @@
++
++/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+ /opt/NX/bin/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)
+
+ /opt/NX/home/nx/\.ssh(/.*)? gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/oddjob.fc serefpolicy-3.0.8/policy/modules/services/oddjob.fc
--- nsaserefpolicy/policy/modules/services/oddjob.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/oddjob.fc 2008-01-31 15:24:30.000000000 -0500
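Review bot: The first added line in nx.fc is empty, which leaves the file starting with a blank line for no reason; keep only the `/usr/libexec/nx/nxserver -- gen_context(system_u:object_r:nx_server_exec_t,s0)` entry. Placing it directly above the `/opt/NX/bin/nxserver` line, as the hunk already does, keeps both nx_server_exec_t paths together.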
@@ -14464,8 +14605,74 @@
/var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-01-17 09:03:07.000000000 -0500
-@@ -332,6 +332,25 @@
++++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-02-26 17:24:56.000000000 -0500
+@@ -63,6 +63,25 @@
+
+ ########################################
+ ## <summary>
++## Execute samba net in the samba_unconfined_net domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`samba_domtrans_unconfined_net',`
++ gen_require(`
++ type samba_unconfined_net_t, samba_net_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1,samba_net_exec_t,samba_unconfined_net_t)
++')
++
++########################################
++## <summary>
+ ## Execute samba net in the samba_net domain, and
+ ## allow the specified role the samba_net domain.
+ ## </summary>
+@@ -93,6 +112,39 @@
+ allow samba_net_t $3:chr_file rw_term_perms;
+ ')
+
++
++########################################
++## <summary>
++## Execute samba net in the samba_unconfined_net domain, and
++## allow the specified role the samba_unconfined_net domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed the samba_unconfined_net domain.
++## </summary>
++## </param>
++## <param name="terminal">
++## <summary>
++## The type of the terminal allow the samba_unconfined_net domain to use.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`samba_run_net',`
++ gen_require(`
++ type samba_unconfined_net_t;
++ ')
++
++ samba_domtrans_unconfined_net($1)
++ role $2 types samba_unconfined_net_t;
++ allow samba_unconfined_net_t $3:chr_file rw_term_perms;
++')
++
+ ########################################
+ ## <summary>
+ ## Execute smbmount in the smbmount domain.
+@@ -332,6 +384,25 @@
########################################
## <summary>
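Review bot: The second interface added here is named `samba_run_net`, yet its summary and body are for samba_unconfined_net_t, and the interface documented just above it (`Execute samba net in the samba_net domain, and allow the specified role the samba_net domain`) is presumably the existing `samba_run_net`, so this redefines the same macro and which definition wins depends on m4 ordering. The caller in the unconfined.te hunk further down invokes `samba_run_unconfined_net(...)`, which nothing on this page defines, so the new interface should be declared as `interface(`samba_run_unconfined_net',`. Without that rename the unconfined.te hunk fails at build time on an undefined macro.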
@@ -14491,7 +14698,7 @@
## Allow the specified domain to
## read and write samba /var files.
## </summary>
-@@ -349,6 +368,7 @@
+@@ -349,6 +420,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1,samba_var_t,samba_var_t)
@@ -14499,7 +14706,7 @@
')
########################################
-@@ -493,3 +513,103 @@
+@@ -493,3 +565,103 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@@ -14605,7 +14812,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-02-06 08:56:20.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-02-26 17:23:33.000000000 -0500
@@ -137,6 +137,11 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -15001,7 +15208,20 @@
')
########################################
-@@ -828,3 +845,37 @@
+@@ -812,6 +829,12 @@
+ #
+
+ optional_policy(`
++ type samba_unconfined_net_t;
++ domain_type(samba_unconfined_net_t)
++ unconfined_domain(samba_unconfined_net_t)
++ manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t)
++ filetrans_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t,file)
++
+ type samba_unconfined_script_t;
+ type samba_unconfined_script_exec_t;
+ domain_type(samba_unconfined_script_t)
+@@ -828,3 +851,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
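Review bot: `samba_unconfined_net_t` is given `unconfined_domain`, which by refpolicy convention grants the domain full access, so the following `manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t)` adds nothing; only the `filetrans_pattern` line does real work by labelling newly created secrets files. Either drop the manage line or add `# filetrans keeps new secrets files labelled samba_secrets_t; manage rule kept for readability` so the next reader does not look for a missing permission. The optional_policy block this sits in starts and ends outside the hunk.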
@@ -15159,7 +15379,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-02-06 10:23:01.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-02-26 09:15:49.000000000 -0500
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -15176,7 +15396,7 @@
-allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process signal;
+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
-+allow sendmail_t self:process { signal signull };
++allow sendmail_t self:process { setrlimit signal signull };
allow sendmail_t self:fifo_file rw_fifo_file_perms;
allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
allow sendmail_t self:unix_dgram_socket create_socket_perms;
@@ -15215,7 +15435,15 @@
files_search_spool(sendmail_t)
# for piping mail to a command
files_read_etc_runtime_files(sendmail_t)
-@@ -94,30 +104,34 @@
+@@ -83,6 +93,7 @@
+ # sendmail wants to read /var/run/utmp if the controlling tty is /dev/console
+ init_read_utmp(sendmail_t)
+ init_dontaudit_write_utmp(sendmail_t)
++init_rw_script_tmp_files(sendmail_t)
+
+ libs_use_ld_so(sendmail_t)
+ libs_use_shared_libs(sendmail_t)
+@@ -94,30 +105,34 @@
miscfiles_read_certs(sendmail_t)
miscfiles_read_localization(sendmail_t)
@@ -15256,7 +15484,7 @@
')
optional_policy(`
-@@ -128,6 +142,11 @@
+@@ -128,6 +143,11 @@
optional_policy(`
procmail_domtrans(sendmail_t)
@@ -15268,7 +15496,7 @@
')
optional_policy(`
-@@ -135,24 +154,25 @@
+@@ -135,24 +155,25 @@
')
optional_policy(`
@@ -15712,7 +15940,16 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2008-02-26 08:33:54.000000000 -0500
+@@ -53,7 +53,7 @@
+ # setuids to the user running spamc. Comment this if you are not
+ # using this ability.
+
+-allow spamd_t self:capability { setuid setgid dac_override sys_tty_config };
++allow spamd_t self:capability { kill setuid setgid dac_override sys_tty_config };
+ dontaudit spamd_t self:capability sys_tty_config;
+ allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow spamd_t self:fd use;
@@ -81,11 +81,12 @@
# var/lib files for spamd
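Review bot: The added `kill` capability on spamd_t has no why-comment; the surrounding comment explains that spamd setuids to the user running spamc, so presumably CAP_KILL is needed to signal children that now run under another uid, but that should be written down, e.g. `# kill: signal per-user children after setuid` above the allow line. If the only signal targets run under spamd's own uid, the capability is not needed and the existing process signal rules suffice.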
@@ -16067,7 +16304,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/ssh.te 2008-02-20 17:08:41.000000000 -0500
@@ -24,7 +24,7 @@
# Type for the ssh-agent executable.
@@ -16077,18 +16314,20 @@
# ssh client executable.
type ssh_exec_t;
-@@ -80,6 +80,10 @@
+@@ -80,6 +80,12 @@
corenet_tcp_bind_xserver_port(sshd_t)
corenet_sendrecv_xserver_server_packets(sshd_t)
+userdom_read_all_users_home_dirs_symlinks(sshd_t)
+userdom_read_all_users_home_content_files(sshd_t)
+userdom_read_all_users_home_dirs_symlinks(sshd_t)
++userdom_read_unpriv_users_home_content_files(sshd_t)
++
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
-@@ -100,6 +104,11 @@
+@@ -100,6 +106,11 @@
userdom_use_unpriv_users_ptys(sshd_t)
')
@@ -16100,7 +16339,7 @@
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
-@@ -119,7 +128,13 @@
+@@ -119,7 +130,13 @@
')
optional_policy(`
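Review bot: The new `userdom_read_unpriv_users_home_content_files(sshd_t)` sits directly under `userdom_read_all_users_home_content_files(sshd_t)`, which presumably already covers unprivileged users' home content, so the addition looks redundant, and the two added blank lines produce a double blank before the existing one. The context lines also show `userdom_read_all_users_home_dirs_symlinks(sshd_t)` twice; since this region is being touched, dropping the duplicate and the extra blank lines would leave one rule per permission.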
@@ -16115,7 +16354,7 @@
')
ifdef(`TODO',`
-@@ -231,9 +246,15 @@
+@@ -231,9 +248,15 @@
')
optional_policy(`
@@ -16389,7 +16628,7 @@
corenet_sendrecv_ftp_server_packets(ucspitcp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-3.0.8/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/uucp.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/uucp.te 2008-02-26 17:48:25.000000000 -0500
@@ -88,6 +88,8 @@
files_search_home(uucpd_t)
files_search_spool(uucpd_t)
@@ -16420,6 +16659,15 @@
########################################
#
# UUX Local policy
+@@ -124,6 +116,8 @@
+
+ files_read_etc_files(uux_t)
+
++fs_rw_anon_inodefs_files(uux_t)
++
+ libs_use_ld_so(uux_t)
+ libs_use_shared_libs(uux_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-10-22 13:21:36.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/uwimap.te 2008-01-17 09:03:07.000000000 -0500
@@ -17312,7 +17560,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-02-20 13:14:51.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2008-02-26 13:20:32.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -17395,7 +17643,7 @@
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,20 +223,56 @@
+@@ -196,20 +223,58 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -17434,6 +17682,8 @@
+ ')
+
+ optional_policy(`
++ corecmd_exec_bin($1)
++ storage_getattr_fixed_disk_dev($1)
+ mount_domtrans($1)
+ ')
+
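Review bot: `corecmd_exec_bin($1)` and `storage_getattr_fixed_disk_dev($1)` are placed inside the `optional_policy` that wraps `mount_domtrans($1)`, so the login-program domains get bin execution and fixed-disk getattr only when the mount module is loaded, although neither call depends on mount. If these are for a mount-related PAM path, say so with `# helpers and device stat needed before the mount_domtrans below`; otherwise move them out of the optional block so the grant does not vary silently with module presence. The enclosing interface starts and ends outside the hunk.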
@@ -17453,7 +17703,7 @@
tunable_policy(`allow_polyinstantiation',`
files_polyinstantiate_all($1)
')
-@@ -309,9 +372,6 @@
+@@ -309,9 +374,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -17463,7 +17713,7 @@
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +389,8 @@
+@@ -329,6 +391,8 @@
optional_policy(`
kerberos_use($1)
@@ -17472,7 +17722,7 @@
')
optional_policy(`
-@@ -347,6 +409,58 @@
+@@ -347,6 +411,58 @@
########################################
## <summary>
@@ -17531,7 +17781,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +809,24 @@
+@@ -695,6 +811,24 @@
########################################
## <summary>
@@ -17556,7 +17806,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,16 +1450,14 @@
+@@ -1318,16 +1452,14 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -17576,7 +17826,7 @@
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
-@@ -1347,6 +1477,8 @@
+@@ -1347,6 +1479,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -17585,7 +17835,7 @@
')
')
-@@ -1381,3 +1513,181 @@
+@@ -1381,3 +1515,181 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -18135,7 +18385,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.8/policy/modules/system/init.if
--- nsaserefpolicy/policy/modules/system/init.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/init.if 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/init.if 2008-02-26 09:13:37.000000000 -0500
@@ -211,6 +211,21 @@
kernel_dontaudit_use_fds($1)
')
@@ -18759,7 +19009,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.te serefpolicy-3.0.8/policy/modules/system/iscsi.te
--- nsaserefpolicy/policy/modules/system/iscsi.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/iscsi.te 2008-01-29 09:44:14.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/iscsi.te 2008-02-20 17:17:45.000000000 -0500
@@ -29,7 +29,7 @@
#
@@ -18769,7 +19019,15 @@
allow iscsid_t self:fifo_file { read write };
allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow iscsid_t self:unix_dgram_socket create_socket_perms;
-@@ -68,6 +68,8 @@
+@@ -61,6 +61,7 @@
+ corenet_tcp_sendrecv_all_ports(iscsid_t)
+ corenet_tcp_connect_http_port(iscsid_t)
+ corenet_tcp_connect_iscsi_port(iscsid_t)
++corenet_tcp_connect_isns_port(iscsid_t)
+
+ dev_rw_sysfs(iscsid_t)
+
+@@ -68,6 +69,8 @@
files_read_etc_files(iscsid_t)
@@ -21436,7 +21694,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2008-01-17 09:03:07.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2008-02-26 17:33:09.000000000 -0500
@@ -5,36 +5,57 @@
#
# Declarations
@@ -21626,7 +21884,8 @@
optional_policy(`
samba_per_role_template(unconfined)
- samba_run_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+- samba_run_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++ samba_run_unconfined_net(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
samba_run_winbind_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ samba_run_smbcontrol(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
')
@@ -21649,26 +21908,31 @@
+ mozilla_per_role_template(unconfined, unconfined_t, unconfined_r)
+ unconfined_domain(unconfined_mozilla_t)
+ allow unconfined_mozilla_t self:process { execstack execmem };
-+')
-+
-+optional_policy(`
-+ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
')
optional_policy(`
- xserver_domtrans_xdm_xserver(unconfined_t)
++ kismet_run(unconfined_t, unconfined_r, { unconfined_tty_device_t unconfined_devpts_t })
++')
++
++optional_policy(`
+ xserver_run_xdm_xserver(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
+ xserver_xdm_rw_shm(unconfined_t)
')
########################################
-@@ -219,14 +236,38 @@
+@@ -219,14 +236,43 @@
allow unconfined_execmem_t self:process { execstack execmem };
unconfined_domain_noaudit(unconfined_execmem_t)
+allow unconfined_execmem_t unconfined_t:process transition;
optional_policy(`
++ gen_require(`
++ type unconfined_dbusd_t;
++ ')
++ unconfined_domain(unconfined_dbusd_t)
++
dbus_stub(unconfined_execmem_t)
init_dbus_chat_script(unconfined_execmem_t)
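Review bot: `unconfined_domain(unconfined_dbusd_t)` and its gen_require are placed inside the dbus optional_policy of the unconfined_execmem_t section, right next to `dbus_stub(unconfined_execmem_t)`, which makes it read as an execmem rule. It belongs with the dbus per-role setup for unconfined_t, wherever unconfined_dbusd_t is declared (presumably a dbus template earlier in the file), or at least needs a comment such as `# the unconfined user's dbus daemon is itself unconfined`. The enclosing optional_policy closes outside the hunk.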
@@ -21712,7 +21976,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-02-11 18:07:56.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-02-20 17:31:58.000000000 -0500
@@ -29,8 +29,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.614
retrieving revision 1.615
diff -u -r1.614 -r1.615
--- selinux-policy.spec 20 Feb 2008 18:32:25 -0000 1.614
+++ selinux-policy.spec 26 Feb 2008 23:02:12 -0000 1.615
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 88%{?dist}
+Release: 89%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,10 @@
%endif
%changelog
+* Thu Feb 21 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-89
+- Add jkubin changes for nx and groupadd
+- Add isns port
+
* Wed Feb 20 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-88
- Add policy for /dev/autofs