rpms/libselinux/devel libselinux-rhat.patch,1.138,1.139

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jan 8 11:07:41 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/libselinux/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv20988

Modified Files:
	libselinux-rhat.patch 
Log Message:
* Tue Jan 8 2008 Dan Walsh <dwalsh at redhat.com> - 2.0.46-4
- Add pid_t typemap for swig bindings


libselinux-rhat.patch:

Index: libselinux-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/libselinux/devel/libselinux-rhat.patch,v
retrieving revision 1.138
retrieving revision 1.139
diff -u -r1.138 -r1.139
--- libselinux-rhat.patch	8 Jan 2008 10:25:03 -0000	1.138
+++ libselinux-rhat.patch	8 Jan 2008 11:07:27 -0000	1.139
@@ -501,3402 +501,3 @@
  	if (rc < 0) {
  		fprintf(stderr, "matchpathcon(%s) failed: %s\n", path,
  			strerror(errno));
-

























































































































---- nsaserefpolicy/policy/modules/services/inetd.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/inetd.te	2007-12-19 05:38:09.000000000 -0500
-@@ -30,6 +30,10 @@
- type inetd_child_var_run_t;
- files_pid_file(inetd_child_var_run_t)
- 
-+ifdef(`enable_mcs',`
-+	init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
-+')
-+
- ########################################
- #
- # Local policy
-@@ -84,6 +88,7 @@
- corenet_udp_bind_ftp_port(inetd_t)
- corenet_tcp_bind_inetd_child_port(inetd_t)
- corenet_udp_bind_inetd_child_port(inetd_t)
-+corenet_tcp_bind_ircd_port(inetd_t)
- corenet_udp_bind_ktalkd_port(inetd_t)
- corenet_tcp_bind_printer_port(inetd_t)
- corenet_udp_bind_rlogind_port(inetd_t)
-@@ -137,6 +142,7 @@
- miscfiles_read_localization(inetd_t)
- 
- # xinetd needs MLS override privileges to work
-+mls_fd_use_all_levels(inetd_t)
- mls_fd_share_all_levels(inetd_t)
- mls_socket_read_to_clearance(inetd_t)
- mls_socket_write_to_clearance(inetd_t)
-@@ -164,6 +170,7 @@
- ')
- 
- optional_policy(`
-+	unconfined_domain(inetd_t)
- 	unconfined_domtrans(inetd_t)
- ')
- 
-@@ -180,6 +187,9 @@
- # for identd
- allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
- allow inetd_child_t self:capability { setuid setgid };
-+allow inetd_child_t self:dir search;
-+allow inetd_child_t self:{ lnk_file file } { getattr read };
-+
- files_search_home(inetd_child_t)
- 
- manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -226,3 +236,7 @@
- optional_policy(`
- 	unconfined_domain(inetd_child_t)
- ')
-+
-+optional_policy(`
-+	inetd_service_domain(inetd_child_t,bin_t)
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inn.te serefpolicy-3.2.5/policy/modules/services/inn.te
---- nsaserefpolicy/policy/modules/services/inn.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/inn.te	2007-12-19 15:36:20.000000000 -0500
-@@ -22,7 +22,7 @@
- files_pid_file(innd_var_run_t)
- 
- type news_spool_t;
--files_type(news_spool_t)
-+files_mountpoint(news_spool_t)
- 
- ########################################
- #
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.2.5/policy/modules/services/kerberos.fc
---- nsaserefpolicy/policy/modules/services/kerberos.fc	2006-11-16 17:15:21.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/kerberos.fc	2007-12-19 05:38:09.000000000 -0500
-@@ -16,3 +16,4 @@
- 
- /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
- /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
-+/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.2.5/policy/modules/services/kerberos.if
---- nsaserefpolicy/policy/modules/services/kerberos.if	2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/kerberos.if	2007-12-19 05:38:09.000000000 -0500
-@@ -43,7 +43,13 @@
- 	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
- 	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
- 
-+	#kerberos libraries are attempting to set the correct file context
-+	dontaudit $1 self:process setfscreate;
-+	seutil_dontaudit_read_file_contexts($1)
-+
- 	tunable_policy(`allow_kerberos',`
-+		fs_rw_tmpfs_files($1)
-+	
- 		allow $1 self:tcp_socket create_socket_perms;
- 		allow $1 self:udp_socket create_socket_perms;
- 
-@@ -61,11 +67,7 @@
- 		corenet_tcp_connect_ocsp_port($1)
- 		corenet_sendrecv_kerberos_client_packets($1)
- 		corenet_sendrecv_ocsp_client_packets($1)
--
--		sysnet_read_config($1)
--		sysnet_dns_name_resolve($1)
- 	')
--
- 	optional_policy(`
- 		tunable_policy(`allow_kerberos',`
- 			pcscd_stream_connect($1)
-@@ -172,3 +174,51 @@
- 	allow $1 krb5kdc_conf_t:file read_file_perms;
- 
- ')
-+
-+########################################
-+## <summary>
-+##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`kerberos_manage_host_rcache',`
-+	gen_require(`
-+		type krb5_host_rcache_t;
-+	')
-+
-+	tunable_policy(`allow_kerberos',`
-+		files_search_tmp($1)
-+		allow $1 self:process setfscreate;
-+		selinux_validate_context($1)
-+		seutil_read_file_contexts($1)
-+		allow $1 krb5_host_rcache_t:file manage_file_perms;
-+	')
-+	# creates files as system_u no matter what the selinux user
-+	domain_obj_id_change_exemption($1)
-+')
-+
-+########################################
-+## <summary>
-+##	Connect to krb524 service
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`kerberos_524_connect',`
-+	tunable_policy(`allow_kerberos',`
-+		allow $1 self:udp_socket create_socket_perms;
-+                corenet_all_recvfrom_unlabeled($1)
-+		corenet_udp_sendrecv_all_if($1)
-+		corenet_udp_sendrecv_all_nodes($1)
-+		corenet_udp_sendrecv_kerberos_master_port($1)
-+		corenet_udp_bind_all_nodes($1)
-+	')
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.2.5/policy/modules/services/kerberos.te
---- nsaserefpolicy/policy/modules/services/kerberos.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/kerberos.te	2007-12-19 05:38:09.000000000 -0500
-@@ -54,6 +54,9 @@
- type krb5kdc_var_run_t;
- files_pid_file(krb5kdc_var_run_t)
- 
-+type krb5_host_rcache_t;
-+files_tmp_file(krb5_host_rcache_t)
-+
- ########################################
- #
- # kadmind local policy
-@@ -62,7 +65,7 @@
- # Use capabilities. Surplus capabilities may be allowed.
- allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
- dontaudit kadmind_t self:capability sys_tty_config;
--allow kadmind_t self:process signal_perms;
-+allow kadmind_t self:process { setfscreate signal_perms };
- allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
- allow kadmind_t self:unix_dgram_socket { connect create write };
- allow kadmind_t self:tcp_socket connected_stream_socket_perms;
-@@ -91,6 +94,7 @@
- kernel_read_kernel_sysctls(kadmind_t)
- kernel_list_proc(kadmind_t)
- kernel_read_proc_symlinks(kadmind_t)
-+kernel_read_system_state(kadmind_t)
- 
- corenet_all_recvfrom_unlabeled(kadmind_t)
- corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +122,9 @@
[...3011 lines suppressed...]
-+
-+	domtrans_pattern($1,sendmail_exec_t,unconfined_sendmail_t)
-+')
-+
-+########################################
-+## <summary>
-+##	Execute sendmail in the unconfined sendmail domain, and
-+##	allow the specified role the unconfined sendmail domain,
-+##	and use the caller's terminal.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+## <param name="role">
-+##	<summary>
-+##	The role to be allowed the unconfined sendmail domain.
-+##	</summary>
-+## </param>
-+## <param name="terminal">
-+##	<summary>
-+##	The type of the terminal allow the unconfined sendmail domain to use.
-+##	</summary>
-+## </param>
-+## <rolecap/>
-+#
-+interface(`sendmail_run_unconfined',`
-+	gen_require(`
-+		type unconfined_sendmail_t;
-+	')
-+
-+	sendmail_domtrans_unconfined($1)
-+	role $2 types unconfined_sendmail_t;
-+	allow unconfined_sendmail_t $3:chr_file rw_file_perms;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.2.5/policy/modules/services/sendmail.te
---- nsaserefpolicy/policy/modules/services/sendmail.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/sendmail.te	2007-12-31 15:42:11.000000000 -0500
-@@ -20,13 +20,17 @@
- mta_mailserver_delivery(sendmail_t)
- mta_mailserver_sender(sendmail_t)
- 
-+type unconfined_sendmail_t;
-+application_domain(unconfined_sendmail_t,sendmail_exec_t)
-+role system_r types unconfined_sendmail_t;
-+
- ########################################
- #
- # Sendmail local policy
- #
- 
--allow sendmail_t self:capability { setuid setgid net_bind_service sys_nice chown sys_tty_config };
--allow sendmail_t self:process signal;
-+allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
-+allow sendmail_t self:process { signal signull };
- allow sendmail_t self:fifo_file rw_fifo_file_perms;
- allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
- allow sendmail_t self:unix_dgram_socket create_socket_perms;
-@@ -47,6 +51,7 @@
- kernel_read_kernel_sysctls(sendmail_t)
- # for piping mail to a command
- kernel_read_system_state(sendmail_t)
-+kernel_read_network_state(sendmail_t)
- 
- corenet_all_recvfrom_unlabeled(sendmail_t)
- corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -97,20 +102,35 @@
- 
- userdom_dontaudit_use_unpriv_user_fds(sendmail_t)
- userdom_dontaudit_search_sysadm_home_dirs(sendmail_t)
-+userdom_read_all_users_home_content_files(sendmail_t)
- 
- mta_read_config(sendmail_t)
- mta_etc_filetrans_aliases(sendmail_t)
- # Write to /etc/aliases and /etc/mail.
--mta_rw_aliases(sendmail_t)
-+mta_manage_aliases(sendmail_t)
- # Write to /var/spool/mail and /var/spool/mqueue.
- mta_manage_queue(sendmail_t)
- mta_manage_spool(sendmail_t)
-+mta_sendmail_exec(sendmail_t)
-+
-+optional_policy(`
-+	cron_read_pipes(sendmail_t)
-+')
- 
- optional_policy(`
- 	clamav_search_lib(sendmail_t)
- ')
- 
- optional_policy(`
-+	cyrus_stream_connect(sendmail_t)
-+	clamav_stream_connect(sendmail_t)
-+')
-+
-+optional_policy(`
-+	munin_dontaudit_search_lib(sendmail_t)
-+')
-+
-+optional_policy(`
- 	postfix_exec_master(sendmail_t)
- 	postfix_read_config(sendmail_t)
- 	postfix_search_spool(sendmail_t)
-@@ -125,24 +145,25 @@
- ')
- 
- optional_policy(`
-+	sasl_connect(sendmail_t)
-+')
-+
-+optional_policy(`
-+	spamd_stream_connect(sendmail_t)
-+')
-+
-+optional_policy(`
- 	udev_read_db(sendmail_t)
- ')
- 
--ifdef(`TODO',`
--allow sendmail_t etc_mail_t:dir rw_dir_perms;
--allow sendmail_t etc_mail_t:file manage_file_perms;
--# for the start script to run make -C /etc/mail
--allow initrc_t etc_mail_t:dir rw_dir_perms;
--allow initrc_t etc_mail_t:file manage_file_perms;
--allow system_mail_t initrc_t:fd use;
--allow system_mail_t initrc_t:fifo_file write;
--
--# When sendmail runs as user_mail_domain, it needs some extra permissions
--# to update /etc/mail/statistics.
--allow user_mail_domain etc_mail_t:file rw_file_perms;
-+########################################
-+#
-+# Unconfined sendmail local policy 
-+# Allow unconfined domain to run newalias and have transitions work
-+#
- 
--# Silently deny attempts to access /root.
--dontaudit system_mail_t { staff_home_dir_t sysadm_home_dir_t}:dir { getattr search };
-+optional_policy(`
-+	mta_etc_filetrans_aliases(unconfined_sendmail_t)
-+	unconfined_domain(unconfined_sendmail_t)
-+')
- 
--dontaudit sendmail_t admin_tty_type:chr_file { getattr ioctl };
--') dnl end TODO
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te
---- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/setroubleshoot.te	2007-12-19 05:38:09.000000000 -0500
-@@ -27,8 +27,8 @@
- # setroubleshootd local policy
- #
- 
--allow setroubleshootd_t self:capability { dac_override sys_tty_config };
--allow setroubleshootd_t self:process { signull signal getattr getsched };
-+allow setroubleshootd_t self:capability { dac_override sys_nice sys_tty_config };
-+allow setroubleshootd_t self:process { getattr getsched  setsched sigkill signull signal };
- allow setroubleshootd_t self:fifo_file rw_fifo_file_perms;
- allow setroubleshootd_t self:tcp_socket create_stream_socket_perms;
- allow setroubleshootd_t self:unix_stream_socket { create_stream_socket_perms connectto };
-@@ -52,7 +52,9 @@
- 
- kernel_read_kernel_sysctls(setroubleshootd_t)
- kernel_read_system_state(setroubleshootd_t)
-+kernel_read_net_sysctls(setroubleshootd_t)
- kernel_read_network_state(setroubleshootd_t)
-+kernel_dontaudit_list_all_proc(setroubleshootd_t)
- 
- corecmd_exec_bin(setroubleshootd_t)
- corecmd_exec_shell(setroubleshootd_t)
-@@ -73,7 +75,7 @@
- 
- files_read_usr_files(setroubleshootd_t)
- files_read_etc_files(setroubleshootd_t)
--files_getattr_all_dirs(setroubleshootd_t)
-+files_list_all(setroubleshootd_t)
- files_getattr_all_files(setroubleshootd_t)
- 
- fs_getattr_all_dirs(setroubleshootd_t)
-@@ -110,6 +112,7 @@
- optional_policy(`
- 	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
- 	dbus_connect_system_bus(setroubleshootd_t)
-+	dbus_system_domain(setroubleshootd_t,setroubleshootd_exec_t)
- ')
- 
- optional_policy(`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-3.2.5/policy/modules/services/snmp.te
---- nsaserefpolicy/policy/modules/services/snmp.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/snmp.te	2007-12-19 05:38:09.000000000 -0500
-@@ -81,8 +81,7 @@
- files_read_usr_files(snmpd_t)
- files_read_etc_runtime_files(snmpd_t)
- files_search_home(snmpd_t)
--files_getattr_boot_dirs(snmpd_t)
--files_dontaudit_getattr_home_dir(snmpd_t)
-+auth_read_all_dirs_except_shadow(snmpd_t)
- 
- fs_getattr_all_dirs(snmpd_t)
- fs_getattr_all_fs(snmpd_t)



