rpms/selinux-policy/F-9 policy-20071130.patch, 1.231, 1.232 selinux-policy.spec, 1.721, 1.722
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Oct 29 18:41:22 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21991
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Tue Oct 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-105
- Allow spamd to manage exim spool
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.231
retrieving revision 1.232
diff -u -r1.231 -r1.232
--- policy-20071130.patch 21 Oct 2008 18:32:05 -0000 1.231
+++ policy-20071130.patch 29 Oct 2008 18:40:50 -0000 1.232
@@ -7654,7 +7654,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/corenetwork.if.in 2008-10-29 11:08:45.000000000 -0400
@@ -1441,10 +1441,11 @@
#
interface(`corenet_tcp_bind_all_unreserved_ports',`
@@ -7665,15 +7665,16 @@
')
- allow $1 { port_type -reserved_port_type }:tcp_socket name_bind;
-+ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:udp_socket name_bind;
++ allow $1 { port_type -hi_reserved_port_t -reserved_port_t }:tcp_socket name_bind;
')
########################################
-@@ -1459,10 +1460,10 @@
+@@ -1459,10 +1460,11 @@
#
interface(`corenet_udp_bind_all_unreserved_ports',`
gen_require(`
- attribute port_type, reserved_port_type;
++ attribute port_type;
+ type hi_reserved_port_t, reserved_port_t;
')
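Review bot: The corrected TCP rule now names `hi_reserved_port_t` and `reserved_port_t` as types, so the `gen_require` of `corenet_tcp_bind_all_unreserved_ports` must declare `type hi_reserved_port_t, reserved_port_t;` in place of the old `attribute port_type, reserved_port_type;`, exactly as the UDP sibling does at the end of this hunk. That require block lies in the preceding hunk outside the visible lines; its +1 line-count change suggests it was updated, but it is worth confirming because a missing require only fails at module build time. The body of the TCP interface starts outside this hunk.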
@@ -8549,7 +8550,7 @@
# /emul
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-10-24 08:41:54.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -8562,7 +8563,32 @@
files_type($1)
')
-@@ -1266,6 +1271,24 @@
+@@ -1023,6 +1028,24 @@
+ ## </summary>
+ ## </param>
+ #
++interface(`files_relabel_all_file_type_fs',`
++ gen_require(`
++ attribute file_type;
++ ')
++
++ allow $1 file_type:filesystem { relabelfrom relabelto };
++')
++
++########################################
++## <summary>
++## Relabel a filesystem to the type of a file.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
+ interface(`files_relabelto_all_file_type_fs',`
+ gen_require(`
+ attribute file_type;
+@@ -1266,6 +1289,24 @@
########################################
## <summary>
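Review bot: The new `files_relabel_all_file_type_fs` interface is inserted directly under the pre-existing doc header of `files_relabelto_all_file_type_fs`, whose summary (repeated in the header added below it) reads "Relabel a filesystem to the type of a file." That wording covers only `relabelto`, while the new interface also grants `relabelfrom` on filesystem objects of every `file_type`, a noticeably wider permission. Change the summary above the new interface to `## Relabel a filesystem to and from the type of a file.` so the generated docs reflect the extra permission. The header preceding the new interface lies mostly outside this hunk.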
@@ -8587,7 +8613,7 @@
## Unmount a rootfs filesystem.
## </summary>
## <param name="domain">
-@@ -1852,6 +1875,26 @@
+@@ -1852,6 +1893,26 @@
########################################
## <summary>
@@ -8614,7 +8640,7 @@
## Do not audit attempts to write generic files in /etc.
## </summary>
## <param name="domain">
-@@ -2072,7 +2115,8 @@
+@@ -2072,7 +2133,8 @@
#
interface(`files_read_etc_runtime_files',`
gen_require(`
@@ -8624,7 +8650,7 @@
')
allow $1 etc_t:dir list_dir_perms;
-@@ -2114,7 +2158,8 @@
+@@ -2114,7 +2176,8 @@
#
interface(`files_rw_etc_runtime_files',`
gen_require(`
@@ -8634,7 +8660,7 @@
')
allow $1 etc_t:dir list_dir_perms;
-@@ -2136,7 +2181,8 @@
+@@ -2136,7 +2199,8 @@
#
interface(`files_manage_etc_runtime_files',`
gen_require(`
@@ -8644,7 +8670,7 @@
')
manage_files_pattern($1,{ etc_t etc_runtime_t },etc_runtime_t)
-@@ -2160,7 +2206,8 @@
+@@ -2160,7 +2224,8 @@
#
interface(`files_etc_filetrans_etc_runtime',`
gen_require(`
@@ -8654,7 +8680,7 @@
')
filetrans_pattern($1,etc_t,etc_runtime_t,$2)
-@@ -2187,6 +2234,49 @@
+@@ -2187,6 +2252,49 @@
########################################
## <summary>
@@ -8704,7 +8730,7 @@
## Do not audit attempts to search directories on new filesystems
## that have not yet been labeled.
## </summary>
-@@ -2707,6 +2797,24 @@
+@@ -2707,6 +2815,24 @@
########################################
## <summary>
@@ -8729,7 +8755,7 @@
## Create, read, write, and delete symbolic links in /mnt.
## </summary>
## <param name="domain">
-@@ -3357,6 +3465,8 @@
+@@ -3357,6 +3483,8 @@
delete_lnk_files_pattern($1,tmpfile,tmpfile)
delete_fifo_files_pattern($1,tmpfile,tmpfile)
delete_sock_files_pattern($1,tmpfile,tmpfile)
@@ -8738,7 +8764,7 @@
')
########################################
-@@ -3492,6 +3602,47 @@
+@@ -3492,6 +3620,47 @@
########################################
## <summary>
@@ -8786,7 +8812,7 @@
## Create, read, write, and delete files in the /usr directory.
## </summary>
## <param name="domain">
-@@ -3510,6 +3661,24 @@
+@@ -3510,6 +3679,24 @@
########################################
## <summary>
@@ -8811,7 +8837,7 @@
## Relabel a file to the type used in /usr.
## </summary>
## <param name="domain">
-@@ -4712,12 +4881,14 @@
+@@ -4712,12 +4899,14 @@
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -8827,7 +8853,7 @@
')
')
-@@ -4756,3 +4927,71 @@
+@@ -4756,3 +4945,71 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -11329,7 +11355,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-10-21 09:36:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-10-27 16:01:19.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -12701,7 +12727,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.3.1/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/avahi.te 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/avahi.te 2008-10-27 15:27:01.000000000 -0400
@@ -10,6 +10,12 @@
type avahi_exec_t;
init_daemon_domain(avahi_t,avahi_exec_t)
@@ -13944,12 +13970,12 @@
# Calendar (PCP) local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.fc serefpolicy-3.3.1/policy/modules/services/cron.fc
--- nsaserefpolicy/policy/modules/services/cron.fc 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/cron.fc 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/cron.fc 2008-10-28 08:37:49.000000000 -0400
@@ -17,6 +17,8 @@
/var/run/fcron\.fifo -s gen_context(system_u:object_r:crond_var_run_t,s0)
/var/run/fcron\.pid -- gen_context(system_u:object_r:crond_var_run_t,s0)
-+/var/spool/anacron(/.*) gen_context(system_u:object_r:system_cron_spool_t,s0)
++/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
+
/var/spool/at -d gen_context(system_u:object_r:cron_spool_t,s0)
/var/spool/at/spool -d gen_context(system_u:object_r:cron_spool_t,s0)
@@ -19167,8 +19193,8 @@
+/etc/rc\.d/init\.d/kerneloops -- gen_context(system_u:object_r:kerneloops_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.if serefpolicy-3.3.1/policy/modules/services/kerneloops.if
--- nsaserefpolicy/policy/modules/services/kerneloops.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if 2008-10-14 11:43:20.000000000 -0400
-@@ -0,0 +1,125 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerneloops.if 2008-10-22 16:50:48.000000000 -0400
+@@ -0,0 +1,140 @@
+
+## <summary>policy for kerneloops</summary>
+
@@ -19191,6 +19217,24 @@
+ domtrans_pattern($1,kerneloops_exec_t,kerneloops_t)
+')
+
++########################################
++## <summary>
++## Allow domain to manage kerneloops tmp files
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`kerneloops_manage_tmp_files',`
++ gen_require(`
++ type kerneloops_tmp_t;
++ ')
++
++ manage_files_pattern($1, kerneloops_tmp_t, kerneloops_tmp_t)
++ files_search_tmp($1)
++')
+
+########################################
+## <summary>
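Review bot: The `<param>` description of `kerneloops_manage_tmp_files` says `## Domain to not audit.`, which is the wording for a dontaudit interface; this one grants access, so it should read `## Domain allowed access.` like the other interfaces in this file. The summary would also be clearer as `## Allow domain to manage kerneloops temporary files.`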
@@ -19276,28 +19320,25 @@
+#
+interface(`kerneloops_admin',`
+ gen_require(`
-+ type kerneloops_t;
++ type kerneloops_t, kerneloops_initrc_exec_t;
++ type kerneloops_tmp_t;
+ ')
+
+ allow $1 kerneloops_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, kerneloops_t, kerneloops_t)
+
-+
-+ gen_require(`
-+ type kerneloops_script_exec_t;
-+ ')
-+
+ # Allow kerneloops_t to restart the apache service
+ kerneloops_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 kerneloops_script_exec_t system_r;
+ allow $2 system_r;
+
++ admin_pattern($1, kerneloops_tmp_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.3.1/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerneloops.te 2008-10-14 11:43:20.000000000 -0400
-@@ -0,0 +1,57 @@
++++ serefpolicy-3.3.1/policy/modules/services/kerneloops.te 2008-10-22 16:49:51.000000000 -0400
+@@ -0,0 +1,63 @@
+policy_module(kerneloops,1.0.0)
+
+########################################
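Review bot: `kerneloops_admin` still uses `kerneloops_script_exec_t` in its `role_transition`, but the only `gen_require` that declared it is removed here and the new require lists `kerneloops_initrc_exec_t` instead, a type that kerneloops.te as shown in this patch does not declare (it declares `kerneloops_script_exec_t`). Unless `kerneloops_initrc_exec_t` is defined elsewhere, the require should be `type kerneloops_t, kerneloops_script_exec_t;` so callers of the interface still build. The `admin_pattern($1, kerneloops_tmp_t)` addition itself is consistent with the new tmp type.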
@@ -19313,6 +19354,9 @@
+type kerneloops_script_exec_t;
+init_script_file(kerneloops_script_exec_t)
+
++type kerneloops_tmp_t;
++files_tmp_file(kerneloops_tmp_t)
++
+########################################
+#
+# kerneloops local policy
@@ -19336,6 +19380,9 @@
+corenet_tcp_bind_http_port(kerneloops_t)
+corenet_tcp_connect_http_port(kerneloops_t)
+
++manage_files_pattern(kerneloops_t, kerneloops_tmp_t, kerneloops_tmp_t)
++files_tmp_filetrans(kerneloops_t,kerneloops_tmp_t,file)
++
+files_read_etc_files(kerneloops_t)
+
+kernel_read_ring_buffer(kerneloops_t)
@@ -20180,7 +20227,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.3.1/policy/modules/services/munin.te
--- nsaserefpolicy/policy/modules/services/munin.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/munin.te 2008-10-28 19:45:45.000000000 -0400
@@ -25,26 +25,33 @@
type munin_var_run_t alias lrrd_var_run_t;
files_pid_file(munin_var_run_t)
@@ -20231,7 +20278,7 @@
corenet_all_recvfrom_unlabeled(munin_t)
corenet_all_recvfrom_netlabel(munin_t)
-@@ -73,27 +82,37 @@
+@@ -73,27 +82,38 @@
corenet_udp_sendrecv_all_nodes(munin_t)
corenet_tcp_sendrecv_all_ports(munin_t)
corenet_udp_sendrecv_all_ports(munin_t)
@@ -20244,7 +20291,7 @@
dev_read_urand(munin_t)
domain_use_interactive_fds(munin_t)
-+domain_dontaudit_read_all_domains_state(munin_t)
++domain_read_all_domains_state(munin_t)
files_read_etc_files(munin_t)
files_read_etc_runtime_files(munin_t)
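Review bot: Replacing `domain_dontaudit_read_all_domains_state(munin_t)` with `domain_read_all_domains_state(munin_t)` turns a silenced denial into a real grant: munin may now read the process state of every domain on the system rather than only its own. If a specific plugin needs this, a one-line comment naming it would justify the widening, e.g. `# munin process plugins read the state of other domains`; otherwise the dontaudit was the safer default.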
@@ -20253,9 +20300,10 @@
fs_getattr_all_fs(munin_t)
fs_search_auto_mountpoints(munin_t)
-
-+auth_use_nsswitch(munin_t)
++fs_list_inotifyfs(munin_t)
+
++auth_use_nsswitch(munin_t)
+
libs_use_ld_so(munin_t)
libs_use_shared_libs(munin_t)
@@ -20270,7 +20318,7 @@
userdom_dontaudit_use_unpriv_user_fds(munin_t)
userdom_dontaudit_search_sysadm_home_dirs(munin_t)
-@@ -108,7 +127,21 @@
+@@ -108,7 +128,21 @@
')
optional_policy(`
@@ -20293,7 +20341,7 @@
')
optional_policy(`
-@@ -118,3 +151,9 @@
+@@ -118,3 +152,9 @@
optional_policy(`
udev_read_db(munin_t)
')
@@ -24230,7 +24278,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-10-29 10:47:47.000000000 -0400
@@ -71,7 +71,7 @@
# PPPD Local policy
#
@@ -24321,7 +24369,7 @@
miscfiles_read_localization(pptp_t)
sysnet_read_config(pptp_t)
-+sysnet_exec_ifconfig(pppd_t)
++sysnet_exec_ifconfig(pptp_t)
userdom_dontaudit_use_unpriv_user_fds(pptp_t)
userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
@@ -24565,8 +24613,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-10-14 11:43:20.000000000 -0400
-@@ -0,0 +1,325 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-10-24 09:28:40.000000000 -0400
+@@ -0,0 +1,338 @@
+
+policy_module(prelude, 1.0.0)
+
@@ -24638,7 +24686,7 @@
+# prelude local policy
+#
+
-+allow prelude_t self:capability sys_tty_config;
++allow prelude_t self:capability { dac_override sys_tty_config };
+allow prelude_t self:fifo_file rw_file_perms;
+allow prelude_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_t self:netlink_route_socket r_netlink_socket_perms;
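Review bot: `dac_override` is added to `prelude_t` here and, in the next two hunks, to `prelude_audisp_t` and `prelude_correlator_t`, with no comment saying which file each daemon fails to open. This capability bypasses every DAC permission check, so it usually masks a file-ownership or mode problem that is better fixed in the package, and it widens what a compromised daemon can reach. If it is genuinely required, note the reason inline once identified, e.g. `# dac_override: opens <path, to be confirmed> owned by root while running unprivileged`.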
@@ -24707,7 +24755,7 @@
+#
+# prelude_audisp local policy
+#
-+
++allow prelude_audisp_t self:capability dac_override;
+allow prelude_audisp_t self:fifo_file rw_file_perms;
+allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -24755,15 +24803,17 @@
+# prelude_correlator local policy
+#
+
++allow prelude_correlator_t self:capability dac_override;
+allow prelude_correlator_t self:netlink_route_socket r_netlink_socket_perms;
+allow prelude_correlator_t self:tcp_socket create_stream_socket_perms;
+allow prelude_correlator_t self:unix_dgram_socket create_socket_perms;
+
++allow prelude_correlator_t prelude_correlator_config_t:dir list_dir_perms;
+read_files_pattern(prelude_correlator_t, prelude_correlator_config_t, prelude_correlator_config_t)
+
+prelude_manage_spool(prelude_correlator_t)
+
-+corecmd_search_sbin(prelude_correlator_t)
++corecmd_search_bin(prelude_correlator_t)
+
+corenet_all_recvfrom_unlabeled(prelude_correlator_t)
+corenet_all_recvfrom_netlabel(prelude_correlator_t)
@@ -24771,6 +24821,8 @@
+corenet_tcp_sendrecv_all_nodes(prelude_correlator_t)
+corenet_tcp_connect_prelude_port(prelude_correlator_t)
+
++kernel_read_sysctl(prelude_correlator_t)
++
+dev_read_rand(prelude_correlator_t)
+dev_read_urand(prelude_correlator_t)
+
@@ -24818,7 +24870,7 @@
+manage_files_pattern(prelude_lml_t, prelude_lml_var_run_t, prelude_lml_var_run_t)
+files_pid_filetrans(prelude_lml_t, prelude_lml_var_run_t, file)
+
-+corecmd_search_bin(prelude_lml_t)
++corecmd_exec_bin(prelude_lml_t)
+
+corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+corenet_tcp_sendrecv_all_nodes(prelude_lml_t)
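Review bot: Changing `corecmd_search_bin(prelude_lml_t)` to `corecmd_exec_bin(prelude_lml_t)` lets the log-monitor daemon execute any `bin_t` program rather than merely search the directories, and nothing says which helper it runs. If a single known helper is the trigger, a dedicated domain transition or a narrower interface keeps lml's reach small; if executing arbitrary `bin_t` is really needed, document it, e.g. `# lml execs helper programs labelled bin_t`.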
@@ -24830,6 +24882,8 @@
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
++kernel_read_sysctl(prelude_lml_t)
++
+files_list_etc(prelude_lml_t)
+files_read_etc_files(prelude_lml_t)
+files_read_etc_runtime_files(prelude_lml_t)
@@ -24839,6 +24893,8 @@
+files_search_var_lib(prelude_lml_t)
+
+fs_list_inotifyfs(prelude_lml_t)
++fs_read_anon_inodefs_files(prelude_lml_t)
++fs_rw_anon_inodefs_files(prelude_lml_t)
+
+auth_use_nsswitch(prelude_lml_t)
+
@@ -24854,6 +24910,8 @@
+
+sysnet_dns_name_resolve(prelude_lml_t)
+
++userdom_read_all_users_state(prelude_lml_t)
++
+optional_policy(`
+ gamin_exec(prelude_lml_t)
+')
@@ -24870,10 +24928,13 @@
+
+optional_policy(`
+ apache_content_template(prewikka)
-+ files_search_tmp(httpd_prewikka_script_t)
+ files_read_etc_files(httpd_prewikka_script_t)
++ files_search_tmp(httpd_prewikka_script_t)
+
-+ apache_search_sys_content(httpd_prewikka_script_t)
++ kernel_read_sysctl(httpd_prewikka_script_t)
++ kernel_search_network_sysctl(httpd_prewikka_script_t)
++
++ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
+
+ corenet_tcp_connect_postgresql_port(httpd_prewikka_script_t)
+
@@ -24881,7 +24942,7 @@
+
+ logging_send_syslog_msg(httpd_prewikka_script_t)
+
-+ can_exec(httpd_prewikka_script_t, httpd_prewikka_script_exec_t)
++ apache_search_sys_content(httpd_prewikka_script_t)
+
+ optional_policy(`
+ mysql_search_db(httpd_prewikka_script_t)
@@ -26840,7 +26901,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-21 13:55:35.000000000 -0400
@@ -17,6 +17,13 @@
## <desc>
@@ -26985,16 +27046,18 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -320,6 +346,8 @@
+@@ -320,6 +346,10 @@
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
++usermanage_read_crack_db(smbd_t)
++
+term_use_ptmx(smbd_t)
+
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -340,6 +368,25 @@
+@@ -340,6 +370,25 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -27020,7 +27083,7 @@
')
optional_policy(`
-@@ -363,6 +410,12 @@
+@@ -363,6 +412,12 @@
udev_read_db(smbd_t)
')
@@ -27033,7 +27096,7 @@
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
auth_read_all_files_except_shadow(smbd_t)
-@@ -391,7 +444,7 @@
+@@ -391,7 +446,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -27042,7 +27105,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +456,7 @@
+@@ -403,8 +458,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -27052,7 +27115,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +491,7 @@
+@@ -439,6 +493,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -27060,7 +27123,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +575,7 @@
+@@ -522,6 +577,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -27068,7 +27131,7 @@
corecmd_list_bin(smbmount_t)
-@@ -533,41 +587,50 @@
+@@ -533,41 +589,50 @@
auth_use_nsswitch(smbmount_t)
@@ -27129,7 +27192,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +640,9 @@
+@@ -577,7 +642,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -27140,7 +27203,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -602,10 +667,12 @@
+@@ -602,10 +669,12 @@
dev_read_urand(swat_t)
@@ -27153,7 +27216,7 @@
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -614,6 +681,7 @@
+@@ -614,6 +683,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -27161,7 +27224,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -631,6 +699,17 @@
+@@ -631,6 +701,17 @@
kerberos_use(swat_t)
')
@@ -27179,7 +27242,7 @@
########################################
#
# Winbind local policy
-@@ -673,12 +752,15 @@
+@@ -673,12 +754,15 @@
manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
@@ -27195,7 +27258,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -764,8 +846,13 @@
+@@ -764,8 +848,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@@ -27209,7 +27272,7 @@
')
########################################
-@@ -774,19 +861,64 @@
+@@ -774,19 +863,64 @@
#
optional_policy(`
@@ -29106,7 +29169,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.3.1/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/spamassassin.te 2008-10-28 08:44:03.000000000 -0400
@@ -21,8 +21,10 @@
gen_tunable(spamd_enable_home_dirs,true)
@@ -29222,7 +29285,7 @@
fs_manage_cifs_files(spamd_t)
')
-@@ -171,6 +219,7 @@
+@@ -171,10 +219,15 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -29230,7 +29293,15 @@
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -198,6 +247,11 @@
+ optional_policy(`
++ exim_manage_spool(spamd_t)
++')
++
++optional_policy(`
+ mysql_search_db(spamd_t)
+ mysql_stream_connect(spamd_t)
+ ')
+@@ -198,6 +251,11 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -29242,7 +29313,7 @@
')
optional_policy(`
-@@ -212,3 +266,216 @@
+@@ -212,3 +270,216 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -30265,7 +30336,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tor.te serefpolicy-3.3.1/policy/modules/services/tor.te
--- nsaserefpolicy/policy/modules/services/tor.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/tor.te 2008-10-14 11:43:20.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/tor.te 2008-10-24 08:19:23.000000000 -0400
@@ -26,11 +26,15 @@
type tor_var_run_t;
files_pid_file(tor_var_run_t)
@@ -30278,7 +30349,7 @@
# tor local policy
#
-+allow tor_t self:capability { setgid setuid };
++allow tor_t self:capability { setgid setuid sys_tty_config };
allow tor_t self:fifo_file { read write };
allow tor_t self:unix_stream_socket create_stream_socket_perms;
allow tor_t self:netlink_route_socket r_netlink_socket_perms;
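Review bot: `sys_tty_config` is added as an allow on `tor_t`, while the same capability is handled with a dontaudit elsewhere in this patch (the logging.te context shows `dontaudit syslogd_t self:capability sys_tty_config;`). Daemons typically trip this capability through a harmless ioctl on their controlling terminal, so unless Tor genuinely configures a tty, `dontaudit tor_t self:capability sys_tty_config;` on its own line silences the denial without granting it.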
@@ -33786,7 +33857,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-10-20 14:36:17.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-10-29 14:03:49.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@@ -33982,7 +34053,19 @@
logging_send_syslog_msg(initrc_t)
logging_manage_generic_logs(initrc_t)
logging_read_all_logs(initrc_t)
-@@ -478,6 +518,7 @@
+@@ -414,6 +454,11 @@
+ # happens during boot (/sbin/rc execs init scripts)
+ seutil_read_default_contexts(initrc_t)
+
++ # /lib/rcscripts/net/system.sh rewrites resolv.conf :(
++ sysnet_create_config(initrc_t)
++ sysnet_write_config(initrc_t)
++ sysnet_setattr_config(initrc_t)
++
+ optional_policy(`
+ arpwatch_manage_data_files(initrc_t)
+ ')
+@@ -478,6 +523,7 @@
optional_policy(`
#for /etc/rc.d/init.d/nfs to create /etc/exports
rpc_write_exports(initrc_t)
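Review bot: The three `sysnet_*_config(initrc_t)` grants let every init script running as `initrc_t` create, write and chmod network configuration such as resolv.conf; the added comment names a Gentoo rc script as the reason, but the enclosing block starts outside this hunk, so it is not visible whether the grant sits inside a distro-specific `ifdef` as the `/sbin/rc` context lines suggest. If it does not, wrapping it in `ifdef(`distro_gentoo',` … `')` keeps the widening off other distributions.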
@@ -33990,7 +34073,7 @@
')
optional_policy(`
-@@ -496,6 +537,31 @@
+@@ -496,6 +542,31 @@
')
')
@@ -34022,7 +34105,7 @@
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,16 +620,12 @@
+@@ -554,16 +625,12 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -34043,7 +34126,7 @@
')
optional_policy(`
-@@ -639,12 +701,6 @@
+@@ -639,12 +706,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -34056,7 +34139,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -705,6 +761,9 @@
+@@ -705,6 +766,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -34066,7 +34149,7 @@
')
optional_policy(`
-@@ -717,9 +776,11 @@
+@@ -717,9 +781,11 @@
squid_manage_logs(initrc_t)
')
@@ -34081,7 +34164,7 @@
')
optional_policy(`
-@@ -738,6 +799,11 @@
+@@ -738,6 +804,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -34093,7 +34176,7 @@
optional_policy(`
unconfined_domain(initrc_t)
-@@ -752,6 +818,10 @@
+@@ -752,6 +823,10 @@
')
optional_policy(`
@@ -34104,7 +34187,7 @@
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -774,3 +844,4 @@
+@@ -774,3 +849,4 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -34786,7 +34869,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.3.1/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-10-15 17:44:59.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.te 2008-10-27 14:56:48.000000000 -0400
@@ -61,10 +61,29 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@@ -34817,15 +34900,7 @@
########################################
#
# Auditctl local policy
-@@ -84,6 +103,7 @@
- kernel_read_kernel_sysctls(auditctl_t)
- kernel_read_proc_symlinks(auditctl_t)
-
-+
- domain_read_all_domains_state(auditctl_t)
- domain_use_interactive_fds(auditctl_t)
-
-@@ -112,6 +132,7 @@
+@@ -112,6 +131,7 @@
allow auditd_t self:file { getattr read write };
allow auditd_t self:unix_dgram_socket create_socket_perms;
allow auditd_t self:fifo_file rw_file_perms;
@@ -34833,7 +34908,7 @@
allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
-@@ -133,9 +154,18 @@
+@@ -133,9 +153,18 @@
fs_getattr_all_fs(auditd_t)
fs_search_auto_mountpoints(auditd_t)
@@ -34852,7 +34927,7 @@
# Needs to be able to run dispatcher. see /etc/audit/auditd.conf
# Probably want a transition, and a new auditd_helper app
corecmd_exec_bin(auditd_t)
-@@ -150,6 +180,8 @@
+@@ -150,6 +179,8 @@
logging_set_audit_parameters(auditd_t)
logging_send_syslog_msg(auditd_t)
@@ -34861,7 +34936,7 @@
libs_use_ld_so(auditd_t)
libs_use_shared_libs(auditd_t)
-@@ -158,9 +190,12 @@
+@@ -158,9 +189,12 @@
mls_file_read_all_levels(auditd_t)
mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
@@ -34874,7 +34949,7 @@
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
-@@ -171,6 +206,10 @@
+@@ -171,6 +205,10 @@
')
optional_policy(`
@@ -34885,7 +34960,7 @@
seutil_sigchld_newrole(auditd_t)
')
-@@ -208,6 +247,7 @@
+@@ -208,6 +246,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
@@ -34893,7 +34968,7 @@
domain_use_interactive_fds(klogd_t)
-@@ -252,7 +292,6 @@
+@@ -252,7 +291,6 @@
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
allow syslogd_t self:process { signal_perms setpgid };
@@ -34901,16 +34976,7 @@
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
-@@ -262,7 +301,7 @@
- allow syslogd_t self:tcp_socket create_stream_socket_perms;
-
- allow syslogd_t syslog_conf_t:file read_file_perms;
--
-+
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
- files_pid_filetrans(syslogd_t,devlog_t,sock_file)
-@@ -274,6 +313,9 @@
+@@ -274,6 +312,9 @@
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
@@ -34920,7 +34986,7 @@
# manage temporary files
manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
-@@ -289,12 +331,14 @@
+@@ -289,6 +330,7 @@
manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
@@ -34928,13 +34994,15 @@
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
- kernel_read_messages(syslogd_t)
+@@ -296,6 +338,8 @@
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
-+files_read_kernel_symbol_table(syslogd_t)
++files_read_kernel_symbol_table(syslogd_t)
++
dev_filetrans(syslogd_t,devlog_t,sock_file)
dev_read_sysfs(syslogd_t)
+
@@ -327,6 +371,8 @@
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
@@ -35003,6 +35071,7 @@
+
+## internal communication is often done using fifo and unix sockets.
+allow audisp_t self:fifo_file rw_file_perms;
++allow audisp_t self:unix_dgram_socket create_socket_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
@@ -35021,7 +35090,6 @@
+mls_file_write_all_levels(audisp_t)
+
+corecmd_search_bin(audisp_t)
-+allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+sysnet_dns_name_resolve(audisp_t)
+
@@ -35558,7 +35626,7 @@
samba_run_smbmount($1, $2, $3)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.3.1/policy/modules/system/mount.te
--- nsaserefpolicy/policy/modules/system/mount.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-10-20 11:20:36.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/mount.te 2008-10-24 08:41:12.000000000 -0400
@@ -18,17 +18,18 @@
init_system_domain(mount_t,mount_exec_t)
role system_r types mount_t;
@@ -35634,6 +35702,15 @@
term_use_all_terms(mount_t)
+@@ -87,7 +95,7 @@
+ files_mounton_all_mountpoints(mount_t)
+ files_unmount_rootfs(mount_t)
+ # These rules need to be generalized. Only admin, initrc should have it:
+-files_relabelto_all_file_type_fs(mount_t)
++files_relabel_all_file_type_fs(mount_t)
+ files_mount_all_file_type_fs(mount_t)
+ files_unmount_all_file_type_fs(mount_t)
+ # for when /etc/mtab loses its type
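Review bot: Switching `mount_t` from `files_relabelto_all_file_type_fs` to `files_relabel_all_file_type_fs` adds `relabelfrom` on filesystem objects of every `file_type`, directly under the existing comment saying these rules should be narrowed to admin and initrc. A short why-comment on the changed line would help future reviewers, e.g. `# relabelfrom needed when remounting with a different context= option` if that is the trigger, or the actual denial once confirmed.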
@@ -100,6 +108,8 @@
init_use_fds(mount_t)
init_use_script_ptys(mount_t)
@@ -38299,7 +38376,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-15 11:50:09.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-10-28 09:54:16.000000000 -0400
@@ -29,9 +29,14 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.721
retrieving revision 1.722
diff -u -r1.721 -r1.722
--- selinux-policy.spec 21 Oct 2008 18:32:06 -0000 1.721
+++ selinux-policy.spec 29 Oct 2008 18:40:51 -0000 1.722
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 104%{?dist}
+Release: 105%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -309,11 +309,6 @@
[ "${SELINUXTYPE}" != "targeted" ] && exit 0
setsebool -P use_nfs_home_dirs=1
semanage user -l | grep -s unconfined_u
-if [ $? -eq 0 ]; then
- semanage user -m -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-else
- semanage user -a -P user -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u 2> /dev/null
-fi
seuser=`semanage login -l | grep __default__ | awk '{ print $2 }'`
[ "$seuser" != "unconfined_u" ] && semanage login -m -s "unconfined_u" -r s0-s0:c0.c1023 __default__
seuser=`semanage login -l | grep root | awk '{ print $2 }'`
@@ -387,6 +382,9 @@
%endif
%changelog
+* Tue Oct 28 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-105
+- Allow spamd to manage exim spool
+
* Mon Oct 20 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-104
- Remove mod_fcgid-selinux package