rpms/selinux-policy/devel modules-mls.conf, 1.35, 1.36 modules-targeted.conf, 1.99, 1.100 policy-20080710.patch, 1.36, 1.37

Daniel J Walsh dwalsh at fedoraproject.org
Thu Sep 18 14:19:37 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19722

Modified Files:
	modules-mls.conf modules-targeted.conf policy-20080710.patch 
Log Message:
* Thu Sep 11 2008 Dan Walsh <dwalsh at redhat.com> 3.5.8-1
- Merge upstream changes
- Add Xavier Toth patches



Index: modules-mls.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -r1.35 -r1.36
--- modules-mls.conf	12 Sep 2008 14:21:04 -0000	1.35
+++ modules-mls.conf	18 Sep 2008 14:19:06 -0000	1.36
@@ -161,7 +161,7 @@
 #
 # Virtual Private Networking client
 # 
-vpn = base
+vpn = module
 
 # Layer: admin
 # Module: su
@@ -189,7 +189,7 @@
 #
 # Automated backup program.
 # 
-amanda = base
+amanda = module
 
 # Layer: admin
 # Module: logrotate
@@ -232,14 +232,14 @@
 #
 # Digital Certificate Tracking
 # 
-certwatch = base
+certwatch = module
 
 # Layer: admin
 # Module: tmpreaper
 #
 # Manage temporary directory sizes and file ages
 # 
-tmpreaper = base
+tmpreaper = module
 
 # Layer: admin
 # Module: dmidecode
@@ -253,7 +253,7 @@
 #
 # Policy for GNU Privacy Guard and related programs.
 # 
-gpg = base
+gpg = module
 
 # Layer: apps
 # Module: loadkeys
@@ -267,7 +267,7 @@
 #
 # Web server log analysis
 # 
-webalizer = base
+webalizer = module
 
 # Layer: kernel
 # Module: bootloader
@@ -288,7 +288,7 @@
 #
 # Policy for NIS (YP) servers and clients
 # 
-nis = base
+nis = module
 
 # Layer: services
 # Module: distcc
@@ -302,7 +302,7 @@
 #
 # Remote shell service.
 # 
-rshd = base
+rshd = module
 
 # Layer: services
 # Module: cpucontrol
@@ -323,35 +323,35 @@
 #
 # Berkeley internet name domain DNS server.
 # 
-bind = base
+bind = module
 
 # Layer: services
 # Module: canna
 #
 # Canna - kana-kanji conversion server
 # 
-canna = base
+canna = module
 
 # Layer: services
 # Module: uucp
 #
 # Unix to Unix Copy
 # 
-uucp = base
+uucp = module
 
 # Layer: services
 # Module: sasl
 #
 # SASL authentication server
 # 
-sasl = base
+sasl = module
 
 # Layer: services
 # Module: pegasus
 #
 # The Open Group Pegasus CIM/WBEM Server.
 # 
-pegasus = base
+pegasus = module
 
 # Layer: services
 # Module: cron
@@ -374,7 +374,7 @@
 # name  Service  Switch  daemon for resolving names
 # from Windows NT servers.
 # 
-samba = base
+samba = module
 
 # Layer: services
 # Module: dbus
@@ -388,21 +388,21 @@
 #
 # Port of Apple Rendezvous multicast DNS
 # 
-howl = base
+howl = module
 
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
-postgresql = base
+postgresql = module
 
 # Layer: services
 # Module: snmp
 #
 # Simple network management protocol services
 # 
-snmp = base
+snmp = module
 
 # Layer: services
 # Module: remotelogin
@@ -430,56 +430,56 @@
 #
 # Mailman is for managing electronic mail discussion and e-newsletter lists
 # 
-mailman = base
+mailman = module
 
 # Layer: services
 # Module: dbskk
 #
 # Dictionary server for the SKK Japanese input method system.
 # 
-dbskk = base
+dbskk = module
 
 # Layer: services
 # Module: ldap
 #
 # OpenLDAP directory server
 # 
-ldap = base
+ldap = module
 
 # Layer: services
 # Module: tftp
 #
 # Trivial file transfer protocol daemon
 # 
-tftp = base
+tftp = module
 
 # Layer: services
 # Module: portmap
 #
 # RPC port mapping service.
 # 
-portmap = base
+portmap = module
 
 # Layer: services
 # Module: arpwatch
 #
 # Ethernet activity monitor.
 # 
-arpwatch = base
+arpwatch = module
 
 # Layer: services
 # Module: dovecot
 #
 # Dovecot POP and IMAP mail server
 # 
-dovecot = base
+dovecot = module
 
 # Layer: services
 # Module: cups
 #
 # Common UNIX printing system
 # 
-cups = base
+cups = module
 
 # Layer: services
 # Module: networkmanager
@@ -493,35 +493,35 @@
 #
 # Internet News NNTP server
 # 
-inn = base
+inn = module
 
 # Layer: services
 # Module: sysstat
 #
 # Policy for sysstat. Reports on various system states
 # 
-sysstat = base
+sysstat = module
 
 # Layer: services
 # Module: comsat
 #
 # Comsat, a biff server.
 # 
-comsat = base
+comsat = module
 
 # Layer: services
 # Module: squid
 #
 # Squid caching http proxy server
 # 
-squid = base
+squid = module
 
 # Layer: services
 # Module: zebra
 #
 # Zebra border gateway protocol network routing service
 # 
-zebra = base
+zebra = module
 
 # Layer: services
 # Module: xfs
@@ -535,35 +535,35 @@
 #
 # KDE Talk daemon
 # 
-ktalk = base
+ktalk = module
 
 # Layer: services
 # Module: procmail
 #
 # Procmail mail delivery agent
 # 
-procmail = base
+procmail = module
 
 # Layer: services
 # Module: lpd
 #
 # Line printer daemon
 # 
-lpd = base
+lpd = module
 
 # Layer: services
 # Module: cyrus
 #
 # Cyrus is an IMAP service intended to be run on sealed servers
 # 
-cyrus = base
+cyrus = module
 
 # Layer: services
 # Module: rdisc
 #
 # Network router discovery daemon
 # 
-rdisc = base
+rdisc = module
 
 # Layer: services
 # Module: xserver
@@ -584,21 +584,21 @@
 #
 # Point to Point Protocol daemon creates links in ppp networks
 # 
-ppp = base
+ppp = module
 
 # Layer: services
 # Module: ftp
 #
 # File transfer protocol service
 # 
-ftp = base
+ftp = module
 
 # Layer: services
 # Module: gpm
 #
 # General Purpose Mouse driver
 # 
-gpm = base
+gpm = module
 
 # Layer: services
 # Module: mta
@@ -612,28 +612,28 @@
 #
 # Postfix email server
 # 
-postfix = base
+postfix = module
 
 # Layer: services
 # Module: fetchmail
 #
 # Remote-mail retrieval and forwarding utility
 # 
-fetchmail = base
+fetchmail = module
 
 # Layer: services
 # Module: ntp
 #
 # Network time protocol daemon
 # 
-ntp = base
+ntp = module
 
 # Layer: services
 # Module: bluetooth
 #
 # Bluetooth tools and system services.
 # 
-bluetooth = base
+bluetooth = module
 
 # Layer: services
 # Module: hal
@@ -647,7 +647,7 @@
 #
 # mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
 # 
-avahi = base
+avahi = module
 
 # Layer: services
 # Module: rpc
@@ -661,35 +661,35 @@
 #
 # Apache web server
 # 
-apache = base
+apache = module
 
 # Layer: services
 # Module: rsync
 #
 # Fast incremental file transfer for synchronization
 # 
-rsync = base
+rsync = module
 
 # Layer: services
 # Module: automount
 #
 # Filesystem automounter service.
 # 
-automount = base
+automount = module
 
 # Layer: services
 # Module: kerberos
 #
 # MIT Kerberos admin and KDC
 # 
-kerberos = base
+kerberos = module
 
 # Layer: services
 # Module: dhcp
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
-dhcp = base
+dhcp = module
 
 # Layer: services
 # Module: ssh
@@ -710,42 +710,42 @@
 #
 # Policy for MySQL
 # 
-mysql = base
+mysql = module
 
 # Layer: services
 # Module: dictd
 #
 # Dictionary daemon
 # 
-dictd = base
+dictd = module
 
 # Layer: services
 # Module: finger
 #
 # Finger user information service.
 # 
-finger = base
+finger = module
 
 # Layer: services
 # Module: radius
 #
 # RADIUS authentication and accounting server.
 # 
-radius = base
+radius = module
 
 # Layer: services
 # Module: spamassassin
 #
 # Filter used for removing unsolicited email.
 # 
-spamassassin = base
+spamassassin = module
 
 # Layer: services
 # Module: radvd
 #
 # IPv6 router advertisement daemon
 # 
-radvd = base
+radvd = module
 
 # Layer: services
 # Module: apm
@@ -767,35 +767,35 @@
 #
 # Policy for TCP daemon.
 # 
-tcpd = base
+tcpd = module
 
 # Layer: services
 # Module: stunnel
 #
 # SSL Tunneling Proxy
 # 
-stunnel = base
+stunnel = module
 
 # Layer: services
 # Module: privoxy
 #
 # Privacy enhancing web proxy.
 # 
-privoxy = base
+privoxy = module
 
 # Layer: services
 # Module: cvs
 #
 # Concurrent versions system
 # 
-cvs = base
+cvs = module
 
 # Layer: services
 # Module: rlogin
 #
 # Remote login daemon
 # 
-rlogin = base
+rlogin = module
 
 # Layer: system
 # Module: application
@@ -965,7 +965,7 @@
 #
 # TCP/IP encryption
 # 
-ipsec = base
+ipsec = module
 
 # Layer: apps
 # Module: java
@@ -986,7 +986,7 @@
 #
 # locate executable
 # 
-slocate = base
+slocate = module
 
 # Layer: services
 # Module: logwatch
@@ -1008,14 +1008,14 @@
 #
 # Policy for OPENVPN full-featured SSL VPN solution
 # 
-openvpn = base
+openvpn = module
 
 # Layer: services
 # Module: smartmon
 #
 # Smart disk monitoring daemon policy
 # 
-smartmon = base
+smartmon = module
 
 # Layer: system
 # Module: netlabel
@@ -1023,14 +1023,14 @@
 #
 # Basic netlabel types and interfaces.
 # 
-netlabel = base
+netlabel = module
 
 # Layer: services
 # Module: aide
 #
 # Policy for aide
 # 
-aide = base
+aide = module
 
 # Layer: service
 # Module: pcscd
@@ -1131,16 +1131,31 @@
 rpcbind = module
 
 
+# Layer: apps
+# Module: wm
+#
+# X windows window manager
+# 
+wm = module
+
 # Layer: services
-# Module: xserver
+# Module: virt
 #
-# X windows login display manager
+# Virtualization libraries
 # 
-xserver = module
+virt = module
 
 # Layer: apps
-# Module: wm
+# Module: qemu
 #
-# X windows window manager
+# Virtualization emulator 
 # 
-wm = module
+qemu = module
+
+# Layer: system
+# Module: brctl
+#
+# Utilities for configuring the linux ethernet bridge
+# 
+brctl = base
+
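Review bot: `brctl = base` at the end of this hunk puts the new module into base, while the other three entries added here (`wm`, `virt`, `qemu`) are `module` and every other change in this file moves a service out of base; neither the stanza nor the log message says why. The same unexplained direction appears in modules-targeted.conf, where `hal` and `remotelogin` go from `module` to `base` and `quota` goes from `off` to `base`. Policy compiled into base is not separately removable the way a loadable module is, so these choices should carry their reason next to them. I would add a comment line such as `# Required in base: <reason>` to each of the four stanzas.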


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- modules-targeted.conf	17 Sep 2008 23:56:23 -0000	1.99
+++ modules-targeted.conf	18 Sep 2008 14:19:06 -0000	1.100
@@ -108,7 +108,7 @@
 #
 # Filesystem automounter service.
 # 
-automount = base
+automount = module
 
 # Layer: services
 # Module: avahi
@@ -331,7 +331,7 @@
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
-dhcp = base
+dhcp = module
 
 # Layer: services
 # Module: dictd
@@ -374,7 +374,7 @@
 #
 # Dovecot POP and IMAP mail server
 # 
-dovecot = base
+dovecot = module
 
 # Layer: apps
 # Module: gpg
@@ -489,7 +489,7 @@
 #
 # Hardware abstraction layer
 # 
-hal = module
+hal = base
 
 # Layer: services
 # Module: polkit
@@ -741,7 +741,7 @@
 #
 # mono executable
 # 
-mono = base
+mono = module
 
 # Layer: system
 # Module: mount
@@ -785,7 +785,6 @@
 # 
 mrtg = module
 
-
 # Layer: services
 # Module: mta
 #
@@ -985,7 +984,7 @@
 #
 # File system quota management
 # 
-quota = off
+quota = base
 
 # Layer: system
 # Module: raid
@@ -1027,7 +1026,7 @@
 #
 # X windows login display manager
 # 
-rhgb = base
+rhgb = module
 
 # Layer: services
 # Module: rdisc
@@ -1041,7 +1040,7 @@
 #
 # Policy for rshd, rlogind, and telnetd.
 # 
-remotelogin = module
+remotelogin = base
 
 # Layer: services
 # Module: ricci
@@ -1446,7 +1445,7 @@
 #
 # Virtual Private Networking client
 # 
-vpn = base
+vpn = module
 
 # Layer: admin
 # Module: vbetool
@@ -1663,3 +1662,12 @@
 #  high-performance memory object caching system
 # 
 memcached = module
+
+# Layer: system
+# Module: netlabel
+# Required in base
+#
+# Basic netlabel types and interfaces.
+# 
+netlabel = module
+
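Review bot: The new netlabel stanza says `# Required in base` but sets `netlabel = module`, so the comment and the value contradict each other. modules-mls.conf in this same commit also moves `netlabel` from `base` to `module` (hunk at `@@ -1023,14 +1023,14 @@`), which suggests the value is intended and the comment is stale, though the diff alone cannot confirm that. Either drop the `# Required in base` line, or, if the netlabel types really must live in base, change the assignment to `netlabel = base`.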

policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -r1.36 -r1.37
--- policy-20080710.patch	17 Sep 2008 23:56:23 -0000	1.36
+++ policy-20080710.patch	18 Sep 2008 14:19:06 -0000	1.37
@@ -26600,7 +26600,7 @@
  /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/ssh.if	2008-09-17 08:49:09.000000000 -0400
++++ serefpolicy-3.5.8/policy/modules/services/ssh.if	2008-09-18 08:51:19.000000000 -0400
 @@ -36,6 +36,7 @@
  	gen_require(`
  		attribute ssh_server;
@@ -26660,15 +26660,16 @@
  
  	corenet_all_recvfrom_unlabeled($1_ssh_t)
  	corenet_all_recvfrom_netlabel($1_ssh_t)
-@@ -115,6 +118,7 @@
+@@ -115,6 +118,8 @@
  	corenet_tcp_sendrecv_all_ports($1_ssh_t)
  	corenet_tcp_connect_ssh_port($1_ssh_t)
  	corenet_sendrecv_ssh_client_packets($1_ssh_t)
++	corenet_tcp_bind_all_nodes($1_ssh_t)
 +	corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
  
  	dev_read_urand($1_ssh_t)
  
-@@ -212,7 +216,7 @@
+@@ -212,7 +217,7 @@
  
  	ssh_basic_client_template($1, $2, $3)
  
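Review bot: The added `corenet_tcp_bind_all_nodes($1_ssh_t)` in the nested `@@ -115,6 +118,8 @@` hunk of ssh.if carries no comment on why every per-role ssh client domain needs to bind on all nodes. Paired with the existing `corenet_tcp_bind_all_unreserved_ports($1_ssh_t)` it lets the client open listening TCP sockets on any local address and any unreserved port. That is presumably for port forwarding, but this is inferred from the two lines, not stated in the patch. I would put a line such as `# ssh client may listen on local ports for port forwarding` above the pair, and consider making the grant conditional on a boolean so that restricted roles do not get it by default. The template these lines belong to starts and ends outside this hunk.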
@@ -26677,7 +26678,7 @@
  
  	type $1_ssh_agent_t;
  	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
-@@ -240,9 +244,9 @@
+@@ -240,9 +245,9 @@
  	manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
  	fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
  
@@ -26690,7 +26691,7 @@
  
  	# Allow the ssh program to communicate with ssh-agent.
  	stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-@@ -254,6 +258,8 @@
+@@ -254,6 +259,8 @@
  	userdom_use_unpriv_users_fds($1_ssh_t)
  	userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
  	userdom_search_user_home_dirs($1,$1_ssh_t)
@@ -26699,7 +26700,7 @@
  	# Write to the user domain tty.
  	userdom_use_user_terminals($1,$1_ssh_t)
  	# needs to read krb tgt
-@@ -282,21 +288,10 @@
+@@ -282,21 +289,10 @@
  	')
  
  	optional_policy(`
@@ -26722,7 +26723,7 @@
  	##############################
  	#
  	# $1_ssh_agent_t local policy
-@@ -383,10 +378,6 @@
+@@ -383,10 +379,6 @@
  		xserver_rw_xdm_pipes($1_ssh_agent_t)
  	')
  
@@ -26733,7 +26734,7 @@
  	##############################
  	#
  	# $1_ssh_keysign_t local policy
-@@ -413,6 +404,25 @@
+@@ -413,6 +405,25 @@
  	')
  ')
  
@@ -26759,7 +26760,7 @@
  #######################################
  ## <summary>
  ##	The template to define a ssh server.
-@@ -443,13 +453,14 @@
+@@ -443,13 +454,14 @@
  	type $1_var_run_t;
  	files_pid_file($1_var_run_t)
  
@@ -26775,7 +26776,7 @@
  
  	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
  	term_create_pty($1_t,$1_devpts_t)
-@@ -479,6 +490,10 @@
+@@ -479,6 +491,10 @@
  	corenet_tcp_bind_ssh_port($1_t)
  	corenet_tcp_connect_all_ports($1_t)
  	corenet_sendrecv_ssh_server_packets($1_t)
@@ -26786,7 +26787,7 @@
  
  	fs_dontaudit_getattr_all_fs($1_t)
  
-@@ -506,9 +521,14 @@
+@@ -506,9 +522,14 @@
  
  	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
  	userdom_search_all_users_home_dirs($1_t)
@@ -26801,7 +26802,7 @@
  	')
  
  	tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +537,7 @@
+@@ -517,11 +538,7 @@
  
  	optional_policy(`
  		kerberos_use($1_t)
@@ -26814,7 +26815,7 @@
  	')
  
  	optional_policy(`
-@@ -710,3 +726,22 @@
+@@ -710,3 +727,22 @@
  
  	dontaudit $1 sshd_key_t:file { getattr read };
  ')



