rpms/selinux-policy/F-11 modules-targeted.conf, 1.125, 1.126 policy-20090105.patch, 1.111, 1.112 selinux-policy.spec, 1.848, 1.849
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Apr 30 22:22:24 UTC 2009
- Previous message (by thread): rpms/selinux-policy/devel modules-targeted.conf, 1.125, 1.126 policy-20090105.patch, 1.105, 1.106 selinux-policy.spec, 1.842, 1.843
- Next message (by thread): rpms/qdevelop/F-11 qdevelop-0.27.4-qt451.patch, NONE, 1.1 qdevelop.spec, 1.7, 1.8
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7834
Modified Files:
modules-targeted.conf policy-20090105.patch
selinux-policy.spec
Log Message:
* Thu Apr 30 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-26
- Add shorewall policy
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/modules-targeted.conf,v
retrieving revision 1.125
retrieving revision 1.126
diff -u -p -r1.125 -r1.126
--- modules-targeted.conf 28 Apr 2009 20:09:25 -0000 1.125
+++ modules-targeted.conf 30 Apr 2009 22:21:52 -0000 1.126
@@ -1179,20 +1179,6 @@ rsync = module
rwho = module
# Layer: services
-# Module: sasl
-#
-# SASL authentication server
-#
-sasl = module
-
-# Layer: services
-# Module: sendmail
-#
-# Policy for sendmail.
-#
-sendmail = base
-
-# Layer: services
# Module: samba
#
# SMB and CIFS client/server programs for UNIX and
@@ -1208,6 +1194,13 @@ samba = module
#
sambagui = module
+# Layer: services
+# Module: sasl
+#
+# SASL authentication server
+#
+sasl = module
+
# Layer: apps
# Module: screen
#
@@ -1230,6 +1223,20 @@ selinux = base
#
selinuxutil = base
+# Layer: services
+# Module: sendmail
+#
+# Policy for sendmail.
+#
+sendmail = base
+
+# Layer: services
+# Module: shorewall
+#
+# Policy for shorewall
+#
+shorewall = base
+
# Layer: system
# Module: setrans
# Required in base
policy-20090105.patch:
Index: policy-20090105.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090105.patch,v
retrieving revision 1.111
retrieving revision 1.112
diff -u -p -r1.111 -r1.112
--- policy-20090105.patch 30 Apr 2009 11:51:03 -0000 1.111
+++ policy-20090105.patch 30 Apr 2009 22:21:52 -0000 1.112
@@ -788,7 +788,7 @@ diff -b -B --ignore-all-space --exclude-
-/usr/sbin/readahead -- gen_context(system_u:object_r:readahead_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/readahead.te serefpolicy-3.6.12/policy/modules/admin/readahead.te
--- nsaserefpolicy/policy/modules/admin/readahead.te 2009-01-05 15:39:44.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-28 15:47:35.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/admin/readahead.te 2009-04-30 14:18:18.000000000 -0400
@@ -11,8 +11,8 @@
init_daemon_domain(readahead_t, readahead_exec_t)
application_domain(readahead_t, readahead_exec_t)
@@ -820,7 +820,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(readahead_t)
kernel_dontaudit_getattr_core_if(readahead_t)
-@@ -46,6 +49,7 @@
+@@ -46,10 +49,12 @@
storage_raw_read_fixed_disk(readahead_t)
domain_use_interactive_fds(readahead_t)
@@ -828,7 +828,12 @@ diff -b -B --ignore-all-space --exclude-
files_dontaudit_getattr_all_sockets(readahead_t)
files_list_non_security(readahead_t)
-@@ -58,6 +62,7 @@
+ files_read_non_security_files(readahead_t)
++files_dontaudit_getattr_non_security_blk_files(readahead_t)
+
+ fs_getattr_all_fs(readahead_t)
+ fs_search_auto_mountpoints(readahead_t)
+@@ -58,6 +63,7 @@
fs_dontaudit_search_ramfs(readahead_t)
fs_dontaudit_read_ramfs_pipes(readahead_t)
fs_dontaudit_read_ramfs_files(readahead_t)
@@ -836,7 +841,7 @@ diff -b -B --ignore-all-space --exclude-
fs_read_tmpfs_symlinks(readahead_t)
fs_list_inotifyfs(readahead_t)
-@@ -72,6 +77,7 @@
+@@ -72,6 +78,7 @@
init_getattr_initctl(readahead_t)
logging_send_syslog_msg(readahead_t)
@@ -4847,7 +4852,7 @@ diff -b -B --ignore-all-space --exclude-
+corecmd_executable_file(wm_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc
--- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2009-03-05 10:34:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/corecommands.fc 2009-04-30 08:31:43.000000000 -0400
@@ -32,6 +32,8 @@
#
# /etc
@@ -4866,7 +4871,15 @@ diff -b -B --ignore-all-space --exclude-
#
# /usr
#
-@@ -299,3 +303,20 @@
+@@ -210,6 +214,7 @@
+ /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
++/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+@@ -299,3 +304,20 @@
ifdef(`distro_suse',`
/var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0)
')
@@ -5388,7 +5401,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/nfs/rpc_pipefs(/.*)? <<none>>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.12/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-01-05 15:39:38.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/kernel/files.if 2009-04-30 14:18:05.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -10372,7 +10385,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.6.12/policy/modules/services/consolekit.te
--- nsaserefpolicy/policy/modules/services/consolekit.te 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-29 13:51:27.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/consolekit.te 2009-04-30 17:45:01.000000000 -0400
@@ -13,6 +13,9 @@
type consolekit_var_run_t;
files_pid_file(consolekit_var_run_t)
@@ -10451,7 +10464,7 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
unconfined_dbus_chat(consolekit_t)
-@@ -61,6 +94,32 @@
+@@ -61,6 +94,33 @@
')
optional_policy(`
@@ -10466,6 +10479,7 @@ diff -b -B --ignore-all-space --exclude-
xserver_stream_connect(consolekit_t)
+ xserver_ptrace_xdm(consolekit_t)
+ xserver_common_app(consolekit_t)
++ corenet_tcp_connect_xserver_port(consolekit_t)
+')
+
+optional_policy(`
@@ -14990,8 +15004,8 @@ diff -b -B --ignore-all-space --exclude-
cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.6.12/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-29 10:14:21.000000000 -0400
-@@ -1,6 +1,10 @@
++++ serefpolicy-3.6.12/policy/modules/services/milter.fc 2009-04-30 17:48:59.000000000 -0400
+@@ -1,6 +1,15 @@
-/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
-/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
@@ -15004,6 +15018,11 @@ diff -b -B --ignore-all-space --exclude-
+/var/lib/miltermilter.* gen_context(system_u:object_r:spamass_milter_state_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
++/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
++
++/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.6.12/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 2008-11-25 09:01:08.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/milter.if 2009-04-24 13:45:41.000000000 -0400
@@ -15043,7 +15062,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.6.12/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te 2008-11-25 09:01:08.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-24 08:31:02.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/milter.te 2009-04-30 18:09:54.000000000 -0400
@@ -14,6 +14,12 @@
milter_template(regex)
milter_template(spamass)
@@ -15068,6 +15087,47 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_system_state(spamass_milter_t)
# When used with -b or -B options, the milter invokes sendmail to send mail
+@@ -53,3 +63,40 @@
+
+ # The main job of the milter is to pipe spam through spamc and act on the result
+ spamassassin_domtrans_client(spamass_milter_t)
++
++########################################
++#
++# milter-greylist Declarations
++#
++
++milter_template(greylist)
++
++########################################
++#
++# milter-greylist local policy
++# ensure smtp clients retry mail like real MTAs and not spamware
++# http://hcpnet.free.fr/milter-greylist/
++#
++
++# Look up username for dropping privs
++auth_use_nsswitch(greylist_milter_t)
++
++# It creates a pid file /var/run/milter-greylist.pid
++files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
++
++# It removes any existing socket (not owned by root) whilst running as root,
++# fixes permissions, renices itself and then calls setgid() and setuid() to
++# drop privileges
++kernel_read_kernel_sysctls(greylist_milter_t)
++allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
++allow greylist_milter_t self:process { setsched getsched };
++
++# Allow the milter to read a GeoIP database in /usr/share
++files_read_usr_files(greylist_milter_t)
++
++# The milter runs from /var/lib/milter-greylist and maintains files there
++files_search_var_lib(greylist_milter_t);
++
++# Config is in /etc/mail/greylist.conf
++mta_read_config(greylist_milter_t)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.12/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/services/mta.fc 2009-04-23 09:44:57.000000000 -0400
@@ -15103,7 +15163,7 @@ diff -b -B --ignore-all-space --exclude-
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.12/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/mta.if 2009-04-30 08:19:03.000000000 -0400
@@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t)
')
@@ -15112,7 +15172,7 @@ diff -b -B --ignore-all-space --exclude-
+ exim_read_log($1_mail_t)
+ exim_append_log($1_mail_t)
+ exim_manage_spool_files($1_mail_t)
-+')
++ ')
+
+ optional_policy(`
+ uucp_manage_spool($1_mail_t)
@@ -21425,7 +21485,7 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-29 13:03:31.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-04-30 08:12:22.000000000 -0400
@@ -89,7 +89,7 @@
type sendmail_t;
')
@@ -21886,6 +21946,298 @@ diff -b -B --ignore-all-space --exclude-
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.fc serefpolicy-3.6.12/policy/modules/services/shorewall.fc
+--- nsaserefpolicy/policy/modules/services/shorewall.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/shorewall.fc 2009-04-30 08:33:41.000000000 -0400
+@@ -0,0 +1,12 @@
++
++/etc/rc\.d/init\.d/shorewall -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
++/etc/rc\.d/init\.d/shorewall-lite -- gen_context(system_u:object_r:shorewall_initrc_exec_t,s0)
++
++/etc/shorewall(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
++/etc/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_etc_t,s0)
++
++/sbin/shorewall -- gen_context(system_u:object_r:shorewall_exec_t,s0)
++/sbin/shorewall-lite -- gen_context(system_u:object_r:shorewall_exec_t,s0)
++
++/var/lib/shorewall(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
++/var/lib/shorewall-lite(/.*)? gen_context(system_u:object_r:shorewall_var_lib_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.if serefpolicy-3.6.12/policy/modules/services/shorewall.if
+--- nsaserefpolicy/policy/modules/services/shorewall.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/shorewall.if 2009-04-30 08:29:56.000000000 -0400
+@@ -0,0 +1,166 @@
++## <summary>policy for shorewall</summary>
++
++########################################
++## <summary>
++## Execute a domain transition to run shorewall.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`shorewall_domtrans',`
++ gen_require(`
++ type shorewall_t;
++ type shorewall_exec_t;
++ ')
++
++ domtrans_pattern($1, shorewall_exec_t, shorewall_t)
++')
++
++#######################################
++## <summary>
++## Read shorewall etc configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`shorewall_read_etc',`
++ gen_require(`
++ type shorewall_etc_t;
++ ')
++
++ files_search_etc($1)
++ read_files_pattern($1, shorewall_etc_t, shorewall_etc_t)
++')
++
++#######################################
++## <summary>
++## Read shorewall PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`shorewall_read_pid_files',`
++ gen_require(`
++ type shorewall_var_run_t;
++ ')
++
++ files_search_pids($1)
++ read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
++')
++
++#######################################
++## <summary>
++## Read and write shorewall PID files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`shorewall_rw_pid_files',`
++ gen_require(`
++ type shorewall_var_run_t;
++ ')
++
++ files_search_pids($1)
++ rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
++')
++
++######################################
++## <summary>
++## Read shorewall /var/lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`shorewall_read_var_lib',`
++ gen_require(`
++ type shorewall_t;
++ ')
++
++ files_search_var_lib($1)
++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++ read_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++')
++
++#######################################
++## <summary>
++## Read and write shorewall /var/lib files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`shorewall_rw_var_lib',`
++ gen_require(`
++ type shorewall_t;
++ ')
++
++ files_search_var_lib($1)
++ search_dirs_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++ rw_files_pattern($1, shorewall_var_lib_t, shorewall_var_lib_t)
++')
++
++#######################################
++## <summary>
++## All of the rules required to administrate
++## an shorewall environment
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## The role to be allowed to manage the syslog domain.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`shorewall_admin',`
++ gen_require(`
++ type shorewall_t, shorewall_var_run_t, shorewall_lock_t;
++ type shorewall_initrc_exec_t, shorewall_var_lib_t;
++ type shorewall_tmp_t;
++ ')
++
++ allow $1 shorewall_t:process { ptrace signal_perms };
++ ps_process_pattern($1, shorewall_t)
++
++ init_labeled_script_domtrans($1, shorewall_initrc_exec_t)
++ domain_system_change_exemption($1)
++ role_transition $2 shorewall_initrc_exec_t system_r;
++ allow $2 system_r;
++
++ files_search_etc($1)
++ admin_pattern($1, shorewall_etc_t)
++
++ files_search_locks($1)
++ admin_pattern($1, shorewall_lock_t)
++
++ files_search_pids($1)
++ admin_pattern($1, shorewall_var_run_t)
++
++ files_search_var_lib($1)
++ admin_pattern($1, shorewall_var_lib_t)
++
++ files_search_tmp($1)
++ admin_pattern($1, shorewall_tmp_t)
++')
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/shorewall.te serefpolicy-3.6.12/policy/modules/services/shorewall.te
+--- nsaserefpolicy/policy/modules/services/shorewall.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.6.12/policy/modules/services/shorewall.te 2009-04-30 08:29:56.000000000 -0400
+@@ -0,0 +1,102 @@
++policy_module(shorewall,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type shorewall_t;
++type shorewall_exec_t;
++init_daemon_domain(shorewall_t, shorewall_exec_t)
++
++type shorewall_initrc_exec_t;
++init_script_file(shorewall_initrc_exec_t)
++
++# etc files
++type shorewall_etc_t;
++files_config_file(shorewall_etc_t)
++
++# lock files
++type shorewall_lock_t;
++files_lock_file(shorewall_lock_t)
++
++# tmp files
++type shorewall_tmp_t;
++files_tmp_file(shorewall_tmp_t)
++
++# var/lib files
++type shorewall_var_lib_t;
++files_type(shorewall_var_lib_t)
++
++########################################
++#
++# shorewall local policy
++#
++
++allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace};
++dontaudit shorewall_t self:capability sys_tty_config;
++
++allow shorewall_t self:fifo_file rw_fifo_file_perms;
++
++# etc file
++read_files_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
++list_dirs_pattern(shorewall_t, shorewall_etc_t, shorewall_etc_t)
++
++# lock files
++manage_files_pattern(shorewall_t,shorewall_lock_t,shorewall_lock_t)
++files_lock_filetrans(shorewall_t, shorewall_lock_t, file)
++
++# var/lib files for shorewall
++exec_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
++manage_dirs_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
++manage_files_pattern(shorewall_t,shorewall_var_lib_t,shorewall_var_lib_t)
++files_var_lib_filetrans(shorewall_t,shorewall_var_lib_t, { dir file })
++
++# tmp files for shorewall
++manage_dirs_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
++manage_files_pattern(shorewall_t,shorewall_tmp_t,shorewall_tmp_t)
++files_tmp_filetrans(shorewall_t, shorewall_tmp_t, { file dir })
++
++kernel_read_kernel_sysctls(shorewall_t)
++kernel_read_system_state(shorewall_t)
++kernel_read_network_state(shorewall_t)
++kernel_rw_net_sysctls(shorewall_t)
++
++corecmd_exec_bin(shorewall_t)
++corecmd_exec_shell(shorewall_t)
++
++dev_read_urand(shorewall_t)
++
++fs_getattr_all_fs(shorewall_t)
++
++domain_read_all_domains_state(shorewall_t)
++
++files_getattr_kernel_modules(shorewall_t)
++files_read_etc_files(shorewall_t)
++files_read_usr_files(shorewall_t)
++files_search_kernel_modules(shorewall_t)
++
++init_rw_utmp(shorewall_t)
++
++libs_use_ld_so(shorewall_t)
++libs_use_shared_libs(shorewall_t)
++
++logging_send_syslog_msg(shorewall_t)
++
++miscfiles_read_localization(shorewall_t)
++
++userdom_dontaudit_list_admin_dir(shorewall_t)
++
++sysnet_domtrans_ifconfig(shorewall_t)
++iptables_domtrans(shorewall_t)
++
++optional_policy(`
++ modutils_domtrans_insmod(shorewall_t)
++')
++
++optional_policy(`
++ ulogd_search_log(shorewall_t)
++')
++
++permissive shorewall_t;
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.6.12/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.12/policy/modules/services/smartmon.te 2009-04-23 09:44:57.000000000 -0400
@@ -22122,7 +22474,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-27 11:45:25.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-04-30 08:12:59.000000000 -0400
@@ -20,6 +20,35 @@
## </desc>
gen_tunable(spamd_enable_home_dirs, true)
@@ -22178,7 +22530,15 @@ diff -b -B --ignore-all-space --exclude-
type spamd_spool_t;
files_type(spamd_spool_t)
-@@ -159,6 +195,7 @@
+@@ -110,6 +146,7 @@
+ dev_read_urand(spamassassin_t)
+
+ fs_search_auto_mountpoints(spamassassin_t)
++fs_getattr_all_fs(spamassassin_t)
+
+ # this should probably be removed
+ corecmd_list_bin(spamassassin_t)
+@@ -159,6 +196,7 @@
corenet_udp_sendrecv_all_ports(spamassassin_t)
corenet_tcp_connect_all_ports(spamassassin_t)
corenet_sendrecv_all_client_packets(spamassassin_t)
@@ -22186,7 +22546,15 @@ diff -b -B --ignore-all-space --exclude-
sysnet_read_config(spamassassin_t)
')
-@@ -216,16 +253,32 @@
+@@ -195,6 +233,7 @@
+ optional_policy(`
+ mta_read_config(spamassassin_t)
+ sendmail_stub(spamassassin_t)
++ sendmail_rw_unix_stream_sockets(spamassassin_t)
+ ')
+
+ ########################################
+@@ -216,16 +255,32 @@
allow spamc_t self:unix_stream_socket connectto;
allow spamc_t self:tcp_socket create_stream_socket_perms;
allow spamc_t self:udp_socket create_socket_perms;
@@ -22219,7 +22587,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_all_recvfrom_unlabeled(spamc_t)
corenet_all_recvfrom_netlabel(spamc_t)
-@@ -239,6 +292,7 @@
+@@ -239,6 +294,7 @@
corenet_sendrecv_all_client_packets(spamc_t)
fs_search_auto_mountpoints(spamc_t)
@@ -22227,7 +22595,7 @@ diff -b -B --ignore-all-space --exclude-
# cjp: these should probably be removed:
corecmd_list_bin(spamc_t)
-@@ -255,9 +309,15 @@
+@@ -255,9 +311,15 @@
files_dontaudit_search_var(spamc_t)
# cjp: this may be removable:
files_list_home(spamc_t)
@@ -22243,7 +22611,7 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(spamc_t)
# cjp: this should probably be removed:
-@@ -265,13 +325,16 @@
+@@ -265,13 +327,16 @@
sysnet_read_config(spamc_t)
@@ -22267,7 +22635,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -280,16 +343,21 @@
+@@ -280,16 +345,21 @@
')
optional_policy(`
@@ -22291,7 +22659,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -301,7 +369,7 @@
+@@ -301,7 +371,7 @@
# setuids to the user running spamc. Comment this if you are not
# using this ability.
@@ -22300,7 +22668,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit spamd_t self:capability sys_tty_config;
allow spamd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow spamd_t self:fd use;
-@@ -317,10 +385,13 @@
+@@ -317,10 +387,13 @@
allow spamd_t self:unix_stream_socket connectto;
allow spamd_t self:tcp_socket create_stream_socket_perms;
allow spamd_t self:udp_socket create_socket_perms;
@@ -22315,7 +22683,7 @@ diff -b -B --ignore-all-space --exclude-
files_spool_filetrans(spamd_t, spamd_spool_t, { file dir })
manage_dirs_pattern(spamd_t, spamd_tmp_t, spamd_tmp_t)
-@@ -329,10 +400,11 @@
+@@ -329,10 +402,11 @@
# var/lib files for spamd
allow spamd_t spamd_var_lib_t:dir list_dir_perms;
@@ -22328,7 +22696,7 @@ diff -b -B --ignore-all-space --exclude-
files_pid_filetrans(spamd_t, spamd_var_run_t, { dir file })
kernel_read_all_sysctls(spamd_t)
-@@ -382,22 +454,27 @@
+@@ -382,22 +456,27 @@
init_dontaudit_rw_utmp(spamd_t)
@@ -22360,7 +22728,7 @@ diff -b -B --ignore-all-space --exclude-
fs_manage_cifs_files(spamd_t)
')
-@@ -415,6 +492,7 @@
+@@ -415,6 +494,7 @@
optional_policy(`
dcc_domtrans_client(spamd_t)
@@ -22368,7 +22736,7 @@ diff -b -B --ignore-all-space --exclude-
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -424,10 +502,6 @@
+@@ -424,10 +504,6 @@
')
optional_policy(`
@@ -22379,7 +22747,7 @@ diff -b -B --ignore-all-space --exclude-
postfix_read_config(spamd_t)
')
-@@ -442,6 +516,10 @@
+@@ -442,6 +518,10 @@
optional_policy(`
razor_domtrans(spamd_t)
@@ -22390,7 +22758,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -454,5 +532,9 @@
+@@ -454,5 +534,9 @@
')
optional_policy(`
@@ -23312,8 +23680,8 @@ diff -b -B --ignore-all-space --exclude-
+/var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ulogd.if serefpolicy-3.6.12/policy/modules/services/ulogd.if
--- nsaserefpolicy/policy/modules/services/ulogd.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-23 09:44:57.000000000 -0400
-@@ -0,0 +1,127 @@
++++ serefpolicy-3.6.12/policy/modules/services/ulogd.if 2009-04-30 08:29:56.000000000 -0400
+@@ -0,0 +1,146 @@
+## <summary>policy for ulogd</summary>
+
+########################################
@@ -23378,6 +23746,25 @@ diff -b -B --ignore-all-space --exclude-
+ read_files_pattern($1, ulogd_var_log_t, ulogd_var_log_t)
+')
+
++#######################################
++## <summary>
++## Allow the specified domain to search ulogd's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`ulogd_search_log',`
++ gen_require(`
++ type ulogd_var_log_t;
++ ')
++
++ logging_search_logs($1)
++ allow $1 ulogd_var_log_t:dir search_dir_perms;
++')
++
+########################################
+## <summary>
+## Allow the specified domain to append to ulogd's log files.
@@ -23693,7 +24080,7 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.12/policy/modules/services/virt.te
--- nsaserefpolicy/policy/modules/services/virt.te 2009-01-19 11:06:49.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-27 11:40:19.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/virt.te 2009-04-30 18:07:51.000000000 -0400
@@ -8,19 +8,24 @@
## <desc>
@@ -23905,11 +24292,14 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -198,5 +272,80 @@
- ')
+@@ -195,8 +269,84 @@
- optional_policy(`
-- unconfined_domain(virtd_t)
+ xen_stream_connect(virtd_t)
+ xen_stream_connect_xenstore(virtd_t)
++ xen_read_image_files(virtd_t)
++')
++
++optional_policy(`
+ udev_domtrans(virtd_t)
+')
+
@@ -23982,9 +24372,10 @@ diff -b -B --ignore-all-space --exclude-
+
+optional_policy(`
+ xen_rw_image_files(svirt_t)
-+')
-+
-+optional_policy(`
+ ')
+
+ optional_policy(`
+- unconfined_domain(virtd_t)
+ xen_rw_image_files(svirt_t)
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/w3c.te serefpolicy-3.6.12/policy/modules/services/w3c.te
@@ -24081,7 +24472,7 @@ diff -b -B --ignore-all-space --exclude-
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.6.12/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/services/xserver.if 2009-04-30 17:44:47.000000000 -0400
@@ -90,7 +90,7 @@
allow $2 xauth_home_t:file manage_file_perms;
allow $2 xauth_home_t:file { relabelfrom relabelto };
@@ -26711,8 +27102,8 @@ diff -b -B --ignore-all-space --exclude-
dev_read_urand(racoon_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.6.12/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2009-04-06 12:42:08.000000000 -0400
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-23 09:44:57.000000000 -0400
-@@ -1,9 +1,12 @@
++++ serefpolicy-3.6.12/policy/modules/system/iptables.fc 2009-04-30 08:29:56.000000000 -0400
+@@ -1,9 +1,11 @@
/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
-/sbin/iptables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
@@ -26727,7 +27118,7 @@ diff -b -B --ignore-all-space --exclude-
+/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
- /var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
+-/var/lib/shorewall(/.*)? -- gen_context(system_u:object_r:iptables_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2009-04-06 12:42:08.000000000 -0400
+++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2009-04-23 09:44:57.000000000 -0400
@@ -28774,7 +29165,7 @@ diff -b -B --ignore-all-space --exclude-
+/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.6.12/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.if 2009-04-30 18:03:37.000000000 -0400
@@ -43,6 +43,39 @@
sysnet_domtrans_dhcpc($1)
@@ -28945,7 +29336,7 @@ diff -b -B --ignore-all-space --exclude-
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.6.12/policy/modules/system/sysnetwork.te
--- nsaserefpolicy/policy/modules/system/sysnetwork.te 2009-01-19 11:07:34.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/modules/system/sysnetwork.te 2009-04-30 18:03:46.000000000 -0400
@@ -20,6 +20,9 @@
init_daemon_domain(dhcpc_t,dhcpc_exec_t)
role system_r types dhcpc_t;
@@ -28983,16 +29374,17 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern(dhcpc_t,dhcpc_state_t,dhcpc_state_t)
filetrans_pattern(dhcpc_t,dhcp_state_t,dhcpc_state_t,file)
-@@ -65,7 +69,7 @@
+@@ -65,7 +69,8 @@
# Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
# in /etc created by dhcpcd will be labelled net_conf_t.
-allow dhcpc_t net_conf_t:file manage_file_perms;
+sysnet_manage_config(dhcpc_t)
++allow dhcpc_t net_conf_t:file relabel_file_perms;
files_etc_filetrans(dhcpc_t,net_conf_t,file)
# create temp files
-@@ -116,7 +120,7 @@
+@@ -116,7 +121,7 @@
corecmd_exec_shell(dhcpc_t)
domain_use_interactive_fds(dhcpc_t)
@@ -29001,7 +29393,7 @@ diff -b -B --ignore-all-space --exclude-
files_read_etc_files(dhcpc_t)
files_read_etc_runtime_files(dhcpc_t)
-@@ -183,25 +187,23 @@
+@@ -183,25 +188,23 @@
')
optional_policy(`
@@ -29035,7 +29427,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -212,6 +214,7 @@
+@@ -212,6 +215,7 @@
optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
@@ -29043,7 +29435,7 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
-@@ -223,6 +226,10 @@
+@@ -223,6 +227,10 @@
')
optional_policy(`
@@ -29054,7 +29446,7 @@ diff -b -B --ignore-all-space --exclude-
kernel_read_xen_state(dhcpc_t)
kernel_write_xen_state(dhcpc_t)
xen_append_log(dhcpc_t)
-@@ -236,7 +243,6 @@
+@@ -236,7 +244,6 @@
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
@@ -29062,7 +29454,7 @@ diff -b -B --ignore-all-space --exclude-
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
-@@ -250,6 +256,7 @@
+@@ -250,6 +257,7 @@
allow ifconfig_t self:sem create_sem_perms;
allow ifconfig_t self:msgq create_msgq_perms;
allow ifconfig_t self:msg { send receive };
@@ -29070,7 +29462,7 @@ diff -b -B --ignore-all-space --exclude-
# Create UDP sockets, necessary when called from dhcpc
allow ifconfig_t self:udp_socket create_socket_perms;
-@@ -259,13 +266,20 @@
+@@ -259,13 +267,20 @@
allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
allow ifconfig_t self:tcp_socket { create ioctl };
@@ -29091,7 +29483,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_rw_tun_tap_dev(ifconfig_t)
-@@ -276,8 +290,13 @@
+@@ -276,8 +291,13 @@
fs_getattr_xattr_fs(ifconfig_t)
fs_search_auto_mountpoints(ifconfig_t)
@@ -29105,7 +29497,7 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(ifconfig_t)
-@@ -296,6 +315,8 @@
+@@ -296,6 +316,8 @@
seutil_use_runinit_fds(ifconfig_t)
@@ -29114,7 +29506,7 @@ diff -b -B --ignore-all-space --exclude-
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
-@@ -332,6 +353,14 @@
+@@ -332,6 +354,14 @@
')
optional_policy(`
@@ -32215,8 +32607,17 @@ diff -b -B --ignore-all-space --exclude-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-3.6.12/policy/modules/system/xen.if
--- nsaserefpolicy/policy/modules/system/xen.if 2009-01-05 15:39:43.000000000 -0500
-+++ serefpolicy-3.6.12/policy/modules/system/xen.if 2009-04-23 09:44:57.000000000 -0400
-@@ -167,11 +167,14 @@
++++ serefpolicy-3.6.12/policy/modules/system/xen.if 2009-04-30 18:08:14.000000000 -0400
+@@ -71,6 +71,8 @@
+ ')
+
+ files_list_var_lib($1)
++
++ list_dirs_pattern($1, xend_var_lib_t, xend_var_lib_t)
+ read_files_pattern($1,{ xend_var_lib_t xen_image_t },xen_image_t)
+ ')
+
+@@ -167,11 +169,14 @@
#
interface(`xen_stream_connect',`
gen_require(`
@@ -32232,7 +32633,7 @@ diff -b -B --ignore-all-space --exclude-
')
########################################
-@@ -191,3 +194,46 @@
+@@ -191,3 +196,46 @@
domtrans_pattern($1,xm_exec_t,xm_t)
')
@@ -32571,7 +32972,7 @@ diff -b -B --ignore-all-space --exclude-
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.12/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2009-03-12 11:16:47.000000000 -0400
-+++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-23 09:44:57.000000000 -0400
++++ serefpolicy-3.6.12/policy/support/obj_perm_sets.spt 2009-04-30 18:02:45.000000000 -0400
@@ -225,7 +225,7 @@
define(`create_lnk_file_perms',`{ create getattr }')
define(`rename_lnk_file_perms',`{ getattr rename }')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.848
retrieving revision 1.849
diff -u -p -r1.848 -r1.849
--- selinux-policy.spec 30 Apr 2009 11:51:04 -0000 1.848
+++ selinux-policy.spec 30 Apr 2009 22:21:53 -0000 1.849
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 25%{?dist}
+Release: 26%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -480,7 +480,10 @@ exit 0
%endif
%changelog
-* Wed Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-25
+* Thu Apr 30 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-26
+- Add shorewall policy
+
+* Wed Apr 29 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-25
- Additional rules for fprintd and sssd
* Tue Apr 28 2009 Dan Walsh <dwalsh at redhat.com> 3.6.12-24
- Previous message (by thread): rpms/selinux-policy/devel modules-targeted.conf, 1.125, 1.126 policy-20090105.patch, 1.105, 1.106 selinux-policy.spec, 1.842, 1.843
- Next message (by thread): rpms/qdevelop/F-11 qdevelop-0.27.4-qt451.patch, NONE, 1.1 qdevelop.spec, 1.7, 1.8
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list