rpms/selinux-policy/F-10 policy-20080710.patch, 1.165, 1.166 selinux-policy.spec, 1.792, 1.793

Miroslav Grepl mgrepl at fedoraproject.org
Thu May 7 10:39:49 UTC 2009


Author: mgrepl

Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28410

Modified Files:
	policy-20080710.patch selinux-policy.spec 
Log Message:
- Fix /sbin/ip6tables-save context
- Fix milter policy



policy-20080710.patch:

Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.165
retrieving revision 1.166
diff -u -p -r1.165 -r1.166
--- policy-20080710.patch	24 Apr 2009 08:45:04 -0000	1.165
+++ policy-20080710.patch	7 May 2009 10:39:46 -0000	1.166
@@ -18892,16 +18892,23 @@ diff --exclude-from=exclude -N -u -r nsa
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.5.13/policy/modules/services/milter.fc
 --- nsaserefpolicy/policy/modules/services/milter.fc	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/milter.fc	2009-03-17 16:49:14.000000000 +0100
-@@ -0,0 +1,8 @@
++++ serefpolicy-3.5.13/policy/modules/services/milter.fc	2009-05-04 10:32:34.000000000 +0200
+@@ -0,0 +1,15 @@
 +
 +/usr/sbin/milter-regex				--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
 +/usr/sbin/spamass-milter			--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 +/var/lib/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_state_t,s0)
 +/var/run/spamass-milter(/.*)?				gen_context(system_u:object_r:spamass_milter_data_t,s0)
 +/var/run/spamass-milter\.pid			--	gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/milter.*                               --      gen_context(system_u:object_r:spamass_milter_data_t,s0)
 +
 +/var/spool/milter-regex(/.*)?				gen_context(system_u:object_r:regex_milter_data_t,s0)
++/usr/sbin/milter-greylist                       --      gen_context(system_u:object_r:greylist_milter_exec_t,s0)
++
++/var/lib/milter-greylist(/.*)?                          gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/run/milter-greylist(/.*)?                          gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/run/milter-greylist\.pid                   --      gen_context(system_u:object_r:greylist_milter_data_t,s0)
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.5.13/policy/modules/services/milter.if
 --- nsaserefpolicy/policy/modules/services/milter.if	1970-01-01 01:00:00.000000000 +0100
 +++ serefpolicy-3.5.13/policy/modules/services/milter.if	2009-04-24 10:10:52.000000000 +0200
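Review bot: The new `/var/run/milter.*  --  gen_context(system_u:object_r:spamass_milter_data_t,s0)` entry also matches `/var/run/milter-greylist.pid`, which the same hunk labels `greylist_milter_data_t`, so the greylist label depends on setfiles picking the more specific pattern rather than on the two entries being disjoint. Narrowing the wildcard to the file spamass-milter actually creates under /var/run would make the intent explicit; if that name is not fixed, a comment such as `# spamass-milter socket/pid created directly under /var/run` above the line would at least record why the broad pattern is needed. The greylist entries are also inserted under the milter-regex spool line and use spaces where the surrounding entries use tabs, so moving them into their own group would read better. They label /var/lib/milter-greylist with the runtime `greylist_milter_data_t` type, whereas spamass-milter keeps /var/lib under a separate `spamass_milter_state_t`; if milter_template(greylist) declares a `greylist_milter_state_t` as well, that would be the consistent choice for the persistent state directory.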
@@ -19012,8 +19019,8 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.5.13/policy/modules/services/milter.te
 --- nsaserefpolicy/policy/modules/services/milter.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/milter.te	2009-03-17 16:48:44.000000000 +0100
-@@ -0,0 +1,69 @@
++++ serefpolicy-3.5.13/policy/modules/services/milter.te	2009-05-04 10:31:04.000000000 +0200
+@@ -0,0 +1,107 @@
 +
 +policy_module(milter, 1.0.0)
 +
@@ -19083,6 +19090,44 @@ diff --exclude-from=exclude -N -u -r nsa
 +
 +# The main job of the milter is to pipe spam through spamc and act on the result
 +spamassassin_domtrans_spamc(spamass_milter_t)
++
++#######################################
++#
++# milter-greylist Declarations
++#
++
++milter_template(greylist)
++
++#######################################
++#
++# milter-greylist local policy
++#   ensure smtp clients retry mail like real MTAs and not spamware
++#   http://hcpnet.free.fr/milter-greylist/
++#
++
++# Look up username for dropping privs
++auth_use_nsswitch(greylist_milter_t)
++
++# It creates a pid file /var/run/milter-greylist.pid
++files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
++
++# It removes any existing socket (not owned by root) whilst running as root,
++# fixes permissions, renices itself and then calls setgid() and setuid() to
++# drop privileges
++kernel_read_kernel_sysctls(greylist_milter_t)
++allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
++allow greylist_milter_t self:process { setsched getsched };
++
++# Allow the milter to read a GeoIP database in /usr/share
++files_read_usr_files(greylist_milter_t)
++
++# The milter runs from /var/lib/milter-greylist and maintains files there
++files_search_var_lib(greylist_milter_t);
++
++# Config is in /etc/mail/greylist.conf
++mta_read_config(greylist_milter_t)
++
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc
 --- nsaserefpolicy/policy/modules/services/mta.fc	2008-10-17 14:49:11.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/mta.fc	2009-02-10 15:07:15.000000000 +0100
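Review bot: `files_search_var_lib(greylist_milter_t);` carries a trailing semicolon that no other interface call in this file has; depending on how the m4 expansion is parsed it leaves a stray `;` in the generated policy, so it should read `files_search_var_lib(greylist_milter_t)`. The comment above the capability rule justifies chown, setgid, setuid and sys_nice (removing the stale socket, fixing permissions, renicing, dropping privileges) but says nothing about `dac_override`, which is the broadest of the set; if it is only needed because the socket directory is not root-owned at startup, a comment saying so, or confirmation that it can be dropped, would help the next reviewer. The block also ends with two added blank lines before the mta.fc header, which the rest of the patch does not do.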
@@ -24827,8 +24872,20 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.13/policy/modules/services/privoxy.te
 --- nsaserefpolicy/policy/modules/services/privoxy.te	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/privoxy.te	2009-02-10 15:07:15.000000000 +0100
-@@ -10,6 +10,9 @@
++++ serefpolicy-3.5.13/policy/modules/services/privoxy.te	2009-04-29 11:29:29.000000000 +0200
+@@ -6,10 +6,21 @@
+ # Declarations
+ #
+ 
++## <desc>
++## <p>
++## Allow privoxy to connect to all ports, not just
++## HTTP, FTP, and Gopher ports.
++## </p>
++## </desc>
++gen_tunable(privoxy_connect_any, false)
++
+ type privoxy_t; # web_client_domain
  type privoxy_exec_t;
  init_daemon_domain(privoxy_t, privoxy_exec_t)
  
@@ -24838,7 +24895,7 @@ diff --exclude-from=exclude -N -u -r nsa
  type privoxy_etc_rw_t;
  files_type(privoxy_etc_rw_t)
  
-@@ -50,6 +53,7 @@
+@@ -50,6 +61,7 @@
  corenet_tcp_connect_http_port(privoxy_t)
  corenet_tcp_connect_http_cache_port(privoxy_t)
  corenet_tcp_connect_ftp_port(privoxy_t)
@@ -24846,6 +24903,18 @@ diff --exclude-from=exclude -N -u -r nsa
  corenet_tcp_connect_tor_port(privoxy_t)
  corenet_sendrecv_http_cache_client_packets(privoxy_t)
  corenet_sendrecv_http_cache_server_packets(privoxy_t)
+@@ -81,6 +93,11 @@
+ # cjp: this should really not be needed
+ sysadm_use_terms(privoxy_t)
+ 
++tunable_policy(`privoxy_connect_any',`
++	corenet_tcp_connect_all_ports(privoxy_t)
++	corenet_sendrecv_all_packets(privoxy_t)
++')
++
+ optional_policy(`
+ 	nis_use_ypbind(privoxy_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.13/policy/modules/services/procmail.fc
 --- nsaserefpolicy/policy/modules/services/procmail.fc	2008-10-17 14:49:13.000000000 +0200
 +++ serefpolicy-3.5.13/policy/modules/services/procmail.fc	2009-02-10 15:07:15.000000000 +0100
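Review bot: `corenet_sendrecv_all_packets(privoxy_t)` inside the new `tunable_policy` block grants both client- and server-side packet permissions, which is broader than the `corenet_tcp_connect_all_ports(privoxy_t)` it accompanies; the outbound counterpart `corenet_sendrecv_all_client_packets(privoxy_t)` matches what the boolean describes and the `corenet_sendrecv_http_cache_client_packets` style already used in this file. The boolean's `<desc>` in the earlier privoxy.te hunk says what `privoxy_connect_any` permits but not what it gives up; since the port list is the main thing confining privoxy's outbound connections, a line such as `## This removes the port-based restriction on where privoxy may forward requests.` inside the `<p>` would make the trade-off explicit. Keeping the default at false is the right choice.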
@@ -26131,7 +26200,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2009-04-23 09:19:05.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/rpc.te	2009-05-05 14:18:33.000000000 +0200
 @@ -23,7 +23,7 @@
  gen_tunable(allow_nfsd_anon_write, false)
  
@@ -26141,7 +26210,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  rpc_domain_template(gssd)
  
-@@ -68,11 +68,13 @@
+@@ -68,16 +68,20 @@
  # for rpc.rquotad
  kernel_read_sysctl(rpcd_t)  
  kernel_rw_fs_sysctls(rpcd_t)
@@ -26155,7 +26224,14 @@ diff --exclude-from=exclude -N -u -r nsa
  fs_list_rpc(rpcd_t)
  fs_read_rpc_files(rpcd_t)
  fs_read_rpc_symlinks(rpcd_t)
-@@ -101,6 +103,7 @@
+ fs_read_rpc_sockets(rpcd_t) 
+ 
++storage_getattr_fixed_disk_dev(rpcd_t)
++
+ selinux_dontaudit_read_fs(rpcd_t)
+ 
+ miscfiles_read_certs(rpcd_t)
+@@ -101,6 +105,7 @@
  # for /proc/fs/nfs/exports - should we have a new type?
  kernel_read_system_state(nfsd_t) 
  kernel_read_network_state(nfsd_t) 
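Review bot: `storage_getattr_fixed_disk_dev(rpcd_t)` is added without a comment, while the rules around it are annotated (`# for rpc.rquotad`, `# for /proc/fs/nfs/exports`); stat access on fixed-disk device nodes is a broader grant than the `fs_*_rpc_*` rules beside it, so the reason belongs in the file. Going by the `# for rpc.rquotad` comment above, something like `# rquotad stats the block devices backing quota-enabled filesystems -- confirm` is my guess, but the author should replace it with the actual denial that prompted the rule. The rpcd_t section starts above this hunk.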
@@ -26163,7 +26239,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -116,6 +119,7 @@
+@@ -116,6 +121,7 @@
  # cjp: this should really have its own type
  files_manage_mounttab(rpcd_t)
  
@@ -26171,7 +26247,7 @@ diff --exclude-from=exclude -N -u -r nsa
  fs_mount_nfsd_fs(nfsd_t) 
  fs_search_nfsd_fs(nfsd_t) 
  fs_getattr_all_fs(nfsd_t) 
-@@ -123,6 +127,7 @@
+@@ -123,6 +129,7 @@
  fs_rw_nfsd_fs(nfsd_t) 
  
  storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -26179,7 +26255,7 @@ diff --exclude-from=exclude -N -u -r nsa
  
  # Read access to public_content_t and public_content_rw_t
  miscfiles_read_public_files(nfsd_t)
-@@ -133,13 +138,22 @@
+@@ -133,13 +140,22 @@
  ') 
  
  tunable_policy(`nfs_export_all_rw',`
@@ -26203,7 +26279,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  ########################################
-@@ -162,6 +176,7 @@
+@@ -162,6 +178,7 @@
  
  corecmd_exec_bin(gssd_t)
  
@@ -26211,7 +26287,7 @@ diff --exclude-from=exclude -N -u -r nsa
  fs_list_rpc(gssd_t) 
  fs_read_rpc_sockets(gssd_t) 
  fs_read_rpc_files(gssd_t) 
-@@ -170,9 +185,14 @@
+@@ -170,9 +187,14 @@
  files_read_usr_symlinks(gssd_t) 
  
  auth_use_nsswitch(gssd_t)
@@ -26226,7 +26302,7 @@ diff --exclude-from=exclude -N -u -r nsa
  tunable_policy(`allow_gssd_read_tmp',`
  	userdom_list_unpriv_users_tmp(gssd_t) 
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
-@@ -180,8 +200,7 @@
+@@ -180,8 +202,7 @@
  ')
  
  optional_policy(`
@@ -28664,7 +28740,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te	2009-04-24 10:11:36.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te	2009-04-27 10:20:11.000000000 +0200
 @@ -21,16 +21,24 @@
  gen_tunable(spamd_enable_home_dirs, true)
  
@@ -28848,7 +28924,7 @@ diff --exclude-from=exclude -N -u -r nsa
  ')
  
  optional_policy(`
-@@ -211,5 +261,141 @@
+@@ -211,5 +261,142 @@
  ')
  
  optional_policy(`
@@ -28906,6 +28982,7 @@ diff --exclude-from=exclude -N -u -r nsa
 +read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 +
 +fs_search_auto_mountpoints(spamc_t)
++fs_list_inotifyfs(spamc_t)  
 +
 +domain_use_interactive_fds(spamc_t)
 +
@@ -33476,9 +33553,8 @@ diff --exclude-from=exclude -N -u -r nsa
  allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.5.13/policy/modules/system/iptables.fc
 --- nsaserefpolicy/policy/modules/system/iptables.fc	2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/iptables.fc	2009-04-16 11:43:52.000000000 +0200
-@@ -1,8 +1,13 @@
-+/sbin/ip6tables.*       	--      gen_context(system_u:object_r:iptables_exec_t,s0)
++++ serefpolicy-3.5.13/policy/modules/system/iptables.fc	2009-05-04 12:51:08.000000000 +0200
+@@ -1,8 +1,12 @@
 +/sbin/ipchains.*        	--      gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables  		-- 	gen_context(system_u:object_r:iptables_exec_t,s0)
 +/sbin/ip6?tables-restore  	-- 	gen_context(system_u:object_r:iptables_exec_t,s0)
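Review bot: Removing `/sbin/ip6tables.*` takes away the only visible entry that matched `/sbin/ip6tables-save`; the remaining `/sbin/ip6?tables` and `/sbin/ip6?tables-restore` patterns do not cover it, so the fix named in the log message depends on a `/sbin/ip6?tables-save` entry further down the inner hunk, outside this view. Worth confirming after the build with `matchpathcon /sbin/ip6tables-save` that it resolves to `iptables_exec_t`, since an unlabeled save binary would run unconfined of the iptables domain. The inner hunk continues past the end of this outer hunk.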


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.792
retrieving revision 1.793
diff -u -p -r1.792 -r1.793
--- selinux-policy.spec	24 Apr 2009 08:45:05 -0000	1.792
+++ selinux-policy.spec	7 May 2009 10:39:48 -0000	1.793
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 58%{?dist}
+Release: 59%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,10 @@ exit 0
 %endif
 
 %changelog
+* Thu May 7 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-59
+- Fix /sbin/ip6tables-save context
+- Fix milter policy
+
 * Fri Apr 24 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-58
 - Allow nfs to share removable media
 



