rpms/selinux-policy/F-10 policy-20080710.patch, 1.165, 1.166 selinux-policy.spec, 1.792, 1.793
Miroslav Grepl
mgrepl at fedoraproject.org
Thu May 7 10:39:49 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28410
Modified Files:
policy-20080710.patch selinux-policy.spec
Log Message:
- Fix /sbin/ip6tables-save context
- Fix milter policy
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.165
retrieving revision 1.166
diff -u -p -r1.165 -r1.166
--- policy-20080710.patch 24 Apr 2009 08:45:04 -0000 1.165
+++ policy-20080710.patch 7 May 2009 10:39:46 -0000 1.166
@@ -18892,16 +18892,23 @@ diff --exclude-from=exclude -N -u -r nsa
+files_type(mailscanner_spool_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.fc serefpolicy-3.5.13/policy/modules/services/milter.fc
--- nsaserefpolicy/policy/modules/services/milter.fc 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/milter.fc 2009-03-17 16:49:14.000000000 +0100
-@@ -0,0 +1,8 @@
++++ serefpolicy-3.5.13/policy/modules/services/milter.fc 2009-05-04 10:32:34.000000000 +0200
+@@ -0,0 +1,15 @@
+
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
++/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
++/usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0)
++
++/var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0)
++/var/run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.if serefpolicy-3.5.13/policy/modules/services/milter.if
--- nsaserefpolicy/policy/modules/services/milter.if 1970-01-01 01:00:00.000000000 +0100
+++ serefpolicy-3.5.13/policy/modules/services/milter.if 2009-04-24 10:10:52.000000000 +0200
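Review bot: `/var/run/milter.* -- gen_context(system_u:object_r:spamass_milter_data_t,s0)` is broader than every other spec in this hunk: as a regular-file pattern it also matches any file whose name begins with `/var/run/milter`, including the `milter-greylist` paths declared a few lines below it. Those keep their own label only because libselinux ranks specs by the length of the literal prefix before the first regex metacharacter (and treats `milter-greylist\.pid` as an exact match), so the overlap is resolved silently rather than visibly. If spamass-milter creates a known file name here the pattern should be narrowed to it; otherwise a one-line comment recording why the catch-all is intended would stop the next milter added to this file from being shadowed. Running `matchpathcon /var/run/milter-greylist.pid` against the installed policy confirms which spec wins.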
@@ -19012,8 +19019,8 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/milter.te serefpolicy-3.5.13/policy/modules/services/milter.te
--- nsaserefpolicy/policy/modules/services/milter.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.5.13/policy/modules/services/milter.te 2009-03-17 16:48:44.000000000 +0100
-@@ -0,0 +1,69 @@
++++ serefpolicy-3.5.13/policy/modules/services/milter.te 2009-05-04 10:31:04.000000000 +0200
+@@ -0,0 +1,107 @@
+
+policy_module(milter, 1.0.0)
+
@@ -19083,6 +19090,44 @@ diff --exclude-from=exclude -N -u -r nsa
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+spamassassin_domtrans_spamc(spamass_milter_t)
++
++#######################################
++#
++# milter-greylist Declarations
++#
++
++milter_template(greylist)
++
++#######################################
++#
++# milter-greylist local policy
++# ensure smtp clients retry mail like real MTAs and not spamware
++# http://hcpnet.free.fr/milter-greylist/
++#
++
++# Look up username for dropping privs
++auth_use_nsswitch(greylist_milter_t)
++
++# It creates a pid file /var/run/milter-greylist.pid
++files_pid_filetrans(greylist_milter_t, greylist_milter_data_t, file)
++
++# It removes any existing socket (not owned by root) whilst running as root,
++# fixes permissions, renices itself and then calls setgid() and setuid() to
++# drop privileges
++kernel_read_kernel_sysctls(greylist_milter_t)
++allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };
++allow greylist_milter_t self:process { setsched getsched };
++
++# Allow the milter to read a GeoIP database in /usr/share
++files_read_usr_files(greylist_milter_t)
++
++# The milter runs from /var/lib/milter-greylist and maintains files there
++files_search_var_lib(greylist_milter_t);
++
++# Config is in /etc/mail/greylist.conf
++mta_read_config(greylist_milter_t)
++
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.5.13/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-10-17 14:49:11.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/mta.fc 2009-02-10 15:07:15.000000000 +0100
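Review bot: `files_search_var_lib(greylist_milter_t);` carries a trailing semicolon that none of the other interface calls in this hunk have; the .te files are m4-expanded, so the stray `;` is passed through into the generated policy, and it should read `files_search_var_lib(greylist_milter_t)`. The capability grant `allow greylist_milter_t self:capability { chown dac_override setgid setuid sys_nice };` is justified only by the comment about removing a non-root-owned socket and fixing permissions; `dac_override` is the broadest of the five, so it is worth confirming from the AVC denials that it is actually exercised rather than granted pre-emptively. The spamass_milter_t lines at the top of the hunk belong to a block that starts outside it.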
@@ -24827,8 +24872,20 @@ diff --exclude-from=exclude -N -u -r nsa
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.5.13/policy/modules/services/privoxy.te
--- nsaserefpolicy/policy/modules/services/privoxy.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/privoxy.te 2009-02-10 15:07:15.000000000 +0100
-@@ -10,6 +10,9 @@
++++ serefpolicy-3.5.13/policy/modules/services/privoxy.te 2009-04-29 11:29:29.000000000 +0200
+@@ -6,10 +6,21 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow privoxy to connect to all ports, not just
++## HTTP, FTP, and Gopher ports.
++## </p>
++## </desc>
++gen_tunable(privoxy_connect_any, false)
++
+ type privoxy_t; # web_client_domain
type privoxy_exec_t;
init_daemon_domain(privoxy_t, privoxy_exec_t)
@@ -24838,7 +24895,7 @@ diff --exclude-from=exclude -N -u -r nsa
type privoxy_etc_rw_t;
files_type(privoxy_etc_rw_t)
-@@ -50,6 +53,7 @@
+@@ -50,6 +61,7 @@
corenet_tcp_connect_http_port(privoxy_t)
corenet_tcp_connect_http_cache_port(privoxy_t)
corenet_tcp_connect_ftp_port(privoxy_t)
@@ -24846,6 +24903,18 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_tcp_connect_tor_port(privoxy_t)
corenet_sendrecv_http_cache_client_packets(privoxy_t)
corenet_sendrecv_http_cache_server_packets(privoxy_t)
+@@ -81,6 +93,11 @@
+ # cjp: this should really not be needed
+ sysadm_use_terms(privoxy_t)
+
++tunable_policy(`privoxy_connect_any',`
++ corenet_tcp_connect_all_ports(privoxy_t)
++ corenet_sendrecv_all_packets(privoxy_t)
++')
++
+ optional_policy(`
+ nis_use_ypbind(privoxy_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.5.13/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2008-10-17 14:49:13.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/services/procmail.fc 2009-02-10 15:07:15.000000000 +0100
@@ -26131,7 +26200,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.5.13/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-04-23 09:19:05.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/rpc.te 2009-05-05 14:18:33.000000000 +0200
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@@ -26141,7 +26210,7 @@ diff --exclude-from=exclude -N -u -r nsa
rpc_domain_template(gssd)
-@@ -68,11 +68,13 @@
+@@ -68,16 +68,20 @@
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
kernel_rw_fs_sysctls(rpcd_t)
@@ -26155,7 +26224,14 @@ diff --exclude-from=exclude -N -u -r nsa
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
fs_read_rpc_symlinks(rpcd_t)
-@@ -101,6 +103,7 @@
+ fs_read_rpc_sockets(rpcd_t)
+
++storage_getattr_fixed_disk_dev(rpcd_t)
++
+ selinux_dontaudit_read_fs(rpcd_t)
+
+ miscfiles_read_certs(rpcd_t)
+@@ -101,6 +105,7 @@
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
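Review bot: `storage_getattr_fixed_disk_dev(rpcd_t)` is added without the why-comment the neighbouring rpcd_t rules carry, and it lets the domain stat every fixed-disk device node rather than a specific one. A note such as `# rpc.rquotad stats the block device behind an exported filesystem -- TODO confirm against the triggering AVC` would record the reason; if the access turns out to be incidental rather than required, the dontaudit form is the smaller change, as this file already does for nfsd_t with `storage_dontaudit_read_fixed_disk(nfsd_t)`. The enclosing rpcd_t rule block starts and ends outside this hunk.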
@@ -26163,7 +26239,7 @@ diff --exclude-from=exclude -N -u -r nsa
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -116,6 +119,7 @@
+@@ -116,6 +121,7 @@
# cjp: this should really have its own type
files_manage_mounttab(rpcd_t)
@@ -26171,7 +26247,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_mount_nfsd_fs(nfsd_t)
fs_search_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
-@@ -123,6 +127,7 @@
+@@ -123,6 +129,7 @@
fs_rw_nfsd_fs(nfsd_t)
storage_dontaudit_read_fixed_disk(nfsd_t)
@@ -26179,7 +26255,7 @@ diff --exclude-from=exclude -N -u -r nsa
# Read access to public_content_t and public_content_rw_t
miscfiles_read_public_files(nfsd_t)
-@@ -133,13 +138,22 @@
+@@ -133,13 +140,22 @@
')
tunable_policy(`nfs_export_all_rw',`
@@ -26203,7 +26279,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
########################################
-@@ -162,6 +176,7 @@
+@@ -162,6 +178,7 @@
corecmd_exec_bin(gssd_t)
@@ -26211,7 +26287,7 @@ diff --exclude-from=exclude -N -u -r nsa
fs_list_rpc(gssd_t)
fs_read_rpc_sockets(gssd_t)
fs_read_rpc_files(gssd_t)
-@@ -170,9 +185,14 @@
+@@ -170,9 +187,14 @@
files_read_usr_symlinks(gssd_t)
auth_use_nsswitch(gssd_t)
@@ -26226,7 +26302,7 @@ diff --exclude-from=exclude -N -u -r nsa
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
-@@ -180,8 +200,7 @@
+@@ -180,8 +202,7 @@
')
optional_policy(`
@@ -28664,7 +28740,7 @@ diff --exclude-from=exclude -N -u -r nsa
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.5.13/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2008-10-17 14:49:11.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-04-24 10:11:36.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/services/spamassassin.te 2009-04-27 10:20:11.000000000 +0200
@@ -21,16 +21,24 @@
gen_tunable(spamd_enable_home_dirs, true)
@@ -28848,7 +28924,7 @@ diff --exclude-from=exclude -N -u -r nsa
')
optional_policy(`
-@@ -211,5 +261,141 @@
+@@ -211,5 +261,142 @@
')
optional_policy(`
@@ -28906,6 +28982,7 @@ diff --exclude-from=exclude -N -u -r nsa
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
+fs_search_auto_mountpoints(spamc_t)
++fs_list_inotifyfs(spamc_t)
+
+domain_use_interactive_fds(spamc_t)
+
@@ -33476,9 +33553,8 @@ diff --exclude-from=exclude -N -u -r nsa
allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.fc serefpolicy-3.5.13/policy/modules/system/iptables.fc
--- nsaserefpolicy/policy/modules/system/iptables.fc 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/iptables.fc 2009-04-16 11:43:52.000000000 +0200
-@@ -1,8 +1,13 @@
-+/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
++++ serefpolicy-3.5.13/policy/modules/system/iptables.fc 2009-05-04 12:51:08.000000000 +0200
+@@ -1,8 +1,12 @@
+/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ip6?tables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
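Review bot: Dropping `/sbin/ip6tables.* -- gen_context(system_u:object_r:iptables_exec_t,s0)` leaves only the three visible specs, none of which matches `/sbin/ip6tables-save`, yet the log message says this commit fixes that path's context; the fix must therefore sit among the nine unchanged lines of the inner `@@ -1,8 +1,12 @@` hunk that this outer diff does not show. Worth confirming against the installed policy with `matchpathcon /sbin/ip6tables-save`, since a binary left outside `iptables_exec_t` would execute without the transition into the iptables domain. Note also that the replacement patterns use `ip6?tables`, so any other `ip6tables-<suffix>` helper the old `.*` covered now needs its own spec.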
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/selinux-policy.spec,v
retrieving revision 1.792
retrieving revision 1.793
diff -u -p -r1.792 -r1.793
--- selinux-policy.spec 24 Apr 2009 08:45:05 -0000 1.792
+++ selinux-policy.spec 7 May 2009 10:39:48 -0000 1.793
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 58%{?dist}
+Release: 59%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -460,6 +460,10 @@ exit 0
%endif
%changelog
+* Thu May 7 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-59
+- Fix /sbin/ip6tables-save context
+- Fix milter policy
+
* Fri Apr 24 2009 Miroslav Grepl <mgrepl at redhat.com> 3.5.13-58
- Allow nfs to share removable media