rpms/selinux-policy-targeted/devel policy-20050414.patch, 1.9, 1.10 selinux-policy-targeted.spec, 1.283, 1.284

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Apr 25 17:49:38 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv31395

Modified Files:
	policy-20050414.patch selinux-policy-targeted.spec 
Log Message:
* Sun Apr 24 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-5
- Fix file_context conflicts for fsadm
- Add Russels patches
- Restore webalizer
- Add transitionbool for httpd_suexec


policy-20050414.patch:
 domains/misc/kernel.te                |    4 ++
 domains/program/fsadm.te              |    2 -
 domains/program/getty.te              |   13 ++-------
 domains/program/hostname.te           |    6 +---
 domains/program/init.te               |    2 -
 domains/program/initrc.te             |    9 +++---
 domains/program/klogd.te              |    3 ++
 domains/program/load_policy.te        |    3 --
 domains/program/modutil.te            |    2 -
 domains/program/unused/amanda.te      |   18 ++++++++++---
 domains/program/unused/amavis.te      |    7 -----
 domains/program/unused/apache.te      |   20 +++++---------
 domains/program/unused/auditd.te      |   44 ++++++++++++++++++++++++-------
 domains/program/unused/clamav.te      |    2 -
 domains/program/unused/consoletype.te |   13 ++++-----
 domains/program/unused/cups.te        |    3 ++
 domains/program/unused/dhcpc.te       |   11 +++++--
 domains/program/unused/hald.te        |    4 ++
 domains/program/unused/hotplug.te     |    8 +----
 domains/program/unused/ntpd.te        |    3 --
 domains/program/unused/portmap.te     |    5 ++-
 domains/program/unused/prelink.te     |    2 -
 domains/program/unused/squid.te       |    4 --
 domains/program/unused/tinydns.te     |    2 -
 domains/program/unused/udev.te        |    7 +++--
 domains/program/unused/webalizer.te   |    2 -
 domains/user.te                       |    7 +++++
 file_contexts/distros.fc              |    1 
 file_contexts/program/auditd.fc       |    2 -
 file_contexts/program/compat.fc       |   17 ++++++++----
 file_contexts/program/getty.fc        |    2 +
 file_contexts/program/i18n_input.fc   |    2 -
 file_contexts/program/portmap.fc      |    1 
 file_contexts/program/traceroute.fc   |    2 +
 file_contexts/program/udev.fc         |    1 
 file_contexts/program/webalizer.fc    |    2 +
 file_contexts/types.fc                |    2 -
 macros/core_macros.te                 |    1 
 macros/global_macros.te               |   12 ++++++++
 macros/program/cdrecord_macros.te     |    2 -
 macros/program/mozilla_macros.te      |    2 -
 macros/program/ypbind_macros.te       |    4 ++
 man/man8/httpd_selinux.8              |    6 ++++
 targeted/appconfig/default_contexts   |    1 
 targeted/domains/program/compat.te    |    3 --
 targeted/domains/program/hotplug.te   |   17 ------------
 targeted/domains/program/udev.te      |   17 ------------
 targeted/domains/program/xdm.te       |    1 
 targeted/domains/unconfined.te        |    3 +-
 targeted/initial_sid_contexts         |   47 ----------------------------------
 tunables/distro.tun                   |    2 -
 tunables/tunable.tun                  |    6 ++--
 types/network.te                      |    1 
 53 files changed, 176 insertions(+), 187 deletions(-)

Index: policy-20050414.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050414.patch,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- policy-20050414.patch	22 Apr 2005 20:48:36 -0000	1.9
+++ policy-20050414.patch	25 Apr 2005 17:49:34 -0000	1.10
@@ -9,6 +9,18 @@
 +ifdef(`targeted_policy', `
 +typeattribute kernel_t unrestricted;
 +')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/fsadm.te policy-1.23.12/domains/program/fsadm.te
+--- nsapolicy/domains/program/fsadm.te	2005-04-04 10:21:10.000000000 -0400
++++ policy-1.23.12/domains/program/fsadm.te	2005-04-25 10:04:33.000000000 -0400
+@@ -100,7 +100,7 @@
+ allow fsadm_t kernel_t:system syslog_console;
+ 
+ # Access terminals.
+-allow fsadm_t { initrc_devpts_t admin_tty_type }:chr_file rw_file_perms;
++allow fsadm_t { initrc_devpts_t admin_tty_type devtty_t }:chr_file rw_file_perms;
+ ifdef(`gnome-pty-helper.te', `allow fsadm_t sysadm_gph_t:fd use;')
+ allow fsadm_t privfd:fd use;
+ allow fsadm_t devpts_t:dir { getattr search };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/getty.te policy-1.23.12/domains/program/getty.te
 --- nsapolicy/domains/program/getty.te	2005-04-14 15:01:53.000000000 -0400
 +++ policy-1.23.12/domains/program/getty.te	2005-04-22 16:17:17.000000000 -0400
@@ -215,7 +227,7 @@
 -')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.12/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-04-20 15:40:34.000000000 -0400
-+++ policy-1.23.12/domains/program/unused/apache.te	2005-04-22 11:24:55.000000000 -0400
++++ policy-1.23.12/domains/program/unused/apache.te	2005-04-25 13:34:10.000000000 -0400
 @@ -290,7 +290,7 @@
  allow httpd_helper_t httpd_log_t:file { append };
  
@@ -225,6 +237,15 @@
  # the TTY or PTY associated with the session. The httpd appears
  # to run correctly without this permission, so the permission
  # are dontaudited here. 
+@@ -322,7 +322,7 @@
+ # The following are types for SUEXEC,which runs user scripts as their
+ # own user ID
+ #
+-daemon_sub_domain(httpd_t, httpd_suexec)
++daemon_sub_domain(httpd_t, httpd_suexec, `, transitionbool')
+ allow httpd_t httpd_suexec_exec_t:file read;
+ 
+ #########################################################
 @@ -335,8 +335,8 @@
  allow httpd_suexec_t { var_t var_log_t }:dir search;
  allow httpd_suexec_t home_root_t:dir search;
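Review bot: With `transitionbool`, setting the new `httpd_suexec_disable_trans` boolean only drops the domain_auto_trans (see the global_macros.te hunk later in this patch); nothing visible then lets httpd_t execute httpd_suexec_exec_t without a transition, since this hunk grants httpd_t only `read` on that type, so flipping the boolean likely leaves suexec unable to run at all rather than running it in httpd_t, unless execute rights are granted elsewhere. If running it in httpd_t is the intent, the else arm of the macro needs something like `can_exec($1, $2_exec_t)`, and since suexec is normally a setuid-root helper that is a far larger grant to httpd_t than the transition it replaces, which the documentation should state. The man page hunk near the end of this patch adds `set httpd_suexec_disable_trans deny this`, which reads as garbled and should probably say `You can disable the suexec transition by executing:`. The enclosing apache.te file section continues outside this hunk.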
@@ -272,8 +293,13 @@
 -allow httpd_t var_t:file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/auditd.te policy-1.23.12/domains/program/unused/auditd.te
 --- nsapolicy/domains/program/unused/auditd.te	2005-04-20 15:40:34.000000000 -0400
-+++ policy-1.23.12/domains/program/unused/auditd.te	2005-04-22 14:08:06.000000000 -0400
-@@ -5,30 +5,46 @@
++++ policy-1.23.12/domains/program/unused/auditd.te	2005-04-25 11:10:33.000000000 -0400
+@@ -2,33 +2,57 @@
+ #
+ # Authors: Colin Walters <walters at verbum.org>
+ #
++# Some fixes by Paul Moore <paul.moore at hp.com>
++# 
  define(`audit_manager_domain', `
  allow $1 auditd_etc_t:file rw_file_perms;
  create_dir_file($1, auditd_log_t)
@@ -298,11 +324,11 @@
 -allow auditd_t auditd_log_t:dir { setattr rw_dir_perms };
 +allow auditd_t var_log_t:dir search;
 +rw_dir_create_file(auditd_t, auditd_log_t)
++
++can_exec(auditd_t, init_exec_t)
  
  can_exec(auditd_t, init_exec_t)
 -allow auditd_t auditd_etc_t:file r_file_perms;
- 
-+can_exec(auditd_t, init_exec_t)
 +allow auditd_t initctl_t:fifo_file write;
 +
 +type auditctl_t, domain, privlog;
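Review bot: The added `can_exec(auditd_t, init_exec_t)` sits two lines above the unchanged context line `can_exec(auditd_t, init_exec_t)`, so the patched auditd.te ends up with the same rule twice in a row. checkpolicy merges duplicate allow rules, so this is harmless, but it looks like a leftover from relocating the line (the older copy further down is removed in a later hunk of this file), and the new copy should be dropped. The enclosing file section continues outside this hunk.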
@@ -312,7 +338,7 @@
 +allow auditctl_t self:capability { audit_write audit_control };
 +allow auditctl_t etc_t:file { getattr read };
 +allow auditctl_t admin_tty_type:chr_file rw_file_perms;
-+
+ 
 +type auditd_etc_t, file_type, secure_file_type;
 +allow { auditd_t auditctl_t } auditd_etc_t:file r_file_perms;
 +
@@ -325,11 +351,17 @@
  ')
 -can_exec(auditd_t, init_exec_t)
 -allow auditd_t initctl_t:fifo_file write;
++allow initrc_t auditd_etc_t:file r_file_perms;
++
++role system_r types auditctl_t;
++domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)
++
 +dontaudit auditctl_t local_login_t:fd use;
 +allow auditctl_t proc_t:dir search;
 +allow auditctl_t sysctl_kernel_t:dir search;
 +allow auditctl_t sysctl_kernel_t:file read;
 +allow auditd_t self:process setsched;
++dontaudit auditctl_t init_t:fd use; 
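Review bot: `allow initrc_t auditd_etc_t:file r_file_perms;` gives the init-script domain read access to a type this file marks `secure_file_type` and otherwise restricts to auditd_t and auditctl_t; if the init script only tests whether the rules file exists, `allow initrc_t auditd_etc_t:file getattr;` would be the narrower grant, so it is worth confirming which the script actually needs. The `domain_auto_trans(initrc_t, auditctl_exec_t, auditctl_t)` line relies on auditctl_exec_t being declared elsewhere in the file, which is not visible in this hunk. The last added line, `dontaudit auditctl_t init_t:fd use; `, carries trailing whitespace. The auditd.te file section continues outside this hunk.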
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/clamav.te policy-1.23.12/domains/program/unused/clamav.te
 --- nsapolicy/domains/program/unused/clamav.te	2005-04-06 06:57:44.000000000 -0400
 +++ policy-1.23.12/domains/program/unused/clamav.te	2005-04-22 07:01:47.000000000 -0400
@@ -521,6 +553,26 @@
  allow ntpd_t winbind_var_run_t:sock_file rw_file_perms;
  ')
 -allow sysadm_t ntp_port_t:udp_socket name_bind;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/portmap.te policy-1.23.12/domains/program/unused/portmap.te
+--- nsapolicy/domains/program/unused/portmap.te	2005-03-24 08:58:27.000000000 -0500
++++ policy-1.23.12/domains/program/unused/portmap.te	2005-04-25 10:04:05.000000000 -0400
+@@ -58,13 +58,14 @@
+ domain_auto_trans(initrc_t, portmap_helper_exec_t, portmap_helper_t)
+ dontaudit portmap_helper_t self:capability { net_admin };
+ allow portmap_helper_t self:capability { net_bind_service };
+-allow portmap_helper_t { var_run_t initrc_var_run_t } :file rw_file_perms;
++allow portmap_helper_t initrc_var_run_t:file rw_file_perms;
++file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)
+ allow portmap_helper_t self:netlink_route_socket r_netlink_socket_perms;
+ can_network(portmap_helper_t)
+ allow portmap_helper_t port_type:tcp_socket name_connect;
+ can_ypbind(portmap_helper_t)
+ dontaudit portmap_helper_t admin_tty_type:chr_file rw_file_perms;
+ allow portmap_helper_t etc_t:file { getattr read };
+-dontaudit portmap_helper_t userdomain:fd use;
++dontaudit portmap_helper_t { userdomain privfd }:fd use;
+ allow portmap_helper_t reserved_port_t:{ tcp_socket udp_socket } name_bind;
+ dontaudit portmap_helper_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.23.12/domains/program/unused/prelink.te
 --- nsapolicy/domains/program/unused/prelink.te	2005-04-04 10:21:11.000000000 -0400
 +++ policy-1.23.12/domains/program/unused/prelink.te	2005-04-21 08:05:17.000000000 -0400
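Review bot: `file_type_auto_trans(portmap_helper_t, var_run_t, portmap_var_run_t, file)` narrows the previous blanket `var_run_t:file rw_file_perms` to files the helper creates itself, which is the right direction, but it depends on `portmap_var_run_t` already being declared (presumably by the daemon macro earlier in portmap.te, not visible here) and on the `/var/run/portmap.upgrade-state` context added in the portmap.fc hunk; if that state file is ever created by the init script rather than by the helper, it will not receive that type and the helper loses access to it. The portmap.fc entry also separates its fields with spaces where the rest of that file uses tab columns. Both the portmap.te and portmap.fc file sections continue outside their hunks.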
@@ -594,6 +646,18 @@
 +ifdef(`unlimitedUtils', `
 +unconfined_domain(udev_t) 
 +')
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/webalizer.te policy-1.23.12/domains/program/unused/webalizer.te
+--- nsapolicy/domains/program/unused/webalizer.te	2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.12/domains/program/unused/webalizer.te	2005-04-25 13:15:57.000000000 -0400
+@@ -4,7 +4,7 @@
+ #
+ # Depends: apache.te
+ 
+-application_domain(webalizer)
++application_domain(webalizer, `, nscd_client_domain')
+ # to use from cron
+ system_crond_entry(webalizer_exec_t,webalizer_t)
+ role system_r types webalizer_t;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/user.te policy-1.23.12/domains/user.te
 --- nsapolicy/domains/user.te	2005-04-14 15:01:53.000000000 -0400
 +++ policy-1.23.12/domains/user.te	2005-04-22 09:41:28.000000000 -0400
@@ -608,6 +672,17 @@
 +allow userdomain ttyfile:chr_file getattr;
 +}
 +
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.12/file_contexts/distros.fc
+--- nsapolicy/file_contexts/distros.fc	2005-04-20 15:40:35.000000000 -0400
++++ policy-1.23.12/file_contexts/distros.fc	2005-04-24 08:35:47.000000000 -0400
+@@ -37,6 +37,7 @@
+ /usr/share/texmf/web2c/mktexupd	--	system_u:object_r:bin_t
+ /usr/share/ssl/certs(/.*)?		system_u:object_r:cert_t
+ /usr/share/ssl/private(/.*)?		system_u:object_r:cert_t
++/etc/pki(/.*)?		system_u:object_r:cert_t
+ /usr/share/ssl/misc(/.*)?		system_u:object_r:bin_t
+ #
+ # /emul/ia32-linux/usr
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/auditd.fc policy-1.23.12/file_contexts/program/auditd.fc
 --- nsapolicy/file_contexts/program/auditd.fc	2005-04-20 15:40:35.000000000 -0400
 +++ policy-1.23.12/file_contexts/program/auditd.fc	2005-04-21 08:05:17.000000000 -0400
@@ -620,8 +695,14 @@
  /var/log/audit(/.*)?  	 	system_u:object_r:auditd_log_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc policy-1.23.12/file_contexts/program/compat.fc
 --- nsapolicy/file_contexts/program/compat.fc	2005-04-20 08:58:41.000000000 -0400
-+++ policy-1.23.12/file_contexts/program/compat.fc	2005-04-21 14:12:38.000000000 -0400
-@@ -4,11 +4,6 @@
++++ policy-1.23.12/file_contexts/program/compat.fc	2005-04-24 08:15:01.000000000 -0400
+@@ -1,19 +1,23 @@
++ifdef(`setfiles.te', `', `
+ # setfiles
+ /usr/sbin/setfiles.*	--	system_u:object_r:setfiles_exec_t
++')
+ 
++ifdef(`mout.te', `', `
  # mount
  /bin/mount.*			--	system_u:object_r:mount_exec_t
  /bin/umount.*			--	system_u:object_r:mount_exec_t
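Review bot: `ifdef(`mout.te', `', `` on the new side misspells the file name, so the guard never matches and the mount/umount compat entries are still emitted when mount.te is present — the same kind of duplicate file_context this commit's log message says it is fixing for fsadm. It should read `ifdef(`mount.te', `', `` to match the other guards (`setfiles.te`, `loadkeys.te`, `dmesg.te`, `fsadm.te`, `kudzu.te`) added in this and the following hunk. The `')` that closes this block is in the next hunk.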
@@ -630,9 +711,30 @@
 -/bin/hostname		--	system_u:object_r:hostname_exec_t
 -# consoletype
 -/sbin/consoletype	--	system_u:object_r:consoletype_exec_t
++')
++ifdef(`loadkeys.te', `', `
  # loadkeys
  /bin/unikeys		--	system_u:object_r:loadkeys_exec_t
  /bin/loadkeys		--	system_u:object_r:loadkeys_exec_t
++')
++ifdef(`dmesg.te', `', `
+ # dmesg
+ /bin/dmesg	--	system_u:object_r:dmesg_exec_t
++')
++ifdef(`fsadm.te', `', `
+ # fs admin utilities
+ /sbin/fsck.*		--	system_u:object_r:fsadm_exec_t
+ /sbin/mkfs.*		--	system_u:object_r:fsadm_exec_t
+@@ -50,6 +54,9 @@
+ /sbin/partx		--	system_u:object_r:fsadm_exec_t
+ /usr/bin/partition_uuid	--	system_u:object_r:fsadm_exec_t
+ /sbin/partprobe		--	system_u:object_r:fsadm_exec_t
++')
++ifdef(`kudzu.te', `', `
+ # kudzu
+ /usr/sbin/kudzu	--	system_u:object_r:kudzu_exec_t
+ /sbin/kmodule	--	system_u:object_r:kudzu_exec_t
++')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/getty.fc policy-1.23.12/file_contexts/program/getty.fc
 --- nsapolicy/file_contexts/program/getty.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.23.12/file_contexts/program/getty.fc	2005-04-22 16:17:17.000000000 -0400
@@ -654,6 +756,14 @@
  /usr/bin/httx                   --     system_u:object_r:i18n_input_exec_t
  /usr/bin/htt_xbe                --     system_u:object_r:i18n_input_exec_t
  /usr/lib(64)?/im/.*\.so.*       --     system_u:object_r:shlib_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/portmap.fc policy-1.23.12/file_contexts/program/portmap.fc
+--- nsapolicy/file_contexts/program/portmap.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.12/file_contexts/program/portmap.fc	2005-04-25 10:03:52.000000000 -0400
+@@ -7,3 +7,4 @@
+ /usr/sbin/pmap_dump	--	system_u:object_r:portmap_helper_exec_t
+ /usr/sbin/pmap_set	--	system_u:object_r:portmap_helper_exec_t
+ ')
++/var/run/portmap.upgrade-state -- system_u:object_r:portmap_var_run_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/traceroute.fc policy-1.23.12/file_contexts/program/traceroute.fc
 --- nsapolicy/file_contexts/program/traceroute.fc	2005-02-24 14:51:08.000000000 -0500
 +++ policy-1.23.12/file_contexts/program/traceroute.fc	2005-04-21 09:45:13.000000000 -0400
@@ -676,6 +786,13 @@
  /usr/bin/udevinfo --	system_u:object_r:udev_exec_t
  /etc/dev\.d/.+	--	system_u:object_r:udev_helper_exec_t
  /etc/udev/scripts/.+	-- system_u:object_r:udev_helper_exec_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/webalizer.fc policy-1.23.12/file_contexts/program/webalizer.fc
+--- nsapolicy/file_contexts/program/webalizer.fc	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.12/file_contexts/program/webalizer.fc	2005-04-25 13:16:17.000000000 -0400
+@@ -1 +1,3 @@
+ #
++/usr/bin/webalizer	--	system_u:object_r:webalizer_exec_t
++/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.23.12/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2005-04-20 15:40:35.000000000 -0400
 +++ policy-1.23.12/file_contexts/types.fc	2005-04-21 08:22:16.000000000 -0400
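Review bot: `/var/lib/webalizer(/.*)		system_u:object_r:webalizer_var_lib_t` omits the `?` after the group, so the regex matches only entries beneath the directory and never `/var/lib/webalizer` itself, which keeps whatever label its parent gives it; the other directory specs in this patch use `(/.*)?` (for example `/etc/pki(/.*)?`). Change it to `/var/lib/webalizer(/.*)?		system_u:object_r:webalizer_var_lib_t`. The type webalizer_var_lib_t is presumably declared in webalizer.te, which is not visible in this hunk.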
@@ -699,6 +816,49 @@
  allow $1 self:dir search;
  allow $1 self:file { getattr read };
  # Access selinuxfs.
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.12/macros/global_macros.te
+--- nsapolicy/macros/global_macros.te	2005-04-14 15:01:54.000000000 -0400
++++ policy-1.23.12/macros/global_macros.te	2005-04-25 13:38:39.000000000 -0400
+@@ -406,8 +406,19 @@
+ 
+ role system_r types $2_t;
+ 
++ifelse(index(`$3',`transitionbool'), -1, `
++
++domain_auto_trans($1, $2_exec_t, $2_t)
++
++', `
++
++bool $2_disable_trans false;
++
++if (! $2_disable_trans) {
+ domain_auto_trans($1, $2_exec_t, $2_t)
++}
+ 
++');
+ # Inherit and use descriptors from parent.
+ allow $2_t $1:fd use;
+ allow $2_t $1:process sigchld;
+@@ -712,6 +723,7 @@
+ if (allow_execmod) {
+ # Allow text relocations on system shared libraries, e.g. libGL.
+ allow $1 texrel_shlib_t:file execmod;
++allow $1 home_type:file execmod;
+ }
+ 
+ # Create/access any System V IPC objects.
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/cdrecord_macros.te policy-1.23.12/macros/program/cdrecord_macros.te
+--- nsapolicy/macros/program/cdrecord_macros.te	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.12/macros/program/cdrecord_macros.te	2005-04-25 10:07:49.000000000 -0400
+@@ -40,7 +40,7 @@
+ allow $1_cdrecord_t etc_t:file { getattr read };
+ 
+ # allow searching for cdrom-drive
+-allow $1_cdrecord_t device_t:dir { getattr search };
++allow $1_cdrecord_t device_t:dir r_dir_perms;
+ allow $1_cdrecord_t device_t:lnk_file { getattr read };
+ 
+ # allow cdrecord to write the CD
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.12/macros/program/mozilla_macros.te
 --- nsapolicy/macros/program/mozilla_macros.te	2005-04-20 15:40:35.000000000 -0400
 +++ policy-1.23.12/macros/program/mozilla_macros.te	2005-04-22 06:57:46.000000000 -0400
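Review bot: `allow $1 home_type:file execmod;` inside the `if (allow_execmod)` block extends execmod from system shared libraries (texrel_shlib_t) to every file type under home_type, i.e. user-writable files, for whatever domain this macro expands to (the macro's name is outside the hunk); that is a much broader relaxation than the existing comment `Allow text relocations on system shared libraries` describes, so the comment should be extended, e.g. `# Also allow execmod on files in home directories (user-installed libraries).` The transitionbool arm declares `bool $2_disable_trans false;` inside the macro body, so invoking daemon_sub_domain twice for the same $2 would declare the boolean twice, and when the boolean is true the parent $1 has no visible execute permission on $2_exec_t, which should be checked against the apache.te hunk. Both `ifelse` arms of the macro continue outside this hunk.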
@@ -728,6 +888,22 @@
  ')
  
  define(`can_ypbind', `
+diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.23.12/man/man8/httpd_selinux.8
+--- nsapolicy/man/man8/httpd_selinux.8	2005-04-07 22:22:56.000000000 -0400
++++ policy-1.23.12/man/man8/httpd_selinux.8	2005-04-25 13:37:04.000000000 -0400
+@@ -90,6 +90,12 @@
+ setsebool -P httpd_can_network_connect 1
+ 
+ .TP
++You can disable suexec transition, set httpd_suexec_disable_trans deny this
++.br
++
++setsebool -P httpd_suexec_disable_trans 1
++
++.TP
+ You can disable SELinux protection for the httpd daemon by executing:
+ .br
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/targeted/appconfig/default_contexts policy-1.23.12/targeted/appconfig/default_contexts
 --- nsapolicy/targeted/appconfig/default_contexts	2005-02-24 14:51:10.000000000 -0500
 +++ policy-1.23.12/targeted/appconfig/default_contexts	2005-04-22 14:41:39.000000000 -0400


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.283
retrieving revision 1.284
diff -u -r1.283 -r1.284
--- selinux-policy-targeted.spec	22 Apr 2005 20:48:36 -0000	1.283
+++ selinux-policy-targeted.spec	25 Apr 2005 17:49:34 -0000	1.284
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.12
-Release: 4
+Release: 5
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -234,6 +234,12 @@
 exit 0
 
 %changelog
+* Sun Apr 24 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-5
+- Fix file_context conflicts for fsadm
+- Add Russels patches
+- Restore webalizer
+- Add transitionbool for httpd_suexec
+
 * Fri Apr 22 2005 Dan Walsh <dwalsh at redhat.com> 1.23.12-4
 - Fix consoletype
 - Add udev, hotplug, consoletype,restorecon to targeted



