rpms/selinux-policy/devel policy-20051208.patch, 1.19, 1.20 selinux-policy.spec, 1.56, 1.57
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Sat Dec 17 04:35:59 UTC 2005
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv29021
Modified Files:
policy-20051208.patch selinux-policy.spec
Log Message:
* Fri Dec 16 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-9
- Fix mls policy
policy-20051208.patch:
Makefile | 2
config/appconfig-strict-mcs/default_type | 6
config/appconfig-strict-mls/default_type | 6
config/appconfig-targeted-mcs/default_type | 2
config/appconfig-targeted-mls/default_type | 2
policy/global_tunables | 3
policy/mcs | 321 ++++---------------------
policy/mls | 372 ++++++-----------------------
policy/modules/admin/kudzu.te | 2
policy/modules/admin/logrotate.te | 4
policy/modules/admin/rpm.fc | 1
policy/modules/admin/rpm.te | 7
policy/modules/admin/tmpreaper.te | 3
policy/modules/apps/java.fc | 4
policy/modules/apps/java.if | 23 +
policy/modules/apps/java.te | 24 +
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/corenetwork.te.in | 12
policy/modules/kernel/devices.fc | 9
policy/modules/kernel/files.fc | 27 +-
policy/modules/kernel/kernel.te | 28 +-
policy/modules/kernel/mls.te | 9
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 44 +--
policy/modules/services/automount.te | 9
policy/modules/services/cvs.fc | 2
policy/modules/services/cvs.te | 6
policy/modules/services/hal.te | 3
policy/modules/services/remotelogin.te | 1
policy/modules/services/sasl.te | 8
policy/modules/services/sendmail.te | 5
policy/modules/services/ssh.te | 10
policy/modules/system/authlogin.if | 12
policy/modules/system/authlogin.te | 1
policy/modules/system/getty.te | 3
policy/modules/system/init.te | 2
policy/modules/system/iptables.te | 2
policy/modules/system/libraries.fc | 17 +
policy/modules/system/locallogin.te | 1
policy/modules/system/logging.fc | 7
policy/modules/system/logging.te | 5
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/udev.fc | 1
policy/modules/system/udev.te | 3
policy/modules/system/unconfined.te | 5
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.te | 2
policy/users | 8
48 files changed, 396 insertions(+), 639 deletions(-)
Index: policy-20051208.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051208.patch,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- policy-20051208.patch 16 Dec 2005 18:39:42 -0000 1.19
+++ policy-20051208.patch 17 Dec 2005 04:35:55 -0000 1.20
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mcs/default_type serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type
--- nsaserefpolicy/config/appconfig-strict-mcs/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mcs/default_type 2005-12-16 23:22:51.000000000 -0500
@@ -1,3 +1,3 @@
-sysadm_r:sysadm_t:s0
-staff_r:staff_t:s0
@@ -10,7 +10,7 @@
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.1.6/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-16 23:22:51.000000000 -0500
@@ -1,3 +1,3 @@
-sysadm_r:sysadm_t:s0
-staff_r:staff_t:s0
@@ -20,19 +20,19 @@
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_type serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type
--- nsaserefpolicy/config/appconfig-targeted-mcs/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type 2005-12-16 23:22:51.000000000 -0500
@@ -1 +1 @@
-system_r:unconfined_t:s0
+system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/default_type serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type
--- nsaserefpolicy/config/appconfig-targeted-mls/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mls/default_type 2005-12-16 23:22:51.000000000 -0500
@@ -1 +1 @@
-system_r:unconfined_t:s0
+system_r:unconfined_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.6/Makefile
--- nsaserefpolicy/Makefile 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/Makefile 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/Makefile 2005-12-16 23:22:51.000000000 -0500
@@ -92,7 +92,7 @@
# enable MLS if requested.
@@ -44,7 +44,7 @@
endif
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.1.6/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2005-12-12 23:05:35.000000000 -0500
-+++ serefpolicy-2.1.6/policy/global_tunables 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/global_tunables 2005-12-16 23:22:51.000000000 -0500
@@ -42,6 +42,9 @@
## Allow sasl to read shadow
gen_tunable(allow_saslauthd_read_shadow,false)
@@ -57,7 +57,7 @@
gen_tunable(allow_smbd_anon_write,false)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-2.1.6/policy/mcs
--- nsaserefpolicy/policy/mcs 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/mcs 2005-12-16 10:27:39.000000000 -0500
++++ serefpolicy-2.1.6/policy/mcs 2005-12-16 23:22:51.000000000 -0500
@@ -19,263 +19,70 @@
#
# Each category has a name and zero or more aliases.
@@ -388,7 +388,7 @@
# Each MCS level specifies a sensitivity and zero or more categories which may
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mls serefpolicy-2.1.6/policy/mls
--- nsaserefpolicy/policy/mls 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/mls 2005-12-16 13:06:24.000000000 -0500
++++ serefpolicy-2.1.6/policy/mls 2005-12-16 23:22:51.000000000 -0500
@@ -1,4 +1,3 @@
-
ifdef(`enable_mls',`
@@ -860,7 +860,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-2.1.6/policy/modules/admin/kudzu.te
--- nsaserefpolicy/policy/modules/admin/kudzu.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/kudzu.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/kudzu.te 2005-12-16 23:22:51.000000000 -0500
@@ -47,6 +47,8 @@
kernel_rw_hotplug_sysctl(kudzu_t)
kernel_rw_kernel_sysctl(kudzu_t)
@@ -872,7 +872,7 @@
dev_list_sysfs(kudzu_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-2.1.6/policy/modules/admin/logrotate.te
--- nsaserefpolicy/policy/modules/admin/logrotate.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/logrotate.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/logrotate.te 2005-12-16 23:22:51.000000000 -0500
@@ -67,6 +67,10 @@
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctl(logrotate_t)
@@ -886,7 +886,7 @@
fs_search_auto_mountpoints(logrotate_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-2.1.6/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/rpm.fc 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/rpm.fc 2005-12-16 23:22:51.000000000 -0500
@@ -1,5 +1,6 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
@@ -896,7 +896,7 @@
/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.te serefpolicy-2.1.6/policy/modules/admin/rpm.te
--- nsaserefpolicy/policy/modules/admin/rpm.te 2005-12-14 10:38:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/rpm.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/rpm.te 2005-12-16 23:22:51.000000000 -0500
@@ -114,6 +114,10 @@
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)
@@ -920,7 +920,7 @@
selinux_compute_access_vector(rpm_script_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/admin/tmpreaper.te 2005-12-16 23:22:51.000000000 -0500
@@ -39,6 +39,9 @@
miscfiles_read_localization(tmpreaper_t)
miscfiles_delete_man_pages(tmpreaper_t)
@@ -933,7 +933,7 @@
ifdef(`TODO',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.1.6/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.fc 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.fc 2005-12-16 23:22:51.000000000 -0500
@@ -0,0 +1,4 @@
+
+/usr/.*/java -- gen_context(system_u:object_r:java_exec_t,s0)
@@ -941,7 +941,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.if serefpolicy-2.1.6/policy/modules/apps/java.if
--- nsaserefpolicy/policy/modules/apps/java.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.if 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.if 2005-12-16 23:22:51.000000000 -0500
@@ -0,0 +1,23 @@
+## <summary>Load keyboard mappings.</summary>
+
@@ -968,7 +968,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.1.6/policy/modules/apps/java.te
--- nsaserefpolicy/policy/modules/apps/java.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/java.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/java.te 2005-12-16 23:22:51.000000000 -0500
@@ -0,0 +1,24 @@
+policy_module(java,1.0.0)
+
@@ -996,7 +996,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-2.1.6/policy/modules/apps/webalizer.te
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/apps/webalizer.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/apps/webalizer.te 2005-12-16 23:22:51.000000000 -0500
@@ -87,6 +87,7 @@
sysnet_read_config(webalizer_t)
@@ -1007,18 +1007,41 @@
apache_manage_sys_content(webalizer_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2005-12-02 17:53:26.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in 2005-12-16 09:28:14.000000000 -0500
-@@ -166,5 +166,7 @@
++++ serefpolicy-2.1.6/policy/modules/kernel/corenetwork.te.in 2005-12-16 23:26:11.000000000 -0500
+@@ -143,15 +143,15 @@
+ # nodes in net_contexts or net_contexts.mls.
+ #
+ type node_t, node_type;
+-sid node gen_context(system_u:object_r:node_t,s0)
++sid node gen_context(system_u:object_r:node_t,s0 - s15:c0.c255)
+
+ network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
+ network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
+ type node_internal_t, node_type; dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
+ network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
+-network_node(lo, s0, 127.0.0.1, 255.255.255.255)
++network_node(lo, s0 - s15:c0.c255, 127.0.0.1, 255.255.255.255)
+ network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
+-network_node(multicast, s0, ff00::, ff00::)
++network_node(multicast, s0 - s15:c0.c255, ff00::, ff00::)
+ network_node(site_local, s0, fec0::, ffc0::)
+ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
+
+@@ -164,7 +164,9 @@
+ # netif_t is the default type of network interfaces.
+ #
type netif_t, netif_type;
- sid netif gen_context(system_u:object_r:netif_t,s0)
+-sid netif gen_context(system_u:object_r:netif_t,s0)
++sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
-+type netif_lo_t, netif_type;
-+
- #network_interface(lo, lo,s0)
+-#network_interface(lo, lo,s0)
++ifdef(`mls_policy', `
++network_interface(lo, lo,s0 - s15:c0.c255)
++')
#network_interface(eth0, eth0,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-2.1.6/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/devices.fc 2005-12-16 10:51:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/devices.fc 2005-12-16 23:22:51.000000000 -0500
@@ -17,10 +17,10 @@
/dev/full -c gen_context(system_u:object_r:null_device_t,s0)
/dev/irlpt[0-9]+ -c gen_context(system_u:object_r:printer_device_t,s0)
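Review bot: The `network_interface(lo, lo,s0 - s15:c0.c255)` line added to corenetwork.te.in is guarded by an ifdef on `mls_policy`, while the only MLS switch visible elsewhere in this patch is `enable_mls` (the policy/mls section). If the build does not define `mls_policy`, the block is dropped silently and lo presumably keeps the context of the `netif` initial SID, so the guard should either test `enable_mls` or carry a comment naming where `mls_policy` is set. The same revision removes the explicit `type netif_lo_t, netif_type;` declaration, which only works if the `network_interface` macro declares that type itself; the macro is not visible here.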
@@ -1056,7 +1079,7 @@
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.1.6/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2005-12-01 17:57:16.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/files.fc 2005-12-16 13:31:57.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/files.fc 2005-12-16 23:22:51.000000000 -0500
@@ -24,7 +24,7 @@
# /boot
#
@@ -1148,7 +1171,7 @@
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.1.6/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te 2005-12-16 12:48:11.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te 2005-12-16 23:22:51.000000000 -0500
@@ -38,7 +38,7 @@
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
@@ -1210,9 +1233,23 @@
########################################
#
+@@ -197,9 +197,13 @@
+ # Kernel-generated traffic e.g., ICMP replies:
+ corenet_raw_sendrecv_all_if(kernel_t)
+ corenet_raw_sendrecv_all_nodes(kernel_t)
++corenet_raw_send_generic_if(kernel_t)
++
+ # Kernel-generated traffic e.g., TCP resets:
+ corenet_tcp_sendrecv_all_if(kernel_t)
+ corenet_tcp_sendrecv_all_nodes(kernel_t)
++corenet_raw_send_generic_node(kernel_t)
++corenet_raw_send_multicast_node(kernel_t)
+
+ dev_read_sysfs(kernel_t)
+ dev_search_usbfs(kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.6/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2005-12-13 15:51:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/mls.te 2005-12-16 10:44:41.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/mls.te 2005-12-16 23:22:51.000000000 -0500
@@ -36,8 +36,11 @@
attribute mlsxwinreadtoclr;
attribute mlsxwinwrite;
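Review bot: In the kernel.te section, `corenet_raw_send_generic_node(kernel_t)` and `corenet_raw_send_multicast_node(kernel_t)` are added under the comment `# Kernel-generated traffic e.g., TCP resets:`, after the tcp rules, although they are raw rules; they belong next to `corenet_raw_send_generic_if(kernel_t)` under the ICMP comment. The existing `corenet_raw_sendrecv_all_if` and `corenet_raw_sendrecv_all_nodes` lines look as if they already cover generic and multicast nodes, so a reader cannot tell why the three additions are needed. A one-line comment such as `# MLS: kernel_t must send to nodes/interfaces labelled with the full range` would settle it, if that is the reason.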
@@ -1241,7 +1278,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.te serefpolicy-2.1.6/policy/modules/kernel/selinux.te
--- nsaserefpolicy/policy/modules/kernel/selinux.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/selinux.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/selinux.te 2005-12-16 23:22:51.000000000 -0500
@@ -18,7 +18,7 @@
type security_t;
fs_type(security_t)
@@ -1253,7 +1290,7 @@
neverallow ~can_load_policy security_t:security load_policy;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.1.6/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/storage.fc 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/storage.fc 2005-12-16 23:22:51.000000000 -0500
@@ -5,35 +5,35 @@
/dev/n?osst[0-3].* -c gen_context(system_u:object_r:tape_device_t,s0)
/dev/n?pt[0-9]+ -c gen_context(system_u:object_r:tape_device_t,s0)
@@ -1336,7 +1373,7 @@
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.1.6/policy/modules/services/automount.te
--- nsaserefpolicy/policy/modules/services/automount.te 2005-12-13 15:51:49.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/automount.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/automount.te 2005-12-16 23:22:51.000000000 -0500
@@ -28,7 +28,7 @@
# Local policy
#
@@ -1376,7 +1413,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-2.1.6/policy/modules/services/cvs.fc
--- nsaserefpolicy/policy/modules/services/cvs.fc 2005-11-14 18:24:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/cvs.fc 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cvs.fc 2005-12-16 23:22:51.000000000 -0500
@@ -1,2 +1,4 @@
/usr/bin/cvs -- gen_context(system_u:object_r:cvs_exec_t,s0)
@@ -1384,7 +1421,7 @@
+/opt/cvs(/.*)? gen_context(system_u:object_r:cvs_data_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-2.1.6/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2005-12-09 23:35:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/cvs.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cvs.te 2005-12-16 23:22:51.000000000 -0500
@@ -86,6 +86,12 @@
mta_send_mail(cvs_t)
@@ -1398,9 +1435,29 @@
optional_policy(`kerberos',`
kerberos_use(cvs_t)
kerberos_read_keytab(cvs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.6/policy/modules/services/hal.te
+--- nsaserefpolicy/policy/modules/services/hal.te 2005-12-14 10:38:50.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/hal.te 2005-12-16 23:22:51.000000000 -0500
+@@ -49,6 +49,8 @@
+ kernel_read_kernel_sysctl(hald_t)
+ kernel_write_proc_file(hald_t)
+
++mls_file_read_up(hald_t)
++
+ corecmd_exec_bin(hald_t)
+ corecmd_exec_sbin(hald_t)
+
+@@ -74,6 +76,7 @@
+ dev_manage_generic_chr_file(hald_t)
+ # hal is now execing pm-suspend
+ dev_rw_sysfs(hald_t)
++dev_read_raw_memory(hald_t)
+
+ domain_use_wide_inherit_fd(hald_t)
+ domain_exec_all_entry_files(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-2.1.6/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/remotelogin.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/remotelogin.te 2005-12-16 23:22:51.000000000 -0500
@@ -106,6 +106,7 @@
logging_send_syslog_msg(remote_login_t)
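Review bot: `dev_read_raw_memory(hald_t)` in the second hal.te hunk is added without a comment, and by its name it lets the long-running hald daemon read the raw memory devices, through which data can be read regardless of the label on the file it came from. The neighbouring rule is explained by `# hal is now execing pm-suspend`; this one should say which helper needs it, e.g. `# TODO: name the hal helper that reads raw memory and move this grant to its own domain`. The MLS overrides are also added without rationale: `mls_file_read_up(hald_t)` in the first hal.te hunk and `mls_process_read_up(sysadm_t)` in the userdomain.te section further down. Each one exempts a domain from the read-up constraint, so the reason should be recorded next to the rule.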
@@ -1411,7 +1468,7 @@
mls_file_downgrade(remote_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.1.6/policy/modules/services/sasl.te
--- nsaserefpolicy/policy/modules/services/sasl.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/sasl.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/sasl.te 2005-12-16 23:22:51.000000000 -0500
@@ -88,9 +88,11 @@
')
@@ -1427,9 +1484,33 @@
optional_policy(`mysql',`
mysql_search_db_dir(saslauthd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.1.6/policy/modules/services/sendmail.te
+--- nsaserefpolicy/policy/modules/services/sendmail.te 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/sendmail.te 2005-12-16 23:22:51.000000000 -0500
+@@ -56,6 +56,7 @@
+ corenet_udp_bind_all_nodes(sendmail_t)
+ corenet_tcp_bind_smtp_port(sendmail_t)
+ corenet_tcp_connect_all_ports(sendmail_t)
++allow sendmail_t self:tcp_socket create_socket_perms;
+
+ dev_read_urand(sendmail_t)
+ dev_read_sysfs(sendmail_t)
+@@ -136,9 +137,11 @@
+ udev_read_db(sendmail_t)
+ ')
+
+-ifdef(`TODO',`
++# needed for the newaliases file to run
+ allow sendmail_t etc_mail_t:dir rw_dir_perms;
+ allow sendmail_t etc_mail_t:file create_file_perms;
++
++ifdef(`TODO',`
+ # for the start script to run make -C /etc/mail
+ allow initrc_t etc_mail_t:dir rw_dir_perms;
+ allow initrc_t etc_mail_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-2.1.6/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/ssh.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/ssh.te 2005-12-16 23:22:51.000000000 -0500
@@ -91,10 +91,6 @@
seutil_read_config(sshd_t)
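Review bot: Moving the two `etc_mail_t` rules out of the TODO ifdef in the second sendmail.te hunk gives sendmail_t `rw_dir_perms` on the directory and `create_file_perms` on every file of that type unconditionally, so the network-facing daemon can rewrite its own configuration. The comment gives newaliases as the reason; if only the alias database has to be regenerated, a separate type for it would keep the rest of /etc/mail read-only to the daemon. At minimum extend the comment: `# newaliases rebuilds the alias database; TODO give it its own type so sendmail_t need not write all of etc_mail_t`. The raw `allow sendmail_t self:tcp_socket create_socket_perms;` in the first hunk sits inside the corenet block and would read better next to the domain's other self rules.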
@@ -1456,7 +1537,7 @@
# Relabel and access ptys created by sshd
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.1.6/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2005-12-08 15:57:16.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/authlogin.if 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/authlogin.if 2005-12-16 23:22:51.000000000 -0500
@@ -320,15 +320,25 @@
## </param>
#
@@ -1486,7 +1567,7 @@
########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.1.6/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/authlogin.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/authlogin.te 2005-12-16 23:22:51.000000000 -0500
@@ -211,6 +211,7 @@
logging_send_syslog_msg(pam_console_t)
@@ -1497,7 +1578,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/getty.te serefpolicy-2.1.6/policy/modules/system/getty.te
--- nsaserefpolicy/policy/modules/system/getty.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/getty.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/getty.te 2005-12-16 23:22:51.000000000 -0500
@@ -63,6 +63,9 @@
kernel_list_proc(getty_t)
kernel_read_proc_symlinks(getty_t)
@@ -1510,7 +1591,7 @@
fs_search_auto_mountpoints(getty_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2005-12-12 15:35:53.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/init.te 2005-12-16 11:29:46.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/init.te 2005-12-16 23:22:51.000000000 -0500
@@ -369,6 +369,7 @@
mls_file_write_down(initrc_t)
mls_process_read_up(initrc_t)
@@ -1519,9 +1600,17 @@
modutils_read_module_conf(initrc_t)
modutils_domtrans_insmod(initrc_t)
+@@ -444,6 +445,7 @@
+ files_mountpoint(initrc_tmp_t)
+
+ # readahead asks for these
++ dontaudit initrc_t shadow_t:file { getattr read };
+ mta_read_aliases(initrc_t)
+
+ optional_policy(`bind',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.1.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2005-12-09 23:35:07.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/iptables.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/iptables.te 2005-12-16 23:22:51.000000000 -0500
@@ -43,6 +43,8 @@
kernel_read_modprobe_sysctl(iptables_t)
kernel_use_fd(iptables_t)
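Review bot: `dontaudit initrc_t shadow_t:file { getattr read };` in the second init.te hunk silences the audit record for every init script that touches the shadow file, not only for readahead, so a real attempt to read password hashes from initrc_t would no longer appear in the audit log. It also names `shadow_t` directly from the init module instead of going through authlogin; `auth_dontaudit_read_shadow(initrc_t)` would be the interface to use if it covers these two permissions. If the noise comes only from readahead, the rule is better placed on readahead's own domain. The line is indented, so the enclosing block starts outside the hunk.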
@@ -1533,7 +1622,7 @@
fs_getattr_xattr_fs(iptables_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.1.6/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/libraries.fc 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/libraries.fc 2005-12-16 23:22:51.000000000 -0500
@@ -11,6 +11,20 @@
/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/emul/ia32-linux/lib/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -1571,7 +1660,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.6/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/locallogin.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/locallogin.te 2005-12-16 23:22:51.000000000 -0500
@@ -152,6 +152,7 @@
miscfiles_read_localization(local_login_t)
@@ -1582,7 +1671,7 @@
mls_file_downgrade(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.1.6/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/logging.fc 2005-12-16 10:49:17.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.fc 2005-12-16 23:22:51.000000000 -0500
@@ -19,10 +19,11 @@
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
@@ -1600,7 +1689,7 @@
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.1.6/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/logging.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.te 2005-12-16 23:22:51.000000000 -0500
@@ -71,6 +71,8 @@
kernel_read_kernel_sysctl(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
@@ -1629,7 +1718,7 @@
optional_policy(`udev',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc 2005-12-16 13:03:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc 2005-12-16 23:22:51.000000000 -0500
@@ -9,9 +9,9 @@
/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
@@ -1645,7 +1734,7 @@
# /root
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-2.1.6/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2005-11-14 18:24:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/udev.fc 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/udev.fc 2005-12-16 23:22:51.000000000 -0500
@@ -17,3 +17,4 @@
/sbin/wait_for_sysfs -- gen_context(system_u:object_r:udev_exec_t,s0)
@@ -1653,7 +1742,7 @@
+/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.1.6/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-16 23:22:51.000000000 -0500
@@ -39,7 +39,7 @@
# Local policy
#
@@ -1673,7 +1762,7 @@
kernel_signal(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.1.6/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/unconfined.te 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/unconfined.te 2005-12-16 23:22:51.000000000 -0500
@@ -57,6 +57,10 @@
bluetooth_domtrans_helper(unconfined_t)
')
@@ -1695,7 +1784,7 @@
optional_policy(`samba',`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.fc serefpolicy-2.1.6/policy/modules/system/userdomain.fc
--- nsaserefpolicy/policy/modules/system/userdomain.fc 2005-11-15 09:13:40.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/userdomain.fc 2005-12-16 13:38:56.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/userdomain.fc 2005-12-16 23:22:51.000000000 -0500
@@ -4,6 +4,6 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
@@ -1704,9 +1793,21 @@
+HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.1.6/policy/modules/system/userdomain.te
+--- nsaserefpolicy/policy/modules/system/userdomain.te 2005-12-09 23:35:10.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/userdomain.te 2005-12-16 23:22:51.000000000 -0500
+@@ -143,6 +143,8 @@
+ domain_ptrace_all_domains(sysadm_t)
+ ')
+
++ mls_process_read_up(sysadm_t)
++
+ optional_policy(`amanda',`
+ amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.6/policy/users
--- nsaserefpolicy/policy/users 2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.1.6/policy/users 2005-12-16 09:28:14.000000000 -0500
++++ serefpolicy-2.1.6/policy/users 2005-12-16 23:22:51.000000000 -0500
@@ -26,7 +26,9 @@
ifdef(`targeted_policy',`
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -r1.56 -r1.57
--- selinux-policy.spec 16 Dec 2005 18:39:42 -0000 1.56
+++ selinux-policy.spec 17 Dec 2005 04:35:55 -0000 1.57
@@ -7,7 +7,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.1.6
-Release: 8
+Release: 9
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -243,6 +243,9 @@
%changelog
+* Fri Dec 16 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-9
+- Fix mls policy
+
* Fri Dec 16 2005 Dan Walsh <dwalsh at redhat.com> 2.1.5-8
- Update mls file from old version