rpms/selinux-policy/devel modules-mls.conf, 1.4, 1.5 policy-20051208.patch, 1.24, 1.25 selinux-policy.spec, 1.61, 1.62
fedora-cvs-commits at redhat.com
Wed Dec 21 18:07:31 UTC 2005
- Previous message (by thread): rpms/openoffice.org/FC-4 openoffice.org-2.0.1.ooo59129.vcl.readonlyentry.patch, NONE, 1.1 openoffice.org-2.0.1.oooXXXXX.config_office.nss.patch, NONE, 1.1 openoffice.org-2.0.1.oooXXXXX.vcl.animatedtheme.patch, NONE, 1.1 workspace.sb41.patch, NONE, 1.1 .cvsignore, 1.57, 1.58 openoffice.org-1.9.121.rh127576.gnomeprintui.patch, 1.2, 1.3 openoffice.org-1.9.126.ooo30380.uselibxslt.xmlhelp.patch, 1.4, 1.5 openoffice.org-1.9.129.ooo54603.fontconfig.patch, 1.3, 1.4 openoffice.org-2.0.1.ooo58798.parallel.patch, 1.1, 1.2 openoffice.org.spec, 1.232, 1.233 sources, 1.88, 1.89 workspace.cmcfixes20.patch, 1.1, 1.2 workspace.cmcfixes23.patch, 1.1, 1.2
- Next message (by thread): rpms/selinux-policy/devel policy-20051208.patch,1.25,1.26
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv3150
Modified Files:
modules-mls.conf policy-20051208.patch selinux-policy.spec
Log Message:
* Wed Dec 21 2005 Dan Walsh <dwalsh at redhat.com> 2.1.6-14
- Lots of fixes to make mls policy work
Index: modules-mls.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-mls.conf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- modules-mls.conf 16 Dec 2005 18:36:00 -0000 1.4
+++ modules-mls.conf 21 Dec 2005 18:07:27 -0000 1.5
@@ -779,7 +779,7 @@
#
# Policy for changing the system host name.
#
-hostname = off
+hostname = base
# Layer: system
# Module: getty
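Review bot: switching the hostname module from "off" to "base" in modules-mls.conf is the only configuration change in this commit and it is not called out in the changelog ("Lots of fixes to make mls policy work"); please add a changelog line. Moving the module into the base policy means it can no longer be loaded or removed on its own, which matters here because the initrc_t and userdomain rules added further down in this patch now call the hostname_exec interface and would fail to link without it.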
policy-20051208.patch:
Makefile | 2
Rules.modular | 10
config/appconfig-strict-mcs/default_type | 6
config/appconfig-strict-mls/default_type | 7
config/appconfig-strict-mls/initrc_context | 2
config/appconfig-targeted-mcs/default_type | 2
config/appconfig-targeted-mls/default_type | 2
config/appconfig-targeted-mls/initrc_context | 2
man/man8/ftpd_selinux.8 | 56 ++++
man/man8/httpd_selinux.8 | 123 ++++++++
man/man8/kerberos_selinux.8 | 31 ++
man/man8/named_selinux.8 | 29 ++
man/man8/nfs_selinux.8 | 30 ++
man/man8/nis_selinux.8 | 1
man/man8/rsync_selinux.8 | 41 ++
man/man8/samba_selinux.8 | 60 ++++
man/man8/ypbind_selinux.8 | 19 +
policy/global_tunables | 3
policy/mcs | 321 ++++-------------------
policy/mls | 372 +++++----------------------
policy/modules/admin/kudzu.te | 2
policy/modules/admin/logrotate.te | 4
policy/modules/admin/rpm.fc | 1
policy/modules/admin/rpm.te | 7
policy/modules/admin/tmpreaper.te | 3
policy/modules/apps/java.fc | 4
policy/modules/apps/java.if | 23 +
policy/modules/apps/java.te | 25 +
policy/modules/apps/webalizer.te | 1
policy/modules/kernel/corenetwork.te.in | 12
policy/modules/kernel/devices.fc | 9
policy/modules/kernel/domain.if | 1
policy/modules/kernel/files.fc | 27 +
policy/modules/kernel/kernel.if | 2
policy/modules/kernel/kernel.te | 30 +-
policy/modules/kernel/mls.te | 9
policy/modules/kernel/selinux.te | 2
policy/modules/kernel/storage.fc | 44 +--
policy/modules/services/automount.te | 9
policy/modules/services/bluetooth.te | 1
policy/modules/services/cups.te | 1
policy/modules/services/cvs.fc | 2
policy/modules/services/cvs.te | 6
policy/modules/services/dbus.te | 1
policy/modules/services/hal.te | 4
policy/modules/services/ldap.te | 4
policy/modules/services/mta.te | 3
policy/modules/services/remotelogin.te | 1
policy/modules/services/sasl.te | 8
policy/modules/services/sendmail.te | 7
policy/modules/services/ssh.te | 10
policy/modules/system/authlogin.if | 12
policy/modules/system/authlogin.te | 1
policy/modules/system/getty.te | 3
policy/modules/system/hostname.if | 15 +
policy/modules/system/hostname.te | 37 --
policy/modules/system/init.if | 14 +
policy/modules/system/init.te | 22 +
policy/modules/system/iptables.te | 2
policy/modules/system/libraries.fc | 18 +
policy/modules/system/locallogin.if | 1
policy/modules/system/locallogin.te | 2
policy/modules/system/logging.fc | 7
policy/modules/system/logging.if | 21 +
policy/modules/system/logging.te | 5
policy/modules/system/lvm.te | 2
policy/modules/system/selinuxutil.fc | 6
policy/modules/system/selinuxutil.te | 10
policy/modules/system/udev.fc | 1
policy/modules/system/udev.te | 4
policy/modules/system/unconfined.fc | 2
policy/modules/system/unconfined.te | 5
policy/modules/system/userdomain.fc | 2
policy/modules/system/userdomain.if | 18 +
policy/modules/system/userdomain.te | 16 +
policy/users | 8
76 files changed, 935 insertions(+), 681 deletions(-)
Index: policy-20051208.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20051208.patch,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- policy-20051208.patch 20 Dec 2005 22:47:39 -0000 1.24
+++ policy-20051208.patch 21 Dec 2005 18:07:27 -0000 1.25
@@ -10,14 +10,21 @@
+user_r:user_t
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/default_type serefpolicy-2.1.6/config/appconfig-strict-mls/default_type
--- nsaserefpolicy/config/appconfig-strict-mls/default_type 2005-11-14 18:24:05.000000000 -0500
-+++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-16 23:22:51.000000000 -0500
-@@ -1,3 +1,3 @@
++++ serefpolicy-2.1.6/config/appconfig-strict-mls/default_type 2005-12-21 10:17:10.000000000 -0500
+@@ -1,3 +1,4 @@
-sysadm_r:sysadm_t:s0
-staff_r:staff_t:s0
-user_r:user_t:s0
+sysadm_r:sysadm_t
++secadm_r:secadm_t
+staff_r:staff_t
+user_r:user_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-strict-mls/initrc_context serefpolicy-2.1.6/config/appconfig-strict-mls/initrc_context
+--- nsaserefpolicy/config/appconfig-strict-mls/initrc_context 2005-11-14 18:24:05.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-strict-mls/initrc_context 2005-12-21 13:05:59.000000000 -0500
+@@ -1 +1 @@
+-system_u:system_r:initrc_t:s0
++system_u:system_r:initrc_t:s0-s15:c0.c255
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mcs/default_type serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type
--- nsaserefpolicy/config/appconfig-targeted-mcs/default_type 2005-11-14 18:24:05.000000000 -0500
+++ serefpolicy-2.1.6/config/appconfig-targeted-mcs/default_type 2005-12-16 23:22:51.000000000 -0500
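Review bot: two things in this hunk need a comment or changelog line. First, secadm_r:secadm_t is added to the strict MLS default_type, so the security-administrator role introduced in this commit gets a default domain; that only works if secadm_r is also declared in policy/users, and the policy/users part of the patch is unchanged in this revision (its header appears only as context at the end of the diff), so please confirm the declaration is already there. Second, the new strict-mls initrc_context sets init scripts to s0-s15:c0.c255, the full MLS range. That is what lets boot-time scripts touch files at every level (the lost+found entries elsewhere in this patch are labelled s15:c0.c255), but it is also the most privileged range in the policy, so a one-line comment stating that this is intentional and why would save the next reviewer from trying to narrow it.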
@@ -30,6 +37,12 @@
@@ -1 +1 @@
-system_r:unconfined_t:s0
+system_r:unconfined_t
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-targeted-mls/initrc_context serefpolicy-2.1.6/config/appconfig-targeted-mls/initrc_context
+--- nsaserefpolicy/config/appconfig-targeted-mls/initrc_context 2005-11-14 18:24:05.000000000 -0500
++++ serefpolicy-2.1.6/config/appconfig-targeted-mls/initrc_context 2005-12-21 13:06:16.000000000 -0500
+@@ -1 +1 @@
+-user_u:system_r:unconfined_t:s0
++user_u:system_r:unconfined_t:s0-s15:c0.c255
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.1.6/Makefile
--- nsaserefpolicy/Makefile 2005-12-09 23:35:04.000000000 -0500
+++ serefpolicy-2.1.6/Makefile 2005-12-16 23:22:51.000000000 -0500
@@ -1504,6 +1517,17 @@
/dev/pts(/.*)? <<none>>
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-2.1.6/policy/modules/kernel/domain.if
+--- nsaserefpolicy/policy/modules/kernel/domain.if 2005-12-12 15:35:53.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/domain.if 2005-12-21 10:52:19.000000000 -0500
+@@ -501,6 +501,7 @@
+ ')
+
+ dontaudit $1 domain:dir search_dir_perms;
++ dontaudit $1 domain:{ file lnk_file } r_file_perms;
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-2.1.6/policy/modules/kernel/files.fc
--- nsaserefpolicy/policy/modules/kernel/files.fc 2005-12-01 17:57:16.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/kernel/files.fc 2005-12-16 23:22:51.000000000 -0500
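Review bot: the new "dontaudit $1 domain:{ file lnk_file } r_file_perms;" in domain.if silences read denials against the files of every domain, not just the directory searches the preceding line covers. Because "domain" is an attribute spanning all process types, a caller of this interface will no longer produce AVC records when it tries to read another domain's /proc entries, which removes evidence a defender would otherwise see. If the goal is only to quiet getattr noise during boot, narrow the permission set to getattr; if read really must be suppressed, say so in the interface summary so the audit gap is documented.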
@@ -1596,9 +1620,21 @@
+/var/tmp/lost\+found -d gen_context(system_u:object_r:lost_found_t,s15:c0.c255)
/var/tmp/lost\+found/.* <<none>>
/var/tmp/vi\.recover -d gen_context(system_u:object_r:tmp_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-2.1.6/policy/modules/kernel/kernel.if
+--- nsaserefpolicy/policy/modules/kernel/kernel.if 2005-12-06 19:49:49.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/kernel.if 2005-12-21 10:56:37.000000000 -0500
+@@ -436,7 +436,7 @@
+ type debugfs_t;
+ ')
+
+- allow $1 debugfs_t:dir r_file_perms;
++ allow $1 debugfs_t:dir r_dir_perms;
+ allow $1 debugfs_t:file r_file_perms;
+ allow $1 debugfs_t:lnk_file { getattr read };
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.te serefpolicy-2.1.6/policy/modules/kernel/kernel.te
--- nsaserefpolicy/policy/modules/kernel/kernel.te 2005-12-09 23:35:04.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/kernel/kernel.te 2005-12-21 10:38:23.000000000 -0500
@@ -38,7 +38,7 @@
domain_base_type(kernel_t)
mls_rangetrans_source(kernel_t)
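Review bot: "r_file_perms" on the dir class in kernel.if was a genuine bug (file permissions applied to a directory, so search was never granted), and the change to r_dir_perms is correct; it deserves its own changelog line as a fix rather than being folded under "Lots of fixes". Worth grepping the rest of the file for the same ":dir r_file_perms" pattern while here.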
@@ -1674,6 +1710,15 @@
dev_read_sysfs(kernel_t)
dev_search_usbfs(kernel_t)
+@@ -208,6 +212,8 @@
+ # from initrd, then mounting the root filesystem
+ fs_mount_all_fs(kernel_t)
+
++init_allow_noatsecure(kernel_t)
++
+ selinux_load_policy(kernel_t)
+
+ term_use_console(kernel_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/mls.te serefpolicy-2.1.6/policy/modules/kernel/mls.te
--- nsaserefpolicy/policy/modules/kernel/mls.te 2005-12-13 15:51:49.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/kernel/mls.te 2005-12-16 23:22:51.000000000 -0500
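Review bot: init_allow_noatsecure(kernel_t) grants kernel_t the noatsecure permission on init_t, which means the kernel-to-init transition will not set AT_SECURE, so libc's secure-execution protections (ignoring LD_* and similar environment variables) are off for the first process. The only justification given is the interface comment "Kernel needs this to boot on MLS"; please expand that into what actually fails without it, because this is exactly the kind of rule a later audit will try to remove, and the fact that init's environment comes from the kernel rather than from any user is the reason the risk is acceptable in this one case.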
@@ -1838,6 +1883,28 @@
miscfiles_read_localization(automount_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-2.1.6/policy/modules/services/bluetooth.te
+--- nsaserefpolicy/policy/modules/services/bluetooth.te 2005-12-09 23:35:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/bluetooth.te 2005-12-21 11:54:09.000000000 -0500
+@@ -54,6 +54,7 @@
+
+ allow bluetooth_t bluetooth_conf_t:dir rw_dir_perms;
+ allow bluetooth_t bluetooth_conf_t:file { getattr read ioctl };
++allow initrc_t bluetooth_conf_t:file { getattr read ioctl };
+
+ allow bluetooth_t bluetooth_conf_rw_t:dir create_dir_perms;
+ allow bluetooth_t bluetooth_conf_rw_t:file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-2.1.6/policy/modules/services/cups.te
+--- nsaserefpolicy/policy/modules/services/cups.te 2005-12-09 23:35:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/cups.te 2005-12-21 12:07:14.000000000 -0500
+@@ -365,6 +365,7 @@
+
+ allow initrc_t ptal_var_run_t:dir rmdir;
+ allow initrc_t ptal_var_run_t:fifo_file unlink;
++allow initrc_t cupsd_rw_etc_t:file r_file_perms;
+
+ ########################################
+ #
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.fc serefpolicy-2.1.6/policy/modules/services/cvs.fc
--- nsaserefpolicy/policy/modules/services/cvs.fc 2005-11-14 18:24:07.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/services/cvs.fc 2005-12-16 23:22:51.000000000 -0500
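Review bot: "allow initrc_t bluetooth_conf_t:file { getattr read ioctl };" in bluetooth.te and "allow initrc_t cupsd_rw_etc_t:file r_file_perms;" in cups.te are raw rules naming another module's domain inside the service modules. The refpolicy convention is the reverse: each service module exports a read-config interface and init.te calls it under optional_policy, so the dependency is visible in one place and the rule disappears when the service module is not loaded. As written these lines also sit among the daemon's own rules, so anyone auditing what initrc_t can reach has to read every service module to find them. Please convert them to interfaces; the existing mta_read_aliases(initrc_t) call in init.te shows the pattern.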
@@ -1862,9 +1929,20 @@
optional_policy(`kerberos',`
kerberos_use(cvs_t)
kerberos_read_keytab(cvs_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.te serefpolicy-2.1.6/policy/modules/services/dbus.te
+--- nsaserefpolicy/policy/modules/services/dbus.te 2005-12-09 23:35:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/dbus.te 2005-12-21 12:06:31.000000000 -0500
+@@ -44,6 +44,7 @@
+ allow system_dbusd_t dbusd_etc_t:dir r_dir_perms;
+ allow system_dbusd_t dbusd_etc_t:file r_file_perms;
+ allow system_dbusd_t dbusd_etc_t:lnk_file { getattr read };
++allow initrc_t dbusd_etc_t:file r_file_perms;
+
+ allow system_dbusd_t system_dbusd_tmp_t:dir create_dir_perms;
+ allow system_dbusd_t system_dbusd_tmp_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.1.6/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2005-12-14 10:38:50.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/hal.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/hal.te 2005-12-21 12:29:50.000000000 -0500
@@ -49,6 +49,8 @@
kernel_read_kernel_sysctl(hald_t)
kernel_write_proc_file(hald_t)
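Review bot: same issue as the bluetooth and cups hunk: "allow initrc_t dbusd_etc_t:file r_file_perms;" belongs in a dbus_read_config-style interface (name is a suggestion) called from init.te rather than in dbus.te. Since the line sits directly under the system_dbusd_t rules it is easy to mistake for a daemon rule during review; an interface with initrc_t as the caller makes the extra init-script reach explicit.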
@@ -1882,6 +1960,14 @@
domain_use_wide_inherit_fd(hald_t)
domain_exec_all_entry_files(hald_t)
+@@ -105,6 +108,7 @@
+
+ term_dontaudit_use_console(hald_t)
+ term_dontaudit_ioctl_unallocated_ttys(hald_t)
++term_dontaudit_use_unallocated_tty(hald_t)
+
+ init_use_fd(hald_t)
+ init_use_script_pty(hald_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ldap.te serefpolicy-2.1.6/policy/modules/services/ldap.te
--- nsaserefpolicy/policy/modules/services/ldap.te 2005-12-09 23:35:05.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/services/ldap.te 2005-12-20 15:43:29.000000000 -0500
@@ -1896,6 +1982,19 @@
optional_policy(`selinuxutil',`
seutil_sigchld_newrole(slapd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.1.6/policy/modules/services/mta.te
+--- nsaserefpolicy/policy/modules/services/mta.te 2005-12-09 23:35:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/mta.te 2005-12-21 12:16:27.000000000 -0500
+@@ -47,6 +47,9 @@
+ allow system_mail_t etc_mail_t:dir { getattr search };
+ allow system_mail_t etc_mail_t:file r_file_perms;
+
++allow initrc_t etc_mail_t:dir r_dir_perms;
++allow initrc_t etc_mail_t:file r_file_perms;
++
+ kernel_read_system_state(system_mail_t)
+ kernel_read_network_state(system_mail_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.te serefpolicy-2.1.6/policy/modules/services/remotelogin.te
--- nsaserefpolicy/policy/modules/services/remotelogin.te 2005-12-09 23:35:06.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/services/remotelogin.te 2005-12-16 23:22:51.000000000 -0500
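Review bot: the two "allow initrc_t etc_mail_t:..." rules in mta.te follow the same raw-rule pattern as the bluetooth, cups and dbus hunks. init.te already calls mta_read_aliases(initrc_t), so an mta_read_config interface (name is a suggestion) next to it would keep init's mail-configuration access in one place instead of spreading initrc_t rules through the service modules.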
@@ -1927,15 +2026,24 @@
mysql_search_db_dir(saslauthd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-2.1.6/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2005-12-09 23:35:06.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/services/sendmail.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/services/sendmail.te 2005-12-21 12:22:09.000000000 -0500
@@ -56,6 +56,7 @@
corenet_udp_bind_all_nodes(sendmail_t)
corenet_tcp_bind_smtp_port(sendmail_t)
corenet_tcp_connect_all_ports(sendmail_t)
-+allow sendmail_t self:tcp_socket create_socket_perms;
++allow sendmail_t self:tcp_socket create_stream_socket_perms;
dev_read_urand(sendmail_t)
dev_read_sysfs(sendmail_t)
+@@ -111,7 +112,7 @@
+ allow sendmail_t sendmail_tmp_t:file create_file_perms;
+ files_create_tmp_files(sendmail_t, sendmail_tmp_t, { file dir })
+
+- allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink };
++ allow sendmail_t sendmail_var_run_t:file { getattr create read write append setattr unlink lock };
+ files_create_pid(sendmail_t,sendmail_var_run_t)
+ ')
+
@@ -136,9 +137,11 @@
udev_read_db(sendmail_t)
')
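Review bot: widening sendmail_t self:tcp_socket from create_socket_perms to create_stream_socket_perms adds listen and accept, which a daemon that binds the SMTP port (corenet_tcp_bind_smtp_port(sendmail_t) two lines above) needs, so the change is consistent with the surrounding rules. Adding lock to the sendmail_var_run_t file permissions is likewise reasonable for a PID file. Both are small enough that one changelog line ("sendmail: allow listen/accept and pid-file locking") would make the intent recoverable later.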
@@ -2030,9 +2138,112 @@
dev_read_sysfs(getty_t)
fs_search_auto_mountpoints(getty_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.if serefpolicy-2.1.6/policy/modules/system/hostname.if
+--- nsaserefpolicy/policy/modules/system/hostname.if 2005-11-14 18:24:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/hostname.if 2005-12-21 11:33:08.000000000 -0500
+@@ -66,3 +66,18 @@
+
+ can_exec($1,hostname_exec_t)
+ ')
++
++
++########################################
++#
++# hostname_exec(domain)
++#
++interface(`hostname_exec',`
++ gen_require(`
++ type hostname_t;
++ ')
++
++ corecmd_search_bin($1)
++ can_exec($1,hostname_exec_t)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.1.6/policy/modules/system/hostname.te
+--- nsaserefpolicy/policy/modules/system/hostname.te 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/hostname.te 2005-12-21 12:36:31.000000000 -0500
+@@ -7,8 +7,10 @@
+ #
+
+ type hostname_t;
++domain_type(hostname_t)
++
+ type hostname_exec_t;
+-init_system_domain(hostname_t,hostname_exec_t)
++domain_entry_file(hostname_t,hostname_exec_t)
+ role system_r types hostname_t;
+
+ ########################################
+@@ -55,35 +57,6 @@
+ sysnet_read_config(hostname_t)
+ sysnet_dns_name_resolve(hostname_t)
+
+-userdom_use_all_user_fd(hostname_t)
+
+-ifdef(`distro_redhat', `
+- fs_use_tmpfs_chr_dev(hostname_t)
+-')
+-
+-ifdef(`targeted_policy', `
+- term_dontaudit_use_unallocated_tty(hostname_t)
+- term_dontaudit_use_generic_pty(hostname_t)
+- files_dontaudit_read_root_file(hostname_t)
+-')
+-
+-optional_policy(`firstboot',`
+- firstboot_use_fd(hostname_t)
+-')
+-
+-optional_policy(`hotplug',`
+- hotplug_dontaudit_use_fd(hostname_t)
+-')
+-
+-optional_policy(`nscd',`
+- nscd_use_socket(hostname_t)
+-')
+-
+-optional_policy(`selinuxutil',`
+- seutil_sigchld_newrole(hostname_t)
+-')
+-
+-optional_policy(`udev',`
+- udev_dontaudit_use_fd(hostname_t)
+- udev_read_db(hostname_t)
+-')
++
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-2.1.6/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2005-12-09 23:35:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/init.if 2005-12-21 10:58:42.000000000 -0500
+@@ -195,6 +195,19 @@
+
+ ########################################
+ #
++# init_allow_noatsecure(domain)
++# Kernel needs this to boot on MLS
++#
++interface(`init_allow_noatsecure',`
++ gen_require(`
++ type init_t;
++ class process noatsecure;
++ ')
++ allow $1 init_t:process noatsecure;
++')
++
++########################################
++#
+ # init_getattr_initctl(domain)
+ #
+ interface(`init_getattr_initctl',`
+@@ -859,3 +872,4 @@
+ dontaudit $1 initrc_var_run_t:file { getattr read write append };
+ ')
+
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-2.1.6/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2005-12-12 15:35:53.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/init.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/init.te 2005-12-21 12:15:59.000000000 -0500
@@ -369,6 +369,7 @@
mls_file_write_down(initrc_t)
mls_process_read_up(initrc_t)
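Review bot: hostname_exec in hostname.if requires "type hostname_t;" but the only type it uses is hostname_exec_t in can_exec($1,hostname_exec_t); the gen_require should name hostname_exec_t (hostname_t can be dropped), otherwise a module calling this interface fails to link unless hostname_exec_t happens to be visible to it already. Two more points in the same hunk. In hostname.te, replacing init_system_domain(hostname_t,hostname_exec_t) with domain_type plus domain_entry_file removes the automatic transition from initrc_t into hostname_t; together with the new hostname_exec(initrc_t) in init.te, init scripts now run hostname in their own domain, so the bulk deletion of hostname_t rules (the distro_redhat, targeted_policy, firstboot, hotplug, nscd, seutil and udev blocks) is consistent, but hostname_run(sysadm_t,...) is still present in userdomain.te, so hostname_t remains reachable by the administrator and the dropped nscd_use_socket and seutil_sigchld_newrole rules may resurface as denials on that path; please confirm it was tested. Finally, init_allow_noatsecure in init.if is documented with a bare "#" comment while the interfaces added to logging.if and userdomain.if in this same patch use the "## <summary>" and "## <param>" form; use the documented form so the interface appears in the generated documentation.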
@@ -2041,7 +2252,14 @@
modutils_read_module_conf(initrc_t)
modutils_domtrans_insmod(initrc_t)
-@@ -444,6 +445,7 @@
+@@ -440,10 +441,14 @@
+ files_getattr_all_file_type_sockets(initrc_t)
+ # wants to read /.fonts directory
+ files_read_default_files(initrc_t)
++ miscfiles_read_fonts(initrc_t)
++ miscfiles_read_hwdata(initrc_t)
++ storage_getattr_removable_device(initrc_t)
+
files_mountpoint(initrc_tmp_t)
# readahead asks for these
@@ -2049,6 +2267,44 @@
mta_read_aliases(initrc_t)
optional_policy(`bind',`
+@@ -679,6 +684,20 @@
+ zebra_read_config(initrc_t)
+ ')
+
++optional_policy(`hostname',`
++ hostname_exec(initrc_t)
++')
++
++ifdef(`distro_redhat', `
++ # readahead asks for these
++ # wants to delete /poweroff and other files
++ allow initrc_t root_t:file unlink;
++ allow initrc_t system_cron_spool_t:file { getattr read };
++ allow initrc_t wtmp_t:file setattr;
++ seutil_read_file_contexts(initrc_t)
++ seutil_read_default_contexts(initrc_t)
++')
++
+ ifdef(`TODO',`
+ # Set device ownerships/modes.
+ allow initrc_t xconsole_device_t:fifo_file setattr;
+@@ -693,8 +712,6 @@
+ allow initrc_t file_type:{ dir_file_class_set socket_class_set } getattr;
+ allow initrc_t device_t:dir create;
+
+- # wants to delete /poweroff and other files
+- allow initrc_t root_t:file unlink;
+ ifdef(`xserver.te', `
+ # wants to cleanup xserver log dir
+ allow initrc_t xserver_log_t:dir rw_dir_perms;
+@@ -704,7 +721,6 @@
+ optional_policy(`rpm',`
+ rpm_stub(initrc_t)
+ #read ahead wants to read this
+- allow initrc_t system_cron_spool_t:file { getattr read };
+ ')
+ ')
+ ') dnl end TODO
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.1.6/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2005-12-09 23:35:07.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/system/iptables.te 2005-12-16 23:22:51.000000000 -0500
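Review bot: the new ifdef(distro_redhat) block in init.te moves three raw rules (root_t:file unlink, system_cron_spool_t:file { getattr read }, wtmp_t:file setattr) out of the TODO section into live policy, but keeps them as bare allow lines on types owned by the files, cron and logging modules. The comment placement is also misleading: "# readahead asks for these" now sits above the root_t unlink rule, whereas in the TODO block it annotated only the cron spool read. Please reattach the comments to the rules they describe and wrap each rule in the owning module's interface so the dependency on those types is declared rather than implicit. The hostname_exec(initrc_t) addition is fine and matches the hostname.te change.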
@@ -2107,9 +2363,17 @@
/var/lib/samba/bin/.*\.so(\.[^/]*)* -l gen_context(system_u:object_r:lib_t,s0)
')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.if serefpolicy-2.1.6/policy/modules/system/locallogin.if
+--- nsaserefpolicy/policy/modules/system/locallogin.if 2005-11-14 18:24:06.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/locallogin.if 2005-12-21 09:56:58.000000000 -0500
+@@ -66,3 +66,4 @@
+
+ allow $1 local_login_t:process signull;
+ ')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.1.6/policy/modules/system/locallogin.te
--- nsaserefpolicy/policy/modules/system/locallogin.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/locallogin.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/locallogin.te 2005-12-21 09:58:37.000000000 -0500
@@ -152,6 +152,7 @@
miscfiles_read_localization(local_login_t)
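Review bot: the only change to locallogin.if in this hunk is a trailing empty "+" line, and libraries.fc gets the same. Whitespace-only additions make the patch noisier to rebase against upstream refpolicy; drop them.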
@@ -2118,6 +2382,14 @@
mls_file_write_down(local_login_t)
mls_file_upgrade(local_login_t)
mls_file_downgrade(local_login_t)
+@@ -164,6 +165,7 @@
+ userdom_signal_all_users(local_login_t)
+ userdom_search_all_users_home(local_login_t)
+ userdom_use_unpriv_users_fd(local_login_t)
++userdom_all_users_sigchld(local_login_t)
+
+ # Search for mail spool file.
+ mta_getattr_spool(local_login_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-2.1.6/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2005-11-14 18:24:06.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/system/logging.fc 2005-12-16 23:22:51.000000000 -0500
@@ -2136,6 +2408,34 @@
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.1.6/policy/modules/system/logging.if
+--- nsaserefpolicy/policy/modules/system/logging.if 2005-11-14 18:24:05.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/logging.if 2005-12-21 10:24:59.000000000 -0500
+@@ -341,3 +341,24 @@
+ allow $1 var_log_t:dir rw_dir_perms;
+ allow $1 var_log_t:file create_file_perms;
+ ')
++
++########################################
++## <summary>
++## Read the auditd log files
++## </summary>
++## <param name="domain">
++## Domain allowed access.
++## </param>
++#
++interface(`logging_read_auditd_log',`
++ gen_require(`
++ type auditd_log_t;
++ class file r_file_perms;
++ class dir r_dir_perms;
++ ')
++
++ files_search_var($1)
++ allow $1 auditd_log_t:dir r_dir_perms;
++ allow $1 auditd_log_t:file r_file_perms;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.1.6/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2005-12-09 23:35:08.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/system/logging.te 2005-12-16 23:22:51.000000000 -0500
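Review bot: logging_read_auditd_log grants r_dir_perms and r_file_perms on auditd_log_t but only calls files_search_var($1) for path traversal. If the audit log directory lives under /var/log (labelled var_log_t, the type used two lines above in the same file), the caller will still be denied search on var_log_t and never reach the directory; add the corresponding search permission, or state in the summary that callers must obtain it separately. Also consider whether sysadm is the right recipient: this patch introduces secadm_r/secadm_t precisely to separate security administration, and read access to the audit trail is the canonical example of a right that belongs with that role rather than with sysadm_t (see the userdomain.te hunk, where the grant is made).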
@@ -2165,6 +2465,18 @@
userdom_dontaudit_search_sysadm_home_dir(klogd_t)
optional_policy(`udev',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-2.1.6/policy/modules/system/lvm.te
+--- nsaserefpolicy/policy/modules/system/lvm.te 2005-12-09 23:35:08.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/lvm.te 2005-12-21 12:00:47.000000000 -0500
+@@ -155,6 +155,8 @@
+
+ allow lvm_t lvm_etc_t:file r_file_perms;
+ allow lvm_t lvm_etc_t:lnk_file r_file_perms;
++allow initrc_t lvm_etc_t:file r_file_perms;
++
+ # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
+ allow lvm_t lvm_etc_t:dir rw_dir_perms;
+ allow lvm_t lvm_metadata_t:file create_file_perms;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc
--- nsaserefpolicy/policy/modules/system/selinuxutil.fc 2005-11-14 18:24:05.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.fc 2005-12-16 23:22:51.000000000 -0500
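Review bot: "allow initrc_t lvm_etc_t:file r_file_perms;" in lvm.te is the same raw initrc_t rule pattern as in the bluetooth, cups, dbus and mta hunks; export an lvm_read_config-style interface (name is a suggestion) and call it from init.te instead.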
@@ -2181,6 +2493,49 @@
#
# /root
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.1.6/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2005-12-09 23:35:08.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/selinuxutil.te 2005-12-21 12:59:41.000000000 -0500
+@@ -198,7 +198,6 @@
+ # cjp: temporary hack to cover
+ # up stray file descriptors.
+ dontaudit load_policy_t selinux_config_t:file write;
+-unconfined_dontaudit_read_pipe(load_policy_t)
+
+ ########################################
+ #
+@@ -217,7 +216,8 @@
+ allow newrole_t self:msg { send receive };
+ allow newrole_t self:unix_dgram_socket sendto;
+ allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow newrole_t self:netlink_audit_socket { create bind write nlmsg_read read };
++allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
++
+
+ allow newrole_t { selinux_config_t default_context_t }:dir r_dir_perms;
+ allow newrole_t { selinux_config_t default_context_t }:file r_file_perms;
+@@ -377,6 +377,10 @@
+ udev_dontaudit_rw_unix_dgram_socket(restorecon_t)
+ ')
+
++optional_policy(`unconfined',`
++ unconfined_dontaudit_read_pipe(load_policy_t)
++')
++
+ optional_policy(`hotplug',`
+ hotplug_use_fd(restorecon_t)
+ ')
+@@ -407,8 +411,10 @@
+ ifdef(`targeted_policy',`',`
+ allow run_init_t self:process setexec;
+ allow run_init_t self:capability setuid;
++ allow run_init_t self:netlink_audit_socket { create bind write nlmsg_read read };
+
+ allow run_init_t self:fifo_file rw_file_perms;
++ domain_auto_trans(run_init_t,initrc_exec_t,initrc_t)
+
+ # often the administrator runs such programs from a directory that is owned
+ # by a different user or has restrictive SE permissions, do not want to audit
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.fc serefpolicy-2.1.6/policy/modules/system/udev.fc
--- nsaserefpolicy/policy/modules/system/udev.fc 2005-11-14 18:24:06.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/system/udev.fc 2005-12-16 23:22:51.000000000 -0500
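Review bot: the netlink_audit_socket permission sets for newrole_t and run_init_t now disagree: newrole_t becomes "{ create_netlink_socket_perms nlmsg_relay }" (send user-space audit records, no nlmsg_read), while run_init_t is given the old "{ create bind write nlmsg_read read }" set. nlmsg_read lets a domain query audit status and rules, which is broader than a program that only needs to emit a role-change record requires; if run_init only logs, it should get nlmsg_relay like newrole, and if it genuinely needs nlmsg_read a comment should say why. Moving unconfined_dontaudit_read_pipe(load_policy_t) under optional_policy(unconfined) is the right fix for an unconditional reference to an optional module. Lastly, domain_auto_trans(run_init_t,initrc_exec_t,initrc_t) is a raw cross-module macro inside selinuxutil.te; use the init module's script-transition interface (refpolicy's init_domtrans_script, if this version has it) so the rule is declared where initrc_t is owned. The doubled blank line added after the newrole rule can also go.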
@@ -2191,7 +2546,7 @@
+/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-2.1.6/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2005-12-09 23:35:08.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-16 23:22:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/udev.te 2005-12-21 11:00:40.000000000 -0500
@@ -39,7 +39,7 @@
# Local policy
#
@@ -2209,6 +2564,14 @@
kernel_rw_unix_dgram_socket(udev_t)
kernel_sendto_unix_dgram_socket(udev_t)
kernel_signal(udev_t)
+@@ -141,6 +142,7 @@
+ sysnet_domtrans_ifconfig(udev_t)
+
+ userdom_use_sysadm_tty(udev_t)
++userdom_dontaudit_search_all_users_home(udev_t)
+
+ ifdef(`distro_redhat',`
+ fs_manage_tmpfs_dirs(udev_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-2.1.6/policy/modules/system/unconfined.fc
--- nsaserefpolicy/policy/modules/system/unconfined.fc 2005-11-14 18:24:06.000000000 -0500
+++ serefpolicy-2.1.6/policy/modules/system/unconfined.fc 2005-12-20 15:42:20.000000000 -0500
@@ -2251,18 +2614,111 @@
+HOME_DIR -d gen_context(system_u:object_r:ROLE_home_dir_t,s0-s15:c0.c255)
HOME_DIR/.+ gen_context(system_u:object_r:ROLE_home_t,s0)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.1.6/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2005-12-06 19:49:51.000000000 -0500
++++ serefpolicy-2.1.6/policy/modules/system/userdomain.if 2005-12-21 11:42:08.000000000 -0500
+@@ -568,6 +568,7 @@
+ corenet_dontaudit_tcp_bind_all_reserved_ports($1_t)
+
+ files_read_etc_files($1_t)
++ files_read_etc_runtime_files($1_t)
+ files_list_home($1_t)
+ files_read_usr_files($1_t)
+ files_exec_usr_files($1_t)
+@@ -2644,6 +2645,23 @@
+
+ ########################################
+ ## <summary>
++## Send a chld signal to local login processes.
++## </summary>
++## <param name="domain">
++## Domain allowed access.
++## </param>
++#
++interface(`userdom_all_users_sigchld',`
++ gen_require(`
++ attribute userdomain;
++ class process sigchld;
++ ')
++
++ allow userdomain $1:process sigchld;
++')
++
++########################################
++## <summary>
+ ## Send general signals to all user domains.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.1.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2005-12-09 23:35:10.000000000 -0500
-+++ serefpolicy-2.1.6/policy/modules/system/userdomain.te 2005-12-16 23:22:51.000000000 -0500
-@@ -143,6 +143,8 @@
++++ serefpolicy-2.1.6/policy/modules/system/userdomain.te 2005-12-21 11:35:10.000000000 -0500
+@@ -2,7 +2,7 @@
+ policy_module(userdomain,1.1.0)
+
+ gen_require(`
+- role sysadm_r, staff_r, user_r;
++ role sysadm_r, staff_r, user_r, secadm_r;
+ ')
+
+ ########################################
+@@ -82,10 +82,14 @@
+ # dont need to use the full role_change()
+ allow sysadm_r system_r;
+ allow sysadm_r user_r;
++ allow secadm_r system_r;
++ allow secadm_r user_r;
+ allow user_r system_r;
+ allow user_r sysadm_r;
+ allow system_r sysadm_r;
+ allow system_r sysadm_r;
++ allow user_r secadm_r;
++ allow staff_r secadm_r;
+
+ allow privhome user_home_t:dir manage_dir_perms;
+ allow privhome user_home_t:file create_file_perms;
+@@ -101,6 +105,7 @@
+ ')
+ ',`
+ admin_user_template(sysadm)
++ admin_user_template(secadm)
+ unpriv_user_template(staff)
+ unpriv_user_template(user)
+
+@@ -111,6 +116,7 @@
+
+ # only staff_r can change to sysadm_r
+ role_change(staff, sysadm)
++ role_change(staff, secadm)
+
+ # this should be tunable_policy, but
+ # currently type_change and RBAC allow
+@@ -143,6 +149,12 @@
domain_ptrace_all_domains(sysadm_t)
')
+ mls_process_read_up(sysadm_t)
+
++ optional_policy(`logging',`
++ logging_read_auditd_log(sysadm_t)
++ ')
++
optional_policy(`amanda',`
amanda_run_recover(sysadm_t,sysadm_r,admin_terminal)
')
+@@ -188,6 +200,7 @@
+
+ optional_policy(`hostname',`
+ hostname_run(sysadm_t,sysadm_r,admin_terminal)
++ hostname_exec(userdomain)
+ ')
+
+ optional_policy(`ipsec',`
+@@ -311,4 +324,5 @@
+ optional_policy(`webalizer',`
+ webalizer_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
++
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.1.6/policy/users
--- nsaserefpolicy/policy/users 2005-12-05 22:35:02.000000000 -0500
+++ serefpolicy-2.1.6/policy/users 2005-12-16 23:22:51.000000000 -0500
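Review bot: "allow user_r secadm_r;" in userdomain.te lets the unprivileged user_r role switch into the new security-administrator role, which defeats the separation secadm_r is being introduced for; the comment a few lines below ("only staff_r can change to sysadm_r") and the new role_change(staff, secadm) show that the intended path is staff_r only, so drop the user_r to secadm_r allow (the pre-existing "allow user_r sysadm_r;" is the same pattern, but at least it is not new in this commit). Related: logging_read_auditd_log(sysadm_t) hands the audit trail to the system administrator while secadm_t gets nothing here; if secadm is meant to own security administration, that grant belongs on secadm_t. Two smaller points: the new userdom_all_users_sigchld interface is generic ("allow userdomain $1:process sigchld") but its summary says "local login processes", so reword the summary to describe the specified domain; and hostname_exec(userdomain) is placed inside the optional_policy(hostname) block that otherwise configures sysadm_t, which works but reads as a sysadm rule, so a comment that it applies to all user domains would help. The policy/users part of the patch is unchanged in this revision (only its header appears, as context), so the secadm_r declaration could not be checked here.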
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -r1.61 -r1.62
--- selinux-policy.spec 20 Dec 2005 22:47:39 -0000 1.61
+++ selinux-policy.spec 21 Dec 2005 18:07:27 -0000 1.62
@@ -7,7 +7,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.1.6
-Release: 13
+Release: 14
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -258,6 +258,9 @@
%endif
%changelog
+* Wed Dec 21 2005 Dan Walsh <dwalsh at redhat.com> 2.1.6-14
+- Lots of fixes to make mls policy work
+
* Tue Dec 20 2005 Dan Walsh <dwalsh at redhat.com> 2.1.6-13
- Add dri libs to textrel_shlib_t
- Add system_r role for java
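Review bot: the changelog entry "Lots of fixes to make mls policy work" does not tell a reader what changed; this revision adds a secadm_r role with default types and role allows, gives initrc_t the full MLS range in initrc_context, converts hostname to a base module, adds noatsecure for the kernel-to-init transition and changes newrole's netlink_audit_socket permissions. Listing those as separate bullet points, as the 2.1.6-13 entry below does, would make the security-relevant pieces discoverable from rpm -q --changelog.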