rpms/selinux-policy-strict/devel policy-20050706.patch, 1.4, 1.5 selinux-policy-strict.spec, 1.346, 1.347 policy-20050502.patch, 1.11, NONE policy-20050516.patch, 1.10, NONE policy-20050525.patch, 1.4, NONE

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Jul 7 12:38:32 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv13509

Modified Files:
	policy-20050706.patch selinux-policy-strict.spec 
Removed Files:
	policy-20050502.patch policy-20050516.patch 
	policy-20050525.patch 
Log Message:
* Thu Jul 7 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-5
- Allow cgi script to append to httpd_log_t
- More fixes for samba net command


policy-20050706.patch:
 domains/admin.te                     |    5 +++++
 domains/program/getty.te             |    7 +++++++
 domains/program/netutils.te          |    2 ++
 domains/program/passwd.te            |    5 +++++
 domains/program/unused/apache.te     |    1 +
 domains/program/unused/apmd.te       |    7 +++++--
 domains/program/unused/bluetooth.te  |    3 ++-
 domains/program/unused/ciped.te      |    3 +--
 domains/program/unused/cups.te       |    7 +++++--
 domains/program/unused/cyrus.te      |    5 +----
 domains/program/unused/dhcpc.te      |    1 +
 domains/program/unused/dovecot.te    |    1 +
 domains/program/unused/hald.te       |    3 ++-
 domains/program/unused/hotplug.te    |    4 +++-
 domains/program/unused/hwclock.te    |    3 ---
 domains/program/unused/nscd.te       |    1 +
 domains/program/unused/pppd.te       |    7 ++++---
 domains/program/unused/prelink.te    |    3 ---
 domains/program/unused/radvd.te      |    3 ++-
 domains/program/unused/rpcd.te       |    6 +++++-
 domains/program/unused/samba.te      |   33 +++++++++++++++++++++++++++++++--
 domains/program/unused/squid.te      |    3 +++
 domains/program/unused/winbind.te    |   12 +++++++++++-
 file_contexts/program/cups.fc        |    2 ++
 file_contexts/program/rpcd.fc        |    3 ++-
 file_contexts/program/samba.fc       |    1 +
 file_contexts/program/winbind.fc     |    1 +
 file_contexts/types.fc               |   14 +++++++-------
 macros/admin_macros.te               |    3 ---
 macros/base_user_macros.te           |    4 +---
 macros/global_macros.te              |    1 +
 macros/program/apache_macros.te      |    5 ++---
 macros/program/chkpwd_macros.te      |    7 +++++++
 macros/program/dbusd_macros.te       |    2 +-
 macros/program/evolution_macros.te   |    6 ------
 macros/program/games_domain.te       |    3 ---
 macros/program/java_macros.te        |    2 --
 macros/program/mail_client_macros.te |   10 ++++++++--
 macros/program/mozilla_macros.te     |    2 --
 macros/program/mplayer_macros.te     |    2 +-
 macros/program/xserver_macros.te     |    4 ----
 net_contexts                         |    2 ++
 targeted/domains/unconfined.te       |    5 +++++
 tunables/distro.tun                  |    2 +-
 tunables/tunable.tun                 |    4 ++--
 types/network.te                     |    1 -
 46 files changed, 142 insertions(+), 69 deletions(-)

Index: policy-20050706.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050706.patch,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- policy-20050706.patch	6 Jul 2005 23:40:36 -0000	1.4
+++ policy-20050706.patch	7 Jul 2005 12:38:27 -0000	1.5
@@ -244,6 +244,34 @@
  log_domain(nscd)
  r_dir_file(nscd_t, cert_t)
 +allow nscd_t tun_tap_device_t:chr_file { read write };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.1/domains/program/unused/pppd.te
+--- nsapolicy/domains/program/unused/pppd.te	2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.1/domains/program/unused/pppd.te	2005-07-07 07:09:25.000000000 -0400
+@@ -36,8 +36,7 @@
+ can_ypbind(pppd_t)
+ 
+ # Use capabilities.
+-allow pppd_t self:capability { net_admin setuid setgid fsetid };
+-
++allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+ lock_domain(pppd)
+ 
+ # Access secret files
+@@ -93,7 +92,7 @@
+ # for pppoe
+ can_create_pty(pppd)
+ allow pppd_t self:file { read getattr };
+-allow pppd_t self:capability { fowner net_raw };
++
+ allow pppd_t self:packet_socket create_socket_perms;
+ 
+ file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
+@@ -101,3 +100,5 @@
+ allow pppd_t sysctl_net_t:dir search;
+ allow pppd_t sysctl_net_t:file r_file_perms;
+ allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
++allow pppd_t initrc_var_run_t:file r_file_perms;
++dontaudit pppd_t initrc_var_run_t:file { lock write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.25.1/domains/program/unused/prelink.te
 --- nsapolicy/domains/program/unused/prelink.te	2005-04-27 10:28:52.000000000 -0400
 +++ policy-1.25.1/domains/program/unused/prelink.te	2005-07-06 17:34:19.000000000 -0400
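Review bot: The consolidated rule `++allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };` adds dac_override, which appears in neither of the two removed rules (net_admin setuid setgid fsetid, and fowner net_raw), and nothing in the hunk records which access failure motivates it. dac_override lets the domain bypass file permission checks entirely, so it deserves a why-comment beside the rule, e.g. `# dac_override: <TODO: name the file pppd cannot open under its own uid>`; if the denial is on one specific file type, an explicit allow on that type would be the narrower fix. The two new initrc_var_run_t rules are self-contained, and dontauditing write/lock suppresses the denials rather than granting them, which is the right choice there. The removed rule's slot at -93 leaves an empty line, which is cosmetic.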
@@ -301,7 +329,7 @@
  can_udp_send(portmap_t, nfsd_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.1/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/samba.te	2005-07-06 19:34:44.000000000 -0400
++++ policy-1.25.1/domains/program/unused/samba.te	2005-07-07 06:25:59.000000000 -0400
 @@ -47,6 +47,8 @@
  
  # Use the network.
@@ -311,7 +339,20 @@
  allow smbd_t ipp_port_t:tcp_socket name_connect;
  
  allow smbd_t urandom_device_t:chr_file { getattr read };
-@@ -182,3 +184,28 @@
+@@ -61,8 +63,10 @@
+ 
+ # Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
+ allow smbd_t var_lib_t:dir search;
+-allow smbd_t samba_var_t:dir create_dir_perms;
+-allow smbd_t samba_var_t:file create_file_perms;
++create_dir_file(smbd_t, samba_var_t)
++
++# Needed for shared printers
++allow smbd_t var_spool_t:dir search;
+ 
+ # Permissions to write log files.
+ allow smbd_t samba_log_t:file { create ra_file_perms };
+@@ -182,3 +186,28 @@
  allow smbmount_t userdomain:fd use;
  allow smbmount_t local_login_t:fd use;
  ')
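Review bot: `++create_dir_file(smbd_t, samba_var_t)` replaces two explicit rules (dir create_dir_perms and file create_file_perms) with a macro whose expansion is not in view; if the macro also covers further object classes such as lnk_file, as versions of it I have seen do, the grant is wider than the rules it replaces. The diffstat shows this commit also touches macros/global_macros.te, so checking the definition there and adding a one-line comment on whether the wider expansion is intended would settle it. The added `allow smbd_t var_spool_t:dir search;` is traversal-only and its comment already says why. The hunk introduced by the updated header `@@ -182,3 +186,28 @@` continues past this view.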
@@ -386,6 +427,22 @@
  /var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
 +/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
 +/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.25.1/file_contexts/program/rpcd.fc
+--- nsapolicy/file_contexts/program/rpcd.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.25.1/file_contexts/program/rpcd.fc	2005-07-07 08:36:47.000000000 -0400
+@@ -1,6 +1,6 @@
+ # RPC daemons
+ /sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t
+-/usr/sbin/rpc\..*	--	system_u:object_r:rpcd_exec_t
++/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t
+ /usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
+ /usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
+ /usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
+@@ -9,3 +9,4 @@
+ /var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
+ /var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
+ /etc/exports		--	system_u:object_r:exports_t
++
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.25.1/file_contexts/program/samba.fc
 --- nsapolicy/file_contexts/program/samba.fc	2005-02-24 14:51:08.000000000 -0500
 +++ policy-1.25.1/file_contexts/program/samba.fc	2005-07-06 18:52:13.000000000 -0400
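Review bot: In the replacement rpcd.fc entry `++/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t` the dot is unescaped, while every neighbouring entry (`rpc\.nfsd`, `rpc\.gssd`, `rpc\.statd`) escapes it; file_contexts paths are regular expressions, so `.` matches any character and the entry is looser than written. Use `/usr/sbin/rpc\.idmapd	--	system_u:object_r:rpcd_exec_t`. Narrowing the old `/usr/sbin/rpc\..*` to a single binary also drops the rpcd_exec_t label from any other /usr/sbin/rpc.* program not listed in this file; if that is intended, a short comment saying so would help the next reader. The trailing `++` adds an empty line at end of file, which is harmless.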
@@ -478,8 +535,18 @@
  allow $1 null_device_t:chr_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.1/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/apache_macros.te	2005-07-06 17:29:15.000000000 -0400
-@@ -108,6 +108,7 @@
++++ policy-1.25.1/macros/program/apache_macros.te	2005-07-07 06:44:49.000000000 -0400
+@@ -78,9 +78,6 @@
+ 
+ allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+ 
+-# for nscd
+-dontaudit httpd_$1_script_t var_t:dir search;
+-
+ ###########################################################################
+ # Allow the script interpreters to run the scripts.  So
+ # the perl executable will be able to run a perl script
+@@ -108,6 +105,7 @@
  
  if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
  create_dir_file(httpd_$1_script_t, httpdcontent)
@@ -487,6 +554,14 @@
  }
  
  #
+@@ -126,6 +124,7 @@
+ ############################################
+ # Allow scripts to append to http logs
+ #########################################
++allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
+ allow httpd_$1_script_t httpd_log_t:file { getattr append };
+ 
+ # apache should set close-on-exec
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-06-01 06:11:23.000000000 -0400
 +++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-06 19:35:03.000000000 -0400
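Review bot: The new `++allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;` grants every script domain produced by this macro search on var_t and var_log_t, where the previous hunk (`@@ -78,9 +78,6 @@`) only dontaudited var_t:dir search; the allow is what lets the existing append on httpd_log_t:file reach the log through its path, so the swap is coherent, but the rule carries no comment and the heading above it mentions only appending. Suggest `# path traversal to the httpd log directory; search only, no listing` above the rule, and drop the double space before `search`. Since the grant is unconditional for every $1 rather than tied to the cgi condition seen earlier in the file, it is worth confirming that all script types, not only cgi, are meant to get it.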


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.346
retrieving revision 1.347
diff -u -r1.346 -r1.347
--- selinux-policy-strict.spec	6 Jul 2005 23:40:36 -0000	1.346
+++ selinux-policy-strict.spec	7 Jul 2005 12:38:27 -0000	1.347
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.1
-Release: 4
+Release: 5
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -229,6 +229,10 @@
 exit 0
 
 %changelog
+* Thu Jul 7 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-5
+- Allow cgi script to append to httpd_log_t
+- More fixes for samba net command
+
 * Wed Jul 6 2005 Dan Walsh <dwalsh at redhat.com> 1.25.1-4
 - Add boolean to allow sysadm_t to ptrace
 


--- policy-20050502.patch DELETED ---


--- policy-20050516.patch DELETED ---


--- policy-20050525.patch DELETED ---



