rpms/selinux-policy-targeted/FC-3 policy-20050104.patch, 1.26, 1.27 selinux-policy-targeted.spec, 1.196, 1.197
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Wed Mar 23 15:38:11 UTC 2005
Update of /cvs/dist/rpms/selinux-policy-targeted/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv29032
Modified Files:
policy-20050104.patch selinux-policy-targeted.spec
Log Message:
* Wed Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-2.93
- Allow nscd and named to write to /var/log
- Fix /var/lib/nfs/rpc_pipefs(/.*)?
- Better handling of logrotate
policy-20050104.patch:
Makefile | 47 ++++++---
attrib.te | 3
domains/program/crond.te | 7 +
domains/program/ldconfig.te | 21 +++-
domains/program/login.te | 2
domains/program/logrotate.te | 24 ++---
domains/program/mount.te | 2
domains/program/ssh.te | 7 -
domains/program/syslogd.te | 24 ++++-
domains/program/unused/acct.te | 6 +
domains/program/unused/apache.te | 113 ++++++++++++++++++-----
domains/program/unused/arpwatch.te | 26 +++++
domains/program/unused/cups.te | 55 ++++++++++-
domains/program/unused/dhcpc.te | 5 -
domains/program/unused/dhcpd.te | 16 +++
domains/program/unused/dovecot.te | 3
domains/program/unused/ftpd.te | 2
domains/program/unused/hald.te | 3
domains/program/unused/howl.te | 2
domains/program/unused/innd.te | 7 +
domains/program/unused/ipsec.te | 9 +
domains/program/unused/iptables.te | 3
domains/program/unused/mailman.te | 23 +++-
domains/program/unused/mdadm.te | 3
domains/program/unused/mta.te | 21 +++-
domains/program/unused/mysqld.te | 7 -
domains/program/unused/named.te | 25 ++---
domains/program/unused/nscd.te | 26 +++--
domains/program/unused/ntpd.te | 21 +++-
domains/program/unused/portmap.te | 3
domains/program/unused/postfix.te | 2
domains/program/unused/postgresql.te | 47 ++++++++-
domains/program/unused/procmail.te | 1
domains/program/unused/rpcd.te | 2
domains/program/unused/rpm.te | 5 -
domains/program/unused/rsync.te | 2
domains/program/unused/samba.te | 4
domains/program/unused/sendmail.te | 2
domains/program/unused/slrnpull.te | 1
domains/program/unused/snmpd.te | 10 +-
domains/program/unused/spamd.te | 2
domains/program/unused/squid.te | 21 ++--
domains/program/unused/udev.te | 5 -
domains/program/unused/updfstab.te | 1
domains/program/unused/winbind.te | 34 +++++++
domains/program/unused/xdm.te | 4
domains/program/unused/ypbind.te | 2
domains/program/unused/ypserv.te | 7 +
domains/user.te | 6 +
file_contexts/distros.fc | 76 +++++++++++-----
file_contexts/program/apache.fc | 14 ++
file_contexts/program/arpwatch.fc | 3
file_contexts/program/cups.fc | 5 -
file_contexts/program/dhcpd.fc | 2
file_contexts/program/ipsec.fc | 11 +-
file_contexts/program/mailman.fc | 15 +--
file_contexts/program/mta.fc | 5 +
file_contexts/program/mysqld.fc | 4
file_contexts/program/named.fc | 17 ++-
file_contexts/program/nscd.fc | 3
file_contexts/program/ntpd.fc | 2
file_contexts/program/postgresql.fc | 23 +---
file_contexts/program/sendmail.fc | 1
file_contexts/program/snmpd.fc | 3
file_contexts/program/squid.fc | 2
file_contexts/program/winbind.fc | 10 ++
file_contexts/types.fc | 161 +++++++++++-----------------------
macros/base_user_macros.te | 9 +
macros/core_macros.te | 2
macros/global_macros.te | 3
macros/program/apache_macros.te | 85 ++++++++++-------
macros/program/mount_macros.te | 2
macros/program/mozilla_macros.te | 2
macros/program/mta_macros.te | 5 -
macros/program/newrole_macros.te | 2
macros/program/spamassassin_macros.te | 5 -
macros/program/ssh_agent_macros.te | 2
macros/program/ssh_macros.te | 2
macros/program/su_macros.te | 2
macros/program/userhelper_macros.te | 3
macros/program/xauth_macros.te | 2
macros/program/xserver_macros.te | 4
macros/program/ypbind_macros.te | 24 +----
targeted/assert.te | 4
targeted/domains/program/hotplug.te | 4
targeted/domains/program/initrc.te | 2
targeted/domains/unconfined.te | 11 +-
tunables/distro.tun | 2
tunables/tunable.tun | 21 +---
types/device.te | 6 +
types/file.te | 19 ++--
types/network.te | 2
92 files changed, 817 insertions(+), 439 deletions(-)
Index: policy-20050104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/policy-20050104.patch,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- policy-20050104.patch 23 Mar 2005 13:48:19 -0000 1.26
+++ policy-20050104.patch 23 Mar 2005 15:38:08 -0000 1.27
@@ -952,7 +952,7 @@
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.17.30/domains/program/unused/named.te
--- nsapolicy/domains/program/unused/named.te 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/unused/named.te 2005-03-21 23:08:51.000000000 -0500
++++ policy-1.17.30/domains/program/unused/named.te 2005-03-23 10:31:03.000000000 -0500
@@ -19,7 +19,7 @@
file_type_auto_trans(named_t, var_run_t, named_var_run_t, sock_file)
@@ -981,7 +981,15 @@
# Use capabilities. Surplus capabilities may be allowed.
allow named_t self:capability { chown dac_override fowner setgid setuid net_bind_service sys_chroot sys_nice sys_resource };
-@@ -78,15 +81,13 @@
+@@ -56,6 +59,7 @@
+ can_udp_send(domain, named_t)
+ can_udp_send(named_t, domain)
+ can_tcp_connect(domain, named_t)
++log_domain(named)
+
+ # Bind to the named port.
+ allow named_t dns_port_t:udp_socket name_bind;
+@@ -78,15 +82,13 @@
allow named_t self:unix_stream_socket create_stream_socket_perms;
allow named_t self:unix_dgram_socket create_socket_perms;
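Review bot: `log_domain(named)` is added between `can_tcp_connect(domain, named_t)` and the `# Bind to the named port.` comment with no comment of its own, so the one rule that gives named write access under /var/log reads as part of the network block. I would put a line such as `# named creates and writes its own log files (named_log_t) under /var/log` above it. The same goes for `log_domain(nscd)`, which the nscd.te hunk appends uncommented after `r_dir_file(nscd_t, usr_t)`; it could carry `# nscd creates and writes its own log files (nscd_log_t) under /var/log`. The macro definition is not on this page, so the wording should be checked against what log_domain actually expands to. The named.te rules continue outside this hunk.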
@@ -1000,7 +1008,7 @@
# Read /dev/random.
allow named_t device_t:dir r_dir_perms;
-@@ -108,6 +109,8 @@
+@@ -108,6 +110,8 @@
# for /etc/rndc.key
ifdef(`distro_redhat', `
allow { ndc_t initrc_t } named_conf_t:dir search;
@@ -1009,7 +1017,7 @@
')
allow { ndc_t initrc_t } named_conf_t:file { getattr read };
-@@ -126,9 +129,7 @@
+@@ -126,9 +130,7 @@
allow ndc_t fs_t:filesystem getattr;
# Read sysctl kernel variables.
@@ -1020,7 +1028,7 @@
allow ndc_t self:process { fork signal_perms };
allow ndc_t self:fifo_file { read write getattr ioctl };
-@@ -150,4 +151,5 @@
+@@ -150,4 +152,5 @@
allow ndc_t named_zone_t:file getattr;
dontaudit ndc_t sysadm_home_t:dir { getattr search read };
')
@@ -1029,7 +1037,7 @@
+dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.30/domains/program/unused/nscd.te
--- nsapolicy/domains/program/unused/nscd.te 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/unused/nscd.te 2005-03-21 23:08:51.000000000 -0500
++++ policy-1.17.30/domains/program/unused/nscd.te 2005-03-23 10:32:03.000000000 -0500
@@ -26,21 +26,24 @@
allow domain nscd_var_run_t:sock_file rw_file_perms;
allow domain { var_run_t var_t }:dir search;
@@ -1072,7 +1080,7 @@
# for when /etc/passwd has just been updated and has the wrong type
allow nscd_t shadow_t:file getattr;
-@@ -68,11 +70,16 @@
+@@ -68,11 +70,17 @@
#
# Handle winbind for samba, Might only be needed for targeted policy
#
@@ -1093,6 +1101,7 @@
+allow nscd_t tmp_t:lnk_file read;
+allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
+r_dir_file(nscd_t, usr_t)
++log_domain(nscd)
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.30/domains/program/unused/ntpd.te
--- nsapolicy/domains/program/unused/ntpd.te 2004-10-09 21:07:28.000000000 -0400
+++ policy-1.17.30/domains/program/unused/ntpd.te 2005-03-21 23:08:51.000000000 -0500
@@ -1876,8 +1885,8 @@
ifdef(`distro_debian', `
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.17.30/file_contexts/program/named.fc
--- nsapolicy/file_contexts/program/named.fc 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/file_contexts/program/named.fc 2005-03-21 23:08:51.000000000 -0500
-@@ -14,11 +14,12 @@
++++ policy-1.17.30/file_contexts/program/named.fc 2005-03-23 10:33:20.000000000 -0500
+@@ -14,20 +14,23 @@
') dnl distro_debian
/etc/rndc.* -- system_u:object_r:named_conf_t
@@ -1889,9 +1898,11 @@
-/var/run/named.* system_u:object_r:named_var_run_t
+/var/run/named(/.*)? system_u:object_r:named_var_run_t
/usr/sbin/lwresd -- system_u:object_r:named_exec_t
++/var/log/named.* -- system_u:object_r:named_log_t
++
ifdef(`distro_redhat', `
/var/named/named\.ca -- system_u:object_r:named_conf_t
-@@ -26,8 +27,8 @@
+ /var/named/chroot(/.*)? system_u:object_r:named_conf_t
/var/named/chroot/dev/null -c system_u:object_r:null_device_t
/var/named/chroot/dev/random -c system_u:object_r:random_device_t
/var/named/chroot/dev/zero -c system_u:object_r:zero_device_t
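Review bot: The new entry `/var/log/named.* --` is a bare prefix match, so any regular file whose path starts with /var/log/named receives named_log_t, while a /var/log/named directory itself is excluded by `--` and keeps its default label. The nscd.fc hunk in this same commit anchors on the file name (`/var/log/nscd\.log.*`). A comparably anchored form here, for example `/var/log/named\.log.* --` if that is the file named actually writes, would keep the type from spreading to unrelated logs. Separately, the distro_redhat block visible in this hunk labels `/var/named/chroot(/.*)?` as named_conf_t and no chroot log path is shown, so a chrooted named that logs inside the chroot would presumably not get named_log_t; that is worth confirming against the rest of named.fc, which lies outside the hunk.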
@@ -1902,7 +1913,7 @@
/var/named/chroot/var/run/named.* system_u:object_r:named_var_run_t
/var/named/chroot/var/tmp(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named(/.*)? system_u:object_r:named_zone_t
-@@ -35,3 +36,11 @@
+@@ -35,3 +38,11 @@
/var/named/chroot/var/named/data(/.*)? system_u:object_r:named_cache_t
/var/named/chroot/var/named/named\.ca -- system_u:object_r:named_conf_t
') dnl distro_redhat
@@ -1916,13 +1927,14 @@
+') dnl distro_gentoo
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nscd.fc policy-1.17.30/file_contexts/program/nscd.fc
--- nsapolicy/file_contexts/program/nscd.fc 2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/file_contexts/program/nscd.fc 2005-03-21 23:08:51.000000000 -0500
-@@ -2,3 +2,5 @@
++++ policy-1.17.30/file_contexts/program/nscd.fc 2005-03-23 10:34:01.000000000 -0500
+@@ -2,3 +2,6 @@
/usr/sbin/nscd -- system_u:object_r:nscd_exec_t
/var/run/\.nscd_socket -s system_u:object_r:nscd_var_run_t
/var/run/nscd\.pid -- system_u:object_r:nscd_var_run_t
+/var/db/nscd(/.*)? system_u:object_r:nscd_var_run_t
+/var/run/nscd(/.*)? system_u:object_r:nscd_var_run_t
++/var/log/nscd\.log.* -- system_u:object_r:nscd_log_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ntpd.fc policy-1.17.30/file_contexts/program/ntpd.fc
--- nsapolicy/file_contexts/program/ntpd.fc 2004-10-09 21:07:28.000000000 -0400
+++ policy-1.17.30/file_contexts/program/ntpd.fc 2005-03-21 23:08:51.000000000 -0500
Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/selinux-policy-targeted.spec,v
retrieving revision 1.196
retrieving revision 1.197
diff -u -r1.196 -r1.197
--- selinux-policy-targeted.spec 23 Mar 2005 13:48:19 -0000 1.196
+++ selinux-policy-targeted.spec 23 Mar 2005 15:38:08 -0000 1.197
@@ -8,7 +8,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.17.30
-Release: 2.92
+Release: 2.93
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -210,7 +210,8 @@
exit 0
%changelog
-* Wed Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-2.92
+* Wed Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.17.30-2.93
+- Allow nscd and named to write to /var/log
- Fix /var/lib/nfs/rpc_pipefs(/.*)?
- Better handling of logrotate