rpms/selinux-policy-strict/devel booleans, 1.7, 1.8 policy-20050322.patch, 1.6, 1.7 selinux-policy-strict.spec, 1.262, 1.263

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Mar 29 15:44:36 UTC 2005


Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv6078

Modified Files:
	booleans policy-20050322.patch selinux-policy-strict.spec 
Log Message:
* Thu Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.5-2
- Handle booleans.local
- Add policy to handle ssh-keysign



Index: booleans
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/booleans,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- booleans	16 Nov 2004 16:05:41 -0000	1.7
+++ booleans	29 Mar 2005 15:44:33 -0000	1.8
@@ -1,3 +1,8 @@
+# This file should not not be modified.  
+# If you want to customize your booleans, make changes to booleans.local 
+# or use "setsebool -P"
+# This file will be replaced with the next rpm upgrade.
+#
 ftpd_is_daemon=1
 ftp_home_dir=1
 httpd_enable_cgi=1
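Review bot: The added header at the top of the hunk reads `# This file should not not be modified.` — a doubled "not"; `# This file should not be modified.` is what is meant. The remainder of the header correctly points local changes at booleans.local or `setsebool -P`, which is the purpose of this commit, so only the wording needs fixing.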

policy-20050322.patch:
 Makefile                             |    8 +++----
 domains/program/ssh.te               |    1 
 domains/program/syslogd.te           |   16 ++++++--------
 domains/program/unused/apache.te     |    2 +
 domains/program/unused/canna.te      |    2 +
 domains/program/unused/cups.te       |    4 +--
 domains/program/unused/hald.te       |    1 
 domains/program/unused/mailman.te    |    2 -
 domains/program/unused/mta.te        |    2 -
 domains/program/unused/named.te      |    3 +-
 domains/program/unused/nscd.te       |    1 
 domains/program/unused/pamconsole.te |    9 ++++++--
 domains/program/unused/samba.te      |    2 -
 domains/program/unused/squid.te      |    9 +++++---
 domains/program/unused/udev.te       |    3 +-
 domains/program/unused/winbind.te    |    7 +++---
 domains/program/unused/xdm.te        |    1 
 file_contexts/distros.fc             |   13 ++++++++---
 file_contexts/program/apache.fc      |    1 
 file_contexts/program/named.fc       |    2 +
 file_contexts/program/nscd.fc        |    1 
 file_contexts/program/ssh.fc         |    1 
 macros/program/apache_macros.te      |    3 +-
 macros/program/games_domain.te       |   20 ++++++++++++++++-
 macros/program/gift_macros.te        |   15 +++++++++++--
 macros/program/mozilla_macros.te     |   27 ++++++++++++++++++++----
 macros/program/ssh_macros.te         |   19 +++++++++++++++--
 macros/program/tvtime_macros.te      |   14 ++++++++++--
 macros/program/x_client_macros.te    |   39 -----------------------------------
 net_contexts                         |   15 ++++++-------
 tunables/distro.tun                  |    2 -
 tunables/tunable.tun                 |   12 +++++-----
 types/file.te                        |    3 +-
 types/network.te                     |   20 ++++-------------
 34 files changed, 164 insertions(+), 116 deletions(-)

Index: policy-20050322.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20050322.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20050322.patch	24 Mar 2005 15:15:05 -0000	1.6
+++ policy-20050322.patch	29 Mar 2005 15:44:33 -0000	1.7
@@ -1,6 +1,51 @@
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ssh.te policy-1.23.5/domains/program/ssh.te
+--- nsapolicy/domains/program/ssh.te	2005-03-24 08:58:25.000000000 -0500
++++ policy-1.23.5/domains/program/ssh.te	2005-03-28 10:21:45.000000000 -0500
+@@ -220,6 +220,7 @@
+ 
+ # Type for the ssh executable.
+ type ssh_exec_t, file_type, exec_type, sysadmfile;
++type ssh_keysign_exec_t, file_type, exec_type, sysadmfile;
+ 
+ # Everything else is in the ssh_domain macro in
+ # macros/program/ssh_macros.te.
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.5/domains/program/syslogd.te
+--- nsapolicy/domains/program/syslogd.te	2005-03-21 22:32:18.000000000 -0500
++++ policy-1.23.5/domains/program/syslogd.te	2005-03-28 10:21:45.000000000 -0500
+@@ -79,16 +79,10 @@
+ dontaudit syslogd_t initrc_var_run_t:file write;
+ allow syslogd_t ttyfile:chr_file { getattr write };
+ 
+-ifdef(`klogd.te', `', `
+-# Allow access to /proc/kmsg for syslog-ng
+-allow syslogd_t proc_t:dir search;
+-allow syslogd_t proc_kmsg_t:file { getattr read };
+-allow syslogd_t kernel_t:system { syslog_mod syslog_console };
+-')
+ #
+ # Special case to handle crashes
+ #
+-allow syslogd_t { device_t file_t }:sock_file unlink;
++allow syslogd_t { device_t file_t }:sock_file { getattr unlink };
+ 
+ # Allow syslog to a terminal
+ allow syslogd_t tty_device_t:chr_file { getattr write ioctl append };
+@@ -111,6 +105,10 @@
+ bool use_syslogng false;
+ 
+ if (use_syslogng) {
+-allow syslogd_t proc_kmsg_t:file write;
+-allow syslogd_t self:capability { sys_admin chown };
++# Allow access to /proc/kmsg for syslog-ng
++allow syslogd_t proc_t:dir search;
++allow syslogd_t proc_kmsg_t:file { getattr read };
++allow syslogd_t kernel_t:system { syslog_mod syslog_console };
++allow syslogd_t self:capability { sys_admin chown fsetid };
++allow syslogd_t var_log_t:dir { create setattr };
+ }
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.23.5/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-03-24 08:58:25.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/apache.te	2005-03-24 09:23:15.000000000 -0500
++++ policy-1.23.5/domains/program/unused/apache.te	2005-03-28 10:21:45.000000000 -0500
 @@ -152,7 +152,9 @@
  allow httpd_t bin_t:lnk_file read;
  
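Review bot: Moving the /proc/kmsg rules in syslogd.te out of the removed `ifdef(`klogd.te', ...)` block and into the `if (use_syslogng)` conditional changes the gate: read on proc_kmsg_t, search on proc_t and `kernel_t:system { syslog_mod syslog_console }` used to be granted whenever klogd.te was absent, and are now granted only while the boolean is on. If any build omits klogd.te and leaves use_syslogng false, syslogd silently loses kmsg access; if that is intended, record it with `# kmsg access is granted only to syslog-ng via use_syslogng; klogd covers it otherwise`. The new `allow syslogd_t var_log_t:dir { create setattr };` and the added `fsetid` capability also deserve a one-line why-comment, since together they let the daemon create and re-mode directories under /var/log. The ssh.te part of this hunk only declares ssh_keysign_exec_t, which the later ssh_macros.te and ssh.fc hunks use.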
@@ -11,9 +56,18 @@
  can_ypbind(httpd_t)
  
  ###################
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/canna.te policy-1.23.5/domains/program/unused/canna.te
+--- nsapolicy/domains/program/unused/canna.te	2005-03-24 08:58:25.000000000 -0500
++++ policy-1.23.5/domains/program/unused/canna.te	2005-03-28 10:21:45.000000000 -0500
+@@ -42,3 +42,5 @@
+ can_unix_connect(i18n_input_t, canna_t)
+ ')
+ 
++dontaudit canna_t kernel_t:fd use;
++dontaudit canna_t root_t:file read;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.5/domains/program/unused/cups.te
 --- nsapolicy/domains/program/unused/cups.te	2005-03-24 08:58:26.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/cups.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/cups.te	2005-03-28 10:21:45.000000000 -0500
 @@ -143,8 +143,8 @@
  # PTAL
  daemon_domain(ptal)
@@ -25,9 +79,20 @@
  allow ptal_t self:capability chown;
  allow ptal_t self:{ unix_dgram_socket unix_stream_socket } create_socket_perms;
  allow ptal_t self:unix_stream_socket { listen accept };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.5/domains/program/unused/hald.te
+--- nsapolicy/domains/program/unused/hald.te	2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.5/domains/program/unused/hald.te	2005-03-29 10:38:09.000000000 -0500
+@@ -31,6 +31,7 @@
+ allow hald_t usr_t:file { getattr read };
+ 
+ allow hald_t bin_t:file getattr;
++allow hald_t self:netlink_socket create_netlink_socket_perms;
+ allow hald_t self:netlink_route_socket r_netlink_socket_perms;
+ allow hald_t self:capability { net_admin sys_admin dac_override dac_read_search mknod };
+ can_network_server(hald_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mailman.te policy-1.23.5/domains/program/unused/mailman.te
 --- nsapolicy/domains/program/unused/mailman.te	2005-03-24 08:58:26.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/mailman.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/mailman.te	2005-03-28 10:21:45.000000000 -0500
 @@ -30,7 +30,7 @@
  allow mailman_$1_t mailman_lock_t:dir rw_dir_perms;
  allow mailman_$1_t fs_t:filesystem getattr;
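Review bot: `allow hald_t self:netlink_socket create_netlink_socket_perms;` in hald.te uses the generic netlink_socket class, unlike the netlink_route_socket rule directly beneath it, so a reader cannot tell which netlink family hald is opening or why it needs one beyond routing. A comment naming the family would help later audits, e.g. `# generic netlink socket for kernel uevents — confirm family` if that is indeed what hald listens for; the family is inferred, not visible here.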
@@ -39,7 +104,7 @@
  allow mailman_$1_t var_t:dir r_dir_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mta.te policy-1.23.5/domains/program/unused/mta.te
 --- nsapolicy/domains/program/unused/mta.te	2005-03-21 22:32:19.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/mta.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/mta.te	2005-03-28 10:21:45.000000000 -0500
 @@ -13,8 +13,6 @@
  ifdef(`sendmail.te', `', `
  type sendmail_exec_t, file_type, exec_type, sysadmfile;
@@ -51,7 +116,7 @@
  # "mail user at domain"
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/named.te policy-1.23.5/domains/program/unused/named.te
 --- nsapolicy/domains/program/unused/named.te	2005-03-24 08:58:26.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/named.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/named.te	2005-03-28 10:21:45.000000000 -0500
 @@ -60,6 +60,7 @@
  can_udp_send(domain, named_t)
  can_udp_send(named_t, domain)
@@ -71,15 +136,48 @@
  read_locale(ndc_t)
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.23.5/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2005-03-24 08:58:27.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/nscd.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/nscd.te	2005-03-28 10:21:45.000000000 -0500
 @@ -73,3 +73,4 @@
  allow nscd_t tmp_t:dir { search getattr };
  allow nscd_t tmp_t:lnk_file read;
  allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
 +log_domain(nscd)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pamconsole.te policy-1.23.5/domains/program/unused/pamconsole.te
+--- nsapolicy/domains/program/unused/pamconsole.te	2005-02-24 14:51:07.000000000 -0500
++++ policy-1.23.5/domains/program/unused/pamconsole.te	2005-03-28 10:21:45.000000000 -0500
+@@ -10,6 +10,12 @@
+ allow pam_console_t etc_t:file { getattr read ioctl };
+ allow pam_console_t self:unix_stream_socket create_stream_socket_perms;
+ 
++# Read /etc/mtab
++allow pam_console_t etc_runtime_t:file { read getattr };
++
++# Read /proc/meminfo
++allow pam_console_t proc_t:file { read getattr };
++
+ allow pam_console_t self:capability { chown fowner fsetid };
+ 
+ # Allow access to /dev/console through the fd:
+@@ -24,7 +30,7 @@
+ allow pam_console_t device_t:dir { getattr read };
+ allow pam_console_t device_t:lnk_file { getattr read };
+ # mouse_device_t is for joy sticks
+-allow pam_console_t { framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
++allow pam_console_t { xserver_misc_device_t framebuf_device_t v4l_device_t apm_bios_t sound_device_t misc_device_t tty_device_t scanner_device_t mouse_device_t power_device_t removable_device_t scsi_generic_device_t }:chr_file { getattr setattr };
+ allow pam_console_t { removable_device_t fixed_disk_device_t }:blk_file { getattr setattr };
+ 
+ allow pam_console_t mnt_t:dir r_dir_perms;
+@@ -36,7 +42,6 @@
+ dontaudit pam_console_t hotplug_etc_t:dir search;
+ allow pam_console_t hotplug_t:fd use;
+ ')
+-allow pam_console_t proc_t:file read;
+ ifdef(`xdm.te', `
+ allow pam_console_t xdm_var_run_t:file { getattr read };
+ ')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.23.5/domains/program/unused/samba.te
 --- nsapolicy/domains/program/unused/samba.te	2005-03-24 08:58:27.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/samba.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/samba.te	2005-03-28 10:21:45.000000000 -0500
 @@ -41,7 +41,6 @@
  general_domain_access(smbd_t)
  general_proc_read_access(smbd_t)
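Review bot: The pamconsole.te change adds xserver_misc_device_t to the single long list of device types that pam_console_t may `setattr` (i.e. hand over to the console user) without saying why, although the neighbouring `# mouse_device_t is for joy sticks` shows the file's habit of annotating additions to that set. Something like `# xserver_misc_device_t: X server device nodes handed to the console user` (confirm which nodes) would keep that habit and make the widened set recognisably deliberate. The removed `allow pam_console_t proc_t:file read;` is correctly superseded by the new `{ read getattr }` rule under `# Read /proc/meminfo`.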
@@ -98,7 +196,7 @@
  # Use capabilities.
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.23.5/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-03-24 08:58:27.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/squid.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/squid.te	2005-03-28 10:21:45.000000000 -0500
 @@ -12,7 +12,7 @@
  ifdef(`apache.te',`
  can_tcp_connect(squid_t, httpd_t)
@@ -127,9 +225,29 @@
  
  # to allow running programs from /usr/lib/squid (IE unlinkd)
  # also allow exec()ing itself
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/udev.te policy-1.23.5/domains/program/unused/udev.te
+--- nsapolicy/domains/program/unused/udev.te	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.5/domains/program/unused/udev.te	2005-03-28 10:21:45.000000000 -0500
+@@ -29,7 +29,7 @@
+ type udev_tdb_t, file_type, sysadmfile, dev_fs;
+ typealias udev_tdb_t alias udev_tbl_t;
+ file_type_auto_trans(udev_t, device_t, udev_tdb_t, file)
+-allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin mknod net_raw net_admin };
++allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_nice mknod net_raw net_admin };
+ allow udev_t self:file { getattr read };
+ allow udev_t self:unix_stream_socket {connectto create_stream_socket_perms};
+ allow udev_t self:unix_dgram_socket create_socket_perms;
+@@ -71,6 +71,7 @@
+ 
+ allow udev_t kernel_t:fd use;
+ allow udev_t kernel_t:unix_dgram_socket { sendto ioctl read write };
++allow udev_t kernel_t:process signal;
+ 
+ allow udev_t initrc_var_run_t:file r_file_perms;
+ dontaudit udev_t initrc_var_run_t:file write;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.23.5/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-03-24 08:58:27.000000000 -0500
-+++ policy-1.23.5/domains/program/unused/winbind.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/domains/program/unused/winbind.te	2005-03-28 10:21:45.000000000 -0500
 @@ -13,7 +13,9 @@
  allow winbind_t etc_t:file r_file_perms;
  allow winbind_t etc_t:lnk_file read;
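Review bot: `allow udev_t kernel_t:process signal;` and the new `sys_nice` capability in udev.te arrive without any comment, and the right to signal kernel-domain processes is the sort of rule a later reviewer will want justified. A note on the signal line such as `# udev signals kernel_t processes during the early-boot handoff — confirm which` would suffice; the adjacent kernel_t:fd and unix_dgram_socket rules suggest that context, but it is inferred rather than shown.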
@@ -150,9 +268,58 @@
 +can_kerberos(winbind_t)
  allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
  allow winbind_t winbind_var_run_t:sock_file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.23.5/domains/program/unused/xdm.te
+--- nsapolicy/domains/program/unused/xdm.te	2005-03-24 08:58:27.000000000 -0500
++++ policy-1.23.5/domains/program/unused/xdm.te	2005-03-28 10:21:45.000000000 -0500
+@@ -311,6 +311,7 @@
+ allow xdm_t pam_var_run_t:dir create_dir_perms;
+ allow xdm_t pam_var_run_t:file create_file_perms;
+ allow pam_t xdm_t:fifo_file { getattr ioctl write };
++can_exec(xdm_t, pam_console_exec_t)
+ can_exec(xdm_t, pam_exec_t)
+ # For pam_console
+ rw_dir_create_file(xdm_t, pam_var_console_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc policy-1.23.5/file_contexts/distros.fc
+--- nsapolicy/file_contexts/distros.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.5/file_contexts/distros.fc	2005-03-28 10:21:45.000000000 -0500
+@@ -98,10 +98,10 @@
+ /usr/lib/valgrind/vgskin_massif\.so		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/valgrind/vgskin_memcheck\.so		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/valgrind/vgskin_none\.so		-- system_u:object_r:texrel_shlib_t
+-/usr/lib/ooo-.*/program/libicudata\.so.*	-- system_u:object_r:texrel_shlib_t
+-/usr/lib/ooo-.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
+-/usr/lib/ooo-.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
+-/usr/lib/ooo-.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
++/usr/lib/.*/program/libicudata\.so.*	-- system_u:object_r:texrel_shlib_t
++/usr/lib/.*/program/libsts645li\.so		-- system_u:object_r:texrel_shlib_t
++/usr/lib/.*/program/libvclplug_gen645li\.so	-- system_u:object_r:texrel_shlib_t
++/usr/lib/.*/program/libwrp645li\.so		-- system_u:object_r:texrel_shlib_t
+ # Fedora Extras packages: ladspa, imlib2, ocaml
+ /usr/lib/ladspa/analogue_osc_1416\.so		-- system_u:object_r:texrel_shlib_t
+ /usr/lib/ladspa/bandpass_a_iir_1893\.so		-- system_u:object_r:texrel_shlib_t
+@@ -140,6 +140,11 @@
+ 
+ # Jai, Sun Microsystems (Jpackage SPRM)
+ /usr/lib/libmlib_jai\.so			-- system_u:object_r:texrel_shlib_t
++/usr/lib/libdivxdecore.so.0			-- system_u:object_r:texrel_shlib_t
++
++/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/.*\.api	-- system_u:object_r:shlib_t
++/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/AcroForm\.api	-- system_u:object_r:texrel_shlib_t
++/usr(/.*)?/Acrobat5/Reader/intellinux/plug_ins/EScript\.api	-- system_u:object_r:texrel_shlib_t
+ 
+ ')
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.23.5/file_contexts/program/apache.fc
+--- nsapolicy/file_contexts/program/apache.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.23.5/file_contexts/program/apache.fc	2005-03-29 09:07:33.000000000 -0500
+@@ -44,3 +44,4 @@
+ /usr/share/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+ /var/lib/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
+ /etc/htdig(/.*)?		system_u:object_r:httpd_sys_content_t
++/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/named.fc policy-1.23.5/file_contexts/program/named.fc
 --- nsapolicy/file_contexts/program/named.fc	2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.5/file_contexts/program/named.fc	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/file_contexts/program/named.fc	2005-03-28 10:21:45.000000000 -0500
 @@ -21,6 +21,8 @@
  /var/run/bind(/.*)?		system_u:object_r:named_var_run_t
  /var/run/named(/.*)?		system_u:object_r:named_var_run_t
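Review bot: In distros.fc the new entry `/usr/lib/libdivxdecore.so.0` is a regular expression like every other file_contexts line, but its dots are unescaped, unlike the `\.so` in the surrounding entries, so it also matches names such as `libdivxdecore0so00`; write `/usr/lib/libdivxdecore\.so\.0			-- system_u:object_r:texrel_shlib_t`. Relaxing the four OpenOffice lines from `/usr/lib/ooo-.*/program/` to `/usr/lib/.*/program/` widens the texrel_shlib_t exemption to those library names under any `program/` directory below /usr/lib; if only the ooo-* builds need it, a narrower prefix keeps the text-relocation allowance scoped to them. In xdm.te, `can_exec(xdm_t, pam_console_exec_t)` runs pam_console inside xdm_t rather than transitioning to pam_console_t; if that is deliberate, extend the existing `# For pam_console` comment to say so.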
@@ -164,15 +331,25 @@
  /var/named/chroot(/.*)?		system_u:object_r:named_conf_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/nscd.fc policy-1.23.5/file_contexts/program/nscd.fc
 --- nsapolicy/file_contexts/program/nscd.fc	2005-02-24 14:51:08.000000000 -0500
-+++ policy-1.23.5/file_contexts/program/nscd.fc	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/file_contexts/program/nscd.fc	2005-03-28 10:21:45.000000000 -0500
 @@ -4,3 +4,4 @@
  /var/run/nscd\.pid	--	system_u:object_r:nscd_var_run_t
  /var/db/nscd(/.*)?		system_u:object_r:nscd_var_run_t
  /var/run/nscd(/.*)?		system_u:object_r:nscd_var_run_t
 +/var/log/nscd\.log.*	--	system_u:object_r:nscd_log_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/ssh.fc policy-1.23.5/file_contexts/program/ssh.fc
+--- nsapolicy/file_contexts/program/ssh.fc	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.23.5/file_contexts/program/ssh.fc	2005-03-28 10:21:45.000000000 -0500
+@@ -1,5 +1,6 @@
+ # ssh
+ /usr/bin/ssh		--	system_u:object_r:ssh_exec_t
++/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t
+ /usr/bin/ssh-keygen	--	system_u:object_r:ssh_keygen_exec_t
+ # sshd
+ /etc/ssh/primes		--	system_u:object_r:sshd_key_t
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.23.5/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-03-24 08:58:29.000000000 -0500
-+++ policy-1.23.5/macros/program/apache_macros.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/macros/program/apache_macros.te	2005-03-28 10:21:45.000000000 -0500
 @@ -3,10 +3,11 @@
  
  #This type is for webpages
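Review bot: The new ssh.fc line `/usr/libexec/openssh/ssh-keysign -- system_u:object_r:ssh_keysign_exec_t` separates its fields with single spaces while every neighbouring entry uses tabs; tab-separate it to match. Functionally it is correct and pairs with the ssh_keysign_exec_t type and `$1_ssh_keysign_t` domain added in the other hunks of this patch.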
@@ -186,9 +363,176 @@
  
  # This type is used for .htaccess files
  #
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/games_domain.te policy-1.23.5/macros/program/games_domain.te
+--- nsapolicy/macros/program/games_domain.te	2005-03-21 22:32:19.000000000 -0500
++++ policy-1.23.5/macros/program/games_domain.te	2005-03-28 10:21:45.000000000 -0500
+@@ -19,10 +19,18 @@
+ }
+ role $1_r types $1_games_t;
+ 
+-# X access, Private tmp
++# X access, /tmp files
+ x_client_domain($1, games)
+ tmp_domain($1_games)
+ 
++uses_shlib($1_games_t)
++read_locale($1_games_t)
++read_sysctl($1_games_t)
++access_terminal($1_games_t, $1)
++
++# Fork
++allow $1_games_t self:process { fork signal_perms getsched };
++
+ # Games seem to need this
+ if (allow_execmem) {
+ allow $1_games_t self:process execmem;
+@@ -37,7 +45,7 @@
+ 
+ # Access /home/user/.gnome2
+ create_dir_file($1_games_t, $1_home_t)
+-allow $1_games_t $1_home_dir_t:dir search;
++allow $1_games_t $1_home_dir_t:dir { read getattr search };
+ allow $1_games_t $1_home_t:dir { read getattr };
+ 
+ create_dir_file($1_games_t, $1_tmp_t)
+@@ -57,6 +65,7 @@
+ 
+ allow $1_games_t var_lib_t:dir search;
+ r_dir_file($1_games_t, man_t)
++allow $1_games_t proc_t:dir search;
+ allow $1_games_t proc_t:file { read getattr };
+ ifdef(`mozilla.te', ` 
+ dontaudit $1_games_t $1_mozilla_t:unix_stream_socket connectto;
+@@ -64,10 +73,17 @@
+ allow $1_games_t event_device_t:chr_file getattr;
+ allow $1_games_t mouse_device_t:chr_file getattr;
+ allow $1_games_t self:file { getattr read };
++allow $1_games_t self:fifo_file rw_file_perms;
+ 
+ # kpat spews errors
+ dontaudit $1_games_t bin_t:dir getattr;
+ dontaudit $1_games_t var_run_t:dir search;
+ 
++# Allow games to read /etc/mtab and /etc/nsswitch.conf
++allow $1_games_t etc_t:file { getattr read };
++allow $1_games_t etc_runtime_t:file { getattr read };
++
++# 
++
+ ')dnl end macro definition
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.5/macros/program/gift_macros.te
+--- nsapolicy/macros/program/gift_macros.te	2005-03-24 08:58:29.000000000 -0500
++++ policy-1.23.5/macros/program/gift_macros.te	2005-03-28 10:21:45.000000000 -0500
+@@ -17,10 +17,15 @@
+ domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
+ role $1_r types $1_gift_t;
+ 
+-# X access, Home access
++# X access, Home files 
+ x_client_domain($1, gift)
+ home_domain($1, gift)
+ 
++uses_shlib($1_gift_t)
++read_locale($1_gift_t)
++read_sysctl($1_gift_t)
++access_terminal($1_gift_t, $1)
++
+ # Self permissions
+ allow $1_gift_t self:process getsched;
+ 
+@@ -29,7 +34,8 @@
+ r_dir_file($1_gift_t, fonts_t)
+ 
+ # Launch gift daemon
+-allow $1_gift_t self:process fork;
++allow $1_gift_t bin_t:dir search;
++allow $1_gift_t self:process { fork signal_perms getsched };
+ domain_auto_trans($1_gift_t, giftd_exec_t, $1_giftd_t)
+ 
+ # Connect to gift daemon
+@@ -40,6 +46,10 @@
+ allow $1_gift_t proc_t:dir search;
+ allow $1_gift_t proc_t:file { getattr read };
+ 
++# Read /etc/mtab, /etc/nsswitch.conf
++allow $1_gift_t etc_t:file { getattr read };
++allow $1_gift_t etc_runtime_t:file { getattr read };
++
+ # Tmp/ORBit
+ tmp_domain($1_gift)
+ file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
+@@ -78,6 +88,7 @@
+ read_sysctl($1_giftd_t)
+ read_locale($1_giftd_t)
+ uses_shlib($1_giftd_t)
++access_terminal($1_giftd_t, $1)
+ 
+ # Access home domain
+ home_domain_access($1_giftd_t, $1, gift)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.5/macros/program/mozilla_macros.te
+--- nsapolicy/macros/program/mozilla_macros.te	2005-03-21 22:32:19.000000000 -0500
++++ policy-1.23.5/macros/program/mozilla_macros.te	2005-03-28 10:21:45.000000000 -0500
+@@ -24,33 +24,52 @@
+ }
+ role $1_r types $1_mozilla_t;
+ 
++# X access, Home files
+ home_domain($1, mozilla)
+ x_client_domain($1, mozilla)
++
++# Browse files
+ file_browse_domain($1_mozilla_t)
+ 
++can_network($1_mozilla_t)
++uses_shlib($1_mozilla_t)
++read_locale($1_mozilla_t)
++read_sysctl($1_mozilla_t)
++access_terminal($1_mozilla_t, $1)
++
+ allow $1_mozilla_t sound_device_t:chr_file rw_file_perms;
+ 
+ # Unrestricted inheritance from the caller.
+ allow $1_t $1_mozilla_t:process { noatsecure siginh rlimitinh };
+ allow $1_mozilla_t $1_t:process signull;
+ 
+-# Set resource limits and scheduling info.
+-allow $1_mozilla_t self:process { setrlimit setsched };
++# Fork, set resource limits and scheduling info.
++allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
+ 
+ allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
+ allow $1_mozilla_t var_lib_t:file { getattr read };
+ allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
+ allow $1_mozilla_t self:socket create_socket_perms;
+ allow $1_mozilla_t self:file { getattr read };
++allow $1_mozilla_t self:fifo_file rw_file_perms;
+ 
+-# for bash
++# for bash - old mozilla binary
++can_exec($1_mozilla_t, mozilla_exec_t)
++can_exec($1_mozilla_t, bin_t)
++allow $1_mozilla_t bin_t:lnk_file read;
+ allow $1_mozilla_t device_t:dir r_dir_perms;
+-allow $1_mozilla_t devpts_t:dir r_dir_perms;
+ allow $1_mozilla_t proc_t:file { getattr read };
++allow $1_mozilla_t proc_t:lnk_file read;
++allow $1_mozilla_t self:dir search;
++allow $1_mozilla_t self:lnk_file read;
+ r_dir_file($1_mozilla_t, proc_net_t)
+ 
+ allow $1_mozilla_t { var_t var_lib_t }:dir search;
+ 
++# Allow mozilla to read /etc/mtab, /etc/nsswitch.conf
++allow $1_mozilla_t etc_t:file { getattr read };
++allow $1_mozilla_t etc_runtime_t:file { getattr read };
++
+ # interacting with gstreamer
+ r_dir_file($1_mozilla_t, var_t)
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/ssh_macros.te policy-1.23.5/macros/program/ssh_macros.te
 --- nsapolicy/macros/program/ssh_macros.te	2005-03-24 08:58:29.000000000 -0500
-+++ policy-1.23.5/macros/program/ssh_macros.te	2005-03-24 09:26:14.000000000 -0500
++++ policy-1.23.5/macros/program/ssh_macros.te	2005-03-28 10:21:45.000000000 -0500
 @@ -80,7 +80,7 @@
  # Grant permissions needed to create TCP and UDP sockets and
  # to access the network.
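Review bot: games_domain.te ends its new block with an empty `# ` comment followed by a blank line just before `')dnl end macro definition`, which reads as an unfinished note; drop it or complete it. Because the x_client_domain macro (stripped in the following hunk) no longer grants can_network, name_connect, can_ypbind or can_exec on bin_t, the per-domain additions here re-grant only some of them: mozilla receives `can_network` and `can_exec($1_mozilla_t, bin_t)`, but gift and games receive neither in this hunk, so unless they obtain network access elsewhere in their macros the giFT client loses connectivity it previously had implicitly. A comment at each call site stating which former x_client_domain grants were intentionally not carried over would make the new least-privilege split auditable.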
@@ -198,9 +542,162 @@
  can_resolve($1_ssh_t)
  can_ypbind($1_ssh_t)
  can_kerberos($1_ssh_t)
+@@ -153,6 +153,22 @@
+ allow $1_ssh_t mnt_t:dir search;
+ r_dir_file($1_ssh_t, removable_t) 
+ 
++type $1_ssh_keysign_t, domain, nscd_client_domain;
++role $1_r types $1_ssh_keysign_t;
++domain_auto_trans($1_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
++allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
++allow $1_ssh_keysign_t self:capability { setgid setuid };
++allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
++uses_shlib($1_ssh_keysign_t)
++dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
++dontaudit $1_ssh_keysign_t proc_t:dir search;
++dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
++allow $1_ssh_keysign_t usr_t:dir search;
++allow $1_ssh_keysign_t etc_t:file { getattr read };
++allow $1_ssh_keysign_t self:dir search;
++allow $1_ssh_keysign_t self:file { getattr read };
++allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
++
+ ifdef(`xdm.te', `
+ # should be able to remove these two later
+ allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
+@@ -164,7 +180,6 @@
+ allow $1_ssh_t xdm_t:fd use;
+ ')dnl end if xdm.te
+ ')dnl end macro definition
+-
+ ', `
+ 
+ define(`ssh_domain',`')
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/tvtime_macros.te policy-1.23.5/macros/program/tvtime_macros.te
+--- nsapolicy/macros/program/tvtime_macros.te	2005-03-21 22:32:20.000000000 -0500
++++ policy-1.23.5/macros/program/tvtime_macros.te	2005-03-28 10:21:45.000000000 -0500
+@@ -24,11 +24,21 @@
+ domain_auto_trans($1_t, tvtime_exec_t, $1_tvtime_t)
+ role $1_r types $1_tvtime_t;
+ 
+-# Home access, X access
++# X access, Home files
+ home_domain($1, tvtime)
+-tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
+ x_client_domain($1, tvtime)
+ 
++uses_shlib($1_tvtime_t)
++read_locale($1_tvtime_t)
++read_sysctl($1_tvtime_t)
++access_terminal($1_tvtime_t, $1)
++
++# Read /etc/tvtime
++allow $1_tvtime_t etc_t:file { getattr read };
++
++# Tmp files
++tmp_domain($1_tvtime, `', `{ file dir fifo_file }')
++
+ allow $1_tvtime_t urandom_device_t:chr_file read;
+ allow $1_tvtime_t clock_device_t:chr_file { ioctl read };
+ allow $1_tvtime_t kernel_t:system ipc_info;
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/x_client_macros.te policy-1.23.5/macros/program/x_client_macros.te
+--- nsapolicy/macros/program/x_client_macros.te	2005-03-24 08:58:29.000000000 -0500
++++ policy-1.23.5/macros/program/x_client_macros.te	2005-03-28 10:21:45.000000000 -0500
+@@ -43,54 +43,17 @@
+ #
+ define(`x_client_domain',`
+ 
+-# This domain is granted permissions common to most domains (including can_net)
+-can_network($1_$2_t)
+-allow $1_$2_t port_type:tcp_socket name_connect;
+-can_ypbind($1_$2_t)
+-allow $1_$2_t self:process { fork signal_perms getsched };
+ allow $1_$2_t self:unix_dgram_socket create_socket_perms;
+ allow $1_$2_t self:unix_stream_socket { connectto create_stream_socket_perms };
+-allow $1_$2_t self:fifo_file rw_file_perms;
+-allow $1_$2_t etc_runtime_t:file { getattr read };
+-allow $1_$2_t etc_t:lnk_file read;
+-allow $1_$2_t fs_t:filesystem getattr;
+-access_terminal($1_$2_t, $1)
+-read_locale($1_$2_t)
+-r_dir_file($1_$2_t, readable_t)
+-allow $1_$2_t proc_t:dir search;
+-allow $1_$2_t proc_t:lnk_file read;
+-allow $1_$2_t self:dir search;
+-allow $1_$2_t self:lnk_file read;
+-read_sysctl($1_$2_t)
+ 
+ ifdef(`xauth.te',`
+ allow $1_$2_t $1_xauth_home_t:file { getattr read };
+ ')
+ 
+ # Allow the user domain to send any signal to the $2 process.
++can_ps($1_t, $1_$2_t)
+ allow $1_t $1_$2_t:process signal_perms;
+ 
+-# Allow the user domain to read the /proc/PID directory for 
+-# the $2 process.
+-allow $1_t $1_$2_t:dir r_dir_perms;
+-allow $1_t $1_$2_t:notdevfile_class_set r_file_perms;
+-
+-# Allow use of /dev/zero by ld.so.
+-allow $1_$2_t device_t:dir search;
+-allow $1_$2_t zero_device_t:chr_file rw_file_perms;
+-allow $1_$2_t zero_device_t:chr_file x_file_perms;
+-
+-# allow using shared libraries and running programs
+-uses_shlib($1_$2_t)
+-allow $1_$2_t { bin_t sbin_t }:dir search;
+-allow $1_$2_t bin_t:lnk_file read;
+-can_exec($1_$2_t, { shell_exec_t bin_t })
+-allow $1_$2_t etc_t:file { getattr read };
+-
+-# Inherit and use descriptors from gnome-pty-helper.
+-ifdef(`gnome-pty-helper.te', `allow $1_$2_t $1_gph_t:fd use;')
+-allow $1_$2_t privfd:fd use;
+-
+ # for .xsession-errors
+ dontaudit $1_$2_t $1_home_t:file write;
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.23.5/Makefile
+--- nsapolicy/Makefile	2005-03-15 08:02:23.000000000 -0500
++++ policy-1.23.5/Makefile	2005-03-28 14:24:52.000000000 -0500
+@@ -77,12 +77,12 @@
+ 
+ all:  policy
+ 
+-tmp/valid_fc: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
++tmp/valid_fc: $(ROOTFILES) $(FCPATH) $(APPDIR)/customizable_types
+ 	@echo "Validating file_contexts ..."	
+ 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
+ 	@touch tmp/valid_fc
+ 
+-install: tmp/valid_fc $(USERPATH)/local.users
++install: tmp/valid_fc  $(APPFILES) $(USERPATH)/local.users
+ 
+ $(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+ 	@mkdir -p $(USERPATH)
+@@ -96,7 +96,7 @@
+ 
+ $(USERPATH)/local.users: local.users
+ 	@mkdir -p $(USERPATH)
+-	install -C -b -m 644 $< $@
++	install -b -m 644 $< $@
+ 
+ $(CONTEXTPATH)/files/media: appconfig/media
+ 	mkdir -p $(CONTEXTPATH)/files/
+@@ -139,7 +139,7 @@
+ 	mkdir -p $(APPDIR)/users
+ 	install -m 644 $< $@
+ 
+-$(LOADPATH):  policy.conf $(CHECKPOLICY)
++$(LOADPATH):  tmp/valid_fc $(CHECKPOLICY) 
+ 	mkdir -p $(POLICYPATH)
+ 	$(CHECKPOLICY) $(CHECKPOLMLS) -o $@ policy.conf
+ ifneq ($(MLS),y)
 diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.5/net_contexts
 --- nsapolicy/net_contexts	2005-03-24 08:58:25.000000000 -0500
-+++ policy-1.23.5/net_contexts	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/net_contexts	2005-03-28 10:21:45.000000000 -0500
 @@ -44,11 +44,11 @@
  ')
  ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
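Review bot: The new `$1_ssh_keysign_t` domain in ssh_macros.te reads sshd_key_t (the host private keys) with `self:capability { setgid setuid }` and is reachable from every `$1_t` through domain_auto_trans, yet the block carries no comment; add a header such as `# ssh-keysign: setuid helper for host-based authentication; reads the host private key, then drops privileges` so the key read is recognisably intentional, and say what noise the three dontaudit rules on selinux_config_t and proc_t are hiding. In the Makefile change, `tmp/valid_fc` still runs `$(SETFILES) -q -c $(LOADPATH) $(FCPATH)` while `$(LOADPATH)` now depends on tmp/valid_fc instead of the reverse, so the file_contexts check validates against whatever policy binary already exists (or fails on a clean tree) rather than the one being built; if that ordering is intended, a comment on the rule should say so. The x_client_macros.te removal is consistent with the additions in the previous hunk, but any caller of x_client_domain outside this patch loses uses_shlib, read_locale, access_terminal and the privfd/zero_device_t rules at once.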
@@ -261,7 +758,7 @@
  ifdef(`amanda.te', `
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.5/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.5/tunables/distro.tun	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/tunables/distro.tun	2005-03-28 10:21:45.000000000 -0500
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -273,7 +770,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.5/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.5/tunables/tunable.tun	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/tunables/tunable.tun	2005-03-28 10:21:45.000000000 -0500
 @@ -1,27 +1,27 @@
  # Allow users to execute the mount command
 -dnl define(`user_can_mount')
@@ -310,7 +807,7 @@
  # that do not have a domain transition explicitly defined.
 diff --exclude-from=exclude -N -u -r nsapolicy/types/file.te policy-1.23.5/types/file.te
 --- nsapolicy/types/file.te	2005-03-24 08:58:30.000000000 -0500
-+++ policy-1.23.5/types/file.te	2005-03-24 10:08:59.000000000 -0500
++++ policy-1.23.5/types/file.te	2005-03-28 10:21:45.000000000 -0500
 @@ -277,8 +277,9 @@
  
  type tmpfs_t, file_type, sysadmfile, fs_type;
@@ -324,7 +821,7 @@
  type autofs_t, fs_type, noexattrfile, sysadmfile;
 diff --exclude-from=exclude -N -u -r nsapolicy/types/network.te policy-1.23.5/types/network.te
 --- nsapolicy/types/network.te	2005-03-24 08:58:30.000000000 -0500
-+++ policy-1.23.5/types/network.te	2005-03-24 09:17:44.000000000 -0500
++++ policy-1.23.5/types/network.te	2005-03-28 10:21:45.000000000 -0500
 @@ -22,13 +22,11 @@
  #
  # Defines used by the te files need to be defined outside of net_constraints


Index: selinux-policy-strict.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.262
retrieving revision 1.263
diff -u -r1.262 -r1.263
--- selinux-policy-strict.spec	24 Mar 2005 15:15:05 -0000	1.262
+++ selinux-policy-strict.spec	29 Mar 2005 15:44:33 -0000	1.263
@@ -5,11 +5,12 @@
 %define POLICYVER 19
 %define POLICYCOREUTILSVER 1.22-2
 %define CHECKPOLICYVER 1.21.4
+%define LIBSELINUXVER 1.23.2-2
 
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.5
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -21,7 +22,7 @@
 BuildArch: noarch
 BuildRequires: checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires: python
-PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER}
+PreReq: kernel >= 2.6.4-1.300 policycoreutils >= %{POLICYCOREUTILSVER} libselinux >= %{LIBSELINUXVER}
 Obsoletes: policy
 
 %description
@@ -67,6 +68,7 @@
 install -m0600 %{SOURCE1} ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/src/policy/policy.conf
 touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/config
+touch ${RPM_BUILD_ROOT}%{_sysconfdir}/selinux/%{type}/booleans.local
 
 %clean
 rm -rf ${RPM_BUILD_ROOT}
@@ -81,7 +83,8 @@
 %dir %{_sysconfdir}/selinux/%{type}/contexts
 %dir %{_sysconfdir}/selinux/%{type}/contexts/files
 %dir %{_sysconfdir}/selinux/%{type}/contexts/users
-%config (noreplace) %{_sysconfdir}/selinux/%{type}/booleans
+%config %{_sysconfdir}/selinux/%{type}/booleans
+%ghost %config(noreplace) %{_sysconfdir}/selinux/%{type}/booleans.local
 %{_sysconfdir}/selinux/%{type}/policy/policy.%{POLICYVER}
 %{_sysconfdir}/selinux/%{type}/policy/policy.18
 %{_sysconfdir}/selinux/%{type}/contexts/files/file_contexts
@@ -150,12 +153,14 @@
 	fi
 	[ -x /usr/sbin/genhomedircon ] && /usr/sbin/genhomedircon --type %{type}
 fi
+[ -f ${POLICYDIR}/booleans.rpmorig ] && [ ! -f ${POLICYDIR}/booleans.local ] && mv ${POLICYDIR}/booleans.rpmorig ${POLICYDIR}/booleans.local
+
 exit 0
 
 %package sources
 Summary: SELinux example policy configuration source files 
 Group: System Environment/Base
-PreReq: m4 make checkpolicy >= %{CHECKPOLICYVER} policycoreutils >= %{POLICYCOREUTILSVER} kernel >= 2.6.4-1.300
+PreReq: m4 make checkpolicy >= %{CHECKPOLICYVER} policycoreutils >= %{POLICYCOREUTILSVER} kernel >= 2.6.4-1.300 libselinux >= %{LIBSELINUXVER}
 PreReq: selinux-policy-%{type} = %{version}-%{release}
 Requires: python
 BuildRequires: checkpolicy  >= %{CHECKPOLICYVER} policycoreutils
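Review bot: The migration on the `[ -f ${POLICYDIR}/booleans.rpmorig ]` line only looks for `booleans.rpmorig`, but as far as I recall rpm writes a locally modified `%config` file aside as `booleans.rpmsave` when an upgrade replaces it; `.rpmorig` is produced only when the pre-existing file was not owned by the package being replaced. Since this release drops `noreplace` from the `booleans` entry, an administrator who had tightened a boolean in the old file will have that copy saved as `.rpmsave`, nothing copied into `booleans.local`, and the shipped defaults silently take effect at the next policy load. I would handle both names: `for f in ${POLICYDIR}/booleans.rpmsave ${POLICYDIR}/booleans.rpmorig; do [ -f $f ] && [ ! -f ${POLICYDIR}/booleans.local ] && mv $f ${POLICYDIR}/booleans.local; done`. Moving the whole old file also pins every boolean it lists, not just the customized ones, to the old values, which is worth a comment next to the line. The `%post` body this line sits in starts outside the hunk, so `${POLICYDIR}` is assumed to be set earlier in it.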
@@ -214,6 +219,10 @@
 exit 0
 
 %changelog
+* Thu Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.5-2
+- Handle booleans.local
+- Add policy to handle ssh-keysign
+
 * Thu Mar 23 2005 Dan Walsh <dwalsh at redhat.com> 1.23.5-1
 - Update to latest from NSA
 



