rpms/selinux-policy-targeted/devel policy-20050502.patch, 1.6, 1.7 selinux-policy-targeted.spec, 1.296, 1.297

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon May 9 20:24:16 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv11695

Modified Files:
	policy-20050502.patch selinux-policy-targeted.spec 
Log Message:
* Mon May 9 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-2
- Add Russell Fixes.  Add rdisc policy.
- Add some of Ivan's changes.
- remove syslog boolean


policy-20050502.patch:
 assert.te                           |    8 -----
 attrib.te                           |    7 ++++
 domains/program/initrc.te           |    2 -
 domains/program/klogd.te            |    2 -
 domains/program/modutil.te          |    1 
 domains/program/passwd.te           |    1 
 domains/program/syslogd.te          |    8 +----
 domains/program/unused/amanda.te    |    2 -
 domains/program/unused/cups.te      |    4 ++
 domains/program/unused/hald.te      |    2 -
 domains/program/unused/hotplug.te   |    4 +-
 domains/program/unused/kudzu.te     |    3 +-
 domains/program/unused/mysqld.te    |    2 -
 domains/program/unused/rdisc.te     |   13 ++++++++
 file_contexts/program/rdisc.fc      |    1 
 file_contexts/program/traceroute.fc |    1 
 macros/base_user_macros.te          |    9 +++++-
 macros/global_macros.te             |   33 +++++++++++-----------
 macros/program/gift_macros.te       |    6 ++--
 macros/program/gpg_agent_macros.te  |    3 --
 macros/program/mozilla_macros.te    |   54 ++++++++++++++++++++++--------------
 macros/program/mplayer_macros.te    |   45 +++++++++++++++++++++---------
 net_contexts                        |    2 -
 targeted/domains/unconfined.te      |    5 +++
 tunables/distro.tun                 |    2 -
 tunables/tunable.tun                |    4 +-
 26 files changed, 142 insertions(+), 82 deletions(-)

Index: policy-20050502.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050502.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20050502.patch	7 May 2005 05:02:43 -0000	1.6
+++ policy-20050502.patch	9 May 2005 20:24:13 -0000	1.7
@@ -1,6 +1,114 @@
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.14/domains/program/unused/amanda.te
---- nsapolicy/domains/program/unused/amanda.te	2005-05-02 14:06:54.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/amanda.te	2005-05-06 12:40:27.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsapolicy/assert.te policy-1.23.15/assert.te
+--- nsapolicy/assert.te	2005-04-27 10:28:48.000000000 -0400
++++ policy-1.23.15/assert.te	2005-05-09 14:00:55.713574000 -0400
+@@ -75,13 +75,7 @@
+ #
+ # Verify that /proc/kmsg is only accessible to klogd.
+ #
+-ifdef(`klogd.te', `
+-neverallow {domain -klogd_t -unrestricted } proc_kmsg_t:file ~stat_file_perms;
+-', `
+-ifdef(`syslogd.te', `
+-neverallow {domain -syslogd_t -unrestricted } proc_kmsg_t:file ~stat_file_perms;
+-')dnl end if syslogd
+-')dnl end if klogd
++neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
+ 
+ #
+ # Verify that /proc/kcore is inaccessible.
+diff --exclude-from=exclude -N -u -r nsapolicy/attrib.te policy-1.23.15/attrib.te
+--- nsapolicy/attrib.te	2005-05-09 10:36:38.114176000 -0400
++++ policy-1.23.15/attrib.te	2005-05-09 13:59:34.789012000 -0400
+@@ -121,6 +121,13 @@
+ # tagged with this attribute.
+ attribute privmem;
+ 
++# The privkmsg attribute identifies every domain that can 
++# read kernel messages (/proc/kmsg)
++# This attribute is used in the TE assertions to verify
++# that such access is limited to domains that are explicitly
++# tagged with this attribute.
++attribute privkmsg;
++
+ # The privfd attribute identifies every domain that should have
+ # file handles inherited widely (IE sshd_t and getty_t).
+ attribute privfd;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.23.15/domains/program/initrc.te
+--- nsapolicy/domains/program/initrc.te	2005-05-09 10:36:38.778511000 -0400
++++ policy-1.23.15/domains/program/initrc.te	2005-05-09 11:00:37.972442000 -0400
+@@ -230,7 +230,7 @@
+ allow initrc_t home_type:file r_file_perms;
+ 
+ # for system start scripts
+-allow initrc_t pidfile:dir rw_dir_perms;
++allow initrc_t pidfile:dir { rmdir rw_dir_perms };
+ allow initrc_t pidfile:sock_file unlink;
+ rw_dir_create_file(initrc_t, var_lib_t)
+ 
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/klogd.te policy-1.23.15/domains/program/klogd.te
+--- nsapolicy/domains/program/klogd.te	2005-05-09 10:36:38.800489000 -0400
++++ policy-1.23.15/domains/program/klogd.te	2005-05-09 14:09:15.155634000 -0400
+@@ -8,7 +8,7 @@
+ #
+ # Rules for the klogd_t domain.
+ #
+-daemon_domain(klogd, `, privmem')
++daemon_domain(klogd, `, privmem, privkmsg')
+ 
+ tmp_domain(klogd)
+ allow klogd_t proc_t:dir r_dir_perms;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/modutil.te policy-1.23.15/domains/program/modutil.te
+--- nsapolicy/domains/program/modutil.te	2005-05-09 10:36:38.892397000 -0400
++++ policy-1.23.15/domains/program/modutil.te	2005-05-09 10:48:02.510095000 -0400
+@@ -115,6 +115,7 @@
+ allow insmod_t { var_t var_log_t }:dir search;
+ ifdef(`xserver.te', `
+ allow insmod_t xserver_log_t:file getattr;
++allow insmod_t xserver_misc_device_t:chr_file { read write };
+ ')
+ rw_dir_create_file(insmod_t, var_log_ksyms_t)
+ allow insmod_t { etc_t etc_runtime_t }:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/passwd.te policy-1.23.15/domains/program/passwd.te
+--- nsapolicy/domains/program/passwd.te	2005-04-27 10:28:49.000000000 -0400
++++ policy-1.23.15/domains/program/passwd.te	2005-05-09 10:38:25.291893000 -0400
+@@ -148,3 +148,4 @@
+ allow passwd_t userdomain:file read;
+ allow passwd_t userdomain:process getattr;
+ 
++allow passwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/syslogd.te policy-1.23.15/domains/program/syslogd.te
+--- nsapolicy/domains/program/syslogd.te	2005-04-27 10:28:49.000000000 -0400
++++ policy-1.23.15/domains/program/syslogd.te	2005-05-09 13:58:09.747139000 -0400
+@@ -14,9 +14,9 @@
+ # by syslogd.
+ #
+ ifdef(`klogd.te', `
+-daemon_domain(syslogd)
++daemon_domain(syslogd, `, privkmsg')
+ ', `
+-daemon_domain(syslogd, `, privmem')
++daemon_domain(syslogd, `, privmem, privkmsg')
+ ')
+ 
+ # can_network is for the UDP socket
+@@ -102,9 +102,6 @@
+ allow syslogd_t var_run_t:fifo_file { ioctl read write };
+ ')
+ 
+-bool use_syslogng false;
+-
+-if (use_syslogng) {
+ # Allow access to /proc/kmsg for syslog-ng
+ allow syslogd_t proc_t:dir search;
+ allow syslogd_t proc_kmsg_t:file { getattr read };
+@@ -113,4 +110,3 @@
+ allow syslogd_t var_log_t:dir { create setattr };
+ allow syslogd_t syslogd_port_t:tcp_socket name_bind;
+ allow syslogd_t rsh_port_t:tcp_socket name_connect;
+-}
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/amanda.te policy-1.23.15/domains/program/unused/amanda.te
+--- nsapolicy/domains/program/unused/amanda.te	2005-05-09 10:36:39.141148000 -0400
++++ policy-1.23.15/domains/program/unused/amanda.te	2005-05-09 10:35:51.998338000 -0400
 @@ -303,7 +303,7 @@
  
  allow amanda_t file_type:dir {getattr read search };
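Review bot: The assert.te comment kept at the top of the first nested hunk still says `# Verify that /proc/kmsg is only accessible to klogd.`, but the rewritten neverallow now exempts every domain carrying `privkmsg`, and this same hunk tags both klogd_t and syslogd_t with that attribute; the comment should read `# Verify that /proc/kmsg is only accessible to domains tagged privkmsg (klogd, syslogd).` The syslogd.te part also deletes the `use_syslogng` boolean, so `allow syslogd_t proc_kmsg_t:file { getattr read }` becomes unconditional instead of opt-in; that agrees with the new assertion but widens the default policy, and a one-line comment above that allow rule recording that syslogd now reads /proc/kmsg by default would make the intent visible to the next reader. The closing `}` of the removed `if (use_syslogng) {` block is dropped by the following nested hunk (`@@ -113,4 +110,3`), so the two pieces must land together or the policy will not build.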
@@ -10,9 +118,9 @@
  dontaudit amanda_t file_type:sock_file getattr;
  logdir_domain(amanda)
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.14/domains/program/unused/cups.te
---- nsapolicy/domains/program/unused/cups.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/cups.te	2005-05-06 08:31:46.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/cups.te policy-1.23.15/domains/program/unused/cups.te
+--- nsapolicy/domains/program/unused/cups.te	2005-05-09 10:36:39.366922000 -0400
++++ policy-1.23.15/domains/program/unused/cups.te	2005-05-09 10:35:52.014322000 -0400
 @@ -202,6 +202,7 @@
  rw_dir_create_file(cupsd_config_t, cupsd_etc_t)
  rw_dir_create_file(cupsd_config_t, cupsd_rw_etc_t)
@@ -29,9 +137,9 @@
 +allow { cupsd_config_t cupsd_t } unconfined_t:dbus send_msg;
 +allow unconfined_t cupsd_config_t:dbus send_msg;
  ')
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.14/domains/program/unused/hald.te
---- nsapolicy/domains/program/unused/hald.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/hald.te	2005-05-06 08:37:26.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hald.te policy-1.23.15/domains/program/unused/hald.te
+--- nsapolicy/domains/program/unused/hald.te	2005-05-09 10:36:39.533755000 -0400
++++ policy-1.23.15/domains/program/unused/hald.te	2005-05-09 10:35:52.067269000 -0400
 @@ -36,7 +36,7 @@
  
  allow hald_t self:netlink_kobject_uevent_socket create_socket_perms;
@@ -41,9 +149,9 @@
  can_network_server(hald_t)
  can_ypbind(hald_t)
  
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.14/domains/program/unused/hotplug.te
---- nsapolicy/domains/program/unused/hotplug.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/hotplug.te	2005-05-05 23:07:49.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/hotplug.te policy-1.23.15/domains/program/unused/hotplug.te
+--- nsapolicy/domains/program/unused/hotplug.te	2005-05-09 10:36:39.568720000 -0400
++++ policy-1.23.15/domains/program/unused/hotplug.te	2005-05-09 10:35:52.072264000 -0400
 @@ -29,7 +29,7 @@
  
  # get info from /proc
@@ -62,9 +170,9 @@
  allow hotplug_t sysfs_t:file { getattr read };
  allow hotplug_t sysfs_t:lnk_file { getattr read };
  allow hotplug_t udev_runtime_t:file rw_file_perms;
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.14/domains/program/unused/kudzu.te
---- nsapolicy/domains/program/unused/kudzu.te	2005-05-07 00:41:09.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/kudzu.te	2005-05-06 09:28:58.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/kudzu.te policy-1.23.15/domains/program/unused/kudzu.te
+--- nsapolicy/domains/program/unused/kudzu.te	2005-05-09 10:36:39.807482000 -0400
++++ policy-1.23.15/domains/program/unused/kudzu.te	2005-05-09 10:45:51.063673000 -0400
 @@ -26,7 +26,6 @@
  allow kudzu_t mouse_device_t:chr_file { read write };
  allow kudzu_t proc_net_t:dir r_dir_perms;
@@ -73,9 +181,19 @@
  allow kudzu_t { fixed_disk_device_t removable_device_t }:blk_file rw_file_perms;
  allow kudzu_t scsi_generic_device_t:chr_file r_file_perms;
  allow kudzu_t { bin_t sbin_t }:dir { getattr search };
-diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.14/domains/program/unused/mysqld.te
+@@ -95,7 +94,9 @@
+ ifdef(`lpd.te', `
+ allow kudzu_t printconf_t:file { getattr read };
+ ')
++ifdef(`cups.te', `
+ allow kudzu_t cupsd_rw_etc_t:dir r_dir_perms;
++')
+ dontaudit kudzu_t src_t:dir search;
+ ifdef(`xserver.te', `
+ allow kudzu_t xserver_exec_t:file getattr;
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/mysqld.te policy-1.23.15/domains/program/unused/mysqld.te
 --- nsapolicy/domains/program/unused/mysqld.te	2005-04-27 10:28:51.000000000 -0400
-+++ policy-1.23.14/domains/program/unused/mysqld.te	2005-05-05 22:42:20.000000000 -0400
++++ policy-1.23.15/domains/program/unused/mysqld.te	2005-05-09 10:35:52.157179000 -0400
 @@ -35,7 +35,7 @@
  allow initrc_t mysqld_log_t:file { write append setattr ioctl };
  
@@ -85,9 +203,385 @@
  
  allow mysqld_t proc_t:file { getattr read };
  
-diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.14/targeted/domains/unconfined.te
---- nsapolicy/targeted/domains/unconfined.te	2005-05-02 14:06:57.000000000 -0400
-+++ policy-1.23.14/targeted/domains/unconfined.te	2005-05-02 16:12:08.000000000 -0400
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/rdisc.te policy-1.23.15/domains/program/unused/rdisc.te
+--- nsapolicy/domains/program/unused/rdisc.te	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.23.15/domains/program/unused/rdisc.te	2005-05-09 11:01:30.847514000 -0400
+@@ -0,0 +1,13 @@
++#DESC rdisc - network router discovery daemon
++#
++# Author:  Russell Coker <russell at coker.com.au>
++
++daemon_base_domain(rdisc)
++allow rdisc_t self:unix_stream_socket create_stream_socket_perms;
++allow rdisc_t self:rawip_socket create_socket_perms;
++allow rdisc_t self:udp_socket create_socket_perms;
++allow rdisc_t self:capability net_raw;
++
++can_network_udp(rdisc_t)
++
++allow rdisc_t etc_t:file { getattr read };
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rdisc.fc policy-1.23.15/file_contexts/program/rdisc.fc
+--- nsapolicy/file_contexts/program/rdisc.fc	1969-12-31 19:00:00.000000000 -0500
++++ policy-1.23.15/file_contexts/program/rdisc.fc	2005-05-09 11:01:42.649700000 -0400
+@@ -0,0 +1 @@
++/sbin/rdisc		system_u:object_r:rdisc_exec_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/traceroute.fc policy-1.23.15/file_contexts/program/traceroute.fc
+--- nsapolicy/file_contexts/program/traceroute.fc	2005-05-09 10:36:42.384901000 -0400
++++ policy-1.23.15/file_contexts/program/traceroute.fc	2005-05-09 11:02:12.674645000 -0400
+@@ -1,7 +1,6 @@
+ # traceroute
+ /bin/traceroute.*	--	system_u:object_r:traceroute_exec_t
+ /bin/tracepath.*	--	system_u:object_r:traceroute_exec_t
+-/sbin/rdisc		--	system_u:object_r:traceroute_exec_t
+ /usr/(s)?bin/traceroute.* --	system_u:object_r:traceroute_exec_t
+ /usr/bin/lft		--	system_u:object_r:traceroute_exec_t
+ /usr/bin/nmap		--	system_u:object_r:traceroute_exec_t
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/base_user_macros.te policy-1.23.15/macros/base_user_macros.te
+--- nsapolicy/macros/base_user_macros.te	2005-05-09 10:36:42.617668000 -0400
++++ policy-1.23.15/macros/base_user_macros.te	2005-05-09 10:52:23.547796000 -0400
+@@ -68,7 +68,14 @@
+ allow $1_t dri_device_t:chr_file getattr;
+ dontaudit $1_t dri_device_t:chr_file rw_file_perms;
+ 
+-file_browse_domain($1_t)
++# Supress ls denials:
++# getattr() - ls -l
++# search_dir() - symlink path resolution
++# read_dir() - deep ls: ls parent/...
++
++dontaudit_getattr($1_t)
++dontaudit_search_dir($1_t)
++dontaudit_read_dir($1_t)
+ 
+ # allow ptrace
+ can_ptrace($1_t, $1_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.23.15/macros/global_macros.te
+--- nsapolicy/macros/global_macros.te	2005-05-09 10:36:42.746539000 -0400
++++ policy-1.23.15/macros/global_macros.te	2005-05-09 10:52:23.561782000 -0400
+@@ -156,7 +156,6 @@
+ r_dir_file($1, locale_t)
+ ')
+ 
+-
+ ###################################
+ #
+ # access_terminal(domain, typeprefix)
+@@ -620,23 +619,25 @@
+ allow $1_t etc_t:dir r_dir_perms;
+ ')
+ 
+-# Do not flood message log, if the user does a browse
+-define(`file_browse_domain', `
++# Dontaudit macros to prevent flooding the log
+ 
+-# Regular files/directories that are not security sensitive
++define(`dontaudit_getattr', `
+ dontaudit $1 file_type - secure_file_type:dir_file_class_set getattr; 
+-dontaudit $1 file_type - secure_file_type:dir { read search };
+-
+-# /dev
+-dontaudit $1 dev_fs:dir_file_class_set getattr;
+-dontaudit $1 dev_fs:dir { read search };
+-
+-# /proc
+-dontaudit $1 sysctl_t:dir_file_class_set getattr;
+-dontaudit $1 proc_fs:dir { read search };
+-
+-')dnl end file_browse_domain
+-
++dontaudit $1 unlabeled_t:dir_file_class_set getattr;
++dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir_file_class_set getattr;
++')dnl end dontaudit_getattr 
++
++define(`dontaudit_search_dir', `
++dontaudit $1 file_type - secure_file_type:dir search;
++dontaudit $1 unlabeled_t:dir search;
++dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir search;
++')dnl end dontaudit_search_dir
++
++define(`dontaudit_read_dir', `
++dontaudit $1 file_type - secure_file_type:dir read;
++dontaudit $1 unlabeled_t:dir read;
++dontaudit $1 { fs_type proc_fs dev_fs sysctl_type }:dir read;
++')dnl end dontaudit_read_dir
+ 
+ # Define legacy_domain  for legacy binaries (java)
+ # "legacy" binary == lacks PT_GNU_STACK header, i.e. built with an old
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gift_macros.te policy-1.23.15/macros/program/gift_macros.te
+--- nsapolicy/macros/program/gift_macros.te	2005-04-27 10:28:54.000000000 -0400
++++ policy-1.23.15/macros/program/gift_macros.te	2005-05-09 10:56:47.040040000 -0400
+@@ -17,9 +17,10 @@
+ domain_auto_trans($1_t, gift_exec_t, $1_gift_t)
+ role $1_r types $1_gift_t;
+ 
+-# X access, Home files 
++# X access, Home files, /tmp
+ x_client_domain($1_gift, $1)
+ home_domain($1, gift)
++tmp_domain($1_gift)
+ 
+ uses_shlib($1_gift_t)
+ read_locale($1_gift_t)
+@@ -32,6 +33,7 @@
+ 
+ # Self permissions
+ allow $1_gift_t self:process getsched;
++allow $1_gift_t self:fifo_file { read write };
+ 
+ # Fonts, icons
+ r_dir_file($1_gift_t, usr_t)
+@@ -104,7 +106,7 @@
+ home_domain_access($1_giftd_t, $1, gift)
+ 	
+ # Allow networking
+-allow $1_giftd_t port_t:tcp_socket name_bind;
++allow $1_giftd_t port_t:tcp_socket { name_bind name_connect };
+ allow $1_giftd_t port_t:udp_socket name_bind;
+ can_network_server($1_giftd_t)
+ can_network_client($1_giftd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/gpg_agent_macros.te policy-1.23.15/macros/program/gpg_agent_macros.te
+--- nsapolicy/macros/program/gpg_agent_macros.te	2005-04-27 10:28:54.000000000 -0400
++++ policy-1.23.15/macros/program/gpg_agent_macros.te	2005-05-09 11:04:21.841349000 -0400
+@@ -22,7 +22,6 @@
+ role $1_r types $1_gpg_agent_t;
+ 
+ allow $1_gpg_agent_t privfd:fd use;
+-allow $1_gpg_agent_t xdm_t:fd use;
+ 
+ # Write to the user domain tty.
+ access_terminal($1_gpg_agent_t, $1)
+@@ -86,7 +85,7 @@
+ allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
+ allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
+ can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
+-allow $1_gpg_pinentry_t xdm_t:fd use;
++allow { $1_gpg_agent_t $1_gpg_pinentry_t } xdm_t:fd use;
+ ')dnl end ig xdm.te
+ 
+ r_dir_file($1_gpg_pinentry_t, fonts_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mozilla_macros.te policy-1.23.15/macros/program/mozilla_macros.te
+--- nsapolicy/macros/program/mozilla_macros.te	2005-05-09 10:36:43.012273000 -0400
++++ policy-1.23.15/macros/program/mozilla_macros.te	2005-05-09 10:56:47.049031000 -0400
+@@ -16,7 +16,8 @@
+ # provided separately in domains/program/mozilla.te. 
+ #
+ define(`mozilla_domain',`
+-type $1_mozilla_t, domain, web_client_domain, privlog;
++
++type $1_mozilla_t, domain, web_client_domain, nscd_client_domain, privlog;
+ 
+ # Type transition
+ if (! disable_mozilla_trans) {
+@@ -28,8 +29,12 @@
+ home_domain($1, mozilla)
+ x_client_domain($1_mozilla, $1)
+ 
+-# Browse files
+-file_browse_domain($1_mozilla_t)
++# GNOME Open/Save As dialogs
++dontaudit_getattr($1_mozilla_t)
++dontaudit_search_dir($1_mozilla_t)
++
++# Look for plugins 
++allow $1_mozilla_t bin_t:dir { getattr read search };
+ 
+ can_network_client($1_mozilla_t)
+ allow $1_mozilla_t ftp_port_t:tcp_socket name_connect;
+@@ -54,6 +59,12 @@
+ allow $1_mozilla_t self:process { fork signal_perms setrlimit setsched getsched };
+ 
+ allow $1_mozilla_t usr_t:{ lnk_file file } { getattr read };
++
++# Access /proc
++allow $1_mozilla_t proc_t:dir search;
++allow $1_mozilla_t proc_t:file { getattr read };
++allow $1_mozilla_t proc_t:lnk_file read;
++
+ allow $1_mozilla_t var_lib_t:file { getattr read };
+ allow $1_mozilla_t { random_device_t urandom_device_t }:chr_file { getattr ioctl read };
+ allow $1_mozilla_t self:socket create_socket_perms;
+@@ -66,8 +77,6 @@
+ can_exec($1_mozilla_t, bin_t)
+ allow $1_mozilla_t bin_t:lnk_file read;
+ allow $1_mozilla_t device_t:dir r_dir_perms;
+-allow $1_mozilla_t proc_t:file { getattr read };
+-allow $1_mozilla_t proc_t:lnk_file read;
+ allow $1_mozilla_t self:dir search;
+ allow $1_mozilla_t self:lnk_file read;
+ r_dir_file($1_mozilla_t, proc_net_t)
+@@ -87,20 +96,6 @@
+ # Execute downloaded programs.
+ can_exec($1_mozilla_t, $1_mozilla_tmp_t)
+ 
+-# Use printer
+-ifdef(`lpr.te', `
+-domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
+-
+-# Print document
+-allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
+-
+-# Suppress history.fop denial
+-dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
+-
+-dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
+-dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
+-')
+-
+ # ORBit sockets
+ file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
+ can_unix_connect($1_t, $1_mozilla_t)
+@@ -144,6 +139,21 @@
+ javaplugin_domain($1_mozilla, $1)
+ ')
+ 
++
++# Use printer
++ifdef(`lpr.te', `
++domain_auto_trans($1_mozilla_t, lpr_exec_t, $1_lpr_t)
++
++# Print document
++allow $1_lpr_t $1_mozilla_tmp_t:file rw_file_perms;
++
++# Suppress history.fop denial
++dontaudit $1_lpr_t $1_mozilla_home_t:file { read write };
++
++dontaudit $1_lpr_t $1_mozilla_t:tcp_socket { read write };
++dontaudit $1_lpr_t $1_mozilla_t:unix_stream_socket { read write };
++')
++
+ # Mplayer plugin
+ ifdef(`mplayer.te', `
+ domain_auto_trans($1_mozilla_t, mplayer_exec_t, $1_mplayer_t)
+@@ -151,9 +161,10 @@
+ # Read mozilla content in /tmp
+ r_dir_file($1_mplayer_t, $1_mozilla_tmp_t);
+ 
+-# FIXME: why does it need this?
++# Suppress history.fop denial
+ dontaudit $1_mplayer_t $1_mozilla_home_t:file write;
+-allow $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
++
++dontaudit $1_mplayer_t $1_mozilla_t:unix_stream_socket { read write };
+ ')dnl end if mplayer.te  
+ 
+ if (allow_execmem) {
+@@ -162,6 +173,7 @@
+ if (allow_execmod) {
+ allow $1_mozilla_t texrel_shlib_t:file execmod;
+ }
++
+ dbusd_client(system, $1_mozilla)
+ ifdef(`apache.te', `
+ ifelse($1, sysadm, `', `
+diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/mplayer_macros.te policy-1.23.15/macros/program/mplayer_macros.te
+--- nsapolicy/macros/program/mplayer_macros.te	2005-04-27 10:28:55.000000000 -0400
++++ policy-1.23.15/macros/program/mplayer_macros.te	2005-05-09 10:56:26.156945000 -0400
+@@ -6,9 +6,9 @@
+ # mplayer_domains(user) declares domains for mplayer, gmplayer,
+ # and mencoder
+ 
+-##############################################
+-#    mplayer_common(user, mplayer domain)    #
+-##############################################
++#####################################################
++#    mplayer_common(role_prefix, mplayer_domain)    #
++#####################################################
+ 
+ define(`mplayer_common',`
+ 
+@@ -62,28 +62,28 @@
+ }
+ ')
+ 
+-############################
+-#  mplayer_domain(user)    #
+-############################
++###################################
++#  mplayer_domain(role_prefix)    #
++###################################
+ 
+ define(`mplayer_domain',`
+ 
+-type $1_mplayer_t, domain;
++type $1_mplayer_t, domain, nscd_client_domain;
+ 
+ # Type transition
+ domain_auto_trans($1_t, mplayer_exec_t, $1_mplayer_t)
+ role $1_r types $1_mplayer_t;
+ 
+-# Home access, X access, Browse files
++# Home access, X access
+ home_domain($1, mplayer)
+ x_client_domain($1_mplayer, $1)
+-file_browse_domain($1_mplayer_t)
+ 
+ # Mplayer common stuff
+ mplayer_common($1, mplayer)
+ 
+ # Fork 
+ allow $1_mplayer_t self:process { fork signal_perms getsched };
++allow $1_mplayer_t self:fifo_file rw_file_perms;
+ 
+ # Audio, alsa.conf
+ allow $1_mplayer_t sound_device_t:chr_file rw_file_perms;
+@@ -101,11 +101,30 @@
+ allow $1_mplayer_t $1_mplayer_tmpfs_t:file execute;
+ }
+ 
++#======gmplayer gui==========#
++# File dialogs
++dontaudit_getattr($1_mplayer_t)
++dontaudit_read_dir($1_mplayer_t)
++dontaudit_search_dir($1_mplayer_t)
++
++# Unfortunately the ancient file dialog starts in /
++allow $1_mplayer_t home_root_t:dir read;
++
++# Read /etc/mtab
++allow $1_mplayer_t etc_runtime_t:file { read getattr };
++
++# Run bash/sed (??) 
++allow $1_mplayer_t bin_t:dir search;
++allow $1_mplayer_t bin_t:lnk_file read;
++can_exec($1_mplayer_t, bin_t)
++can_exec($1_mplayer_t, shell_exec_t)
++#============================#
++
+ ') dnl end mplayer_domain
+ 
+-############################
+-#  mencoder_domain(user)   #
+-############################
++###################################
++#  mencoder_domain(role_prefix)   #
++###################################
+ 
+ define(`mencoder_domain',`
+ 
+@@ -125,7 +144,7 @@
+ ') dnl end mencoder_domain
+ 
+ #############################
+-#  mplayer_domains(user)    #
++#  mplayer_domains(role)    #
+ #############################
+ 
+ define(`mplayer_domains', `
+diff --exclude-from=exclude -N -u -r nsapolicy/net_contexts policy-1.23.15/net_contexts
+--- nsapolicy/net_contexts	2005-05-09 10:36:38.197093000 -0400
++++ policy-1.23.15/net_contexts	2005-05-09 11:04:01.486724000 -0400
+@@ -41,7 +41,7 @@
+ portcon tcp 20 system_u:object_r:ftp_data_port_t
+ portcon tcp 21 system_u:object_r:ftp_port_t
+ ifdef(`ssh.te', `portcon tcp 22 system_u:object_r:ssh_port_t')
+-ifdef(`inetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
++ifdef(`telnetd.te', `portcon tcp 23 system_u:object_r:telnetd_port_t')
+ 
+ portcon tcp 25 system_u:object_r:smtp_port_t
+ portcon tcp 465 system_u:object_r:smtp_port_t
+diff --exclude-from=exclude -N -u -r nsapolicy/targeted/domains/unconfined.te policy-1.23.15/targeted/domains/unconfined.te
+--- nsapolicy/targeted/domains/unconfined.te	2005-05-09 10:36:43.272013000 -0400
++++ policy-1.23.15/targeted/domains/unconfined.te	2005-05-09 10:35:52.161175000 -0400
 @@ -77,3 +77,8 @@
  
  # allow reading of default file context
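Review bot: In the mplayer_macros.te part of this hunk, the new gmplayer block adds `can_exec($1_mplayer_t, bin_t)` and `can_exec($1_mplayer_t, shell_exec_t)` under the comment `# Run bash/sed (??)`, so the confined media-player domain can now execute any bin_t program or a shell in its own domain with no transition, and the `(??)` shows the need was not confirmed. Before this merges, the question marks should be replaced by a comment naming the observed denial that motivated the rule, or the rule narrowed to the specific executable type if one exists, since every permission granted to $1_mplayer_t then applies to the shell as well. Separately, the new rdisc.fc entry `/sbin/rdisc		system_u:object_r:rdisc_exec_t` omits the `--` regular-file specifier that the line removed from traceroute.fc carried, so it labels any object type at that path; adding `--` keeps the two consistent. Both the removed traceroute.fc line and the added rdisc.fc line are inside this hunk.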
@@ -97,9 +591,9 @@
 +allow domain self:process execmem;
 +}
 +
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.14/tunables/distro.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/distro.tun policy-1.23.15/tunables/distro.tun
 --- nsapolicy/tunables/distro.tun	2005-02-24 14:51:09.000000000 -0500
-+++ policy-1.23.14/tunables/distro.tun	2005-05-02 14:57:26.000000000 -0400
++++ policy-1.23.15/tunables/distro.tun	2005-05-09 10:35:52.164173000 -0400
 @@ -5,7 +5,7 @@
  # appropriate ifdefs.
  
@@ -109,9 +603,9 @@
  
  dnl define(`distro_suse')
  
-diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.14/tunables/tunable.tun
+diff --exclude-from=exclude -N -u -r nsapolicy/tunables/tunable.tun policy-1.23.15/tunables/tunable.tun
 --- nsapolicy/tunables/tunable.tun	2005-04-14 15:01:54.000000000 -0400
-+++ policy-1.23.14/tunables/tunable.tun	2005-05-05 15:16:58.000000000 -0400
++++ policy-1.23.15/tunables/tunable.tun	2005-05-09 10:35:52.221116000 -0400
 @@ -2,7 +2,7 @@
  dnl define(`user_can_mount')
  


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.296
retrieving revision 1.297
diff -u -r1.296 -r1.297
--- selinux-policy-targeted.spec	7 May 2005 04:52:46 -0000	1.296
+++ selinux-policy-targeted.spec	9 May 2005 20:24:13 -0000	1.297
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.23.15
-Release: 1
+Release: 2
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -234,6 +234,11 @@
 exit 0
 
 %changelog
+* Mon May 9 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-2
+- Add Russell Fixes.  Add rdisc policy.
+- Add some of Ivan's changes.
+- remove syslog boolean
+
 * Fri May 6 2005 Dan Walsh <dwalsh at redhat.com> 1.23.15-1
 - Update from NSA
 	* Added tripwire and yam policy from David Hampton.



