rpms/selinux-policy/devel modules-targeted.conf, 1.20, 1.21 policy-20060323.patch, 1.10, 1.11 selinux-policy.spec, 1.169, 1.170
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Apr 10 21:10:53 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv749
Modified Files:
modules-targeted.conf policy-20060323.patch
selinux-policy.spec
Log Message:
* Mon Apr 10 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-6
- Allow secadm_t ability to relabel all files
- Allow ftp to search xferlog_t directories
- Allow mysql to communicate with ldap
- Allow rsync to bind to rsync_port_t
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- modules-targeted.conf 6 Apr 2006 19:08:54 -0000 1.20
+++ modules-targeted.conf 10 Apr 2006 21:10:33 -0000 1.21
@@ -75,6 +75,13 @@
#
selinux = base
+# Layer: admin
+# Module: prelink
+#
+# Manage temporary directory sizes and file ages
+#
+prelink = base
+
# Layer: system
# Module: files
# Required in base
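Review bot: The description added for the new prelink entry, `# Manage temporary directory sizes and file ages`, does not describe prelink; it reads like text copied from a temp-file cleaner module. prelink modifies ELF binaries and shared libraries on disk, so anyone auditing which modules are compiled into base needs the comment to say what the domain actually touches. Suggest replacing it with something like `# Prelink ELF shared libraries and binaries to speed up startup time.`, worded to match the module's own summary.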
@@ -135,6 +142,13 @@
#
kudzu = base
+# Layer: kernel
+# Module: bootloader
+#
+# Policy for the kernel modules, kernel image, and bootloader.
+#
+bootloader = base
+
# Layer: admin
# Module: updfstab
#
@@ -150,6 +164,13 @@
netutils = base
# Layer: admin
+# Module: alsa
+#
+# Ainit ALSA configuration tool
+#
+alsa = off
+
+# Layer: admin
# Module: vpn
#
# Virtual Private Networking client
@@ -270,13 +291,6 @@
webalizer = base
# Layer: kernel
-# Module: bootloader
-#
-# Policy for the kernel modules, kernel image, and bootloader.
-#
-bootloader = base
-
-# Layer: kernel
# Module: storage
#
# Policy controlling access to storage devices
policy-20060323.patch:
admin/rpm.te | 1
apps/ada.fc | 7 +
apps/ada.if | 203 +++++++++++++++++++++++++++++++++++++++++++++
apps/ada.te | 24 +++++
apps/java.fc | 1
apps/mono.if | 23 +++++
apps/mono.te | 1
kernel/devices.fc | 1
kernel/devices.if | 40 ++++++++
kernel/files.if | 15 +++
kernel/mls.te | 1
services/apache.if | 20 ++++
services/automount.te | 1
services/avahi.te | 4
services/bluetooth.te | 7 +
services/cups.te | 2
services/dbus.te | 1
services/ftp.te | 1
services/hal.te | 13 ++
services/mysql.te | 1
services/networkmanager.te | 1
services/nscd.if | 20 ++++
services/rsync.te | 4
services/samba.te | 2
services/snmp.te | 1
services/xserver.if | 21 ++++
system/fstools.te | 1
system/getty.fc | 1
system/getty.te | 2
system/init.te | 1
system/libraries.fc | 26 ++++-
system/logging.if | 32 +++++++
system/mount.te | 4
system/unconfined.if | 17 +--
system/unconfined.te | 8 -
system/userdomain.te | 6 -
36 files changed, 485 insertions(+), 29 deletions(-)
Index: policy-20060323.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060323.patch,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- policy-20060323.patch 6 Apr 2006 19:08:54 -0000 1.10
+++ policy-20060323.patch 10 Apr 2006 21:10:33 -0000 1.11
@@ -518,6 +518,17 @@
seutil_read_config(system_dbusd_t)
seutil_read_default_contexts(system_dbusd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.2.29/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2006-03-30 10:59:02.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/ftp.te 2006-04-08 10:26:14.000000000 -0400
+@@ -62,6 +62,7 @@
+ files_pid_filetrans(ftpd_t,ftpd_var_run_t,file)
+
+ # Create and modify /var/log/xferlog.
++allow ftpd_t xferlog_t:dir search_dir_perms;
+ allow ftpd_t xferlog_t:file create_file_perms;
+ logging_log_filetrans(ftpd_t,xferlog_t,file)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-2.2.29/policy/modules/services/hal.te
--- nsaserefpolicy/policy/modules/services/hal.te 2006-03-30 10:59:02.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/hal.te 2006-04-03 17:43:25.000000000 -0400
@@ -569,6 +580,17 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.te serefpolicy-2.2.29/policy/modules/services/mysql.te
+--- nsaserefpolicy/policy/modules/services/mysql.te 2006-03-24 11:09:13.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/mysql.te 2006-04-08 11:18:50.000000000 -0400
+@@ -104,6 +104,7 @@
+
+ miscfiles_read_localization(mysqld_t)
+
++sysnet_use_ldap(mysqld_t)
+ sysnet_read_config(mysqld_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(mysqld_t)
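Review bot: The added `sysnet_use_ldap(mysqld_t)` is unconditional and carries no comment saying why a database server needs to reach LDAP. If the need comes from name-service lookups on hosts that use LDAP (an assumption; the log message only says "communicate with ldap"), then every mysqld_t on hosts that do not use LDAP gains an outbound network permission it never exercises. Suggest at least a why-comment above the line, e.g. `# mysqld resolves accounts through nsswitch, which may be backed by LDAP`. If the policy has a suitable tunable, consider placing the call under it.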
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-2.2.29/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2006-03-24 11:09:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/networkmanager.te 2006-04-03 12:24:37.000000000 -0400
@@ -607,6 +629,34 @@
+ allow $1 nscd_t:process signal;
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-2.2.29/policy/modules/services/rsync.te
+--- nsaserefpolicy/policy/modules/services/rsync.te 2006-03-24 11:09:14.000000000 -0500
++++ serefpolicy-2.2.29/policy/modules/services/rsync.te 2006-04-08 10:31:40.000000000 -0400
+@@ -50,6 +50,8 @@
+ allow rsync_t rsync_var_run_t:dir rw_dir_perms;
+ files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+
++init_dontaudit_use_fds(rsync_t)
++
+ kernel_read_kernel_sysctls(rsync_t)
+ kernel_read_system_state(rsync_t)
+ kernel_read_network_state(rsync_t)
+@@ -65,6 +67,7 @@
+ corenet_non_ipsec_sendrecv(rsync_t)
+ corenet_tcp_bind_all_nodes(rsync_t)
+ corenet_udp_bind_all_nodes(rsync_t)
++corenet_tcp_bind_rsync_port(rsync_t)
+
+ dev_read_urand(rsync_t)
+
+@@ -77,6 +80,7 @@
+ libs_use_shared_libs(rsync_t)
+
+ logging_send_syslog_msg(rsync_t)
++logging_dontaudit_search_logs(rsync_t)
+
+ miscfiles_read_localization(rsync_t)
+ miscfiles_read_public_files(rsync_t)
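Review bot: Two of the three rules added to rsync.te here, `init_dontaudit_use_fds(rsync_t)` and `logging_dontaudit_search_logs(rsync_t)`, are dontaudit rules that the log message never mentions; it lists only the `corenet_tcp_bind_rsync_port(rsync_t)` change. dontaudit does not grant access, but it removes the AVC denial from the audit log, so later attempts by rsync_t to search the log directories or use init's descriptors will no longer be visible to anyone monitoring denials. Suggest a short comment on each naming the benign denial being silenced, e.g. `# rsync started from an init script inherits its fds; not needed`, and a matching changelog line so the loss of audit signal is a recorded decision.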
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.2.29/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2006-03-24 11:09:15.000000000 -0500
+++ serefpolicy-2.2.29/policy/modules/services/samba.te 2006-04-03 14:24:40.000000000 -0400
@@ -906,14 +956,16 @@
optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.2.29/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-03-28 12:58:49.000000000 -0500
-+++ serefpolicy-2.2.29/policy/modules/system/userdomain.te 2006-03-31 11:21:52.000000000 -0500
-@@ -179,10 +179,10 @@
++++ serefpolicy-2.2.29/policy/modules/system/userdomain.te 2006-04-10 16:46:24.000000000 -0400
+@@ -179,10 +179,12 @@
mls_file_downgrade(secadm_t)
init_exec(secadm_t)
logging_read_audit_log(secadm_t)
- logging_domtrans_auditctl(secadm_t)
+ logging_run_auditctl(secadm_t,secadm_r,admin_terminal)
userdom_dontaudit_append_staff_home_content_files(secadm_t)
++ auth_relabel_all_files_except_shadow(secadm_t)
++ auth_relabel_shadow(secadm_t)
', `
- logging_domtrans_auditctl(sysadm_t)
+ logging_run_auditctl(sysadm_t,sysadm_r,admin_terminal)
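Review bot: The added pair `auth_relabel_all_files_except_shadow(secadm_t)` and `auth_relabel_shadow(secadm_t)` together let secadm_t relabel every file, including those labelled shadow_t, and nothing in the policy text marks the shadow grant as deliberate. The label is what keeps password hashes behind shadow_t, so a domain that can change it can move the file out of that protection; the changelog entry says only "relabel all files". Suggest a comment above the two calls such as `# secadm_t may relabel any file, shadow_t included; keep this role tightly assigned`. The enclosing conditional block starts and ends outside the hunk, so it cannot be confirmed from here whether the sysadm_t branch is restricted to match.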
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.169
retrieving revision 1.170
diff -u -r1.169 -r1.170
--- selinux-policy.spec 10 Apr 2006 12:15:07 -0000 1.169
+++ selinux-policy.spec 10 Apr 2006 21:10:33 -0000 1.170
@@ -16,7 +16,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.2.29
-Release: 5
+Release: 6
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -324,6 +324,12 @@
%endif
%changelog
+* Mon Apr 10 2006 Dan Walsh <dwalsh at redhat.com> 2.2.29-6
+- Allow secadm_t ability to relabel all files
+- Allow ftp to search xferlog_t directories
+- Allow mysql to communicate with ldap
+- Allow rsync to bind to rsync_port_t
+
* Mon Apr 10 2006 Russell Coker <rcoker at redhat.com> 2.2.29-5
- Fixed mailman with Postfix #183928
- Allowed semanage to create file_context files.