rpms/selinux-policy/devel policy-20061106.patch, 1.33, 1.34 selinux-policy.spec, 1.360, 1.361

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Wed Dec 6 23:27:47 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv4651

Modified Files:
	policy-20061106.patch selinux-policy.spec 
Log Message:
* Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-8
- More fixes for polyinstantiation
Resolves: #216184


policy-20061106.patch:
 Rules.modular                           |   10 
 policy/flask/access_vectors             |    2 
 policy/global_tunables                  |   40 ++
 policy/modules/admin/acct.te            |    1 
 policy/modules/admin/amanda.if          |   17 +
 policy/modules/admin/amanda.te          |    1 
 policy/modules/admin/bootloader.te      |    4 
 policy/modules/admin/consoletype.te     |   10 
 policy/modules/admin/dmesg.te           |    1 
 policy/modules/admin/firstboot.if       |    6 
 policy/modules/admin/logwatch.te        |    1 
 policy/modules/admin/netutils.te        |    2 
 policy/modules/admin/prelink.te         |    9 
 policy/modules/admin/quota.fc           |    7 
 policy/modules/admin/quota.te           |   20 -
 policy/modules/admin/rpm.fc             |    3 
 policy/modules/admin/rpm.if             |   24 +
 policy/modules/admin/rpm.te             |   41 --
 policy/modules/admin/su.if              |   11 
 policy/modules/admin/usermanage.te      |    3 
 policy/modules/apps/java.fc             |    2 
 policy/modules/apps/java.te             |    2 
 policy/modules/apps/loadkeys.if         |   17 -
 policy/modules/apps/slocate.te          |    2 
 policy/modules/kernel/corecommands.fc   |    3 
 policy/modules/kernel/corecommands.if   |   17 +
 policy/modules/kernel/corenetwork.if.in |   49 +++
 policy/modules/kernel/corenetwork.te.in |   15 
 policy/modules/kernel/corenetwork.te.m4 |    4 
 policy/modules/kernel/devices.fc        |    5 
 policy/modules/kernel/devices.te        |    6 
 policy/modules/kernel/domain.te         |    7 
 policy/modules/kernel/files.if          |  116 +++++++
 policy/modules/kernel/filesystem.te     |    6 
 policy/modules/kernel/kernel.te         |    2 
 policy/modules/kernel/terminal.fc       |    1 
 policy/modules/kernel/terminal.if       |    2 
 policy/modules/kernel/terminal.te       |    1 
 policy/modules/services/apache.fc       |   10 
 policy/modules/services/apache.te       |   16 -
 policy/modules/services/apm.te          |    1 
 policy/modules/services/automount.te    |    1 
 policy/modules/services/avahi.if        |   21 +
 policy/modules/services/bind.fc         |    1 
 policy/modules/services/clamav.te       |    2 
 policy/modules/services/cron.fc         |    2 
 policy/modules/services/cron.if         |   49 ---
 policy/modules/services/cron.te         |   13 
 policy/modules/services/cups.fc         |    2 
 policy/modules/services/cups.te         |    7 
 policy/modules/services/cvs.te          |    1 
 policy/modules/services/dbus.fc         |    1 
 policy/modules/services/dbus.if         |    1 
 policy/modules/services/ftp.te          |   12 
 policy/modules/services/hal.fc          |    4 
 policy/modules/services/hal.if          |   20 +
 policy/modules/services/hal.te          |    8 
 policy/modules/services/kerberos.if     |    1 
 policy/modules/services/kerberos.te     |   11 
 policy/modules/services/lpd.if          |   52 +--
 policy/modules/services/mta.if          |    1 
 policy/modules/services/mta.te          |    1 
 policy/modules/services/nis.fc          |    1 
 policy/modules/services/nis.if          |    8 
 policy/modules/services/nis.te          |   10 
 policy/modules/services/nscd.if         |   20 +
 policy/modules/services/nscd.te         |   15 
 policy/modules/services/oddjob.te       |    3 
 policy/modules/services/pcscd.fc        |    9 
 policy/modules/services/pcscd.if        |   23 +
 policy/modules/services/pcscd.te        |   69 ++++
 policy/modules/services/pegasus.if      |   31 ++
 policy/modules/services/pegasus.te      |    5 
 policy/modules/services/postfix.te      |   13 
 policy/modules/services/procmail.te     |   16 +
 policy/modules/services/rlogin.te       |   10 
 policy/modules/services/rpc.te          |    1 
 policy/modules/services/rsync.te        |    1 
 policy/modules/services/samba.if        |    2 
 policy/modules/services/samba.te        |    8 
 policy/modules/services/sasl.te         |    2 
 policy/modules/services/smartmon.te     |    1 
 policy/modules/services/snmp.te         |    4 
 policy/modules/services/spamassassin.te |    5 
 policy/modules/services/ssh.te          |    7 
 policy/modules/services/telnet.te       |    1 
 policy/modules/services/tftp.te         |    2 
 policy/modules/services/uucp.fc         |    1 
 policy/modules/services/uucp.if         |   67 ++++
 policy/modules/services/uucp.te         |   44 ++
 policy/modules/services/xserver.if      |   40 ++
 policy/modules/system/authlogin.if      |   69 ++++
 policy/modules/system/authlogin.te      |    6 
 policy/modules/system/clock.te          |    8 
 policy/modules/system/fstools.fc        |    1 
 policy/modules/system/fstools.te        |    2 
 policy/modules/system/getty.te          |    3 
 policy/modules/system/hostname.te       |   10 
 policy/modules/system/init.te           |   22 +
 policy/modules/system/iptables.te       |    6 
 policy/modules/system/libraries.fc      |   28 -
 policy/modules/system/libraries.te      |    6 
 policy/modules/system/locallogin.if     |   37 ++
 policy/modules/system/logging.te        |    1 
 policy/modules/system/lvm.fc            |    1 
 policy/modules/system/lvm.te            |   48 ++-
 policy/modules/system/miscfiles.fc      |    1 
 policy/modules/system/miscfiles.if      |   38 ++
 policy/modules/system/modutils.te       |    5 
 policy/modules/system/mount.te          |   20 -
 policy/modules/system/raid.te           |    7 
 policy/modules/system/selinuxutil.fc    |    1 
 policy/modules/system/selinuxutil.if    |  109 +++++++
 policy/modules/system/selinuxutil.te    |  105 +-----
 policy/modules/system/sysnetwork.te     |    3 
 policy/modules/system/unconfined.fc     |    4 
 policy/modules/system/unconfined.if     |   19 +
 policy/modules/system/unconfined.te     |   15 
 policy/modules/system/userdomain.if     |  483 ++++++++++++++++++++++++++++----
 policy/modules/system/userdomain.te     |   52 ---
 policy/modules/system/xen.fc            |    1 
 policy/modules/system/xen.te            |   35 ++
 122 files changed, 1849 insertions(+), 424 deletions(-)

Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- policy-20061106.patch	6 Dec 2006 19:38:32 -0000	1.33
+++ policy-20061106.patch	6 Dec 2006 23:27:45 -0000	1.34
@@ -442,6 +442,62 @@
 -')
 -
 -') dnl end TODO
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.4.6/policy/modules/admin/su.if
+--- nsaserefpolicy/policy/modules/admin/su.if	2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/su.if	2006-12-06 17:54:31.000000000 -0500
+@@ -180,6 +180,7 @@
+ 	allow $1_su_t self:process { setexec setsched setrlimit };
+ 	allow $1_su_t self:fifo_file rw_file_perms;
+ 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
++	allow $1_su_t self:key { search write };
+ 
+ 	# Transition from the user domain to this domain.
+ 	domain_auto_trans($2, su_exec_t, $1_su_t)
+@@ -204,6 +205,8 @@
+ 	auth_domtrans_user_chk_passwd($1,$1_su_t)
+ 	auth_dontaudit_read_shadow($1_su_t)
+ 	auth_use_nsswitch($1_su_t)
++	auth_keyring_domain($1_su_t)
++	auth_search_key($1_su_t)
+ 
+ 	corecmd_search_bin($1_su_t)
+ 	corecmd_search_sbin($1_su_t)
+@@ -219,6 +222,8 @@
+ 	# Write to utmp.
+ 	init_rw_utmp($1_su_t)
+ 
++	mls_file_write_down($1_su_t)
++
+ 	libs_use_ld_so($1_su_t)
+ 	libs_use_shared_libs($1_su_t)
+ 
+@@ -229,6 +234,8 @@
+ 	userdom_use_user_terminals($1,$1_su_t)
+ 	userdom_search_user_home_dirs($1,$1_su_t)
+ 
++	selinux_compute_access_vector($1_su_t)
++
+ 	ifdef(`distro_rhel4',`
+ 		domain_role_change_exemption($1_su_t)
+ 		domain_subj_id_change_exemption($1_su_t)
+@@ -236,7 +243,6 @@
+ 
+ 		selinux_get_fs_mount($1_su_t)
+ 		selinux_validate_context($1_su_t)
+-		selinux_compute_access_vector($1_su_t)
+ 		selinux_compute_create_context($1_su_t)
+ 		selinux_compute_relabel_context($1_su_t)
+ 		selinux_compute_user_contexts($1_su_t)
+@@ -301,6 +307,9 @@
+ 		kerberos_use($1_su_t)
+ 	')
+ 
++	userdom_dontaudit_search_generic_user_home_dirs($1_su_t)
++	userdom_dontaudit_search_staff_home_dirs($1_su_t)
++
+ 	# Modify .Xauthority file (via xauth program).
+ 	optional_policy(`
+ #		file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.6/policy/modules/admin/usermanage.te
 --- nsaserefpolicy/policy/modules/admin/usermanage.te	2006-11-16 17:15:26.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te	2006-12-05 13:19:41.000000000 -0500
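Review bot: The new `mls_file_write_down($1_su_t)` after `init_rw_utmp` exempts every su domain from the MLS file write-down constraint, and nothing in the hunk says why su needs that; an MLS override this broad should carry a why-comment, e.g. `# MLS: su must write files below its own level -- TODO: record the concrete case (presumably the polyinstantiation work in #216184)`. The same hunk also moves `selinux_compute_access_vector($1_su_t)` out of the `distro_rhel4` block so it now applies to all distros, which is worth a word in the commit message since it is unrelated to keyrings. The enclosing su template interface starts before and ends after this hunk.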
@@ -833,7 +889,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.4.6/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/files.if	2006-12-06 10:31:31.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/files.if	2006-12-06 18:02:26.000000000 -0500
 @@ -353,8 +353,7 @@
  
  ########################################
@@ -900,7 +956,7 @@
  ##	Do not audit attempts to get the attributes
  ##	of non security symbolic links.
  ## </summary>
-@@ -4471,6 +4505,8 @@
+@@ -4471,14 +4505,16 @@
  		type poly_t;
  	')
  
@@ -909,8 +965,9 @@
  	# Need to give access to /selinux/member
  	selinux_compute_member($1)
  
-@@ -4478,7 +4514,7 @@
- 	allow $1 self:capability sys_admin;
+ 	# Need sys_admin capability for mounting
+-	allow $1 self:capability sys_admin;
++	allow $1 self:capability { chown fsetid sys_admin };
  
  	# Need to give access to the directories to be polyinstantiated
 -	allow $1 polydir:dir { create getattr search write add_name setattr mounton };
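Review bot: The comment `# Need sys_admin capability for mounting` now sits above `allow $1 self:capability { chown fsetid sys_admin };` and no longer explains the line, since chown and fsetid are new and have nothing to do with mounting; update it to something like `# sys_admin for mounting; chown/fsetid to set owner and mode on newly created polyinstantiated dirs -- TODO confirm`. Capabilities are process-wide rather than scoped to polydir, so every caller of this interface gains chown/fsetid for any object it can already setattr; that is acceptable for a polyinstantiation helper but should be stated in the interface's description. The enclosing interface starts before this hunk.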
@@ -2593,7 +2650,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.4.6/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/authlogin.if	2006-12-06 12:48:52.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/authlogin.if	2006-12-06 17:48:50.000000000 -0500
 @@ -190,6 +190,9 @@
  ## </param>
  #
@@ -2608,7 +2665,7 @@
  	domain_obj_id_change_exemption($1)
  	role system_r types $1;
  
-+	typeattribute $1 keyring_type;
++	auth_keyring_domain($1)
 +	allow $1 keyring_type:key { search link };
 +
  	# for SSP/ProPolice
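Review bot: The line `allow $1 keyring_type:key { search link };` kept right after the new `auth_keyring_domain($1)` call is byte-for-byte the body of the `auth_search_key` interface this same patch adds, so the permission set now lives in two places; replacing it with `auth_search_key($1)` keeps a single definition and matches how su.if is written in this commit. The enclosing interface starts before this hunk.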
@@ -2642,7 +2699,7 @@
  ')
  
  ########################################
-@@ -1407,3 +1418,24 @@
+@@ -1407,3 +1418,59 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -2665,8 +2722,43 @@
 +	allow $1 keyring_type:key { read search view };
 +')
 +
++########################################
++## <summary>
++##	search login keyrings.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`auth_search_key',`
++	gen_require(`
++		attribute keyring_type;
++	')
++
++	allow $1 keyring_type:key { search link };
++')
++
 +
 +
++########################################
++## <summary>
++##	Make the specified domain a keyring domain
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain type used for a login program domain.
++##	</summary>
++## </param>
++#
++interface(`auth_keyring_domain',`
++	gen_require(`
++		attribute keyring_type;
++	')
++
++	typeattribute $1 keyring_type;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.4.6/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2006-11-16 17:15:24.000000000 -0500
 +++ serefpolicy-2.4.6/policy/modules/system/authlogin.te	2006-12-06 12:10:33.000000000 -0500
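Review bot: The summary of `auth_search_key` says only `search login keyrings.` but the rule also grants `link`, which lets the caller link keyring_type keys into its own keyrings; the summary should say so, e.g. `##	Search login keyrings and link their keys into the caller's keyrings.`. The `auth_keyring_domain` documentation names the parameter but not what the attribute implies: a short `<desc>` noting that domains carrying keyring_type become the target of the keyring-access interfaces in this file (the `{ read search view }` and `{ search link }` rules above) would tell callers what they are opting into. The three consecutive blank lines between the two new interfaces should be collapsed to one to match the rest of the file.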
@@ -3771,7 +3863,7 @@
  		init_dbus_chat_script(unconfined_execmem_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if	2006-12-06 11:27:19.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if	2006-12-06 17:47:08.000000000 -0500
 @@ -22,9 +22,9 @@
  ## <rolebase/>
  #


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.360
retrieving revision 1.361
diff -u -r1.360 -r1.361
--- selinux-policy.spec	6 Dec 2006 19:38:32 -0000	1.360
+++ selinux-policy.spec	6 Dec 2006 23:27:45 -0000	1.361
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.4.6
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -351,9 +351,14 @@
 %endif
 
 %changelog
+* Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-8
+- More Fixes polyinstatiation
+Resolves: #216184
+
 * Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-7
+- More Fixes polyinstatiation
 - Fix handling of keyrings
-
+Resolves: #216184
 
 * Mon Dec 4 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-6
 - Fix polyinstatiation



