rpms/selinux-policy/devel booleans-targeted.conf, 1.22, 1.23 policy-20061106.patch, 1.34, 1.35 selinux-policy.spec, 1.361, 1.362
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Dec 11 12:35:47 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv21312
Modified Files:
booleans-targeted.conf policy-20061106.patch
selinux-policy.spec
Log Message:
* Fri Dec 8 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-9
- More fixes for MLS
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/booleans-targeted.conf,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- booleans-targeted.conf 10 Nov 2006 20:37:08 -0000 1.22
+++ booleans-targeted.conf 11 Dec 2006 12:35:44 -0000 1.23
@@ -1,5 +1,5 @@
# Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack.
-nnn#
+#
allow_execmem = false
# Allow making a modified private filemapping executable (text relocation).
policy-20061106.patch:
Rules.modular | 10
policy/flask/access_vectors | 2
policy/global_tunables | 40 ++
policy/modules/admin/acct.te | 1
policy/modules/admin/amanda.if | 17 +
policy/modules/admin/amanda.te | 1
policy/modules/admin/bootloader.te | 4
policy/modules/admin/consoletype.te | 10
policy/modules/admin/dmesg.te | 1
policy/modules/admin/firstboot.if | 6
policy/modules/admin/logwatch.te | 1
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/quota.fc | 7
policy/modules/admin/quota.te | 20 -
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 24 +
policy/modules/admin/rpm.te | 41 --
policy/modules/admin/su.if | 11
policy/modules/admin/sudo.if | 5
policy/modules/admin/usermanage.te | 4
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 2
policy/modules/apps/java.te | 2
policy/modules/apps/loadkeys.if | 17 -
policy/modules/apps/slocate.te | 2
policy/modules/kernel/corecommands.fc | 3
policy/modules/kernel/corecommands.if | 36 ++
policy/modules/kernel/corenetwork.if.in | 49 +++
policy/modules/kernel/corenetwork.te.in | 15
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 5
policy/modules/kernel/devices.te | 6
policy/modules/kernel/domain.te | 7
policy/modules/kernel/files.if | 116 ++++++-
policy/modules/kernel/filesystem.te | 6
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/terminal.fc | 1
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 10
policy/modules/services/apache.te | 16 -
policy/modules/services/apm.te | 1
policy/modules/services/automount.te | 1
policy/modules/services/avahi.if | 21 +
policy/modules/services/bind.fc | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 2
policy/modules/services/cron.if | 49 ---
policy/modules/services/cron.te | 13
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 7
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.fc | 1
policy/modules/services/dbus.if | 1
policy/modules/services/ftp.te | 12
policy/modules/services/hal.fc | 4
policy/modules/services/hal.if | 20 +
policy/modules/services/hal.te | 8
policy/modules/services/kerberos.if | 1
policy/modules/services/kerberos.te | 11
policy/modules/services/lpd.if | 52 +--
policy/modules/services/mta.if | 1
policy/modules/services/mta.te | 1
policy/modules/services/nis.fc | 1
policy/modules/services/nis.if | 8
policy/modules/services/nis.te | 10
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 15
policy/modules/services/oddjob.te | 3
policy/modules/services/pcscd.fc | 9
policy/modules/services/pcscd.if | 23 +
policy/modules/services/pcscd.te | 69 ++++
policy/modules/services/pegasus.if | 31 +
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.te | 13
policy/modules/services/procmail.te | 16 +
policy/modules/services/rlogin.te | 10
policy/modules/services/rpc.te | 1
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 2
policy/modules/services/samba.te | 8
policy/modules/services/sasl.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.te | 5
policy/modules/services/ssh.te | 7
policy/modules/services/telnet.te | 1
policy/modules/services/tftp.te | 2
policy/modules/services/uucp.fc | 1
policy/modules/services/uucp.if | 67 ++++
policy/modules/services/uucp.te | 44 ++
policy/modules/services/xserver.if | 40 ++
policy/modules/system/authlogin.if | 69 ++++
policy/modules/system/authlogin.te | 6
policy/modules/system/clock.te | 8
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 2
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 10
policy/modules/system/init.te | 22 +
policy/modules/system/iptables.te | 6
policy/modules/system/libraries.fc | 28 -
policy/modules/system/libraries.te | 6
policy/modules/system/locallogin.if | 37 ++
policy/modules/system/logging.te | 1
policy/modules/system/lvm.fc | 1
policy/modules/system/lvm.te | 48 ++-
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 38 ++
policy/modules/system/modutils.te | 5
policy/modules/system/mount.te | 20 -
policy/modules/system/raid.te | 7
policy/modules/system/selinuxutil.fc | 1
policy/modules/system/selinuxutil.if | 109 ++++++
policy/modules/system/selinuxutil.te | 106 +-----
policy/modules/system/sysnetwork.te | 3
policy/modules/system/unconfined.fc | 4
policy/modules/system/unconfined.if | 19 +
policy/modules/system/unconfined.te | 15
policy/modules/system/userdomain.if | 503 ++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 56 ---
policy/modules/system/xen.fc | 1
policy/modules/system/xen.te | 35 ++
124 files changed, 1898 insertions(+), 426 deletions(-)
Index: policy-20061106.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20061106.patch,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- policy-20061106.patch 6 Dec 2006 23:27:45 -0000 1.34
+++ policy-20061106.patch 11 Dec 2006 12:35:45 -0000 1.35
@@ -442,9 +442,33 @@
-')
-
-') dnl end TODO
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-2.4.6/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if 2006-11-16 17:15:26.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/sudo.if 2006-12-07 09:41:19.000000000 -0500
+@@ -71,6 +71,7 @@
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+ allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
++ allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # Enter this derived domain from the user domain
+ domain_auto_trans($2, sudo_exec_t, $1_sudo_t)
+@@ -95,10 +96,10 @@
+ fs_getattr_xattr_fs($1_sudo_t)
+
+ auth_domtrans_chk_passwd($1_sudo_t)
++ auth_read_pam_pid($1_sudo_t)
+
+- corecmd_getattr_bin_files($1_sudo_t)
+ corecmd_read_sbin_symlinks($1_sudo_t)
+- corecmd_getattr_sbin_files($1_sudo_t)
++ corecmd_getattr_all_executables($1_sudo_t)
+
+ domain_use_interactive_fds($1_sudo_t)
+ domain_sigchld_interactive_fds($1_sudo_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-2.4.6/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/su.if 2006-12-06 17:54:31.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/admin/su.if 2006-12-07 09:42:26.000000000 -0500
@@ -180,6 +180,7 @@
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_file_perms;
@@ -453,7 +477,15 @@
# Transition from the user domain to this domain.
domain_auto_trans($2, su_exec_t, $1_su_t)
-@@ -204,6 +205,8 @@
+@@ -195,6 +196,7 @@
+
+ kernel_read_system_state($1_su_t)
+ kernel_read_kernel_sysctls($1_su_t)
++ kernel_search_key($1_su_t)
+
+ # for SSP
+ dev_read_urand($1_su_t)
+@@ -204,6 +206,8 @@
auth_domtrans_user_chk_passwd($1,$1_su_t)
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
@@ -462,7 +494,7 @@
corecmd_search_bin($1_su_t)
corecmd_search_sbin($1_su_t)
-@@ -219,6 +222,8 @@
+@@ -219,6 +223,8 @@
# Write to utmp.
init_rw_utmp($1_su_t)
@@ -471,7 +503,7 @@
libs_use_ld_so($1_su_t)
libs_use_shared_libs($1_su_t)
-@@ -229,6 +234,8 @@
+@@ -229,6 +235,8 @@
userdom_use_user_terminals($1,$1_su_t)
userdom_search_user_home_dirs($1,$1_su_t)
@@ -480,7 +512,7 @@
ifdef(`distro_rhel4',`
domain_role_change_exemption($1_su_t)
domain_subj_id_change_exemption($1_su_t)
-@@ -236,7 +243,6 @@
+@@ -236,7 +244,6 @@
selinux_get_fs_mount($1_su_t)
selinux_validate_context($1_su_t)
@@ -488,20 +520,27 @@
selinux_compute_create_context($1_su_t)
selinux_compute_relabel_context($1_su_t)
selinux_compute_user_contexts($1_su_t)
-@@ -301,6 +307,9 @@
+@@ -301,6 +308,8 @@
kerberos_use($1_su_t)
')
-+ userdom_dontaudit_search_generic_user_home_dirs($1_su_t)
-+ userdom_dontaudit_search_staff_home_dirs($1_su_t)
++ userdom_search_all_users_home_dirs($1_su_t)
+
# Modify .Xauthority file (via xauth program).
optional_policy(`
# file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.te serefpolicy-2.4.6/policy/modules/admin/usermanage.te
--- nsaserefpolicy/policy/modules/admin/usermanage.te 2006-11-16 17:15:26.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-05 13:19:41.000000000 -0500
-@@ -189,7 +189,7 @@
++++ serefpolicy-2.4.6/policy/modules/admin/usermanage.te 2006-12-07 09:59:42.000000000 -0500
+@@ -112,6 +112,7 @@
+ files_manage_etc_files(chfn_t)
+ files_read_etc_runtime_files(chfn_t)
+ files_dontaudit_search_var(chfn_t)
++files_dontaudit_search_home(chfn_t)
+
+ # /usr/bin/passwd asks for w access to utmp, but it will operate
+ # correctly without it. Do not audit write denials to utmp.
+@@ -189,7 +190,7 @@
#
allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
@@ -510,7 +549,7 @@
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
allow groupadd_t self:fd use;
-@@ -454,6 +454,7 @@
+@@ -454,6 +455,7 @@
#
allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
@@ -518,6 +557,17 @@
allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow useradd_t self:process setfscreate;
allow useradd_t self:fd use;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-2.4.6/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2006-11-16 17:15:07.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/apps/gpg.if 2006-12-07 09:49:55.000000000 -0500
+@@ -87,6 +87,7 @@
+ allow $1_gpg_t $1_gpg_secret_t:dir rw_dir_perms;
+ allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
+ allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
++ userdom_user_home_dir_filetrans($1, $1_gpg_t, $1_gpg_secret_t, dir)
+
+ # transition from the userdomain to the derived domain
+ domain_auto_trans($2,gpg_exec_t,$1_gpg_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.fc serefpolicy-2.4.6/policy/modules/apps/java.fc
--- nsaserefpolicy/policy/modules/apps/java.fc 2006-11-16 17:15:07.000000000 -0500
+++ serefpolicy-2.4.6/policy/modules/apps/java.fc 2006-12-05 13:19:41.000000000 -0500
@@ -599,7 +649,7 @@
+/etc/security/namespace.init -- gen_context(system_u:object_r:bin_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-2.4.6/policy/modules/kernel/corecommands.if
--- nsaserefpolicy/policy/modules/kernel/corecommands.if 2006-11-16 17:15:04.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if 2006-12-05 13:19:41.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/kernel/corecommands.if 2006-12-07 09:40:13.000000000 -0500
@@ -928,7 +928,19 @@
type bin_t, sbin_t;
')
@@ -637,11 +687,30 @@
')
########################################
-@@ -990,4 +1004,5 @@
+@@ -990,4 +1004,24 @@
')
allow $1 exec_type:file { getattr read execute };
+ userdom_mmap_all_executables($1)
++')
++
++########################################
++## <summary>
++## getattr all executables
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corecmd_getattr_all_executables',`
++ gen_require(`
++ attribute exec_type;
++ ')
++
++ allow $1 exec_type:file getattr;
++ userdom_getattr_all_executables($1)
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-2.4.6/policy/modules/kernel/corenetwork.if.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2006-11-16 17:15:04.000000000 -0500
@@ -3572,7 +3641,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-2.4.6/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te 2006-12-05 14:58:53.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/selinuxutil.te 2006-12-07 09:28:20.000000000 -0500
@@ -107,6 +107,19 @@
type semanage_exec_t;
domain_entry_file(semanage_t, semanage_exec_t)
@@ -3617,7 +3686,15 @@
files_read_etc_files(newrole_t)
files_read_var_files(newrole_t)
-@@ -338,6 +354,7 @@
+@@ -313,6 +329,7 @@
+ userdom_use_unpriv_users_fds(newrole_t)
+ # for some PAM modules and for cwd
+ userdom_dontaudit_search_all_users_home_content(newrole_t)
++userdom_search_all_users_home_dirs(newrole_t)
+
+ ifdef(`strict_policy',`
+ # if secure mode is enabled, then newrole
+@@ -338,6 +355,7 @@
#
allow restorecon_t self:capability { dac_override dac_read_search fowner };
@@ -3625,7 +3702,7 @@
allow restorecon_t self:fifo_file rw_file_perms;
allow restorecon_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:dir r_dir_perms;
-@@ -362,6 +379,7 @@
+@@ -362,6 +380,7 @@
fs_getattr_xattr_fs(restorecon_t)
fs_search_auto_mountpoints(restorecon_t)
@@ -3633,7 +3710,7 @@
mls_file_read_up(restorecon_t)
mls_file_write_down(restorecon_t)
-@@ -409,12 +427,6 @@
+@@ -409,12 +428,6 @@
fs_relabel_tmpfs_chr_file(restorecon_t)
')
@@ -3646,7 +3723,7 @@
optional_policy(`
hotplug_use_fds(restorecon_t)
')
-@@ -449,6 +461,7 @@
+@@ -449,6 +462,7 @@
auth_relabel_all_files_except_shadow(restorecond_t )
auth_read_all_files_except_shadow(restorecond_t)
@@ -3654,7 +3731,7 @@
init_use_fds(restorecond_t)
init_dontaudit_use_script_ptys(restorecond_t)
-@@ -549,82 +562,11 @@
+@@ -549,82 +563,11 @@
########################################
#
@@ -3741,7 +3818,7 @@
########################################
#
-@@ -672,6 +614,7 @@
+@@ -672,6 +615,7 @@
init_use_fds(setfiles_t)
init_use_script_fds(setfiles_t)
init_use_script_ptys(setfiles_t)
@@ -3863,7 +3940,7 @@
init_dbus_chat_script(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.4.6/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-11-29 09:27:47.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-06 17:47:08.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.if 2006-12-07 15:28:22.000000000 -0500
@@ -22,9 +22,9 @@
## <rolebase/>
#
@@ -3907,7 +3984,7 @@
- files_poly($1_home_dir_t)
- files_poly_member($1_home_t)
- ')
-+ type_member $1_t $1_home_dir_t:dir $1_home_t;
++ type_member $1_t $1_home_dir_t:dir $1_home_dir_t;
+ files_poly($1_home_dir_t)
+ files_poly_parent($1_home_dir_t)
+ files_poly_parent($1_home_t)
@@ -3933,7 +4010,7 @@
- ifdef(`enable_polyinstantiation',`
- files_poly_member_tmp($1_t,$1_tmp_t)
- ')
-+ files_poly_member_tmp($1_t,$1_tmp_t)
++ files_poly_member_tmp($1_t,tmp_t)
')
#######################################
@@ -4152,7 +4229,7 @@
## Read files in generic user home directories.
## </summary>
## <param name="domain">
-@@ -5497,3 +5506,363 @@
+@@ -5497,3 +5506,383 @@
allow $1 user_home_dir_t:dir create_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -4516,9 +4593,29 @@
+ allow $1 home_type:dir { relabelfrom relabelto };
+')
+
++
++########################################
++## <summary>
++## getattr all executables
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`userdom_getattr_all_executables',`
++ gen_require(`
++ attribute user_exec_type;
++ ')
++
++ allow $1 user_exec_type:file getattr;
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.te serefpolicy-2.4.6/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2006-11-16 17:15:24.000000000 -0500
-+++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-12-05 13:19:42.000000000 -0500
++++ serefpolicy-2.4.6/policy/modules/system/userdomain.te 2006-12-08 09:17:52.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
@@ -4555,7 +4652,18 @@
',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
-@@ -229,7 +213,6 @@
+@@ -181,6 +165,10 @@
+ ')
+
+ optional_policy(`
++ raid_domtrans_mdadm(sysadm_t)
++ ')
++
++ optional_policy(`
+ # cjp: why is this not apm_run_client
+ apm_domtrans_client(sysadm_t)
+ ')
+@@ -229,7 +217,6 @@
consoletype_exec(sysadm_t)
ifdef(`enable_mls',`
@@ -4563,7 +4671,7 @@
consoletype_exec(auditadm_t)
')
')
-@@ -248,7 +231,6 @@
+@@ -248,7 +235,6 @@
dmesg_exec(sysadm_t)
ifdef(`enable_mls',`
@@ -4571,7 +4679,7 @@
dmesg_exec(auditadm_t)
')
')
-@@ -383,27 +365,12 @@
+@@ -383,27 +369,12 @@
seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
ifdef(`enable_mls',`
@@ -4604,7 +4712,7 @@
')
')
-@@ -428,6 +395,9 @@
+@@ -428,6 +399,9 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.361
retrieving revision 1.362
diff -u -r1.361 -r1.362
--- selinux-policy.spec 6 Dec 2006 23:27:45 -0000 1.361
+++ selinux-policy.spec 11 Dec 2006 12:35:45 -0000 1.362
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.4.6
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -351,6 +351,9 @@
%endif
%changelog
+* Fri Dec 8 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-9
+- More fixes for MLS
+
* Wed Dec 6 2006 Dan Walsh <dwalsh at redhat.com> 2.4.6-8
- More Fixes polyinstatiation
Resolves: #216184
More information about the fedora-cvs-commits
mailing list