rpms/selinux-policy/devel modules-targeted.conf, 1.12, 1.13 policy-20060104.patch, 1.18, 1.19 selinux-policy.spec, 1.88, 1.89
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jan 24 15:30:43 UTC 2006
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv6200
Modified Files:
modules-targeted.conf policy-20060104.patch
selinux-policy.spec
Log Message:
* Mon Jan 23 2006 Dan Walsh <dwalsh at redhat.com> 2.2.4-1
- Update to upstream
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- modules-targeted.conf 19 Jan 2006 19:08:32 -0000 1.12
+++ modules-targeted.conf 24 Jan 2006 15:30:40 -0000 1.13
@@ -188,7 +188,7 @@
#
# ddcprobe retrieves monitor and graphics card information
#
-ddcprobe = module
+ddcprobe = off
# Layer: admin
# Module: quota
@@ -216,7 +216,7 @@
#
# run real-mode video BIOS code to alter hardware state
#
-vbetool = module
+vbetool = off
# Layer: admin
# Module: firstboot
@@ -329,7 +329,7 @@
#
# IIIMF htt server
#
-i18n_input = module
+i18n_input = off
# Layer: services
# Module: uucp
@@ -394,7 +394,7 @@
#
# MIDI to WAV converter and player configured as a service
#
-timidity = module
+timidity = off
# Layer: services
# Module: postgresql
@@ -408,7 +408,7 @@
#
# Service for handling smart card readers.
#
-openct = module
+openct = off
# Layer: services
# Module: snmp
@@ -605,7 +605,7 @@
#
# Smart disk monitoring daemon policy
#
-smartmon = module
+smartmon = off
# Layer: services
# Module: ftp
@@ -689,7 +689,7 @@
#
# Service for downloading news feeds the slrn newsreader.
#
-slrnpull = module
+slrnpull = off
# Layer: services
# Module: rsync
policy-20060104.patch:
modules/kernel/filesystem.if | 1 +
modules/services/dbus.fc | 2 +-
modules/services/xserver.if | 9 +++++++++
modules/system/locallogin.te | 4 ++++
modules/system/logging.te | 12 +++++-------
modules/system/userdomain.if | 3 ++-
users | 9 +++------
7 files changed, 25 insertions(+), 15 deletions(-)
Index: policy-20060104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060104.patch,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- policy-20060104.patch 19 Jan 2006 19:10:47 -0000 1.18
+++ policy-20060104.patch 24 Jan 2006 15:30:40 -0000 1.19
@@ -1,321 +1,143 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Makefile serefpolicy-2.2.2/Makefile
---- nsaserefpolicy/Makefile 2006-01-19 10:00:35.000000000 -0500
-+++ serefpolicy-2.2.2/Makefile 2006-01-19 10:42:14.000000000 -0500
-@@ -92,7 +92,7 @@
-
- # enable MLS if requested.
- ifneq ($(findstring -mls,$(TYPE)),)
-- override M4PARAM += -D enable_mls
-+ override M4PARAM += -D enable_mls -D separate_secadm
- override CHECKPOLICY += -M
- override CHECKMODULE += -M
- endif
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-2.2.2/policy/global_tunables
---- nsaserefpolicy/policy/global_tunables 2006-01-13 09:48:26.000000000 -0500
-+++ serefpolicy-2.2.2/policy/global_tunables 2006-01-19 10:55:45.000000000 -0500
-@@ -22,6 +22,10 @@
-
- ## Allow making the stack executable via mprotect.
- ## Also requires allow_execmem.
-+gen_tunable(allow_execheap,false)
-+
-+## Allow making the stack executable via mprotect.
-+## Also requires allow_execmem.
- gen_tunable(allow_execstack,false)
-
- ## Allow ftp servers to modify public files
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-2.2.2/policy/modules/admin/logwatch.te
---- nsaserefpolicy/policy/modules/admin/logwatch.te 2006-01-13 17:06:02.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/admin/logwatch.te 2006-01-19 11:23:59.000000000 -0500
-@@ -38,6 +38,7 @@
- kernel_read_kernel_sysctl(logwatch_t)
- kernel_read_system_state(logwatch_t)
-
-+corecmd_read_sbin_symlink(logwatch_t)
- corecmd_read_sbin_file(logwatch_t)
- corecmd_exec_bin(logwatch_t)
- corecmd_exec_shell(logwatch_t)
-@@ -68,6 +69,8 @@
-
- miscfiles_read_localization(logwatch_t)
-
-+selinux_dontaudit_getattr_dir(logwatch_t)
-+
- userdom_dontaudit_search_sysadm_home_dir(logwatch_t)
- userdom_dontaudit_getattr_sysadm_home_dir(logwatch_t)
-
-@@ -94,6 +97,10 @@
- nscd_use_socket(logwatch_t)
- ')
-
-+optional_policy(`ntp',`
-+ ntp_domtrans(logwatch_t)
-+')
-+
- optional_policy(`rpc',`
- rpc_search_nfs_state_data(logwatch_t)
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/java.te serefpolicy-2.2.2/policy/modules/apps/java.te
---- nsaserefpolicy/policy/modules/apps/java.te 2006-01-12 18:28:45.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/java.te 2006-01-19 13:05:16.000000000 -0500
-@@ -8,3 +8,4 @@
-
- type java_exec_t;
- files_type(java_exec_t)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.fc serefpolicy-2.2.2/policy/modules/apps/mono.fc
---- nsaserefpolicy/policy/modules/apps/mono.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/mono.fc 2006-01-19 12:46:09.000000000 -0500
-@@ -0,0 +1,2 @@
-+/usr/bin/mono -- gen_context(system_u:object_r:mono_exec_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.if serefpolicy-2.2.2/policy/modules/apps/mono.if
---- nsaserefpolicy/policy/modules/apps/mono.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/mono.if 2006-01-19 12:46:09.000000000 -0500
-@@ -0,0 +1,23 @@
-+## <summary>Load keyboard mappings.</summary>
-+
-+########################################
-+## <summary>
-+## Execute the mono program in the mono domain.
-+## </summary>
-+## <param name="domain">
-+## The type of the process performing this action.
-+## </param>
-+#
-+interface(`mono_domtrans',`
-+ gen_require(`
-+ type mono_t, mono_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domain_auto_trans($1, mono_exec_t, mono_t)
-+
-+ allow $1 mono_t:fd use;
-+ allow mono_t $1:fd use;
-+ allow mono_t $1:fifo_file rw_file_perms;
-+ allow mono_t $1:process sigchld;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mono.te serefpolicy-2.2.2/policy/modules/apps/mono.te
---- nsaserefpolicy/policy/modules/apps/mono.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/mono.te 2006-01-19 13:29:46.000000000 -0500
-@@ -0,0 +1,25 @@
-+policy_module(mono,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type mono_t;
-+domain_type(mono_t)
-+
-+type mono_exec_t;
-+domain_entry_file(mono_t,mono_exec_t)
-+
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+ allow mono_t self:process execheap;
-+ unconfined_domain_template(mono_t)
-+ role system_r types mono_t;
-+')
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-2.2.2/policy/modules/apps/wine.fc
---- nsaserefpolicy/policy/modules/apps/wine.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/wine.fc 2006-01-19 10:58:16.000000000 -0500
-@@ -0,0 +1,2 @@
-+/usr/bin/wine -- gen_context(system_u:object_r:wine_exec_t,s0)
-+
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.if serefpolicy-2.2.2/policy/modules/apps/wine.if
---- nsaserefpolicy/policy/modules/apps/wine.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/wine.if 2006-01-19 10:58:17.000000000 -0500
-@@ -0,0 +1,23 @@
-+## <summary>Load keyboard mappings.</summary>
-+
-+########################################
-+## <summary>
-+## Execute the wine program in the wine domain.
-+## </summary>
-+## <param name="domain">
-+## The type of the process performing this action.
-+## </param>
-+#
-+interface(`wine_domtrans',`
-+ gen_require(`
-+ type wine_t, wine_exec_t;
-+ ')
-+
-+ corecmd_search_bin($1)
-+ domain_auto_trans($1, wine_exec_t, wine_t)
-+
-+ allow $1 wine_t:fd use;
-+ allow wine_t $1:fd use;
-+ allow wine_t $1:fifo_file rw_file_perms;
-+ allow wine_t $1:process sigchld;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te serefpolicy-2.2.2/policy/modules/apps/wine.te
---- nsaserefpolicy/policy/modules/apps/wine.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/apps/wine.te 2006-01-19 13:30:34.000000000 -0500
-@@ -0,0 +1,25 @@
-+policy_module(wine,1.0.0)
-+
-+########################################
-+#
-+# Declarations
-+#
-+
-+type wine_t;
-+domain_type(wine_t)
-+
-+type wine_exec_t;
-+domain_entry_file(wine_t,wine_exec_t)
-+
-+
-+########################################
-+#
-+# Local policy
-+#
-+
-+ifdef(`targeted_policy',`
-+ allow wine_t self:process { execstack execmem };
-+ unconfined_domain_template(wine_t)
-+ role system_r types wine_t;
-+ allow wine_t file_type:file execmod;
-+')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.2/policy/modules/kernel/filesystem.if
---- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-01-19 10:00:41.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/kernel/filesystem.if 2006-01-19 10:42:14.000000000 -0500
-@@ -1826,6 +1826,22 @@
-
- ########################################
- ## <summary>
-+## Dontaudit Search directories on a ramfs
-+## </summary>
-+## <param name="domain">
-+## Domain allowed access.
-+## </param>
-+#
-+interface(`fs_dontaudit_search_ramfs',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.2.4/policy/modules/kernel/filesystem.if
+--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2006-01-20 10:02:32.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/kernel/filesystem.if 2006-01-23 13:30:17.000000000 -0500
+@@ -2290,6 +2290,7 @@
+ ')
+
+ fs_search_tmpfs($1)
++ allow $1 tmpfs_t:lnk_file read;
+ allow $1 tmpfs_t:file rw_file_perms;
+ ')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-2.2.4/policy/modules/services/dbus.fc
+--- nsaserefpolicy/policy/modules/services/dbus.fc 2005-11-14 18:24:08.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/services/dbus.fc 2006-01-23 13:30:17.000000000 -0500
+@@ -1,5 +1,5 @@
+ /etc/dbus-1(/.*)? gen_context(system_u:object_r:dbusd_etc_t,s0)
+
+-/usr/bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
++/(usr/)?bin/dbus-daemon(-1)? -- gen_context(system_u:object_r:system_dbusd_exec_t,s0)
+
+ /var/run/dbus(/.*)? gen_context(system_u:object_r:system_dbusd_var_run_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-2.2.4/policy/modules/services/xserver.if
+--- nsaserefpolicy/policy/modules/services/xserver.if 2006-01-23 08:26:51.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/services/xserver.if 2006-01-23 13:50:16.000000000 -0500
+@@ -6,6 +6,9 @@
+ #
+ # Declarations
+ #
+ gen_require(`
-+ type ramfs_t;
-+ ')
-+
-+ dontaudit $1 ramfs_t:dir search;
-+')
-+
-+########################################
-+## <summary>
- ## Write to named pipe on a ramfs filesystem.
- ## </summary>
- ## <param name="domain">
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-2.2.2/policy/modules/services/bind.if
---- nsaserefpolicy/policy/modules/services/bind.if 2006-01-13 09:48:26.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/services/bind.if 2006-01-19 13:58:34.000000000 -0500
-@@ -165,6 +165,7 @@
- ')
-
- files_search_var($1)
-+ allow $1 named_conf_t:dir search_dir_perms;
- allow $1 named_zone_t:dir search_dir_perms;
- allow $1 named_cache_t:dir search_dir_perms;
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xdm.te serefpolicy-2.2.2/policy/modules/services/xdm.te
---- nsaserefpolicy/policy/modules/services/xdm.te 2006-01-19 10:00:41.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/services/xdm.te 2006-01-19 13:56:19.000000000 -0500
-@@ -74,7 +74,7 @@
- files_read_etc_runtime_files(xdm_t)
-
- ifdef(`targeted_policy',`
-- allow xdm_t self:process execmem;
-+ allow xdm_t self:process { execheap execmem };
- unconfined_domain_template(xdm_t)
- unconfined_domtrans(xdm_t)
- ',`
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.2.2/policy/modules/system/libraries.fc
---- nsaserefpolicy/policy/modules/system/libraries.fc 2006-01-17 13:22:14.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/system/libraries.fc 2006-01-19 13:00:21.000000000 -0500
-@@ -166,7 +166,7 @@
- /usr/lib(64)?/libdivxencore.so.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- # Java, Sun Microsystems (JPackage SRPM)
--/usr/.*/jre/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/usr/.*/jre.*/lib/i386/libdeploy.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-
- /usr(/.*)?/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
- /usr(/.*)?/Reader/intellinux/plug_ins/AcroForm\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.2.2/policy/modules/system/unconfined.if
---- nsaserefpolicy/policy/modules/system/unconfined.if 2006-01-17 13:22:14.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/system/unconfined.if 2006-01-19 10:56:11.000000000 -0500
-@@ -45,6 +45,12 @@
- auditallow $1 self:process execmem;
- ')
-
-+ tunable_policy(`allow_execheap',`
-+ # Allow making the stack executable via mprotect.
-+ allow $1 self:process execheap;
-+ auditallow $1 self:process execheap;
++ type xkb_var_lib_t, xserver_log_t;
+ ')
-+
- tunable_policy(`allow_execmem && allow_execstack',`
- # Allow making the stack executable via mprotect.
- allow $1 self:process execstack;
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.2.2/policy/modules/system/unconfined.te
---- nsaserefpolicy/policy/modules/system/unconfined.te 2006-01-17 17:08:57.000000000 -0500
-+++ serefpolicy-2.2.2/policy/modules/system/unconfined.te 2006-01-19 13:44:58.000000000 -0500
-@@ -97,6 +97,10 @@
- modutils_domtrans_update_mods(unconfined_t)
- ')
-+ optional_policy(`mono',`
-+ mono_domtrans(unconfined_t)
-+ ')
-+
- optional_policy(`netutils',`
- netutils_domtrans_ping(unconfined_t)
- ')
-@@ -141,11 +145,8 @@
- webalizer_domtrans(unconfined_t)
- ')
+ type $1_xserver_t;
+ domain_type($1_xserver_t)
+@@ -202,6 +205,12 @@
+ # Declarations
+ #
-- ifdef(`TODO',`
-- ifdef(`use_mcs',`
-- rw_dir_create_file(sysadm_su_t, home_dir_type)
-- ')
-- allow unconfined_t initrc_t : dbus { send_msg acquire_svc };
-- allow initrc_t unconfined_t : dbus { send_msg acquire_svc };
-- ') dnl end TODO
-+ optional_policy(`wine',`
-+ wine_domtrans(unconfined_t)
-+ ')
-+
- ')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.2/policy/users
---- nsaserefpolicy/policy/users 2005-12-05 22:35:02.000000000 -0500
-+++ serefpolicy-2.2.2/policy/users 2006-01-19 10:42:14.000000000 -0500
-@@ -26,7 +26,9 @@
- ifdef(`targeted_policy',`
++ gen_require(`
++ type xauth_exec_t;
++ type xserver_exec_t;
++ type iceauth_exec_t;
++ ')
++
+ xserver_common_domain_template($1)
+ role $3 types $1_xserver_t;
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/locallogin.te serefpolicy-2.2.4/policy/modules/system/locallogin.te
+--- nsaserefpolicy/policy/modules/system/locallogin.te 2006-01-19 10:00:41.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/system/locallogin.te 2006-01-23 13:30:17.000000000 -0500
+@@ -266,6 +266,10 @@
+ ifdef(`distro_suse', `define(`sulogin_no_pam')')
+ ifdef(`distro_debian', `define(`sulogin_no_pam')')
+
++optional_policy(`nscd',`
++ nscd_use_socket(sulogin_t)
++')
++
+ ifdef(`sulogin_no_pam', `
+ allow sulogin_t self:capability sys_tty_config;
+ init_get_process_group(sulogin_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-2.2.4/policy/modules/system/logging.te
+--- nsaserefpolicy/policy/modules/system/logging.te 2006-01-19 10:00:41.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/system/logging.te 2006-01-23 13:30:17.000000000 -0500
+@@ -98,10 +98,12 @@
+ audit_manager_domain(secadm_t)
+
+ ifdef(`targeted_policy', `', `
+-ifdef(`separate_secadm', `', `
++ifdef(`enable_mls', `
++audit_manager_domain(secadm_t)
++', `
+ audit_manager_domain(sysadm_t)
+-allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+ ')
++allow auditctl_t admin_tty_type:chr_file rw_file_perms;
+ ')
+ ') dnl end TODO
+
+@@ -272,9 +274,6 @@
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file create_file_perms;
+ files_filetrans_pid(syslogd_t,devlog_t,sock_file)
+-# cjp: I belive these are not needed:
+-allow syslogd_t devlog_t:unix_stream_socket name_bind;
+-allow syslogd_t devlog_t:unix_dgram_socket name_bind;
+
+ # create/append log files.
+ allow syslogd_t var_log_t:dir rw_dir_perms;
+@@ -325,8 +324,7 @@
+ corenet_non_ipsec_sendrecv(syslogd_t)
+ corenet_udp_bind_all_nodes(syslogd_t)
+ corenet_tcp_bind_syslogd_port(syslogd_t)
+-#cjp: why?
+-corenet_tcp_connect_rsh_port(syslogd_t)
++corenet_udp_bind_syslogd_port(syslogd_t)
+
+ fs_getattr_all_fs(syslogd_t)
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.2.4/policy/modules/system/userdomain.if
+--- nsaserefpolicy/policy/modules/system/userdomain.if 2006-01-23 08:26:51.000000000 -0500
++++ serefpolicy-2.2.4/policy/modules/system/userdomain.if 2006-01-23 13:30:17.000000000 -0500
+@@ -219,7 +219,7 @@
+ corecmd_exec_sbin($1_t)
+ corecmd_exec_ls($1_t)
+
+- domain_exec_all_entry_files($1_t)
++# domain_exec_all_entry_files($1_t)
+ domain_use_wide_inherit_fd($1_t)
+ # When the user domain runs ps, there will be a number of access
+ # denials when ps tries to search /proc. Do not audit these denials.
+@@ -533,6 +533,7 @@
+
+ typeattribute $1_t unpriv_userdomain;
+ domain_wide_inherit_fd($1_t)
++ domain_exec_all_entry_files($1_t)
+
+ typeattribute $1_devpts_t user_ptynode;
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-2.2.4/policy/users
+--- nsaserefpolicy/policy/users 2006-01-20 10:02:31.000000000 -0500
++++ serefpolicy-2.2.4/policy/users 2006-01-23 13:34:09.000000000 -0500
+@@ -27,7 +27,7 @@
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
--gen_user(user_u, user_r, s0, s0 - s15:c0.c255, c0.c255)
-+gen_user(user_u, user_r, s0, s0 - s0, c0)
-+gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
-+gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(user_u, user_r, s0, s0)
+-gen_user(staff_u, staff_r secadm_r sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
++gen_user(staff_u, staff_r ifdef(`enable_mls', `secadm_r') sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
')
- #
-@@ -40,8 +42,8 @@
+@@ -41,9 +41,6 @@
+ ifdef(`targeted_policy',`
gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
- ifdef(`direct_sysadm_daemon',`
-- gen_user(root, sysadm_r staff_r system_r, s0, s0 - s15:c0.c255, c0.c255)
-+ gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
- ',`
-- gen_user(root, sysadm_r staff_r, s0, s0 - s15:c0.c255, c0.c255)
-+ gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
- ')
+- ifdef(`direct_sysadm_daemon',`
+- gen_user(root, sysadm_r staff_r secadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+- ',`
+- gen_user(root, sysadm_r staff_r secadm_r , s0, s0 - s15:c0.c255, c0.c255)
+- ')
++
++ gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') ifdef(`direct_sysadm_daemon',`system_r'), s0, s0 - s15:c0.c255, c0.c255)
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.88
retrieving revision 1.89
diff -u -r1.88 -r1.89
--- selinux-policy.spec 19 Jan 2006 19:08:33 -0000 1.88
+++ selinux-policy.spec 24 Jan 2006 15:30:40 -0000 1.89
@@ -1,12 +1,11 @@
%define distro redhat
-%define direct_initrc y
%define monolithic n
%define POLICYVER 20
%define POLICYCOREUTILSVER 1.29.5-1
%define CHECKPOLICYVER 1.28-3
Summary: SELinux policy configuration
Name: selinux-policy
-Version: 2.2.2
+Version: 2.2.4
Release: 1
License: GPL
Group: System Environment/Base
@@ -20,6 +19,10 @@
Source6: booleans-mls.conf
Source7: seusers-mls
Source8: setrans-mls.conf
+Source9: modules-strict.conf
+Source10: booleans-strict.conf
+Source11: seusers-strict
+Source12: setrans-strict.conf
Url: http://serefpolicy.sourceforge.net
BuildRoot: %{_tmppath}/serefpolicy-buildroot
@@ -61,10 +64,6 @@
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} enableaudit \
make NAME=%1 TYPE=%2 DISTRO=%{distro} DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} base.pp \
install -m0644 base.pp ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/enableaudit.pp \
-for file in $(ls ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1 | grep -v -e base.pp -e enableaudit.pp ) \
-do \
- rm ${RPM_BUILD_ROOT}%{_usr}/share/selinux/%1/$file; \
-done; \
rm -rf $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/booleans \
touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/config \
touch $RPM_BUILD_ROOT%{_sysconfdir}/selinux/%1/seusers \
@@ -80,8 +79,7 @@
%defattr(-,root,root) \
%dir %{_usr}/share/selinux \
%dir %{_usr}/share/selinux/%1 \
-%{_usr}/share/selinux/%1/base.pp \
-%{_usr}/share/selinux/%1/enableaudit.pp \
+%{_usr}/share/selinux/%1/*.pp \
%dir %{_sysconfdir}/selinux \
%ghost %config(noreplace) %{_sysconfdir}/selinux/config \
%dir %{_sysconfdir}/selinux/%1 \
@@ -146,19 +144,25 @@
mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man8/
install -m 644 man/man8/*.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
-%installCmds targeted targeted-mcs %{direct_initrc}
-# Build mls policy
+
+# Build targeted policy
+# Commented out because only targeted ref policy currently builds
make clean
make conf
-%installCmds mls strict-mls n
-
+%installCmds targeted targeted-mcs y
# Build strict policy
# Commented out because only targeted ref policy currently builds
-# make clean
-# make conf
-#%#installCmds strict strict-mcs %{direct_initrc}
+make clean
+make conf
+%installCmds strict strict-mcs y
+
+# Build mls policy
+make clean
+make conf
+%installCmds mls strict-mls n
+
%clean
%{__rm} -fR $RPM_BUILD_ROOT
@@ -233,7 +237,6 @@
%files mls
%fileList mls
-%if 0
%package strict
Summary: SELinux strict base policy
Group: System Environment/Base
@@ -259,9 +262,14 @@
%files strict
%fileList strict
-%endif
-
%changelog
+* Mon Jan 23 2006 Dan Walsh <dwalsh at redhat.com> 2.2.4-1
+- Update to upstream
+
+* Wed Jan 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.3-1
+- Update to upstream
+- Fixes for booting and logging in on MLS machine
+
* Wed Jan 18 2006 Dan Walsh <dwalsh at redhat.com> 2.2.2-1
- Update to upstream
- Turn off execheap execstack for unconfined users
More information about the fedora-cvs-commits
mailing list