rpms/selinux-policy/devel modules-strict.conf, 1.13, 1.14 modules-targeted.conf, 1.30, 1.31 policy-20060608.patch, 1.40, 1.41 selinux-policy.spec, 1.236, 1.237

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Fri Jul 28 17:44:20 UTC 2006


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv16403

Modified Files:
	modules-strict.conf modules-targeted.conf 
	policy-20060608.patch selinux-policy.spec 
Log Message:
* Wed Jul 26 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-13
- Add nagios policy



Index: modules-strict.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-strict.conf,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- modules-strict.conf	19 Jul 2006 18:39:31 -0000	1.13
+++ modules-strict.conf	28 Jul 2006 17:44:17 -0000	1.14
@@ -1283,3 +1283,10 @@
 # Policy for the SELinux troubleshooting utility
 # 
 setroubleshoot = base
+
+# Layer: services
+# Module: nagios
+#
+# policy for nagios Host/service/network monitoring program
+# 
+nagios = module
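Review bot: `nagios = module` turns the module on in the strict build, and the same line is added to modules-targeted.conf in the second Index below, but nothing else on this page supplies the module's sources: the diffstat of policy-20060608.patch lists no modules/services/nagios.te, .fc or .if, and none of the patch hunks in this commit touch a nagios file. If the nagios module is already present in the upstream serefpolicy-2.3.3 tarball this is fine; otherwise the policy build will stop on the missing module. A short comment in the log message or the conf entry stating where the module comes from would make that checkable, e.g. `# shipped in upstream serefpolicy-2.3.3`.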


Index: modules-targeted.conf
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- modules-targeted.conf	14 Jul 2006 20:09:54 -0000	1.30
+++ modules-targeted.conf	28 Jul 2006 17:44:17 -0000	1.31
@@ -1093,6 +1093,7 @@
 # 
 openvpn = base
 
+
 # Layer: services
 # Module: setroubleshoot
 #
@@ -1100,5 +1101,11 @@
 # 
 setroubleshoot = base
 
+# Layer: services
+# Module: nagios
+#
+# policy for nagios Host/service/network monitoring program
+# 
+nagios = module
 
 

policy-20060608.patch:
 global_booleans                    |    2 
 global_tunables                    |   89 ++++++++------
 mcs                                |    3 
 modules/admin/bootloader.te        |    6 -
 modules/admin/consoletype.te       |   11 +
 modules/admin/firstboot.te         |    5 
 modules/admin/netutils.te          |   10 -
 modules/admin/prelink.te           |    1 
 modules/admin/rpm.fc               |    2 
 modules/admin/rpm.if               |    4 
 modules/admin/usermanage.te        |    2 
 modules/kernel/corenetwork.te.in   |    5 
 modules/kernel/devices.fc          |    3 
 modules/kernel/files.fc            |    1 
 modules/kernel/filesystem.if       |   21 +++
 modules/kernel/filesystem.te       |    2 
 modules/kernel/kernel.if           |   38 ++++++
 modules/kernel/selinux.if          |   18 ++-
 modules/kernel/selinux.te          |    4 
 modules/kernel/storage.fc          |    1 
 modules/services/amavis.te         |    2 
 modules/services/apache.te         |    1 
 modules/services/automount.te      |    8 +
 modules/services/avahi.te          |    1 
 modules/services/bind.fc           |    3 
 modules/services/bluetooth.if      |   23 +++
 modules/services/bluetooth.te      |    7 +
 modules/services/clamav.fc         |    3 
 modules/services/clamav.if         |   22 +++
 modules/services/clamav.te         |   20 ---
 modules/services/cups.te           |    6 -
 modules/services/cyrus.te          |    5 
 modules/services/dovecot.fc        |    1 
 modules/services/dovecot.te        |   10 +
 modules/services/ftp.te            |    2 
 modules/services/hal.te            |   10 +
 modules/services/inetd.te          |   12 +-
 modules/services/ldap.fc           |    1 
 modules/services/ldap.if           |   21 +++
 modules/services/ldap.te           |    2 
 modules/services/lpd.if            |   20 +--
 modules/services/mailman.te        |   15 ++
 modules/services/nis.te            |    1 
 modules/services/nscd.if           |   20 +++
 modules/services/ntp.te            |    2 
 modules/services/openvpn.te        |    8 +
 modules/services/pegasus.if        |   31 +++++
 modules/services/pegasus.te        |    5 
 modules/services/postfix.te        |    6 -
 modules/services/postgrey.fc       |    2 
 modules/services/postgrey.if       |   19 +++
 modules/services/postgrey.te       |   20 +++
 modules/services/procmail.te       |    5 
 modules/services/radius.fc         |    1 
 modules/services/radius.te         |    8 +
 modules/services/remotelogin.te    |    1 
 modules/services/samba.te          |    6 -
 modules/services/setroubleshoot.fc |   11 +
 modules/services/setroubleshoot.if |   24 ++++
 modules/services/setroubleshoot.te |  135 ++++++++++++++++++++++
 modules/services/squid.te          |    9 -
 modules/services/ssh.if            |    1 
 modules/services/tftp.te           |    1 
 modules/services/xfs.te            |    2 
 modules/services/xserver.if        |   22 +++
 modules/services/xserver.te        |    3 
 modules/services/zebra.te          |    7 +
 modules/system/authlogin.if        |    3 
 modules/system/authlogin.te        |    1 
 modules/system/fstools.fc          |    1 
 modules/system/getty.fc            |    1 
 modules/system/getty.te            |    3 
 modules/system/hostname.te         |   10 +
 modules/system/hotplug.te          |    2 
 modules/system/init.if             |    7 -
 modules/system/libraries.fc        |    2 
 modules/system/locallogin.te       |    1 
 modules/system/logging.if          |    6 -
 modules/system/logging.te          |    6 -
 modules/system/lvm.te              |    3 
 modules/system/selinuxutil.te      |   29 ++++
 modules/system/setrans.te          |    5 
 modules/system/sysnetwork.te       |    1 
 modules/system/udev.te             |    4 
 modules/system/unconfined.fc       |    1 
 modules/system/unconfined.if       |    8 -
 modules/system/unconfined.te       |    8 -
 modules/system/userdomain.if       |  221 ++++++++++++++++++++++++-------------
 modules/system/userdomain.te       |   40 +++---
 modules/system/xen.if              |   38 ++++++
 modules/system/xen.te              |    4 
 91 files changed, 933 insertions(+), 245 deletions(-)

Index: policy-20060608.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20060608.patch,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- policy-20060608.patch	26 Jul 2006 20:17:15 -0000	1.40
+++ policy-20060608.patch	28 Jul 2006 17:44:17 -0000	1.41
@@ -220,7 +220,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-2.3.3/policy/modules/admin/consoletype.te
 --- nsaserefpolicy/policy/modules/admin/consoletype.te	2006-07-14 17:04:46.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/admin/consoletype.te	2006-07-17 11:43:02.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/admin/consoletype.te	2006-07-28 13:28:33.000000000 -0400
 @@ -8,7 +8,12 @@
  
  type consoletype_t;
@@ -235,6 +235,14 @@
  mls_file_read_up(consoletype_t)
  mls_file_write_down(consoletype_t)
  role system_r types consoletype_t;
+@@ -114,3 +119,7 @@
+ 	xen_append_log(consoletype_t)
+ 	xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
+ ')
++
++optional_policy(`
++	xen_dontaudit_use_fds(consoletype_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/firstboot.te serefpolicy-2.3.3/policy/modules/admin/firstboot.te
 --- nsaserefpolicy/policy/modules/admin/firstboot.te	2006-07-14 17:04:45.000000000 -0400
 +++ serefpolicy-2.3.3/policy/modules/admin/firstboot.te	2006-07-26 12:55:01.000000000 -0400
@@ -598,6 +606,17 @@
  
  # tmp files
  allow amavis_t amavis_tmp_t:file create_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.3.3/policy/modules/services/apache.te
+--- nsaserefpolicy/policy/modules/services/apache.te	2006-07-14 17:04:41.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/apache.te	2006-07-27 12:31:07.000000000 -0400
+@@ -273,7 +273,6 @@
+ sysnet_read_config(httpd_t)
+ 
+ userdom_use_unpriv_users_fds(httpd_t)
+-userdom_dontaudit_search_sysadm_home_dirs(httpd_t)
+ 
+ mta_send_mail(httpd_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.3.3/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2006-07-14 17:04:40.000000000 -0400
 +++ serefpolicy-2.3.3/policy/modules/services/automount.te	2006-07-17 11:43:02.000000000 -0400
@@ -1674,7 +1693,19 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.3.3/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2006-07-14 17:04:41.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/services/squid.te	2006-07-19 11:33:04.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/services/squid.te	2006-07-28 09:12:30.000000000 -0400
+@@ -28,9 +28,9 @@
+ # Local policy
+ #
+ 
+-allow squid_t self:capability { setgid setuid dac_override };
++allow squid_t self:capability { setgid setuid dac_override sys_resource };
+ dontaudit squid_t self:capability sys_tty_config;
+-allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
++allow squid_t self:process ~{ ptrace setcurrent setexec setfscreate execmem execstack execheap };
+ allow squid_t self:fifo_file rw_file_perms;
+ allow squid_t self:sock_file r_file_perms;
+ allow squid_t self:fd use;
 @@ -80,8 +80,10 @@
  corenet_tcp_bind_all_nodes(squid_t)
  corenet_udp_bind_all_nodes(squid_t)
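Review bot: The two changed lines in the squid.te hunk widen squid_t in a way that is easy to miss on reading: `setrlimit` disappears from the negated `~{ ... }` process set, so it becomes allowed, and `sys_resource` is added to the self:capability allow, which together let squid raise its own hard resource limits. If the motivation is only to keep a startup attempt to raise RLIMIT_NOFILE out of the audit log, `dontaudit squid_t self:capability sys_resource;` would silence it without granting the capability; if squid genuinely needs the higher limit the grant is appropriate but deserves a comment next to it, something like `# squid raises its fd limit at startup (needs setrlimit + CAP_SYS_RESOURCE)`, since the negated set hides the change from future readers. The squid.te hunk at @@ -80,8 +80,10 @@ that follows runs past the end of this diff hunk.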
@@ -1875,7 +1906,7 @@
  init_use_script_ptys(getty_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hostname.te serefpolicy-2.3.3/policy/modules/system/hostname.te
 --- nsaserefpolicy/policy/modules/system/hostname.te	2006-07-14 17:04:44.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/hostname.te	2006-07-17 11:43:02.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/hostname.te	2006-07-28 13:28:12.000000000 -0400
 @@ -8,7 +8,10 @@
  
  type hostname_t;
@@ -1888,6 +1919,16 @@
  role system_r types hostname_t;
  
  ########################################
+@@ -56,6 +59,7 @@
+ sysnet_read_config(hostname_t)
+ sysnet_dns_name_resolve(hostname_t)
+ 
+-
+-
++optional_policy(`
++	xen_dontaudit_use_fds(hostname_t)
++')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-2.3.3/policy/modules/system/hotplug.te
 --- nsaserefpolicy/policy/modules/system/hotplug.te	2006-07-14 17:04:43.000000000 -0400
 +++ serefpolicy-2.3.3/policy/modules/system/hotplug.te	2006-07-17 11:43:02.000000000 -0400
@@ -2685,10 +2726,64 @@
  	', `
  		logging_manage_audit_log(sysadm_t)
  		logging_manage_audit_config(sysadm_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.if serefpolicy-2.3.3/policy/modules/system/xen.if
+--- nsaserefpolicy/policy/modules/system/xen.if	2006-07-14 17:04:43.000000000 -0400
++++ serefpolicy-2.3.3/policy/modules/system/xen.if	2006-07-28 13:26:47.000000000 -0400
+@@ -127,3 +127,41 @@
+ 	allow xm_t $1:fifo_file rw_file_perms;
+ 	allow xm_t $1:process sigchld;
+ ')
++
++
++########################################
++## <summary>
++##	Inherit and use xen file descriptors.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xen_use_fds',`
++	gen_require(`
++		type xen_t;
++	')
++
++	allow $1 xen_t:fd use;
++')
++
++########################################
++## <summary>
++##	Do not audit attempts to inherit
++##	xen file descriptors.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain to not audit.
++##	</summary>
++## </param>
++#
++interface(`xen_dontaudit_use_fds',`
++	gen_require(`
++		type xen_t;
++	')
++
++	dontaudit $1 xen_t:fd use;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/xen.te serefpolicy-2.3.3/policy/modules/system/xen.te
 --- nsaserefpolicy/policy/modules/system/xen.te	2006-07-14 17:04:43.000000000 -0400
-+++ serefpolicy-2.3.3/policy/modules/system/xen.te	2006-07-17 11:43:02.000000000 -0400
-@@ -171,7 +171,7 @@
++++ serefpolicy-2.3.3/policy/modules/system/xen.te	2006-07-28 13:27:17.000000000 -0400
+@@ -70,6 +70,8 @@
+ 
+ allow xend_t self:capability { dac_override ipc_lock net_admin setuid sys_nice sys_tty_config net_raw };
+ allow xend_t self:process { signal sigkill };
++dontaudit xend_t self:process ptrace;
++
+ # internal communication is often done using fifo and unix sockets.
+ allow xend_t self:fifo_file rw_file_perms;
+ allow xend_t self:unix_stream_socket create_stream_socket_perms;
+@@ -171,7 +173,7 @@
  netutils_domtrans(xend_t)
  
  optional_policy(`
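Review bot: The `xen_use_fds` interface added in the xen.if hunk carries the wrong parameter summary: its `<param name="domain">` block says "Domain to not audit.", which is copied from the `xen_dontaudit_use_fds` interface below it, but this interface emits an `allow` rule. The summary should read `##	Domain allowed access.` so the generated interface documentation matches what the rule does. The `xen_dontaudit_use_fds` documentation and the `dontaudit xend_t self:process ptrace;` line in the xen.te part of the hunk look consistent as written; the final xen.te hunk header at @@ -171,7 +173,7 @@ continues past the end of this diff hunk.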


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.236
retrieving revision 1.237
diff -u -r1.236 -r1.237
--- selinux-policy.spec	26 Jul 2006 20:17:15 -0000	1.236
+++ selinux-policy.spec	28 Jul 2006 17:44:17 -0000	1.237
@@ -16,7 +16,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.3.3
-Release: 12
+Release: 13
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -348,11 +348,14 @@
 %endif
 
 %changelog
+* Wed Jul 26 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-13
+- Add nagios policy
+
 * Wed Jul 26 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-12
 -  fixes for setroubleshoot
 
 * Wed Jul 26 2006 Dan Walsh <dwalsh at redhat.com> 2.3.3-11
-- Added Paul Howorth patch to only load policy packages shipped 
+- Added Paul Howarth patch to only load policy packages shipped 
   with this package
 - Allow pidof from initrc to ptrace higher level domains
 - Allow firstboot to communicate with hal via dbus



