rpms/selinux-policy/devel policy-20070219.patch, 1.5, 1.6 sources, 1.108, 1.109
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Mon Feb 26 16:09:14 UTC 2007
Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv28611
Modified Files:
policy-20070219.patch sources
Log Message:
* Fri Feb 23 2007 Dan Walsh <dwalsh at redhat.com> 2.5.5-1
policy-20070219.patch:
Rules.modular | 10
man/man8/kerberos_selinux.8 | 2
policy/flask/access_vectors | 4
policy/global_booleans | 2
policy/global_tunables | 65 +++++
policy/mls | 31 ++
policy/modules/admin/acct.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/kudzu.te | 3
policy/modules/admin/netutils.te | 1
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 44 ++++
policy/modules/admin/rpm.te | 5
policy/modules/admin/su.if | 6
policy/modules/admin/sudo.fc | 2
policy/modules/admin/sudo.if | 5
policy/modules/admin/sudo.te | 1
policy/modules/admin/usermanage.te | 20 +
policy/modules/apps/games.fc | 4
policy/modules/apps/gnome.if | 25 ++
policy/modules/apps/gpg.fc | 2
policy/modules/apps/gpg.if | 1
policy/modules/apps/java.fc | 5
policy/modules/apps/loadkeys.if | 44 +---
policy/modules/apps/mozilla.if | 1
policy/modules/apps/wine.fc | 1
policy/modules/kernel/corecommands.fc | 5
policy/modules/kernel/corecommands.if | 52 ++++
policy/modules/kernel/corenetwork.if.in | 78 ++++++-
policy/modules/kernel/corenetwork.te.in | 15 +
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.if | 18 +
policy/modules/kernel/domain.if | 18 +
policy/modules/kernel/domain.te | 22 ++
policy/modules/kernel/files.if | 56 ++++-
policy/modules/kernel/filesystem.if | 20 +
policy/modules/kernel/kernel.if | 23 +-
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 20 +
policy/modules/kernel/mls.te | 3
policy/modules/kernel/selinux.if | 21 +
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 2
policy/modules/kernel/terminal.te | 1
policy/modules/services/apache.fc | 23 +-
policy/modules/services/apache.if | 158 ++++++++++++++
policy/modules/services/apache.te | 18 +
policy/modules/services/automount.te | 1
policy/modules/services/bluetooth.te | 3
policy/modules/services/ccs.te | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 1
policy/modules/services/cron.if | 33 +--
policy/modules/services/cron.te | 43 +++
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 58 +++++
policy/modules/services/dhcp.te | 2
policy/modules/services/finger.te | 1
policy/modules/services/ftp.te | 11 -
policy/modules/services/hal.fc | 4
policy/modules/services/hal.te | 46 +++-
policy/modules/services/inetd.te | 5
policy/modules/services/kerberos.if | 4
policy/modules/services/kerberos.te | 4
policy/modules/services/mta.te | 2
policy/modules/services/networkmanager.fc | 3
policy/modules/services/nis.if | 4
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 3
policy/modules/services/pegasus.if | 27 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.fc | 1
policy/modules/services/postfix.te | 3
policy/modules/services/procmail.te | 13 -
policy/modules/services/pyzor.if | 22 ++
policy/modules/services/pyzor.te | 7
policy/modules/services/ricci.te | 10
policy/modules/services/rpc.te | 26 ++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.if | 21 +
policy/modules/services/samba.te | 14 -
policy/modules/services/setroubleshoot.te | 4
policy/modules/services/smartmon.te | 1
policy/modules/services/spamassassin.fc | 1
policy/modules/services/spamassassin.if | 41 +++
policy/modules/services/spamassassin.te | 15 +
policy/modules/services/squid.fc | 1
policy/modules/services/squid.if | 2
policy/modules/services/squid.te | 12 +
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 39 +++
policy/modules/services/ssh.te | 5
policy/modules/services/telnet.te | 1
policy/modules/services/uucp.te | 1
policy/modules/services/xserver.if | 2
policy/modules/system/authlogin.if | 87 ++++++-
policy/modules/system/authlogin.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 1
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 14 +
policy/modules/system/init.if | 63 +++++
policy/modules/system/init.te | 26 ++
policy/modules/system/ipsec.if | 100 +++++++++
policy/modules/system/iptables.te | 7
policy/modules/system/libraries.fc | 6
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 5
policy/modules/system/lvm.if | 23 ++
policy/modules/system/lvm.te | 18 +
policy/modules/system/miscfiles.fc | 2
policy/modules/system/modutils.te | 3
policy/modules/system/mount.te | 10
policy/modules/system/raid.te | 4
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 115 ++++++++++
policy/modules/system/selinuxutil.te | 127 +++--------
policy/modules/system/unconfined.fc | 1
policy/modules/system/unconfined.te | 15 +
policy/modules/system/userdomain.if | 329 ++++++++++++++++++++++--------
policy/modules/system/userdomain.te | 38 ++-
policy/modules/system/xen.te | 26 ++
policy/support/obj_perm_sets.spt | 2
126 files changed, 2060 insertions(+), 368 deletions(-)
Index: policy-20070219.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070219.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- policy-20070219.patch 26 Feb 2007 15:06:22 -0000 1.5
+++ policy-20070219.patch 26 Feb 2007 16:09:11 -0000 1.6
@@ -913,7 +913,7 @@
+
+########################################
+## <summary>
-+## Define network type to be a reserved port (< 1024)
++## Define network type to be a reserved port (less than 1024)
+## </summary>
+## <param name="domain">
+## <summary>
@@ -931,7 +931,7 @@
+
+########################################
+## <summary>
-+## Define network type to be a rpc port ( 512< PORT < 1024)
++## Define network type to be a rpc port ( 512 - PORT - 1024)
+## </summary>
+## <param name="domain">
+## <summary>
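Review bot: The rewritten summary `( 512 - PORT - 1024)` no longer states a range; the dashes read as a list of three items rather than as bounds, and the previous hunk shows the intent is only to keep a raw `<` out of the XML summary. `## Define network type to be a rpc port (512 to 1023)` expresses the same bounds without the markup problem; an `&lt;` entity may also be acceptable if the policy doc generator handles entities, which is not visible here. The interface header this comment belongs to continues outside the hunk.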
@@ -1345,6 +1345,42 @@
attribute mlstrustedobject;
attribute privrangetrans;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-2.5.5/policy/modules/kernel/selinux.if
+--- nsaserefpolicy/policy/modules/kernel/selinux.if 2006-11-16 17:15:04.000000000 -0500
++++ serefpolicy-2.5.5/policy/modules/kernel/selinux.if 2007-02-26 10:37:15.000000000 -0500
+@@ -18,11 +18,32 @@
+ interface(`selinux_get_fs_mount',`
+ # read /proc/filesystems to see if selinuxfs is supported
+ # then read /proc/self/mount to see where selinuxfs is mounted
++
++ selinux_getattr_dir($1)
+ kernel_read_system_state($1)
+ ')
+
+ ########################################
+ ## <summary>
++## Allow attempts to get the
++## attributes of the selinuxfs directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`selinux_getattr_dir',`
++ gen_require(`
++ type security_t;
++ ')
++
++ allow $1 security_t:dir getattr;
++')
++
++########################################
++## <summary>
+ ## Do not audit attempts to get the
+ ## attributes of the selinuxfs directory.
+ ## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-2.5.5/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2006-11-16 17:15:04.000000000 -0500
+++ serefpolicy-2.5.5/policy/modules/kernel/storage.fc 2007-02-26 09:53:01.000000000 -0500
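Review bot: The `<param name="domain">` summary of the new `selinux_getattr_dir` interface says `Domain to not audit.`, which is the wording of the dontaudit interface that follows it; this interface grants access (`allow $1 security_t:dir getattr;`), so the parameter text should read `## Domain allowed access.`. Leaving it as-is will propagate into the generated interface documentation and mislead callers about whether the rule is an allow or a dontaudit. The dontaudit interface that follows is only partly visible; its body lies outside the hunk.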
@@ -2069,9 +2105,20 @@
')
optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/finger.te serefpolicy-2.5.5/policy/modules/services/finger.te
+--- nsaserefpolicy/policy/modules/services/finger.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.5/policy/modules/services/finger.te 2007-02-26 10:58:21.000000000 -0500
+@@ -64,7 +64,6 @@
+
+ term_dontaudit_use_console(fingerd_t)
+ term_getattr_all_user_ttys(fingerd_t)
+-term_getattr_all_user_ptys(fingerd_t)
+
+ auth_read_lastlog(fingerd_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.5.5/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.5/policy/modules/services/ftp.te 2007-02-26 09:53:01.000000000 -0500
++++ serefpolicy-2.5.5/policy/modules/services/ftp.te 2007-02-26 10:23:08.000000000 -0500
@@ -125,7 +125,7 @@
auth_append_login_records(ftpd_t)
#kerberized ftp requires the following
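Review bot: The finger.te change drops `term_getattr_all_user_ptys(fingerd_t)` while keeping `term_getattr_all_user_ttys(fingerd_t)`; if fingerd still stats the terminal of logged-in users to report idle time, sessions on ptys will now produce AVC denials rather than silently working — the hunk does not show why the permission is no longer needed. If the intent is only to stop auditing rather than to remove a needed permission, `term_dontaudit_getattr_all_user_ptys(fingerd_t)` (assuming that interface exists in this tree) would keep the log quiet without changing fingerd's behaviour. The surrounding finger.te rules are outside the hunk.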
@@ -2097,6 +2144,17 @@
')
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
+@@ -214,6 +219,10 @@
+ ')
+
+ optional_policy(`
++ kerberos_read_keytab(ftpd_t)
++')
++
++optional_policy(`
+ tunable_policy(`ftp_home_dir',`
+ apache_search_sys_content(ftpd_t)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.fc serefpolicy-2.5.5/policy/modules/services/hal.fc
--- nsaserefpolicy/policy/modules/services/hal.fc 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.5/policy/modules/services/hal.fc 2007-02-26 09:53:01.000000000 -0500
@@ -2242,7 +2300,7 @@
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-2.5.5/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.5/policy/modules/services/kerberos.if 2007-02-26 09:53:01.000000000 -0500
++++ serefpolicy-2.5.5/policy/modules/services/kerberos.if 2007-02-26 10:16:38.000000000 -0500
@@ -40,8 +40,8 @@
files_search_etc($1)
allow $1 krb5_conf_t:file { getattr read };
@@ -2350,13 +2408,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.te serefpolicy-2.5.5/policy/modules/services/nscd.te
--- nsaserefpolicy/policy/modules/services/nscd.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 09:53:01.000000000 -0500
-@@ -113,10 +113,14 @@
- ifdef(`targeted_policy',`
- term_use_unallocated_ttys(nscd_t)
- term_use_generic_ptys(nscd_t)
-+ term_dontaudit_use_all_user_ptys(nscd_t)
-
++++ serefpolicy-2.5.5/policy/modules/services/nscd.te 2007-02-26 10:57:49.000000000 -0500
+@@ -117,6 +117,9 @@
term_dontaudit_use_unallocated_ttys(nscd_t)
term_dontaudit_use_generic_ptys(nscd_t)
files_dontaudit_read_root_files(nscd_t)
@@ -2430,8 +2483,8 @@
/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.5.5/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-01-02 12:57:43.000000000 -0500
-+++ serefpolicy-2.5.5/policy/modules/services/postfix.te 2007-02-26 09:53:01.000000000 -0500
-@@ -173,9 +173,12 @@
++++ serefpolicy-2.5.5/policy/modules/services/postfix.te 2007-02-26 10:58:24.000000000 -0500
+@@ -173,6 +173,8 @@
mta_rw_aliases(postfix_master_t)
mta_read_sendmail_bin(postfix_master_t)
@@ -2440,11 +2493,7 @@
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(postfix_master_t)
term_dontaudit_use_generic_ptys(postfix_master_t)
-+ term_dontaudit_use_all_user_ptys(postfix_master_t)
- ')
-
- optional_policy(`
-@@ -386,6 +389,7 @@
+@@ -386,6 +388,7 @@
postfix_list_spool(postfix_pickup_t)
@@ -3042,6 +3091,17 @@
')
tunable_policy(`ssh_sysadm_login',`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/telnet.te serefpolicy-2.5.5/policy/modules/services/telnet.te
+--- nsaserefpolicy/policy/modules/services/telnet.te 2007-01-02 12:57:43.000000000 -0500
++++ serefpolicy-2.5.5/policy/modules/services/telnet.te 2007-02-26 10:23:52.000000000 -0500
+@@ -88,6 +88,7 @@
+ # for identd; cjp: this should probably only be inetd_child rules?
+ optional_policy(`
+ kerberos_use(telnetd_t)
++ kerberos_read_keytab(ftpd_t)
+ ')
+
+ optional_policy(`
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uucp.te serefpolicy-2.5.5/policy/modules/services/uucp.te
--- nsaserefpolicy/policy/modules/services/uucp.te 2007-01-02 12:57:43.000000000 -0500
+++ serefpolicy-2.5.5/policy/modules/services/uucp.te 2007-02-26 09:53:01.000000000 -0500
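Review bot: The line added to telnet.te, `kerberos_read_keytab(ftpd_t)`, names the ftp daemon's type inside the telnetd kerberos block, directly after `kerberos_use(telnetd_t)`; it appears to be a copy of the ftp.te hunk earlier in this commit. As written telnetd_t gains no keytab access, and the telnet module now carries a rule for a type it does not declare, which would fail to build as a loadable module unless ftpd_t is required somewhere in telnet.te (not visible in the hunk). The intended line is presumably `kerberos_read_keytab(telnetd_t)`. The enclosing `optional_policy` block is fully inside the hunk, but the file continues past it.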
@@ -3537,7 +3597,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-2.5.5/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2007-02-19 11:32:53.000000000 -0500
-+++ serefpolicy-2.5.5/policy/modules/system/iptables.te 2007-02-26 09:53:01.000000000 -0500
++++ serefpolicy-2.5.5/policy/modules/system/iptables.te 2007-02-26 10:59:31.000000000 -0500
@@ -51,7 +51,7 @@
mls_file_read_up(iptables_t)
@@ -3547,7 +3607,7 @@
domain_use_interactive_fds(iptables_t)
-@@ -77,9 +77,11 @@
+@@ -77,9 +77,10 @@
userdom_use_all_users_fds(iptables_t)
ifdef(`targeted_policy', `
@@ -3555,7 +3615,6 @@
- term_dontaudit_use_generic_ptys(iptables_t)
+ term_use_unallocated_ttys(iptables_t)
+ term_use_generic_ptys(iptables_t)
-+ term_use_all_user_ptys(iptables_t)
files_dontaudit_read_root_files(iptables_t)
+ unconfined_rw_pipes(iptables_t)
')
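Review bot: With `term_use_all_user_ptys(iptables_t)` dropped, the targeted-policy block still replaces the former `term_dontaudit_use_generic_ptys(iptables_t)` with the allow rules `term_use_unallocated_ttys(iptables_t)` and `term_use_generic_ptys(iptables_t)`, alongside `unconfined_rw_pipes(iptables_t)`. If the goal is only to stop denials when iptables is run from a terminal, the dontaudit forms keep iptables_t's terminal access as tight as before; if iptables genuinely needs to write to the terminal in targeted policy, a one-line comment saying so would keep the next reader from reverting it. The `ifdef(\`targeted_policy'` header for this block is outside the hunk.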
Index: sources
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/sources,v
retrieving revision 1.108
retrieving revision 1.109
diff -u -r1.108 -r1.109
--- sources 26 Feb 2007 15:06:22 -0000 1.108
+++ sources 26 Feb 2007 16:09:11 -0000 1.109
@@ -1 +1 @@
-a9adb3c1639a0c085a6be3913a4118c8 serefpolicy-2.5.5.tgz
+0fc9386606726b64202773fe3a0cd064 serefpolicy-2.5.5.tgz