rpms/selinux-policy/devel policy-20070703.patch, 1.33, 1.34 selinux-policy.spec, 1.496, 1.497

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Aug 15 00:55:51 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30010

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Tue Aug 14 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-7
- allow dovecot to search mountpoints


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- policy-20070703.patch	11 Aug 2007 11:18:09 -0000	1.33
+++ policy-20070703.patch	15 Aug 2007 00:55:49 -0000	1.34
@@ -2616,7 +2616,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.0.5/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-07-03 07:05:38.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/kernel/files.if	2007-08-09 14:25:41.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/kernel/files.if	2007-08-14 08:15:36.000000000 -0400
 @@ -343,8 +343,7 @@
  
  ########################################
@@ -2667,7 +2667,41 @@
  ')
  
  ########################################
-@@ -3323,6 +3339,24 @@
+@@ -885,6 +901,8 @@
+ 		attribute file_type;
+ 	')
+ 
++	# Have to be able to read badly labeled files like file_context and ld.so.cache
++	files_read_all_files($1)
+ 	allow $1 { file_type $2 }:dir list_dir_perms;
+ 	relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
+ 	relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
+@@ -1106,6 +1124,24 @@
+ 
+ ########################################
+ ## <summary>
++##	search all mount points.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`files_search_all_mountpoints',`
++	gen_require(`
++		attribute mountpoint;
++	')
++
++	allow $1 mountpoint:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ##	List the contents of the root directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -3323,6 +3359,24 @@
  
  ########################################
  ## <summary>
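Review bot: The added `files_read_all_files($1)` (inner files.if hunk at line 885) grants read on every file type to each caller of this interface, and it takes no `$2` argument, unlike the `relabel_dirs_pattern` and `relabel_files_pattern` rules below it, so whatever a caller passes in `$2` to narrow the relabel set does not narrow the read grant. The comment names only file_context and ld.so.cache as the badly labelled files that need this; a read rule scoped to those types would keep the grant matched to the stated need. The enclosing interface starts before this hunk, so its name and documented contract are not visible here. The summary of the new `files_search_all_mountpoints` also starts in lower case, unlike `List the contents of the root directory.` right after it.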
@@ -2692,7 +2726,7 @@
  ##	Get the attributes of files in /usr.
  ## </summary>
  ## <param name="domain">
-@@ -3381,7 +3415,7 @@
+@@ -3381,7 +3435,7 @@
  
  ########################################
  ## <summary>
@@ -2701,7 +2735,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3389,17 +3423,17 @@
+@@ -3389,17 +3443,17 @@
  ##	</summary>
  ## </param>
  #
@@ -2722,7 +2756,7 @@
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -3407,12 +3441,12 @@
+@@ -3407,12 +3461,12 @@
  ##	</summary>
  ## </param>
  #
@@ -2737,7 +2771,7 @@
  ')
  
  ########################################
-@@ -4043,7 +4077,7 @@
+@@ -4043,7 +4097,7 @@
  		type var_t, var_lock_t;
  	')
  
@@ -2746,7 +2780,7 @@
  ')
  
  ########################################
-@@ -4560,6 +4594,8 @@
+@@ -4560,6 +4614,8 @@
  	# Need to give access to /selinux/member
  	selinux_compute_member($1)
  
@@ -2755,7 +2789,7 @@
  	# Need sys_admin capability for mounting
  	allow $1 self:capability { chown fsetid sys_admin };
  
-@@ -4582,6 +4618,11 @@
+@@ -4582,6 +4638,11 @@
  	# Default type for mountpoints
  	allow $1 poly_t:dir { create mounton };
  	fs_unmount_xattr_fs($1)
@@ -2767,7 +2801,7 @@
  ')
  
  ########################################
-@@ -4619,3 +4660,28 @@
+@@ -4619,3 +4680,28 @@
  
  	allow $1 { file_type -security_file_type }:dir manage_dir_perms;
  ')
@@ -3467,7 +3501,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.5/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/apache.te	2007-08-07 10:24:54.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/apache.te	2007-08-14 10:30:04.000000000 -0400
 @@ -30,6 +30,13 @@
  
  ## <desc>
@@ -4156,8 +4190,8 @@
  /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-3.0.5/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/clamav.te	2007-08-07 09:39:49.000000000 -0400
-@@ -74,17 +74,19 @@
++++ serefpolicy-3.0.5/policy/modules/services/clamav.te	2007-08-13 19:29:14.000000000 -0400
+@@ -74,17 +74,20 @@
  manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
  
  # log files
@@ -4177,10 +4211,11 @@
  kernel_dontaudit_list_proc(clamd_t)
  kernel_read_sysctl(clamd_t)
 +kernel_read_kernel_sysctls(clamd_t)
++kernel_read_system_state(clamd_t)
  
  corenet_all_recvfrom_unlabeled(clamd_t)
  corenet_all_recvfrom_netlabel(clamd_t)
-@@ -208,9 +210,12 @@
+@@ -208,9 +211,12 @@
  files_tmp_filetrans(clamscan_t,clamscan_tmp_t,{ file dir })
  
  # var/lib files together with clamd
@@ -4194,7 +4229,7 @@
  kernel_read_kernel_sysctls(clamscan_t)
  
  files_read_etc_files(clamscan_t)
-@@ -228,3 +233,7 @@
+@@ -228,3 +234,7 @@
  optional_policy(`
  	apache_read_sys_content(clamscan_t)
  ')
@@ -5143,7 +5178,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.5/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/dovecot.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/dovecot.te	2007-08-14 08:15:55.000000000 -0400
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -5175,6 +5210,15 @@
  kernel_read_kernel_sysctls(dovecot_t)
  kernel_read_system_state(dovecot_t)
  
+@@ -99,7 +105,7 @@
+ files_dontaudit_list_default(dovecot_t)
+ # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+ files_read_etc_runtime_files(dovecot_t)
+-files_getattr_all_mountpoints(dovecot_t)
++files_search_all_mountpoints(dovecot_t)
+ 
+ init_getattr_utmp(dovecot_t)
+ 
 @@ -111,9 +117,6 @@
  miscfiles_read_certs(dovecot_t)
  miscfiles_read_localization(dovecot_t)
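Review bot: The comment above the changed line still justifies the access only by getmntent(), which accounts for the `files_read_etc_runtime_files` line but not for why dovecot_t now needs `search` on every `mountpoint` directory in place of `getattr`. Suggest extending it with the actual reason taken from the denial, e.g. `# quota support traverses the mount points, so search is needed, not only getattr`, if that is what the AVC showed. Since `files_getattr_all_mountpoints` is dropped rather than kept alongside, it is also worth confirming that `search_dir_perms` still includes getattr in this policy version.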
@@ -5238,7 +5282,7 @@
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -185,12 +190,41 @@
+@@ -185,12 +190,46 @@
  
  seutil_dontaudit_search_config(dovecot_auth_t)
  
@@ -5259,6 +5303,10 @@
 +	postfix_search_spool(dovecot_auth_t)
 +')
 +
++# for gssapi (kerberos)
++userdom_list_unpriv_users_tmp(dovecot_auth_t) 
++userdom_read_unpriv_users_tmp_files(dovecot_auth_t) 
++userdom_read_unpriv_users_tmp_symlinks(dovecot_auth_t) 
 +
 +########################################
 +#
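Review bot: The three `userdom_*_unpriv_users_tmp*` calls added under "for gssapi (kerberos)" give dovecot_auth_t read access to every unprivileged user's temporary files unconditionally, while the rpc.te section of this same patch keeps the identical three calls for gssd_t behind the `allow_gssd_read_tmp` tunable. Wrapping them in a `tunable_policy` block keyed on a boolean would let sites that do not use Kerberos authentication leave the access off. Each of the three added lines also ends in a trailing space.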
@@ -5283,6 +5331,7 @@
 +optional_policy(`
 +	mta_manage_spool(dovecot_deliver_t)
  ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.0.5/policy/modules/services/ftp.te
 --- nsaserefpolicy/policy/modules/services/ftp.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/ftp.te	2007-08-07 09:39:49.000000000 -0400
@@ -5704,8 +5753,16 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.5/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/mailman.te	2007-08-07 09:39:49.000000000 -0400
-@@ -96,6 +96,7 @@
++++ serefpolicy-3.0.5/policy/modules/services/mailman.te	2007-08-13 19:39:48.000000000 -0400
+@@ -55,6 +55,7 @@
+ 	apache_use_fds(mailman_cgi_t)
+ 	apache_dontaudit_append_log(mailman_cgi_t)
+ 	apache_search_sys_script_state(mailman_cgi_t)
++	apache_read_config(mailman_cgi_t)
+ 
+ 	optional_policy(`
+ 		nscd_socket_use(mailman_cgi_t)
+@@ -96,6 +97,7 @@
  kernel_read_proc_symlinks(mailman_queue_t)
  
  auth_domtrans_chk_passwd(mailman_queue_t)
@@ -6003,7 +6060,16 @@
  /var/run/wpa_supplicant(/.*)?		gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.0.5/policy/modules/services/networkmanager.te
 --- nsaserefpolicy/policy/modules/services/networkmanager.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te	2007-08-10 15:24:52.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/networkmanager.te	2007-08-13 06:44:14.000000000 -0400
+@@ -20,7 +20,7 @@
+ 
+ # networkmanager will ptrace itself if gdb is installed
+ # and it receives a unexpected signal (rh bug #204161) 
+-allow NetworkManager_t self:capability { kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
++allow NetworkManager_t self:capability { chown kill setgid setuid sys_nice dac_override net_admin net_raw net_bind_service ipc_lock };
+ dontaudit NetworkManager_t self:capability { sys_tty_config sys_ptrace };
+ allow NetworkManager_t self:process { ptrace setcap setpgid getsched signal_perms };
+ allow NetworkManager_t self:fifo_file rw_fifo_file_perms;
 @@ -41,6 +41,8 @@
  kernel_read_kernel_sysctls(NetworkManager_t)
  kernel_load_module(NetworkManager_t)
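Review bot: `chown` is added to the NetworkManager_t capability set with no comment saying which operation needs it; the only comment above the rule is about ptrace and gdb. The set already holds `dac_override`, `setuid` and `setgid`, so each further capability deserves a one-line rationale above the allow rule, for example `# chown: <file whose ownership NetworkManager changes, from the AVC>`.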
@@ -6169,8 +6235,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.fc serefpolicy-3.0.5/policy/modules/services/ntp.fc
 --- nsaserefpolicy/policy/modules/services/ntp.fc	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/ntp.fc	2007-08-07 09:39:49.000000000 -0400
-@@ -17,3 +17,7 @@
++++ serefpolicy-3.0.5/policy/modules/services/ntp.fc	2007-08-11 23:28:27.000000000 -0400
+@@ -17,3 +17,8 @@
  /var/log/xntpd.*		--	gen_context(system_u:object_r:ntpd_log_t,s0)
  
  /var/run/ntpd\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
@@ -6178,16 +6244,35 @@
 +/etc/ntp/crypto(/.*)?         gen_context(system_u:object_r:ntpd_key_t,s0)
 +/etc/ntp/keys              -- gen_context(system_u:object_r:ntpd_key_t,s0)
 +
++/etc/rc\.d/init\.d/ntpd	--	gen_context(system_u:object_r:ntpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.if serefpolicy-3.0.5/policy/modules/services/ntp.if
 --- nsaserefpolicy/policy/modules/services/ntp.if	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/ntp.if	2007-08-10 15:57:31.000000000 -0400
-@@ -53,3 +53,41 @@
++++ serefpolicy-3.0.5/policy/modules/services/ntp.if	2007-08-11 07:50:33.000000000 -0400
+@@ -53,3 +53,59 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,ntpdate_exec_t,ntpd_t)
  ')
 +
 +########################################
 +## <summary>
++##	Execute ntp server in the ntpd domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	The type of the process performing this action.
++##	</summary>
++## </param>
++#
++interface(`ntp_script_domtrans',`
++	gen_require(`
++		type ntpd_script_exec_t;
++	')
++
++	init_script_domtrans_spec($1,ntpd_script_exec_t)
++')
++
++########################################
++## <summary>
 +##	Allow the specified domain to manage
 +##	ntp pid file
 +## </summary>
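Review bot: The summary of `ntp_script_domtrans` says the ntp server is executed in the ntpd domain, but the body calls `init_script_domtrans_spec($1,ntpd_script_exec_t)`, which in the init.if section of this patch is a `domtrans_pattern` into initrc_t. Suggest `##	Execute the ntpd init script in the initrc domain.` so that a caller can see it is gaining an initrc_t transition rather than an ntpd_t one. The parameter text could match the neighbouring interfaces with `Domain allowed access.`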
@@ -6225,18 +6310,21 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.te serefpolicy-3.0.5/policy/modules/services/ntp.te
 --- nsaserefpolicy/policy/modules/services/ntp.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/ntp.te	2007-08-07 09:39:49.000000000 -0400
-@@ -25,6 +25,9 @@
++++ serefpolicy-3.0.5/policy/modules/services/ntp.te	2007-08-11 07:40:43.000000000 -0400
+@@ -25,6 +25,12 @@
  type ntpdate_exec_t;
  init_system_domain(ntpd_t,ntpdate_exec_t)
  
 +type ntpd_key_t;
 +files_type(ntpd_key_t)
 +
++type ntpd_script_exec_t;
++init_script_type(ntpd_script_exec_t)
++
  ########################################
  #
  # Local policy
-@@ -36,6 +39,7 @@
+@@ -36,6 +42,7 @@
  dontaudit ntpd_t self:capability { net_admin sys_tty_config fsetid sys_nice };
  allow ntpd_t self:process { signal_perms setcap setsched setrlimit };
  allow ntpd_t self:fifo_file { read write getattr };
@@ -6244,7 +6332,7 @@
  allow ntpd_t self:unix_dgram_socket create_socket_perms;
  allow ntpd_t self:unix_stream_socket create_socket_perms;
  allow ntpd_t self:tcp_socket create_stream_socket_perms;
-@@ -49,6 +53,8 @@
+@@ -49,6 +56,8 @@
  manage_files_pattern(ntpd_t,ntpd_log_t,ntpd_log_t)
  logging_log_filetrans(ntpd_t,ntpd_log_t,{ file dir })
  
@@ -6253,7 +6341,7 @@
  # for some reason it creates a file in /tmp
  manage_dirs_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
  manage_files_pattern(ntpd_t,ntpd_tmp_t,ntpd_tmp_t)
-@@ -82,6 +88,8 @@
+@@ -82,6 +91,8 @@
  
  fs_getattr_all_fs(ntpd_t)
  fs_search_auto_mountpoints(ntpd_t)
@@ -6262,7 +6350,7 @@
  
  auth_use_nsswitch(ntpd_t)
  
-@@ -107,6 +115,8 @@
+@@ -107,6 +118,8 @@
  
  sysnet_read_config(ntpd_t)
  
@@ -6271,7 +6359,7 @@
  userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
  userdom_list_sysadm_home_dirs(ntpd_t)
  userdom_dontaudit_list_sysadm_home_dirs(ntpd_t)
-@@ -126,9 +136,14 @@
+@@ -126,9 +139,14 @@
  ')
  
  optional_policy(`
@@ -6653,7 +6741,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.5/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/postfix.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/postfix.te	2007-08-13 19:37:24.000000000 -0400
 @@ -83,6 +83,12 @@
  type postfix_var_run_t;
  files_pid_file(postfix_var_run_t)
@@ -6697,7 +6785,16 @@
  ###########################################################
  #
  # Partially converted rules.  THESE ARE ONLY TEMPORARY
-@@ -377,7 +396,7 @@
+@@ -263,6 +282,8 @@
+ 
+ files_read_etc_files(postfix_local_t)
+ 
++logging_dontaudit_search_logs(postfix_local_t)
++
+ mta_read_aliases(postfix_local_t)
+ mta_delete_spool(postfix_local_t)
+ # For reading spamassasin
+@@ -377,7 +398,7 @@
  # Postfix pipe local policy
  #
  
@@ -6706,7 +6803,7 @@
  
  write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
  
-@@ -386,6 +405,10 @@
+@@ -386,6 +407,10 @@
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
  optional_policy(`
@@ -6717,7 +6814,7 @@
  	procmail_domtrans(postfix_pipe_t)
  ')
  
-@@ -426,6 +449,11 @@
+@@ -426,6 +451,11 @@
  	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
  ')
  
@@ -6729,7 +6826,7 @@
  optional_policy(`
  	ppp_use_fds(postfix_postqueue_t)
  	ppp_sigchld(postfix_postqueue_t)
-@@ -505,8 +533,6 @@
+@@ -505,8 +535,6 @@
  # Postfix smtp delivery local policy
  #
  
@@ -6738,7 +6835,7 @@
  # connect to master process
  stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
-@@ -514,6 +540,8 @@
+@@ -514,6 +542,8 @@
  
  allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
  
@@ -6747,7 +6844,7 @@
  optional_policy(`
  	cyrus_stream_connect(postfix_smtp_t)
  ')
-@@ -538,9 +566,45 @@
+@@ -538,9 +568,45 @@
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
@@ -7024,7 +7121,7 @@
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.5/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/rpc.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/rpc.te	2007-08-13 07:08:48.000000000 -0400
 @@ -59,10 +59,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -7083,18 +7180,6 @@
  kernel_read_network_state(gssd_t)
  kernel_read_network_state_symlinks(gssd_t)	
  kernel_search_network_sysctl(gssd_t)	
-@@ -158,6 +171,11 @@
- 
- miscfiles_read_certs(gssd_t)
- 
-+ifdef(`targeted_policy',`
-+	# Manage the users kerberos tgt file
-+	files_manage_generic_tmp_files(gssd_t) 
-+')
-+
- tunable_policy(`allow_gssd_read_tmp',`
- 	userdom_list_unpriv_users_tmp(gssd_t) 
- 	userdom_read_unpriv_users_tmp_files(gssd_t) 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.5/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/services/rshd.te	2007-08-07 09:39:49.000000000 -0400
@@ -7923,7 +8008,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.5/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/services/ssh.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/services/ssh.te	2007-08-14 20:40:43.000000000 -0400
 @@ -24,7 +24,7 @@
  
  # Type for the ssh-agent executable.
@@ -7933,7 +8018,16 @@
  
  # ssh client executable.
  type ssh_exec_t;
-@@ -100,6 +100,11 @@
+@@ -73,6 +73,8 @@
+ manage_sock_files_pattern(sshd_t,sshd_tmp_t,sshd_tmp_t)
+ files_tmp_filetrans(sshd_t, sshd_tmp_t, { dir file sock_file })
+ 
++fs_search_auto_mountpoints(sshd_t)
++
+ kernel_search_key(sshd_t)
+ kernel_link_key(sshd_t)
+ 
+@@ -100,6 +102,11 @@
  	userdom_use_unpriv_users_ptys(sshd_t)
  ')
  
@@ -7945,7 +8039,7 @@
  optional_policy(`
  	daemontools_service_domain(sshd_t, sshd_exec_t)
  ')
-@@ -119,7 +124,12 @@
+@@ -119,7 +126,12 @@
  ')
  
  optional_policy(`
@@ -9189,8 +9283,139 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.0.5/policy/modules/system/init.if
 --- nsaserefpolicy/policy/modules/system/init.if	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/init.if	2007-08-07 09:39:49.000000000 -0400
-@@ -1250,7 +1250,7 @@
++++ serefpolicy-3.0.5/policy/modules/system/init.if	2007-08-11 23:38:19.000000000 -0400
+@@ -538,18 +538,19 @@
+ #
+ interface(`init_spec_domtrans_script',`
+ 	gen_require(`
+-		type initrc_t, initrc_exec_t;
++		type initrc_t;
++		attribute initscript;
+ 	')
+ 
+ 	files_list_etc($1)
+-	spec_domtrans_pattern($1,initrc_exec_t,initrc_t)
++	spec_domtrans_pattern($1,initscript,initrc_t)
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
++		range_transition $1 initscript:process s0;
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++		range_transition $1 initscript:process s0 - mls_systemhigh;
+ 	')
+ ')
+ 
+@@ -565,18 +566,46 @@
+ #
+ interface(`init_domtrans_script',`
+ 	gen_require(`
+-		type initrc_t, initrc_exec_t;
++		type initrc_t;
++		attribute initscript;
+ 	')
+ 
+ 	files_list_etc($1)
+-	domtrans_pattern($1,initrc_exec_t,initrc_t)
++	domtrans_pattern($1,initscript,initrc_t)
+ 
+ 	ifdef(`enable_mcs',`
+-		range_transition $1 initrc_exec_t:process s0;
++		range_transition $1 initscript:process s0;
+ 	')
+ 
+ 	ifdef(`enable_mls',`
+-		range_transition $1 initrc_exec_t:process s0 - mls_systemhigh;
++		range_transition $1 initscript:process s0 - mls_systemhigh;
++	')
++')
++
++########################################
++## <summary>
++##	Execute init a specific script with an automatic domain transition.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`init_script_domtrans_spec',`
++	gen_require(`
++		type initrc_t;
++	')
++
++	files_list_etc($1)
++	domtrans_pattern($1,$2,initrc_t)
++
++	ifdef(`enable_mcs',`
++		range_transition $1 $2:process s0;
++	')
++
++	ifdef(`enable_mls',`
++		range_transition $1 $2:process s0 - mls_systemhigh;
+ 	')
+ ')
+ 
+@@ -607,11 +636,11 @@
+ # cjp: added for gentoo integrated run_init
+ interface(`init_script_file_domtrans',`
+ 	gen_require(`
+-		type initrc_exec_t;
++		attribute initscript;
+ 	')
+ 
+ 	files_list_etc($1)
+-	domain_auto_trans($1,initrc_exec_t,$2)
++	domain_auto_trans($1,initscript,$2)
+ ')
+ 
+ ########################################
+@@ -682,11 +711,11 @@
+ #
+ interface(`init_getattr_script_files',`
+ 	gen_require(`
+-		type initrc_exec_t;
++		attribute initscript;
+ 	')
+ 
+ 	files_list_etc($1)
+-	allow $1 initrc_exec_t:file getattr;
++	allow $1 initscript:file getattr;
+ ')
+ 
+ ########################################
+@@ -701,11 +730,11 @@
+ #
+ interface(`init_exec_script_files',`
+ 	gen_require(`
+-		type initrc_exec_t;
++		attribute initscript;
+ 	')
+ 
+ 	files_list_etc($1)
+-	can_exec($1,initrc_exec_t)
++	can_exec($1,initscript)
+ ')
+ 
+ ########################################
+@@ -1028,11 +1057,11 @@
+ #
+ interface(`init_read_script_files',`
+ 	gen_require(`
+-		type initrc_exec_t;
++		attribute initscript;
+ 	')
+ 
+ 	files_search_etc($1)
+-	allow $1 initrc_exec_t:file read_file_perms;
++	allow $1 initscript:file read_file_perms;
+ ')
+ 
+ ########################################
+@@ -1250,7 +1279,7 @@
  		type initrc_var_run_t;
  	')
  
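Review bot: `init_script_domtrans_spec` uses `$2` in `domtrans_pattern($1,$2,initrc_t)` and in both `range_transition` rules, yet its header documents only the `domain` parameter and nothing in the body requires or constrains the type passed as `$2`. Add a second `<param>` block stating that the argument must be an init script type declared through `init_script_type`, and reword the summary to `Execute a specific init script with an automatic domain transition.` Separately, replacing `initrc_exec_t` with the `initscript` attribute in the existing interfaces extends each of them to every type that carries the attribute, which their summaries do not yet say.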
@@ -9199,7 +9424,7 @@
  ')
  
  ########################################
-@@ -1271,3 +1271,42 @@
+@@ -1271,3 +1300,64 @@
  	files_search_pids($1)
  	allow $1 initrc_var_run_t:file manage_file_perms;
  ')
@@ -9242,9 +9467,31 @@
 +
 +	allow $1 init_t:process ptrace;
 +')
++
++########################################
++## <summary>
++##	Make the specified type usable for initscripts
++##	in a filesystem.
++## </summary>
++## <param name="type">
++##	<summary>
++##	Type to be used for files.
++##	</summary>
++## </param>
++#
++interface(`init_script_type',`
++	gen_require(`
++		type initrc_t;
++		attribute initscript;
++	')
++
++	typeattribute $1 initscript;
++	domain_entry_file(initrc_t,$1)
++
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.0.5/policy/modules/system/init.te
 --- nsaserefpolicy/policy/modules/system/init.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/init.te	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/init.te	2007-08-11 07:48:04.000000000 -0400
 @@ -10,6 +10,20 @@
  # Declarations
  #
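Review bot: The summary of `init_script_type` speaks only of file labelling, but `typeattribute $1 initscript` together with `domain_entry_file(initrc_t,$1)` makes the type an entry point into initrc_t and exposes it to every interface this commit rewrites to use the `initscript` attribute. Suggest stating that in the summary, e.g. `##	Make the specified type an init script entry point for initrc_t.`, so module authors know what they grant by calling it. The blank line before the closing `')` can be dropped.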
@@ -9266,7 +9513,25 @@
  # used for direct running of init scripts
  # by admin domains
  attribute direct_run_init;
-@@ -73,7 +87,7 @@
+@@ -19,6 +33,8 @@
+ # Mark process types as daemons
+ attribute daemon;
+ 
++attribute initscript;
++
+ #
+ # init_t is the domain of the init process.
+ #
+@@ -45,7 +61,7 @@
+ mls_trusted_object(initctl_t)
+ 
+ type initrc_t;
+-type initrc_exec_t;
++type initrc_exec_t, initscript;
+ domain_type(initrc_t)
+ domain_entry_file(initrc_t,initrc_exec_t)
+ role system_r types initrc_t;
+@@ -73,7 +89,7 @@
  #
  
  # Use capabilities. old rule:
@@ -9275,7 +9540,7 @@
  # is ~sys_module really needed? observed: 
  # sys_boot
  # sys_tty_config
-@@ -189,7 +203,7 @@
+@@ -189,7 +205,7 @@
  #
  
  allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
@@ -9284,7 +9549,7 @@
  dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
  allow initrc_t self:passwd rootok;
  
-@@ -204,8 +218,7 @@
+@@ -204,10 +220,9 @@
  allow initrc_t initrc_devpts_t:chr_file rw_term_perms;
  term_create_pty(initrc_t,initrc_devpts_t)
  
@@ -9292,9 +9557,12 @@
 -init_exec(initrc_t)
 +init_telinit(initrc_t)
  
- can_exec(initrc_t,initrc_exec_t)
+-can_exec(initrc_t,initrc_exec_t)
++can_exec(initrc_t,initscript)
  
-@@ -501,6 +514,39 @@
+ manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
+ manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+@@ -501,6 +516,39 @@
  ')
  
  optional_policy(`
@@ -9334,7 +9602,7 @@
  	amavis_search_lib(initrc_t)
  	amavis_setattr_pid_files(initrc_t)
  ')
-@@ -636,12 +682,6 @@
+@@ -636,12 +684,6 @@
  	mta_read_config(initrc_t)
  	mta_dontaudit_read_spool_symlinks(initrc_t)
  ')
@@ -9347,7 +9615,7 @@
  
  optional_policy(`
  	ifdef(`distro_redhat',`
-@@ -707,6 +747,9 @@
+@@ -707,6 +749,9 @@
  
  	# why is this needed:
  	rpm_manage_db(initrc_t)
@@ -9474,17 +9742,28 @@
 +/var/cache/ldconfig(/.*)?			    	gen_context(system_u:object_r:ld_so_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.te serefpolicy-3.0.5/policy/modules/system/libraries.te
 --- nsaserefpolicy/policy/modules/system/libraries.te	2007-08-02 08:17:28.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/libraries.te	2007-08-11 06:57:43.000000000 -0400
-@@ -46,7 +46,7 @@
++++ serefpolicy-3.0.5/policy/modules/system/libraries.te	2007-08-13 07:20:30.000000000 -0400
+@@ -44,9 +44,9 @@
+ # ldconfig local policy
+ #
  
- allow ldconfig_t self:capability sys_chroot;
+-allow ldconfig_t self:capability sys_chroot;
++allow ldconfig_t self:capability { dac_override sys_chroot };
  
 -allow ldconfig_t ld_so_cache_t:file manage_file_perms;
 +manage_files_pattern(ldconfig_t,ld_so_cache_t,ld_so_cache_t)
  files_etc_filetrans(ldconfig_t,ld_so_cache_t,file)
  
  manage_dirs_pattern(ldconfig_t,ldconfig_tmp_t,ldconfig_tmp_t)
-@@ -96,4 +96,11 @@
+@@ -62,6 +62,7 @@
+ 
+ domain_use_interactive_fds(ldconfig_t)
+ 
++files_search_home(ldconfig_t)
+ files_search_var_lib(ldconfig_t)
+ files_read_etc_files(ldconfig_t)
+ files_search_tmp(ldconfig_t)
+@@ -96,4 +97,11 @@
  	# and executes ldconfig on it.  If you dont allow this kernel installs 
  	# blow up.
  	rpm_manage_script_tmp_files(ldconfig_t)
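Review bot: `dac_override` is added to ldconfig_t with no comment, and it lets ldconfig bypass discretionary permission checks on any file its type enforcement rules already reach. If the denial came from a single path (the neighbouring `files_search_home(ldconfig_t)` suggests libraries under a home directory, though the hunk does not say), a `dontaudit ldconfig_t self:capability dac_override;` or a fix to that directory's mode may be enough; please confirm against the AVC. At minimum add a comment above the rule such as `# dac_override: <path and reason from the AVC>`.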
@@ -9584,7 +9863,7 @@
 +/var/log/syslog-ng(/.*)?	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.5/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/logging.if	2007-08-07 09:39:49.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/logging.if	2007-08-13 19:36:18.000000000 -0400
 @@ -33,8 +33,13 @@
  ## </param>
  #
@@ -10693,7 +10972,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.te serefpolicy-3.0.5/policy/modules/system/sysnetwork.te
 --- nsaserefpolicy/policy/modules/system/sysnetwork.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/sysnetwork.te	2007-08-10 16:21:05.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/sysnetwork.te	2007-08-11 07:46:16.000000000 -0400
 @@ -45,7 +45,7 @@
  dontaudit dhcpc_t self:capability sys_tty_config;
  # for access("/etc/bashrc", X_OK) on Red Hat
@@ -10714,7 +10993,7 @@
  	optional_policy(`
  		networkmanager_dbus_chat(dhcpc_t)
  	')
-@@ -205,7 +209,13 @@
+@@ -205,7 +209,12 @@
  optional_policy(`
  	# dhclient sometimes starts ntpd
  	init_exec_script_files(dhcpc_t)
@@ -10723,12 +11002,11 @@
 +optional_policy(`
  	ntp_domtrans(dhcpc_t)
 +	ntp_domtrans_ntpdate(dhcpc_t)
-+	ntp_manage_pid(dhcpc_t)
-+	ntp_signal(dhcpc_t)
++	ntp_script_domtrans(dhcpc_t)
  ')
  
  optional_policy(`
-@@ -216,6 +226,7 @@
+@@ -216,6 +225,7 @@
  optional_policy(`
  	seutil_sigchld_newrole(dhcpc_t)
  	seutil_dontaudit_search_config(dhcpc_t)
@@ -10736,7 +11014,7 @@
  ')
  
  optional_policy(`
-@@ -280,6 +291,8 @@
+@@ -280,6 +290,8 @@
  fs_getattr_xattr_fs(ifconfig_t)
  fs_search_auto_mountpoints(ifconfig_t)
  
@@ -10849,7 +11127,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.5/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/unconfined.if	2007-08-10 15:24:16.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/unconfined.if	2007-08-14 10:30:29.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -10901,7 +11179,7 @@
  	read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
  	read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
  ')
-@@ -601,3 +604,131 @@
+@@ -601,3 +604,132 @@
  
  	allow $1 unconfined_tmp_t:file { getattr write append };
  ')
@@ -11000,7 +11278,7 @@
 +
 +########################################
 +## <summary>
-+##	Do not audit attempts to use unconfined ttys and ptys.
++##	allow attempts to use unconfined ttys and ptys.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11008,17 +11286,17 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`unconfined_dontaudit_use_terminals',`
++interface(`unconfined_use_terminals',`
 +	gen_require(`
 +		attribute unconfined_terminal;
 +	')
 +
-+	dontaudit $1 unconfined_terminal:chr_file rw_term_perms;
++	allow $1 unconfined_terminal:chr_file rw_term_perms;
 +')
 +
 +########################################
 +## <summary>
-+##	allow attempts to use unconfined ttys and ptys.
++##	Do not audit attempts to use unconfined ttys and ptys.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@@ -11026,13 +11304,14 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`unconfined_use_terminals',`
++interface(`unconfined_dontaudit_use_terminals',`
 +	gen_require(`
 +		attribute unconfined_terminal;
 +	')
 +
-+	allow $1 unconfined_terminal:chr_file rw_term_perms;
++	dontaudit $1 unconfined_terminal:chr_file rw_term_perms;
 +')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.5/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
 +++ serefpolicy-3.0.5/policy/modules/system/unconfined.te	2007-08-07 09:39:49.000000000 -0400
@@ -11230,7 +11509,7 @@
 +corecmd_exec_all_executables(unconfined_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-07-03 07:06:32.000000000 -0400
-+++ serefpolicy-3.0.5/policy/modules/system/userdomain.if	2007-08-10 13:44:41.000000000 -0400
++++ serefpolicy-3.0.5/policy/modules/system/userdomain.if	2007-08-14 08:45:22.000000000 -0400
 @@ -62,6 +62,10 @@
  
  	allow $1_t $1_tty_device_t:chr_file { setattr rw_chr_file_perms };


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.496
retrieving revision 1.497
diff -u -r1.496 -r1.497
--- selinux-policy.spec	11 Aug 2007 11:18:09 -0000	1.496
+++ selinux-policy.spec	15 Aug 2007 00:55:49 -0000	1.497
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -360,6 +360,9 @@
 %endif
 
 %changelog
+* Tue Aug 14 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-7
+- allow dovecot to search mountpoints
+
 * Sat Aug 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.5-6
 - Fix Makefile for building policy modules
 



