rpms/selinux-policy/F-8 policy-20070703.patch, 1.150, 1.151 selinux-policy.spec, 1.590, 1.591

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Thu Dec 6 21:38:37 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21535

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Thu Dec 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-66
- Allow depmod to read tmp files from rpm
- Dontaudit pam_timestamp_check access to ~.xsessions
- Allow postfix_local to transition to dovecot_deliver
- Allow postgrey to read postfix_spool


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.150
retrieving revision 1.151
diff -u -r1.150 -r1.151
--- policy-20070703.patch	5 Dec 2007 03:19:26 -0000	1.150
+++ policy-20070703.patch	6 Dec 2007 21:38:33 -0000	1.151
@@ -1884,7 +1884,7 @@
  /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.0.8/policy/modules/admin/rpm.if
 --- nsaserefpolicy/policy/modules/admin/rpm.if	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/admin/rpm.if	2007-12-06 10:00:22.000000000 -0500
 @@ -152,6 +152,24 @@
  
  ########################################
@@ -1935,11 +1935,10 @@
  ##	Create, read, write, and delete RPM
  ##	script temporary files.
  ## </summary>
-@@ -224,8 +260,29 @@
- 		type rpm_script_tmp_t;
+@@ -225,7 +261,30 @@
  	')
  
--	files_search_tmp($1)
+ 	files_search_tmp($1)
 +	manage_dirs_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
  	manage_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
 +	manage_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
@@ -1961,12 +1960,13 @@
 +		type rpm_script_tmp_t;
 +	')
 +
++	files_search_tmp($1)
 +	read_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
 +	read_lnk_files_pattern($1,rpm_script_tmp_t,rpm_script_tmp_t)
  ')
  
  ########################################
-@@ -289,3 +346,111 @@
+@@ -289,3 +348,112 @@
  	dontaudit $1 rpm_var_lib_t:file manage_file_perms;
  	dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
  ')
@@ -2011,6 +2011,7 @@
 +		type rpm_tmp_t;
 +	')
 +
++	files_search_tmp($1)
 +	allow $1 rpm_tmp_t:file rw_file_perms;
 +')
 +
@@ -7569,7 +7570,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.8/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/cups.te	2007-12-06 15:29:05.000000000 -0500
 @@ -48,9 +48,8 @@
  type hplip_t;
  type hplip_exec_t;
@@ -7582,9 +7583,12 @@
  
  type hplip_var_run_t;
  files_pid_file(hplip_var_run_t)
-@@ -81,12 +80,12 @@
+@@ -79,14 +78,14 @@
+ #
+ 
  # /usr/lib/cups/backend/serial needs sys_admin(?!)
- allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
+-allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
++allow cupsd_t self:capability { dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_admin sys_rawio sys_resource sys_tty_config };
  dontaudit cupsd_t self:capability { sys_tty_config net_admin };
 -allow cupsd_t self:process { setsched signal_perms };
 +allow cupsd_t self:process { setpgid setsched signal_perms };
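Review bot: The new capability line for cupsd_t adds `sys_rawio` to the self:capability set, and neither the hunk nor the commit log ("Allow depmod…", "Dontaudit pam_timestamp_check…") says which CUPS backend needs raw I/O; the existing comment above it only justifies `sys_admin`. A capability this broad deserves its own why-comment, e.g. `# sys_rawio: TODO name the backend that requires it`, so a later audit can tell whether it is still needed. The same line also lists `dac_override` twice, which is harmless to the compiler but suggests the set was assembled by hand and would read better with the duplicate dropped. The hplip/cupsd type declarations this rule belongs to start above the hunk.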
@@ -8250,7 +8254,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-3.0.8/policy/modules/services/dovecot.if
 --- nsaserefpolicy/policy/modules/services/dovecot.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.if	2007-12-06 11:01:54.000000000 -0500
 @@ -18,3 +18,43 @@
  	manage_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
  	manage_lnk_files_pattern($1,dovecot_spool_t,dovecot_spool_t)
@@ -8297,7 +8301,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te	2007-12-06 11:00:50.000000000 -0500
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -9620,7 +9624,7 @@
 +files_type(mailscanner_spool_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.0.8/policy/modules/services/mta.if
 --- nsaserefpolicy/policy/modules/services/mta.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/mta.if	2007-12-06 11:03:00.000000000 -0500
 @@ -87,6 +87,8 @@
  	# It wants to check for nscd
  	files_dontaudit_search_pids($1_mail_t)
@@ -9720,7 +9724,7 @@
  ##	Modified mailserver interface for
  ##	sendmail daemon use.
  ## </summary>
-@@ -392,6 +434,7 @@
+@@ -392,11 +434,13 @@
  	allow $1 mail_spool_t:dir list_dir_perms;
  	create_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -9728,7 +9732,13 @@
  	create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  	read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
  
-@@ -447,20 +490,18 @@
+ 	optional_policy(`
+ 		dovecot_manage_spool($1)
++		dovecot_domtrans_deliver($1)
+ 	')
+ 
+ 	optional_policy(`
+@@ -447,20 +491,18 @@
  interface(`mta_send_mail',`
  	gen_require(`
  		attribute mta_user_agent;
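Review bot: `dovecot_domtrans_deliver($1)` is added inside a generic mta.if interface whose header lies above the hunk, so every domain that calls that interface gains the transition to dovecot_deliver, not only postfix_local as the commit log states. If the transition is meant for postfix_local alone it would be narrower to call it from the postfix policy; if it is intended for all callers, the interface's `## <summary>` block should say that callers may transition to dovecot_deliver so the widened reach is documented. The interface's closing `')` and summary are outside this hunk, so I cannot confirm which callers exist.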
@@ -9755,7 +9765,7 @@
  ')
  
  ########################################
-@@ -595,6 +636,25 @@
+@@ -595,6 +637,25 @@
  	files_search_etc($1)
  	allow $1 etc_aliases_t:file { rw_file_perms setattr };
  ')
@@ -10817,7 +10827,7 @@
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.0.8/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/postfix.if	2007-12-06 11:05:10.000000000 -0500
 @@ -41,6 +41,8 @@
  	allow postfix_$1_t self:unix_stream_socket connectto;
  
@@ -11372,6 +11382,33 @@
  	seutil_sigchld_newrole(postgresql_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.0.8/policy/modules/services/postgrey.te
+--- nsaserefpolicy/policy/modules/services/postgrey.te	2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgrey.te	2007-12-06 11:06:50.000000000 -0500
+@@ -68,6 +68,8 @@
+ fs_getattr_all_fs(postgrey_t)
+ fs_search_auto_mountpoints(postgrey_t)
+ 
++auth_use_nsswitch(postgrey_t)
++
+ libs_use_ld_so(postgrey_t)
+ libs_use_shared_libs(postgrey_t)
+ 
+@@ -75,13 +77,11 @@
+ 
+ miscfiles_read_localization(postgrey_t)
+ 
+-sysnet_read_config(postgrey_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(postgrey_t)
+ userdom_dontaudit_search_sysadm_home_dirs(postgrey_t)
+ 
+ optional_policy(`
+-	nis_use_ypbind(postgrey_t)
++	postfix_read_spool_files(postgrey_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-3.0.8/policy/modules/services/ppp.fc
 --- nsaserefpolicy/policy/modules/services/ppp.fc	2007-10-22 13:21:36.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/ppp.fc	2007-12-02 21:15:34.000000000 -0500
@@ -13170,7 +13207,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
 --- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if	2007-12-05 08:51:28.000000000 -0500
 @@ -286,6 +286,12 @@
  		userdom_manage_user_home_content_symlinks($1,spamd_t)
  	')
@@ -15144,7 +15181,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.0.8/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-12-03 18:47:24.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.te	2007-12-06 10:38:14.000000000 -0500
 @@ -9,6 +9,13 @@
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
@@ -15195,11 +15232,13 @@
  term_use_all_user_ttys(pam_t)
  term_use_all_user_ptys(pam_t)
  
-@@ -111,19 +129,12 @@
+@@ -111,19 +129,14 @@
  logging_send_syslog_msg(pam_t)
  
  userdom_use_unpriv_users_fds(pam_t)
 +userdom_write_unpriv_users_tmp_files(pam_t)
++userdom_dontaudit_read_unpriv_users_home_content_files(pam_t)
++userdom_unlink_unpriv_users_tmp_files(pam_t)
  
  optional_policy(`
  	locallogin_use_fds(pam_t)
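Review bot: The commit log describes only a dontaudit for pam_timestamp_check, but the second added line, `userdom_unlink_unpriv_users_tmp_files(pam_t)`, is by its name an allow rule that lets pam_t remove files in users' tmp directories, which is new privilege rather than audit suppression. That grant should be either mentioned in the changelog entry or justified in place with a comment such as `# TODO: document which pam helper needs to unlink user tmp files`, so the widened access is not read as part of the dontaudit change. The pam_t block these lines belong to continues outside the hunk.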
@@ -15216,7 +15255,7 @@
  ########################################
  #
  # PAM console local policy
-@@ -149,6 +160,8 @@
+@@ -149,6 +162,8 @@
  dev_setattr_apm_bios_dev(pam_console_t)
  dev_getattr_dri_dev(pam_console_t)
  dev_setattr_dri_dev(pam_console_t)
@@ -15225,7 +15264,7 @@
  dev_getattr_framebuffer_dev(pam_console_t)
  dev_setattr_framebuffer_dev(pam_console_t)
  dev_getattr_generic_usb_dev(pam_console_t)
-@@ -159,6 +172,8 @@
+@@ -159,6 +174,8 @@
  dev_setattr_mouse_dev(pam_console_t)
  dev_getattr_power_mgmt_dev(pam_console_t)
  dev_setattr_power_mgmt_dev(pam_console_t)
@@ -15234,7 +15273,7 @@
  dev_getattr_scanner_dev(pam_console_t)
  dev_setattr_scanner_dev(pam_console_t)
  dev_getattr_sound_dev(pam_console_t)
-@@ -200,6 +215,7 @@
+@@ -200,6 +217,7 @@
  
  fs_list_auto_mountpoints(pam_console_t)
  fs_list_noxattr_fs(pam_console_t)
@@ -15242,7 +15281,7 @@
  
  init_use_fds(pam_console_t)
  init_use_script_ptys(pam_console_t)
-@@ -236,7 +252,7 @@
+@@ -236,7 +254,7 @@
  
  optional_policy(`
  	xserver_read_xdm_pid(pam_console_t)
@@ -15251,7 +15290,7 @@
  ')
  
  ########################################
-@@ -256,6 +272,7 @@
+@@ -256,6 +274,7 @@
  userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
  userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
  userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
@@ -15259,7 +15298,7 @@
  
  ########################################
  #
-@@ -302,3 +319,28 @@
+@@ -302,3 +321,28 @@
  	xserver_use_xdm_fds(utempter_t)
  	xserver_rw_xdm_pipes(utempter_t)
  ')
@@ -15952,9 +15991,17 @@
  optional_policy(`
  	vmware_read_system_config(initrc_t)
  	vmware_append_system_config(initrc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.fc serefpolicy-3.0.8/policy/modules/system/ipsec.fc
+--- nsaserefpolicy/policy/modules/system/ipsec.fc	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/ipsec.fc	2007-12-05 08:56:38.000000000 -0500
+@@ -32,3 +32,4 @@
+ /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
+ 
+ /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
++/var/run/racoon.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.0.8/policy/modules/system/ipsec.te
 --- nsaserefpolicy/policy/modules/system/ipsec.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/ipsec.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/ipsec.te	2007-12-06 09:02:10.000000000 -0500
 @@ -55,11 +55,11 @@
  
  allow ipsec_t self:capability { net_admin dac_override dac_read_search };
@@ -16056,10 +16103,10 @@
  
  corenet_all_recvfrom_unlabeled(racoon_t)
  corenet_tcp_bind_all_nodes(racoon_t)
- corenet_udp_bind_isakmp_port(racoon_t)
 +corenet_udp_bind_all_nodes(racoon_t)
+ corenet_udp_bind_isakmp_port(racoon_t)
++corenet_udp_bind_ipsecnat_port(racoon_t)
 +corenet_udp_sendrecv_all_if(racoon_t)
-+corenet_udp_bind_ipsecnat_port(ipsec_t)
  
  dev_read_urand(racoon_t)
  
@@ -17017,7 +17064,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2007-12-02 21:15:34.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/modutils.te	2007-12-06 10:03:43.000000000 -0500
 @@ -42,7 +42,7 @@
  # insmod local policy
  #
@@ -17112,7 +17159,7 @@
  
  fs_getattr_xattr_fs(depmod_t)
  
-@@ -205,9 +226,12 @@
+@@ -205,13 +226,19 @@
  userdom_read_staff_home_content_files(depmod_t)
  userdom_read_sysadm_home_content_files(depmod_t)
  
@@ -17122,9 +17169,16 @@
  	# Read System.map from home directories.
  	unconfined_read_home_content_files(depmod_t)
 +	unconfined_dontaudit_use_terminals(depmod_t)
++	unconfined_domain(depmod_t)
  ')
  
  optional_policy(`
+ 	rpm_rw_pipes(depmod_t)
++	rpm_read_script_tmp_files(depmod_t)
++
+ ')
+ 
+ #################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-3.0.8/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2007-10-22 13:21:40.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/mount.fc	2007-12-02 21:15:34.000000000 -0500
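Review bot: `unconfined_domain(depmod_t)`, added inside the unconfined optional_policy block, goes far beyond the commit log's "Allow depmod to read tmp files from rpm": if the interface does what its name implies, it gives depmod the unconfined attribute and effectively removes the confinement the rest of this block is tuning. If the intent was only the rpm tmp-file access, the `rpm_read_script_tmp_files(depmod_t)` line already covers it and the unconfined_domain call should be dropped; otherwise it needs a why-comment and a changelog entry of its own. The added blank line before the `')` that closes the rpm optional_policy block also looks unintended. The depmod section these rules belong to starts above the hunk.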
@@ -18754,7 +18808,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-12-04 22:17:40.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-12-05 08:41:28.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.590
retrieving revision 1.591
diff -u -r1.590 -r1.591
--- selinux-policy.spec	5 Dec 2007 03:19:26 -0000	1.590
+++ selinux-policy.spec	6 Dec 2007 21:38:33 -0000	1.591
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 65%{?dist}
+Release: 66%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,13 @@
 %endif
 
 %changelog
+* Thu Dec 6 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-66
+- Allow depmod to read tmp files from rpm
+- Dontaudit pam_timestamp_check access to ~.xsessions
+- Allow postfix_local to transition to dovecot_deliver
+- Allow postgrey to read postfix_spool
+
+
 * Tue Dec 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-65
 - Allow httpd_sys_script_t to search users homedirs
 
@@ -392,7 +399,6 @@
 - Fix unconfined_u defintion
 - Set vmware to unconfiend domain, since policy is very good yet.
 
-
 * Mon Nov 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-62
 - Allow xend to create xend_var_log_t directories
 - dontaudit setfiles relabel of /proc /sys caused by named-chroot



