rpms/selinux-policy/devel modules-targeted.conf, 1.75, 1.76 policy-20071130.patch, 1.12, 1.13

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Dec 18 19:58:56 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14822

Modified Files:
	modules-targeted.conf policy-20071130.patch 
Log Message:
* Tue Dec 18 2007 Dan Walsh <dwalsh at redhat.com> 3.2.4-4
- Allow cron to run unconfined apps



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -r1.75 -r1.76
--- modules-targeted.conf	11 Dec 2007 06:03:18 -0000	1.75
+++ modules-targeted.conf	18 Dec 2007 19:58:20 -0000	1.76
@@ -1565,3 +1565,10 @@
 # 
 bitlbee = module
 
+# Layer: services
+# Module: soundserver
+#
+# sound server for network audio server programs, nasd, yiff, etc</summary>
+# 
+soundserver = module
+
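Review bot: The description line of the new soundserver entry ends with a stray `</summary>` tag (`# sound server for network audio server programs, nasd, yiff, etc</summary>`), which looks like it was pasted from the module's XML summary; no other entry in this file carries markup. Change it to `# sound server for network audio server programs, nasd, yiff, etc`.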

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- policy-20071130.patch	18 Dec 2007 13:59:31 -0000	1.12
+++ policy-20071130.patch	18 Dec 2007 19:58:20 -0000	1.13
@@ -109,6 +109,7 @@
  endef
  
  # create-base-per-role-tmpl modulenames,outputfile
+Binary files nsaserefpolicy/man/ru/man8/samba_selinux.8.gz and serefpolicy-3.2.4/man/ru/man8/samba_selinux.8.gz differ
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.2.4/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors	2007-08-11 06:22:29.000000000 -0400
 +++ serefpolicy-3.2.4/policy/flask/access_vectors	2007-12-13 17:37:33.000000000 -0500
@@ -703,7 +704,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.te serefpolicy-3.2.4/policy/modules/admin/kudzu.te
 --- nsaserefpolicy/policy/modules/admin/kudzu.te	2007-10-12 08:56:09.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te	2007-12-13 17:37:33.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/admin/kudzu.te	2007-12-18 10:07:53.000000000 -0500
 @@ -21,8 +21,8 @@
  # Local policy
  #
@@ -732,19 +733,18 @@
  # kudzu will telinit to make init re-read
  # the inittab after configuring serial consoles
  init_telinit(kudzu_t)
-@@ -140,30 +143,3 @@
- optional_policy(`
-         udev_read_db(kudzu_t)
+@@ -142,28 +145,6 @@
  ')
--
--optional_policy(`
+ 
+ optional_policy(`
 -	# cjp: this was originally in the else block
 -	# of ifdef userhelper.te, but it seems to
 -	# make more sense here.  also, require
 -	# blocks curently do not work in the
 -	# else block of optionals
--	unconfined_domain(kudzu_t)
--')
++	unconfined_domtrans(kudzu_t)
+ 	unconfined_domain(kudzu_t)
+ ')
 -
 -ifdef(`TODO',`
 -allow kudzu_t modules_conf_t:file unlink;
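Review bot: The new `unconfined_domtrans(kudzu_t)` sits directly next to `unconfined_domain(kudzu_t)` with no comment saying why a domain that is already unconfined also needs a transition to unconfined_t on exec, and the original comment explaining the unconfined_domain call is dropped in the same hunk. Add one line above it, for example `# kudzu execs helpers labeled unconfined_exec_t; run them as unconfined_t (TODO: name the helper that needed this)`. The inner hunk header also appears to have been hand-edited from `@@ -140,30 +143,3 @@` to `@@ -142,28 +145,6 @@`; regenerating the patch rather than editing counts by hand avoids a patch that applies with fuzz or fails. The enclosing optional_policy block ends outside the hunk.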
@@ -3405,6 +3405,36 @@
 +optional_policy(`
 +	xserver_xdm_rw_shm(wine_t)
  ')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc
+--- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-12-12 11:35:27.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.fc	2007-12-18 11:39:23.000000000 -0500
+@@ -127,6 +127,8 @@
+ /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0)
+ ')
+ 
++/opt/gutenprint/cups/lib/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++
+ #
+ # /usr
+ #
+@@ -147,7 +149,7 @@
+ /usr/lib(64)?/cups/backend(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/cgi-bin/.*	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/cups/daemon(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+-/usr/lib(64)?/cups/filter(/.*)?		gen_context(system_u:object_r:bin_t,s0)
++/usr/lib(64)?/cups/filter(/.*)? 	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/lib(64)?/cyrus-imapd/.*	--	gen_context(system_u:object_r:bin_t,s0)
+ /usr/lib(64)?/dpkg/.+		--	gen_context(system_u:object_r:bin_t,s0)
+@@ -186,6 +188,8 @@
+ /usr/local/Printer/[^/]*/cupswrapper(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/Printer/[^/]*/lpd(/.*)?     	gen_context(system_u:object_r:bin_t,s0)
+ 
++/usr/bin/scponly		--	gen_context(system_u:object_r:shell_exec_t,s0)
++/usr/sbin/scponlyc		--	gen_context(system_u:object_r:shell_exec_t,s0)
+ /usr/sbin/sesh			--	gen_context(system_u:object_r:shell_exec_t,s0)
+ 
+ /usr/share/apr-0/build/[^/]+\.sh --	gen_context(system_u:object_r:bin_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.2.4/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2007-11-14 08:17:58.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/kernel/corecommands.if	2007-12-13 17:37:34.000000000 -0500
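Review bot: Labeling `/usr/bin/scponly` and `/usr/sbin/scponlyc` as `shell_exec_t` (inner hunk `@@ -186,6 +188,8 @@`) gives a restricted shell exactly the execute and transition rules of a full shell, so every domain allowed to run shells can run it too, and nothing records why a dedicated type was not used. scponlyc is, as far as I recall, the chroot variant and is normally installed setuid root, which makes the choice worth a sentence. Add a comment above the two lines, e.g. `# scponly is a restricted login shell; shell_exec_t so login/sshd can exec it like any other shell`.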
@@ -3418,8 +3448,16 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in
 --- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in	2007-11-29 13:29:34.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in	2007-12-13 17:37:34.000000000 -0500
-@@ -133,6 +133,7 @@
++++ serefpolicy-3.2.4/policy/modules/kernel/corenetwork.te.in	2007-12-18 14:43:53.000000000 -0500
+@@ -122,6 +122,7 @@
+ network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+ network_port(monopd, tcp,1234,s0)
+ network_port(msnp, tcp,1863,s0, udp,1863,s0)
++network_port(munin, tcp,4949,s0, udp,4949,s0)
+ network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
+ portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
+ network_port(nessus, tcp,1241,s0)
+@@ -133,6 +134,7 @@
  network_port(pegasus_http, tcp,5988,s0)
  network_port(pegasus_https, tcp,5989,s0)
  network_port(postfix_policyd, tcp,10031,s0)
@@ -3448,7 +3486,7 @@
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.if serefpolicy-3.2.4/policy/modules/kernel/devices.if
 --- nsaserefpolicy/policy/modules/kernel/devices.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/kernel/devices.if	2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/kernel/devices.if	2007-12-18 10:39:31.000000000 -0500
 @@ -65,7 +65,7 @@
  
  	relabelfrom_dirs_pattern($1,device_t,device_node)
@@ -3484,7 +3522,15 @@
  ##	Delete a directory in the device directory.
  ## </summary>
  ## <param name="domain">
-@@ -667,6 +686,7 @@
+@@ -649,6 +668,7 @@
+ 	')
+ 
+ 	getattr_blk_files_pattern($1,device_t,device_node)
++
+ ')
+ 
+ ########################################
+@@ -667,6 +687,7 @@
  	')
  
  	dontaudit $1 device_node:blk_file getattr;
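Review bot: The new inner hunk `@@ -649,6 +668,7 @@` in devices.if adds nothing but an empty line after `getattr_blk_files_pattern($1,device_t,device_node)`. That whitespace change is what forces the renumbering of every later devices.if hunk in this commit (the `-@@ -667`/`+@@ -667`, `-@@ -704`/`+@@ -704` and `-@@ -2787`/`+@@ -2787` header changes below); dropping the blank line would remove four hunks of noise from the patch.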
@@ -3492,7 +3538,7 @@
  ')
  
  ########################################
-@@ -704,6 +724,7 @@
+@@ -704,6 +725,7 @@
  	')
  
  	dontaudit $1 device_node:chr_file getattr;
@@ -3500,7 +3546,7 @@
  ')
  
  ########################################
-@@ -2787,6 +2808,97 @@
+@@ -2787,6 +2809,97 @@
  
  ########################################
  ## <summary>
@@ -4924,6 +4970,19 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.te serefpolicy-3.2.4/policy/modules/services/bitlbee.te
+--- nsaserefpolicy/policy/modules/services/bitlbee.te	2007-09-17 15:56:47.000000000 -0400
++++ serefpolicy-3.2.4/policy/modules/services/bitlbee.te	2007-12-18 09:56:33.000000000 -0500
+@@ -54,6 +54,9 @@
+ corenet_tcp_connect_msnp_port(bitlbee_t)
+ corenet_tcp_sendrecv_msnp_port(bitlbee_t)
+ 
++dev_read_rand(bitlbee_t)
++dev_read_urand(bitlbee_t)
++
+ files_read_etc_files(bitlbee_t)
+ files_search_pids(bitlbee_t)
+ # grant read-only access to the user help files
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.fc serefpolicy-3.2.4/policy/modules/services/bluetooth.fc
 --- nsaserefpolicy/policy/modules/services/bluetooth.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/bluetooth.fc	2007-12-13 17:37:34.000000000 -0500
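Review bot: `dev_read_rand(bitlbee_t)` and `dev_read_urand(bitlbee_t)` are both added, but most daemons only open /dev/urandom; granting /dev/random as well lets the service block on, and drain, the blocking entropy pool. If the AVC denial that prompted this only named urandom, keep just `dev_read_urand(bitlbee_t)`, and either way record the reason, e.g. `# TLS library seeds from /dev/urandom (TODO: confirm /dev/random is actually opened)`.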
@@ -6118,7 +6177,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.2.4/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/dovecot.te	2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/dovecot.te	2007-12-18 11:01:04.000000000 -0500
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -6218,7 +6277,7 @@
 +')
 +
 +optional_policy(`
-+	postfix_manage_pivate_sockets(dovecot_auth_t)
++	postfix_manage_private_sockets(dovecot_auth_t)
 +	postfix_search_spool(dovecot_auth_t)
  ')
 +
@@ -6465,6 +6524,14 @@
 +	exim_manage_var_lib(exim_lib_update_t)
 +')
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.4/policy/modules/services/fail2ban.fc
+--- nsaserefpolicy/policy/modules/services/fail2ban.fc	2007-10-12 08:56:07.000000000 -0400
++++ serefpolicy-3.2.4/policy/modules/services/fail2ban.fc	2007-12-18 11:18:22.000000000 -0500
+@@ -1,3 +1,4 @@
+ /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
++/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+ /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+ /var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.2.4/policy/modules/services/ftp.if
 --- nsaserefpolicy/policy/modules/services/ftp.if	2007-10-12 08:56:07.000000000 -0400
 +++ serefpolicy-3.2.4/policy/modules/services/ftp.if	2007-12-13 17:37:34.000000000 -0500
@@ -6931,6 +6998,17 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.2.4/policy/modules/services/mailman.if
+--- nsaserefpolicy/policy/modules/services/mailman.if	2007-12-04 11:02:50.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/mailman.if	2007-12-18 11:04:17.000000000 -0500
+@@ -211,6 +211,7 @@
+ 		type mailman_data_t;
+ 	')
+ 
++	manage_dirs_pattern($1,mailman_data_t,mailman_data_t)
+ 	manage_files_pattern($1,mailman_data_t,mailman_data_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.2.4/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2007-12-04 11:02:50.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/mailman.te	2007-12-13 17:37:34.000000000 -0500
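Review bot: `manage_dirs_pattern($1,mailman_data_t,mailman_data_t)` widens an interface whose name and `<summary>` are outside the hunk; if that summary still says the caller may manage mailman data files, it should now also say directories, since callers gain create/delete on the directory tree. This commit also grants the interface to postfix_map_t (postfix.te hunk further down), so the broadened contract reaches a new caller in the same change. Update the summary text to mention directories along with files.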
@@ -7274,6 +7352,47 @@
  	smartmon_read_tmp_files(system_mail_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.4/policy/modules/services/munin.fc
+--- nsaserefpolicy/policy/modules/services/munin.fc	2007-04-30 10:41:38.000000000 -0400
++++ serefpolicy-3.2.4/policy/modules/services/munin.fc	2007-12-18 14:51:15.000000000 -0500
+@@ -8,4 +8,5 @@
+ /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
+ /var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
+ /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
+-/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
++/var/www/html/munin(/.*)?		gen_context(system_u:object_r:http_munin_content_t,s0)
++/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:http_munin_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.4/policy/modules/services/munin.te
+--- nsaserefpolicy/policy/modules/services/munin.te	2007-11-15 13:40:14.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/munin.te	2007-12-18 14:50:13.000000000 -0500
+@@ -37,6 +37,9 @@
+ allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow munin_t self:tcp_socket create_stream_socket_perms;
+ allow munin_t self:udp_socket create_socket_perms;
++allow munin_t self:fifo_file create_fifo_file_perms;
++
++can_exec(munin_t, munin_exec_t)
+ 
+ allow munin_t munin_etc_t:dir list_dir_perms;
+ read_files_pattern(munin_t,munin_etc_t,munin_etc_t)
+@@ -73,6 +76,7 @@
+ corenet_udp_sendrecv_all_nodes(munin_t)
+ corenet_tcp_sendrecv_all_ports(munin_t)
+ corenet_udp_sendrecv_all_ports(munin_t)
++corenet_tcp_connect_munin_port(munin_t)
+ 
+ dev_read_sysfs(munin_t)
+ dev_read_urand(munin_t)
+@@ -118,3 +122,9 @@
+ optional_policy(`
+ 	udev_read_db(munin_t)
+ ')
++
++#============= http munin policy ==============
++apache_content_template(munin)
++
++manage_dirs_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
++manage_files_pattern(munin_t, httpd_munin_content_t, httpd_munin_content_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mysql.fc serefpolicy-3.2.4/policy/modules/services/mysql.fc
 --- nsaserefpolicy/policy/modules/services/mysql.fc	2006-11-16 17:15:20.000000000 -0500
 +++ serefpolicy-3.2.4/policy/modules/services/mysql.fc	2007-12-13 17:37:34.000000000 -0500
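Review bot: The type names in munin.fc do not match the types munin.te creates: the fc lines use `http_munin_content_t` and `http_munin_script_exec_t`, while `apache_content_template(munin)` and the two manage_*_pattern rules in munin.te use `httpd_munin_content_t`. With no `http_munin_*` types declared, loading the file contexts (or a relabel) will reject those entries. Change the two fc lines to `/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)` and `/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)`. Separately, the `apache_content_template(munin)` call is unconditional while the `udev_read_db(munin_t)` call just above it is wrapped in optional_policy; unless apache is guaranteed to be loaded, it probably wants the same wrapping.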
@@ -8222,7 +8341,16 @@
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.2.4/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/postfix.if	2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/postfix.if	2007-12-18 11:00:59.000000000 -0500
+@@ -416,7 +416,7 @@
+ ##	</summary>
+ ## </param>
+ #
+-interface(`postfix_create_pivate_sockets',`
++interface(`postfix_create_private_sockets',`
+ 	gen_require(`
+ 		type postfix_private_t;
+ 	')
 @@ -427,6 +427,26 @@
  
  ########################################
@@ -8235,7 +8363,7 @@
 +##	</summary>
 +## </param>
 +#
-+interface(`postfix_manage_pivate_sockets',`
++interface(`postfix_manage_private_sockets',`
 +	gen_require(`
 +		type postfix_private_t;
 +	')
@@ -8252,7 +8380,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.2.4/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/postfix.te	2007-12-13 17:37:34.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/services/postfix.te	2007-12-18 10:58:24.000000000 -0500
 @@ -6,6 +6,14 @@
  # Declarations
  #
@@ -8303,7 +8431,18 @@
  
  optional_policy(`
  	cyrus_stream_connect(postfix_master_t)
-@@ -273,6 +288,8 @@
+@@ -248,6 +263,10 @@
+ 
+ corecmd_exec_bin(postfix_cleanup_t)
+ 
++optional_policy(`
++	mailman_read_data_files(postfix_cleanup_t)
++')
++
+ ########################################
+ #
+ # Postfix local local policy
+@@ -273,6 +292,8 @@
  
  files_read_etc_files(postfix_local_t)
  
@@ -8312,7 +8451,7 @@
  mta_read_aliases(postfix_local_t)
  mta_delete_spool(postfix_local_t)
  # For reading spamassasin
-@@ -285,6 +302,7 @@
+@@ -285,6 +306,7 @@
  optional_policy(`
  #	for postalias
  	mailman_manage_data_files(postfix_local_t)
@@ -8320,7 +8459,17 @@
  ')
  
  optional_policy(`
-@@ -346,8 +364,6 @@
+@@ -295,8 +317,7 @@
+ #
+ # Postfix map local policy
+ #
+-
+-allow postfix_map_t self:capability setgid;
++allow postfix_map_t self:capability { dac_override setgid setuid };
+ allow postfix_map_t self:unix_stream_socket create_stream_socket_perms;
+ allow postfix_map_t self:unix_dgram_socket create_socket_perms;
+ allow postfix_map_t self:tcp_socket create_stream_socket_perms;
+@@ -346,8 +367,6 @@
  
  miscfiles_read_localization(postfix_map_t)
  
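Review bot: `allow postfix_map_t self:capability { dac_override setgid setuid };` adds dac_override, which lets the map/alias helper bypass DAC permission bits on every file its SELinux rules already reach, and no comment says which access needed it. Combined with the `mailman_manage_data_files(postfix_map_t)` grant added a few hunks below, that is a broad capability for a helper that builds lookup tables; if the denial was a directory search or read on a root-owned file, `dac_read_search` is the narrower grant. Record the reason above the rule, e.g. `# postmap/postalias run setuid for root-owned map files; dac_override needed for <path> (TODO: record the denied access)`.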
@@ -8329,7 +8478,19 @@
  tunable_policy(`read_default_t',`
  	files_list_default(postfix_map_t)
  	files_read_default_files(postfix_map_t)
-@@ -392,6 +408,10 @@
+@@ -360,6 +379,11 @@
+ 	locallogin_dontaudit_use_fds(postfix_map_t)
+ ')
+ 
++optional_policy(`
++#	for postalias
++	mailman_manage_data_files(postfix_map_t)
++')
++
+ ########################################
+ #
+ # Postfix pickup local policy
+@@ -392,6 +416,10 @@
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
  optional_policy(`
@@ -8340,7 +8501,7 @@
  	procmail_domtrans(postfix_pipe_t)
  ')
  
-@@ -400,6 +420,10 @@
+@@ -400,6 +428,10 @@
  ')
  
  optional_policy(`
@@ -8351,7 +8512,7 @@
  	uucp_domtrans_uux(postfix_pipe_t)
  ')
  
-@@ -532,9 +556,6 @@
+@@ -532,9 +564,6 @@
  # connect to master process
  stream_connect_pattern(postfix_smtpd_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
@@ -8361,7 +8522,7 @@
  # for prng_exch
  allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
  allow postfix_smtpd_t postfix_prng_t:file rw_file_perms;
-@@ -557,6 +578,10 @@
+@@ -557,6 +586,10 @@
  	sasl_connect(postfix_smtpd_t)
  ')
  
@@ -13821,7 +13982,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.2.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/system/unconfined.te	2007-12-17 17:05:56.000000000 -0500
++++ serefpolicy-3.2.4/policy/modules/system/unconfined.te	2007-12-18 13:42:58.000000000 -0500
 @@ -9,32 +9,48 @@
  # usage in this module of types created by these
  # calls is not correct, however we dont currently



