rpms/selinux-policy/devel policy-20070525.patch,1.6,1.7

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Jun 27 18:12:09 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv2655

Modified Files:
	policy-20070525.patch 
Log Message:
* Wed Jun 26 2007 Dan Walsh <dwalsh at redhat.com> 3.0.1-2
- Allow avahi to access inotify
- Remove a lot of bogus security_t:filesystem avcs


policy-20070525.patch:

Index: policy-20070525.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070525.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- policy-20070525.patch	27 Jun 2007 18:11:43 -0000	1.6
+++ policy-20070525.patch	27 Jun 2007 18:12:03 -0000	1.7
@@ -6602,7 +6602,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.1/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-06-19 16:23:35.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/samba.te	2007-06-19 17:06:27.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/services/samba.te	2007-06-27 11:39:37.000000000 -0400
 @@ -189,6 +189,8 @@
  
  miscfiles_read_localization(samba_net_t) 
@@ -6678,6 +6678,14 @@
  
  domain_use_interactive_fds(winbind_t)
  
+@@ -767,6 +782,7 @@
+ #
+ # Winbind helper local policy
+ #
++corecmd_exec_bin(winbind_t)
+ 
+ allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
+ allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.0.1/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2007-05-29 14:10:57.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/services/sasl.te	2007-06-19 17:06:27.000000000 -0400
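Review bot: `corecmd_exec_bin(winbind_t)` is added directly under the `# Winbind helper local policy` header, but it grants to winbind_t, not winbind_helper_t, so it is filed in the wrong section of samba.te and will be missed by anyone auditing the winbind_t block. Move the line up into the winbind_t local-policy section (which lies outside this hunk) and keep the helper section limited to winbind_helper_t rules. The commit log above mentions avahi/inotify and security_t avcs but not this new exec grant for winbind, so a one-line entry in the log would help trace it.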
@@ -7442,7 +7450,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.1/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/authlogin.if	2007-06-21 10:33:53.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/authlogin.if	2007-06-27 10:19:29.000000000 -0400
 @@ -27,7 +27,8 @@
  	domain_type($1_chkpwd_t)
  	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@@ -8318,7 +8326,15 @@
  # Sulogin local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.1/policy/modules/system/logging.fc
 --- nsaserefpolicy/policy/modules/system/logging.fc	2007-05-29 14:10:58.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/logging.fc	2007-06-20 07:06:30.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/logging.fc	2007-06-27 10:17:24.000000000 -0400
+@@ -1,6 +1,6 @@
+-
+ /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+ 
++/etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
+ /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+ 
+ /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 @@ -43,3 +43,5 @@
  /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
  
@@ -8327,7 +8343,7 @@
 +/var/log/syslog-ng(/.*)?	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.1/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/logging.if	2007-06-19 17:06:27.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/logging.if	2007-06-27 10:20:58.000000000 -0400
 @@ -33,8 +33,13 @@
  ## </param>
  #
@@ -8343,10 +8359,48 @@
  ')
  
  ########################################
-@@ -238,6 +243,25 @@
+@@ -238,6 +243,63 @@
  
  ########################################
  ## <summary>
++##	Manage the syslogd configuration files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_manage_syslog_config',`
++	gen_require(`
++		type syslogd_etc_t;
++	')
++
++	files_search_etc($1)
++	manage_files_pattern($1,syslog_conf_t,syslog_conf_t)
++')
++
++#######################################
++## <summary>
++##	Automatic transition from etc to syslog_conf_t.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_etc_filetrans_syslog_conf',`
++	gen_require(`
++		type syslog_conf_t;
++	')
++
++	files_etc_filetrans($1,syslog_conf_t,file)
++')
++
++########################################
++## <summary>
 +##	Execute klogd in the klog domain.
 +## </summary>
 +## <param name="domain">
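Review bot: `logging_manage_syslog_config` requires `type syslogd_etc_t;` in its gen_require block but the body grants on `syslog_conf_t`, the type logging.te declares in this same commit; the require block should read `type syslog_conf_t;`. As written, the interface either fails to build because syslogd_etc_t is not declared anywhere visible here, or, if such a type exists elsewhere, it builds while leaving syslog_conf_t unrequired, which is the kind of mismatch that surfaces only when logadm.te (which calls this interface) is linked. The sibling `logging_etc_filetrans_syslog_conf` interface below it requires the correct type and can be used as the model.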
@@ -8369,7 +8423,7 @@
  ##	Create an object in the log directory, with a private
  ##	type using a type transition.
  ## </summary>
-@@ -317,6 +341,25 @@
+@@ -317,6 +379,25 @@
  
  ########################################
  ## <summary>
@@ -8395,7 +8449,7 @@
  ##	Allows the domain to open a file in the
  ##	log directory, but does not allow the listing
  ##	of the contents of the log directory.
-@@ -451,7 +494,7 @@
+@@ -451,7 +532,7 @@
  
  	files_search_var($1)
  	allow $1 var_log_t:dir list_dir_perms;
@@ -8404,7 +8458,7 @@
  ')
  
  ########################################
-@@ -495,6 +538,8 @@
+@@ -495,6 +576,8 @@
  	files_search_var($1)
  	manage_files_pattern($1,logfile,logfile)
  	read_lnk_files_pattern($1,logfile,logfile)
@@ -8413,7 +8467,7 @@
  ')
  
  ########################################
-@@ -578,3 +623,101 @@
+@@ -578,3 +661,101 @@
  	files_search_var($1)
  	manage_files_pattern($1,var_log_t,var_log_t)
  ')
@@ -8517,7 +8571,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.1/policy/modules/system/logging.te
 --- nsaserefpolicy/policy/modules/system/logging.te	2007-06-15 14:54:33.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/logging.te	2007-06-20 07:06:09.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/system/logging.te	2007-06-27 10:16:37.000000000 -0400
 @@ -7,10 +7,15 @@
  #
  
@@ -8534,7 +8588,13 @@
  role system_r types auditctl_t;
  
  type auditd_etc_t;
-@@ -48,6 +53,9 @@
+@@ -45,9 +50,15 @@
+ type syslogd_exec_t;
+ init_daemon_domain(syslogd_t,syslogd_exec_t)
+ 
++type syslog_conf_t;
++files_type(syslog_conf_t)
++
  type syslogd_tmp_t;
  files_tmp_file(syslogd_tmp_t)
  
@@ -8544,7 +8604,7 @@
  type syslogd_var_run_t;
  files_pid_file(syslogd_var_run_t)
  
-@@ -59,14 +67,17 @@
+@@ -59,14 +70,17 @@
  	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
  ')
  
@@ -8565,7 +8625,7 @@
  read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
  allow auditctl_t auditd_etc_t:dir list_dir_perms;
  
-@@ -91,6 +102,7 @@
+@@ -91,6 +105,7 @@
  
  locallogin_dontaudit_use_fds(auditctl_t)
  
@@ -8573,7 +8633,7 @@
  logging_send_syslog_msg(auditctl_t)
  
  ########################################
-@@ -98,12 +110,11 @@
+@@ -98,12 +113,11 @@
  # Auditd local policy
  #
  
@@ -8587,7 +8647,7 @@
  allow auditd_t self:fifo_file rw_file_perms;
  
  allow auditd_t auditd_etc_t:dir list_dir_perms;
-@@ -141,6 +152,7 @@
+@@ -141,6 +155,7 @@
  
  init_telinit(auditd_t)
  
@@ -8595,7 +8655,7 @@
  logging_send_syslog_msg(auditd_t)
  
  libs_use_ld_so(auditd_t)
-@@ -157,6 +169,8 @@
+@@ -157,6 +172,8 @@
  
  userdom_dontaudit_use_unpriv_user_fds(auditd_t)
  userdom_dontaudit_search_sysadm_home_dirs(auditd_t)
@@ -8604,7 +8664,15 @@
  
  optional_policy(`
  	seutil_sigchld_newrole(auditd_t)
-@@ -249,6 +263,10 @@
+@@ -243,12 +260,18 @@
+ allow syslogd_t self:udp_socket create_socket_perms;
+ allow syslogd_t self:tcp_socket create_stream_socket_perms;
+ 
++allow syslogd_t syslog_conf_t:file read;
++
+ # Create and bind to /dev/log or /var/run/log.
+ allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
  
  # create/append log files.
  manage_files_pattern(syslogd_t,var_log_t,var_log_t)
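Review bot: `allow syslogd_t syslog_conf_t:file read;` grants only the read permission, so a stat() or lock on /etc/syslog.conf by syslogd will still be denied once the file carries the new label, which is a regression from the etc_t access it had before. Use the pattern the rest of the file already uses for config files, `read_files_pattern(syslogd_t,syslog_conf_t,syslog_conf_t)`, which covers getattr/lock/ioctl alongside read; directory search on /etc appears to be covered by the existing `files_read_etc_files(syslogd_t)` further down. The syslogd local-policy block continues outside this hunk.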
@@ -8615,7 +8683,7 @@
  # Allow access for syslog-ng
  allow syslogd_t var_log_t:dir { create setattr };
  
-@@ -257,6 +275,9 @@
+@@ -257,6 +280,9 @@
  manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
  files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
  
@@ -8625,7 +8693,7 @@
  allow syslogd_t syslogd_var_run_t:file manage_file_perms;
  files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
  
-@@ -313,6 +334,7 @@
+@@ -313,6 +339,7 @@
  domain_use_interactive_fds(syslogd_t)
  
  files_read_etc_files(syslogd_t)
@@ -10902,9 +10970,9 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.fc serefpolicy-3.0.1/policy/modules/users/logadm.fc
 --- nsaserefpolicy/policy/modules/users/logadm.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.1/policy/modules/users/logadm.fc	2007-06-19 17:06:27.000000000 -0400
++++ serefpolicy-3.0.1/policy/modules/users/logadm.fc	2007-06-27 10:17:08.000000000 -0400
 @@ -0,0 +1 @@
-+/etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
++# No logadm file contexts.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.if serefpolicy-3.0.1/policy/modules/users/logadm.if
 --- nsaserefpolicy/policy/modules/users/logadm.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.1/policy/modules/users/logadm.if	2007-06-19 17:06:27.000000000 -0400
@@ -10912,8 +10980,8 @@
 +## <summary>Policy for logadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/logadm.te serefpolicy-3.0.1/policy/modules/users/logadm.te
 --- nsaserefpolicy/policy/modules/users/logadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.1/policy/modules/users/logadm.te	2007-06-19 17:06:27.000000000 -0400
-@@ -0,0 +1,35 @@
++++ serefpolicy-3.0.1/policy/modules/users/logadm.te	2007-06-27 10:21:24.000000000 -0400
+@@ -0,0 +1,37 @@
 +policy_module(logadm,1.0.0)
 +
 +########################################
@@ -10925,13 +10993,15 @@
 +files_type(syslog_conf_t)
 +
 +userdom_base_user_template(logadm)
-+allow logadm_t syslog_conf_t:file manage_file_perms;
-+files_etc_filetrans(logadm_t, syslog_conf_t, file)
 +
 +allow logadm_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
 +
++logging_etc_filetrans_syslog_conf(logadm_t)
++logging_manage_syslog_config(logadm_t)
 +logging_manage_all_logs(logadm_t)
++
 +seutil_run_runinit(logadm_t, logadm_r, { logadm_tty_device_t logadm_devpts_t })
++
 +domain_kill_all_domains(logadm_t)
 +seutil_read_bin_policy(logadm_t)
 +corecmd_exec_shell(logadm_t)



