[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/selinux-policy/F-7 policy-20070501.patch, 1.13, 1.14 selinux-policy.spec, 1.459, 1.460



Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv16491

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Tue May 22 2007 Dan Walsh <dwalsh redhat com> 2.6.4-10
- Fixes for avahi, procmail, postfix


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- policy-20070501.patch	23 May 2007 18:35:24 -0000	1.13
+++ policy-20070501.patch	29 May 2007 17:18:01 -0000	1.14
@@ -1196,7 +1196,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc
 --- nsaserefpolicy/policy/modules/kernel/corecommands.fc	2007-05-07 14:51:04.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corecommands.fc	2007-05-29 11:35:27.000000000 -0400
 @@ -36,6 +36,11 @@
  /etc/cipe/ip-up.*		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/cipe/ip-down.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -1209,7 +1209,15 @@
  /etc/hotplug/.*agent		--	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/.*rc		-- 	gen_context(system_u:object_r:bin_t,s0)
  /etc/hotplug/hotplug\.functions --	gen_context(system_u:object_r:bin_t,s0)
-@@ -256,3 +261,5 @@
+@@ -248,6 +253,7 @@
+ /var/ftp/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+ 
+ /usr/lib/yp/.+			--	gen_context(system_u:object_r:bin_t,s0)
++/usr/lib64/yp/.+		--	gen_context(system_u:object_r:bin_t,s0)
+ 
+ /var/qmail/bin                  -d      gen_context(system_u:object_r:bin_t,s0)
+ /var/qmail/bin(/.*)?                    gen_context(system_u:object_r:bin_t,s0)
+@@ -256,3 +262,5 @@
  ifdef(`distro_suse',`
  /var/lib/samba/bin/.+			gen_context(system_u:object_r:bin_t,s0)
  ')
@@ -2704,6 +2712,35 @@
 +corenet_udp_sendrecv_all_nodes(httpd_apcupsd_cgi_script_t)
 +corenet_udp_sendrecv_all_ports(httpd_apcupsd_cgi_script_t)
 +
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-2.6.4/policy/modules/services/arpwatch.te
+--- nsaserefpolicy/policy/modules/services/arpwatch.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/arpwatch.te	2007-05-29 09:01:26.000000000 -0400
+@@ -28,7 +28,6 @@
+ allow arpwatch_t self:process signal_perms;
+ allow arpwatch_t self:unix_dgram_socket create_socket_perms;
+ allow arpwatch_t self:unix_stream_socket create_stream_socket_perms;
+-allow arpwatch_t self:netlink_route_socket r_netlink_socket_perms;
+ allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
+ allow arpwatch_t self:udp_socket create_socket_perms;
+ allow arpwatch_t self:packet_socket create_socket_perms;
+@@ -78,8 +77,6 @@
+ 
+ miscfiles_read_localization(arpwatch_t)
+ 
+-sysnet_read_config(arpwatch_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(arpwatch_t)
+ userdom_dontaudit_search_sysadm_home_dirs(arpwatch_t)
+ 
+@@ -92,7 +89,7 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(arpwatch_t)
++	auth_use_nsswitch(arpwatch_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.6.4/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/automount.te	2007-05-21 10:46:53.000000000 -0400
@@ -2725,7 +2762,7 @@
  domain_use_interactive_fds(automount_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-2.6.4/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/avahi.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/avahi.te	2007-05-29 09:12:19.000000000 -0400
 @@ -18,7 +18,7 @@
  # Local policy
  #
@@ -2735,6 +2772,33 @@
  dontaudit avahi_t self:capability sys_tty_config;
  allow avahi_t self:process { setrlimit signal_perms setcap };
  allow avahi_t self:fifo_file { read write };
+@@ -32,6 +32,8 @@
+ allow avahi_t avahi_var_run_t:dir setattr;
+ files_pid_filetrans(avahi_t,avahi_var_run_t,file)
+ 
++auth_use_nsswitch(avahi_t)
++
+ kernel_read_kernel_sysctls(avahi_t)
+ kernel_list_proc(avahi_t)
+ kernel_read_proc_symlinks(avahi_t)
+@@ -63,8 +65,6 @@
+ files_read_etc_runtime_files(avahi_t)
+ files_read_usr_files(avahi_t)
+ 
+-auth_use_nsswitch(avahi_t)
+-
+ init_signal_script(avahi_t)
+ init_signull_script(avahi_t)
+ 
+@@ -75,8 +75,6 @@
+ 
+ miscfiles_read_localization(avahi_t)
+ 
+-sysnet_read_config(avahi_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(avahi_t)
+ userdom_dontaudit_search_sysadm_home_dirs(avahi_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-2.6.4/policy/modules/services/bind.te
 --- nsaserefpolicy/policy/modules/services/bind.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/bind.te	2007-05-21 10:46:53.000000000 -0400
@@ -2759,7 +2823,7 @@
  ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-2.6.4/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/consolekit.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/consolekit.te	2007-05-29 11:04:09.000000000 -0400
 @@ -10,7 +10,6 @@
  type consolekit_exec_t;
  init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -2776,7 +2840,7 @@
  manage_files_pattern(consolekit_t,consolekit_var_run_t,consolekit_var_run_t)
  files_pid_filetrans(consolekit_t,consolekit_var_run_t, file)
  
-@@ -50,8 +48,15 @@
+@@ -50,8 +48,16 @@
  libs_use_ld_so(consolekit_t)
  libs_use_shared_libs(consolekit_t)
  
@@ -2788,13 +2852,16 @@
 +userdom_ptrace_all_users(consolekit_t)
 +hal_ptrace(consolekit_t)
 +mcs_ptrace_all(consolekit_t)
++domain_dontaudit_ptrace_all_domains(consolekit_t)
 +
  optional_policy(`
  	dbus_system_bus_client_template(consolekit, consolekit_t)
  	dbus_send_system_bus(consolekit_t)
-@@ -68,3 +73,9 @@
+@@ -67,4 +73,11 @@
+ optional_policy(`
  	xserver_read_all_users_xauth(consolekit_t)
  	xserver_stream_connect_xdm_xserver(consolekit_t)
++	xserver_stream_connect_xdm(consolekit_t)
  ')
 +
 +ifdef(`targeted_policy',`
@@ -3406,7 +3473,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te	2007-05-22 14:42:12.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te	2007-05-29 09:07:20.000000000 -0400
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -3420,29 +3487,46 @@
  type dovecot_cert_t;
  files_type(dovecot_cert_t)
  
-@@ -111,7 +117,6 @@
+@@ -46,8 +52,6 @@
+ allow dovecot_t self:tcp_socket create_stream_socket_perms;
+ allow dovecot_t self:unix_dgram_socket create_socket_perms;
+ allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow dovecot_t self:netlink_route_socket r_netlink_socket_perms;
+-
+ domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
+ 
+ allow dovecot_t dovecot_cert_t:dir list_dir_perms;
+@@ -67,6 +71,8 @@
+ manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
+ files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
+ 
++auth_use_nsswitch(dovecot_t)
++
+ kernel_read_kernel_sysctls(dovecot_t)
+ kernel_read_system_state(dovecot_t)
+ 
+@@ -110,9 +116,6 @@
+ miscfiles_read_certs(dovecot_t)
  miscfiles_read_localization(dovecot_t)
  
- sysnet_read_config(dovecot_t)
+-sysnet_read_config(dovecot_t)
 -sysnet_use_ldap(dovecot_auth_t)
- 
+-
  userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
  userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
-@@ -138,11 +143,11 @@
- ')
- 
- optional_policy(`
--	squid_dontaudit_search_cache(dovecot_t)
-+	udev_read_db(dovecot_t)
+ userdom_priveleged_home_dir_manager(dovecot_t)
+@@ -130,10 +133,6 @@
  ')
  
  optional_policy(`
--	udev_read_db(dovecot_t)
-+	squid_dontaudit_search_cache(dovecot_t)
+-	nis_use_ypbind(dovecot_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(dovecot_t)
  ')
  
- ########################################
-@@ -150,19 +155,20 @@
+@@ -150,25 +149,29 @@
  # dovecot auth local policy
  #
  
@@ -3465,7 +3549,16 @@
  
  allow dovecot_auth_t dovecot_var_run_t:dir r_dir_perms;
  
-@@ -177,6 +183,7 @@
+ kernel_read_all_sysctls(dovecot_auth_t)
+ kernel_read_system_state(dovecot_auth_t)
+ 
++logging_send_syslog_msg(dovecot_auth_t)
++logging_send_audit_msg(dovecot_auth_t)
++
+ dev_read_urand(dovecot_auth_t)
+ 
+ auth_domtrans_chk_passwd(dovecot_auth_t)
+@@ -177,6 +180,7 @@
  files_read_etc_files(dovecot_auth_t)
  files_read_etc_runtime_files(dovecot_auth_t)
  files_search_pids(dovecot_auth_t)
@@ -3473,26 +3566,23 @@
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -191,11 +198,51 @@
- seutil_dontaudit_search_config(dovecot_auth_t)
+@@ -190,12 +194,46 @@
  
- sysnet_dns_name_resolve(dovecot_auth_t)
-+sysnet_use_ldap(dovecot_auth_t)
+ seutil_dontaudit_search_config(dovecot_auth_t)
  
+-sysnet_dns_name_resolve(dovecot_auth_t)
+-
  optional_policy(`
  	kerberos_use(dovecot_auth_t)
  ')
  
-+logging_send_syslog_msg(dovecot_auth_t)
-+logging_send_audit_msg(dovecot_auth_t)
-+
-+optional_policy(`
+ optional_policy(`
+-	logging_send_syslog_msg(dovecot_auth_t)
 +	mysql_search_db(dovecot_auth_t)
 +	mysql_stream_connect(dovecot_auth_t)
 +')
 +
- optional_policy(`
--	logging_send_syslog_msg(dovecot_auth_t)
++optional_policy(`
 +	postfix_create_pivate_sockets(dovecot_auth_t)
 +	postfix_search_spool(dovecot_auth_t)
 +')
@@ -4062,6 +4152,38 @@
  
  	# apache should set close-on-exec
  	apache_dontaudit_append_log(system_mail_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te
+--- nsaserefpolicy/policy/modules/services/nagios.te	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/nagios.te	2007-05-29 09:04:20.000000000 -0400
+@@ -73,8 +73,10 @@
+ corenet_udp_sendrecv_all_nodes(nagios_t)
+ corenet_tcp_sendrecv_all_ports(nagios_t)
+ corenet_udp_sendrecv_all_ports(nagios_t)
++corenet_tcp_connect_all_ports(nagios_t)
+ 
+ dev_read_sysfs(nagios_t)
++dev_read_urand(nagios_t)
+ 
+ domain_use_interactive_fds(nagios_t)
+ # for ps
+@@ -97,8 +99,6 @@
+ 
+ miscfiles_read_localization(nagios_t)
+ 
+-sysnet_read_config(nagios_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(nagios_t)
+ userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
+ 
+@@ -121,7 +121,7 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(nagios_t)
++	auth_use_nsswitch(nagios_t)
+ ')
+ 
+ optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-2.6.4/policy/modules/services/networkmanager.if
 --- nsaserefpolicy/policy/modules/services/networkmanager.if	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/networkmanager.if	2007-05-21 10:46:53.000000000 -0400
@@ -4088,6 +4210,17 @@
 +	domtrans_pattern($1,NetworkManager_exec_t,NetworkManager_t)
 +
 +')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.fc serefpolicy-2.6.4/policy/modules/services/nis.fc
+--- nsaserefpolicy/policy/modules/services/nis.fc	2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/nis.fc	2007-05-29 11:39:06.000000000 -0400
+@@ -4,6 +4,7 @@
+ /sbin/ypbind		--	gen_context(system_u:object_r:ypbind_exec_t,s0)
+ 
+ /usr/lib/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
++/usr/lib64/yp/ypxfr	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
+ 
+ /usr/sbin/rpc\.yppasswdd --	gen_context(system_u:object_r:yppasswdd_exec_t,s0)
+ /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-2.6.4/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/nis.if	2007-05-21 10:46:53.000000000 -0400
@@ -4434,16 +4567,31 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.6.4/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.if	2007-05-21 10:46:53.000000000 -0400
-@@ -122,6 +122,7 @@
- 	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
- 	allow postfix_$1_t self:tcp_socket create_socket_perms;
- 	allow postfix_$1_t self:udp_socket create_socket_perms;
-+	allow postfix_$1_t self:netlink_route_socket r_netlink_socket_perms;
++++ serefpolicy-2.6.4/policy/modules/services/postfix.if	2007-05-29 09:03:07.000000000 -0400
+@@ -116,6 +116,10 @@
+ ## </param>
+ #
+ template(`postfix_server_domain_template',`
++	gen_require(`
++		type postfix_master_t;
++	')
++
+ 	postfix_domain_template($1)
  
- 	domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+ 	allow postfix_$1_t self:capability { setuid setgid dac_override };
+@@ -137,10 +141,8 @@
+ 	corenet_tcp_connect_all_ports(postfix_$1_t)
+ 	corenet_sendrecv_all_client_packets(postfix_$1_t)
  
-@@ -455,3 +456,22 @@
+-	sysnet_read_config(postfix_$1_t)
+-
+ 	optional_policy(`
+-		nis_use_ypbind(postfix_$1_t)
++		auth_use_nsswitch(postfix_$1_t)
+ 	')
+ ')
+ 
+@@ -455,3 +457,22 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -4468,8 +4616,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-2.6.4/policy/modules/services/postfix.te
 --- nsaserefpolicy/policy/modules/services/postfix.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.te	2007-05-21 10:46:53.000000000 -0400
-@@ -169,6 +169,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/postfix.te	2007-05-29 11:49:32.000000000 -0400
+@@ -169,12 +169,18 @@
  mta_rw_aliases(postfix_master_t)
  mta_read_sendmail_bin(postfix_master_t)
  
@@ -4478,7 +4626,17 @@
  ifdef(`targeted_policy',`
  	term_dontaudit_use_unallocated_ttys(postfix_master_t)
  	term_dontaudit_use_generic_ptys(postfix_master_t)
-@@ -184,6 +186,10 @@
+ ')
+ 
+ optional_policy(`
++	auth_use_nsswitch(postfix_master_t)
++')
++
++optional_policy(`
+ 	cyrus_stream_connect(postfix_master_t)
+ ')
+ 
+@@ -184,6 +190,10 @@
  ')
  
  optional_policy(`
@@ -4489,7 +4647,7 @@
  	nis_use_ypbind(postfix_master_t)
  ')
  
-@@ -210,6 +216,7 @@
+@@ -210,6 +220,7 @@
  
  allow postfix_bounce_t self:capability dac_read_search;
  allow postfix_bounce_t self:tcp_socket create_socket_perms;
@@ -4497,7 +4655,7 @@
  
  allow postfix_bounce_t postfix_public_t:sock_file write;
  allow postfix_bounce_t postfix_public_t:dir search;
-@@ -228,6 +235,7 @@
+@@ -228,6 +239,7 @@
  #
  
  allow postfix_cleanup_t self:process setrlimit;
@@ -4505,7 +4663,7 @@
  
  # connect to master process
  stream_connect_pattern(postfix_cleanup_t,postfix_private_t,postfix_private_t,postfix_master_t)
-@@ -250,6 +258,7 @@
+@@ -250,6 +262,7 @@
  
  allow postfix_local_t self:fifo_file rw_fifo_file_perms;
  allow postfix_local_t self:process { setsched setrlimit };
@@ -4513,7 +4671,7 @@
  
  manage_dirs_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
  manage_files_pattern(postfix_local_t,postfix_local_tmp_t,postfix_local_tmp_t)
-@@ -369,6 +378,7 @@
+@@ -369,6 +382,7 @@
  #
  
  allow postfix_pickup_t self:tcp_socket create_socket_perms;
@@ -4521,7 +4679,7 @@
  
  stream_connect_pattern(postfix_pickup_t,postfix_private_t,postfix_private_t,postfix_master_t)
  
-@@ -386,7 +396,7 @@
+@@ -386,7 +400,7 @@
  # Postfix pipe local policy
  #
  
@@ -4530,7 +4688,7 @@
  
  write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
  
-@@ -395,6 +405,10 @@
+@@ -395,6 +409,10 @@
  rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
  
  optional_policy(`
@@ -4541,7 +4699,18 @@
  	procmail_domtrans(postfix_pipe_t)
  ')
  
-@@ -475,6 +489,8 @@
+@@ -441,6 +459,10 @@
+ ')
+ 
+ optional_policy(`
++	fstools_read_pipes(postfix_postdrop_t)
++')
++
++optional_policy(`
+ 	ppp_use_fds(postfix_postqueue_t)
+ 	ppp_sigchld(postfix_postqueue_t)
+ ')
+@@ -475,6 +497,8 @@
  # Postfix qmgr local policy
  #
  
@@ -4550,7 +4719,7 @@
  stream_connect_pattern(postfix_qmgr_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
  rw_fifo_files_pattern(postfix_qmgr_t,postfix_public_t,postfix_public_t)
-@@ -519,8 +535,6 @@
+@@ -519,8 +543,6 @@
  # Postfix smtp delivery local policy
  #
  
@@ -4559,7 +4728,7 @@
  # connect to master process
  stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
  
-@@ -552,9 +566,18 @@
+@@ -552,9 +574,18 @@
  mta_read_aliases(postfix_smtpd_t)
  
  optional_policy(`
@@ -5426,7 +5595,7 @@
 +unconfined_domain(samba_unconfined_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/sasl.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/sasl.te	2007-05-29 10:35:15.000000000 -0400
 @@ -63,6 +63,7 @@
  selinux_compute_access_vector(saslauthd_t)
  
@@ -5435,6 +5604,14 @@
  auth_use_nsswitch(saslauthd_t)
  
  domain_use_interactive_fds(saslauthd_t)
+@@ -79,6 +80,7 @@
+ libs_use_shared_libs(saslauthd_t)
+ 
+ logging_send_syslog_msg(saslauthd_t)
++logging_send_audit_msg(saslauthd_t)
+ 
+ miscfiles_read_localization(saslauthd_t)
+ miscfiles_read_certs(saslauthd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-2.6.4/policy/modules/services/sendmail.if
 --- nsaserefpolicy/policy/modules/services/sendmail.if	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/sendmail.if	2007-05-21 10:46:53.000000000 -0400
@@ -5565,6 +5742,17 @@
  ')
  
  optional_policy(`
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-2.6.4/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/spamassassin.if	2007-05-29 10:25:34.000000000 -0400
+@@ -466,6 +466,7 @@
+ 	')
+ 
+ 	files_search_var_lib($1)
++	list_dirs_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+ 	read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-2.6.4/policy/modules/services/spamassassin.te
 --- nsaserefpolicy/policy/modules/services/spamassassin.te	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/spamassassin.te	2007-05-21 10:46:53.000000000 -0400
@@ -5929,13 +6117,13 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if	2007-05-29 09:10:31.000000000 -0400
 @@ -27,11 +27,9 @@
  	domain_type($1_chkpwd_t)
  	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
  
 -	allow $1_chkpwd_t self:capability { audit_control setuid };
-+	allow $1_chkpwd_t self:capability setuid;
++	allow $1_chkpwd_t self:capability { dac_override setuid };
  	allow $1_chkpwd_t self:process getattr;
  
 -	send_audit_msgs_pattern($1_chkpwd_t)
@@ -5951,16 +6139,17 @@
  
  	miscfiles_read_localization($1_chkpwd_t)
  
-@@ -109,7 +108,7 @@
+@@ -109,7 +108,8 @@
  	role $3 types system_chkpwd_t;
  
  	# cjp: is this really needed?
 -	allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 +	logging_send_audit_msg($2)
++	logging_set_loginuid($1)
  
  	dontaudit $2 shadow_t:file { getattr read };
  
-@@ -152,21 +151,12 @@
+@@ -152,21 +152,12 @@
  ## </param>
  #
  template(`auth_domtrans_user_chk_passwd',`
@@ -5987,7 +6176,7 @@
  ')
  
  ########################################
-@@ -180,6 +170,9 @@
+@@ -180,6 +171,9 @@
  ## </param>
  #
  interface(`auth_login_pgm_domain',`
@@ -5997,17 +6186,19 @@
  
  	domain_type($1)
  	domain_subj_id_change_exemption($1)
-@@ -187,6 +180,9 @@
+@@ -187,6 +181,11 @@
  	domain_obj_id_change_exemption($1)
  	role system_r types $1;
  
 +	auth_keyring_domain($1)
 +	allow $1 keyring_type:key { search link };
 +
++	logging_send_audit_msg($1)
++
  	# for SSP/ProPolice
  	dev_read_urand($1)
  
-@@ -211,9 +207,11 @@
+@@ -211,9 +210,11 @@
  	auth_read_login_records($1)
  	auth_append_login_records($1)
  	auth_rw_lastlog($1)
@@ -6020,7 +6211,7 @@
  	init_rw_utmp($1)
  
  	logging_send_syslog_msg($1)
-@@ -221,6 +219,7 @@
+@@ -221,6 +222,7 @@
  	seutil_read_config($1)
  	seutil_read_default_contexts($1)
  
@@ -6028,7 +6219,7 @@
  	tunable_policy(`allow_polyinstantiation',`
  		files_polyinstantiate_all($1)
  	')
-@@ -320,10 +319,6 @@
+@@ -320,10 +322,6 @@
  		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
  	')
  
@@ -6039,7 +6230,7 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
  
-@@ -357,6 +352,37 @@
+@@ -357,6 +355,37 @@
  
  ########################################
  ## <summary>
@@ -6077,7 +6268,7 @@
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -1391,3 +1417,114 @@
+@@ -1391,3 +1420,114 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -6288,6 +6479,32 @@
  /sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-2.6.4/policy/modules/system/fstools.if
+--- nsaserefpolicy/policy/modules/system/fstools.if	2007-05-07 14:51:02.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/fstools.if	2007-05-29 11:48:37.000000000 -0400
+@@ -124,3 +124,22 @@
+ 
+ 	allow $1 swapfile_t:file getattr;
+ ')
++
++########################################
++## <summary>
++##	Read fstools unnamed pipes.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`fstools_read_pipes',`
++	gen_require(`
++		type fsdaemon_t;
++	')
++
++	allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
++')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.te serefpolicy-2.6.4/policy/modules/system/fstools.te
 --- nsaserefpolicy/policy/modules/system/fstools.te	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/fstools.te	2007-05-21 10:46:53.000000000 -0400
@@ -6779,8 +6996,34 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-2.6.4/policy/modules/system/logging.if
 --- nsaserefpolicy/policy/modules/system/logging.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/logging.if	2007-05-21 10:46:53.000000000 -0400
-@@ -302,6 +302,25 @@
++++ serefpolicy-2.6.4/policy/modules/system/logging.if	2007-05-29 09:11:30.000000000 -0400
+@@ -223,6 +223,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Execute klogd in the klog domain.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`logging_domtrans_klog',`
++	gen_require(`
++		type klogd_t, klogd_exec_t;
++	')
++
++	corecmd_search_bin($1)
++	domtrans_pattern($1,klogd_exec_t,klogd_t)
++')
++
++########################################
++## <summary>
+ ##	Create an object in the log directory, with a private
+ ##	type using a type transition.
+ ## </summary>
+@@ -302,6 +321,25 @@
  
  ########################################
  ## <summary>
@@ -6806,7 +7049,7 @@
  ##	Allows the domain to open a file in the
  ##	log directory, but does not allow the listing
  ##	of the contents of the log directory.
-@@ -436,7 +455,7 @@
+@@ -436,7 +474,7 @@
  
  	files_search_var($1)
  	allow $1 var_log_t:dir list_dir_perms;
@@ -6815,7 +7058,7 @@
  ')
  
  ########################################
-@@ -480,6 +499,8 @@
+@@ -480,6 +518,8 @@
  	files_search_var($1)
  	manage_files_pattern($1,logfile,logfile)
  	read_lnk_files_pattern($1,logfile,logfile)
@@ -6824,7 +7067,7 @@
  ')
  
  ########################################
-@@ -563,3 +584,121 @@
+@@ -563,3 +603,121 @@
  	files_search_var($1)
  	manage_files_pattern($1,var_log_t,var_log_t)
  ')
@@ -6868,7 +7111,7 @@
 +	typeattribute $1 can_set_loginuid, can_send_audit_msg;
 +
 +	allow $1 self:capability audit_control;
-+	allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlsms_relay };
++	allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_read nlmsg_relay };
 +')
 +
 +########################################
@@ -7101,7 +7344,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-2.6.4/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/modutils.te	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/modutils.te	2007-05-29 11:16:14.000000000 -0400
 @@ -102,6 +102,7 @@
  init_use_fds(insmod_t)
  init_use_script_fds(insmod_t)
@@ -7110,7 +7353,7 @@
  
  libs_use_ld_so(insmod_t)
  libs_use_shared_libs(insmod_t)
-@@ -123,6 +124,14 @@
+@@ -123,6 +124,18 @@
  ')
  
  optional_policy(`
@@ -7118,6 +7361,10 @@
 +')
 +
 +optional_policy(`
++	firstboot_dontaudit_rw_pipes(insmod_t)
++')
++
++optional_policy(`
 +	hal_write_log(insmod_t)
 +')
 +
@@ -7125,7 +7372,7 @@
  	hotplug_search_config(insmod_t)
  ')
  
-@@ -155,6 +164,7 @@
+@@ -155,6 +168,7 @@
  
  optional_policy(`
  	rpm_rw_pipes(insmod_t)
@@ -7133,7 +7380,7 @@
  ')
  
  optional_policy(`
-@@ -185,6 +195,7 @@
+@@ -185,6 +199,7 @@
  
  files_read_kernel_symbol_table(depmod_t)
  files_read_kernel_modules(depmod_t)
@@ -7684,7 +7931,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-2.6.4/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.if	2007-05-21 10:46:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.if	2007-05-29 11:47:34.000000000 -0400
 @@ -18,7 +18,7 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.459
retrieving revision 1.460
diff -u -r1.459 -r1.460
--- selinux-policy.spec	23 May 2007 18:35:24 -0000	1.459
+++ selinux-policy.spec	29 May 2007 17:18:01 -0000	1.460
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -359,6 +359,9 @@
 %endif
 
 %changelog
+* Tue May 22 2007 Dan Walsh <dwalsh redhat com> 2.6.4-10
+- Fixes for avahi, procmail, postfix
+
 * Tue May 22 2007 Dan Walsh <dwalsh redhat com> 2.6.4-9
 - Allow dovecot-auth to send audit messages
 - Fix for amands


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]