rpms/selinux-policy/F-7 policy-20070501.patch, 1.73, 1.74 selinux-policy.spec, 1.503, 1.504
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Nov 8 21:07:48 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27186
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Tue Nov 6 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-55
- Add policy.xml
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.73
retrieving revision 1.74
diff -u -r1.73 -r1.74
--- policy-20070501.patch 1 Nov 2007 18:15:45 -0000 1.73
+++ policy-20070501.patch 8 Nov 2007 21:07:44 -0000 1.74
@@ -2054,7 +2054,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-09-11 15:52:36.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/corenetwork.te.in 2007-11-07 08:37:43.000000000 -0500
@@ -48,6 +48,11 @@
type reserved_port_t, port_type, reserved_port_type;
@@ -2093,7 +2093,15 @@
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
network_port(lmtp, tcp,24,s0, udp,24,s0)
network_port(mail, tcp,2000,s0)
-@@ -152,13 +158,18 @@
+@@ -114,6 +120,7 @@
+ network_port(openvpn, tcp,1194,s0, udp,1194,s0)
+ network_port(pegasus_http, tcp,5988,s0)
+ network_port(pegasus_https, tcp,5989,s0)
++network_port(pgpkeyserver, udp, 11371,s0, tcp,11371,s0)
+ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tcp,993,s0, tcp,995,s0, tcp,1109,s0)
+ network_port(portmap, udp,111,s0, tcp,111,s0)
+ network_port(postgresql, tcp,5432,s0)
+@@ -152,13 +159,18 @@
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
@@ -5513,8 +5521,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-2.6.4/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-08-07 09:42:35.000000000 -0400
-@@ -17,16 +17,19 @@
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.fc 2007-11-06 10:59:31.000000000 -0500
+@@ -17,21 +17,22 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
@@ -5534,6 +5542,13 @@
/var/lib/dovecot(/.*)? gen_context(system_u:object_r:dovecot_var_lib_t,s0)
+-/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
+-
+-
+-
++/var/log/dovecot\.log.* gen_context(system_u:object_r:dovecot_var_log_t,s0)
+
++/var/spool/dovecot(/.*)? gen_context(system_u:object_r:dovecot_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.if serefpolicy-2.6.4/policy/modules/services/dovecot.if
--- nsaserefpolicy/policy/modules/services/dovecot.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/dovecot.if 2007-08-07 09:42:35.000000000 -0400
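Review bot: The new `/var/log/dovecot\.log.*` entry in dovecot.fc has no file-type field, whereas the `dovecot-auth` entry visible just above it uses `--`, and the open `.*` tail also matches any longer path that merely starts with `dovecot.log`. The rules this commit adds for the type in dovecot.te cover only the `file` class, so restricting the context to regular files keeps labelling and allow rules aligned: `/var/log/dovecot\.log.* -- gen_context(system_u:object_r:dovecot_var_log_t,s0)`. The last three lines of this hunk are the header of the following dovecot.if section, not part of dovecot.fc.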
@@ -5583,7 +5598,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-10-09 10:28:10.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-11-06 11:00:24.000000000 -0500
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -5597,7 +5612,17 @@
type dovecot_cert_t;
files_type(dovecot_cert_t)
-@@ -46,8 +52,6 @@
+@@ -31,6 +37,9 @@
+ type dovecot_var_lib_t;
+ files_type(dovecot_var_lib_t)
+
++type dovecot_var_log_t;
++logging_log_file(dovecot_var_log_t)
++
+ type dovecot_var_run_t;
+ files_pid_file(dovecot_var_run_t)
+
+@@ -46,8 +55,6 @@
allow dovecot_t self:tcp_socket create_stream_socket_perms;
allow dovecot_t self:unix_dgram_socket create_socket_perms;
allow dovecot_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -5606,7 +5631,7 @@
domtrans_pattern(dovecot_t, dovecot_auth_exec_t, dovecot_auth_t)
allow dovecot_t dovecot_cert_t:dir list_dir_perms;
-@@ -67,6 +71,8 @@
+@@ -67,6 +74,8 @@
manage_sock_files_pattern(dovecot_t,dovecot_var_run_t,dovecot_var_run_t)
files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
@@ -5615,7 +5640,7 @@
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
-@@ -98,7 +104,7 @@
+@@ -98,7 +107,7 @@
files_dontaudit_list_default(dovecot_t)
# Dovecot now has quota support and it uses getmntent() to find the mountpoints.
files_read_etc_runtime_files(dovecot_t)
@@ -5624,7 +5649,7 @@
init_getattr_utmp(dovecot_t)
-@@ -110,9 +116,6 @@
+@@ -110,9 +119,6 @@
miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
@@ -5634,7 +5659,7 @@
userdom_dontaudit_use_unpriv_user_fds(dovecot_t)
userdom_dontaudit_search_sysadm_home_dirs(dovecot_t)
userdom_priveleged_home_dir_manager(dovecot_t)
-@@ -130,10 +133,6 @@
+@@ -130,10 +136,6 @@
')
optional_policy(`
@@ -5645,7 +5670,7 @@
seutil_sigchld_newrole(dovecot_t)
')
-@@ -150,33 +149,39 @@
+@@ -150,33 +152,43 @@
# dovecot auth local policy
#
@@ -5661,6 +5686,10 @@
allow dovecot_auth_t dovecot_passwd_t:file { getattr read };
++# log files
++manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)
++logging_log_filetrans(dovecot_t, dovecot_var_log_t, file)
++
# Allow dovecot to create and read SSL parameters file
manage_files_pattern(dovecot_t,dovecot_var_lib_t,dovecot_var_lib_t)
files_search_var_lib(dovecot_t)
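Review bot: `manage_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` grants the daemon create, write, rename and unlink on its own log files, which is more than logging needs and lets a compromised dovecot_t process truncate or delete the record of what it did. If the pattern macros in this policy version provide them, `append_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` together with `create_files_pattern(dovecot_t, dovecot_var_log_t, dovecot_var_log_t)` should still satisfy `logging_log_filetrans` while leaving rotation and removal to the log-rotation domain. The new rules also appear to sit below the `# dovecot auth local policy` banner although they grant to dovecot_t; that section starts outside this hunk, so check the placement against the full file.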
@@ -5687,7 +5716,7 @@
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -190,12 +195,58 @@
+@@ -190,12 +202,58 @@
seutil_dontaudit_search_config(dovecot_auth_t)
@@ -6890,8 +6919,35 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-2.6.4/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-10-31 07:39:32.000000000 -0400
-@@ -226,6 +226,15 @@
++++ serefpolicy-2.6.4/policy/modules/services/mta.if 2007-11-06 10:44:21.000000000 -0500
+@@ -87,6 +87,8 @@
+ # It wants to check for nscd
+ files_dontaudit_search_pids($1_mail_t)
+
++ auth_use_nsswitch($1_mail_t)
++
+ libs_use_ld_so($1_mail_t)
+ libs_use_shared_libs($1_mail_t)
+
+@@ -94,17 +96,6 @@
+
+ miscfiles_read_localization($1_mail_t)
+
+- sysnet_read_config($1_mail_t)
+- sysnet_dns_name_resolve($1_mail_t)
+-
+- optional_policy(`
+- nis_use_ypbind($1_mail_t)
+- ')
+-
+- optional_policy(`
+- nscd_socket_use($1_mail_t)
+- ')
+-
+ optional_policy(`
+ postfix_domtrans_user_mail_handler($1_mail_t)
+ ')
+@@ -226,6 +217,15 @@
tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_files($1_mail_t)
fs_manage_cifs_symlinks($1_mail_t)
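Review bot: Replacing `sysnet_read_config`, `sysnet_dns_name_resolve` and the two optional `nis_use_ypbind` / `nscd_socket_use` blocks with a single `auth_use_nsswitch($1_mail_t)` probably widens what every per-user `$1_mail_t` domain may do. The interface body is not visible in this change, and such a wrapper typically bundles more name-service backends than the four calls it replaces. The body should be checked for permissions a user mail helper does not need, and a comment above the call would record the intent, e.g. `# name-service lookups; replaces the explicit sysnet/nis/nscd rules`. The template this hunk edits begins and ends outside the hunk.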
@@ -6907,7 +6963,7 @@
')
optional_policy(`
-@@ -316,6 +325,42 @@
+@@ -316,6 +316,42 @@
########################################
## <summary>
@@ -6950,7 +7006,7 @@
## Modified mailserver interface for
## sendmail daemon use.
## </summary>
-@@ -394,6 +439,7 @@
+@@ -394,6 +430,7 @@
allow $1 mail_spool_t:dir list_dir_perms;
create_files_pattern($1,mail_spool_t,mail_spool_t)
read_files_pattern($1,mail_spool_t,mail_spool_t)
@@ -6958,7 +7014,7 @@
create_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
read_lnk_files_pattern($1,mail_spool_t,mail_spool_t)
-@@ -449,11 +495,12 @@
+@@ -449,11 +486,12 @@
interface(`mta_send_mail',`
gen_require(`
attribute mta_user_agent;
@@ -6974,7 +7030,7 @@
allow $1 system_mail_t:fd use;
allow system_mail_t $1:fd use;
-@@ -847,6 +894,25 @@
+@@ -847,6 +885,25 @@
manage_files_pattern($1,mqueue_spool_t,mqueue_spool_t)
')
@@ -7002,7 +7058,7 @@
## Read sendmail binary.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-31 07:38:22.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-11-02 09:53:09.000000000 -0400
@@ -6,6 +6,8 @@
# Declarations
#
@@ -10376,8 +10432,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.6.4/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-09-04 13:40:38.000000000 -0400
-@@ -91,6 +91,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/squid.te 2007-11-07 10:42:09.000000000 -0500
+@@ -91,10 +91,12 @@
corenet_udp_bind_gopher_port(squid_t)
corenet_tcp_bind_squid_port(squid_t)
corenet_udp_bind_squid_port(squid_t)
@@ -10385,7 +10441,12 @@
corenet_tcp_connect_ftp_port(squid_t)
corenet_tcp_connect_gopher_port(squid_t)
corenet_tcp_connect_http_port(squid_t)
-@@ -108,6 +109,8 @@
+ corenet_tcp_connect_http_cache_port(squid_t)
++corenet_tcp_connect_pgpkeyserver_port(squid_t)
+ corenet_sendrecv_http_client_packets(squid_t)
+ corenet_sendrecv_ftp_client_packets(squid_t)
+ corenet_sendrecv_gopher_client_packets(squid_t)
+@@ -108,6 +110,8 @@
fs_getattr_all_fs(squid_t)
fs_search_auto_mountpoints(squid_t)
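Review bot: `corenet_tcp_connect_pgpkeyserver_port(squid_t)` is added unconditionally and without a comment, so every squid installation gains outbound access to tcp/11371 whether or not keyserver traffic is ever proxied. A one-line comment stating the use case, such as `# allow proxied keyserver (tcp/11371) requests`, would document why the proxy needs it. If only some sites need the access, the rule could sit behind a tunable. The matching `network_port(pgpkeyserver, ...)` definition added in corenetwork.te.in also declares udp/11371, which nothing visible in this change uses.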
@@ -10394,7 +10455,7 @@
selinux_dontaudit_getattr_dir(squid_t)
-@@ -181,7 +184,11 @@
+@@ -181,7 +185,11 @@
udev_read_db(squid_t)
')
@@ -12193,8 +12254,8 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-08-07 09:42:35.000000000 -0400
-@@ -81,8 +81,9 @@
++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc 2007-11-08 16:05:30.000000000 -0500
+@@ -81,8 +81,10 @@
/opt/cisco-vpnclient/lib/libvpnapi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/cxoffice/lib/wine/.+\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -12202,10 +12263,11 @@
+/opt/ibm/java.*/jre/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/Adobe(/.*?)/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
-@@ -132,13 +133,16 @@
+@@ -132,13 +134,16 @@
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
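Review bot: The added `/opt/Adobe(/.*?)/nppdf\.so` entry does not follow the optional-directory form used elsewhere in this file (`(.*/)?`, as in the netbeans line). A `?` directly after `*` is not a defined POSIX extended-regex construct, and the group itself is mandatory, so what the entry matches depends on the regex library in use. `/opt/Adobe(/.*)?/nppdf\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)` expresses "any depth below /opt/Adobe" unambiguously. Because `textrel_shlib_t` relaxes the text-relocation restriction for whatever it labels, the pattern is worth keeping as tight and predictable as possible.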
@@ -12223,7 +12285,7 @@
/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -157,6 +161,8 @@
+@@ -157,6 +162,8 @@
/usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libXcomp\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/NX/lib/libjpeg\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -12232,7 +12294,7 @@
/usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -254,6 +260,8 @@
+@@ -254,6 +261,8 @@
/usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -13346,7 +13408,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-2.6.4/policy/modules/system/sysnetwork.if
--- nsaserefpolicy/policy/modules/system/sysnetwork.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/sysnetwork.if 2007-11-06 16:35:34.000000000 -0500
@@ -520,6 +520,9 @@
files_search_etc($1)
@@ -13760,7 +13822,7 @@
dbus_stub(unconfined_execmem_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-2.6.4/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-10-09 17:05:07.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/userdomain.if 2007-11-02 11:13:10.000000000 -0400
@@ -114,6 +114,22 @@
# Allow making the stack executable via mprotect.
allow $1_t self:process execstack;
@@ -13784,6 +13846,15 @@
')
#######################################
+@@ -744,7 +760,7 @@
+
+ fs_get_all_fs_quotas($1_t)
+ fs_getattr_all_fs($1_t)
+- fs_getattr_all_dirs($1_t)
++ fs_search_all($1_t)
+ fs_search_auto_mountpoints($1_t)
+ fs_list_inotifyfs($1_t)
+
@@ -764,6 +780,8 @@
auth_search_pam_console_data($1_t)
auth_run_pam($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
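Review bot: Swapping `fs_getattr_all_dirs($1_t)` for `fs_search_all($1_t)` changes every user domain built from this template from reading attributes of filesystem directories to searching them, and the getattr grant is dropped rather than kept alongside. Neither interface body is visible here, so confirm that `fs_search_all` still covers what the old line provided and is no broader than the denial that prompted the change. A comment naming the access that required it, e.g. `# needed so <program> can traverse <filesystem type>` with the placeholders filled in, would let a later reviewer narrow it to specific filesystem types. The template body starts and ends outside this hunk.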
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.503
retrieving revision 1.504
diff -u -r1.503 -r1.504
--- selinux-policy.spec 1 Nov 2007 18:15:45 -0000 1.503
+++ selinux-policy.spec 8 Nov 2007 21:07:44 -0000 1.504
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 53%{?dist}
+Release: 55%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -71,6 +71,7 @@
%{_usr}/share/selinux/devel/Makefile
%{_usr}/share/selinux/devel/policygentool
%{_usr}/share/selinux/devel/example.*
+%{_usr}/share/selinux/devel/policy.*
%attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
%post devel
@@ -217,6 +218,7 @@
install -m 755 ${RPM_SOURCE_DIR}/policygentool %{buildroot}%{_usr}/share/selinux/devel/
install -m 644 ${RPM_SOURCE_DIR}/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile
install -m 644 doc/example.* %{buildroot}%{_usr}/share/selinux/devel/
+install -m 644 doc/policy.* %{buildroot}%{_usr}/share/selinux/devel/
echo "htmlview file:///usr/share/doc/selinux-policy-%{version}/html/index.html"> %{buildroot}%{_usr}/share/selinux/devel/policyhelp
chmod +x %{buildroot}%{_usr}/share/selinux/devel/policyhelp
@@ -361,6 +363,12 @@
%endif
%changelog
+* Tue Nov 6 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-55
+- Add policy.xml
+
+* Tue Nov 6 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-54
+- Allow dovecot to write log files
+
* Thu Nov 1 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-53
- Allow spamd to create nfs/cifs files