rpms/selinux-policy/F-8 policy-20070703.patch, 1.135, 1.136 selinux-policy.spec, 1.577, 1.578
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Nov 15 15:39:47 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6017
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Wed Nov 14 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-55
- Allow spamd to manage razor files
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.135
retrieving revision 1.136
diff -u -r1.135 -r1.136
--- policy-20070703.patch 14 Nov 2007 17:29:28 -0000 1.135
+++ policy-20070703.patch 15 Nov 2007 15:39:43 -0000 1.136
@@ -1708,7 +1708,16 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.0.8/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/netutils.te 2007-11-15 10:23:21.000000000 -0500
+@@ -40,7 +40,7 @@
+ allow netutils_t self:capability { net_admin net_raw setuid setgid };
+ dontaudit netutils_t self:capability sys_tty_config;
+ allow netutils_t self:process { sigkill sigstop signull signal };
+-allow netutils_t self:netlink_route_socket { bind create getattr nlmsg_read nlmsg_write read write };
++allow netutils_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow netutils_t self:packet_socket create_socket_perms;
+ allow netutils_t self:udp_socket create_socket_perms;
+ allow netutils_t self:tcp_socket create_stream_socket_perms;
@@ -94,9 +94,22 @@
')
@@ -1732,7 +1741,14 @@
########################################
#
# Ping local policy
-@@ -113,6 +126,7 @@
+@@ -107,12 +120,14 @@
+ allow ping_t self:tcp_socket create_socket_perms;
+ allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+ allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
++allow ping_t self:netlink_route_socket r_netlink_socket_perms;
+
+ corenet_all_recvfrom_unlabeled(ping_t)
+ corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
@@ -1740,6 +1756,15 @@
corenet_tcp_sendrecv_all_nodes(ping_t)
corenet_tcp_sendrecv_all_ports(ping_t)
+@@ -166,7 +181,7 @@
+ allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+ allow traceroute_t self:rawip_socket create_socket_perms;
+ allow traceroute_t self:packet_socket create_socket_perms;
+-allow traceroute_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
++allow traceroute_t self:netlink_route_socket rw_netlink_socket_perms;
+ allow traceroute_t self:udp_socket create_socket_perms;
+
+ kernel_read_system_state(traceroute_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/portage.if serefpolicy-3.0.8/policy/modules/admin/portage.if
--- nsaserefpolicy/policy/modules/admin/portage.if 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/portage.if 2007-10-29 23:59:29.000000000 -0400
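Review bot: The traceroute_t line `allow traceroute_t self:netlink_route_socket rw_netlink_socket_perms;` is not a pure refactor. The removed explicit set had `nlmsg_read` but no `nlmsg_write`, and the rw_ macro presumably includes it, going by its name and the `r_netlink_socket_perms` counterpart this patch uses for ping_t. Since traceroute_t already holds the `net_admin` capability, that would widen the domain from reading routing state to being able to change it. If read access was sufficient before, `allow traceroute_t self:netlink_route_socket r_netlink_socket_perms;` keeps the old scope. The netutils_t line in the first hunk already listed `nlmsg_write`, so that concern does not apply there, though the macro's full expansion is not visible on this page and should be compared with the old list.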
@@ -2380,7 +2405,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-11-14 15:02:28.000000000 -0500
@@ -22,7 +22,7 @@
# Local policy
#
@@ -2409,7 +2434,14 @@
corenet_tcp_connect_all_ports(vpnc_t)
corenet_sendrecv_all_client_packets(vpnc_t)
corenet_sendrecv_isakmp_server_packets(vpnc_t)
-@@ -96,7 +98,7 @@
+@@ -90,13 +92,14 @@
+ locallogin_use_fds(vpnc_t)
+
+ logging_send_syslog_msg(vpnc_t)
++logging_dontaudit_search_logs(vpnc_t)
+
+ miscfiles_read_localization(vpnc_t)
+
seutil_dontaudit_search_config(vpnc_t)
seutil_use_newrole_fds(vpnc_t)
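Review bot: `logging_dontaudit_search_logs(vpnc_t)` hides the denial instead of explaining it, so AVC logs will no longer show vpnc_t searching the log directory. That is fine for known noise, but it also removes a signal if the process misbehaves. I would put a comment above the call recording why the access is harmless, e.g. `# vpnc_t probes the log dir but does not need it (bug: <BUG-ID placeholder>)`. The interface definition itself is not visible on this page; the logging.if section shows only a timestamp change.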
@@ -11253,6 +11285,51 @@
corecmd_exec_bin(radiusd_t)
corecmd_exec_shell(radiusd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.0.8/policy/modules/services/razor.if
+--- nsaserefpolicy/policy/modules/services/razor.if 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/razor.if 2007-11-14 14:07:58.000000000 -0500
+@@ -218,3 +218,41 @@
+
+ domtrans_pattern($1, razor_exec_t, razor_t)
+ ')
++
++########################################
++## <summary>
++## Create, read, write, and delete razor files
++## in a user home subdirectory.
++## </summary>
++## <desc>
++## <p>
++## Create, read, write, and delete razor files
++## in a user home subdirectory.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`razor_manage_user_home_files',`
++ gen_require(`
++ type $1_home_dir_t, $1_razor_home_t;
++ ')
++
++ files_search_home($2)
++ allow $2 $1_home_dir_t:dir search_dir_perms;
++ manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/remotelogin.if serefpolicy-3.0.8/policy/modules/services/remotelogin.if
--- nsaserefpolicy/policy/modules/services/remotelogin.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/remotelogin.if 2007-10-29 23:59:29.000000000 -0400
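Review bot: The new `razor_manage_user_home_files` template grants only `manage_files_pattern($2,$1_razor_home_t,$1_razor_home_t)`, so the caller can manage regular files of that type but gets nothing for directories or symlinks. It is worth confirming that files-only is intended and stating it in the `<desc>`, since the text reads as if the whole subdirectory is covered. The `<summary>` and the first `<p>` are word-for-word identical. I would replace the `<p>` with a sentence saying that this gives a domain write access to user-owned data, and that callers should gate it behind a home-directory boolean, as the spamassassin.if hunk later in this patch does with `spamd_enable_home_dirs`.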
@@ -12709,9 +12786,25 @@
seutil_sigchld_newrole(soundd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if
+--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2007-11-14 14:47:36.000000000 -0500
+@@ -286,6 +286,12 @@
+ userdom_manage_user_home_content_symlinks($1,spamd_t)
+ ')
+
++ optional_policy(`
++ tunable_policy(`spamd_enable_home_dirs',`
++ razor_manage_user_home_files($1,spamd_t)
++ ')
++ ')
++
+ tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs($1_spamassassin_t)
+ fs_manage_nfs_files($1_spamassassin_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.0.8/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-01 13:43:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.te 2007-11-14 14:09:01.000000000 -0500
@@ -81,7 +81,7 @@
# var/lib files for spamd
@@ -14158,7 +14251,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.0.8/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.fc 2007-11-15 10:15:01.000000000 -0500
@@ -14,6 +14,7 @@
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
/sbin/unix_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
@@ -14167,15 +14260,16 @@
ifdef(`distro_suse', `
/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
-@@ -40,3 +41,5 @@
+@@ -40,3 +41,6 @@
/var/run/console(/.*)? gen_context(system_u:object_r:pam_var_console_t,s0)
/var/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
++/var/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
+
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-10 09:11:11.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-11-15 10:20:36.000000000 -0500
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
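Review bot: The added `/var/run/pam_ssh(/.*)?` entry is labelled `var_auth_t`, while the neighbouring `/var/run` entries in this section use `pam_var_run_t` and `pam_var_console_t`. If that is deliberate, a comment naming the domains that need to reach it would help, because every domain already allowed to manage var_auth_t content gains access to these files too. A file-context entry also only takes effect on relabel, and /var/run content is created at runtime, so the creating domain presumably needs a matching type transition; none is visible in this hunk. The log message mentions only the razor change, so this labelling change deserves its own changelog line.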
@@ -15737,7 +15831,7 @@
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2007-11-14 15:02:16.000000000 -0500
@@ -33,8 +33,27 @@
## </param>
#
@@ -18235,7 +18329,7 @@
/tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-14 12:20:47.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-14 14:05:33.000000000 -0500
@@ -29,8 +29,9 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.577
retrieving revision 1.578
diff -u -r1.577 -r1.578
--- selinux-policy.spec 14 Nov 2007 17:16:05 -0000 1.577
+++ selinux-policy.spec 15 Nov 2007 15:39:43 -0000 1.578
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 54%{?dist}
+Release: 55%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,9 @@
%endif
%changelog
+* Wed Nov 14 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-55
+- Allow spamd to manage razor files
+
* Mon Nov 12 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-54
- Allow cyrus to authenticate via sasl
- Allow sshd to work in tunnel mode