rpms/selinux-policy/F-8 policy-20070703.patch, 1.139, 1.140 selinux-policy.spec, 1.580, 1.581

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Nov 19 21:39:21 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv7958

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Nov 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-58
- Allow nmbd to list inotifyfs_t
- Dontaudit consolekit access to user homedir
- dontaudit nscd getserv and shmemserv
- Allow rsync_t dac overrides
- Allow xfs_t to listen to sockets


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.139
retrieving revision 1.140
diff -u -r1.139 -r1.140
--- policy-20070703.patch	17 Nov 2007 12:26:40 -0000	1.139
+++ policy-20070703.patch	19 Nov 2007 21:39:18 -0000	1.140
@@ -3995,7 +3995,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-11-16 13:24:55.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-11-19 14:58:40.000000000 -0500
 @@ -4,6 +4,7 @@
  
  /dev/.*mouse.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4004,7 +4004,7 @@
  /dev/(misc/)?agpgart	-c	gen_context(system_u:object_r:agp_device_t,s0)
  /dev/aload.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/amidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
-@@ -14,22 +15,29 @@
+@@ -14,22 +15,30 @@
  /dev/beep		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dmfm		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/dsp.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
@@ -4031,10 +4031,11 @@
 +/dev/mergemem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/kmsg		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
 +/dev/kvm		-c	gen_context(system_u:object_r:kvm_device_t,mls_systemhigh)
++/dev/lircm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/logibm		-c	gen_context(system_u:object_r:mouse_device_t,s0)
  /dev/lp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  /dev/mcelog		-c	gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
-@@ -41,6 +49,11 @@
+@@ -41,6 +50,11 @@
  /dev/mmetfgrab		-c	gen_context(system_u:object_r:scanner_device_t,s0)
  /dev/mpu401.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/null		-c	gen_context(system_u:object_r:null_device_t,s0)
@@ -4046,7 +4047,7 @@
  /dev/nvidia.*		-c	gen_context(system_u:object_r:xserver_misc_device_t,s0)
  /dev/nvram		-c	gen_context(system_u:object_r:nvram_device_t,mls_systemhigh)
  /dev/oldmem		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
-@@ -49,6 +62,9 @@
+@@ -49,6 +63,9 @@
  /dev/pmu		-c	gen_context(system_u:object_r:power_device_t,s0)
  /dev/port		-c	gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
  /dev/(misc/)?psaux	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -4056,7 +4057,7 @@
  /dev/rmidi.*		-c	gen_context(system_u:object_r:sound_device_t,s0)
  /dev/radeon		-c	gen_context(system_u:object_r:dri_device_t,s0)
  /dev/radio.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -65,9 +81,11 @@
+@@ -65,9 +82,11 @@
  /dev/sonypi		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/tlk[0-3]		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  /dev/urandom		-c	gen_context(system_u:object_r:urandom_device_t,s0)
@@ -4068,7 +4069,7 @@
  /dev/usblp.*		-c	gen_context(system_u:object_r:printer_device_t,s0)
  ifdef(`distro_suse', `
  /dev/usbscanner		-c	gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -95,11 +113,21 @@
+@@ -95,11 +114,21 @@
  /dev/dvb/.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
  
  /dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6850,7 +6851,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.te serefpolicy-3.0.8/policy/modules/services/consolekit.te
 --- nsaserefpolicy/policy/modules/services/consolekit.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/consolekit.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/consolekit.te	2007-11-19 15:22:07.000000000 -0500
 @@ -10,7 +10,6 @@
  type consolekit_exec_t;
  init_daemon_domain(consolekit_t, consolekit_exec_t)
@@ -6877,7 +6878,7 @@
  
  files_read_etc_files(consolekit_t)
  # needs to read /var/lib/dbus/machine-id
-@@ -50,8 +51,15 @@
+@@ -50,8 +51,16 @@
  libs_use_ld_so(consolekit_t)
  libs_use_shared_libs(consolekit_t)
  
@@ -6887,13 +6888,14 @@
  
 +# consolekit needs to be able to ptrace all logged in users 
 +userdom_ptrace_all_users(consolekit_t)
++userdom_dontaudit_read_unpriv_users_home_content_files(consolekit_t)
 +hal_ptrace(consolekit_t)
 +mcs_ptrace_all(consolekit_t)
 +
  optional_policy(`
  	dbus_system_bus_client_template(consolekit, consolekit_t)
  	dbus_send_system_bus(consolekit_t)
-@@ -62,9 +70,16 @@
+@@ -62,9 +71,16 @@
  	optional_policy(`
  		unconfined_dbus_chat(consolekit_t)
  	')
@@ -10196,7 +10198,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.0.8/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nscd.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nscd.if	2007-11-19 16:32:18.000000000 -0500
+@@ -77,7 +77,7 @@
+ 
+ 	allow $1 nscd_t:nscd { getpwd getgrp gethost };
+ 	dontaudit $1 nscd_t:fd use;
+-	dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
++	dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
+ 
+ 	files_search_pids($1)
+ 	stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
 @@ -204,3 +204,22 @@
  	role $2 types nscd_t;
  	dontaudit nscd_t $3:chr_file rw_term_perms;
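Review bot: The new rule at the `+` line silently drops `getserv` requests (`dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };`) while the line two above still allows `getpwd getgrp gethost`, so service-name lookups through nscd fail quietly for every caller of this interface and fall back to whatever the resolver does next. If the intent is only to hide noise for callers that never need service lookups, a comment on the dontaudit line saying so would prevent the next maintainer from "fixing" it into an allow; if callers are expected to resolve services via nscd, `getserv` belongs in the allow line instead. The enclosing interface begins before this hunk, so its name and summary are not visible here to confirm which is meant.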
@@ -11763,7 +11774,7 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rsync.te	2007-11-08 13:36:23.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/rsync.te	2007-11-19 14:03:34.000000000 -0500
 @@ -8,6 +8,13 @@
  
  ## <desc>
@@ -11786,7 +11797,24 @@
  role system_r types rsync_t;
  
  type rsync_data_t;
-@@ -57,6 +65,8 @@
+@@ -33,7 +41,7 @@
+ # Local policy
+ #
+ 
+-allow rsync_t self:capability sys_chroot;
++allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
+ allow rsync_t self:process signal_perms;
+ allow rsync_t self:fifo_file rw_fifo_file_perms;
+ allow rsync_t self:tcp_socket create_stream_socket_perms;
+@@ -43,7 +51,6 @@
+ # cjp: this should probably only be inetd_child_t rules?
+ # search home and kerberos also.
+ allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+-allow rsync_t self:capability { setuid setgid };
+ #end for identd
+ 
+ allow rsync_t rsync_data_t:dir list_dir_perms;
+@@ -57,6 +64,8 @@
  manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
  files_pid_filetrans(rsync_t,rsync_var_run_t,file)
  
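Review bot: The rewritten capability line `allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };` grants `dac_override` and `dac_read_search` to rsync_t unconditionally, while the hunk at @@ -11824 in this same commit removes the gated `allow rsync_t self:capability dac_override;` from inside `tunable_policy(\`rsync_export_all_ro',...)`. Before this change the DAC bypass only applied when the administrator opted into exporting everything read-only; afterwards rsyncd can bypass mode bits on any file its type-enforcement rules already let it reach, regardless of the boolean. If the unconditional grant is deliberate (e.g. needed for ordinary module exports), a comment above the line stating why would help; otherwise keep the base line as `allow rsync_t self:capability { setuid setgid sys_chroot };` and put `allow rsync_t self:capability { dac_read_search dac_override };` back inside the tunable. Folding the separate `setuid setgid` rule into the single line is fine.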
@@ -11795,7 +11823,7 @@
  kernel_read_kernel_sysctls(rsync_t)
  kernel_read_system_state(rsync_t)
  kernel_read_network_state(rsync_t)
-@@ -80,6 +90,8 @@
+@@ -80,6 +89,8 @@
  files_read_etc_files(rsync_t)
  files_search_home(rsync_t)
  
@@ -11804,7 +11832,7 @@
  libs_use_ld_so(rsync_t)
  libs_use_shared_libs(rsync_t)
  
-@@ -89,8 +101,6 @@
+@@ -89,8 +100,6 @@
  miscfiles_read_localization(rsync_t)
  miscfiles_read_public_files(rsync_t)
  
@@ -11813,7 +11841,7 @@
  tunable_policy(`allow_rsync_anon_write',`
  	miscfiles_manage_public_files(rsync_t)
  ')
-@@ -107,10 +117,8 @@
+@@ -107,10 +116,7 @@
  	inetd_service_domain(rsync_t,rsync_exec_t)
  ')
  
@@ -11824,7 +11852,6 @@
 -optional_policy(`
 -	nscd_socket_use(rsync_t)
 +tunable_policy(`rsync_export_all_ro',`
-+	allow rsync_t self:capability dac_override;
 +	fs_read_noxattr_fs_files(rsync_t) 
 +	auth_read_all_files_except_shadow(rsync_t)
  ')
@@ -11990,7 +12017,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te	2007-11-09 12:27:28.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/samba.te	2007-11-19 10:25:59.000000000 -0500
 @@ -137,6 +137,11 @@
  type winbind_var_run_t;
  files_pid_file(winbind_var_run_t)
@@ -12073,11 +12100,19 @@
  
  kernel_getattr_core_if(smbd_t)
  kernel_getattr_message_if(smbd_t)
-@@ -298,6 +296,7 @@
+@@ -292,12 +290,13 @@
  
- auth_use_nsswitch(smbd_t)
+ fs_getattr_all_fs(smbd_t)
+ fs_get_xattr_fs_quotas(smbd_t)
+-fs_search_auto_mountpoints(smbd_t)
+ fs_getattr_rpc_dirs(smbd_t)
+ fs_list_inotifyfs(smbd_t)
++fs_search_auto_mountpoints(smbd_t)
+ 
+-auth_use_nsswitch(smbd_t)
  auth_domtrans_chk_passwd(smbd_t)
 +auth_domtrans_upd_passwd(smbd_t)
++auth_use_nsswitch(smbd_t)
  
  domain_use_interactive_fds(smbd_t)
  domain_dontaudit_list_all_domains_state(smbd_t)
@@ -12136,7 +12171,15 @@
  kernel_getattr_core_if(nmbd_t)
  kernel_getattr_message_if(nmbd_t)
  kernel_read_kernel_sysctls(nmbd_t)
-@@ -462,17 +471,11 @@
+@@ -446,6 +455,7 @@
+ dev_getattr_mtrr_dev(nmbd_t)
+ 
+ fs_getattr_all_fs(nmbd_t)
++fs_list_inotifyfs(nmbd_t)
+ fs_search_auto_mountpoints(nmbd_t)
+ 
+ domain_use_interactive_fds(nmbd_t)
+@@ -462,17 +472,11 @@
  
  miscfiles_read_localization(nmbd_t)
  
@@ -12154,7 +12197,7 @@
  	seutil_sigchld_newrole(nmbd_t)
  ')
  
-@@ -506,6 +509,8 @@
+@@ -506,6 +510,8 @@
  manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
  files_list_var_lib(smbmount_t)
  
@@ -12163,7 +12206,7 @@
  kernel_read_system_state(smbmount_t)
  
  corenet_all_recvfrom_unlabeled(smbmount_t)
-@@ -533,6 +538,7 @@
+@@ -533,6 +539,7 @@
  storage_raw_write_fixed_disk(smbmount_t)
  
  term_list_ptys(smbmount_t)
@@ -12171,7 +12214,7 @@
  
  corecmd_list_bin(smbmount_t)
  
-@@ -553,16 +559,11 @@
+@@ -553,16 +560,11 @@
  
  logging_search_logs(smbmount_t)
  
@@ -12190,7 +12233,7 @@
  ')
  
  ########################################
-@@ -570,24 +571,28 @@
+@@ -570,24 +572,28 @@
  # SWAT Local policy
  #
  
@@ -12227,7 +12270,7 @@
  allow swat_t smbd_var_run_t:file read;
  
  manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +602,11 @@
+@@ -597,7 +603,11 @@
  manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
  files_pid_filetrans(swat_t,swat_var_run_t,file)
  
@@ -12240,7 +12283,7 @@
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -622,23 +631,24 @@
+@@ -622,23 +632,24 @@
  
  dev_read_urand(swat_t)
  
@@ -12267,7 +12310,7 @@
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -652,13 +662,16 @@
+@@ -652,13 +663,16 @@
  	kerberos_use(swat_t)
  ')
  
@@ -12290,7 +12333,7 @@
  
  ########################################
  #
-@@ -672,7 +685,6 @@
+@@ -672,7 +686,6 @@
  allow winbind_t self:fifo_file { read write };
  allow winbind_t self:unix_dgram_socket create_socket_perms;
  allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -12298,7 +12341,7 @@
  allow winbind_t self:tcp_socket create_stream_socket_perms;
  allow winbind_t self:udp_socket create_socket_perms;
  
-@@ -709,6 +721,8 @@
+@@ -709,6 +722,8 @@
  manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
  files_pid_filetrans(winbind_t,winbind_var_run_t,file)
  
@@ -12307,7 +12350,7 @@
  kernel_read_kernel_sysctls(winbind_t)
  kernel_list_proc(winbind_t)
  kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +747,9 @@
+@@ -733,7 +748,9 @@
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
@@ -12317,7 +12360,7 @@
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -746,9 +762,6 @@
+@@ -746,9 +763,6 @@
  
  miscfiles_read_localization(winbind_t)
  
@@ -12327,7 +12370,7 @@
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
  userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +771,6 @@
+@@ -758,10 +772,6 @@
  ')
  
  optional_policy(`
@@ -12338,7 +12381,7 @@
  	seutil_sigchld_newrole(winbind_t)
  ')
  
-@@ -784,6 +793,8 @@
+@@ -784,6 +794,8 @@
  allow winbind_helper_t samba_var_t:dir search;
  files_list_var_lib(winbind_helper_t)
  
@@ -12347,7 +12390,7 @@
  stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
  
  term_list_ptys(winbind_helper_t)
-@@ -804,6 +815,7 @@
+@@ -804,6 +816,7 @@
  optional_policy(`
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
@@ -12355,7 +12398,7 @@
  ')
  
  ########################################
-@@ -828,3 +840,37 @@
+@@ -828,3 +841,37 @@
  		domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
  	')
  ')
@@ -13504,8 +13547,16 @@
 +miscfiles_read_certs(httpd_w3c_validator_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xfs.te serefpolicy-3.0.8/policy/modules/services/xfs.te
 --- nsaserefpolicy/policy/modules/services/xfs.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xfs.te	2007-10-29 23:59:29.000000000 -0400
-@@ -37,6 +37,15 @@
++++ serefpolicy-3.0.8/policy/modules/services/xfs.te	2007-11-19 15:03:17.000000000 -0500
+@@ -26,6 +26,7 @@
+ allow xfs_t self:process { signal_perms setpgid };
+ allow xfs_t self:unix_stream_socket create_stream_socket_perms;
+ allow xfs_t self:unix_dgram_socket create_socket_perms;
++allow xfs_t self:tcp_socket create_stream_socket_perms;
+ 
+ manage_dirs_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
+ manage_sock_files_pattern(xfs_t,xfs_tmp_t,xfs_tmp_t)
+@@ -37,6 +38,15 @@
  kernel_read_kernel_sysctls(xfs_t)
  kernel_read_system_state(xfs_t)
  
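Review bot: The added `allow xfs_t self:tcp_socket create_stream_socket_perms;` covers create/bind/listen/accept on xfs_t's own TCP sockets, but no corenet node or port binding rule for xfs_t appears in this hunk, so a bind() to a TCP port would presumably still be denied unless the matching `corenet_tcp_bind_*` rules exist elsewhere in the patch — worth confirming against the rest of xfs.te. A short why-comment on the new line, e.g. `# xfs can be configured to accept font clients over TCP`, would also make clear that enabling a network listener on the font server is intentional rather than a catch-all for an unrelated denial. The body of the xfs_t local policy continues outside this hunk.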
@@ -18304,7 +18355,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-11-17 07:03:58.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-11-19 15:21:25.000000000 -0500
 @@ -29,8 +29,9 @@
  	')
  
@@ -19412,7 +19463,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5559,3 +5756,379 @@
+@@ -5559,3 +5756,402 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')
@@ -19727,6 +19778,29 @@
 +
 +########################################
 +## <summary>
++##	dontaudit Read all unprivileged users home directory
++##	files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_dontaudit_read_unpriv_users_home_content_files',`
++	gen_require(`
++		attribute user_home_dir_type, user_home_type;
++	')
++
++	files_search_home($1)
++	dontaudit $1 user_home_type:dir list_dir_perms;
++	dontaudit $1 user_home_type:file read_file_perms;
++	dontaudit $1 user_home_type:file read_lnk_file_perms;
++')
++
++
++########################################
++## <summary>
 +##	dontaudit attempts to write to user home dir files
 +## </summary>
 +## <param name="domain">
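Review bot: In the new interface `userdom_dontaudit_read_unpriv_users_home_content_files`, the line `dontaudit $1 user_home_type:file read_lnk_file_perms;` applies the symlink permission macro to the `file` class; it compiles because the permissions exist on both classes, but the intent is clearly `dontaudit $1 user_home_type:lnk_file read_lnk_file_perms;`. The `gen_require` also pulls in `user_home_dir_type`, which the body never references, so that attribute can be dropped from the require block. Finally, `files_search_home($1)` is an allow rule inside an interface whose name and summary promise only dontaudit; a dontaudit of the home content does not need search granted, so either remove the call or note in the summary that the interface also permits searching the home root.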


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.580
retrieving revision 1.581
diff -u -r1.580 -r1.581
--- selinux-policy.spec	17 Nov 2007 11:30:22 -0000	1.580
+++ selinux-policy.spec	19 Nov 2007 21:39:18 -0000	1.581
@@ -380,6 +380,13 @@
 %endif
 
 %changelog
+* Fri Nov 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-58
+- Allow nmbd to list inotifyfs_t
+- Dontaudit consolekit access to user homedir
+- dontaudit nscd getserv and shmemserv
+- Allow rsync_t dac overrides
+- Allow xfs_t to listen to sockets
+
 * Fri Nov 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-57
 - Allow lvm to search mnt
 - Add booleans for xguest account



