rpms/selinux-policy/devel policy-20070703.patch, 1.82, 1.83 selinux-policy.spec, 1.541, 1.542
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Mon Oct 8 15:32:22 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv6457
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Oct 8 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-19
- Dontaudit consoletype talking to unconfined_t
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.82
retrieving revision 1.83
diff -u -r1.82 -r1.83
--- policy-20070703.patch 5 Oct 2007 19:47:10 -0000 1.82
+++ policy-20070703.patch 8 Oct 2007 15:32:18 -0000 1.83
@@ -586,7 +586,7 @@
# Init script handling
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/consoletype.te serefpolicy-3.0.8/policy/modules/admin/consoletype.te
--- nsaserefpolicy/policy/modules/admin/consoletype.te 2007-08-22 07:14:14.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-03 16:57:13.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/consoletype.te 2007-10-08 10:28:20.000000000 -0400
@@ -8,9 +8,11 @@
type consoletype_t;
@@ -3086,7 +3086,7 @@
#
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.8/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-05 10:23:56.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.if 2007-10-06 08:52:10.000000000 -0400
@@ -271,45 +271,6 @@
########################################
@@ -3229,7 +3229,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-05 13:59:53.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-08 11:25:43.000000000 -0400
@@ -80,6 +80,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
@@ -3238,7 +3238,15 @@
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
-@@ -133,6 +134,11 @@
+@@ -116,6 +117,7 @@
+
+ type ramfs_t;
+ fs_type(ramfs_t)
++files_mountpoint(ramfs_t)
+ genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
+
+ type romfs_t;
+@@ -133,6 +135,11 @@
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -5841,7 +5849,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te 2007-10-08 11:24:32.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -5903,7 +5911,7 @@
seutil_sigchld_newrole(dovecot_t)
')
-@@ -145,33 +144,40 @@
+@@ -145,33 +144,43 @@
# dovecot auth local policy
#
@@ -5939,6 +5947,9 @@
+auth_domtrans_upd_passwd(dovecot_auth_t)
auth_use_nsswitch(dovecot_auth_t)
++optional_policy
++nis_authenticate(dovecot_auth_t)
++
files_read_etc_files(dovecot_auth_t)
files_read_etc_runtime_files(dovecot_auth_t)
files_search_pids(dovecot_auth_t)
@@ -5946,7 +5957,7 @@
files_read_usr_symlinks(dovecot_auth_t)
files_search_tmp(dovecot_auth_t)
files_read_var_lib_files(dovecot_t)
-@@ -185,12 +191,46 @@
+@@ -185,12 +194,46 @@
seutil_dontaudit_search_config(dovecot_auth_t)
@@ -5960,7 +5971,7 @@
- logging_send_syslog_msg(dovecot_auth_t)
+ mysql_search_db(dovecot_auth_t)
+ mysql_stream_connect(dovecot_auth_t)
-+')
+ ')
+
+optional_policy(`
+ postfix_create_pivate_sockets(dovecot_auth_t)
@@ -5994,7 +6005,7 @@
+
+optional_policy(`
+ mta_manage_spool(dovecot_deliver_t)
- ')
++')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
@@ -7070,7 +7081,7 @@
## <summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.0.8/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mta.te 2007-10-06 08:52:41.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -7087,7 +7098,7 @@
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -44,6 +46,7 @@
+@@ -44,23 +46,29 @@
kernel_read_system_state(system_mail_t)
kernel_read_network_state(system_mail_t)
@@ -7095,7 +7106,9 @@
dev_read_rand(system_mail_t)
dev_read_urand(system_mail_t)
-@@ -51,16 +54,19 @@
++fs_rw_anon_inodefs_files(system_mail_t)
++
+ init_use_script_ptys(system_mail_t)
userdom_use_sysadm_terms(system_mail_t)
userdom_dontaudit_search_sysadm_home_dirs(system_mail_t)
@@ -7115,7 +7128,7 @@
')
optional_policy(`
-@@ -73,6 +79,7 @@
+@@ -73,6 +81,7 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -7497,7 +7510,7 @@
/usr/sbin/rpc\.ypxfrd -- gen_context(system_u:object_r:ypxfr_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nis.if 2007-10-08 11:06:33.000000000 -0400
@@ -49,8 +49,8 @@
corenet_udp_bind_all_nodes($1)
corenet_tcp_bind_generic_port($1)
@@ -7509,6 +7522,32 @@
corenet_dontaudit_tcp_bind_all_ports($1)
corenet_dontaudit_udp_bind_all_ports($1)
corenet_tcp_connect_portmap_port($1)
+@@ -87,6 +87,25 @@
+
+ ########################################
+ ## <summary>
++## Use the ypbind service to access NIS services.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`nis_authenticate',`
++ tunable_policy(`allow_ypbind',`
++ nis_use_ypbind_uncond($1)
++ corenet_tcp_bind_all_rpc_ports($1)
++ corenet_udp_bind_all_rpc_ports($1)
++ ')
++')
++
++########################################
++## <summary>
+ ## Execute ypbind in the ypbind domain.
+ ## </summary>
+ ## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.8/policy/modules/services/nis.te
--- nsaserefpolicy/policy/modules/services/nis.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/nis.te 2007-10-03 11:10:24.000000000 -0400
@@ -9470,7 +9509,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te
--- nsaserefpolicy/policy/modules/services/sendmail.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-10-06 08:52:21.000000000 -0400
@@ -20,19 +20,22 @@
mta_mailserver_delivery(sendmail_t)
mta_mailserver_sender(sendmail_t)
@@ -10088,6 +10127,18 @@
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ucspitcp.if serefpolicy-3.0.8/policy/modules/services/ucspitcp.if
+--- nsaserefpolicy/policy/modules/services/ucspitcp.if 2007-05-29 14:10:57.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ucspitcp.if 2007-10-08 07:47:57.000000000 -0400
+@@ -20,7 +20,7 @@
+ ## </summary>
+ ## </param>
+ #
+-interface(`ucspitcp_service_domain', `
++interface(`ucspitcp_service_domain',`
+ gen_require(`
+ type ucspitcp_t;
+ role system_r;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/uwimap.te serefpolicy-3.0.8/policy/modules/services/uwimap.te
--- nsaserefpolicy/policy/modules/services/uwimap.te 2007-07-25 10:37:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/uwimap.te 2007-10-03 11:10:25.000000000 -0400
@@ -10800,7 +10851,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-08 11:03:54.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10865,7 +10916,7 @@
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +219,33 @@
+@@ -196,22 +219,36 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -10878,6 +10929,9 @@
+ auth_rw_faillog($1)
auth_exec_pam($1)
+ auth_use_nsswitch($1)
++
++ corenet_tcp_bind_all_rpc_ports($1)
++ corenet_udp_bind_all_rpc_ports($1)
init_rw_utmp($1)
@@ -10900,7 +10954,7 @@
')
')
-@@ -309,9 +343,6 @@
+@@ -309,9 +346,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -10910,7 +10964,7 @@
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +360,8 @@
+@@ -329,6 +363,8 @@
optional_policy(`
kerberos_use($1)
@@ -10919,7 +10973,7 @@
')
optional_policy(`
-@@ -347,6 +380,37 @@
+@@ -347,6 +383,37 @@
########################################
## <summary>
@@ -10957,7 +11011,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +759,24 @@
+@@ -695,6 +762,24 @@
########################################
## <summary>
@@ -10982,7 +11036,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,14 +1400,9 @@
+@@ -1318,14 +1403,9 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -10997,7 +11051,7 @@
files_list_var_lib($1)
miscfiles_read_certs($1)
-@@ -1347,6 +1424,8 @@
+@@ -1347,6 +1427,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -11006,7 +11060,7 @@
')
')
-@@ -1381,3 +1460,163 @@
+@@ -1381,3 +1463,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -13168,7 +13222,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.if serefpolicy-3.0.8/policy/modules/system/selinuxutil.if
--- nsaserefpolicy/policy/modules/system/selinuxutil.if 2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-05 07:42:17.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.if 2007-10-07 07:59:48.000000000 -0400
@@ -432,6 +432,7 @@
role $2 types run_init_t;
allow run_init_t $3:chr_file rw_term_perms;
@@ -13308,7 +13362,7 @@
## Full management of the semanage
## module store.
## </summary>
-@@ -1058,3 +1135,133 @@
+@@ -1058,3 +1135,138 @@
files_search_etc($1)
rw_files_pattern($1,selinux_config_t,semanage_trans_lock_t)
')
@@ -13441,10 +13495,15 @@
+ seutil_manage_module_store($1)
+ seutil_get_semanage_trans_lock($1)
+ seutil_get_semanage_read_lock($1)
++
++ optional_policy(`
++ rpm_dontaudit_rw_tmp_files($1)
++ rpm_dontaudit_rw_pipes($1)
++ ')
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te 2007-10-07 07:59:32.000000000 -0400
@@ -76,7 +76,6 @@
type restorecond_exec_t;
init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -13574,7 +13633,7 @@
auth_dontaudit_read_shadow(run_init_t)
corecmd_exec_bin(run_init_t)
-@@ -423,77 +426,54 @@
+@@ -423,77 +426,49 @@
nscd_socket_use(run_init_t)
')
@@ -13674,15 +13733,10 @@
+ init_spec_domtrans_script(semanage_t)
+')
+
-+optional_policy(`
-+ rpm_dontaudit_rw_tmp_files(semanage_t)
-+ rpm_dontaudit_rw_pipes(semanage_t)
-+')
-+
# cjp: need a more general way to handle this:
ifdef(`enable_mls',`
# read secadm tmp files
-@@ -521,6 +501,8 @@
+@@ -521,6 +496,8 @@
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
@@ -13691,7 +13745,7 @@
kernel_read_system_state(setfiles_t)
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -537,6 +519,7 @@
+@@ -537,6 +514,7 @@
fs_getattr_xattr_fs(setfiles_t)
fs_list_all(setfiles_t)
@@ -13699,7 +13753,7 @@
fs_search_auto_mountpoints(setfiles_t)
fs_relabelfrom_noxattr_fs(setfiles_t)
-@@ -590,8 +573,16 @@
+@@ -590,8 +568,16 @@
fs_relabel_tmpfs_chr_file(setfiles_t)
')
@@ -13849,11 +13903,12 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.8/policy/modules/system/udev.te
--- nsaserefpolicy/policy/modules/system/udev.te 2007-09-12 10:34:51.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-03 11:10:25.000000000 -0400
-@@ -184,6 +184,11 @@
++++ serefpolicy-3.0.8/policy/modules/system/udev.te 2007-10-08 11:25:00.000000000 -0400
+@@ -184,6 +184,12 @@
')
optional_policy(`
++ alsa_domtrans(udev_t)
+ alsa_search_lib(udev_t)
+ alsa_read_lib(udev_t)
+')
@@ -13873,7 +13928,7 @@
+/usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-04 17:36:52.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if 2007-10-08 10:26:34.000000000 -0400
@@ -12,14 +12,13 @@
#
interface(`unconfined_domain_noaudit',`
@@ -13919,6 +13974,33 @@
nscd_unconfined($1)
')
+@@ -399,12 +403,11 @@
+
+ ########################################
+ ## <summary>
+-## Do not audit attempts to read and write
+-## unconfined domain unnamed pipes.
++## dontaudit Read and write unconfined domain unnamed pipes.
+ ## </summary>
+ ## <param name="domain">
+ ## <summary>
+-## Domain to not audit.
++## Domain allowed access.
+ ## </summary>
+ ## </param>
+ #
+@@ -413,9 +416,10 @@
+ type unconfined_t;
+ ')
+
+- dontaudit $1 unconfined_t:fifo_file rw_file_perms;
++ dontaudit $1 unconfined_t:fifo_file rw_fifo_file_perms;
+ ')
+
++
+ ########################################
+ ## <summary>
+ ## Connect to the unconfined domain using
@@ -558,7 +562,7 @@
')
@@ -13928,7 +14010,7 @@
read_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
read_lnk_files_pattern($1,{ unconfined_home_dir_t unconfined_home_t },unconfined_home_t)
')
-@@ -601,3 +605,175 @@
+@@ -601,3 +605,179 @@
allow $1 unconfined_tmp_t:file { getattr write append };
')
@@ -14037,10 +14119,12 @@
+#
+interface(`unconfined_use_terminals',`
+ gen_require(`
-+ attribute unconfined_terminal;
++ type unconfined_devpts_t;
++ type unconfined_tty_device_t;
+ ')
+
-+ allow $1 unconfined_terminal:chr_file rw_term_perms;
++ allow $1 unconfined_tty_device_t:chr_file rw_term_perms;
++ allow $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
@@ -14055,10 +14139,12 @@
+#
+interface(`unconfined_dontaudit_use_terminals',`
+ gen_require(`
-+ attribute unconfined_terminal;
++ type unconfined_devpts_t;
++ type unconfined_tty_device_t;
+ ')
+
-+ dontaudit $1 unconfined_terminal:chr_file rw_term_perms;
++ dontaudit $1 unconfined_tty_device_t:chr_file rw_term_perms;
++ dontaudit $1 unconfined_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
@@ -14106,7 +14192,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-05 14:12:30.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-08 10:08:01.000000000 -0400
@@ -5,28 +5,38 @@
#
# Declarations
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.541
retrieving revision 1.542
diff -u -r1.541 -r1.542
--- selinux-policy.spec 5 Oct 2007 19:47:10 -0000 1.541
+++ selinux-policy.spec 8 Oct 2007 15:32:19 -0000 1.542
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 18%{?dist}
+Release: 19%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -371,6 +371,9 @@
%endif
%changelog
+* Mon Oct 8 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-19
+- Dontaudit consoletype talking to unconfined_t
+
* Thu Oct 4 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-18
- Remove homedir_template
More information about the fedora-extras-commits
mailing list