rpms/selinux-policy/devel policy-20070703.patch,1.83,1.84

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Oct 9 14:51:28 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24188

Modified Files:
	policy-20070703.patch 
Log Message:
* Mon Oct 8 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-19
- Dontaudit consoletype talking to unconfined_t


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.83
retrieving revision 1.84
diff -u -r1.83 -r1.84
--- policy-20070703.patch	8 Oct 2007 15:32:18 -0000	1.83
+++ policy-20070703.patch	9 Oct 2007 14:51:25 -0000	1.84
@@ -280,7 +280,7 @@
  class key
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables serefpolicy-3.0.8/policy/global_tunables
 --- nsaserefpolicy/policy/global_tunables	2007-05-29 14:10:59.000000000 -0400
-+++ serefpolicy-3.0.8/policy/global_tunables	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/global_tunables	2007-10-08 11:41:21.000000000 -0400
 @@ -133,3 +133,18 @@
  ## </desc>
  gen_tunable(write_untrusted_content,false)
@@ -2581,7 +2581,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.0.8/policy/modules/kernel/devices.fc
 --- nsaserefpolicy/policy/modules/kernel/devices.fc	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/devices.fc	2007-10-08 11:30:10.000000000 -0400
 @@ -20,6 +20,7 @@
  /dev/evtchn		-c	gen_context(system_u:object_r:xen_device_t,s0)
  /dev/fb[0-9]*		-c	gen_context(system_u:object_r:framebuf_device_t,s0)
@@ -3462,8 +3462,16 @@
  neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.0.8/policy/modules/kernel/storage.fc
 --- nsaserefpolicy/policy/modules/kernel/storage.fc	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc	2007-10-03 11:10:24.000000000 -0400
-@@ -52,7 +52,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/storage.fc	2007-10-08 11:31:31.000000000 -0400
+@@ -39,6 +39,7 @@
+ ')
+ /dev/s(cd|r)[^/]*	-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sbpcd.*		-b	gen_context(system_u:object_r:removable_device_t,s0)
++/dev/bsg/.+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
+ /dev/sg[0-9]+		-c	gen_context(system_u:object_r:scsi_generic_device_t,s0)
+ /dev/sjcd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/sonycd		-b	gen_context(system_u:object_r:removable_device_t,s0)
+@@ -52,7 +53,7 @@
  
  /dev/cciss/[^/]*	-b	gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
  
@@ -5849,7 +5857,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-3.0.8/policy/modules/services/dovecot.te
 --- nsaserefpolicy/policy/modules/services/dovecot.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dovecot.te	2007-10-08 11:24:32.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dovecot.te	2007-10-09 10:31:36.000000000 -0400
 @@ -15,6 +15,12 @@
  domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
  role system_r types dovecot_auth_t;
@@ -5911,7 +5919,7 @@
  	seutil_sigchld_newrole(dovecot_t)
  ')
  
-@@ -145,33 +144,43 @@
+@@ -145,33 +144,40 @@
  # dovecot auth local policy
  #
  
@@ -5947,9 +5955,6 @@
 +auth_domtrans_upd_passwd(dovecot_auth_t)
  auth_use_nsswitch(dovecot_auth_t)
  
-+optional_policy
-+nis_authenticate(dovecot_auth_t)
-+
  files_read_etc_files(dovecot_auth_t)
  files_read_etc_runtime_files(dovecot_auth_t)
  files_search_pids(dovecot_auth_t)
@@ -5957,7 +5962,7 @@
  files_read_usr_symlinks(dovecot_auth_t)
  files_search_tmp(dovecot_auth_t)
  files_read_var_lib_files(dovecot_t)
-@@ -185,12 +194,46 @@
+@@ -185,12 +191,50 @@
  
  seutil_dontaudit_search_config(dovecot_auth_t)
  
@@ -5971,12 +5976,16 @@
 -	logging_send_syslog_msg(dovecot_auth_t)
 +	mysql_search_db(dovecot_auth_t)
 +	mysql_stream_connect(dovecot_auth_t)
- ')
++')
++
++optional_policy(`
++	nis_authenticate(dovecot_auth_t)
++')
 +
 +optional_policy(`
 +	postfix_create_pivate_sockets(dovecot_auth_t)
 +	postfix_search_spool(dovecot_auth_t)
-+')
+ ')
 +
 +# for gssapi (kerberos)
 +userdom_list_unpriv_users_tmp(dovecot_auth_t) 
@@ -6533,7 +6542,7 @@
  /var/run/vbestate 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/hal.te serefpolicy-3.0.8/policy/modules/services/hal.te
 --- nsaserefpolicy/policy/modules/services/hal.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-05 11:48:00.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/hal.te	2007-10-08 11:29:21.000000000 -0400
 @@ -49,6 +49,9 @@
  type hald_var_lib_t;
  files_type(hald_var_lib_t)
@@ -7510,7 +7519,7 @@
  /usr/sbin/rpc\.ypxfrd	--	gen_context(system_u:object_r:ypxfr_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.0.8/policy/modules/services/nis.if
 --- nsaserefpolicy/policy/modules/services/nis.if	2007-07-03 07:06:27.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nis.if	2007-10-08 11:06:33.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/nis.if	2007-10-09 10:30:46.000000000 -0400
 @@ -49,8 +49,8 @@
  	corenet_udp_bind_all_nodes($1)
  	corenet_tcp_bind_generic_port($1)
@@ -7522,11 +7531,11 @@
  	corenet_dontaudit_tcp_bind_all_ports($1)
  	corenet_dontaudit_udp_bind_all_ports($1)
  	corenet_tcp_connect_portmap_port($1)
-@@ -87,6 +87,25 @@
+@@ -87,6 +87,27 @@
  
  ########################################
  ## <summary>
-+##	Use the ypbind service to access NIS services.
++##	Use the nis to authenticate passwords
 +## </summary>
 +## <param name="domain">
 +##	<summary>
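Review bot: The rewritten summary `##	Use the nis to authenticate passwords` is ungrammatical and drops the ypbind dependency the old text stated, although the interface body still keys everything off the `allow_ypbind` tunable. Suggest `##	Use NIS (through ypbind) to authenticate passwords.`, which keeps the dependency visible to anyone reading the generated interface docs. The interface this summary describes continues in the next hunk.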
@@ -7538,6 +7547,8 @@
 +interface(`nis_authenticate',`
 +	tunable_policy(`allow_ypbind',`
 +		nis_use_ypbind_uncond($1)
++		# Needs to bind to a port < 1024
++		allow $1 self:capability net_bind_service;
 +		corenet_tcp_bind_all_rpc_ports($1)
 +		corenet_udp_bind_all_rpc_ports($1)
 +	')
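Review bot: The new `allow $1 self:capability net_bind_service;` lets the caller bind any reserved port, not only the RPC port types scoped by the two `corenet_*_bind_all_rpc_ports($1)` lines under it, and this commit also widens who receives it: dovecot_auth_t in the dovecot.te hunk (`@@ -185,12 +191,50 @@`) and, it appears, every domain going through the authlogin.if hunk (`@@ -196,22 +219,40 @@`) now call nis_authenticate. The grant is gated only by the allow_ypbind tunable, so the comment should record that rather than just the port number; suggest `# NIS/RPC clients bind reserved (<1024) source ports: every nis_authenticate caller gets net_bind_service while allow_ypbind is on`. The interface body runs past the end of this hunk.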
@@ -8670,7 +8681,7 @@
  ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.0.8/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpc.te	2007-10-08 11:39:31.000000000 -0400
 @@ -59,10 +59,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
@@ -8836,8 +8847,22 @@
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.0.8/policy/modules/services/rsync.te
 --- nsaserefpolicy/policy/modules/services/rsync.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rsync.te	2007-10-03 11:10:24.000000000 -0400
-@@ -17,6 +17,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/rsync.te	2007-10-08 11:44:11.000000000 -0400
+@@ -8,6 +8,13 @@
+ 
+ ## <desc>
+ ## <p>
++## Allow rsync export files read only
++## </p>
++## </desc>
++gen_tunable(rsync_export_all_ro,false)
++
++## <desc>
++## <p>
+ ## Allow rsync to modify public files
+ ## used for public file transfer services.
+ ## </p>
+@@ -17,6 +24,7 @@
  type rsync_t;
  type rsync_exec_t;
  init_daemon_domain(rsync_t,rsync_exec_t)
@@ -8845,6 +8870,39 @@
  role system_r types rsync_t;
  
  type rsync_data_t;
+@@ -57,6 +65,8 @@
+ manage_files_pattern(rsync_t,rsync_var_run_t,rsync_var_run_t)
+ files_pid_filetrans(rsync_t,rsync_var_run_t,file)
+ 
++auth_use_nsswitch(rsync_t)
++
+ kernel_read_kernel_sysctls(rsync_t)
+ kernel_read_system_state(rsync_t)
+ kernel_read_network_state(rsync_t)
+@@ -89,8 +99,6 @@
+ miscfiles_read_localization(rsync_t)
+ miscfiles_read_public_files(rsync_t)
+ 
+-sysnet_read_config(rsync_t)
+-
+ tunable_policy(`allow_rsync_anon_write',`
+ 	miscfiles_manage_public_files(rsync_t)
+ ')
+@@ -107,10 +115,8 @@
+ 	inetd_service_domain(rsync_t,rsync_exec_t)
+ ')
+ 
+-optional_policy(`
+-	nis_use_ypbind(rsync_t)
+-')
+-
+-optional_policy(`
+-	nscd_socket_use(rsync_t)
++tunable_policy(`rsync_export_all_ro',`
++	allow rsync_t self:capability dac_override;
++	fs_read_noxattr_fs_files(rsync_t) 
++	auth_read_all_files_except_shadow(rsync_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.fc serefpolicy-3.0.8/policy/modules/services/samba.fc
 --- nsaserefpolicy/policy/modules/services/samba.fc	2007-06-19 16:23:34.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/samba.fc	2007-10-03 11:10:24.000000000 -0400
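Review bot: The new `rsync_export_all_ro` branch combines `allow rsync_t self:capability dac_override;` with `auth_read_all_files_except_shadow(rsync_t)`, so with the boolean on the rsync daemon reads every file on the system regardless of DAC permissions, shadow excepted, yet the tunable description added earlier in this file (`## Allow rsync export files read only`) does not convey that. Suggest `## Allow rsync to export any file read-only; grants dac_override and read access to all files except shadow.` (leaving the default at false, as the hunk does). `fs_read_noxattr_fs_files(rsync_t) ` carries trailing whitespace. Replacing the removed nis_use_ypbind/nscd_socket_use/sysnet_read_config calls with `auth_use_nsswitch(rsync_t)` matches the authlogin.if changes elsewhere in this commit, assuming that interface now covers those three; worth confirming against authlogin.if.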
@@ -10200,7 +10258,7 @@
  dev_read_sysfs(xfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2007-08-22 07:14:07.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc	2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.fc	2007-10-08 13:25:36.000000000 -0400
 @@ -32,11 +32,6 @@
  /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -10213,7 +10271,7 @@
  #
  # /opt
  #
-@@ -92,13 +87,15 @@
+@@ -92,13 +87,16 @@
  /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
  
@@ -10222,6 +10280,7 @@
  /var/log/gdm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
  /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
++/var/log/nvidia-installer\.log.* --	gen_context(system_u:object_r:xserver_log_t,s0)
  
 +/var/run/gdm_socket	-s	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
@@ -10851,7 +10910,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-08 11:03:54.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-09 10:32:37.000000000 -0400
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -10916,7 +10975,7 @@
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
  	selinux_compute_access_vector($1)
-@@ -196,22 +219,36 @@
+@@ -196,22 +219,40 @@
  	mls_fd_share_all_levels($1)
  
  	auth_domtrans_chk_passwd($1)
@@ -10945,6 +11004,10 @@
 +	userdom_set_rlimitnh($1)
 +
 +	optional_policy(`
++		nis_authenticate($1)
++	')
++
++	optional_policy(`
 +		unconfined_set_rlimitnh($1)
 +	')
 +
@@ -10954,7 +11017,7 @@
  	')
  ')
  
-@@ -309,9 +346,6 @@
+@@ -309,9 +350,6 @@
  		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
  	')
  
@@ -10964,7 +11027,7 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
  
-@@ -329,6 +363,8 @@
+@@ -329,6 +367,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -10973,7 +11036,7 @@
  	')
  
  	optional_policy(`
-@@ -347,6 +383,37 @@
+@@ -347,6 +387,37 @@
  
  ########################################
  ## <summary>
@@ -11011,7 +11074,7 @@
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -695,6 +762,24 @@
+@@ -695,6 +766,24 @@
  
  ########################################
  ## <summary>
@@ -11036,7 +11099,7 @@
  ##	Execute pam programs in the PAM domain.
  ## </summary>
  ## <param name="domain">
-@@ -1318,14 +1403,9 @@
+@@ -1318,14 +1407,9 @@
  ## </param>
  #
  interface(`auth_use_nsswitch',`
@@ -11051,7 +11114,7 @@
  	files_list_var_lib($1)
  
  	miscfiles_read_certs($1)
-@@ -1347,6 +1427,8 @@
+@@ -1347,6 +1431,8 @@
  
  	optional_policy(`
  		samba_stream_connect_winbind($1)
@@ -11060,7 +11123,7 @@
  	')
  ')
  
-@@ -1381,3 +1463,163 @@
+@@ -1381,3 +1467,163 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -13928,7 +13991,7 @@
 +/usr/bin/sbcl			    --	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.0.8/policy/modules/system/unconfined.if
 --- nsaserefpolicy/policy/modules/system/unconfined.if	2007-06-15 14:54:34.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-10-08 10:26:34.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.if	2007-10-09 10:33:22.000000000 -0400
 @@ -12,14 +12,13 @@
  #
  interface(`unconfined_domain_noaudit',`
@@ -14421,7 +14484,7 @@
  /tmp/gconfd-USER -d	gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-08-27 09:18:17.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-05 14:11:08.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if	2007-10-09 10:33:10.000000000 -0400
 @@ -29,8 +29,9 @@
  	')
  



