rpms/selinux-policy/devel policy-20070703.patch, 1.99, 1.100 selinux-policy.spec, 1.549, 1.550
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Fri Oct 19 15:02:06 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19707
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-27
- Fix dnsmasq
- Allow rshd full login privs
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- policy-20070703.patch 18 Oct 2007 22:33:41 -0000 1.99
+++ policy-20070703.patch 19 Oct 2007 15:01:30 -0000 1.100
@@ -2198,7 +2198,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
--- nsaserefpolicy/policy/modules/admin/vpn.te 2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-18 13:19:26.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vpn.te 2007-10-19 10:15:22.000000000 -0400
@@ -22,7 +22,7 @@
# Local policy
#
@@ -3650,7 +3650,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
--- nsaserefpolicy/policy/modules/kernel/domain.te 2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te 2007-10-19 11:01:04.000000000 -0400
@@ -6,6 +6,22 @@
# Declarations
#
@@ -3674,7 +3674,16 @@
# Mark process types as domains
attribute domain;
-@@ -134,3 +150,22 @@
+@@ -80,6 +96,8 @@
+ allow domain self:lnk_file r_file_perms;
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
++# Every domain gets the key ring, so we should default to no one allowed to look at it
++kernel_dontaudit_search_key(domain)
+
+ # create child processes in the domain
+ allow domain self:process { fork sigchld };
+@@ -134,3 +152,22 @@
# act on all domains keys
allow unconfined_domain_type domain:key *;
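Review bot: The comment added above `kernel_dontaudit_search_key(domain)` reads as though it withholds key access, but a dontaudit rule only suppresses the AVC message; the search was already denied by default, and what this line actually changes is that every confined domain's key-search denials now vanish from the audit log. That is a visibility trade-off worth stating, because a domain that genuinely needs keyring search will now fail silently until dontaudit rules are switched off for debugging. I would reword it to `# Every domain has a keyring; key search is denied by default, so silence the denial rather than log it for every domain`. If the interface is new in this patch (the kernel.if hunk at @@ -352 is not shown here), confirm it is declared there; the domain.te block continues outside this hunk.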
@@ -4264,8 +4273,16 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-08 11:25:43.000000000 -0400
-@@ -80,6 +80,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te 2007-10-19 10:04:10.000000000 -0400
+@@ -29,6 +29,7 @@
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -80,6 +81,7 @@
type fusefs_t;
fs_noxattr_type(fusefs_t)
allow fusefs_t self:filesystem associate;
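Review bot: `fs_use_xattr lustre` tells the kernel to trust on-disk security.selinux labels for Lustre mounts, which presumably only holds when the Lustre servers actually persist that xattr; where they do not, files on those mounts will surface as unlabeled rather than as fs_t, and no genfscon fallback is given here. This addition is also absent from the changelog. A one-line comment such as `# Lustre must persist security xattrs on the server side; otherwise files show up unlabeled` above the new line would record the assumption for whoever has to debug it.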
@@ -4273,7 +4290,7 @@
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
-@@ -116,6 +117,7 @@
+@@ -116,6 +118,7 @@
type ramfs_t;
fs_type(ramfs_t)
@@ -4281,7 +4298,7 @@
genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
type romfs_t;
-@@ -133,6 +135,11 @@
+@@ -133,6 +136,11 @@
genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
files_mountpoint(spufs_t)
@@ -4295,7 +4312,7 @@
files_mountpoint(vxfs_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if 2007-10-19 11:00:20.000000000 -0400
@@ -352,6 +352,24 @@
########################################
@@ -6882,14 +6899,14 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
--- nsaserefpolicy/policy/modules/services/dnsmasq.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te 2007-10-19 10:47:35.000000000 -0400
@@ -94,3 +94,7 @@
optional_policy(`
udev_read_db(dnsmasq_t)
')
+
+optional_policy(`
-+ virt_rw_lib_files(dnsmasq_t)
++ virt_manage_lib_files(dnsmasq_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
--- nsaserefpolicy/policy/modules/services/dovecot.fc 2007-05-29 14:10:57.000000000 -0400
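Review bot: Switching dnsmasq_t from `virt_rw_lib_files` to `virt_manage_lib_files` grants create, unlink and rename on every file of type virt_var_lib_t, which per the file context added elsewhere in this patch covers all of `/var/lib/libvirt(/.*)?`, not only the lease file dnsmasq writes. A compromised dnsmasq could therefore remove or replace other libvirt state in that tree. If the fix needed was only the ability to create or replace its own lease file, a dedicated type with a filetrans from virt_var_lib_t would be the tighter rule; failing that, a comment above the optional_policy block naming the denial this fixes, `# dnsmasq recreates its lease file under /var/lib/libvirt`, would let the next reviewer judge the scope.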
@@ -7703,7 +7720,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
--- nsaserefpolicy/policy/modules/services/inetd.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-10-10 09:28:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/inetd.te 2007-10-19 10:51:35.000000000 -0400
@@ -53,6 +53,8 @@
allow inetd_t inetd_var_run_t:file manage_file_perms;
files_pid_filetrans(inetd_t,inetd_var_run_t,file)
@@ -7713,7 +7730,7 @@
kernel_read_kernel_sysctls(inetd_t)
kernel_list_proc(inetd_t)
kernel_read_proc_symlinks(inetd_t)
-@@ -80,16 +82,21 @@
+@@ -80,16 +82,22 @@
corenet_udp_bind_comsat_port(inetd_t)
corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
@@ -7721,6 +7738,7 @@
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
+corenet_udp_bind_inetd_child_port(inetd_t)
++corenet_tcp_bind_ircd_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
+corenet_udp_bind_rlogind_port(inetd_t)
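Review bot: The new `corenet_tcp_bind_ircd_port(inetd_t)` line is the only rule in this hunk with no counterpart in the changelog and no comment saying which inetd-launched service needs the IRC port. Every bind added here widens what inetd_t may listen on, so a trailing comment such as `# for ircd started from inetd` (or the bug number) would keep the port list auditable. The inetd_t port-binding block continues outside this hunk.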
@@ -7735,7 +7753,7 @@
corenet_udp_bind_tftp_port(inetd_t)
corenet_tcp_bind_ssh_port(inetd_t)
-@@ -132,8 +139,10 @@
+@@ -132,8 +140,10 @@
miscfiles_read_localization(inetd_t)
# xinetd needs MLS override privileges to work
@@ -7746,19 +7764,19 @@
mls_process_set_level(inetd_t)
sysnet_read_config(inetd_t)
-@@ -141,6 +150,11 @@
+@@ -141,6 +151,11 @@
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
+ifdef(`enable_mls',`
-+ corenet_tcp_recv_netlabel(inetd_t)
-+ corenet_udp_recv_netlabel(inetd_t)
++ corenet_tcp_recvfrom_netlabel(inetd_t)
++ corenet_udp_recvfrom_netlabel(inetd_t)
+')
+
optional_policy(`
amanda_search_lib(inetd_t)
')
-@@ -170,6 +184,9 @@
+@@ -170,6 +185,9 @@
# for identd
allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
allow inetd_child_t self:capability { setuid setgid };
@@ -7768,7 +7786,7 @@
files_search_home(inetd_child_t)
manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -212,13 +229,10 @@
+@@ -212,13 +230,10 @@
')
optional_policy(`
@@ -9999,7 +10017,7 @@
userdom_read_unpriv_users_tmp_files(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-18 18:33:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2007-10-19 10:15:23.000000000 -0400
@@ -16,10 +16,11 @@
#
# Local policy
@@ -10023,13 +10041,12 @@
corenet_sendrecv_rsh_server_packets(rshd_t)
dev_read_urand(rshd_t)
-@@ -44,28 +48,44 @@
+@@ -44,28 +48,42 @@
selinux_compute_relabel_context(rshd_t)
selinux_compute_user_contexts(rshd_t)
-+auth_use_nsswitch(rshd_t)
- auth_domtrans_chk_passwd(rshd_t)
-+auth_domtrans_upd_passwd_chk(rshd_t)
+-auth_domtrans_chk_passwd(rshd_t)
++auth_login_pgm_domain(rshd_t)
+auth_search_key(rshd_t)
+auth_write_login_records(rshd_t)
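Review bot: Replacing `auth_use_nsswitch`, `auth_domtrans_chk_passwd` and `auth_domtrans_upd_passwd_chk` with a single `auth_login_pgm_domain(rshd_t)` gives rshd_t the full login-program set shown later in this patch for that interface — subject and object ID change exemption, `kernel_write_proc_files`, `mls_fd_share_all_levels` and keyring linking — which is considerably more than the three rules it replaces, for a service that authenticates on clear-text host trust. One concrete check: unless auth_login_pgm_domain itself calls auth_use_nsswitch (not visible in the portion of authlogin.if shown here), rshd_t loses the name-service access the removed line provided. I would keep a comment above the new line recording which denials forced the broader interface, e.g. `# rshd runs the full PAM session stack and needs login-program privileges; see <bug>`. The rshd_t local-policy block continues outside this hunk.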
@@ -10071,7 +10088,7 @@
tunable_policy(`use_nfs_home_dirs',`
fs_read_nfs_files(rshd_t)
fs_read_nfs_symlinks(rshd_t)
-@@ -76,15 +96,3 @@
+@@ -76,15 +94,3 @@
fs_read_cifs_symlinks(rshd_t)
')
@@ -12190,7 +12207,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-18 17:06:56.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if 2007-10-19 08:20:05.000000000 -0400
@@ -26,7 +26,8 @@
type $1_chkpwd_t, can_read_shadow_passwords;
application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -12222,14 +12239,13 @@
domain_type($1)
domain_subj_id_change_exemption($1)
-@@ -176,11 +178,32 @@
+@@ -176,11 +178,31 @@
domain_obj_id_change_exemption($1)
role system_r types $1;
+ # needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
+ kernel_write_proc_files($1)
+
-+
+ auth_keyring_domain($1)
+ allow $1 keyring_type:key { search link };
+
@@ -12255,7 +12271,7 @@
selinux_get_fs_mount($1)
selinux_validate_context($1)
selinux_compute_access_vector($1)
-@@ -196,22 +219,40 @@
+@@ -196,22 +218,40 @@
mls_fd_share_all_levels($1)
auth_domtrans_chk_passwd($1)
@@ -12297,7 +12313,7 @@
')
')
-@@ -309,9 +350,6 @@
+@@ -309,9 +349,6 @@
type system_chkpwd_t, chkpwd_exec_t, shadow_t;
')
@@ -12307,7 +12323,7 @@
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
-@@ -329,6 +367,8 @@
+@@ -329,6 +366,8 @@
optional_policy(`
kerberos_use($1)
@@ -12316,7 +12332,7 @@
')
optional_policy(`
-@@ -347,6 +387,37 @@
+@@ -347,6 +386,37 @@
########################################
## <summary>
@@ -12354,7 +12370,7 @@
## Get the attributes of the shadow passwords file.
## </summary>
## <param name="domain">
-@@ -695,6 +766,24 @@
+@@ -695,6 +765,24 @@
########################################
## <summary>
@@ -12379,7 +12395,7 @@
## Execute pam programs in the PAM domain.
## </summary>
## <param name="domain">
-@@ -1318,16 +1407,14 @@
+@@ -1318,16 +1406,14 @@
## </param>
#
interface(`auth_use_nsswitch',`
@@ -12399,7 +12415,7 @@
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
-@@ -1347,6 +1434,8 @@
+@@ -1347,6 +1433,8 @@
optional_policy(`
samba_stream_connect_winbind($1)
@@ -12408,7 +12424,7 @@
')
')
-@@ -1381,3 +1470,163 @@
+@@ -1381,3 +1469,163 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -15668,7 +15684,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-18 16:48:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te 2007-10-19 10:29:16.000000000 -0400
@@ -5,36 +5,48 @@
#
# Declarations
@@ -15725,7 +15741,7 @@
libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-@@ -42,37 +54,30 @@
+@@ -42,37 +54,29 @@
logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15738,7 +15754,6 @@
-unconfined_domain(unconfined_t)
-
-+userdom_unconfined(unconfined_t)
userdom_priveleged_home_dir_manager(unconfined_t)
optional_policy(`
@@ -15771,7 +15786,7 @@
')
optional_policy(`
-@@ -107,6 +112,10 @@
+@@ -107,6 +111,10 @@
optional_policy(`
oddjob_dbus_chat(unconfined_t)
')
@@ -15782,7 +15797,7 @@
')
optional_policy(`
-@@ -118,11 +127,11 @@
+@@ -118,11 +126,11 @@
')
optional_policy(`
@@ -15796,7 +15811,7 @@
')
optional_policy(`
-@@ -134,11 +143,7 @@
+@@ -134,11 +142,7 @@
')
optional_policy(`
@@ -15809,7 +15824,7 @@
')
optional_policy(`
-@@ -155,32 +160,23 @@
+@@ -155,32 +159,23 @@
optional_policy(`
postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15846,7 +15861,7 @@
')
optional_policy(`
-@@ -205,11 +201,22 @@
+@@ -205,11 +200,22 @@
')
optional_policy(`
@@ -15871,7 +15886,7 @@
')
########################################
-@@ -225,8 +232,21 @@
+@@ -225,8 +231,21 @@
init_dbus_chat_script(unconfined_execmem_t)
unconfined_dbus_chat(unconfined_execmem_t)
@@ -17456,8 +17471,8 @@
+/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.8/policy/modules/system/virt.if
--- nsaserefpolicy/policy/modules/system/virt.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/system/virt.if 2007-10-03 11:10:25.000000000 -0400
-@@ -0,0 +1,58 @@
++++ serefpolicy-3.0.8/policy/modules/system/virt.if 2007-10-19 10:47:26.000000000 -0400
+@@ -0,0 +1,78 @@
+## <summary>Virtualization </summary>
+
+########################################
@@ -17516,6 +17531,26 @@
+ files_list_var_lib($1)
+ rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
+')
++
++########################################
++## <summary>
++## Allow the specified domain to manage
++## virt library files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`virt_manage_lib_files',`
++ gen_require(`
++ type virt_var_lib_t;
++ ')
++
++ files_list_var_lib($1)
++ manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.8/policy/modules/system/virt.te
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/policy/modules/system/virt.te 2007-10-03 11:10:25.000000000 -0400
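Review bot: The `<param>` summary of the new `virt_manage_lib_files` interface says `Domain allowed to transition.`, copied from a domtrans interface; this interface grants no transition, so it should read `Domain allowed access.` so the generated interface docs stay accurate. It is also worth saying in the summary that `manage_files_pattern` here covers every file of type virt_var_lib_t (all of /var/lib/libvirt per the file context above), so callers are asking for broad rights over libvirt state rather than over one file.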
@@ -17775,7 +17810,7 @@
+## <summary>Policy for webadm user</summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te
--- nsaserefpolicy/policy/modules/users/webadm.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/webadm.te 2007-10-19 10:27:46.000000000 -0400
@@ -0,0 +1,42 @@
+policy_module(webadm,1.0.0)
+
@@ -17805,7 +17840,7 @@
+files_manage_generic_locks(webadm_t)
+files_list_var(webadm_t)
+selinux_get_enforce_mode(webadm_t)
-+seutil_domtrans_restorecon(webadm_t)
++seutil_domtrans_setfiles(webadm_t)
+
+logging_send_syslog_msg(webadm_t)
+
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.549
retrieving revision 1.550
diff -u -r1.549 -r1.550
--- selinux-policy.spec 18 Oct 2007 22:33:41 -0000 1.549
+++ selinux-policy.spec 19 Oct 2007 15:01:30 -0000 1.550
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 26%{?dist}
+Release: 27%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,10 @@
%endif
%changelog
+* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-27
+- Fix dnsmasq
+- Allow rshd full login privs
+
* Thu Oct 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-26
- Allow rshd to connect to ports > 1023