rpms/selinux-policy/devel policy-20070703.patch, 1.99, 1.100 selinux-policy.spec, 1.549, 1.550

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Oct 19 15:02:06 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19707

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-27
- Fix dnsmasq
- Allow rshd full login privs


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20070703.patch,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- policy-20070703.patch	18 Oct 2007 22:33:41 -0000	1.99
+++ policy-20070703.patch	19 Oct 2007 15:01:30 -0000	1.100
@@ -2198,7 +2198,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/vpn.te serefpolicy-3.0.8/policy/modules/admin/vpn.te
 --- nsaserefpolicy/policy/modules/admin/vpn.te	2007-07-25 10:37:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2007-10-18 13:19:26.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/vpn.te	2007-10-19 10:15:22.000000000 -0400
 @@ -22,7 +22,7 @@
  # Local policy
  #
@@ -3650,7 +3650,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.0.8/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2007-07-25 10:37:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/domain.te	2007-10-19 11:01:04.000000000 -0400
 @@ -6,6 +6,22 @@
  # Declarations
  #
@@ -3674,7 +3674,16 @@
  # Mark process types as domains
  attribute domain;
  
-@@ -134,3 +150,22 @@
+@@ -80,6 +96,8 @@
+ allow domain self:lnk_file r_file_perms;
+ allow domain self:file rw_file_perms;
+ kernel_read_proc_symlinks(domain)
++# Every domain gets the key ring, so we should default to no one allowed to look at it
++kernel_dontaudit_search_key(domain)
+ 
+ # create child processes in the domain
+ allow domain self:process { fork sigchld };
+@@ -134,3 +152,22 @@
  
  # act on all domains keys
  allow unconfined_domain_type domain:key *;
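Review bot: The new `kernel_dontaudit_search_key(domain)` in the `@@ -80,6 +96,8 @@` hunk of domain.te suppresses key-search denials for every domain in the policy, so a domain that genuinely needs keyring access will now fail without any AVC message pointing at the missing rule. That trade-off is worth stating next to the rule, since the current comment only explains why the audit noise is unwanted; suggested wording: `# Every domain gets a keyring; default to not auditing searches of it. Disable dontaudit rules when debugging keyring denials.` The blanket scope (attribute `domain` rather than a narrower attribute) is the part a later reader will question, so naming it explicitly helps. The inner domain.te hunk is complete within these lines; the outer context continues with the `@@ -134,3 +152,22 @@` hunk below.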
@@ -4264,8 +4273,16 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.0.8/policy/modules/kernel/filesystem.te
 --- nsaserefpolicy/policy/modules/kernel/filesystem.te	2007-09-12 10:34:49.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-08 11:25:43.000000000 -0400
-@@ -80,6 +80,7 @@
++++ serefpolicy-3.0.8/policy/modules/kernel/filesystem.te	2007-10-19 10:04:10.000000000 -0400
+@@ -29,6 +29,7 @@
+ fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
+ fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
++fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+ 
+ # Use the allocating task SID to label inodes in the following filesystem
+ # types, and label the filesystem itself with the specified context.
+@@ -80,6 +81,7 @@
  type fusefs_t;
  fs_noxattr_type(fusefs_t)
  allow fusefs_t self:filesystem associate;
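Review bot: The added `fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0)` line carries no comment, and `fs_use_xattr` is a trust decision: the kernel honours whatever security.selinux labels the filesystem presents, exactly as it does for the local disk filesystems it is grouped with here. If lustre is, as I understand it, a network-served filesystem, labels chosen on the server side become authoritative on the client, which is a different threat model from jfs or xfs. A one-line comment above it, such as `# lustre persists security xattrs; its labels are trusted like a local filesystem`, records that this was considered. The `@@ -29,6 +29,7 @@` hunk of filesystem.te is complete within these lines.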
@@ -4273,7 +4290,7 @@
  genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
  genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
  
-@@ -116,6 +117,7 @@
+@@ -116,6 +118,7 @@
  
  type ramfs_t;
  fs_type(ramfs_t)
@@ -4281,7 +4298,7 @@
  genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
  
  type romfs_t;
-@@ -133,6 +135,11 @@
+@@ -133,6 +136,11 @@
  genfscon spufs / gen_context(system_u:object_r:spufs_t,s0)
  files_mountpoint(spufs_t)
  
@@ -4295,7 +4312,7 @@
  files_mountpoint(vxfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.0.8/policy/modules/kernel/kernel.if
 --- nsaserefpolicy/policy/modules/kernel/kernel.if	2007-08-22 07:14:06.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/kernel.if	2007-10-19 11:00:20.000000000 -0400
 @@ -352,6 +352,24 @@
  
  ########################################
@@ -6882,14 +6899,14 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dnsmasq.te serefpolicy-3.0.8/policy/modules/services/dnsmasq.te
 --- nsaserefpolicy/policy/modules/services/dnsmasq.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2007-10-03 11:10:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dnsmasq.te	2007-10-19 10:47:35.000000000 -0400
 @@ -94,3 +94,7 @@
  optional_policy(`
  	udev_read_db(dnsmasq_t)
  ')
 +
 +optional_policy(`
-+	virt_rw_lib_files(dnsmasq_t)
++	virt_manage_lib_files(dnsmasq_t)
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.fc serefpolicy-3.0.8/policy/modules/services/dovecot.fc
 --- nsaserefpolicy/policy/modules/services/dovecot.fc	2007-05-29 14:10:57.000000000 -0400
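Review bot: Switching dnsmasq_t from `virt_rw_lib_files` to `virt_manage_lib_files` widens its access on `virt_var_lib_t` from read/write to create, unlink and rename of any file under the virt library directory (`/var/lib/libvirt` per the virt.fc context visible later in this patch), and neither the patch nor the `Fix dnsmasq` changelog entry records which denial motivated it. A comment stating which files dnsmasq needs to create there, e.g. `# dnsmasq started by libvirt creates its own state files under /var/lib/libvirt` (with the actual file named), would let a later reviewer judge whether a dedicated type with a file transition would be the narrower rule. The `optional_policy` block in the dnsmasq.te hunk is complete within these lines.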
@@ -7703,7 +7720,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-10-10 09:28:59.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-10-19 10:51:35.000000000 -0400
 @@ -53,6 +53,8 @@
  allow inetd_t inetd_var_run_t:file manage_file_perms;
  files_pid_filetrans(inetd_t,inetd_var_run_t,file)
@@ -7713,7 +7730,7 @@
  kernel_read_kernel_sysctls(inetd_t)
  kernel_list_proc(inetd_t)
  kernel_read_proc_symlinks(inetd_t)
-@@ -80,16 +82,21 @@
+@@ -80,16 +82,22 @@
  corenet_udp_bind_comsat_port(inetd_t)
  corenet_tcp_bind_dbskkd_port(inetd_t)
  corenet_udp_bind_dbskkd_port(inetd_t)
@@ -7721,6 +7738,7 @@
  corenet_udp_bind_ftp_port(inetd_t)
  corenet_tcp_bind_inetd_child_port(inetd_t)
 +corenet_udp_bind_inetd_child_port(inetd_t)
++corenet_tcp_bind_ircd_port(inetd_t)
  corenet_udp_bind_ktalkd_port(inetd_t)
  corenet_tcp_bind_printer_port(inetd_t)
 +corenet_udp_bind_rlogind_port(inetd_t)
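Review bot: `corenet_tcp_bind_ircd_port(inetd_t)` is added without a comment and is not mentioned in the changelog, so it is not recorded which inetd-launched service needs inetd to bind the ircd port; the surrounding bind list is equally bare, but this line is the new entry. Suggest a comment above it naming the service, e.g. `# for <service> run from inetd`, or a matching changelog line. The inner inetd.te hunk `@@ -80,16 +82,22 @@` begins and ends outside these lines.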
@@ -7735,7 +7753,7 @@
  corenet_udp_bind_tftp_port(inetd_t)
  corenet_tcp_bind_ssh_port(inetd_t)
  
-@@ -132,8 +139,10 @@
+@@ -132,8 +140,10 @@
  miscfiles_read_localization(inetd_t)
  
  # xinetd needs MLS override privileges to work
@@ -7746,19 +7764,19 @@
  mls_process_set_level(inetd_t)
  
  sysnet_read_config(inetd_t)
-@@ -141,6 +150,11 @@
+@@ -141,6 +151,11 @@
  userdom_dontaudit_use_unpriv_user_fds(inetd_t)
  userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
  
 +ifdef(`enable_mls',`
-+ 	corenet_tcp_recv_netlabel(inetd_t)
-+  	corenet_udp_recv_netlabel(inetd_t)
++ 	corenet_tcp_recvfrom_netlabel(inetd_t)
++  	corenet_udp_recvfrom_netlabel(inetd_t)
 +')
 +
  optional_policy(`
  	amanda_search_lib(inetd_t)
  ')
-@@ -170,6 +184,9 @@
+@@ -170,6 +185,9 @@
  # for identd
  allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  allow inetd_child_t self:capability { setuid setgid };
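Review bot: The two calls inside `ifdef(`enable_mls',` are indented with a space and a tab (`corenet_tcp_recvfrom_netlabel`) and two spaces and a tab (`corenet_udp_recvfrom_netlabel`), whereas the rest of inetd.te uses a single leading tab, as `amanda_search_lib(inetd_t)` just below shows; the interface rename in this hunk kept the stray spaces. Both lines should be indented with one tab only, i.e. `\tcorenet_tcp_recvfrom_netlabel(inetd_t)` and `\tcorenet_udp_recvfrom_netlabel(inetd_t)`. The rename itself (`recv_netlabel` to `recvfrom_netlabel`) reads as a correction to the interface name and is not in question. The `@@ -141,6 +151,11 @@` hunk is complete; the following `@@ -170,6 +185,9 @@` hunk continues past these lines.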
@@ -7768,7 +7786,7 @@
  files_search_home(inetd_child_t)
  
  manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -212,13 +229,10 @@
+@@ -212,13 +230,10 @@
  ')
  
  optional_policy(`
@@ -9999,7 +10017,7 @@
  	userdom_read_unpriv_users_tmp_files(gssd_t) 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
 --- nsaserefpolicy/policy/modules/services/rshd.te	2007-09-12 10:34:50.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rshd.te	2007-10-18 18:33:05.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rshd.te	2007-10-19 10:15:23.000000000 -0400
 @@ -16,10 +16,11 @@
  #
  # Local policy
@@ -10023,13 +10041,12 @@
  corenet_sendrecv_rsh_server_packets(rshd_t)
  
  dev_read_urand(rshd_t)
-@@ -44,28 +48,44 @@
+@@ -44,28 +48,42 @@
  selinux_compute_relabel_context(rshd_t)
  selinux_compute_user_contexts(rshd_t)
  
-+auth_use_nsswitch(rshd_t)
- auth_domtrans_chk_passwd(rshd_t)
-+auth_domtrans_upd_passwd_chk(rshd_t)
+-auth_domtrans_chk_passwd(rshd_t)
++auth_login_pgm_domain(rshd_t)
 +auth_search_key(rshd_t)
 +auth_write_login_records(rshd_t)
  
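Review bot: Replacing `auth_use_nsswitch`, `auth_domtrans_chk_passwd` and `auth_domtrans_upd_passwd_chk` with `auth_login_pgm_domain(rshd_t)` hands rshd_t the whole login-program bundle, which from the authlogin.if hunks later in this patch appears to include `domain_subj_id_change_exemption`, `domain_obj_id_change_exemption`, `kernel_write_proc_files`, `mls_fd_share_all_levels` and `allow $1 keyring_type:key { search link }`; for a cleartext service that is a much larger grant than the three calls it replaces, and the changelog's `Allow rshd full login privs` is the only record of that intent. A comment on the line, e.g. `# rshd performs a full login (pam, keyring, MLS level change) like the other login programs`, would preserve the reasoning in the policy itself. If auth_login_pgm_domain already grants keyring search as the authlogin.if hunk suggests, the retained `auth_search_key(rshd_t)` on the next line looks redundant; worth confirming before keeping both. The rshd.te hunk `@@ -44,28 +48,42 @@` continues outside these lines.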
@@ -10071,7 +10088,7 @@
  tunable_policy(`use_nfs_home_dirs',`
  	fs_read_nfs_files(rshd_t)
  	fs_read_nfs_symlinks(rshd_t)
-@@ -76,15 +96,3 @@
+@@ -76,15 +94,3 @@
  	fs_read_cifs_symlinks(rshd_t)
  ')
  
@@ -12190,7 +12207,7 @@
 +/var/cache/coolkey(/.*)?	gen_context(system_u:object_r:auth_cache_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.0.8/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-08-22 07:14:13.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-18 17:06:56.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/authlogin.if	2007-10-19 08:20:05.000000000 -0400
 @@ -26,7 +26,8 @@
  	type $1_chkpwd_t, can_read_shadow_passwords;
  	application_domain($1_chkpwd_t,chkpwd_exec_t)
@@ -12222,14 +12239,13 @@
  
  	domain_type($1)
  	domain_subj_id_change_exemption($1)
-@@ -176,11 +178,32 @@
+@@ -176,11 +178,31 @@
  	domain_obj_id_change_exemption($1)
  	role system_r types $1;
  
 +	# needed for afs - https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=253321
 +	kernel_write_proc_files($1)
 +
-+
 +	auth_keyring_domain($1)
 +	allow $1 keyring_type:key { search link };
 +
@@ -12255,7 +12271,7 @@
  	selinux_get_fs_mount($1)
  	selinux_validate_context($1)
  	selinux_compute_access_vector($1)
-@@ -196,22 +219,40 @@
+@@ -196,22 +218,40 @@
  	mls_fd_share_all_levels($1)
  
  	auth_domtrans_chk_passwd($1)
@@ -12297,7 +12313,7 @@
  	')
  ')
  
-@@ -309,9 +350,6 @@
+@@ -309,9 +349,6 @@
  		type system_chkpwd_t, chkpwd_exec_t, shadow_t;
  	')
  
@@ -12307,7 +12323,7 @@
  	corecmd_search_bin($1)
  	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
  
-@@ -329,6 +367,8 @@
+@@ -329,6 +366,8 @@
  
  	optional_policy(`
  		kerberos_use($1)
@@ -12316,7 +12332,7 @@
  	')
  
  	optional_policy(`
-@@ -347,6 +387,37 @@
+@@ -347,6 +386,37 @@
  
  ########################################
  ## <summary>
@@ -12354,7 +12370,7 @@
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -695,6 +766,24 @@
+@@ -695,6 +765,24 @@
  
  ########################################
  ## <summary>
@@ -12379,7 +12395,7 @@
  ##	Execute pam programs in the PAM domain.
  ## </summary>
  ## <param name="domain">
-@@ -1318,16 +1407,14 @@
+@@ -1318,16 +1406,14 @@
  ## </param>
  #
  interface(`auth_use_nsswitch',`
@@ -12399,7 +12415,7 @@
  	miscfiles_read_certs($1)
  
  	sysnet_dns_name_resolve($1)
-@@ -1347,6 +1434,8 @@
+@@ -1347,6 +1433,8 @@
  
  	optional_policy(`
  		samba_stream_connect_winbind($1)
@@ -12408,7 +12424,7 @@
  	')
  ')
  
-@@ -1381,3 +1470,163 @@
+@@ -1381,3 +1469,163 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
@@ -15668,7 +15684,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-07-25 10:37:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-18 16:48:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-10-19 10:29:16.000000000 -0400
 @@ -5,36 +5,48 @@
  #
  # Declarations
@@ -15725,7 +15741,7 @@
  
  libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,37 +54,30 @@
+@@ -42,37 +54,29 @@
  logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15738,7 +15754,6 @@
  
 -unconfined_domain(unconfined_t)
 -
-+userdom_unconfined(unconfined_t)
  userdom_priveleged_home_dir_manager(unconfined_t)
  
  optional_policy(`
@@ -15771,7 +15786,7 @@
  ')
  
  optional_policy(`
-@@ -107,6 +112,10 @@
+@@ -107,6 +111,10 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
@@ -15782,7 +15797,7 @@
  ')
  
  optional_policy(`
-@@ -118,11 +127,11 @@
+@@ -118,11 +126,11 @@
  ')
  
  optional_policy(`
@@ -15796,7 +15811,7 @@
  ')
  
  optional_policy(`
-@@ -134,11 +143,7 @@
+@@ -134,11 +142,7 @@
  ')
  
  optional_policy(`
@@ -15809,7 +15824,7 @@
  ')
  
  optional_policy(`
-@@ -155,32 +160,23 @@
+@@ -155,32 +159,23 @@
  
  optional_policy(`
  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -15846,7 +15861,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +201,22 @@
+@@ -205,11 +200,22 @@
  ')
  
  optional_policy(`
@@ -15871,7 +15886,7 @@
  ')
  
  ########################################
-@@ -225,8 +232,21 @@
+@@ -225,8 +231,21 @@
  
  	init_dbus_chat_script(unconfined_execmem_t)
  	unconfined_dbus_chat(unconfined_execmem_t)
@@ -17456,8 +17471,8 @@
 +/var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.if serefpolicy-3.0.8/policy/modules/system/virt.if
 --- nsaserefpolicy/policy/modules/system/virt.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/system/virt.if	2007-10-03 11:10:25.000000000 -0400
-@@ -0,0 +1,58 @@
++++ serefpolicy-3.0.8/policy/modules/system/virt.if	2007-10-19 10:47:26.000000000 -0400
+@@ -0,0 +1,78 @@
 +## <summary>Virtualization </summary>
 +
 +########################################
@@ -17516,6 +17531,26 @@
 +	files_list_var_lib($1)
 +	rw_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
 +')
++
++########################################
++## <summary>
++##	Allow the specified domain to manage
++##	virt library files.
++## </summary>
++## <param name="domain">
++## 	<summary>
++##	Domain allowed to transition.
++## 	</summary>
++## </param>
++#
++interface(`virt_manage_lib_files',`
++	gen_require(`
++		type virt_var_lib_t;
++	')
++
++	files_list_var_lib($1)
++	manage_files_pattern($1,virt_var_lib_t,virt_var_lib_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.0.8/policy/modules/system/virt.te
 --- nsaserefpolicy/policy/modules/system/virt.te	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.0.8/policy/modules/system/virt.te	2007-10-03 11:10:25.000000000 -0400
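Review bot: The `<param name="domain">` summary of the new `virt_manage_lib_files` interface reads `Domain allowed to transition.`, which looks copied from a domain-transition interface; this interface grants file management on `virt_var_lib_t`, not a transition. Change it to `Domain allowed access.` so the generated interface documentation matches what the rule does. The body itself mirrors `virt_rw_lib_files` above it with `manage_files_pattern` in place of `rw_files_pattern`, which is consistent. The virt.if hunk is complete within these lines.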
@@ -17775,7 +17810,7 @@
 +## <summary>Policy for webadm user</summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/webadm.te serefpolicy-3.0.8/policy/modules/users/webadm.te
 --- nsaserefpolicy/policy/modules/users/webadm.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/users/webadm.te	2007-10-03 11:10:25.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/users/webadm.te	2007-10-19 10:27:46.000000000 -0400
 @@ -0,0 +1,42 @@
 +policy_module(webadm,1.0.0)
 +
@@ -17805,7 +17840,7 @@
 +files_manage_generic_locks(webadm_t)
 +files_list_var(webadm_t)
 +selinux_get_enforce_mode(webadm_t)
-+seutil_domtrans_restorecon(webadm_t)
++seutil_domtrans_setfiles(webadm_t)
 +
 +logging_send_syslog_msg(webadm_t)
 +


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.549
retrieving revision 1.550
diff -u -r1.549 -r1.550
--- selinux-policy.spec	18 Oct 2007 22:33:41 -0000	1.549
+++ selinux-policy.spec	19 Oct 2007 15:01:30 -0000	1.550
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -373,6 +373,10 @@
 %endif
 
 %changelog
+* Fri Oct 17 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-27
+- Fix dnsmasq
+- Allow rshd full login privs
+
 * Thu Oct 16 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-26
 - Allow rshd to connect to ports > 1023
 



