rpms/selinux-policy/F-7 policy-20070501.patch, 1.69, 1.70 selinux-policy.spec, 1.500, 1.501
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Sat Oct 27 11:44:05 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12153
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-50
- Fixes for exim to run from cron
- Fix /var/run/ppp* spec
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.69
retrieving revision 1.70
diff -u -r1.69 -r1.70
--- policy-20070501.patch 18 Oct 2007 21:56:00 -0000 1.69
+++ policy-20070501.patch 27 Oct 2007 11:44:01 -0000 1.70
@@ -5899,8 +5899,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-2.6.4/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-05 09:28:22.000000000 -0400
-@@ -0,0 +1,229 @@
++++ serefpolicy-2.6.4/policy/modules/services/exim.te 2007-10-22 11:12:46.000000000 -0400
+@@ -0,0 +1,230 @@
+# $Id$
+# Draft SELinux refpolicy module for the Exim MTA
+#
@@ -6014,13 +6014,14 @@
+
+kernel_read_kernel_sysctls(exim_t)
+kernel_dontaudit_read_system_state(exim_t)
++kernel_read_network_state(exim_t)
+
+miscfiles_read_localization(exim_t)
+miscfiles_read_certs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
-+mta_rw_spool(exim_t)
++mta_manage_spool(exim_t)
+mta_mailserver_delivery(exim_t)
+
+# Init script handling
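Review bot: `mta_manage_spool(exim_t)` replaces `mta_rw_spool(exim_t)`, widening exim's rights on the shared mail_spool_t from read/write to create/delete/rename, and `kernel_read_network_state(exim_t)` is added in the same hunk; neither rule carries a comment and the changelog entry ("Fixes for exim to run from cron") does not explain them. Because mail_spool_t is shared with the other MTA modules, record the reason beside the rule, e.g. `# exim creates and removes entries under the shared mail spool during delivery; rw was not sufficient`, and likewise `# reads /proc/net state` on the kernel rule. Presumably both were driven by observed denials; confirm that rw really was insufficient before keeping the broader manage access. The exim_t rule block begins and ends outside this hunk.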
@@ -6118,18 +6119,32 @@
+# Debian uses a template based config generator which generates config
+# files under /var
+ifdef(`distro_debian',`
-+ type exim_lib_t;
-+ files_config_file(exim_lib_t)
++ type exim_var_lib_t;
++ files_config_file(exim_var_lib_t)
+ exim_read_lib(exim_t)
+
+ type exim_lib_update_t;
+ type exim_lib_update_exec_t;
+ init_domain(exim_lib_update_t, exim_lib_update_exec_t)
+ domain_entry_file(exim_lib_update_t, exim_lib_update_exec_t)
-+ mta_read_lib(exim_lib_update_t)
++ exim_read_lib(exim_lib_update_t)
+ exim_manage_var_lib(exim_lib_update_t)
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetchmail.te serefpolicy-2.6.4/policy/modules/services/fetchmail.te
+--- nsaserefpolicy/policy/modules/services/fetchmail.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/fetchmail.te 2007-10-22 11:53:04.000000000 -0400
+@@ -91,6 +91,10 @@
+ ')
+
+ optional_policy(`
++ procmail_domtrans(fetchmail_t)
++')
++
++optional_policy(`
+ seutil_sigchld_newrole(fetchmail_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-2.6.4/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/ftp.te 2007-10-04 10:58:50.000000000 -0400
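Review bot: the rename of `exim_lib_t` to `exim_var_lib_t` inside `ifdef(`distro_debian',...)` changes only the type declaration here, while `exim_read_lib()` and `exim_manage_var_lib()` on the following lines (defined in exim.if, not in this patch) and any exim.fc entry must use the same new name; because the `distro_debian` block is not compiled on Fedora, a stale `exim_lib_t` reference in those interfaces would not surface in the F-7 build. Please verify exim.if and exim.fc were updated in step, or drop the block rather than ship an untested rename. The correction of `mta_read_lib(exim_lib_update_t)` to `exim_read_lib(exim_lib_update_t)` is consistent with the `exim_read_lib(exim_t)` call above it. The fetchmail.te addition `procmail_domtrans(fetchmail_t)` is independent and uncommented; `# fetchmail invokes procmail as its local delivery agent` would state the intent.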
@@ -6936,7 +6951,7 @@
## Read sendmail binary.
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-2.6.4/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-18 09:25:13.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mta.te 2007-10-22 11:09:41.000000000 -0400
@@ -6,6 +6,7 @@
# Declarations
#
@@ -6997,6 +7012,17 @@
cron_dontaudit_write_pipes(system_mail_t)
')
+@@ -117,6 +129,10 @@
+ ')
+
+ optional_policy(`
++ exim_domtrans(system_mail_t)
++')
++
++optional_policy(`
+ logrotate_read_tmp_files(system_mail_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/nagios.fc 2007-09-01 07:24:41.000000000 -0400
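Review bot: the new `exim_domtrans(system_mail_t)` has no comment although it is the substance of the "exim to run from cron" fix: any system_mail_t caller (cron jobs, logrotate, and the like) that executes the exim binary now transitions into exim_t. Add a line above it such as `# mail submitted through the sendmail wrapper (e.g. from cron) execs the exim binary; run it in exim_t`. After the transition exim_t inherits the caller's descriptors, so the corresponding cron pipe/fd rules must exist in exim.te, which is outside this hunk — presumably that is where the companion changes live; confirm. The `optional_policy` block is self-contained, but the enclosing system_mail_t section starts before the hunk.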
@@ -8269,6 +8295,18 @@
+# For reading spamassasin
+mta_read_config(postfix_virtual_t)
+mta_manage_spool(postfix_virtual_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.fc serefpolicy-2.6.4/policy/modules/services/ppp.fc
+--- nsaserefpolicy/policy/modules/services/ppp.fc 2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/ppp.fc 2007-10-26 08:54:56.000000000 -0400
+@@ -25,7 +25,7 @@
+ #
+ # /var
+ #
+-/var/run/(i)?ppp.*pid -- gen_context(system_u:object_r:pppd_var_run_t,s0)
++/var/run/(i)?ppp.*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/pppd[0-9]*\.tdb -- gen_context(system_u:object_r:pppd_var_run_t,s0)
+ /var/run/ppp(/.*)? gen_context(system_u:object_r:pppd_var_run_t,s0)
+ # Fix pptp sockets
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-2.6.4/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/ppp.if 2007-10-17 14:23:28.000000000 -0400
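Review bot: the amended spec `/var/run/(i)?ppp.*pid[^/]*` still has an unrestricted `.*` between `ppp` and `pid`, and in file_contexts `.` also matches `/`, so the entry applies to a regular file at any depth under /var/run whose path contains `ppp` followed by `pid`; the `[^/]*` idiom the change introduces for the suffix is the usual way to keep a spec to a single path component. Consider `/var/run/(i)?ppp[^/]*pid[^/]* -- gen_context(system_u:object_r:pppd_var_run_t,s0)` so the line matches only direct children (the `/var/run/ppp(/.*)?` entry below already covers the subdirectory). The changelog only says "Fix /var/run/ppp* spec"; a comment naming the pid-file variant the new suffix is meant to catch would spare the next reader a guess.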
@@ -9321,7 +9359,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-18 10:21:16.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2007-10-22 13:13:10.000000000 -0400
@@ -16,6 +16,14 @@
## <desc>
@@ -10432,10 +10470,37 @@
-# Allow krb5 telnetd to use fork and open /dev/tty for use
-allow telnetd_t userpty_type:chr_file setattr;
-')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-2.6.4/policy/modules/services/tftp.fc
+--- nsaserefpolicy/policy/modules/services/tftp.fc 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/tftp.fc 2007-10-22 13:14:48.000000000 -0400
+@@ -4,3 +4,5 @@
+
+ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0)
+ /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0)
++/var/tftp -d gen_context(system_u:object_r:tftpdir_t,s0)
++/var/tftp/.* gen_context(system_u:object_r:tftpdir_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-2.6.4/policy/modules/services/tftp.te
--- nsaserefpolicy/policy/modules/services/tftp.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/tftp.te 2007-08-22 08:28:44.000000000 -0400
-@@ -26,6 +26,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/tftp.te 2007-10-22 13:17:56.000000000 -0400
+@@ -16,6 +16,17 @@
+ type tftpdir_t;
+ files_type(tftpdir_t)
+
++type tftpdir_rw_t;
++files_type(tftpdir_rw_t)
++
++## <desc>
++## <p>
++## Allow tftp to modify public files
++## used for public file transfer services.
++## </p>
++## </desc>
++gen_tunable(allow_tftp_anon_write,false)
++
+ ########################################
+ #
+ # Local policy
+@@ -26,12 +37,17 @@
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
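Review bot: the new type `tftpdir_rw_t` is declared without a comment and without any file_contexts entry (the tftp.fc hunk above only labels /var/tftp as read-only `tftpdir_t`), so an administrator has to read the .te source to discover that it exists and what it is for, whereas the boolean directly below it gets a `<desc>`. Add above the declaration `# tftpdir_rw_t: label an administrator assigns to directories tftpd may write (e.g. uploads); no default file_contexts entry`. The tunable's `<desc>` could also name what it grants — write access to public_content_rw_t — to match the wording of the other anon_write booleans. The tftpd_t local policy section continues outside this hunk.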
@@ -10443,15 +10508,29 @@
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
-@@ -69,6 +70,7 @@
+ allow tftpd_t tftpdir_t:file { read getattr };
+ allow tftpd_t tftpdir_t:lnk_file { getattr read };
+
++manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++manage_lnk_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
++
+ manage_files_pattern(tftpd_t,tftpd_var_run_t,tftpd_var_run_t)
+ files_pid_filetrans(tftpd_t,tftpd_var_run_t,file)
+
+@@ -69,6 +85,11 @@
logging_send_syslog_msg(tftpd_t)
miscfiles_read_localization(tftpd_t)
+miscfiles_read_public_files(tftpd_t)
++
++tunable_policy(`allow_tftp_anon_write',`
++ miscfiles_manage_public_files(tftpd_t)
++')
sysnet_read_config(tftpd_t)
sysnet_use_ldap(tftpd_t)
-@@ -102,3 +104,4 @@
+@@ -102,3 +123,4 @@
optional_policy(`
udev_read_db(tftpd_t)
')
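Review bot: the three `manage_*_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)` rules are unconditional, while only `miscfiles_manage_public_files(tftpd_t)` is placed behind `allow_tftp_anon_write`, so anything labeled tftpdir_rw_t is writable by the daemon even with the boolean off. If opt-in-by-relabeling is the intended design, state it next to the rules: `# tftpdir_rw_t is always writable by tftpd; allow_tftp_anon_write governs public_content_rw_t only`. Otherwise move the three manage lines inside the `tunable_policy` block so a single switch controls every anonymous write path. The enclosing tftpd_t policy starts before the hunk.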
@@ -13466,7 +13545,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
--- nsaserefpolicy/policy/modules/system/unconfined.te 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-10-01 16:12:39.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te 2007-10-19 16:20:02.000000000 -0400
@@ -6,6 +6,15 @@
# Declarations
#
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.500
retrieving revision 1.501
diff -u -r1.500 -r1.501
--- selinux-policy.spec 18 Oct 2007 21:08:24 -0000 1.500
+++ selinux-policy.spec 27 Oct 2007 11:44:01 -0000 1.501
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 49%{?dist}
+Release: 50%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,10 @@
%endif
%changelog
+* Mon Oct 22 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-50
+- Fixes for exim to run from cron
+- Fix /var/run/ppp* spec
+
* Fri Oct 12 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-49
- Change context on vmplayer
- Allow eclipse to dbus_chat with hal