rpms/selinux-policy/devel modules-targeted.conf, 1.79, 1.80 policy-20071130.patch, 1.46, 1.47 selinux-policy.spec, 1.596, 1.597

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Fri Feb 1 13:49:53 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5365

Modified Files:
	modules-targeted.conf policy-20071130.patch 
	selinux-policy.spec 
Log Message:
* Fri Feb 1 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-25
- Allow fail2ban to create a socket in /var/run



Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- modules-targeted.conf	30 Jan 2008 21:34:13 -0000	1.79
+++ modules-targeted.conf	1 Feb 2008 13:49:05 -0000	1.80
@@ -970,7 +970,7 @@
 #
 # Policy for qmail
 # 
-qmail = base
+qmail = module
 
 # Layer: admin
 # Module: quota

policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.46
retrieving revision 1.47
diff -u -r1.46 -r1.47
--- policy-20071130.patch	31 Jan 2008 20:59:05 -0000	1.46
+++ policy-20071130.patch	1 Feb 2008 13:49:05 -0000	1.47
@@ -1495,7 +1495,7 @@
  #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te	2008-01-21 13:29:12.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te	2008-02-01 08:20:58.000000000 -0500
 @@ -28,6 +28,7 @@
  files_purge_tmp(tmpreaper_t)
  # why does it need setattr?
@@ -1504,10 +1504,15 @@
  
  mls_file_read_all_levels(tmpreaper_t)
  mls_file_write_all_levels(tmpreaper_t)
-@@ -43,5 +44,14 @@
+@@ -42,6 +43,19 @@
+ 
  cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
  
- optional_policy(`
++userdom_delete_all_users_home_content_dirs(tmpreaper_t)
++userdom_delete_all_users_home_content_files(tmpreaper_t)
++userdom_delete_all_users_home_content_symlinks(tmpreaper_t)
++
++optional_policy(`
 +	amavis_manage_spool_files(tmpreaper_t)
 +')
 +
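Review bot: The three `userdom_delete_all_users_home_content_*` calls added for `tmpreaper_t` grant delete on every type carrying `home_type`, and nothing in the hunk says why a temp-directory cleaner needs that. Type enforcement is not path-scoped, so the grant also covers content inside real home directories, not only home-labelled files that ended up in a tmp directory. I would add a why-comment above the calls, in the style of the existing `# why does it need setattr?`, for example `# presumably for home-labelled content left in tmp dirs; confirm and narrow if possible`, and mention the change in the changelog, which lists only the fail2ban socket. The enclosing tmpreaper.te section starts before this hunk and continues past it.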
@@ -1515,7 +1520,7 @@
 +	kismet_manage_log(tmpreaper_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
  	lpd_manage_spool(tmpreaper_t)
  ')
 +
@@ -10971,12 +10976,13 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc
 --- nsaserefpolicy/policy/modules/services/fail2ban.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc	2008-01-18 12:40:46.000000000 -0500
-@@ -1,3 +1,6 @@
++++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc	2008-02-01 07:42:38.000000000 -0500
+@@ -1,3 +1,7 @@
  /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 +/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
  /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
  /var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
++/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 +/etc/rc.d/init.d/fail2ban	--	gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.2.5/policy/modules/services/fail2ban.if
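Review bot: The `# pid file` comment in the fail2ban.te hunk further down goes stale with this change, because the new `/var/run/fail2ban\.sock` entry here puts the control socket under the same `fail2ban_var_run_t` type and the .te hunk adds `manage_sock_files_pattern` and a `{ file sock_file }` transition beneath that comment. It should read something like `# pid file and control socket` so the next reader sees why `sock_file` is in the transition. No client-side interface for connecting to the socket is visible in these hunks; if confined domains are meant to talk to fail2ban through it, that access should be a dedicated, narrowly scoped interface rather than broad write access to `fail2ban_var_run_t`. Both the fail2ban.fc and fail2ban.te sections continue outside the hunks shown.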
@@ -11053,7 +11059,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.2.5/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te	2008-01-21 13:50:35.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te	2008-02-01 07:40:59.000000000 -0500
 @@ -18,6 +18,9 @@
  type fail2ban_var_run_t;
  files_pid_file(fail2ban_var_run_t)
@@ -11064,7 +11070,18 @@
  ########################################
  #
  # fail2ban local policy
-@@ -55,6 +58,8 @@
+@@ -33,8 +36,9 @@
+ logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
+ 
+ # pid file
++manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
+ manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
+-files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
++files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file })
+ 
+ kernel_read_system_state(fail2ban_t)
+ 
+@@ -55,6 +59,8 @@
  
  miscfiles_read_localization(fail2ban_t)
  
@@ -17973,7 +17990,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.2.5/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/smartmon.te	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/smartmon.te	2008-02-01 08:41:51.000000000 -0500
 @@ -16,6 +16,9 @@
  type fsdaemon_tmp_t;
  files_tmp_file(fsdaemon_tmp_t)
@@ -17984,6 +18001,14 @@
  ########################################
  #
  # Local policy
+@@ -49,6 +52,7 @@
+ corenet_udp_sendrecv_all_ports(fsdaemon_t)
+ 
+ dev_read_sysfs(fsdaemon_t)
++dev_read_urand(fsdaemon_t)
+ 
+ domain_use_interactive_fds(fsdaemon_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.2.5/policy/modules/services/snmp.fc
 --- nsaserefpolicy/policy/modules/services/snmp.fc	2007-06-19 16:23:06.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/snmp.fc	2008-01-18 12:40:46.000000000 -0500
@@ -21638,7 +21663,20 @@
  /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.5/policy/modules/system/fstools.if
 --- nsaserefpolicy/policy/modules/system/fstools.if	2007-08-22 17:33:53.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/system/fstools.if	2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/fstools.if	2008-02-01 08:40:37.000000000 -0500
+@@ -81,10 +81,10 @@
+ #
+ interface(`fstools_read_pipes',`
+ 	gen_require(`
+-		type fsdaemon_t;
++		type fstools_t;
+ 	')
+ 
+-	allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
++	allow $1 fstools_t:fifo_file read_fifo_file_perms;
+ ')
+ 
+ ########################################
 @@ -142,3 +142,20 @@
  
  	allow $1 swapfile_t:file getattr;
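Review bot: Retargeting `fstools_read_pipes` from `fsdaemon_t` to `fstools_t` changes the grant for every existing caller, and the hunk shows nothing about who those callers are. Any domain that in practice relied on reading `fsdaemon_t` fifos through this interface loses that access with this release; if such a caller exists, it should get an explicitly named interface on the smartmon side rather than depend on the old mislabelled one. The interface's summary comment lies above the hunk and is not visible here, so it should be checked against the corrected type as well.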
@@ -23561,7 +23599,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te	2008-01-29 15:11:06.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te	2008-01-31 15:54:53.000000000 -0500
 @@ -75,7 +75,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -24658,7 +24696,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-31 08:42:16.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-02-01 08:23:22.000000000 -0500
 @@ -29,9 +29,14 @@
  	')
  
@@ -26692,7 +26730,87 @@
  ')
  
  ########################################
-@@ -5109,7 +5265,7 @@
+@@ -4833,6 +4989,26 @@
+ 
+ ########################################
+ ## <summary>
++##	delete all directories
++##	in all users home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_users_home_content_dirs',`
++	gen_require(`
++		attribute home_type;
++	')
++
++	files_list_home($1)
++	delete_dirs_pattern($1, home_type, home_type)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete all directories
+ ##	in all users home directories.
+ ## </summary>
+@@ -4853,6 +5029,25 @@
+ 
+ ########################################
+ ## <summary>
++##	Delete all files
++##	in all users home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_users_home_content_files',`
++	gen_require(`
++		attribute home_type;
++	')
++
++	delete_files_pattern($1,home_type,home_type)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete all files
+ ##	in all users home directories.
+ ## </summary>
+@@ -4873,6 +5068,26 @@
+ 
+ ########################################
+ ## <summary>
++##	Delete all symlinks
++##	in all users home directories.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`userdom_delete_all_users_home_content_symlinks',`
++	gen_require(`
++		attribute home_type;
++	')
++
++	files_list_home($1)
++	delete_lnk_files_pattern($1,home_type,home_type)
++')
++
++########################################
++## <summary>
+ ##	Create, read, write, and delete all symlinks
+ ##	in all users home directories.
+ ## </summary>
+@@ -5109,7 +5324,7 @@
  #
  interface(`userdom_relabelto_generic_user_home_dirs',`
  	gen_require(`
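Review bot: `userdom_delete_all_users_home_content_files` is the only one of the three new delete interfaces that does not call `files_list_home($1)`; the dirs and symlinks variants both do. A caller that uses the files interface alone would get a different grant than the sibling interfaces imply, so either add `files_list_home($1)` before `delete_files_pattern($1,home_type,home_type)` or state in its summary that list access is deliberately left out. Two style points in the same hunk: the first summary starts lowercase (`delete all directories`) where the others use `Delete`, and `delete_dirs_pattern($1, home_type, home_type)` spaces its arguments unlike the other two calls. The hunk ends inside `userdom_relabelto_generic_user_home_dirs`, whose body is not fully shown.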
@@ -26701,7 +26819,7 @@
  	')
  
  	files_search_home($1)
-@@ -5298,6 +5454,49 @@
+@@ -5298,6 +5513,49 @@
  
  ########################################
  ## <summary>
@@ -26751,7 +26869,7 @@
  ##	Create, read, write, and delete directories in
  ##	unprivileged users home directories.
  ## </summary>
-@@ -5503,6 +5702,42 @@
+@@ -5503,6 +5761,42 @@
  
  ########################################
  ## <summary>
@@ -26794,7 +26912,7 @@
  ##	Read and write unprivileged user ttys.
  ## </summary>
  ## <param name="domain">
-@@ -5668,6 +5903,42 @@
+@@ -5668,6 +5962,42 @@
  
  ########################################
  ## <summary>
@@ -26837,7 +26955,7 @@
  ##	Send a dbus message to all user domains.
  ## </summary>
  ## <param name="domain">
-@@ -5698,3 +5969,277 @@
+@@ -5698,3 +6028,277 @@
  interface(`userdom_unconfined',`
  	refpolicywarn(`$0($*) has been deprecated.')
  ')


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.596
retrieving revision 1.597
diff -u -r1.596 -r1.597
--- selinux-policy.spec	31 Jan 2008 20:59:05 -0000	1.596
+++ selinux-policy.spec	1 Feb 2008 13:49:05 -0000	1.597
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
 %endif
 
 %changelog
+* Fri Feb 1 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-25
+- Allow fail2ban to create a socket in /var/run
+
 * Wed Jan 30 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-24
 - Allow allow_httpd_mod_auth_pam to work
 



