rpms/selinux-policy/F-7 modules-targeted.conf, 1.62, 1.63 policy-20070501.patch, 1.89, 1.90 selinux-policy.spec, 1.516, 1.517
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Jan 8 19:58:37 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31836
Modified Files:
modules-targeted.conf policy-20070501.patch
selinux-policy.spec
Log Message:
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/modules-targeted.conf,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -r1.62 -r1.63
--- modules-targeted.conf 21 Sep 2007 20:22:15 -0000 1.62
+++ modules-targeted.conf 8 Jan 2008 19:57:58 -0000 1.63
@@ -927,7 +927,7 @@
#
# Policy for sendmail.
#
-qmail = module
+qmail = off
# Layer: admin
# Module: quota
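Review bot: The new `qmail = off` silently removes the qmail module from the built targeted policy, so qmail daemons on upgraded hosts will no longer run under the qmail domains but under whatever the fallback label gives them (presumably unconfined in targeted); a posture change like that deserves a one-line reason next to the setting, e.g. `# off: qmail policy withdrawn for F-7; the spec's %triggerpostun runs semodule -r qmail to purge it from existing stores`. The header comment two lines above still reads `# Policy for sendmail.`, which is a stale copy-paste predating this hunk and should say `# Policy for qmail.`.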
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -r1.89 -r1.90
--- policy-20070501.patch 4 Jan 2008 14:29:21 -0000 1.89
+++ policy-20070501.patch 8 Jan 2008 19:57:58 -0000 1.90
@@ -6605,6 +6605,29 @@
sysnet_domtrans_dhcpc(system_dbusd_t)
')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dcc.te serefpolicy-2.6.4/policy/modules/services/dcc.te
+--- nsaserefpolicy/policy/modules/services/dcc.te 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dcc.te 2008-01-04 09:46:23.000000000 -0500
+@@ -126,7 +126,7 @@
+ # dcc procmail interface local policy
+ #
+
+-allow dcc_client_t self:capability setuid;
++allow dcc_client_t self:capability { setgid setuid };
+ allow dcc_client_t self:unix_dgram_socket create_socket_perms;
+ allow dcc_client_t self:udp_socket create_socket_perms;
+
+@@ -149,6 +149,10 @@
+ files_read_etc_files(dcc_client_t)
+ files_read_etc_runtime_files(dcc_client_t)
+
++kernel_read_system_state(dcc_client_t)
++
++auth_use_nsswitch(dcc_client_t)
++
+ libs_use_ld_so(dcc_client_t)
+ libs_use_shared_libs(dcc_client_t)
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-2.6.4/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-05-07 14:50:57.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/dhcp.te 2008-01-02 11:27:47.000000000 -0500
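Review bot: The widened `allow dcc_client_t self:capability { setgid setuid };` and the new `auth_use_nsswitch(dcc_client_t)` carry no rationale, while this file family annotates such grants elsewhere (`# for rpc.rquotad` in rpc.te). Both add real privilege: setgid lets the domain change its group identity, and auth_use_nsswitch, if it is the reference-policy interface of that name, also brings in the name-service access (including network lookups) needed for NIS/LDAP resolution. I would put a hedged why-comment above the capability line, `# dcc clients appear to drop to the dcc user and group after start (setgid as well as setuid) — confirm against dccproc`, and one above the nsswitch line naming the denial it fixes. The dcc_client_t section continues outside the hunk.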
@@ -10216,15 +10239,42 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2008-01-02 11:27:47.000000000 -0500
-@@ -59,10 +59,14 @@
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2008-01-08 13:55:38.000000000 -0500
+@@ -1,5 +1,5 @@
+
+-policy_module(rpc,1.5.0)
++policy_module(rpc,1.7.0)
+
+ ########################################
+ #
+@@ -8,7 +8,7 @@
+
+ ## <desc>
+ ## <p>
+-## Allow gssd to read temp directory.
++## Allow gssd to read temp directory. For access to kerberos tgt.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_gssd_read_tmp,true)
+@@ -16,7 +16,8 @@
+ ## <desc>
+ ## <p>
+ ## Allow nfs servers to modify public files
+-## used for public file transfer services.
++## used for public file transfer services. Files/Directories must be
++## labeled public_content_rw_t.
+ ## </p>
+ ## </desc>
+ gen_tunable(allow_nfsd_anon_write,false)
+@@ -59,10 +60,14 @@
manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
+corecmd_exec_bin(rpcd_t)
+
kernel_read_system_state(rpcd_t)
- kernel_search_network_state(rpcd_t)
+-kernel_search_network_state(rpcd_t)
++kernel_read_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
+kernel_rw_fs_sysctls(rpcd_t)
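Review bot: `kernel_rw_fs_sysctls(rpcd_t)` grants write access to the /proc/sys/fs sysctls with no justification, and the line right above it shows the local convention (`# for rpc.rquotad` on `kernel_read_sysctl`). Write access to kernel tunables is a larger grant than the read-only rules around it, so the comment should name the daemon and the sysctl that needs it, e.g. `# rpc.statd/lockd write the nfs sysctls under /proc/sys/fs — confirm which sysctl`. The same applies to `corecmd_exec_bin(rpcd_t)` a few lines up, which lets every rpcd program execute anything in bin_t. The rpcd_t section continues outside the hunk.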
@@ -10232,21 +10282,34 @@
fs_list_rpc(rpcd_t)
fs_read_rpc_files(rpcd_t)
-@@ -79,6 +83,7 @@
+@@ -76,11 +81,17 @@
+ miscfiles_read_certs(rpcd_t)
+
+ seutil_dontaudit_search_config(rpcd_t)
++selinux_dontaudit_read_fs(rpcd_t)
optional_policy(`
nis_read_ypserv_config(rpcd_t)
-+ nis_use_ypbind(rpcd_t)
')
++# automount -> mount -> rpcd
++optional_policy(`
++ automount_dontaudit_use_fds(rpcd_t)
++')
++
########################################
-@@ -91,9 +96,13 @@
+ #
+ # NFSD local policy
+@@ -91,9 +102,16 @@
allow nfsd_t exports_t:file { getattr read };
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
+dev_dontaudit_getattr_all_blk_files(nfsd_t)
+dev_dontaudit_getattr_all_chr_files(nfsd_t)
+
++dev_read_lvm_control(nfsd_t)
++storage_dontaudit_raw_read_fixed_disk(nfsd_t)
++
# for /proc/fs/nfs/exports - should we have a new type?
kernel_read_system_state(nfsd_t)
kernel_read_network_state(nfsd_t)
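Review bot: `dev_read_lvm_control(nfsd_t)` gives the NFS server read access to the device-mapper control node, and the paired `storage_dontaudit_raw_read_fixed_disk(nfsd_t)` silences raw reads of fixed disks; neither line says which nfsd code path triggers them. A dontaudit on raw disk reads is the kind of rule that should record the AVC it hides so a later reviewer can tell a benign probe from an export of a block device, so I would add above them `# nfsd stat()s exported devices at export time; reads of the raw disk are not needed — confirm AVC`, adjusting to the actual denial. The nfsd_t section continues outside the hunk.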
@@ -10254,7 +10317,7 @@
corenet_tcp_bind_all_rpc_ports(nfsd_t)
corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +132,7 @@
+@@ -123,6 +141,7 @@
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
@@ -10262,6 +10325,33 @@
')
tunable_policy(`nfs_export_all_ro',`
+@@ -143,6 +162,7 @@
+ manage_files_pattern(gssd_t,gssd_tmp_t,gssd_tmp_t)
+ files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
++kernel_read_system_state(gssd_t)
+ kernel_read_network_state(gssd_t)
+ kernel_read_network_state_symlinks(gssd_t)
+ kernel_search_network_sysctl(gssd_t)
+@@ -156,14 +176,12 @@
+ files_list_tmp(gssd_t)
+ files_read_usr_symlinks(gssd_t)
+
++auth_read_cache(gssd_t)
++
+ miscfiles_read_certs(gssd_t)
+
+-ifdef(`targeted_policy',`
+- files_read_generic_tmp_files(gssd_t)
+- files_read_generic_tmp_symlinks(gssd_t)
+- # Manage the users kerberos tgt file
+- files_manage_generic_tmp_files(gssd_t)
+-')
++userdom_dontaudit_search_users_home_dirs(rpcd_t)
++userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
+
+ tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_unpriv_users_tmp(gssd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-2.6.4/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-05-07 14:51:01.000000000 -0400
+++ serefpolicy-2.6.4/policy/modules/services/rshd.te 2008-01-02 11:27:47.000000000 -0500
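Review bot: The two added rules `userdom_dontaudit_search_users_home_dirs(rpcd_t)` and `userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)` sit in the gssd_t section (every neighbouring rule, from `manage_files_pattern(gssd_t,...)` to `auth_read_cache(gssd_t)`, targets gssd_t), which looks like a copy-paste of the wrong domain. If the home-directory search denials being silenced were gssd's, these lines do nothing for it and should read `userdom_dontaudit_search_users_home_dirs(gssd_t)` / `userdom_dontaudit_search_sysadm_home_dirs(gssd_t)`; if rpcd_t really was intended, they belong in the rpcd_t section above with a comment saying why. The gssd_t section, including the `allow_gssd_read_tmp` tunable block that now carries gssd's tmp access, continues outside the hunk.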
@@ -10555,7 +10645,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.6.4/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.if 2008-01-02 11:27:47.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/samba.if 2008-01-08 13:41:08.000000000 -0500
@@ -177,6 +177,27 @@
########################################
@@ -10667,7 +10757,7 @@
## Allow the specified domain to write to smbmount tcp sockets.
## </summary>
## <param name="domain">
-@@ -377,3 +462,121 @@
+@@ -377,3 +462,122 @@
allow $1 samba_var_t:dir search_dir_perms;
stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
')
@@ -10736,6 +10826,7 @@
+ type samba_share_t;
+ ')
+
++ allow $1 samba_share_t:filesystem getattr;
+ read_files_pattern($1, samba_share_t, samba_share_t)
+')
+
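Review bot: The added `allow $1 samba_share_t:filesystem getattr;` extends this interface from file access to statfs() on a whole filesystem carrying the samba_share_t label, but the interface's `<summary>`/`<desc>` block, which starts outside the hunk, is not updated to say so. Since callers of this interface get the new permission implicitly, I would add one sentence to the description, along the lines of "Also allows getattr on filesystems labeled samba_share_t (e.g. mounted with -o context=), so callers can statfs a share", and a one-line comment above the rule naming the denial it fixes. The enclosing interface begins before this hunk.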
@@ -10791,7 +10882,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te 2008-01-02 11:27:47.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/samba.te 2008-01-08 13:40:55.000000000 -0500
@@ -16,6 +16,14 @@
## <desc>
@@ -10901,7 +10992,15 @@
allow smbd_t samba_net_tmp_t:file getattr;
-@@ -231,7 +258,8 @@
+@@ -214,6 +241,7 @@
+ manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
+ manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
+ manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
++allow smbd_t samba_share_t:filesystem getattr;
+
+ manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
+ manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
+@@ -231,7 +259,8 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
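Review bot: The new `allow smbd_t samba_share_t:filesystem getattr;` is a raw rule dropped after the manage patterns with nothing saying why smbd needs a filesystem-class permission on a type that is otherwise used for files and directories. A short why-comment above it would keep the next reader from treating it as an error, e.g. `# samba_share_t may label an entire filesystem (mount -o context=...); smbd statfs()es shares for free-space reporting — confirm`. The smbd_t section continues outside the hunk.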
@@ -10911,7 +11010,7 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -241,6 +269,9 @@
+@@ -241,6 +270,9 @@
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
@@ -10921,7 +11020,7 @@
corenet_tcp_sendrecv_all_if(smbd_t)
corenet_udp_sendrecv_all_if(smbd_t)
corenet_raw_sendrecv_all_if(smbd_t)
-@@ -265,11 +296,14 @@
+@@ -265,11 +297,14 @@
fs_get_xattr_fs_quotas(smbd_t)
fs_search_auto_mountpoints(smbd_t)
fs_getattr_rpc_dirs(smbd_t)
@@ -10936,7 +11035,7 @@
files_list_var_lib(smbd_t)
files_read_etc_files(smbd_t)
-@@ -290,8 +324,6 @@
+@@ -290,8 +325,6 @@
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -10945,7 +11044,7 @@
userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
-@@ -312,10 +344,27 @@
+@@ -312,10 +345,27 @@
miscfiles_manage_public_files(smbd_t)
')
@@ -10973,7 +11072,7 @@
')
optional_policy(`
-@@ -339,6 +388,23 @@
+@@ -339,6 +389,23 @@
udev_read_db(smbd_t)
')
@@ -10997,7 +11096,7 @@
########################################
#
# nmbd Local policy
-@@ -352,7 +418,7 @@
+@@ -352,7 +419,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -11006,7 +11105,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -362,9 +428,11 @@
+@@ -362,9 +429,11 @@
files_pid_filetrans(nmbd_t,nmbd_var_run_t,file)
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
@@ -11020,7 +11119,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
allow nmbd_t samba_log_t:dir setattr;
-@@ -373,6 +441,8 @@
+@@ -373,6 +442,8 @@
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -11029,7 +11128,7 @@
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -391,6 +461,7 @@
+@@ -391,6 +462,7 @@
corenet_udp_bind_nmbd_port(nmbd_t)
corenet_sendrecv_nmbd_server_packets(nmbd_t)
corenet_sendrecv_nmbd_client_packets(nmbd_t)
@@ -11037,7 +11136,7 @@
dev_read_sysfs(nmbd_t)
dev_getattr_mtrr_dev(nmbd_t)
-@@ -402,6 +473,7 @@
+@@ -402,6 +474,7 @@
files_read_usr_files(nmbd_t)
files_read_etc_files(nmbd_t)
@@ -11045,7 +11144,7 @@
libs_use_ld_so(nmbd_t)
libs_use_shared_libs(nmbd_t)
-@@ -411,8 +483,6 @@
+@@ -411,8 +484,6 @@
miscfiles_read_localization(nmbd_t)
@@ -11054,7 +11153,7 @@
userdom_dontaudit_search_sysadm_home_dirs(nmbd_t)
userdom_dontaudit_use_unpriv_user_fds(nmbd_t)
userdom_use_unpriv_users_fds(nmbd_t)
-@@ -457,6 +527,7 @@
+@@ -457,6 +528,7 @@
allow smbmount_t samba_secrets_t:file manage_file_perms;
@@ -11062,7 +11161,7 @@
allow smbmount_t samba_var_t:dir rw_dir_perms;
manage_files_pattern(smbmount_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
-@@ -489,6 +560,8 @@
+@@ -489,6 +561,8 @@
term_list_ptys(smbmount_t)
term_use_controlling_term(smbmount_t)
@@ -11071,7 +11170,7 @@
corecmd_list_bin(smbmount_t)
files_list_mnt(smbmount_t)
-@@ -508,21 +581,11 @@
+@@ -508,21 +582,11 @@
logging_search_logs(smbmount_t)
@@ -11094,7 +11193,7 @@
')
########################################
-@@ -530,22 +593,36 @@
+@@ -530,22 +594,36 @@
# SWAT Local policy
#
@@ -11138,7 +11237,7 @@
allow swat_t smbd_t:process signull;
-@@ -558,7 +635,11 @@
+@@ -558,7 +636,11 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -11151,7 +11250,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -582,23 +663,24 @@
+@@ -582,23 +664,24 @@
dev_read_urand(swat_t)
@@ -11178,7 +11277,7 @@
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -612,32 +694,30 @@
+@@ -612,32 +695,30 @@
kerberos_use(swat_t)
')
@@ -11218,7 +11317,7 @@
manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
-@@ -645,6 +725,8 @@
+@@ -645,6 +726,8 @@
manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
@@ -11227,7 +11326,7 @@
manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
-@@ -682,7 +764,9 @@
+@@ -682,7 +765,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -11237,7 +11336,7 @@
domain_use_interactive_fds(winbind_t)
-@@ -695,9 +779,6 @@
+@@ -695,9 +780,6 @@
miscfiles_read_localization(winbind_t)
@@ -11247,7 +11346,7 @@
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -713,10 +794,6 @@
+@@ -713,10 +795,6 @@
')
optional_policy(`
@@ -11258,7 +11357,7 @@
seutil_sigchld_newrole(winbind_t)
')
-@@ -736,8 +813,11 @@
+@@ -736,8 +814,11 @@
read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
@@ -11270,7 +11369,7 @@
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
term_list_ptys(winbind_helper_t)
-@@ -757,10 +837,68 @@
+@@ -757,10 +838,68 @@
')
optional_policy(`
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.516
retrieving revision 1.517
diff -u -r1.516 -r1.517
--- selinux-policy.spec 4 Jan 2008 14:29:21 -0000 1.516
+++ selinux-policy.spec 8 Jan 2008 19:57:58 -0000 1.517
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 68%{?dist}
+Release: 69%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -292,8 +292,10 @@
%rebuildpolicy targeted
%relabel targeted
-%triggerpostun targeted -- selinux-policy-targeted < 2.6.4-13
+%triggerpostun targeted -- selinux-policy-targeted < 2.6.4-68
restorecon -R /root 2> /dev/null
+semodule -r qmail 2> /dev/null
+
exit 0
%files targeted
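Review bot: The trigger condition `%triggerpostun targeted -- selinux-policy-targeted < 2.6.4-68` does not match the release immediately before this one, so a host already on 2.6.4-68 upgrading to -69 never runs the new `semodule -r qmail` and keeps the old qmail.pp in its module store even though the module is now built off; if I read %triggerpostun's version match correctly, the bound should be `< 2.6.4-69`. The `2> /dev/null` also hides a failed removal, which is acceptable for a best-effort trigger but means nobody is told when the stale module survives. The removal of qmail policy is not mentioned in the changelog entry added in this commit; a line such as `- Turn off qmail policy module and remove it from existing stores` would document the behaviour change.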
@@ -363,6 +365,10 @@
%endif
%changelog
+
+* Tue Jan 8 2008 Dan Walsh <dwalsh at redhat.com> 2.6.4-69
+- Allow samba to getattr on file systems labeled samba_share_t
+
* Fri Jan 4 2008 Dan Walsh <dwalsh at redhat.com> 2.6.4-68
- Transition to unconfined_mount on login