rpms/selinux-policy/devel policy-20071130.patch, 1.44, 1.45 selinux-policy.spec, 1.594, 1.595
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Thu Jan 31 19:32:57 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9267
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Wed Jan 30 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-23
- Allow allow_httpd_mod_auth_pam to work
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20071130.patch,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- policy-20071130.patch 30 Jan 2008 21:34:13 -0000 1.44
+++ policy-20071130.patch 31 Jan 2008 19:32:51 -0000 1.45
@@ -3765,7 +3765,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.fc serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc
--- nsaserefpolicy/policy/modules/apps/nsplugin.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-24 12:34:08.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.fc 2008-01-31 08:37:54.000000000 -0500
@@ -0,0 +1,7 @@
+
+/usr/lib(64)?/nspluginwrapper/npviewer.bin -- gen_context(system_u:object_r:nsplugin_exec_t,s0)
@@ -4117,8 +4117,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.2.5/policy/modules/apps/nsplugin.te
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-25 16:48:50.000000000 -0500
-@@ -0,0 +1,135 @@
++++ serefpolicy-3.2.5/policy/modules/apps/nsplugin.te 2008-01-31 08:42:43.000000000 -0500
+@@ -0,0 +1,136 @@
+policy_module(nsplugin,1.0.0)
+
+########################################
@@ -4188,6 +4188,7 @@
+
+miscfiles_read_localization(nsplugin_t)
+miscfiles_read_fonts(nsplugin_t)
++miscfiles_manage_home_fonts(nsplugin_t)
+
+optional_policy(`
+ userdom_read_user_home_content_files(user, nsplugin_t)
@@ -5909,7 +5910,7 @@
+/etc/rc.d/init.d/amavis -- gen_context(system_u:object_r:amavis_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amavis.if serefpolicy-3.2.5/policy/modules/services/amavis.if
--- nsaserefpolicy/policy/modules/services/amavis.if 2007-06-27 10:10:38.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/amavis.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/amavis.if 2008-01-31 08:45:42.000000000 -0500
@@ -186,3 +186,88 @@
allow $1 amavis_var_run_t:file create_file_perms;
files_search_pids($1)
@@ -6370,7 +6371,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.2.5/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/apache.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/apache.te 2008-01-31 13:44:27.000000000 -0500
@@ -20,6 +20,8 @@
# Declarations
#
@@ -6505,7 +6506,7 @@
libs_use_ld_so(httpd_t)
libs_use_shared_libs(httpd_t)
-@@ -351,8 +388,6 @@
+@@ -351,25 +388,38 @@
userdom_use_unpriv_users_fds(httpd_t)
@@ -6514,7 +6515,8 @@
tunable_policy(`allow_httpd_anon_write',`
miscfiles_manage_public_files(httpd_t)
')
-@@ -361,6 +396,13 @@
+
+-ifdef(`TODO', `
#
# We need optionals to be able to be within booleans to make this work
#
@@ -6526,9 +6528,12 @@
+gen_tunable(allow_httpd_mod_auth_pam,false)
+
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+- auth_domtrans_chk_passwd(httpd_t)
+-')
++ auth_domtrans_chkpwd(httpd_t)
')
-@@ -370,6 +412,16 @@
+
+ tunable_policy(`httpd_can_network_connect',`
corenet_tcp_connect_all_ports(httpd_t)
')
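Review bot: The replacement of `auth_domtrans_chk_passwd(httpd_t)` by the new `auth_domtrans_chkpwd(httpd_t)` inside the `allow_httpd_mod_auth_pam` tunable is not explained in the hunk, and the comment a few lines up ("We need optionals to be able to be within booleans to make this work") now describes a problem the new interface was presumably written to sidestep. If the reason is that `auth_domtrans_chk_passwd` contains optional_policy() blocks, which cannot be nested in tunable_policy(), say so at the call site: `# auth_domtrans_chkpwd carries no optional_policy() blocks, so it can live inside tunable_policy()`. It is also worth a line noting that, per the authlogin.if change in this same patch, the interface additionally transitions httpd_t to the password-update helper via auth_domtrans_upd_passwd, which is more than the boolean name "mod_auth_pam" suggests and is something an administrator enabling it should know.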
@@ -6545,7 +6550,7 @@
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,6 +434,10 @@
+@@ -382,6 +432,10 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -6556,7 +6561,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
-@@ -399,11 +455,21 @@
+@@ -399,11 +453,21 @@
fs_read_nfs_symlinks(httpd_t)
')
@@ -6578,7 +6583,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +503,14 @@
+@@ -437,8 +501,14 @@
')
optional_policy(`
@@ -6594,7 +6599,7 @@
')
optional_policy(`
-@@ -450,19 +522,13 @@
+@@ -450,19 +520,13 @@
')
optional_policy(`
@@ -6615,7 +6620,7 @@
')
optional_policy(`
-@@ -472,13 +538,14 @@
+@@ -472,13 +536,14 @@
openca_kill(httpd_t)
')
@@ -6634,7 +6639,7 @@
')
optional_policy(`
-@@ -486,6 +553,7 @@
+@@ -486,6 +551,7 @@
')
optional_policy(`
@@ -6642,7 +6647,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +589,13 @@
+@@ -521,6 +587,13 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -6656,7 +6661,7 @@
########################################
#
# Apache PHP script local policy
-@@ -550,18 +625,24 @@
+@@ -550,18 +623,24 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -6684,7 +6689,7 @@
')
########################################
-@@ -585,6 +666,8 @@
+@@ -585,6 +664,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -6693,7 +6698,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +676,7 @@
+@@ -593,9 +674,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -6704,7 +6709,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -638,6 +719,12 @@
+@@ -638,6 +717,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -6717,7 +6722,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +742,6 @@
+@@ -655,10 +740,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -6728,7 +6733,7 @@
########################################
#
# Apache system script local policy
-@@ -668,7 +751,8 @@
+@@ -668,7 +749,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -6738,7 +6743,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +766,44 @@
+@@ -682,15 +764,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -6784,7 +6789,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -700,9 +813,15 @@
+@@ -700,9 +811,15 @@
clamav_domtrans_clamscan(httpd_sys_script_t)
')
@@ -6800,7 +6805,7 @@
')
########################################
-@@ -724,3 +843,46 @@
+@@ -724,3 +841,46 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -7581,7 +7586,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.te serefpolicy-3.2.5/policy/modules/services/bind.te
--- nsaserefpolicy/policy/modules/services/bind.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/bind.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/bind.te 2008-01-31 09:00:42.000000000 -0500
@@ -53,6 +53,9 @@
init_system_domain(ndc_t,ndc_exec_t)
role system_r types ndc_t;
@@ -7592,6 +7597,14 @@
########################################
#
# Named local policy
+@@ -222,6 +225,7 @@
+ corenet_tcp_sendrecv_all_nodes(ndc_t)
+ corenet_tcp_sendrecv_all_ports(ndc_t)
+ corenet_tcp_connect_rndc_port(ndc_t)
++corenet_tcp_bind_all_nodes(ndc_t)
+ corenet_sendrecv_rndc_client_packets(ndc_t)
+
+ domain_use_interactive_fds(ndc_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bitlbee.fc serefpolicy-3.2.5/policy/modules/services/bitlbee.fc
--- nsaserefpolicy/policy/modules/services/bitlbee.fc 2007-09-17 15:56:47.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/services/bitlbee.fc 2008-01-18 12:40:46.000000000 -0500
@@ -7805,8 +7818,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.2.5/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-30 11:17:07.000000000 -0500
-@@ -32,6 +32,9 @@
++++ serefpolicy-3.2.5/policy/modules/services/bluetooth.te 2008-01-31 11:15:46.000000000 -0500
+@@ -32,19 +32,22 @@
type bluetooth_var_run_t;
files_pid_file(bluetooth_var_run_t)
@@ -7816,7 +7829,13 @@
########################################
#
# Bluetooth services local policy
-@@ -44,7 +47,7 @@
+ #
+
+-allow bluetooth_t self:capability { net_bind_service net_admin net_raw sys_tty_config ipc_lock };
++allow bluetooth_t self:capability { dac_override net_bind_service net_admin net_raw sys_tty_config ipc_lock };
+ dontaudit bluetooth_t self:capability sys_tty_config;
+ allow bluetooth_t self:process { getsched signal_perms };
+ allow bluetooth_t self:fifo_file rw_fifo_file_perms;
allow bluetooth_t self:shm create_shm_perms;
allow bluetooth_t self:socket create_stream_socket_perms;
allow bluetooth_t self:unix_dgram_socket create_socket_perms;
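Review bot: Adding `dac_override` to bluetooth_t's capability set lets the daemon bypass DAC read/write/execute checks on every file it can already reach under policy, and nothing in the hunk says which denial motivated it. Before widening a network-facing daemon this far, check whether the denial came from one file or directory with wrong ownership or mode, which is normally fixed on the object rather than in policy; if the capability really is required, add a one-line comment naming the operation that needs it (as mta.te does for system_mail_t) so it is not carried forward silently.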
@@ -12469,7 +12488,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.2.5/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/mta.te 2008-01-31 11:45:40.000000000 -0500
@@ -6,6 +6,8 @@
# Declarations
#
@@ -12487,8 +12506,12 @@
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -40,27 +43,40 @@
- allow system_mail_t self:capability { dac_override };
+@@ -37,30 +40,43 @@
+ #
+
+ # newalias required this, not sure if it is needed in 'if' file
+-allow system_mail_t self:capability { dac_override };
++allow system_mail_t self:capability { dac_override fowner };
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
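Review bot: `fowner` is added to system_mail_t alongside `dac_override`, but the comment directly above ("newalias required this, not sure if it is needed in 'if' file") still only accounts for the original capability. fowner allows the domain to bypass ownership checks when changing mode, timestamps or similar attributes of files it does not own; if this was driven by a specific denial, extend the comment, e.g. `# newalias required dac_override; fowner needed for <program> to chmod/utime files it does not own`, so a later reviewer can tell whether both are still warranted.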
@@ -15087,8 +15110,8 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.2.5/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/prelude.if 2008-01-30 15:42:04.000000000 -0500
-@@ -0,0 +1,116 @@
++++ serefpolicy-3.2.5/policy/modules/services/prelude.if 2008-01-31 08:49:34.000000000 -0500
+@@ -0,0 +1,128 @@
+
+## <summary>policy for prelude</summary>
+
@@ -15155,18 +15178,30 @@
+interface(`prelude_admin',`
+ gen_require(`
+ type prelude_t;
++ type prelude_spool_t;
++ type prelude_var_run_t;
++ type prelude_var_lib_t;
++ type prelude_script_exec_t;
++ type audisp_prelude_t;
++ type audisp_prelude_var_run_t;
+ ')
+
+ allow $1 prelude_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, prelude_t, prelude_t)
+
-+
++ allow $1 audisp_prelude_t:process { ptrace signal_perms getattr };
++ read_files_pattern($1, audisp_prelude_t, audisp_prelude_t)
++
+ # Allow prelude_t to restart the apache service
+ prelude_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 prelude_script_exec_t system_r;
+ allow $2 system_r;
+
++ manage_all_pattern($1, prelude_spool_t)
++ manage_all_pattern($1, prelude_var_lib_t)
++ manage_all_pattern($1, prelude_var_run_t)
++ manage_all_pattern($1, audisp_prelude_var_run_t)
+')
+
+########################################
@@ -15208,7 +15243,7 @@
Binary files nsaserefpolicy/policy/modules/services/prelude.pp and serefpolicy-3.2.5/policy/modules/services/prelude.pp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.2.5/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/prelude.te 2008-01-30 15:55:36.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/prelude.te 2008-01-31 13:09:03.000000000 -0500
@@ -0,0 +1,114 @@
+policy_module(prelude,1.0.0)
+
@@ -15222,15 +15257,15 @@
+domain_type(prelude_t)
+init_daemon_domain(prelude_t, prelude_exec_t)
+
++type prelude_spool_t;
++files_type(prelude_spool_t)
++
+type prelude_var_run_t;
+files_pid_file(prelude_var_run_t)
+
+type prelude_var_lib_t;
+files_type(prelude_var_lib_t)
+
-+type prelude_spool_t;
-+files_type(prelude_spool_t)
-+
+type prelude_script_exec_t;
+init_script_type(prelude_script_exec_t)
+
@@ -15968,7 +16003,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.if serefpolicy-3.2.5/policy/modules/services/razor.if
--- nsaserefpolicy/policy/modules/services/razor.if 2007-07-16 14:09:46.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/razor.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/razor.if 2008-01-31 11:58:50.000000000 -0500
@@ -137,6 +137,7 @@
template(`razor_per_role_template',`
gen_require(`
@@ -15994,6 +16029,49 @@
##############################
#
+@@ -218,3 +217,42 @@
+
+ domtrans_pattern($1, razor_exec_t, razor_t)
+ ')
++
++########################################
++## <summary>
++## Create, read, write, and delete razor files
++## in a user home subdirectory.
++## </summary>
++## <desc>
++## <p>
++## Create, read, write, and delete razor files
++## in a user home subdirectory.
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`razor_manage_user_home_files',`
++ gen_require(`
++ type user_home_dir_t, user_razor_home_t;
++ ')
++
++ files_search_home($2)
++ allow $2 user_home_dir_t:dir search_dir_perms;
++ manage_files_pattern($2,user_razor_home_t,user_razor_home_t)
++ read_lnk_files_pattern($2,user_razor_home_t,user_razor_home_t)
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/razor.te serefpolicy-3.2.5/policy/modules/services/razor.te
--- nsaserefpolicy/policy/modules/services/razor.te 2007-12-19 05:32:17.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/razor.te 2008-01-18 12:40:46.000000000 -0500
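Review bot: `razor_manage_user_home_files` is documented as a template taking a `userdomain_prefix` in `$1`, but the body never uses `$1`; it hard-codes `user_home_dir_t` and `user_razor_home_t`, so a caller passing any other prefix silently gets the user_ types. Either drop the prefix parameter and document this as a plain interface, or make the prefix meaningful the way spamassassin.if in this patch does (typealias of the `$1_*` names onto the `user_*` types); as written the doc comment promises per-userdomain behaviour the code does not provide.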
@@ -16959,7 +17037,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.2.5/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-28 14:28:32.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/samba.te 2008-01-31 11:27:07.000000000 -0500
@@ -26,28 +26,28 @@
## <desc>
@@ -17070,7 +17148,16 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -340,6 +347,17 @@
+@@ -320,6 +327,8 @@
+ userdom_dontaudit_use_unpriv_user_fds(smbd_t)
+ userdom_use_unpriv_users_fds(smbd_t)
+
++term_use_ptmx(smbd_t)
++
+ ifdef(`hide_broken_symptoms', `
+ files_dontaudit_getattr_default_dirs(smbd_t)
+ files_dontaudit_getattr_boot_dirs(smbd_t)
+@@ -340,6 +349,17 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
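Review bot: `term_use_ptmx(smbd_t)` gives the file server read/write access to the pty multiplexer, i.e. the ability to allocate pseudo-terminals, which is an unusual need for smbd and is added here without a comment. If it was driven by a specific AVC denial (a helper that smbd spawns, say), a one-line comment naming it, e.g. `# smbd needs ptys for <helper>`, would let a later reviewer decide whether it still applies; if the access is only noise, a dontaudit is the narrower fix.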
@@ -17088,7 +17175,7 @@
')
optional_policy(`
-@@ -391,7 +409,7 @@
+@@ -391,7 +411,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -17097,7 +17184,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +421,7 @@
+@@ -403,8 +423,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -17107,7 +17194,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +456,7 @@
+@@ -439,6 +458,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -17115,7 +17202,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +540,7 @@
+@@ -522,6 +542,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -17123,7 +17210,7 @@
corecmd_list_bin(smbmount_t)
-@@ -546,28 +565,37 @@
+@@ -546,28 +567,37 @@
userdom_use_all_users_fds(smbmount_t)
@@ -17168,7 +17255,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +605,9 @@
+@@ -577,7 +607,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -17179,7 +17266,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -602,6 +632,7 @@
+@@ -602,6 +634,7 @@
dev_read_urand(swat_t)
@@ -17187,7 +17274,7 @@
files_read_etc_files(swat_t)
files_search_home(swat_t)
files_read_usr_files(swat_t)
-@@ -614,6 +645,7 @@
+@@ -614,6 +647,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -17195,7 +17282,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -631,6 +663,17 @@
+@@ -631,6 +665,17 @@
kerberos_use(swat_t)
')
@@ -17213,7 +17300,7 @@
########################################
#
# Winbind local policy
-@@ -679,6 +722,8 @@
+@@ -679,6 +724,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -17222,7 +17309,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -766,6 +811,7 @@
+@@ -766,6 +813,7 @@
optional_policy(`
squid_read_log(winbind_helper_t)
squid_append_log(winbind_helper_t)
@@ -17230,7 +17317,7 @@
')
########################################
-@@ -790,3 +836,37 @@
+@@ -790,3 +838,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -18171,7 +18258,7 @@
+/etc/rc.d/init.d/spamd -- gen_context(system_u:object_r:spamd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.2.5/policy/modules/services/spamassassin.if
--- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.if 2008-01-31 12:54:45.000000000 -0500
@@ -37,7 +37,9 @@
gen_require(`
@@ -18384,9 +18471,23 @@
- libs_use_shared_libs($1_spamassassin_t)
-
- logging_send_syslog_msg($1_spamassassin_t)
--
++ ifelse(`$1',`user',`',`
++ typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
++ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
++ typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
++ ')
++
++ manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
++ manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
++ manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
++ relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
++ relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
++ relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
+
- miscfiles_read_localization($1_spamassassin_t)
--
++ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
++ domtrans_pattern($2, spamc_exec_t, spamc_t)
+
- # cjp: this could probably be removed
- seutil_read_config($1_spamassassin_t)
-
@@ -18448,24 +18549,10 @@
- # Write pid file and socket in ~/.evolution/cache/tmp
- evolution_home_filetrans($1,spamd_t,spamd_tmp_t,{ file sock_file })
- ')
-+ ifelse(`$1',`user',`',`
-+ typealias user_spamassassin_home_t alias $1_spamassassin_home_t;
-+ typealias user_spamassassin_tmp_t alias $1_spamassassin_tmp_t;
-+ typealias user_spamc_tmp_t alias $1_spamc_tmp_t;
-+ ')
-+
-+ manage_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
-+ manage_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
-+ manage_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
-+ relabel_dirs_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
-+ relabel_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
-+ relabel_lnk_files_pattern($2, user_spamassassin_home_t,user_spamassassin_home_t)
-
+-
- optional_policy(`
- # cjp: clearly some redundancy here
-+ domtrans_pattern($2, spamassassin_exec_t, spamassassin_t)
-+ domtrans_pattern($2, spamc_exec_t, spamc_t)
-
+-
- nis_use_ypbind($1_spamassassin_t)
-
- tunable_policy(`spamassassin_can_network && allow_ypbind',`
@@ -18480,6 +18567,15 @@
')
########################################
+@@ -370,7 +122,7 @@
+ #
+ interface(`spamassassin_exec_spamd',`
+ gen_require(`
+- type spamd_exec_t;
++ type spamd_eoxec_t;
+ ')
+
+ can_exec($1,spamd_exec_t)
@@ -398,11 +150,65 @@
## </param>
#
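Review bot: The changed line in `spamassassin_exec_spamd` introduces a typo, `type spamd_eoxec_t;` in the gen_require, while the `can_exec($1,spamd_exec_t)` just below still names the real type. The interface will fail to expand for any caller because the required type does not exist, and even if it did, `spamd_exec_t` would no longer be declared as required; the line should be `type spamd_exec_t;`. This looks like an accidental keystroke rather than a rename, since no other use of spamd_exec_t in the patch changes.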
@@ -18590,7 +18686,7 @@
read_files_pattern($1,spamd_var_lib_t,spamd_var_lib_t)
')
-@@ -528,3 +355,101 @@
+@@ -528,3 +355,133 @@
dontaudit $1 spamd_tmp_t:sock_file getattr;
')
@@ -18691,10 +18787,42 @@
+ manage_all_pattern($1,spamd_var_run_t)
+')
+
++########################################
++## <summary>
++## Read spamassassin per user homedir
++## </summary>
++## <desc>
++## <p>
++## Read spamassassin per user homedir
++## </p>
++## <p>
++## This is a templated interface, and should only
++## be called from a per-userdomain template.
++## </p>
++## </desc>
++## <param name="userdomain_prefix">
++## <summary>
++## The prefix of the user domain (e.g., user
++## is the prefix for user_t).
++## </summary>
++## </param>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++template(`spamassassin_manage_user_home_files',`
++ gen_require(`
++ type user_spamassassin_home_t;
++ ')
+
++ manage_files_pattern($1, user_spamassassin_home_t, user_spamassassin_home_t)
++ razor_manage_user_home_files(user,$1)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.2.5/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-18 12:40:46.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/spamassassin.te 2008-01-31 12:52:59.000000000 -0500
@@ -21,8 +21,9 @@
gen_tunable(spamd_enable_home_dirs,true)
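Review bot: The new `spamassassin_manage_user_home_files` template documents two parameters, a userdomain prefix in `$1` and the domain in `$2`, but the body uses `$1` as the domain in both `manage_files_pattern($1, ...)` and `razor_manage_user_home_files(user,$1)` and never reads `$2`; a caller following the docs and passing `(user, spamd_t)` would grant access to a type literally named `user`. Either change the body to use `$2` (and pass `$1` as the razor prefix) or remove the prefix parameter from the doc block. Separately, the summary and `<desc>` say "Read spamassassin per user homedir" while the body grants `manage_files_pattern`; reword to `## Create, read, write, and delete files in the user spamassassin home directory.` so the name, docs and grant agree.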
@@ -18802,7 +18930,18 @@
dcc_stream_connect_dccifd(spamd_t)
')
-@@ -212,3 +254,206 @@
+@@ -198,6 +240,10 @@
+
+ optional_policy(`
+ razor_domtrans(spamd_t)
++ tunable_policy(`spamd_enable_home_dirs',`
++ razor_manage_user_home_files(user,spamd_t)
++ ')
++
+ ')
+
+ optional_policy(`
+@@ -212,3 +258,206 @@
optional_policy(`
udev_read_db(spamd_t)
')
@@ -19847,7 +19986,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.2.5/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2007-12-04 11:02:50.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-25 16:50:51.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/services/xserver.if 2008-01-31 11:12:11.000000000 -0500
@@ -15,6 +15,7 @@
template(`xserver_common_domain_template',`
gen_require(`
@@ -21211,7 +21350,7 @@
+/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.2.5/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-23 09:15:22.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/authlogin.if 2008-01-31 13:43:36.000000000 -0500
@@ -99,7 +99,7 @@
template(`authlogin_per_role_template',`
@@ -21303,15 +21442,36 @@
')
optional_policy(`
-@@ -356,6 +398,7 @@
+@@ -356,6 +398,28 @@
optional_policy(`
samba_stream_connect_winbind($1)
')
+ auth_domtrans_upd_passwd($1)
++')
++
++########################################
++## <summary>
++## Run unix_chkpwd to check a password.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`auth_domtrans_chkpwd',`
++ gen_require(`
++ type system_chkpwd_t, chkpwd_exec_t, shadow_t;
++ ')
++
++ corecmd_search_sbin($1)
++ domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
++ dontaudit $1 shadow_t:file { getattr read };
++ auth_domtrans_upd_passwd($1)
')
########################################
-@@ -369,12 +412,12 @@
+@@ -369,12 +433,12 @@
## </param>
## <param name="role">
## <summary>
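Review bot: The new `auth_domtrans_chkpwd` interface sits next to the existing `auth_domtrans_chk_passwd` with an almost identical summary ("Run unix_chkpwd to check a password.") and no `<desc>` saying when to use which, so a policy author has no basis for choosing between them. If the distinction is that this one deliberately carries no optional_policy() blocks so it can be nested in tunable_policy() (the visible caller in apache.te uses it exactly that way), state that in a `<desc>`; otherwise the two will drift apart over time. It is also worth documenting that the interface grants `auth_domtrans_upd_passwd($1)` too, i.e. a transition into the password-updating helper and not only the checker, since that is wider than the summary suggests. The auth_domtrans_chk_passwd body this mirrors is outside the hunk.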
@@ -21326,7 +21486,7 @@
## </summary>
## </param>
#
-@@ -386,6 +429,7 @@
+@@ -386,6 +450,7 @@
auth_domtrans_chk_passwd($1)
role $2 types system_chkpwd_t;
allow system_chkpwd_t $3:chr_file rw_file_perms;
@@ -21334,7 +21494,7 @@
')
########################################
-@@ -1457,6 +1501,7 @@
+@@ -1457,6 +1522,7 @@
optional_policy(`
samba_stream_connect_winbind($1)
samba_read_var_files($1)
@@ -21342,7 +21502,7 @@
')
')
-@@ -1491,3 +1536,23 @@
+@@ -1491,3 +1557,23 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -21368,7 +21528,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-3.2.5/policy/modules/system/authlogin.te
--- nsaserefpolicy/policy/modules/system/authlogin.te 2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-22 12:59:23.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/authlogin.te 2008-01-31 11:33:23.000000000 -0500
@@ -59,6 +59,9 @@
type utempter_exec_t;
application_domain(utempter_t,utempter_exec_t)
@@ -22671,6 +22831,80 @@
+ xen_append_log(lvm_t)
+ xen_dontaudit_rw_unix_stream_sockets(lvm_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.fc serefpolicy-3.2.5/policy/modules/system/miscfiles.fc
+--- nsaserefpolicy/policy/modules/system/miscfiles.fc 2007-08-22 17:33:53.000000000 -0400
++++ serefpolicy-3.2.5/policy/modules/system/miscfiles.fc 2008-01-31 08:38:35.000000000 -0500
+@@ -80,3 +80,4 @@
+ /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
+ ')
++HOME_DIR/\.fontconfig(/.*)? gen_context(system_u:object_r:user_fonts_home_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.if serefpolicy-3.2.5/policy/modules/system/miscfiles.if
+--- nsaserefpolicy/policy/modules/system/miscfiles.if 2007-11-16 13:45:14.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/miscfiles.if 2008-01-31 08:40:50.000000000 -0500
+@@ -489,3 +489,44 @@
+ manage_lnk_files_pattern($1,locale_t,locale_t)
+ ')
+
++########################################
++## <summary>
++## Read user homedir fonts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_read_home_fonts',`
++ gen_require(`
++ type user_fonts_home_t;
++ ')
++
++ read_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
++ read_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
++')
++
++########################################
++## <summary>
++## Read user homedir fonts.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`miscfiles_manage_home_fonts',`
++ gen_require(`
++ type user_fonts_home_t;
++ ')
++
++ manage_dirs_pattern($1,user_fonts_home_t,user_fonts_home_t)
++ manage_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
++ manage_lnk_files_pattern($1,user_fonts_home_t,user_fonts_home_t)
++')
++
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfiles.te serefpolicy-3.2.5/policy/modules/system/miscfiles.te
+--- nsaserefpolicy/policy/modules/system/miscfiles.te 2007-12-19 05:32:17.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/miscfiles.te 2008-01-31 08:42:09.000000000 -0500
+@@ -20,6 +20,14 @@
+ files_type(fonts_t)
+
+ #
++# fonts_t is the type of various font
++# files in /usr
++#
++type user_fonts_home_t;
++userdom_user_home_type(user_fonts_home_t)
++files_type(user_fonts_home_t)
++
++#
+ # type for /usr/share/hwdata
+ #
+ type hwdata_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.2.5/policy/modules/system/modutils.if
--- nsaserefpolicy/policy/modules/system/modutils.if 2007-03-26 10:39:07.000000000 -0400
+++ serefpolicy-3.2.5/policy/modules/system/modutils.if 2008-01-18 12:40:46.000000000 -0500
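Review bot: The summary of `miscfiles_manage_home_fonts` says "Read user homedir fonts." — copied from `miscfiles_read_home_fonts` — but the body grants manage_dirs/files/lnk_files, i.e. create, write and delete as well; it should read `## Create, read, write, and delete user homedir fonts.`. Likewise the comment placed above the new `user_fonts_home_t` declaration in miscfiles.te (`# fonts_t is the type of various font files in /usr`) describes the type above it, not this one; replace it with `# user_fonts_home_t: per-user font cache under ~/.fontconfig`. Finally, the .fc entry labels HOME_DIR/.fontconfig but no type_transition is added, so a `~/.fontconfig` created fresh by a domain given this interface (nsplugin_t in this patch) will presumably inherit the parent directory's type until the next relabel; consider a userdom home-dir filetrans for callers, or note the limitation in the `<desc>`.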
@@ -24389,7 +24623,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-25 11:51:09.000000000 -0500
++++ serefpolicy-3.2.5/policy/modules/system/userdomain.if 2008-01-31 08:42:16.000000000 -0500
@@ -29,9 +29,14 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.594
retrieving revision 1.595
diff -u -r1.594 -r1.595
--- selinux-policy.spec 30 Jan 2008 21:34:13 -0000 1.594
+++ selinux-policy.spec 31 Jan 2008 19:32:51 -0000 1.595
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.2.5
-Release: 22%{?dist}
+Release: 23%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -387,6 +387,9 @@
%endif
%changelog
+* Wed Jan 30 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-23
+- Allow allow_httpd_mod_auth_pam to work
+
* Wed Jan 30 2008 Dan Walsh <dwalsh at redhat.com> 3.2.5-22
- Add audisp policy and prelude