rpms/selinux-policy/F-11 booleans-targeted.conf, 1.49, 1.50 policy-20090521.patch, 1.45, 1.46 selinux-policy.spec, 1.899, 1.900
Miroslav Grepl
mgrepl at fedoraproject.org
Thu Aug 20 11:27:42 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv14743
Modified Files:
booleans-targeted.conf policy-20090521.patch
selinux-policy.spec
Log Message:
- Fixes for racoon
- Fixes for ptchown
- Fixes for openvpn
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/booleans-targeted.conf,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -p -r1.49 -r1.50
--- booleans-targeted.conf 20 May 2009 17:28:16 -0000 1.49
+++ booleans-targeted.conf 20 Aug 2009 11:27:42 -0000 1.50
@@ -122,6 +122,10 @@ nfs_export_all_rw = true
#
nfs_export_all_ro = true
+# Allow openvpn to read home directories
+#
+openvpn_enable_homedirs = true
+
# Allow pppd to load kernel modules for certain modems
#
pppd_can_insmod = false
policy-20090521.patch:
man/man8/samba_selinux.8 | 4
policy/mcs | 12 -
policy/modules/admin/certwatch.te | 4
policy/modules/admin/kismet.te | 16 +
policy/modules/admin/logrotate.te | 6
policy/modules/admin/mrtg.te | 8
policy/modules/admin/prelink.te | 9
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.if | 18 +
policy/modules/admin/rpm.te | 4
policy/modules/admin/shorewall.fc | 12 +
policy/modules/admin/shorewall.if | 166 ++++++++++++++++++
policy/modules/admin/shorewall.te | 103 +++++++++++
policy/modules/admin/sudo.if | 4
policy/modules/admin/usermanage.te | 1
policy/modules/apps/awstats.te | 2
policy/modules/apps/calamaris.te | 4
policy/modules/apps/gitosis.fc | 4
policy/modules/apps/gitosis.if | 96 ++++++++++
policy/modules/apps/gitosis.te | 43 ++++
policy/modules/apps/gpg.if | 2
policy/modules/apps/gpg.te | 1
policy/modules/apps/mozilla.if | 16 +
policy/modules/apps/mozilla.te | 14 -
policy/modules/apps/nsplugin.if | 2
policy/modules/apps/ptchown.fc | 2
policy/modules/apps/ptchown.if | 22 ++
policy/modules/apps/ptchown.te | 40 ++++
policy/modules/apps/qemu.fc | 1
policy/modules/apps/qemu.te | 5
policy/modules/apps/sandbox.if | 134 +++++++++++---
policy/modules/apps/sandbox.te | 274 +++++++++++++++++++++++++++---
policy/modules/apps/screen.if | 1
policy/modules/apps/vmware.fc | 1
policy/modules/apps/vmware.te | 6
policy/modules/kernel/corecommands.fc | 10 -
policy/modules/kernel/corenetwork.te.in | 5
policy/modules/kernel/devices.fc | 2
policy/modules/kernel/devices.if | 145 +++++++++++++++
policy/modules/kernel/devices.te | 13 +
policy/modules/kernel/domain.if | 45 +---
policy/modules/kernel/domain.te | 30 +++
policy/modules/kernel/files.if | 3
policy/modules/kernel/kernel.if | 2
policy/modules/kernel/terminal.if | 19 ++
policy/modules/roles/staff.te | 12 +
policy/modules/roles/sysadm.if | 35 +++
policy/modules/roles/sysadm.te | 4
policy/modules/roles/unconfineduser.te | 9
policy/modules/roles/unprivuser.te | 4
policy/modules/roles/xguest.te | 6
policy/modules/services/apache.fc | 4
policy/modules/services/automount.if | 18 +
policy/modules/services/avahi.te | 2
policy/modules/services/bluetooth.te | 1
policy/modules/services/clamav.te | 4
policy/modules/services/consolekit.te | 3
policy/modules/services/cron.if | 19 --
policy/modules/services/cron.te | 2
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 28 ++-
policy/modules/services/dbus.if | 4
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25 ++
policy/modules/services/devicekit.te | 6
policy/modules/services/dnsmasq.te | 4
policy/modules/services/dovecot.if | 34 +--
policy/modules/services/dovecot.te | 20 +-
policy/modules/services/exim.te | 6
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 10 -
policy/modules/services/ftp.te | 7
policy/modules/services/gnomeclock.te | 1
policy/modules/services/gpsd.fc | 3
policy/modules/services/gpsd.te | 17 +
policy/modules/services/hal.te | 14 +
policy/modules/services/hddtemp.fc | 4
policy/modules/services/hddtemp.if | 38 ++++
policy/modules/services/hddtemp.te | 40 ++++
policy/modules/services/kerberos.if | 2
policy/modules/services/kerberos.te | 12 +
policy/modules/services/lircd.te | 4
policy/modules/services/mailman.if | 1
policy/modules/services/mta.if | 1
policy/modules/services/mysql.te | 6
policy/modules/services/nis.te | 3
policy/modules/services/nslcd.fc | 4
policy/modules/services/nslcd.if | 145 +++++++++++++++
policy/modules/services/nslcd.te | 50 +++++
policy/modules/services/openvpn.te | 14 +
policy/modules/services/pcscd.te | 3
policy/modules/services/polkit.fc | 2
policy/modules/services/polkit.if | 2
policy/modules/services/polkit.te | 3
policy/modules/services/postfix.if | 26 ++
policy/modules/services/postfix.te | 26 --
policy/modules/services/postgresql.te | 2
policy/modules/services/ppp.if | 6
policy/modules/services/privoxy.te | 3
policy/modules/services/pyzor.fc | 2
policy/modules/services/pyzor.te | 2
policy/modules/services/rpc.te | 12 +
policy/modules/services/rsync.te | 2
policy/modules/services/sasl.te | 2
policy/modules/services/sendmail.if | 39 ++++
policy/modules/services/sendmail.te | 7
policy/modules/services/setroubleshoot.te | 5
policy/modules/services/shorewall.fc | 12 -
policy/modules/services/shorewall.if | 166 ------------------
policy/modules/services/shorewall.te | 102 -----------
policy/modules/services/spamassassin.fc | 8
policy/modules/services/spamassassin.te | 1
policy/modules/services/ssh.if | 23 ++
policy/modules/services/ssh.te | 4
policy/modules/services/uucp.te | 2
policy/modules/services/virt.te | 27 ++
policy/modules/services/xserver.fc | 2
policy/modules/services/xserver.if | 41 ++++
policy/modules/services/xserver.te | 11 -
policy/modules/system/authlogin.fc | 3
policy/modules/system/authlogin.if | 270 ++++++++++++++++++-----------
policy/modules/system/authlogin.te | 27 +-
policy/modules/system/init.fc | 2
policy/modules/system/init.te | 2
policy/modules/system/ipsec.te | 61 +++++-
policy/modules/system/iptables.te | 4
policy/modules/system/iscsi.te | 1
policy/modules/system/libraries.fc | 11 +
policy/modules/system/locallogin.te | 6
policy/modules/system/miscfiles.fc | 1
policy/modules/system/mount.te | 1
policy/modules/system/sysnetwork.if | 1
policy/modules/system/sysnetwork.te | 17 +
policy/modules/system/udev.fc | 1
policy/modules/system/udev.te | 10 +
policy/modules/system/userdomain.if | 30 ++-
policy/modules/system/virtual.te | 5
policy/modules/system/xen.te | 1
138 files changed, 2304 insertions(+), 644 deletions(-)
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.45
retrieving revision 1.46
diff -u -p -r1.45 -r1.46
--- policy-20090521.patch 14 Aug 2009 06:45:12 -0000 1.45
+++ policy-20090521.patch 20 Aug 2009 11:27:42 -0000 1.46
@@ -1,3 +1,21 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/samba_selinux.8 serefpolicy-3.6.12/man/man8/samba_selinux.8
+--- nsaserefpolicy/man/man8/samba_selinux.8 2009-04-07 21:54:45.000000000 +0200
++++ serefpolicy-3.6.12/man/man8/samba_selinux.8 2009-08-19 18:01:06.000000000 +0200
+@@ -20,7 +20,7 @@
+ .TP
+ This command adds the following entry to /etc/selinux/POLICYTYPE/contexts/files/file_contexts.local:
+ .TP
+-/var/eng(/.*)? system_u:object_r:samba_share_t
++/var/eng(/.*)? system_u:object_r:samba_share_t:s0
+ .TP
+ Run the restorecon command to apply the changes:
+ .TP
+@@ -53,4 +53,4 @@
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+
+ .SH "SEE ALSO"
+-selinux(8), samba(7), chcon(1), setsebool(8)
++selinux(8), samba(7), chcon(1), setsebool(8), semanage(8)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/mcs serefpolicy-3.6.12/policy/mcs
--- nsaserefpolicy/policy/mcs 2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/mcs 2009-07-08 21:09:33.000000000 +0200
@@ -550,6 +568,18 @@ diff -b -B --ignore-all-space --exclude-
# Execute /usr/bin/{passwd,chfn,chsh} and /usr/sbin/{useradd,vipw}.
corecmd_exec_bin(groupadd_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/awstats.te serefpolicy-3.6.12/policy/modules/apps/awstats.te
+--- nsaserefpolicy/policy/modules/apps/awstats.te 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/awstats.te 2009-08-19 18:08:12.000000000 +0200
+@@ -28,6 +28,8 @@
+ awstats_rw_pipes(awstats_t)
+ awstats_cgi_exec(awstats_t)
+
++can_exec(awstats_t, awstats_exec_t)
++
+ manage_dirs_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+ manage_files_pattern(awstats_t, awstats_tmp_t, awstats_tmp_t)
+ files_tmp_filetrans(awstats_t, awstats_tmp_t, { dir file })
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/calamaris.te serefpolicy-3.6.12/policy/modules/apps/calamaris.te
--- nsaserefpolicy/policy/modules/apps/calamaris.te 2009-04-07 21:54:49.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/calamaris.te 2009-08-05 23:27:19.000000000 +0200
@@ -718,6 +748,29 @@ diff -b -B --ignore-all-space --exclude-
+optional_policy(`
+ ssh_rw_pipes(gitosis_t)
+')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.if serefpolicy-3.6.12/policy/modules/apps/gpg.if
+--- nsaserefpolicy/policy/modules/apps/gpg.if 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/gpg.if 2009-08-18 15:05:46.000000000 +0200
+@@ -30,7 +30,7 @@
+
+ # allow ps to show gpg
+ ps_process_pattern($2, gpg_t)
+- allow $2 gpg_t:process { signal sigkill };
++ allow $2 gpg_t:process { signull sigstop signal sigkill };
+
+ # communicate with the user
+ allow gpg_helper_t $2:fd use;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gpg.te serefpolicy-3.6.12/policy/modules/apps/gpg.te
+--- nsaserefpolicy/policy/modules/apps/gpg.te 2009-06-25 10:19:43.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/apps/gpg.te 2009-08-18 15:06:47.000000000 +0200
+@@ -90,6 +90,7 @@
+ corenet_tcp_connect_all_ports(gpg_t)
+ corenet_sendrecv_all_client_packets(gpg_t)
+
++dev_read_generic_usb_dev(gpg_t)
+ dev_read_rand(gpg_t)
+ dev_read_urand(gpg_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.if serefpolicy-3.6.12/policy/modules/apps/mozilla.if
--- nsaserefpolicy/policy/modules/apps/mozilla.if 2009-06-25 10:19:43.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/apps/mozilla.if 2009-07-08 21:12:05.000000000 +0200
@@ -856,8 +909,8 @@ diff -b -B --ignore-all-space --exclude-
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.te serefpolicy-3.6.12/policy/modules/apps/ptchown.te
--- nsaserefpolicy/policy/modules/apps/ptchown.te 1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te 2009-08-14 08:31:55.000000000 +0200
-@@ -0,0 +1,39 @@
++++ serefpolicy-3.6.12/policy/modules/apps/ptchown.te 2009-08-20 09:35:25.000000000 +0200
+@@ -0,0 +1,40 @@
+policy_module(ptchown,1.0.0)
+
+########################################
@@ -877,7 +930,7 @@ diff -b -B --ignore-all-space --exclude-
+# ptchown local policy
+#
+
-+allow ptchown_t self:capability { fowner chown setuid };
++allow ptchown_t self:capability { chown fowner fsetid setuid };
+allow ptchown_t self:process { getcap setcap };
+
+# Init script handling
@@ -891,9 +944,10 @@ diff -b -B --ignore-all-space --exclude-
+
+fs_rw_anon_inodefs_files(ptchown_t)
+
-+term_use_generic_ptys(ptchown_t)
+term_setattr_generic_ptys(ptchown_t)
+term_setattr_all_user_ptys(ptchown_t)
++term_use_generic_ptys(ptchown_t)
++term_use_ptmx(ptchown_t)
+
+miscfiles_read_localization(ptchown_t)
+
@@ -3305,7 +3359,7 @@ diff -b -B --ignore-all-space --exclude-
+logging_send_syslog_msg(nslcd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.6.12/policy/modules/services/openvpn.te
--- nsaserefpolicy/policy/modules/services/openvpn.te 2009-04-07 21:54:45.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/openvpn.te 2009-07-08 21:10:15.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/openvpn.te 2009-08-20 09:42:28.000000000 +0200
@@ -86,6 +86,7 @@
corenet_udp_bind_openvpn_port(openvpn_t)
corenet_tcp_connect_openvpn_port(openvpn_t)
@@ -3314,6 +3368,39 @@ diff -b -B --ignore-all-space --exclude-
corenet_rw_tun_tap_dev(openvpn_t)
corenet_sendrecv_openvpn_server_packets(openvpn_t)
corenet_sendrecv_openvpn_client_packets(openvpn_t)
+@@ -98,6 +99,8 @@
+ files_read_etc_files(openvpn_t)
+ files_read_etc_runtime_files(openvpn_t)
+
++auth_use_pam(openvpn_t)
++
+ logging_send_syslog_msg(openvpn_t)
+
+ miscfiles_read_localization(openvpn_t)
+@@ -114,6 +117,16 @@
+ userdom_read_user_home_content_files(openvpn_t)
+ ')
+
++tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',`
++ fs_read_nfs_files(openvpn_t)
++ fs_read_nfs_symlinks(openvpn_t)
++')
++
++tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
++ fs_read_cifs_files(openvpn_t)
++ fs_read_cifs_symlinks(openvpn_t)
++')
++
+ optional_policy(`
+ daemontools_service_domain(openvpn_t, openvpn_exec_t)
+ ')
+@@ -122,5 +135,6 @@
+ dbus_system_bus_client(openvpn_t)
+ dbus_connect_system_bus(openvpn_t)
+
++ fprintd_dbus_chat(openvpn_t)
+ networkmanager_dbus_chat(openvpn_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pcscd.te serefpolicy-3.6.12/policy/modules/services/pcscd.te
--- nsaserefpolicy/policy/modules/services/pcscd.te 2009-04-07 21:54:45.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/pcscd.te 2009-06-25 10:21:01.000000000 +0200
@@ -3630,6 +3717,18 @@ diff -b -B --ignore-all-space --exclude-
auth_read_all_dirs_except_shadow(rsync_t)
auth_read_all_files_except_shadow(rsync_t)
auth_read_all_symlinks_except_shadow(rsync_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-3.6.12/policy/modules/services/sasl.te
+--- nsaserefpolicy/policy/modules/services/sasl.te 2009-06-25 10:19:44.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/sasl.te 2009-08-18 14:47:01.000000000 +0200
+@@ -31,7 +31,7 @@
+ # Local policy
+ #
+
+-allow saslauthd_t self:capability setuid;
++allow saslauthd_t self:capability { setgid setuid };
+ dontaudit saslauthd_t self:capability sys_tty_config;
+ allow saslauthd_t self:process signal_perms;
+ allow saslauthd_t self:fifo_file rw_fifo_file_perms;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.if serefpolicy-3.6.12/policy/modules/services/sendmail.if
--- nsaserefpolicy/policy/modules/services/sendmail.if 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/sendmail.if 2009-07-31 13:22:05.000000000 +0200
@@ -4029,7 +4128,7 @@ diff -b -B --ignore-all-space --exclude-
-
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.6.12/policy/modules/services/spamassassin.fc
--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-07-07 08:44:02.000000000 +0200
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.fc 2009-08-19 17:48:56.000000000 +0200
@@ -1,13 +1,15 @@
+/root/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
HOME_DIR/\.spamassassin(/.*)? gen_context(system_u:object_r:spamc_home_t,s0)
@@ -4047,6 +4146,14 @@ diff -b -B --ignore-all-space --exclude-
/usr/sbin/spamd -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/mimedefang-multiplexor -- gen_context(system_u:object_r:spamd_exec_t,s0)
+@@ -20,5 +22,5 @@
+
+ /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+ /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+-/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
+-/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
++/var/spool/MD-Quarantine(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
++/var/spool/MIMEDefang(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2009-06-25 10:19:44.000000000 +0200
+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2009-07-13 11:32:30.000000000 +0200
@@ -4380,8 +4487,62 @@ diff -b -B --ignore-all-space --exclude-
-/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-3.6.12/policy/modules/system/authlogin.if
--- nsaserefpolicy/policy/modules/system/authlogin.if 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-08-04 12:46:42.000000000 +0200
-@@ -42,8 +42,7 @@
++++ serefpolicy-3.6.12/policy/modules/system/authlogin.if 2009-08-20 10:24:42.000000000 +0200
+@@ -30,6 +30,53 @@
+ dontaudit $2 shadow_t:file read_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Make the specified domain used for a login program.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain type used for a login program domain.
++## </summary>
++## </param>
++#
++interface(`auth_use_pam',`
++
++ # for SSP/ProPolice
++ dev_read_urand($1)
++ # for encrypted homedir
++ dev_read_sysfs($1)
++
++ auth_domtrans_chk_passwd($1)
++ auth_domtrans_upd_passwd($1)
++ auth_dontaudit_read_shadow($1)
++ auth_read_login_records($1)
++ auth_append_login_records($1)
++ auth_rw_lastlog($1)
++ auth_rw_faillog($1)
++ auth_exec_pam($1)
++ auth_use_nsswitch($1)
++
++ logging_send_audit_msgs($1)
++ logging_send_syslog_msg($1)
++
++ optional_policy(`
++ dbus_system_bus_client($1)
++ optional_policy(`
++ consolekit_dbus_chat($1)
++ ')
++ ')
++
++ optional_policy(`
++ kerberos_manage_host_rcache($1)
++ kerberos_read_config($1)
++ ')
++
++ optional_policy(`
++ nis_authenticate($1)
++ ')
++')
++
+ ########################################
+ ## <summary>
+ ## Make the specified domain used for a login program.
+@@ -42,8 +89,7 @@
#
interface(`auth_login_pgm_domain',`
gen_require(`
@@ -4391,7 +4552,7 @@ diff -b -B --ignore-all-space --exclude-
')
domain_type($1)
-@@ -77,6 +76,8 @@
+@@ -77,6 +123,8 @@
# for SSP/ProPolice
dev_read_urand($1)
@@ -4400,7 +4561,7 @@ diff -b -B --ignore-all-space --exclude-
# for fingerprint readers
dev_rw_input_dev($1)
dev_rw_generic_usb_dev($1)
-@@ -143,6 +144,11 @@
+@@ -143,6 +191,11 @@
')
optional_policy(`
@@ -4412,7 +4573,7 @@ diff -b -B --ignore-all-space --exclude-
fprintd_dbus_chat($1)
')
-@@ -153,6 +159,7 @@
+@@ -153,6 +206,7 @@
optional_policy(`
ssh_agent_exec($1)
userdom_read_user_home_content_files($1)
@@ -4420,7 +4581,7 @@ diff -b -B --ignore-all-space --exclude-
')
')
-@@ -238,6 +245,97 @@
+@@ -238,6 +292,97 @@
########################################
## <summary>
@@ -4518,7 +4679,7 @@ diff -b -B --ignore-all-space --exclude-
## Run unix_chkpwd to check a password.
## </summary>
## <param name="domain">
-@@ -726,7 +824,7 @@
+@@ -726,7 +871,7 @@
########################################
## <summary>
@@ -4527,7 +4688,7 @@ diff -b -B --ignore-all-space --exclude-
## </summary>
## <param name="domain">
## <summary>
-@@ -1258,6 +1356,25 @@
+@@ -1258,6 +1403,25 @@
########################################
## <summary>
@@ -4553,7 +4714,7 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to write to
## login records files.
## </summary>
-@@ -1415,6 +1532,10 @@
+@@ -1415,6 +1579,10 @@
')
optional_policy(`
@@ -4564,7 +4725,7 @@ diff -b -B --ignore-all-space --exclude-
sssd_stream_connect($1)
')
-@@ -1456,99 +1577,3 @@
+@@ -1456,99 +1624,3 @@
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
')
@@ -4796,15 +4957,38 @@ diff -b -B --ignore-all-space --exclude-
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.6.12/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2009-06-25 10:19:44.000000000 +0200
-+++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-06-25 10:21:01.000000000 +0200
-@@ -1,5 +1,5 @@
++++ serefpolicy-3.6.12/policy/modules/system/ipsec.te 2009-08-20 13:08:01.000000000 +0200
+@@ -1,11 +1,18 @@
-policy_module(ipsec, 1.9.0)
+policy_module(ipsec, 1.9.1)
########################################
#
-@@ -53,7 +53,7 @@
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Allow racoon to read shadow
++## </p>
++## </desc>
++gen_tunable(racoon_read_shadow, false)
++
+ type ipsec_t;
+ type ipsec_exec_t;
+ init_daemon_domain(ipsec_t,ipsec_exec_t)
+@@ -43,6 +50,9 @@
+ init_daemon_domain(racoon_t,racoon_exec_t)
+ role system_r types racoon_t;
+
++type racoon_tmp_t;
++files_tmp_file(racoon_tmp_t)
++
+ type setkey_t;
+ type setkey_exec_t;
+ init_system_domain(setkey_t,setkey_exec_t)
+@@ -53,7 +63,7 @@
# ipsec Local policy
#
@@ -4813,7 +4997,7 @@ diff -b -B --ignore-all-space --exclude-
dontaudit ipsec_t self:capability sys_tty_config;
allow ipsec_t self:process { getsched signal setsched };
allow ipsec_t self:tcp_socket create_stream_socket_perms;
-@@ -67,7 +67,7 @@
+@@ -67,7 +77,7 @@
read_lnk_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
allow ipsec_t ipsec_key_file_t:dir list_dir_perms;
@@ -4822,7 +5006,16 @@ diff -b -B --ignore-all-space --exclude-
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
manage_files_pattern(ipsec_t, ipsec_var_run_t, ipsec_var_run_t)
-@@ -103,13 +103,11 @@
+@@ -82,7 +92,7 @@
+ # so try flipping back into the ipsec_mgmt_t domain
+ corecmd_shell_domtrans(ipsec_t,ipsec_mgmt_t)
+ allow ipsec_mgmt_t ipsec_t:fd use;
+-allow ipsec_mgmt_t ipsec_t:fifo_file rw_file_perms;
++allow ipsec_mgmt_t ipsec_t:fifo_file rw_fifo_file_perms;
+ allow ipsec_mgmt_t ipsec_t:process sigchld;
+
+ kernel_read_kernel_sysctls(ipsec_t)
+@@ -103,13 +113,11 @@
corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t)
@@ -4837,7 +5030,7 @@ diff -b -B --ignore-all-space --exclude-
corenet_sendrecv_generic_server_packets(ipsec_t)
corenet_sendrecv_isakmp_server_packets(ipsec_t)
-@@ -130,7 +128,7 @@
+@@ -130,7 +138,7 @@
files_read_etc_files(ipsec_t)
files_read_usr_files(ipsec_t)
@@ -4846,7 +5039,7 @@ diff -b -B --ignore-all-space --exclude-
init_use_fds(ipsec_t)
init_use_script_ptys(ipsec_t)
-@@ -158,12 +156,12 @@
+@@ -158,12 +166,12 @@
#
allow ipsec_mgmt_t self:capability { net_admin sys_tty_config dac_override dac_read_search };
@@ -4861,7 +5054,7 @@ diff -b -B --ignore-all-space --exclude-
allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
files_lock_filetrans(ipsec_mgmt_t,ipsec_mgmt_lock_t,file)
-@@ -171,8 +169,6 @@
+@@ -171,8 +179,6 @@
allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
files_pid_filetrans(ipsec_mgmt_t,ipsec_mgmt_var_run_t,file)
@@ -4870,7 +5063,7 @@ diff -b -B --ignore-all-space --exclude-
manage_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
manage_lnk_files_pattern(ipsec_mgmt_t,ipsec_var_run_t,ipsec_var_run_t)
-@@ -248,6 +244,8 @@
+@@ -248,6 +254,8 @@
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
@@ -4879,15 +5072,21 @@ diff -b -B --ignore-all-space --exclude-
miscfiles_read_localization(ipsec_mgmt_t)
modutils_domtrans_insmod(ipsec_mgmt_t)
-@@ -284,6 +282,7 @@
+@@ -284,6 +292,13 @@
allow racoon_t self:netlink_selinux_socket { bind create read };
allow racoon_t self:udp_socket create_socket_perms;
allow racoon_t self:key_socket create_socket_perms;
+allow racoon_t self:fifo_file rw_fifo_file_perms;
++
++manage_dirs_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
++manage_files_pattern(racoon_t, racoon_tmp_t, racoon_tmp_t)
++files_tmp_filetrans(racoon_t, racoon_tmp_t, { dir file })
++
++can_exec(racoon_t, setkey_exec_t)
# manage pid file
manage_files_pattern(racoon_t,ipsec_var_run_t,ipsec_var_run_t)
-@@ -301,11 +300,21 @@
+@@ -301,11 +316,21 @@
kernel_read_system_state(racoon_t)
kernel_read_network_state(racoon_t)
@@ -4910,7 +5109,30 @@ diff -b -B --ignore-all-space --exclude-
corenet_udp_bind_ipsecnat_port(racoon_t)
dev_read_urand(racoon_t)
-@@ -348,6 +357,7 @@
+@@ -315,6 +340,8 @@
+
+ files_read_etc_files(racoon_t)
+
++fs_dontaudit_getattr_xattr_fs(racoon_t)
++
+ # allow racoon to use avc_has_perm to check context on proposed SA
+ selinux_compute_access_vector(racoon_t)
+
+@@ -329,6 +356,13 @@
+
+ miscfiles_read_localization(racoon_t)
+
++auth_use_pam(racoon_t)
++
++auth_can_read_shadow_passwords(racoon_t)
++tunable_policy(`racoon_read_shadow',`
++ auth_tunable_read_shadow(racoon_t)
++')
++
+ ########################################
+ #
+ # Setkey local policy
+@@ -348,6 +382,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.899
retrieving revision 1.900
diff -u -p -r1.899 -r1.900
--- selinux-policy.spec 14 Aug 2009 06:45:12 -0000 1.899
+++ selinux-policy.spec 20 Aug 2009 11:27:42 -0000 1.900
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 78%{?dist}
+Release: 79%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -475,6 +475,11 @@ exit 0
%endif
%changelog
+* Thu Aug 20 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-79
+- Fixes for racoon
+- Fixes for ptchown
+- Fixes for openvpn
+
* Fri Aug 14 2009 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-78
- Add ptchown policy from Dan Walsh
More information about the fedora-extras-commits
mailing list