Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy-strict/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv24815
Modified Files:
policy-20051021.patch selinux-policy-strict.spec
Log Message:
* Thu Nov 3 2005 Dan Walsh <dwalsh@xxxxxxxxxx> 1.27.2-12
- Add Russell patch to allow transition to strict policy
- Allow pegasus to use pam
- Add back transition from unconfined_t to httpd_t
policy-20051021.patch:
Makefile | 14 -
attrib.te | 18 +
domains/admin.te | 2
domains/misc/kernel.te | 2
domains/program/fsadm.te | 2
domains/program/ifconfig.te | 2
domains/program/init.te | 2
domains/program/initrc.te | 13 +
domains/program/logrotate.te | 2
domains/program/modutil.te | 8
domains/program/newrole.te | 4
domains/program/restorecon.te | 4
domains/program/setfiles.te | 2
domains/program/ssh.te | 2
domains/program/su.te | 4
domains/program/syslogd.te | 4
domains/program/tmpreaper.te | 2
domains/program/unused/NetworkManager.te | 10 +
domains/program/unused/amanda.te | 21 +-
domains/program/unused/apache.te | 16 +
domains/program/unused/apmd.te | 13 +
domains/program/unused/auditd.te | 6
domains/program/unused/avahi.te | 31 +++
domains/program/unused/bluetooth.te | 57 +++++
domains/program/unused/cups.te | 11 -
domains/program/unused/dbusd.te | 2
domains/program/unused/dhcpc.te | 3
domains/program/unused/dhcpd.te | 3
domains/program/unused/exim.te | 309 +++++++++++++++++++++++++++++++
domains/program/unused/ftpd.te | 6
domains/program/unused/hald.te | 5
domains/program/unused/hotplug.te | 5
domains/program/unused/ipsec.te | 2
domains/program/unused/kudzu.te | 3
domains/program/unused/mysqld.te | 6
domains/program/unused/named.te | 17 +
domains/program/unused/nscd.te | 1
domains/program/unused/ntpd.te | 5
domains/program/unused/pamconsole.te | 2
domains/program/unused/pegasus.te | 15 +
domains/program/unused/ping.te | 2
domains/program/unused/postfix.te | 54 +++--
domains/program/unused/postgresql.te | 11 -
domains/program/unused/pppd.te | 22 +-
domains/program/unused/rpcd.te | 16 +
domains/program/unused/rpm.te | 4
domains/program/unused/rsync.te | 3
domains/program/unused/samba.te | 6
domains/program/unused/saslauthd.te | 1
domains/program/unused/sendmail.te | 3
domains/program/unused/snmpd.te | 1
domains/program/unused/spamd.te | 28 --
domains/program/unused/udev.te | 8
domains/program/unused/webalizer.te | 3
domains/program/unused/xdm.te | 2
domains/program/unused/yppasswdd.te | 40 ++++
domains/program/unused/ypserv.te | 8
file_contexts/distros.fc | 1
file_contexts/program/apache.fc | 3
file_contexts/program/avahi.fc | 4
file_contexts/program/backup.fc | 2
file_contexts/program/bluetooth.fc | 2
file_contexts/program/compat.fc | 7
file_contexts/program/dhcpc.fc | 1
file_contexts/program/dhcpd.fc | 5
file_contexts/program/exim.fc | 18 +
file_contexts/program/ftpd.fc | 5
file_contexts/program/games.fc | 3
file_contexts/program/kudzu.fc | 2
file_contexts/program/pegasus.fc | 6
file_contexts/program/rshd.fc | 1
file_contexts/program/rsync.fc | 2
file_contexts/program/squid.fc | 3
file_contexts/program/yppasswdd.fc | 2
file_contexts/types.fc | 4
genfs_contexts | 1
macros/base_user_macros.te | 7
macros/global_macros.te | 25 --
macros/home_macros.te | 9
macros/program/chkpwd_macros.te | 7
macros/program/dbusd_macros.te | 1
macros/program/exim_macros.te | 75 +++++++
macros/program/su_macros.te | 2
macros/program/ypbind_macros.te | 1
macros/user_macros.te | 1
man/man8/ftpd_selinux.8 | 19 +
man/man8/httpd_selinux.8 | 9
man/man8/rsync_selinux.8 | 12 -
man/man8/samba_selinux.8 | 9
mcs | 194 ++++++-------------
mls | 227 ++++++++--------------
targeted/assert.te | 2
targeted/domains/program/compat.te | 1
targeted/domains/program/sendmail.te | 1
targeted/domains/program/ssh.te | 2
targeted/domains/program/xdm.te | 4
targeted/domains/unconfined.te | 8
tunables/distro.tun | 2
tunables/tunable.tun | 4
types/devpts.te | 4
types/file.te | 43 +---
types/network.te | 10 -
types/nfs.te | 1
types/security.te | 2
104 files changed, 1092 insertions(+), 510 deletions(-)
Index: policy-20051021.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-strict/devel/policy-20051021.patch,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- policy-20051021.patch 31 Oct 2005 16:06:49 -0000 1.12
+++ policy-20051021.patch 3 Nov 2005 18:57:05 -0000 1.13
@@ -363,7 +363,7 @@
############################
diff --exclude-from=exclude -N -u -r
nsapolicy/domains/program/unused/apache.te
policy-1.27.2/domains/program/unused/apache.te
--- nsapolicy/domains/program/unused/apache.te 2005-10-21 11:36:15.000000000
-0400
-+++ policy-1.27.2/domains/program/unused/apache.te 2005-10-27
10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/apache.te 2005-11-03
09:09:38.000000000 -0500
@@ -225,7 +225,7 @@
# Creation of lock files for apache2
lock_domain(httpd)
@@ -373,7 +373,15 @@
anonymous_domain(httpd)
# connect to mysql
-@@ -308,9 +308,9 @@
+@@ -262,6 +262,7 @@
+ allow httpd_t mnt_t:dir r_dir_perms;
+
+ ifdef(`targeted_policy', `
++domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)
+ typealias httpd_sys_content_t alias httpd_user_content_t;
+ typealias httpd_sys_script_exec_t alias httpd_user_script_exec_t;
+
+@@ -308,9 +309,9 @@
if (httpd_tty_comm) {
allow { httpd_t httpd_helper_t } devpts_t:dir search;
ifdef(`targeted_policy', `
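Review bot: The restored `domain_auto_trans(unconfined_t, httpd_exec_t, httpd_t)` at L149 carries no comment saying why it is needed, and the commit message only says "Add back", so the next rebase of this patch cannot tell whether its earlier absence was a bug or a deliberate relaxation. Suggest a comment on the line above it: `# targeted: httpd launched from an unconfined shell must still transition into httpd_t`. It sits inside the `ifdef(`targeted_policy'` block at L148, so the strict build presumably is unaffected, but that block and the rest of the inner @@ -262 hunk continue outside this hunk.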
@@ -385,7 +393,7 @@
} else {
dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
}
-@@ -370,13 +370,13 @@
+@@ -370,13 +371,13 @@
allow httpd_suexec_t autofs_t:dir { search getattr };
tmp_domain(httpd_suexec)
@@ -401,7 +409,7 @@
domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
create_dir_file(httpd_t, httpdcontent)
}
-@@ -407,3 +407,8 @@
+@@ -407,3 +408,8 @@
allow system_mail_t httpd_squirrelmail_t:file { append read };
dontaudit system_mail_t httpd_t:tcp_socket { read write };
')
@@ -1175,13 +1183,13 @@
diff --exclude-from=exclude -N -u -r
nsapolicy/domains/program/unused/pegasus.te
policy-1.27.2/domains/program/unused/pegasus.te
--- nsapolicy/domains/program/unused/pegasus.te 2005-10-20
15:53:02.000000000 -0400
-+++ policy-1.27.2/domains/program/unused/pegasus.te 2005-10-27
10:26:28.000000000 -0400
++++ policy-1.27.2/domains/program/unused/pegasus.te 2005-10-31
15:19:43.000000000 -0500
@@ -7,17 +7,20 @@
#
# Rules for the pegasus domain
#
-daemon_domain(pegasus, `, nscd_client_domain')
-+daemon_domain(pegasus, `, nscd_client_domain, auth')
++daemon_domain(pegasus, `, nscd_client_domain, auth_chkpwd')
type pegasus_data_t, file_type, sysadmfile;
type pegasus_conf_t, file_type, sysadmfile;
+typealias sbin_t alias pegasus_conf_exec_t;
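Review bot: Moving pegasus from the `auth` attribute to `auth_chkpwd` (L190) together with dropping the direct `shadow_t` read in the later hunk at @@ -1209,7 +1217,6 @@ narrows the daemon to authenticating through the chkpwd helper path, presumably unix_chkpwd, but nothing in pegasus.te records that intent. Suggest a comment above the daemon_domain line: `# PAM auth via the chkpwd helper (auth_chkpwd); pegasus_t must not read shadow_t directly`. The inner @@ -7,17 hunk that this daemon_domain line belongs to continues past the end of this outer hunk.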
@@ -1200,7 +1208,7 @@
allow pegasus_t { pegasus_http_port_t pegasus_https_port_t }:tcp_socket {
name_bind name_connect };
allow pegasus_t proc_t:file { getattr read };
allow pegasus_t sysctl_vm_t:dir search;
-@@ -26,6 +29,9 @@
+@@ -26,6 +29,8 @@
r_dir_file(pegasus_t, etc_t)
r_dir_file(pegasus_t, var_lib_t)
r_dir_file(pegasus_t, pegasus_mof_t)
@@ -1209,7 +1217,6 @@
+file_type_auto_trans(pegasus_t, pegasus_conf_t, pegasus_data_t)
rw_dir_create_file(pegasus_t, pegasus_data_t)
-rw_dir_create_file(pegasus_conf_exec_t, pegasus_conf_t)
-+allow pegasus_t shadow_t:file { getattr read };
+dontaudit pegasus_t selinux_config_t:dir search;
+
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ping.te
policy-1.27.2/domains/program/unused/ping.te
@@ -1556,8 +1563,17 @@
+allow rsync_t self:capability sys_chroot;
diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te
policy-1.27.2/domains/program/unused/samba.te
--- nsapolicy/domains/program/unused/samba.te 2005-10-21 11:36:15.000000000
-0400
-+++ policy-1.27.2/domains/program/unused/samba.te 2005-10-27
10:26:28.000000000 -0400
-@@ -78,9 +78,10 @@
++++ policy-1.27.2/domains/program/unused/samba.te 2005-11-03
13:34:23.000000000 -0500
+@@ -46,7 +46,7 @@
+ allow smbd_t smbd_port_t:tcp_socket name_bind;
+
+ # Use capabilities.
+-allow smbd_t self:capability { setgid setuid sys_resource net_bind_service
lease dac_override dac_read_search };
++allow smbd_t self:capability { fowner setgid setuid sys_resource
net_bind_service lease dac_override dac_read_search };
+
+ # Use the network.
+ can_network(smbd_t)
+@@ -78,14 +78,16 @@
dontaudit smbd_t samba_log_t:dir remove_name;
ifdef(`hide_broken_symptoms', `
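Review bot: The new `fowner` capability granted to smbd_t at L230-231 has no comment explaining which operation needed it and is not mentioned in the commit message; CAP_FOWNER lets the daemon change mode, timestamps or ACLs of files it does not own, so the trigger should be recorded next to the grant. Suggest a comment on the line above the allow: `# fowner: needed for <operation> on share files smbd does not own -- confirm against the denial that prompted it`. The inner @@ -78,14 +78,16 hunk's new context lines continue in the next outer hunk of this file.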
@@ -1569,6 +1585,12 @@
allow smbd_t usr_t:file { getattr read };
+ # Access Samba shares.
+ create_dir_file(smbd_t, samba_share_t)
++
+ anonymous_domain(smbd)
+
+ ifdef(`logrotate.te', `
diff --exclude-from=exclude -N -u -r
nsapolicy/domains/program/unused/saslauthd.te
policy-1.27.2/domains/program/unused/saslauthd.te
--- nsapolicy/domains/program/unused/saslauthd.te 2005-09-16
11:17:10.000000000 -0400
+++ policy-1.27.2/domains/program/unused/saslauthd.te 2005-10-31
09:50:32.000000000 -0500
@@ -1746,6 +1768,21 @@
+can_exec(yppasswdd_t, { bin_t shell_exec_t hostname_exec_t })
+allow yppasswdd_t self:fifo_file rw_file_perms;
+rw_dir_create_file(yppasswdd_t, var_yp_t)
+diff --exclude-from=exclude -N -u -r
nsapolicy/domains/program/unused/ypserv.te
policy-1.27.2/domains/program/unused/ypserv.te
+--- nsapolicy/domains/program/unused/ypserv.te 2005-10-21 11:36:15.000000000
-0400
++++ policy-1.27.2/domains/program/unused/ypserv.te 2005-11-03
11:08:20.000000000 -0500
+@@ -40,3 +40,11 @@
+ allow ypserv_t reserved_port_t:{ udp_socket tcp_socket } name_bind;
+ dontaudit ypserv_t reserved_port_type:{ tcp_socket udp_socket } name_bind;
+ can_exec(ypserv_t, bin_t)
++
++application_domain(ypxfr, `, nscd_client_domain')
++can_network_client(ypxfr_t)
++allow ypxfr_t etc_t:file { getattr read };
++allow ypxfr_t portmap_port_t:tcp_socket name_connect;
++allow ypxfr_t reserved_port_t:tcp_socket name_connect;
++dontaudit ypxfr_t reserved_port_type:tcp_socket name_connect;
++allow ypxfr_t self:unix_stream_socket create_stream_socket_perms;
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/distros.fc
policy-1.27.2/file_contexts/distros.fc
--- nsapolicy/file_contexts/distros.fc 2005-10-21 11:36:15.000000000 -0400
+++ policy-1.27.2/file_contexts/distros.fc 2005-10-27 10:26:28.000000000
-0400
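Review bot: The new `ypxfr` domain at L269-275 is given network-client access plus `name_connect` to portmap and reserved ports, but neither this hunk nor the diffstat shows a file context for a ypxfr executable or a rule transitioning into ypxfr_t (no ypserv.fc entry; only yppasswdd.fc and types.fc change, and their content is not shown), so the domain may be unreachable as committed — confirm where ypxfr_exec_t is labelled and which domain enters it. A header comment above the application_domain line would help, e.g. `# ypxfr: NIS map transfer client; entered from <caller domain> -- confirm`. Since L273 already allows name_connect to reserved_port_t, the dontaudit at L274 only silences the remaining reserved_port_type denials, which is fine but worth a word. The inner @@ -40,3 +40,11 hunk ends at L275.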
@@ -1759,7 +1796,7 @@
/usr/lib/.*/program/libicudata\.so.* --
system_u:object_r:texrel_shlib_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc
policy-1.27.2/file_contexts/program/apache.fc
--- nsapolicy/file_contexts/program/apache.fc 2005-09-16 11:17:10.000000000
-0400
-+++ policy-1.27.2/file_contexts/program/apache.fc 2005-10-27
10:26:28.000000000 -0400
++++ policy-1.27.2/file_contexts/program/apache.fc 2005-10-31
11:34:40.000000000 -0500
@@ -9,6 +9,8 @@
/var/cache/httpd(/.*)? system_u:object_r:httpd_cache_t
/var/cache/php-eaccelerator(/.*)? system_u:object_r:httpd_cache_t
@@ -1769,6 +1806,14 @@
/etc/httpd -d system_u:object_r:httpd_config_t
/etc/httpd/conf.* system_u:object_r:httpd_config_t
/etc/httpd/logs system_u:object_r:httpd_log_t
+@@ -30,6 +32,7 @@
+ /var/cache/mod_ssl(/.*)? system_u:object_r:httpd_cache_t
+ /var/run/apache.* system_u:object_r:httpd_var_run_t
+ /var/lib/httpd(/.*)? system_u:object_r:httpd_var_lib_t
++/var/lib/dav(/.*)? system_u:object_r:httpd_var_lib_t
+ /var/lib/php/session(/.*)? system_u:object_r:httpd_var_run_t
+ /etc/apache-ssl(2)?(/.*)? system_u:object_r:httpd_config_t
+ /usr/lib/apache-ssl/.+ -- system_u:object_r:httpd_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/avahi.fc
policy-1.27.2/file_contexts/program/avahi.fc
--- nsapolicy/file_contexts/program/avahi.fc 1969-12-31 19:00:00.000000000
-0500
+++ policy-1.27.2/file_contexts/program/avahi.fc 2005-10-28
20:52:18.000000000 -0400
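Review bot: The new `/var/lib/dav(/.*)?` context at L303 labels the directory httpd_var_lib_t, but whether httpd_t can write that type is not visible here; mod_dav's lock database under /var/lib/dav is written at runtime, so if httpd_var_lib_t is read-only for httpd_t the lock file creation would be denied — confirm against apache.te. A short comment on the line, `# mod_dav lock database (written by httpd at runtime)`, would make the intent clear. The inner @@ -30,6 +32,7 hunk is complete within this outer hunk.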
@@ -1795,6 +1840,30 @@
/usr/sbin/hid2hci -- system_u:object_r:bluetooth_exec_t
+/usr/bin/blue.*pin -- system_u:object_r:bluetooth_helper_exec_t
+/var/lib/bluetooth(/.*)? system_u:object_r:bluetooth_var_lib_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/compat.fc
policy-1.27.2/file_contexts/program/compat.fc
+--- nsapolicy/file_contexts/program/compat.fc 2005-09-12 16:40:27.000000000
-0400
++++ policy-1.27.2/file_contexts/program/compat.fc 2005-11-03
08:51:12.000000000 -0500
+@@ -43,6 +43,7 @@
+ /sbin/hdparm -- system_u:object_r:fsadm_exec_t
+ /sbin/raidstart -- system_u:object_r:fsadm_exec_t
+ /sbin/mkraid -- system_u:object_r:fsadm_exec_t
++/sbin/dmraid -- system_u:object_r:fsadm_exec_t
+ /sbin/blockdev -- system_u:object_r:fsadm_exec_t
+ /sbin/losetup.* -- system_u:object_r:fsadm_exec_t
+ /sbin/jfs_.* -- system_u:object_r:fsadm_exec_t
+@@ -55,6 +56,12 @@
+ /usr/bin/partition_uuid -- system_u:object_r:fsadm_exec_t
+ /sbin/partprobe -- system_u:object_r:fsadm_exec_t
+ ')
++ifdef(`lvm.te', `', `
++/sbin/lvm.static -- system_u:object_r:lvm_exec_t
++')
++ifdef(`lvm.te', `', `
++/sbin/lvm.static -- system_u:object_r:lvm_exec_t
++')
+ ifdef(`kudzu.te', `', `
+ # kudzu
+ /usr/sbin/kudzu -- system_u:object_r:kudzu_exec_t
diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/dhcpc.fc
policy-1.27.2/file_contexts/program/dhcpc.fc
--- nsapolicy/file_contexts/program/dhcpc.fc 2005-10-21 11:36:15.000000000
-0400
+++ policy-1.27.2/file_contexts/program/dhcpc.fc 2005-10-27
10:26:28.000000000 -0400
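Review bot: The `ifdef(`lvm.te', ...)` block that labels /sbin/lvm.static as lvm_exec_t is added twice in this hunk (L335-337 and again at L338-340); the second copy is a copy-paste duplicate and should be dropped. It is harmless to setfiles, but it will be carried into every future rebase of the patch. The /sbin/dmraid entry at L327 is consistent with the neighbouring raid tools labelled fsadm_exec_t.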
@@ -2878,6 +2947,14 @@
# Confined domains must never see /proc/pid entries for an unconfined domain.
neverallow { domain -unrestricted -snmpd_t } unconfined_t:dir { getattr
search };
+diff --exclude-from=exclude -N -u -r
nsapolicy/targeted/domains/program/compat.te
policy-1.27.2/targeted/domains/program/compat.te
+--- nsapolicy/targeted/domains/program/compat.te 2005-09-12
16:40:26.000000000 -0400
++++ policy-1.27.2/targeted/domains/program/compat.te 2005-11-03
08:51:29.000000000 -0500
+@@ -1,3 +1,4 @@
+ typealias bin_t alias mount_exec_t;
+ typealias bin_t alias dmesg_exec_t;
+ typealias bin_t alias loadkeys_exec_t;
++typealias sbin_t alias lvm_exec_t;
diff --exclude-from=exclude -N -u -r
nsapolicy/targeted/domains/program/sendmail.te
policy-1.27.2/targeted/domains/program/sendmail.te
--- nsapolicy/targeted/domains/program/sendmail.te 2005-09-12
16:40:26.000000000 -0400
+++ policy-1.27.2/targeted/domains/program/sendmail.te 2005-10-27
10:26:29.000000000 -0400
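Review bot: `typealias sbin_t alias lvm_exec_t;` at L365 presumably exists so the compat.fc entry for /sbin/lvm.static (guarded by `ifdef(`lvm.te', `', ...)` earlier in this patch) resolves in the targeted build where lvm.te is not compiled in, but the line has no comment tying the two together. Suggest a comment above it: `# lvm_exec_t only exists when lvm.te is built; alias to sbin_t so compat.fc's lvm.static entry resolves`. The inner @@ -1,3 +1,4 hunk is complete within this outer hunk.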
Index: selinux-policy-strict.spec
===================================================================
RCS file:
/cvs/dist/rpms/selinux-policy-strict/devel/selinux-policy-strict.spec,v
retrieving revision 1.411
retrieving revision 1.412
diff -u -r1.411 -r1.412
--- selinux-policy-strict.spec 31 Oct 2005 16:06:49 -0000 1.411
+++ selinux-policy-strict.spec 3 Nov 2005 18:57:05 -0000 1.412
@@ -9,7 +9,7 @@
Summary: SELinux %{type} policy configuration
Name: selinux-policy-%{type}
Version: 1.27.2
-Release: 11
+Release: 12
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -245,6 +245,11 @@
exit 0
%changelog
+* Thu Nov 3 2005 Dan Walsh <dwalsh@xxxxxxxxxx> 1.27.2-12
+- Add Russell patch to allow transition to strict policy
+- Allow pegasus to use pam
+- Add back transtion from unconfined_t to httpd_t
+
* Mon Oct 31 2005 Dan Walsh <dwalsh@xxxxxxxxxx> 1.27.2-11
- Fix spamc and postfix