Author: dwalsh
Update of /cvs/dist/rpms/selinux-policy/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv6888
Modified Files:
policy-20070219.patch
Log Message:
* Thu Feb 15 2007 Dan Walsh <dwalsh@xxxxxxxxxx> 2.5.3-3
- Add sepolgen support
- Add bugzilla policy
policy-20070219.patch:
Rules.modular | 10
man/man8/kerberos_selinux.8 | 2
policy/flask/access_vectors | 4
policy/global_booleans | 2
policy/global_tunables | 64 ++++-
policy/mls | 31 ++
policy/modules/admin/acct.te | 1
policy/modules/admin/consoletype.te | 8
policy/modules/admin/dmesg.te | 1
policy/modules/admin/kudzu.te | 3
policy/modules/admin/netutils.te | 1
policy/modules/admin/prelink.te | 1
policy/modules/admin/quota.te | 1
policy/modules/admin/rpm.fc | 3
policy/modules/admin/rpm.if | 44 ++++
policy/modules/admin/rpm.te | 5
policy/modules/admin/su.if | 6
policy/modules/admin/sudo.if | 5
policy/modules/admin/usermanage.te | 14 +
policy/modules/apps/games.fc | 4
policy/modules/apps/gnome.if | 25 ++
policy/modules/apps/gpg.fc | 2
policy/modules/apps/gpg.if | 1
policy/modules/apps/loadkeys.if | 44 +---
policy/modules/apps/mozilla.if | 1
policy/modules/apps/wine.fc | 1
policy/modules/kernel/corecommands.fc | 4
policy/modules/kernel/corecommands.if | 52 ++++
policy/modules/kernel/corenetwork.if.in | 24 +-
policy/modules/kernel/corenetwork.te.in | 15 +
policy/modules/kernel/corenetwork.te.m4 | 4
policy/modules/kernel/devices.fc | 2
policy/modules/kernel/devices.if | 18 +
policy/modules/kernel/domain.if | 18 +
policy/modules/kernel/domain.te | 22 ++
policy/modules/kernel/files.if | 56 ++++-
policy/modules/kernel/filesystem.if | 20 +
policy/modules/kernel/kernel.if | 3
policy/modules/kernel/kernel.te | 2
policy/modules/kernel/mls.if | 20 +
policy/modules/kernel/mls.te | 3
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 20 +
policy/modules/kernel/terminal.te | 5
policy/modules/services/apache.fc | 20 +
policy/modules/services/apache.if | 158 ++++++++++++++
policy/modules/services/apache.te | 18 +
policy/modules/services/apm.te | 2
policy/modules/services/automount.te | 1
policy/modules/services/bluetooth.te | 3
policy/modules/services/ccs.te | 1
policy/modules/services/clamav.te | 2
policy/modules/services/cron.fc | 1
policy/modules/services/cron.if | 33 +--
policy/modules/services/cron.te | 43 +++
policy/modules/services/cups.te | 1
policy/modules/services/cvs.te | 1
policy/modules/services/dbus.if | 58 +++++
policy/modules/services/dhcp.te | 2
policy/modules/services/ftp.te | 7
policy/modules/services/hal.fc | 2
policy/modules/services/hal.te | 19 +
policy/modules/services/inetd.te | 5
policy/modules/services/kerberos.if | 4
policy/modules/services/kerberos.te | 4
policy/modules/services/mta.te | 2
policy/modules/services/networkmanager.fc | 3
policy/modules/services/nis.if | 4
policy/modules/services/nis.te | 22 +-
policy/modules/services/nscd.if | 20 +
policy/modules/services/nscd.te | 4
policy/modules/services/pegasus.if | 27 ++
policy/modules/services/pegasus.te | 5
policy/modules/services/postfix.fc | 1
policy/modules/services/postfix.te | 4
policy/modules/services/procmail.te | 13 -
policy/modules/services/pyzor.if | 22 ++
policy/modules/services/pyzor.te | 7
policy/modules/services/ricci.te | 10
policy/modules/services/rpc.te | 26 ++
policy/modules/services/rsync.te | 1
policy/modules/services/samba.te | 2
policy/modules/services/setroubleshoot.te | 2
policy/modules/services/smartmon.te | 1
policy/modules/services/spamassassin.fc | 1
policy/modules/services/spamassassin.if | 41 +++
policy/modules/services/spamassassin.te | 15 +
policy/modules/services/squid.fc | 1
policy/modules/services/squid.if | 2
policy/modules/services/squid.te | 12 +
policy/modules/services/ssh.fc | 2
policy/modules/services/ssh.if | 39 +++
policy/modules/services/ssh.te | 5
policy/modules/services/uucp.te | 1
policy/modules/services/xserver.if | 2
policy/modules/system/authlogin.if | 87 ++++++-
policy/modules/system/authlogin.te | 3
policy/modules/system/fstools.fc | 1
policy/modules/system/fstools.te | 1
policy/modules/system/getty.te | 3
policy/modules/system/hostname.te | 14 +
policy/modules/system/init.if | 63 +++++
policy/modules/system/init.te | 26 ++
policy/modules/system/ipsec.if | 100 +++++++++
policy/modules/system/iptables.te | 8
policy/modules/system/libraries.fc | 4
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.te | 9
policy/modules/system/lvm.if | 23 ++
policy/modules/system/lvm.te | 18 +
policy/modules/system/miscfiles.fc | 2
policy/modules/system/miscfiles.if | 3
policy/modules/system/modutils.te | 3
policy/modules/system/mount.te | 10
policy/modules/system/raid.te | 4
policy/modules/system/selinuxutil.fc | 2
policy/modules/system/selinuxutil.if | 115 ++++++++++
policy/modules/system/selinuxutil.te | 126 +++--------
policy/modules/system/unconfined.fc | 1
policy/modules/system/unconfined.if | 1
policy/modules/system/unconfined.te | 15 +
policy/modules/system/userdomain.if | 329 ++++++++++++++++++++++--------
policy/modules/system/userdomain.te | 33 ++-
policy/modules/system/xen.te | 26 ++
policy/support/obj_perm_sets.spt | 2
126 files changed, 1919 insertions(+), 376 deletions(-)
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.1 -r 1.2 policy-20070219.patch
Index: policy-20070219.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy/devel/policy-20070219.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- policy-20070219.patch 20 Feb 2007 17:53:56 -0000 1.1
+++ policy-20070219.patch 20 Feb 2007 20:29:58 -0000 1.2
@@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/man/man8/kerberos_selinux.8
serefpolicy-2.5.4/man/man8/kerberos_selinux.8
--- nsaserefpolicy/man/man8/kerberos_selinux.8 2007-02-19 11:32:55.000000000
-0500
-+++ serefpolicy-2.5.4/man/man8/kerberos_selinux.8 2007-02-19
15:56:02.000000000 -0500
++++ serefpolicy-2.5.4/man/man8/kerberos_selinux.8 2007-02-19
16:01:52.000000000 -0500
@@ -23,7 +23,7 @@
.EX
setsebool -P krb5kdc_disable_trans 1
@@ -12,7 +12,7 @@
.PP
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/flask/access_vectors
serefpolicy-2.5.4/policy/flask/access_vectors
--- nsaserefpolicy/policy/flask/access_vectors 2006-11-16 17:15:00.000000000
-0500
-+++ serefpolicy-2.5.4/policy/flask/access_vectors 2007-02-19
15:56:02.000000000 -0500
++++ serefpolicy-2.5.4/policy/flask/access_vectors 2007-02-19
16:01:52.000000000 -0500
@@ -594,6 +594,8 @@
shmempwd
shmemgrp
@@ -33,7 +33,7 @@
class key
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_booleans
serefpolicy-2.5.4/policy/global_booleans
--- nsaserefpolicy/policy/global_booleans 2006-11-16 17:15:26.000000000
-0500
-+++ serefpolicy-2.5.4/policy/global_booleans 2007-02-19 15:56:02.000000000
-0500
++++ serefpolicy-2.5.4/policy/global_booleans 2007-02-19 16:01:52.000000000
-0500
@@ -4,7 +4,6 @@
# file should be used.
#
@@ -52,244 +52,88 @@
## <p>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables
serefpolicy-2.5.4/policy/global_tunables
--- nsaserefpolicy/policy/global_tunables 2007-02-19 11:32:54.000000000
-0500
-+++ serefpolicy-2.5.4/policy/global_tunables 2007-02-19 15:56:02.000000000
-0500
-@@ -66,14 +66,6 @@
-
- ## <desc>
- ## <p>
--## Allow ftp servers to login to local users and
--## read/write all files on the system, governed by DAC.
--## </p>
--## </desc>
--gen_tunable(allow_ftpd_full_access,false)
--
--## <desc>
--## <p>
- ## Allow ftp servers to use cifs
- ## used for public file transfer services.
- ## </p>
-@@ -90,6 +82,14 @@
-
- ## <desc>
- ## <p>
-+## Allow ftp servers to login to local users and
-+## read/write all files on the system, governed by DAC.
-+## </p>
-+## </desc>
-+gen_tunable(allow_ftpd_full_access,false)
-+
-+## <desc>
-+## <p>
- ## Allow gssd to read temp directory.
- ## </p>
++++ serefpolicy-2.5.4/policy/global_tunables 2007-02-19 17:17:41.000000000
-0500
+@@ -370,12 +370,6 @@
## </desc>
-@@ -336,13 +336,6 @@
-
- ## <desc>
- ## <p>
--## Allow ssh logins as sysadm_r:sysadm_t
--## </p>
--## </desc>
--gen_tunable(ssh_sysadm_login,false)
--
--## <desc>
--## <p>
- ## Configure stunnel to be a standalone daemon or
- ## inetd service.
- ## </p>
-@@ -365,17 +358,16 @@
-
- ## <desc>
- ## <p>
--## Allow xdm logins as sysadm
-+## Allow users to read system messages.
- ## </p>
- ## </desc>
--gen_tunable(xdm_sysadm_login,false)
-+gen_tunable(user_dmesg,false)
-
- ########################################
- #
- # Strict policy specific
- #
+ gen_tunable(xdm_sysadm_login,false)
+-########################################
+-#
+-# Strict policy specific
+-#
+-
-ifdef(`strict_policy',`
## <desc>
## <p>
## Control users use of ping and traceroute
-@@ -385,6 +377,45 @@
+@@ -528,6 +522,33 @@
## <desc>
## <p>
-+## Allow regular users direct mouse access
-+## </p>
-+## </desc>
-+gen_tunable(user_direct_mouse,false)
-+
-+## <desc>
-+## <p>
-+## Allow users to control network interfaces
-+## (also needs USERCTL=true)
++## Allow unlabeled packets to work on system
+## </p>
+## </desc>
-+gen_tunable(user_net_control,false)
++gen_tunable(allow_unlabeled_packets,true)
+
-+## <desc>
-+## <p>
-+## Allow user to r/w files on filesystems
-+## that do not have extended attributes (FAT, CDROM, FLOPPY)
-+## </p>
-+## </desc>
-+gen_tunable(user_rw_noexattrfile,false)
++########################################
++#
++# Targeted policy specific
++#
+
++ifdef(`targeted_policy',`
+## <desc>
+## <p>
-+## Allow users to run TCP servers (bind to ports and accept connection from
-+## the same domain and outside users) disabling this forces FTP passive mode
-+## and may change other protocols.
++## Allow all daemons to write corefiles to /
+## </p>
+## </desc>
-+gen_tunable(user_tcp_server,false)
++gen_tunable(allow_daemons_dump_core,false)
+
+## <desc>
+## <p>
-+## Allow w to display everyone
++## Allow unconfined to dyntrans to unconfined_execmem
+## </p>
+## </desc>
-+gen_tunable(user_ttyfile_stat,false)
++gen_tunable(allow_unconfined_execmem_dyntrans,false)
+
+## <desc>
+## <p>
- ## Allow gpg executable stack
+ ## Use lpd server instead of cups
## </p>
## </desc>
-@@ -520,6 +551,13 @@
-
- ## <desc>
- ## <p>
-+## Allow ssh logins as sysadm_r:sysadm_t
-+## </p>
-+## </desc>
-+gen_tunable(ssh_sysadm_login,false)
-+
-+## <desc>
-+## <p>
- ## Allow staff_r users to search the sysadm home
- ## dir and read files (such as ~/.bashrc)
- ## </p>
-@@ -528,91 +566,96 @@
-
- ## <desc>
- ## <p>
--## Use lpd server instead of cups
-+## Allow applications to write untrusted content
-+## If this is disallowed, no Internet content
-+## will be stored.
+@@ -587,14 +608,7 @@
## </p>
## </desc>
--gen_tunable(use_lpd_server,false)
-+gen_tunable(write_untrusted_content,false)
+ gen_tunable(write_untrusted_content,false)
+-')
+-
[...2296 lines suppressed...]
interface(`userdom_read_unpriv_users_tmp_files',`
ifdef(`targeted_policy',`
files_read_generic_tmp_files($1)
@@ -4919,7 +4311,7 @@
')
########################################
-@@ -5513,13 +5407,12 @@
+@@ -5513,13 +5500,12 @@
interface(`userdom_read_unpriv_users_tmp_symlinks',`
ifdef(`targeted_policy',`
files_read_generic_tmp_symlinks($1)
@@ -4938,7 +4330,7 @@
')
########################################
-@@ -5553,13 +5446,12 @@
+@@ -5553,13 +5539,12 @@
interface(`userdom_use_unpriv_users_ttys',`
ifdef(`targeted_policy',`
term_use_unallocated_ttys($1)
@@ -4957,7 +4349,7 @@
')
########################################
-@@ -5576,13 +5468,12 @@
+@@ -5576,13 +5561,12 @@
interface(`userdom_dontaudit_use_unpriv_users_ttys',`
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys($1)
@@ -4976,7 +4368,7 @@
')
########################################
-@@ -5754,3 +5645,276 @@
+@@ -5754,3 +5738,184 @@
allow $1 user_home_dir_t:dir manage_dir_perms;
files_home_filetrans($1,user_home_dir_t,dir)
')
@@ -5121,98 +4513,6 @@
+
+########################################
+## <summary>
-+## Allow user to run as a secadm
-+## </summary>
-+## <desc>
-+## <p>
-+## Create objects in a user home directory
-+## with an automatic type transition to
-+## a specified private type.
-+## </p>
-+## <p>
-+## This is a templated interface, and should only
-+## be called from a per-userdomain template.
-+## </p>
-+## </desc>
-+## <param name="userdomain_prefix">
-+## <summary>
-+## The prefix of the user domain (e.g., user
-+## is the prefix for user_t).
-+## </summary>
-+## </param>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+## <param name="role">
-+## <summary>
-+## The role of the object to create.
-+## </summary>
-+## </param>
-+## <param name="object_class">
-+## <summary>
-+## The terminal
-+## </summary>
-+## </param>
-+#
-+template(`userdom_security_administrator',`
-+ allow $1 self:capability { dac_read_search dac_override };
-+
-+ selinux_set_enforce_mode($1)
-+ selinux_set_boolean($1)
-+ selinux_set_parameters($1)
-+
-+ seutil_manage_bin_policy($1)
-+ seutil_run_checkpolicy($1,$2,$3)
-+ seutil_run_loadpolicy($1,$2,$3)
-+ seutil_run_semanage($1,$2,$3)
-+ seutil_run_setfiles($1, $2, $3)
-+ seutil_run_restorecon($1,$2,$3)
-+
-+ corecmd_exec_shell($1)
-+ consoletype_exec($1)
-+
-+ dmesg_exec($1)
-+
-+ domain_obj_id_change_exemption($1)
-+
-+ files_create_boot_flag($1)
-+
-+ # Necessary for managing /boot/efi
-+ fs_manage_dos_files($1)
-+
-+ mls_process_read_up($1)
-+ mls_file_read_up($1)
-+ mls_file_upgrade($1)
-+ mls_file_downgrade($1)
-+
-+ auth_relabel_all_files_except_shadow($1)
-+ auth_relabel_shadow($1)
-+
-+ dev_relabel_all_dev_nodes($1)
-+
-+ init_exec($1)
-+
-+ logging_send_syslog_msg($1)
-+ logging_read_audit_log($1)
-+ logging_read_generic_logs($1)
-+ logging_read_audit_config($1)
-+
-+ userdom_dontaudit_append_staff_home_content_files($1)
-+ userdom_dontaudit_read_sysadm_home_content_files($1)
-+
-+ optional_policy(`
-+ netlabel_run_mgmt($1,$2, $3)
-+ ')
-+ optional_policy(`
-+ aide_run($1,$2, $3)
-+ ')
-+
-+')
-+
-+########################################
-+## <summary>
+## getattr all executables
+## </summary>
+## <param name="domain">
@@ -5255,7 +4555,7 @@
+
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/userdomain.te
serefpolicy-2.5.4/policy/modules/system/userdomain.te
--- nsaserefpolicy/policy/modules/system/userdomain.te 2007-02-19
11:32:53.000000000 -0500
-+++ serefpolicy-2.5.4/policy/modules/system/userdomain.te 2007-02-19
15:56:03.000000000 -0500
++++ serefpolicy-2.5.4/policy/modules/system/userdomain.te 2007-02-19
16:43:17.000000000 -0500
@@ -24,6 +24,9 @@
# users home directory contents
attribute home_type;
@@ -5278,21 +4578,16 @@
# user role change rules:
# sysadm_r can change to user roles
-@@ -396,9 +399,12 @@
- seutil_run_runinit(sysadm_t,sysadm_r,admin_terminal)
+@@ -397,6 +400,9 @@
ifdef(`enable_mls',`
-- userdom_security_admin_template(secadm_t,secadm_r,{
secadm_tty_device_t sysadm_devpts_t })
-+ userdom_security_administrator(secadm_t,secadm_r,{
secadm_tty_device_t sysadm_devpts_t })
+ userdom_security_admin_template(secadm_t,secadm_r,{
secadm_tty_device_t sysadm_devpts_t })
+# tunable_policy(`allow_sysadm_manage_security',`
-+
userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
++
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
+# ')
', `
--
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
-+
userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
+
userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)
')
- ')
-
@@ -423,6 +429,9 @@
')
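Review bot: In the enable_mls branch of userdomain.te the new side leaves the tunable_policy wrapper around the sysadm grant commented out (the two added lines beginning `# tunable_policy(` and `# ')`), so `userdom_security_admin_template(sysadm_t,sysadm_r,admin_terminal)` is applied unconditionally whenever MLS is enabled, exactly as in the non-MLS branch below it. That collapses the sysadm_r/secadm_r separation of duties the MLS branch otherwise keeps by giving secadm_t that template on its own, and the commented lines read as an unfinished toggle rather than a deliberate decision. Either uncomment the wrapper so the grant is gated by the boolean, or drop the two `#` lines and add a comment stating that sysadm_t is intentionally given security-administration access under MLS. I cannot see from this part of the patch whether allow_sysadm_manage_security is declared anywhere; if it is not, enabling the wrapper would also need `gen_tunable(allow_sysadm_manage_security,false)` in global_tunables.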
@@ -5339,7 +4634,7 @@
')
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/modules/system/xen.te
serefpolicy-2.5.4/policy/modules/system/xen.te
--- nsaserefpolicy/policy/modules/system/xen.te 2007-01-02
12:57:49.000000000 -0500
-+++ serefpolicy-2.5.4/policy/modules/system/xen.te 2007-02-19
15:56:03.000000000 -0500
++++ serefpolicy-2.5.4/policy/modules/system/xen.te 2007-02-19
16:01:52.000000000 -0500
@@ -166,8 +166,13 @@
files_manage_etc_runtime_files(xend_t)
files_etc_filetrans_etc_runtime(xend_t,file)
@@ -5394,7 +4689,7 @@
+fs_read_dos_files(xend_t)
diff --exclude-from=exclude -N -u -r
nsaserefpolicy/policy/support/obj_perm_sets.spt
serefpolicy-2.5.4/policy/support/obj_perm_sets.spt
--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-01-02
12:57:51.000000000 -0500
-+++ serefpolicy-2.5.4/policy/support/obj_perm_sets.spt 2007-02-19
15:56:03.000000000 -0500
++++ serefpolicy-2.5.4/policy/support/obj_perm_sets.spt 2007-02-19
16:01:52.000000000 -0500
@@ -215,7 +215,7 @@
define(`getattr_file_perms',`{ getattr }')
define(`setattr_file_perms',`{ setattr }')
@@ -5406,7 +4701,7 @@
define(`write_file_perms',`{ getattr write append lock ioctl }')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular
serefpolicy-2.5.4/Rules.modular
--- nsaserefpolicy/Rules.modular 2006-11-16 17:15:29.000000000 -0500
-+++ serefpolicy-2.5.4/Rules.modular 2007-02-19 15:56:03.000000000 -0500
++++ serefpolicy-2.5.4/Rules.modular 2007-02-19 16:01:52.000000000 -0500
@@ -219,6 +219,16 @@
########################################