[selinux-policy/f14/master] * Thu Aug 5 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-11 - Fix nis calls to allow bind to ports 512-1
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Aug 5 19:20:07 UTC 2010
commit 95c3d3a8fc1eb7edc0a5797e981023a0ce10884d
Author: Dan Walsh <dwalsh at redhat.com>
Date: Thu Aug 5 15:20:02 2010 -0400
* Thu Aug 5 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-11
- Fix nis calls to allow bind to ports 512-1024
- Fix smartmon
policy-F14.patch | 83 ++++++++++++++++++++++++++++++++++++++-------------
selinux-policy.spec | 6 +++-
2 files changed, 67 insertions(+), 22 deletions(-)
---
diff --git a/policy-F14.patch b/policy-F14.patch
index ca3d6d5..7d4f405 100644
--- a/policy-F14.patch
+++ b/policy-F14.patch
@@ -3266,7 +3266,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.fc
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/gnome.if serefpolicy-3.8.8/policy/modules/apps/gnome.if
--- nsaserefpolicy/policy/modules/apps/gnome.if 2010-07-27 16:06:04.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/apps/gnome.if 2010-08-05 09:43:28.000000000 -0400
@@ -74,6 +74,24 @@
########################################
@@ -8394,7 +8394,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
+/nsr/logs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.8.8/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-03 13:27:30.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/files.if 2010-08-05 14:54:37.000000000 -0400
@@ -1053,10 +1053,8 @@
relabel_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
relabel_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
@@ -9427,7 +9427,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
+/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.if serefpolicy-3.8.8/policy/modules/kernel/storage.if
--- nsaserefpolicy/policy/modules/kernel/storage.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/kernel/storage.if 2010-08-05 14:41:46.000000000 -0400
@@ -101,6 +101,8 @@
dev_list_all_dev_nodes($1)
allow $1 fixed_disk_device_t:blk_file read_blk_file_perms;
@@ -9437,6 +9437,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storag
typeattribute $1 fixed_disk_raw_read;
')
+@@ -203,6 +205,8 @@
+ type fixed_disk_device_t;
+ ')
+
++ allow $1 self:capability mknod;
++
+ allow $1 fixed_disk_device_t:blk_file create_blk_file_perms;
+ dev_add_entry_generic_dirs($1)
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/terminal.if serefpolicy-3.8.8/policy/modules/kernel/terminal.if
--- nsaserefpolicy/policy/modules/kernel/terminal.if 2010-07-27 16:12:33.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/kernel/terminal.if 2010-08-03 13:44:23.000000000 -0400
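Review bot: The added `allow $1 self:capability mknod;` in the new inner hunk on storage.if grants CAP_MKNOD to every domain that calls this interface, not only the smartmon domain the changelog names as the motivation, and the existing caller set of a kernel-layer interface is not visible here. The grant is coherent with the `create_blk_file_perms` rule on the line below it, since creating a device node with mknod(2) normally needs that capability, but it widens existing callers silently; the interface's name and `<summary>` header are outside the hunk, so confirm the summary states that it confers mknod. A why-comment would help later readers, e.g. `# creating a block device node needs CAP_MKNOD`. The spec changelog's `- Fix smartmon` does not say a shared kernel-layer interface changed; a line naming the interface would make that explicit.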
@@ -14787,7 +14796,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobbler.te serefpolicy-3.8.8/policy/modules/services/cobbler.te
--- nsaserefpolicy/policy/modules/services/cobbler.te 2010-07-27 16:06:05.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/cobbler.te 2010-08-05 09:43:50.000000000 -0400
@@ -1,3 +1,4 @@
+
policy_module(cobbler, 1.1.0)
@@ -14936,7 +14945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
+
+init_dontaudit_read_all_script_files(cobblerd_t)
+
-+term_dontaudit_use_console(cobblerd_t)
++term_use_console(cobblerd_t)
miscfiles_read_localization(cobblerd_t)
miscfiles_read_public_files(cobblerd_t)
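Review bot: Replacing `term_dontaudit_use_console(cobblerd_t)` with `term_use_console(cobblerd_t)` turns a silenced denial into a read/write grant on the console for a long-running daemon, yet neither the commit message nor the spec changelog mentions it; both list only the nis and smartmon fixes. A new allow rule deserves a recorded reason (the denial that prompted it), so add a changelog line such as `- Allow cobblerd to use the console`, and if the access is only needed while the init script runs, check whether a narrower terminal interface would do. The same undocumented-change point applies to the `files_dontaudit_search_home(ipsec_t)` line added in the ipsec.te hunk further down, though that one is a dontaudit and does not widen access.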
@@ -14992,7 +15001,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
dhcpd_domtrans(cobblerd_t)
dhcpd_initrc_domtrans(cobblerd_t)
')
-@@ -110,12 +209,20 @@
+@@ -106,16 +205,28 @@
+ ')
+
+ optional_policy(`
++ gnome_dontaudit_search_config(cobblerd_t)
++')
++
++optional_policy(`
+ rpm_exec(cobblerd_t)
')
optional_policy(`
@@ -15016,7 +15033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cobb
')
########################################
-@@ -123,6 +230,18 @@
+@@ -123,6 +234,18 @@
# Cobbler web local policy.
#
@@ -19916,7 +19933,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
/var/yp(/.*)? gen_context(system_u:object_r:var_yp_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.if serefpolicy-3.8.8/policy/modules/services/nis.if
--- nsaserefpolicy/policy/modules/services/nis.if 2010-07-27 16:12:33.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/nis.if 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/nis.if 2010-08-05 14:51:55.000000000 -0400
@@ -19,7 +19,7 @@
## </desc>
## <param name="domain">
@@ -19926,6 +19943,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
## </summary>
## </param>
#
+@@ -49,12 +49,12 @@
+ corenet_udp_bind_generic_node($1)
+ corenet_tcp_bind_generic_port($1)
+ corenet_udp_bind_generic_port($1)
+- corenet_dontaudit_tcp_bind_all_reserved_ports($1)
+- corenet_dontaudit_udp_bind_all_reserved_ports($1)
++ corenet_tcp_bind_all_rpc_ports($1)
++ corenet_udp_bind_all_rpc_ports($1)
+ corenet_dontaudit_tcp_bind_all_ports($1)
+ corenet_dontaudit_udp_bind_all_ports($1)
+ corenet_tcp_connect_portmap_port($1)
+- corenet_tcp_connect_reserved_port($1)
++ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_generic_port($1)
+ corenet_dontaudit_tcp_connect_all_ports($1)
+ corenet_sendrecv_portmap_client_packets($1)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.8.8/policy/modules/services/nscd.if
--- nsaserefpolicy/policy/modules/services/nscd.if 2010-07-27 16:12:33.000000000 -0400
+++ serefpolicy-3.8.8/policy/modules/services/nscd.if 2010-07-30 14:06:53.000000000 -0400
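Review bot: The inner hunk on nis.if replaces two dontaudit rules with `corenet_tcp_bind_all_rpc_ports($1)` and `corenet_udp_bind_all_rpc_ports($1)` and widens `corenet_tcp_connect_reserved_port($1)` to `corenet_tcp_connect_all_reserved_ports($1)`; this is a client-side interface whose header lies outside the hunk and which many domains reach indirectly, so every caller now gets bind on the whole rpc port label and connect to every reserved port where before the denials were merely silenced. The changelog wording "ports 512-1024" does not match what the rules say: the bind is keyed on the rpc port label, whose range is not visible here and should be confirmed, and 1024 is not a reserved port, so the entry presumably means 512-1023. The connect widening is not covered by the changelog's "bind" description at all; if the reported denial only concerned bind, keep the original `corenet_tcp_connect_reserved_port($1)` as the narrower fix. A why-comment above the new bind lines, describing the denial being fixed, would make the widening deliberate for the next reader.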
@@ -24347,7 +24380,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setr
rpm_read_db(setroubleshoot_fixit_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.8.8/policy/modules/services/smartmon.te
--- nsaserefpolicy/policy/modules/services/smartmon.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/services/smartmon.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/services/smartmon.te 2010-08-05 14:48:00.000000000 -0400
@@ -82,6 +82,8 @@
storage_raw_read_fixed_disk(fsdaemon_t)
storage_raw_write_fixed_disk(fsdaemon_t)
@@ -30103,7 +30136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.8.8/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2010-07-27 16:06:06.000000000 -0400
-+++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-07-30 14:06:53.000000000 -0400
++++ serefpolicy-3.8.8/policy/modules/system/ipsec.te 2010-08-05 14:55:13.000000000 -0400
@@ -72,7 +72,7 @@
#
@@ -30125,7 +30158,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
can_exec(ipsec_t, ipsec_mgmt_exec_t)
-@@ -166,6 +167,8 @@
+@@ -149,6 +150,7 @@
+ files_list_tmp(ipsec_t)
+ files_read_etc_files(ipsec_t)
+ files_read_usr_files(ipsec_t)
++files_dontaudit_search_home(ipsec_t)
+
+ fs_getattr_all_fs(ipsec_t)
+ fs_search_auto_mountpoints(ipsec_t)
+@@ -166,6 +168,8 @@
miscfiles_read_localization(ipsec_t)
sysnet_domtrans_ifconfig(ipsec_t)
@@ -30134,7 +30175,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_dontaudit_use_unpriv_user_fds(ipsec_t)
userdom_dontaudit_search_user_home_dirs(ipsec_t)
-@@ -184,8 +187,8 @@
+@@ -184,8 +188,8 @@
#
allow ipsec_mgmt_t self:capability { dac_override dac_read_search net_admin setpcap sys_nice };
@@ -30145,7 +30186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
allow ipsec_mgmt_t self:unix_stream_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:tcp_socket create_stream_socket_perms;
allow ipsec_mgmt_t self:udp_socket create_socket_perms;
-@@ -224,7 +227,6 @@
+@@ -224,7 +228,6 @@
manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
@@ -30153,7 +30194,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# whack needs to connect to pluto
stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
-@@ -243,6 +245,17 @@
+@@ -243,6 +246,17 @@
kernel_getattr_core_if(ipsec_mgmt_t)
kernel_getattr_message_if(ipsec_mgmt_t)
@@ -30171,7 +30212,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
files_read_kernel_symbol_table(ipsec_mgmt_t)
files_getattr_kernel_modules(ipsec_mgmt_t)
-@@ -257,7 +270,7 @@
+@@ -257,7 +271,7 @@
domain_use_interactive_fds(ipsec_mgmt_t)
# denials when ps tries to search /proc. Do not audit these denials.
@@ -30180,7 +30221,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# suppress audit messages about unnecessary socket access
# cjp: this seems excessive
domain_dontaudit_rw_all_udp_sockets(ipsec_mgmt_t)
-@@ -275,8 +288,11 @@
+@@ -275,8 +289,11 @@
fs_list_tmpfs(ipsec_mgmt_t)
term_use_console(ipsec_mgmt_t)
@@ -30193,7 +30234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
init_use_script_ptys(ipsec_mgmt_t)
init_exec_script_files(ipsec_mgmt_t)
init_use_fds(ipsec_mgmt_t)
-@@ -290,7 +306,9 @@
+@@ -290,7 +307,9 @@
seutil_dontaudit_search_config(ipsec_mgmt_t)
@@ -30203,7 +30244,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
userdom_use_user_terminals(ipsec_mgmt_t)
-@@ -299,6 +317,23 @@
+@@ -299,6 +318,23 @@
')
optional_policy(`
@@ -30227,7 +30268,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
nscd_socket_use(ipsec_mgmt_t)
')
-@@ -385,6 +420,8 @@
+@@ -385,6 +421,8 @@
sysnet_exec_ifconfig(racoon_t)
@@ -30236,7 +30277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
auth_can_read_shadow_passwords(racoon_t)
tunable_policy(`racoon_read_shadow',`
auth_tunable_read_shadow(racoon_t)
-@@ -411,6 +448,7 @@
+@@ -411,6 +449,7 @@
files_read_etc_files(setkey_t)
init_dontaudit_use_fds(setkey_t)
@@ -30244,7 +30285,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.
# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
-@@ -422,3 +460,4 @@
+@@ -422,3 +461,4 @@
seutil_read_config(setkey_t)
userdom_use_user_terminals(setkey_t)
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 9db7cdd..72a8fda 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.8.8
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
%endif
%changelog
+* Thu Aug 5 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-11
+- Fix nis calls to allow bind to ports 512-1024
+- Fix smartmon
+
* Wed Aug 4 2010 Dan Walsh <dwalsh at redhat.com> 3.8.8-10
- Allow pcscd to read sysfs
- systemd fixes