rpms/selinux-policy/F-12 booleans-targeted.conf, 1.60, 1.61 policy-20100106.patch, 1.6, 1.7 selinux-policy.spec, 1.995, 1.996
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Jan 15 17:09:03 UTC 2010
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3631
Modified Files:
booleans-targeted.conf policy-20100106.patch
selinux-policy.spec
Log Message:
- Allow hotplug to transition to brctl domain
- Fixes for sftpd
Index: booleans-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/booleans-targeted.conf,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -p -r1.60 -r1.61
--- booleans-targeted.conf 23 Nov 2009 19:58:36 -0000 1.60
+++ booleans-targeted.conf 15 Jan 2010 17:09:02 -0000 1.61
@@ -262,3 +262,8 @@ nscd_use_shm = true
# Allow fenced domain to connect to the network using TCP.
#
fenced_can_network_connect=false
+
+# Allow privoxy to connect to all ports, not just HTTP, FTP, and Gopher ports.
+#
+privoxy_connect_any = true
+
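Review bot: The new default `privoxy_connect_any = true` ships privoxy with permission to connect to every TCP port on a stock targeted install, and neither the log message nor the spec changelog for 3.6.32-71 (`Allow hotplug to transition to brctl domain`, `Fixes for sftpd`) mentions it. A boolean that relaxes access normally defaults to off with the admin opting in via `setsebool -P`; if the widening is deliberate, record it in the changelog so the default is reviewable. The entry also uses `name = value` spacing where the neighbouring `fenced_can_network_connect=false` uses `name=value`, and leaves a trailing blank line.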
policy-20100106.patch:
modules/apps/mozilla.fc | 1
modules/apps/sandbox.if | 46 +++++++++++++--
modules/apps/sandbox.te | 29 +++++----
modules/apps/wine.if | 4 +
modules/apps/wine.te | 14 ++++
modules/kernel/devices.fc | 2
modules/kernel/devices.if | 18 ++++++
modules/kernel/devices.te | 6 ++
modules/roles/unconfineduser.fc | 2
modules/roles/unconfineduser.te | 2
modules/roles/xguest.te | 2
modules/services/abrt.te | 1
modules/services/apache.if | 3 +
modules/services/apcupsd.te | 2
modules/services/cups.te | 1
modules/services/dovecot.te | 6 ++
modules/services/fail2ban.if | 18 ++++++
modules/services/ftp.if | 37 ++++++++++++
modules/services/ftp.te | 114 +++++++++++++++++++++++++++++++++++++++
modules/services/git.te | 2
modules/services/nagios.fc | 40 +++++++++++++
modules/services/nagios.te | 3 +
modules/services/openvpn.te | 1
modules/services/postfix.te | 5 +
modules/services/samba.te | 5 +
modules/services/sendmail.te | 2
modules/services/snmp.te | 2
modules/services/spamassassin.if | 18 ++++++
modules/services/ssh.te | 80 +--------------------------
modules/services/sssd.if | 19 ++++++
modules/services/virt.te | 4 +
modules/services/xserver.fc | 4 +
modules/services/xserver.te | 2
modules/system/hotplug.te | 4 +
modules/system/init.te | 5 +
modules/system/iscsi.fc | 2
modules/system/iscsi.te | 4 +
modules/system/libraries.fc | 6 ++
modules/system/miscfiles.if | 19 ++++++
modules/system/mount.te | 1
modules/system/selinuxutil.te | 1
modules/system/unconfined.if | 2
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 ++++++
modules/system/xen.te | 6 ++
support/obj_perm_sets.spt | 2
users | 2
47 files changed, 464 insertions(+), 104 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- policy-20100106.patch 12 Jan 2010 17:20:57 -0000 1.6
+++ policy-20100106.patch 15 Jan 2010 17:09:02 -0000 1.7
@@ -311,6 +311,18 @@ diff -b -B --ignore-all-space --exclude-
domain_user_exemption_target(unconfined_t)
allow system_r unconfined_r;
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
+--- nsaserefpolicy/policy/modules/roles/xguest.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2010-01-14 20:12:41.000000000 +0100
+@@ -15,7 +15,7 @@
+
+ ## <desc>
+ ## <p>
+-## Allow xguest to configure Network Manager
++## Allow xguest to configure Network Manager and connect to apache ports
+ ## </p>
+ ## </desc>
+ gen_tunable(xguest_connect_network, true)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100
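Review bot: The tunable description is broadened to `Allow xguest to configure Network Manager and connect to apache ports`, but the rule that would grant apache-port access is not part of this hunk, so the text promises something the visible policy does not show; if the rule lives elsewhere in the patch, a one-line comment pointing at it above the `gen_tunable` would keep the description and the policy in step. Note that `xguest_connect_network` defaults to `true`, so whatever access is attached to it is on by default.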
@@ -417,6 +429,200 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.if serefpolicy-3.6.32/policy/modules/services/ftp.if
+--- nsaserefpolicy/policy/modules/services/ftp.if 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/services/ftp.if 2010-01-15 12:37:45.000000000 +0100
+@@ -115,6 +115,43 @@
+ role $2 types ftpdctl_t;
+ ')
+
++######################################
++## <summary>
++## Allow domain dyntransition to sftpd-anon domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd_anon',`
++ gen_require(`
++ type anon_sftpd_t;
++ ')
++
++ allow $1 anon_sftpd_t:process dyntransition;
++')
++
++######################################
++## <summary>
++## Allow domain dyntransition to sftpd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`ftp_dyntransition_sftpd',`
++ gen_require(`
++ type sftpd_t;
++ ')
++
++ allow $1 sftpd_t:process dyntransition;
++ allow sftpd_t $1:process sigchld;
++')
++
+ ########################################
+ ## <summary>
+ ## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.32/policy/modules/services/ftp.te
+--- nsaserefpolicy/policy/modules/services/ftp.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ftp.te 2010-01-15 12:44:47.000000000 +0100
+@@ -53,6 +53,39 @@
+ ## </desc>
+ gen_tunable(ftp_home_dir, false)
+
++## <desc>
++## <p>
++## Allow anon internal-sftp to upload files, used for
++## public file transfer services. Directories must be labeled
++## public_content_rw_t.
++## </p>
++## </desc>
++gen_tunable(sftpd_anon_write, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to login to local users and
++## read/write all files on the system, governed by DAC.
++## </p>
++## </desc>
++gen_tunable(sftpd_full_access, false)
++
++## <desc>
++## <p>
++## Allow interlnal-sftp to read and write files
++## in the user ssh home directories.
++## </p>
++## </desc>
++gen_tunable(sftpd_write_ssh_home, false)
++
++## <desc>
++## <p>
++## Allow sftp-internal to read and write files
++## in the user home directories
++## </p>
++## </desc>
++gen_tunable(sftp_enable_homedirs, false)
++
+ type ftpd_t;
+ type ftpd_exec_t;
+ init_daemon_domain(ftpd_t, ftpd_exec_t)
+@@ -93,6 +126,14 @@
+ init_ranged_daemon_domain(ftpd_t, ftpd_exec_t, mls_systemhigh)
+ ')
+
++type sftpd_t;
++domain_type(sftpd_t)
++role system_r types sftpd_t;
++
++type sftpd_anon_t;
++domain_type(sftpd_anon_t)
++role system_r types sftpd_anon_t;
++
+ ########################################
+ #
+ # ftpd local policy
+@@ -342,3 +383,76 @@
+ files_read_etc_files(ftpdctl_t)
+
+ userdom_use_user_terminals(ftpdctl_t)
++
++#######################################
++#
++# sftpd-anon local policy
++#
++
++files_read_etc_files(sftpd_anon_t)
++
++miscfiles_read_public_files(sftpd_anon_t)
++
++tunable_policy(`sftpd_anon_write',`
++ miscfiles_manage_public_files(sftpd_anon_t)
++')
++
++#######################################
++#
++# sftpd local policy
++#
++
++files_read_etc_files(sftpd_t)
++
++# allow read access to /home by default
++userdom_read_user_home_content_files(sftpd_t)
++userdom_read_user_home_content_symlinks(sftpd_t)
++userdom_dontaudit_list_admin_dir(sftpd_t)
++
++tunable_policy(`sftpd_full_access',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++ fs_read_noxattr_fs_files(sftpd_t)
++ auth_manage_all_files_except_shadow(sftpd_t)
++')
++
++tunable_policy(`sftpd_write_ssh_home',`
++ ssh_manage_user_home_files(sftpd_t)
++')
++
++tunable_policy(`sftp_enable_homedirs',`
++ allow sftpd_t self:capability { dac_override dac_read_search };
++
++ # allow access to /home
++ files_list_home(sftpd_t)
++ userdom_read_user_home_content_files(sftpd_t)
++ userdom_manage_user_home_content(sftpd_t)
++
++ auth_read_all_dirs_except_shadow(sftpd_t)
++ auth_read_all_files_except_shadow(sftpd_t)
++ auth_read_all_symlinks_except_shadow(sftpd_t)
++', `
++ # Needed for permissive mode, to make sure everything gets labeled correctly
++ userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
++')
++
++tunable_policy(`sftp_enable_homedirs && use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(sftpd_t)
++ fs_manage_nfs_files(sftpd_t)
++ fs_manage_nfs_symlinks(sftpd_t)
++')
++
++tunable_policy(`sftp_enable_homedirs && use_samba_home_dirs',`
++ fs_manage_cifs_dirs(sftpd_t)
++ fs_manage_cifs_files(sftpd_t)
++ fs_manage_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_samba_home_dirs',`
++ fs_read_cifs_files(sftpd_t)
++ fs_read_cifs_symlinks(sftpd_t)
++')
++
++tunable_policy(`use_nfs_home_dirs',`
++ fs_read_nfs_files(sftpd_t)
++ fs_read_nfs_symlinks(ftpd_t)
++')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/git.te serefpolicy-3.6.32/policy/modules/services/git.te
+--- nsaserefpolicy/policy/modules/services/git.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/git.te 2010-01-14 20:34:07.000000000 +0100
+@@ -73,7 +73,7 @@
+ #
+
+ allow gitd_type self:fifo_file rw_fifo_file_perms;
+-allow gitd_type self:tcp_socket create_socket_perms;
++allow gitd_type self:tcp_socket create_stream_socket_perms;
+ allow gitd_type self:udp_socket create_socket_perms;
+ allow gitd_type self:unix_dgram_socket create_socket_perms;
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-3.6.32/policy/modules/services/nagios.fc
--- nsaserefpolicy/policy/modules/services/nagios.fc 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/nagios.fc 2010-01-11 12:37:36.000000000 +0100
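Review bot: `ftp_dyntransition_sftpd_anon` requires `type anon_sftpd_t;` and grants `allow $1 anon_sftpd_t:process dyntransition;`, but the type ftp.te declares is `sftpd_anon_t`; since ssh.te calls this interface inside the same `optional_policy` block as `ftp_dyntransition_sftpd(sshd_t)`, the unmet require drops both rules and sshd cannot dyntransition into either sftp domain. The fix is `type sftpd_anon_t;` and `allow $1 sftpd_anon_t:process dyntransition;`, plus `allow sftpd_anon_t $1:process sigchld;` for symmetry with the non-anonymous interface. In the `use_nfs_home_dirs` block at the end of ftp.te, `fs_read_nfs_symlinks(ftpd_t)` names the wrong domain and should be `fs_read_nfs_symlinks(sftpd_t)`. The `sftp_enable_homedirs` tunable is described as read/write access to user home directories, yet its block also grants `dac_override dac_read_search` and `auth_read_all_{dirs,files,symlinks}_except_shadow`, i.e. read access to essentially the whole filesystem — either narrow those rules or say so in the `<desc>`. Finally, that boolean uses the `sftp_` prefix while its three siblings use `sftpd_`, and the `sftpd_write_ssh_home` description reads `interlnal-sftp`; both are worth fixing before the names become a stable admin interface.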
@@ -621,18 +827,112 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-12 18:08:14.000000000 +0100
-@@ -477,8 +477,8 @@
++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-15 12:33:14.000000000 +0100
+@@ -8,31 +8,6 @@
+
+ ## <desc>
+ ## <p>
+-## Allow sftp to upload files, used for public file
+-## transfer services. Directories must be labeled
+-## public_content_rw_t.
+-## </p>
+-## </desc>
+-gen_tunable(allow_sftpd_anon_write, false)
+-
+-## <desc>
+-## <p>
+-## Allow sftp to login to local users and
+-## read/write all files on the system, governed by DAC.
+-## </p>
+-## </desc>
+-gen_tunable(allow_sftpd_full_access, false)
+-
+-## <desc>
+-## <p>
+-## Allow interlnal-sftp to read and write files
+-## in the user ssh home directories.
+-## </p>
+-## </desc>
+-gen_tunable(sftpd_ssh_home_dir, false)
+-
+-## <desc>
+-## <p>
+ ## allow host key based authentication
+ ## </p>
+ ## </desc>
+@@ -69,10 +44,6 @@
+ type sshd_tmpfs_t;
+ files_tmpfs_file(sshd_tmpfs_t)
+
+-type sftpd_t;
+-domain_type(sftpd_t)
+-role system_r types sftpd_t;
+-
+ ifdef(`enable_mcs',`
+ init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
+ ')
+@@ -361,6 +332,11 @@
+ ')
+
+ optional_policy(`
++ ftp_dyntransition_sftpd(sshd_t)
++ ftp_dyntransition_sftpd_anon(sshd_t)
++')
++
++optional_policy(`
+ gitosis_manage_var_lib(sshd_t)
+ ')
- ssh_sigchld(sftpd_t)
+@@ -468,49 +444,3 @@
+ udev_read_db(ssh_keygen_t)
+ ')
+-#######################################
+-#
+-# sftp Local policy
+-#
+-
+-allow ssh_server sftpd_t:process dyntransition;
+-
+-ssh_sigchld(sftpd_t)
+-
-files_read_all_files(sftpd_t)
-files_read_all_symlinks(sftpd_t)
-+auth_read_all_files_except_shadow(sftpd_t)
-+auth_read_all_symlinks_except_shadow(sftpd_t)
-
- fs_read_noxattr_fs_files(sftpd_t)
- fs_read_nfs_files(sftpd_t)
+-
+-fs_read_noxattr_fs_files(sftpd_t)
+-fs_read_nfs_files(sftpd_t)
+-fs_read_cifs_files(sftpd_t)
+-
+-# allow access to /home by default
+-userdom_manage_user_home_content_dirs(sftpd_t)
+-userdom_manage_user_home_content_files(sftpd_t)
+-userdom_manage_user_home_content_symlinks(sftpd_t)
+-
+-userdom_user_home_dir_filetrans_pattern(sftpd_t, { dir file lnk_file })
+-
+-tunable_policy(`allow_sftpd_anon_write',`
+- miscfiles_manage_public_files(sftpd_t)
+-')
+-
+-tunable_policy(`allow_sftpd_full_access',`
+- allow sftpd_t self:capability { dac_override dac_read_search };
+- fs_read_noxattr_fs_files(sftpd_t)
+- auth_manage_all_files_except_shadow(sftpd_t)
+-')
+-
+-tunable_policy(`sftpd_ssh_home_dir',`
+- ssh_manage_user_home_files(sftpd_t)
+-')
+-
+-tunable_policy(`use_nfs_home_dirs',`
+- fs_manage_nfs_dirs(sftpd_t)
+- fs_manage_nfs_files(sftpd_t)
+-')
+-
+-tunable_policy(`use_samba_home_dirs',`
+- fs_manage_cifs_dirs(sftpd_t)
+- fs_manage_cifs_files(sftpd_t)
+-')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-11 13:46:50.000000000 +0100
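Review bot: The three sftp booleans are renamed (`allow_sftpd_anon_write` → `sftpd_anon_write`, `allow_sftpd_full_access` → `sftpd_full_access`, `sftpd_ssh_home_dir` → `sftpd_write_ssh_home`) with no alias or migration, so any value an admin persisted under the old names silently stops applying and the new booleans fall back to `false`; the changelog line `- Fixes for sftpd` should at least spell out the renames, since it hides a configuration-breaking change. The new `optional_policy` block calls `ftp_dyntransition_sftpd(sshd_t)` and `ftp_dyntransition_sftpd_anon(sshd_t)` together, so a failed require in either interface disables both; splitting them into two `optional_policy` blocks keeps the ordinary sftpd transition working independently of the anonymous one. The removed rule granted dyntransition from the whole `ssh_server` attribute, whereas the replacement is applied only to `sshd_t`; if that narrowing is intentional it deserves a comment, and if not the interfaces should be applied to `ssh_server`.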
@@ -723,10 +1023,35 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/hotplug.te serefpolicy-3.6.32/policy/modules/system/hotplug.te
+--- nsaserefpolicy/policy/modules/system/hotplug.te 2009-09-16 16:01:19.000000000 +0200
++++ serefpolicy-3.6.32/policy/modules/system/hotplug.te 2010-01-14 20:30:58.000000000 +0100
+@@ -125,6 +125,10 @@
+ ')
+
+ optional_policy(`
++ brctl_domtrans(hotplug_t)
++')
++
++optional_policy(`
+ consoletype_exec(hotplug_t)
+ ')
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-06 11:05:50.000000000 +0100
-+++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-12 13:43:28.000000000 +0100
-@@ -872,6 +872,7 @@
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-15 12:26:30.000000000 +0100
+@@ -212,6 +212,10 @@
+ ')
+
+ optional_policy(`
++ dbus_system_bus_client(init_t)
++')
++
++optional_policy(`
+ # /var/run/dovecot/login/ssl-parameters.dat is a hard link to
+ # /var/lib/dovecot/ssl-parameters.dat and init tries to clean up
+ # the directory. But we do not want to allow this.
+@@ -872,6 +876,7 @@
optional_policy(`
unconfined_domain(initrc_t)
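Review bot: `dbus_system_bus_client(init_t)` lets PID 1 connect to the system bus, and that grant is covered by neither changelog line for this release; a comment above the call naming the consumer and the denial it fixes, e.g. `# init on F-12 (presumably upstart) connects to the system bus; see the AVC in the bug that prompted this`, plus a changelog entry, would make the widening auditable later. The hotplug change, `brctl_domtrans(hotplug_t)`, matches the surrounding `optional_policy` style and is what the log message describes, so nothing further there.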
@@ -830,6 +1155,17 @@ diff -b -B --ignore-all-space --exclude-
')
optional_policy(`
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.6.32/policy/modules/system/selinuxutil.te
+--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/selinuxutil.te 2010-01-15 12:28:55.000000000 +0100
+@@ -190,6 +190,7 @@
+
+ init_use_script_fds(load_policy_t)
+ init_use_script_ptys(load_policy_t)
++init_write_script_pipes(load_policy_t)
+
+ miscfiles_read_localization(load_policy_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.6.32/policy/modules/system/unconfined.if
--- nsaserefpolicy/policy/modules/system/unconfined.if 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/system/unconfined.if 2010-01-08 16:35:49.000000000 +0100
@@ -909,6 +1245,18 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Xen store local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.6.32/policy/support/obj_perm_sets.spt
+--- nsaserefpolicy/policy/support/obj_perm_sets.spt 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/support/obj_perm_sets.spt 2010-01-15 12:24:53.000000000 +0100
+@@ -28,7 +28,7 @@
+ #
+ # All socket classes.
+ #
+-define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket }')
++define(`socket_class_set', `{ tcp_socket udp_socket rawip_socket netlink_socket packet_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket }')
+
+
+ #
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
--- nsaserefpolicy/policy/users 2010-01-06 11:05:51.000000000 +0100
+++ serefpolicy-3.6.32/policy/users 2010-01-12 13:48:30.000000000 +0100
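Review bot: Appending `tun_socket` to `socket_class_set` widens every existing rule written against that macro — typically the broad `self:socket_class_set` grants for unconfined and other permissive domains — to TUN/TAP sockets in one step, and neither the hunk nor the changelog names the domain that actually needed it. If the consumer is a single service (the diffstat touches openvpn.te and virt.te), an explicit `allow <that_domain> self:tun_socket create_socket_perms;` in that module is narrower and easier to audit than changing the shared set. If the set change is intended, a comment on the `define` line noting that the `tun_socket` class must be declared in this tree's `security_classes`/`access_vectors` would help, since a build against a policy or kernel without that class fails.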
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.995
retrieving revision 1.996
diff -u -p -r1.995 -r1.996
--- selinux-policy.spec 12 Jan 2010 17:20:57 -0000 1.995
+++ selinux-policy.spec 15 Jan 2010 17:09:02 -0000 1.996
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 70%{?dist}
+Release: 71%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -456,6 +456,10 @@ exit 0
%endif
%changelog
+* Fri Jan 15 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-71
+- Allow hotplug to transition to brctl domain
+- Fixes for sftpd
+
* Tue Jan 12 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-70
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t