[selinux-policy: 1714/3172] 5 patches from dan. confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samba port fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:33:07 UTC 2010
commit 697489040eac9d5fcc7030018d94c21b7df2ae9f
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Apr 11 17:56:03 2007 +0000
5 patches from dan. confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samba port fixes
Changelog | 3 ++-
policy/modules/apps/games.fc | 1 +
policy/modules/apps/games.te | 2 +-
policy/modules/kernel/corecommands.fc | 2 ++
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/kernel/corenetwork.te.in | 6 +++---
policy/modules/services/sasl.te | 13 ++++++++++++-
policy/modules/system/modutils.te | 7 ++++---
policy/modules/system/udev.fc | 2 +-
policy/modules/system/udev.te | 6 +++---
10 files changed, 30 insertions(+), 14 deletions(-)
---
diff --git a/Changelog b/Changelog
index dc1ff70..9f156e6 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,5 @@
-- Patch to confine ldconfig in the targeted policy from Dan Walsh.
+- Patch for sasl's use of kerberos from Dan Walsh.
+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
- Man page updates from Dan Walsh.
- Two patches from Paul Moore to for ipsec to remove redundant rules and
have setkey read the config file.
diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc
index d242050..0e5ed81 100644
--- a/policy/modules/apps/games.fc
+++ b/policy/modules/apps/games.fc
@@ -4,6 +4,7 @@
/usr/games/powermanga -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/games/nethack-3.4.3/nethack -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/games/vulturesclaw/vulturesclaw -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/games/vultureseye/vultureseye -- gen_context(system_u:object_r:games_exec_t,s0)
/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 4c462b8..21fcecf 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games,1.1.3)
+policy_module(games,1.1.4)
########################################
#
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 068d138..d422ed8 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
ifdef(`distro_redhat', `
/usr/lib/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/authconfig/authconfig.py -- gen_context(system_u:object_r:bin_t,s0)
@@ -205,6 +206,7 @@ ifdef(`distro_redhat', `
/usr/share/ssl/misc(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 288e15d..4acf62c 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.5.4)
+policy_module(corecommands,1.5.5)
########################################
#
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2b67c12..c235aa6 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.5)
+policy_module(corenetwork,1.2.6)
########################################
#
@@ -108,7 +108,7 @@ network_port(monopd, tcp,1234,s0)
network_port(mysqld, tcp,3306,s0)
network_port(nessus, tcp,1241,s0)
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
-network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0)
network_port(ntp, udp,123,s0)
network_port(ocsp, tcp,9080,s0)
network_port(openvpn, tcp,1194,s0, udp,1194,s0)
@@ -132,7 +132,7 @@ network_port(rndc, tcp,953,s0)
network_port(router, udp,520,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+network_port(smbd, tcp,139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
network_port(spamd, tcp,783,s0)
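Review bot: Removing tcp 137 and 138 from `smbd` here (and udp 139 from `nmbd` in the preceding hunk) is a loosening for those port/protocol pairs, not only a correction of the Samba port map: a port that loses its named type falls back to the default type for its range, and as I read refpolicy the reserved-port default is bindable by every domain granted generic reserved-port binding, whereas before only smbd_t/nmbd_t could bind them. That is acceptable if nothing is meant to listen there, but the reasoning should be recorded next to the two `network_port` lines, e.g. `# NetBIOS: 137/udp name service, 138/udp datagram, 139/tcp session; the dropped pairs intentionally fall back to the default port label`. If any other Samba component does listen on 137/tcp or 138/tcp on Fedora, it now binds under the default label rather than smbd_port_t, which should be confirmed before this lands.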
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 6128b90..2a6970d 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.4.2)
+policy_module(sasl,1.4.3)
########################################
#
@@ -17,6 +17,9 @@ type saslauthd_t;
type saslauthd_exec_t;
init_daemon_domain(saslauthd_t,saslauthd_exec_t)
+type saslauthd_tmp_t;
+files_tmp_file(saslauthd_tmp_t)
+
type saslauthd_var_run_t;
files_pid_file(saslauthd_var_run_t)
@@ -33,6 +36,10 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
allow saslauthd_t self:tcp_socket create_socket_perms;
+allow saslauthd_t saslauthd_tmp_t:dir setattr;
+manage_files_pattern(saslauthd_t,saslauthd_tmp_t,saslauthd_tmp_t)
+files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,file)
+
manage_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
manage_sock_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
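Review bot: The `allow saslauthd_t saslauthd_tmp_t:dir setattr;` rule on the first added line grants a directory operation on a type that nothing in this hunk lets saslauthd create as a directory: the transition on the `files_tmp_filetrans` line is restricted to `file`, so a directory saslauthd makes under /tmp would get the generic tmp type and this rule could only apply to a directory labeled by something outside this diff. Either drop the rule, or if saslauthd needs a private tmp directory use `manage_dirs_pattern(saslauthd_t,saslauthd_tmp_t,saslauthd_tmp_t)` and `files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,{ file dir })`. A comment naming what saslauthd writes to /tmp would also help, e.g. `# tmp: presumably the Kerberos replay cache, given the keytab grant later in this commit -- confirm path`.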
@@ -96,6 +103,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
')
optional_policy(`
+ kerberos_read_keytab(saslauthd_t)
+')
+
+optional_policy(`
mysql_search_db(saslauthd_t)
mysql_stream_connect(saslauthd_t)
')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 8bf4cb5..ef4a0a6 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
-policy_module(modutils,1.2.1)
+policy_module(modutils,1.2.2)
gen_require(`
bool secure_mode_insmod;
@@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
# for locking: (cjp: ????)
files_write_kernel_modules(insmod_t)
-dev_read_sysfs(insmod_t)
+dev_rw_sysfs(insmod_t)
dev_search_usbfs(insmod_t)
dev_rw_mtrr(insmod_t)
dev_read_urand(insmod_t)
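Review bot: `dev_rw_sysfs(insmod_t)` widens insmod from reading to writing the whole of sysfs with no comment recording why, while the `files_write_kernel_modules` line two above it already carries an unanswered `(cjp: ????)` about a similar write grant. Writable sysfs lets the domain change module parameters and device attributes system-wide, so the denial that motivated this should be noted, e.g. `# dev_rw_sysfs: write under /sys at module load (path from the Fedora targeted AVC) -- confirm`, and if only one attribute is written a narrower interface would be preferable to the blanket read/write.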
@@ -117,7 +117,8 @@ if( ! secure_mode_insmod ) {
}
ifdef(`targeted_policy',`
- unconfined_domain(insmod_t)
+ term_use_unallocated_ttys(insmod_t)
+ term_use_generic_ptys(insmod_t)
')
optional_policy(`
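Review bot: The two rules replacing `unconfined_domain(insmod_t)` are the allowing `term_use_*` forms, whereas the udev hunk in the same commit uses `term_dontaudit_use_*` for the same targeted-policy purpose, and nothing here says why insmod needs the stronger grant. If insmod genuinely must write to the caller's terminal in targeted (error output from an interactive modprobe, presumably), record it with a comment such as `# interactive modprobe/insmod writes errors to the caller's terminal`; if the goal is only to silence audit noise, the dontaudit forms are the narrower choice. The `}` at the top of the hunk closes an `if( ! secure_mode_insmod )` block that starts outside the hunk.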
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index b6523d7..99b7ffb 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
# udev
-/dev/\.udev(/.*)? gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? -- gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/\.udevdb -- gen_context(system_u:object_r:udev_tbl_t,s0)
/dev/udev\.tbl -- gen_context(system_u:object_r:udev_tbl_t,s0)
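Review bot: Adding the `--` file-type field to `/dev/\.udev(/.*)?` restricts that entry to regular files, so the /dev/.udev directory itself and any subdirectory, symlink or socket udev keeps under it will no longer be labeled udev_tbl_t and will instead pick up whatever the broader /dev rule assigns. If that is intended, a comment such as `# only the regular files under /dev/.udev are udev state; the tree itself keeps the /dev default` would record it; if not, the previous form without `--`, or a separate `-d` entry for the directory, is needed. Which of these udev actually creates under /dev/.udev on Fedora cannot be confirmed from the diff alone.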
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index aa8da2e..6fff992 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
-policy_module(udev,1.5.1)
+policy_module(udev,1.5.2)
########################################
#
@@ -164,6 +164,8 @@ ifdef(`distro_redhat',`
fs_relabel_tmpfs_blk_file(udev_t)
fs_relabel_tmpfs_chr_file(udev_t)
+ term_search_ptys(udev_t)
+
# for arping used for static IP addresses on PCMCIA ethernet
netutils_domtrans(udev_t)
')
@@ -171,8 +173,6 @@ ifdef(`distro_redhat',`
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(udev_t)
term_dontaudit_use_generic_ptys(udev_t)
-
- unconfined_domain(udev_t)
')
optional_policy(`