[selinux-policy: 1714/3172] 5 patches from dan. confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samb

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:33:07 UTC 2010


commit 697489040eac9d5fcc7030018d94c21b7df2ae9f
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Apr 11 17:56:03 2007 +0000

    5 patches from dan.  confine insmod and udev on targeted, misc fc fixes, sasl kerberos use, and samba port fixes

 Changelog                               |    3 ++-
 policy/modules/apps/games.fc            |    1 +
 policy/modules/apps/games.te            |    2 +-
 policy/modules/kernel/corecommands.fc   |    2 ++
 policy/modules/kernel/corecommands.te   |    2 +-
 policy/modules/kernel/corenetwork.te.in |    6 +++---
 policy/modules/services/sasl.te         |   13 ++++++++++++-
 policy/modules/system/modutils.te       |    7 ++++---
 policy/modules/system/udev.fc           |    2 +-
 policy/modules/system/udev.te           |    6 +++---
 10 files changed, 30 insertions(+), 14 deletions(-)
---
diff --git a/Changelog b/Changelog
index dc1ff70..9f156e6 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,5 @@
-- Patch to confine ldconfig in the targeted policy from Dan Walsh.
+- Patch for sasl's use of kerberos from Dan Walsh.
+- Patches to confine ldconfig, udev, and insmod in the targeted policy from Dan Walsh.
 - Man page updates from Dan Walsh.
 - Two patches from Paul Moore to for ipsec to remove redundant rules and
   have setkey read the config file.
diff --git a/policy/modules/apps/games.fc b/policy/modules/apps/games.fc
index d242050..0e5ed81 100644
--- a/policy/modules/apps/games.fc
+++ b/policy/modules/apps/games.fc
@@ -4,6 +4,7 @@
 /usr/games/powermanga	--	gen_context(system_u:object_r:games_exec_t,s0)
 /usr/games/nethack-3.4.3/nethack -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/games/vulturesclaw/vulturesclaw -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/games/vultureseye/vultureseye -- gen_context(system_u:object_r:games_exec_t,s0)
 
 /usr/lib/games(/.*)? 		gen_context(system_u:object_r:games_exec_t,s0)
 
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 4c462b8..21fcecf 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
 
-policy_module(games,1.1.3)
+policy_module(games,1.1.4)
 
 ########################################
 #
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 068d138..d422ed8 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -189,6 +189,7 @@ ifdef(`distro_gentoo', `
 ifdef(`distro_redhat', `
 /usr/lib/.*/program(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib64/bluetooth(/.*)?	--      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-gtk\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig-tui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/authconfig/authconfig.py --	gen_context(system_u:object_r:bin_t,s0)
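Review bot: The new `/usr/lib64/bluetooth` entry duplicates the `/usr/lib/bluetooth` line directly above it with only the directory name changed, so the two can drift apart the next time the context is touched. The usual refpolicy form is a single pattern covering both, `/usr/lib(64)?/bluetooth(/.*)?	--	gen_context(system_u:object_r:bin_t,s0)`, replacing the existing line rather than adding a second one. As on the existing line, `--` limits the match to regular files, so the bluetooth directory itself keeps its parent label; that matches the line it mirrors and is presumably intended.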
@@ -205,6 +206,7 @@ ifdef(`distro_redhat', `
 /usr/share/ssl/misc(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/switchdesk/switchdesk-gui\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-date/system-config-date\.py -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/system-config-selinux/system-config-selinux\.py -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-display/system-config-display -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-httpd/system-config-httpd -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-keyboard/system-config-keyboard -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 288e15d..4acf62c 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
 
-policy_module(corecommands,1.5.4)
+policy_module(corecommands,1.5.5)
 
 ########################################
 #
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2b67c12..c235aa6 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.2.5)
+policy_module(corenetwork,1.2.6)
 
 ########################################
 #
@@ -108,7 +108,7 @@ network_port(monopd, tcp,1234,s0)
 network_port(mysqld, tcp,3306,s0)
 network_port(nessus, tcp,1241,s0)
 network_port(netsupport, tcp,5405,s0, udp,5405,s0)
-network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0)
 network_port(ntp, udp,123,s0)
 network_port(ocsp, tcp,9080,s0)
 network_port(openvpn, tcp,1194,s0, udp,1194,s0)
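Review bot: After this hunk udp/139 is no longer assigned to any port type, and after the smbd hunk further down (`tcp,137-139` narrowed to `tcp,139`) tcp/137 and tcp/138 are not either, so traffic on those ports falls back to the generic port type, which is presumably reachable by any domain granted the generic-port interfaces rather than only the samba domains. That is likely the intent, since nmbd serves udp 137/138 and smbd tcp 139/445, but nothing in the diff records it; a comment on the nmbd line such as `# nmbd: name service (137) and datagram (138); the session service is smbd tcp/139` would preserve the reasoning. Any other rule in the tree that still assumes tcp/137-138 are smbd_port_t will now be wrong, so a grep for smbd_port_t users is worth doing before this lands.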
@@ -132,7 +132,7 @@ network_port(rndc, tcp,953,s0)
 network_port(router, udp,520,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+network_port(smbd, tcp,139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
 network_port(spamd, tcp,783,s0)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index 6128b90..2a6970d 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
 
-policy_module(sasl,1.4.2)
+policy_module(sasl,1.4.3)
 
 ########################################
 #
@@ -17,6 +17,9 @@ type saslauthd_t;
 type saslauthd_exec_t;
 init_daemon_domain(saslauthd_t,saslauthd_exec_t)
 
+type saslauthd_tmp_t;
+files_tmp_file(saslauthd_tmp_t)
+
 type saslauthd_var_run_t;
 files_pid_file(saslauthd_var_run_t)
 
@@ -33,6 +36,10 @@ allow saslauthd_t self:unix_dgram_socket create_socket_perms;
 allow saslauthd_t self:unix_stream_socket create_stream_socket_perms;
 allow saslauthd_t self:tcp_socket create_socket_perms;
 
+allow saslauthd_t saslauthd_tmp_t:dir setattr;
+manage_files_pattern(saslauthd_t,saslauthd_tmp_t,saslauthd_tmp_t)
+files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,file)
+
 manage_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
 manage_sock_files_pattern(saslauthd_t,saslauthd_var_run_t,saslauthd_var_run_t)
 files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
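Review bot: `allow saslauthd_t saslauthd_tmp_t:dir setattr;` can only take effect if a directory ever carries saslauthd_tmp_t, yet the transition two lines below is declared for `file` only, so a directory saslauthd creates under /tmp would stay tmp_t and the setattr rule would be dead. If saslauthd does create a directory there (the dir rule suggests someone saw it), `files_tmp_filetrans(saslauthd_t,saslauthd_tmp_t,{ file dir })` together with `manage_dirs_pattern(saslauthd_t,saslauthd_tmp_t,saslauthd_tmp_t)` covers it; if it does not, the setattr line can be dropped. Since saslauthd_tmp_t is new in this commit, a one-line comment naming what the temporary file is used for would help the next reader decide.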
@@ -96,6 +103,10 @@ tunable_policy(`allow_saslauthd_read_shadow',`
 ')
 
 optional_policy(`
+	kerberos_read_keytab(saslauthd_t)
+')
+
+optional_policy(`
 	mysql_search_db(saslauthd_t)
 	mysql_stream_connect(saslauthd_t)
 ')
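Review bot: `kerberos_read_keytab(saslauthd_t)` grants read access to the keytab, i.e. the host's long-term Kerberos keys, and neither the hunk nor the commit message says why the daemon needs it. If the goal is only to authenticate users against the KDC (krb5.conf plus the KDC ports), `kerberos_use(saslauthd_t)` may be the narrower interface; whether it is already called elsewhere in sasl.te is not visible in this hunk. Whichever is right, a comment above the rule such as `# keytab is needed for the GSSAPI mechanism — confirm` would record the justification for a high-value permission.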
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 8bf4cb5..ef4a0a6 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,5 +1,5 @@
 
-policy_module(modutils,1.2.1)
+policy_module(modutils,1.2.2)
 
 gen_require(`
 	bool secure_mode_insmod;
@@ -68,7 +68,7 @@ files_read_kernel_modules(insmod_t)
 # for locking: (cjp: ????)
 files_write_kernel_modules(insmod_t)
 
-dev_read_sysfs(insmod_t)
+dev_rw_sysfs(insmod_t)
 dev_search_usbfs(insmod_t)
 dev_rw_mtrr(insmod_t)
 dev_read_urand(insmod_t)
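Review bot: `dev_rw_sysfs(insmod_t)` widens insmod from reading sysfs to writing all of it, which includes module parameters and device attributes exposed under /sys, and nothing in the hunk or the commit message records which write insmod actually needs. A why-comment on the line, e.g. `# sysfs write needed for: <reason — TODO confirm>`, would let a later reviewer check whether a narrower interface exists, in the way the neighbouring `dev_rw_mtrr(insmod_t)` already names exactly what is written. This is a blanket rule outside any `targeted_policy` guard, so it applies to every policy type.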
@@ -117,7 +117,8 @@ if( ! secure_mode_insmod ) {
 }
 
 ifdef(`targeted_policy',`
-	unconfined_domain(insmod_t)
+	term_use_unallocated_ttys(insmod_t)
+	term_use_generic_ptys(insmod_t)
 ')
 
 optional_policy(`
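Review bot: The targeted block now gives insmod_t `term_use_unallocated_ttys` and `term_use_generic_ptys` as allow rules, whereas udev.te's targeted block in this same commit keeps the dontaudit variants (`term_dontaudit_use_unallocated_ttys`, `term_dontaudit_use_generic_ptys`). If the only purpose is to keep insmod quiet about inherited terminal descriptors, the dontaudit forms match udev and avoid handing a kernel-module loader write access to terminals; if insmod genuinely must print diagnostics to the invoking tty on targeted, a comment saying so would explain the asymmetry. The block is guarded by `targeted_policy`, so the strict build is unaffected either way.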
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index b6523d7..99b7ffb 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -1,6 +1,6 @@
 # udev
 
-/dev/\.udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+/dev/\.udev(/.*)? --	gen_context(system_u:object_r:udev_tbl_t,s0)
 /dev/\.udevdb	--	gen_context(system_u:object_r:udev_tbl_t,s0)
 /dev/udev\.tbl	--	gen_context(system_u:object_r:udev_tbl_t,s0)
 
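Review bot: Adding `--` to `/dev/\.udev(/.*)?` restricts the match to regular files, so the /dev/.udev directory and any subdirectories stop being udev_tbl_t and take whatever the broader /dev rule assigns (presumably device_t), while the files inside remain udev_tbl_t. That may well be the intended fix, but the diff does not say; if the directory is meant to keep its old label, a separate directory entry, `/dev/\.udev	-d	gen_context(system_u:object_r:udev_tbl_t,s0)`, is needed alongside this line. A short comment recording the reason would stop the next person from reverting it as a typo.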
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index aa8da2e..6fff992 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,5 +1,5 @@
 
-policy_module(udev,1.5.1)
+policy_module(udev,1.5.2)
 
 ########################################
 #
@@ -164,6 +164,8 @@ ifdef(`distro_redhat',`
 	fs_relabel_tmpfs_blk_file(udev_t)
 	fs_relabel_tmpfs_chr_file(udev_t)
 
+	term_search_ptys(udev_t)
+
 	# for arping used for static IP addresses on PCMCIA ethernet
 	netutils_domtrans(udev_t)
 ')
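Review bot: `term_search_ptys(udev_t)` is added without the why-comment that the neighbouring `netutils_domtrans(udev_t)` line carries (`# for arping ...`). Since the surrounding block is `distro_redhat`-only, a line such as `# for <udev rule or helper that walks /dev/pts — TODO confirm>` above it would record what triggered the denial and make the rule easy to retire once that helper changes.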
@@ -171,8 +173,6 @@ ifdef(`distro_redhat',`
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(udev_t)
 	term_dontaudit_use_generic_ptys(udev_t)
-
-	unconfined_domain(udev_t)
 ')
 
 optional_policy(`
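Review bot: With `unconfined_domain(udev_t)` gone, the two `term_dontaudit_use_*` rules that remain in the targeted block now silence real denials rather than harmless ones: any terminal write udev previously got through the unconfined domain fails without an audit record. That is fine if udev never needs the tty, but it makes the first confined boot harder to debug; running a targeted build in permissive mode once and checking for `udev_t` denials outside the dontaudit set would confirm the remaining rules are sufficient. A comment above the dontaudit lines noting that they are now load-bearing would help whoever chases the next udev bug.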

