[selinux-policy: 1823/3172] trunk: 10 patches from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:42:44 UTC 2010
commit cdf98fedc03f496f684052dd09a3b1db7ee0b416
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Thu Oct 11 18:12:29 2007 +0000
trunk: 10 patches from dan.
man/man8/ftpd_selinux.8 | 2 +-
man/man8/httpd_selinux.8 | 2 +-
policy/modules/admin/dmidecode.te | 3 ++-
policy/modules/kernel/corenetwork.te.in | 3 ++-
policy/modules/services/ktalk.te | 16 +++++-----------
policy/modules/services/rsync.te | 3 ++-
policy/modules/services/setroubleshoot.te | 9 ++++++++-
policy/modules/services/tftp.te | 3 ++-
policy/modules/services/xfs.te | 11 ++++++++++-
policy/modules/system/ipsec.te | 3 ++-
10 files changed, 35 insertions(+), 20 deletions(-)
---
diff --git a/man/man8/ftpd_selinux.8 b/man/man8/ftpd_selinux.8
index 42f96b9..cfc51ec 100644
--- a/man/man8/ftpd_selinux.8
+++ b/man/man8/ftpd_selinux.8
@@ -12,7 +12,7 @@ If you want to share files anonymously, you must label the files and directories
.TP
chcon -R -t public_content_t /var/ftp
.TP
-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
+If you want to setup a directory where you can upload files to you must label the files and directories public_content_rw_t. So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
.TP
chcon -t public_content_rw_t /var/ftp/incoming
.TP
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
index 4bacdfc..7f14925 100644
--- a/man/man8/httpd_selinux.8
+++ b/man/man8/httpd_selinux.8
@@ -30,7 +30,7 @@ httpd_sys_script_exec_t
.EX
httpd_sys_script_ro_t
.EE
-- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other sys scripts from access.
+- Set files with httpd_sys_script_ro_t if you want httpd_sys_script_exec_t scripts to read the data, and disallow other non sys scripts from access.
.EX
httpd_sys_script_rw_t
.EE
diff --git a/policy/modules/admin/dmidecode.te b/policy/modules/admin/dmidecode.te
index cbd336c..da13ae5 100644
--- a/policy/modules/admin/dmidecode.te
+++ b/policy/modules/admin/dmidecode.te
@@ -1,5 +1,5 @@
-policy_module(dmidecode,1.2.1)
+policy_module(dmidecode,1.2.2)
########################################
#
@@ -18,6 +18,7 @@ role system_r types dmidecode_t;
allow dmidecode_t self:capability sys_rawio;
+dev_read_sysfs(dmidecode_t)
# Allow dmidecode to read /dev/mem
dev_read_raw_memory(dmidecode_t)
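Review bot: The new `dev_read_sysfs(dmidecode_t)` line carries no why-comment, while the neighbouring `dev_read_raw_memory` call does. Reading sysfs is a broad grant (the whole /sys tree), and a reader cannot tell from the rule which entries dmidecode actually needs; presumably the firmware/DMI entry points exposed under /sys, but that is not visible here. Add `# Allow dmidecode to read /sys (firmware/DMI entry points) -- confirm exact paths` above the line so the intent is recorded next to the /dev/mem comment.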
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b0f5d5f..b0a25be 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.11)
+policy_module(corenetwork,1.2.12)
########################################
#
@@ -164,6 +164,7 @@ type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined por
network_port(uucpd, tcp,540,s0)
network_port(vnc, tcp,5900,s0)
network_port(xen, tcp,8002,s0)
+network_port(xfs, tcp,7100,s0)
network_port(xserver, tcp, 6000, s0, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
network_port(zebra, tcp,2600,s0, tcp,2601,s0, tcp,2602,s0, tcp,2603,s0, tcp,2604,s0, tcp,2606,s0, udp,2600,s0, udp,2601,s0, udp,2602,s0, udp,2603,s0, udp,2604,s0, udp,2606,s0)
network_port(zope, tcp,8021,s0)
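Review bot: The new `network_port(xfs, tcp,7100,s0)` entry defines `xfs_port_t` for the X font server, but the name `xfs` is also the filesystem name, and nothing in this file distinguishes the two. The generated interfaces (`corenet_tcp_bind_xfs_port` and friends) carry that name into other modules, so a trailing remark on this line would avoid confusion later: `network_port(xfs, tcp,7100,s0) dnl X font server, not the XFS filesystem`. This file already uses `dnl` remarks on port lines (see the utcpserver entry), so the form fits the existing style.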
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index 743692d..90704b3 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -1,5 +1,5 @@
-policy_module(ktalk,1.5.1)
+policy_module(ktalk,1.5.2)
########################################
#
@@ -68,6 +68,10 @@ fs_getattr_xattr_fs(ktalkd_t)
files_read_etc_files(ktalkd_t)
+term_search_ptys(ktalkd_t)
+
+auth_use_nsswitch(ktalkd_t)
+
init_read_utmp(ktalkd_t)
libs_use_ld_so(ktalkd_t)
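Review bot: `auth_use_nsswitch(ktalkd_t)` replaces the three rules removed in the next hunk (sysnet_read_config, nis_use_ypbind, nscd_socket_use), but as an aggregate interface it generally grants more than those; in refpolicy it typically also pulls in name-resolution and directory client access that ktalkd did not previously have, so confirm against the current auth_use_nsswitch definition. That is the usual trade-off for a daemon that resolves names through NSS, but it is worth recording inline, e.g. `# host/user lookups via NSS (superset of the former sysnet/nis/nscd rules)`. `term_search_ptys(ktalkd_t)` likewise deserves a note such as `# locate the target user's pty to deliver talk announcements`, since the reason is not obvious from the rule alone. ktalkd_t's rule list continues past this hunk.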
@@ -75,13 +79,3 @@ libs_use_shared_libs(ktalkd_t)
logging_send_syslog_msg(ktalkd_t)
miscfiles_read_localization(ktalkd_t)
-
-sysnet_read_config(ktalkd_t)
-
-optional_policy(`
- nis_use_ypbind(ktalkd_t)
-')
-
-optional_policy(`
- nscd_socket_use(ktalkd_t)
-')
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index a069f65..25c0238 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.5.0)
+policy_module(rsync,1.5.1)
########################################
#
@@ -17,6 +17,7 @@ gen_tunable(allow_rsync_anon_write,false)
type rsync_t;
type rsync_exec_t;
init_daemon_domain(rsync_t,rsync_exec_t)
+application_executable_file(rsync_exec_t)
role system_r types rsync_t;
type rsync_data_t;
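Review bot: `application_executable_file(rsync_exec_t)` marks the rsync binary as a general application executable, so user domains may run it, but nothing here makes that execution a domain transition; only `init_daemon_domain` above sets up the transition, and only from init. A client-side rsync invoked by a user therefore runs in the caller's domain rather than rsync_t, which is presumably intended (rsync_t is the daemon domain) but is easy to misread. A comment like `# rsync client runs in the caller's domain; only init transitions to rsync_t` would make that explicit. rsync_t's remaining rules lie outside the hunk.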
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index fd0a84d..00c722f 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot,1.5.1)
+policy_module(setroubleshoot,1.5.2)
########################################
#
@@ -67,6 +67,7 @@ corenet_tcp_connect_smtp_port(setroubleshootd_t)
corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
dev_read_urand(setroubleshootd_t)
+dev_read_sysfs(setroubleshootd_t)
domain_dontaudit_search_all_domains_state(setroubleshootd_t)
@@ -107,6 +108,12 @@ sysnet_read_config(setroubleshootd_t)
userdom_dontaudit_read_sysadm_home_content_files(setroubleshootd_t)
optional_policy(`
+ dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
+ dbus_send_system_bus(setroubleshootd_t)
+ dbus_connect_system_bus(setroubleshootd_t)
+')
+
+optional_policy(`
rpm_read_db(setroubleshootd_t)
rpm_dontaudit_manage_db(setroubleshootd_t)
rpm_use_script_fds(setroubleshootd_t)
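Review bot: The two explicit calls `dbus_send_system_bus(setroubleshootd_t)` and `dbus_connect_system_bus(setroubleshootd_t)` look redundant with `dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)` directly above them: in refpolicy that template already grants send_msg to the system bus and the stream connect to the bus socket, so if the template in this tree matches, the two lines can be dropped. Keeping both forms makes the grant harder to audit later, because a reader must check whether they differ. If the template here does not cover them, a one-line comment naming the permission it lacks would justify the extra lines. The rpm optional_policy block continues beyond the hunk.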
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 2c01c89..4edddfb 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.5.1)
+policy_module(tftp,1.5.2)
########################################
#
@@ -26,6 +26,7 @@ allow tftpd_t self:tcp_socket create_stream_socket_perms;
allow tftpd_t self:udp_socket create_socket_perms;
allow tftpd_t self:unix_dgram_socket create_socket_perms;
allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
+allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;
dontaudit tftpd_t self:capability sys_tty_config;
allow tftpd_t tftpdir_t:dir { getattr read search };
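Review bot: The new `allow tftpd_t self:netlink_route_socket r_netlink_socket_perms;` has no comment explaining why a TFTP server needs a routing netlink socket; the surrounding self-socket rules are self-explanatory but this one is not. Presumably it serves local interface/address enumeration (getifaddrs-style lookups) rather than anything routing-related, but that is an inference; confirm from the denial that motivated it and record it, e.g. `# netlink route socket: local address/interface lookup (getifaddrs)`. The tftpd_t rule list continues outside the hunk.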
diff --git a/policy/modules/services/xfs.te b/policy/modules/services/xfs.te
index a7693d6..33f81dd 100644
--- a/policy/modules/services/xfs.te
+++ b/policy/modules/services/xfs.te
@@ -1,5 +1,5 @@
-policy_module(xfs,1.2.1)
+policy_module(xfs,1.2.2)
########################################
#
@@ -37,6 +37,15 @@ files_pid_filetrans(xfs_t,xfs_var_run_t,file)
kernel_read_kernel_sysctls(xfs_t)
kernel_read_system_state(xfs_t)
+corenet_all_recvfrom_unlabeled(xfs_t)
+corenet_all_recvfrom_netlabel(xfs_t)
+corenet_tcp_sendrecv_generic_if(xfs_t)
+corenet_tcp_sendrecv_all_nodes(xfs_t)
+corenet_tcp_sendrecv_all_ports(xfs_t)
+corenet_tcp_bind_all_nodes(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_sendrecv_xfs_server_packets(xfs_t)
+
corecmd_list_bin(xfs_t)
dev_read_sysfs(xfs_t)
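Review bot: `corenet_tcp_sendrecv_all_ports(xfs_t)` is the broadest of the new network rules, and a reader who sees this same commit introduce a dedicated `xfs_port_t` would expect the server to be limited to its own port. The wide grant follows the pattern refpolicy uses for other TCP servers (the peer's ephemeral port is not predictable), so it is presumably deliberate, but the block should say so: `# server: peers use arbitrary source ports, so sendrecv is not limited to xfs_port_t`. It is also worth stating whether the font server is expected to accept remote clients at all; if it is normally reached only by local X servers, a loopback-only bind would be tighter than `corenet_tcp_bind_all_nodes`, assuming the tree provides such an interface. xfs_t's rule list continues outside the hunk.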
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index c5c3837..8005483 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.4.1)
+policy_module(ipsec,1.4.2)
########################################
#
@@ -321,6 +321,7 @@ libs_use_shared_libs(racoon_t)
locallogin_use_fds(racoon_t)
logging_send_syslog_msg(racoon_t)
+logging_send_audit_msgs(racoon_t)
miscfiles_read_localization(racoon_t)
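Review bot: `logging_send_audit_msgs(racoon_t)` is added without a comment saying what racoon audits; audit-message senders receive the audit_write capability and an audit netlink socket, which is a privileged grant worth justifying inline. Presumably this backs IKE SA audit records from an audit-enabled racoon build, but the hunk does not show that; a line such as `# audit records for IKE SA events (audit-enabled racoon)` above the call would record the reason. Also confirm that the interface in this tree grants audit_write itself, so no separate self:capability rule is needed. racoon_t's rules continue beyond the hunk.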