[selinux-policy/f17] * Tue Apr 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-110 - /var/run/postmaster.* labeling is n
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Apr 3 07:12:52 UTC 2012
commit d5eb4288bde904799e285cc3faca547c90110121
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Tue Apr 3 09:12:42 2012 +0200
* Tue Apr 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-110
- /var/run/postmaster.* labeling is no longer needed
- Allow drbdadmin to read /dev/urandom
- l2tpd_t seems to use ptmx
- group+ and passwd+ should be labeled as /etc/passwd
- Zarafa-indexer is a socket
policy-F16.patch | 43 ++++++++++++++++++++++++++++++++-----------
selinux-policy.spec | 9 ++++++++-
2 files changed, 40 insertions(+), 12 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 1423ae9..2bcd13f 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -99163,10 +99163,10 @@ index 0000000..659d051
+
diff --git a/policy/modules/services/drbd.te b/policy/modules/services/drbd.te
new file mode 100644
-index 0000000..3bca7b0
+index 0000000..f09fbb3
--- /dev/null
+++ b/policy/modules/services/drbd.te
-@@ -0,0 +1,50 @@
+@@ -0,0 +1,52 @@
+policy_module(drbd, 1.0.0)
+
+########################################
@@ -99209,6 +99209,8 @@ index 0000000..3bca7b0
+kernel_read_system_state(drbd_t)
+
+dev_read_sysfs(drbd_t)
++dev_read_rand(drbd_t)
++dev_read_urand(drbd_t)
+
+files_read_etc_files(drbd_t)
+
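Review bot: `dev_read_rand(drbd_t)` grants more than the changelog entry asks for, which names only /dev/urandom for drbdadmin. If the denial behind this change was on urandom alone, `dev_read_urand(drbd_t)` by itself is the narrower grant; otherwise the changelog line should name both devices so the policy and its stated reason agree. The rest of drbd.te lies outside this hunk, so whether another rule already depends on /dev/random cannot be checked from here.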
@@ -105116,10 +105118,10 @@ index 0000000..2021c49
+')
diff --git a/policy/modules/services/l2tpd.te b/policy/modules/services/l2tpd.te
new file mode 100644
-index 0000000..deb55ee
+index 0000000..ab62151
--- /dev/null
+++ b/policy/modules/services/l2tpd.te
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,93 @@
+policy_module(l2tpd, 1.0.0)
+
+########################################
@@ -105192,6 +105194,8 @@ index 0000000..deb55ee
+# net-pf-24 (pppox)
+kernel_request_load_module(l2tpd_t)
+
++term_use_ptmx(l2tpd_t)
++
+# prol2tpc
+corecmd_exec_bin(l2tpd_t)
+
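Review bot: The added `term_use_ptmx(l2tpd_t)` carries no comment, while the rules around it do (`# net-pf-24 (pppox)`, `# prol2tpc`), and the changelog itself only says l2tpd "seems to" use ptmx. A one-line comment naming what opens the pty, for example `# <component> allocates a pty via /dev/ptmx`, would let a later reviewer judge whether the permission is still needed. Opening ptmx is usually followed by access to the allocated pty, and no such rule is visible in this hunk; the rest of l2tpd.te is outside it, so that may already be covered.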
@@ -116407,7 +116411,7 @@ index 7257526..7d73656 100644
manage_files_pattern(postfix_policyd_t, postfix_policyd_var_run_t, postfix_policyd_var_run_t)
files_pid_filetrans(postfix_policyd_t, postfix_policyd_var_run_t, file)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
-index f03fad4..1865d8f 100644
+index f03fad4..668467d 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -11,9 +11,9 @@
@@ -116423,6 +116427,12 @@ index f03fad4..1865d8f 100644
ifdef(`distro_debian', `
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+@@ -45,4 +45,4 @@ ifdef(`distro_redhat', `
+
+ /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+-/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
++#/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 09aeffa..e66adbd 100644
--- a/policy/modules/services/postgresql.if
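Review bot: The `/var/run/postmaster.*` entry is commented out rather than removed, and nothing in the file says why it is kept. After this change a relabel no longer assigns postgresql_var_run_t to files matching that pattern, so they fall back to whatever the generic /var/run rule gives them (presumably var_run_t). Either delete the line or put the reason above it, for example `# postmaster files now live under /var/run/postgresql; entry kept for reference`, if that is indeed the reason.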
@@ -133679,7 +133689,7 @@ index 7f88f5f..67a111c 100644
zabbix_tcp_connect(zabbix_agent_t)
+
diff --git a/policy/modules/services/zarafa.fc b/policy/modules/services/zarafa.fc
-index 3defaa1..2ad2488 100644
+index 3defaa1..963b70c 100644
--- a/policy/modules/services/zarafa.fc
+++ b/policy/modules/services/zarafa.fc
@@ -8,7 +8,8 @@
@@ -133692,6 +133702,15 @@ index 3defaa1..2ad2488 100644
/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0)
/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0)
+@@ -20,7 +21,7 @@
+ /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+ /var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0)
+ /var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0)
+-/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
++/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0)
+ /var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0)
+ /var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0)
+ /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0)
diff --git a/policy/modules/services/zarafa.if b/policy/modules/services/zarafa.if
index 21ae664..cb3a098 100644
--- a/policy/modules/services/zarafa.if
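Review bot: Switching `/var/run/zarafa-indexer` from `--` to `-s` only changes what a relabel applies; the label at creation time depends on a type transition in zarafa.te, which is not part of this hunk. It is worth checking that the indexer domain's `files_pid_filetrans(...)` covers `sock_file` as well as `file`, otherwise the socket is created with the generic /var/run type and gets the new context only after a relabel. Note also that a regular file left at this path by an older version no longer matches any zarafa entry.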
@@ -134516,7 +134535,7 @@ index c6fdab7..41198a4 100644
cron_sigchld(application_domain_type)
')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
-index 28ad538..bb13287 100644
+index 28ad538..82def3d 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,3 +1,7 @@
@@ -134533,10 +134552,10 @@ index 28ad538..bb13287 100644
/etc/passwd\.lock -- gen_context(system_u:object_r:shadow_t,s0)
+/etc/passwd\.adjunct.* -- gen_context(system_u:object_r:shadow_t,s0)
/etc/shadow.* -- gen_context(system_u:object_r:shadow_t,s0)
-+/etc/passwd-? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/passwd[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/passwd\.OLD -- gen_context(system_u:object_r:passwd_file_t,s0)
+/etc/ptmptmp -- gen_context(system_u:object_r:passwd_file_t,s0)
-+/etc/group-? -- gen_context(system_u:object_r:passwd_file_t,s0)
++/etc/group[-\+]? -- gen_context(system_u:object_r:passwd_file_t,s0)
/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
/sbin/pam_timestamp_check -- gen_context(system_u:object_r:pam_exec_t,s0)
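Review bot: The bracket expression in `/etc/passwd[-\+]?` and `/etc/group[-\+]?` does not need the backslash. Under POSIX regex rules a backslash inside brackets is a literal character, so the pattern would also match a name ending in `\`. Writing `[-+]?` matches exactly `-` or `+` whichever regex engine compiles the file contexts. This applies to both changed lines in the hunk.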
@@ -134590,7 +134609,7 @@ index 28ad538..bb13287 100644
-/var/run/user(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/var/(db|lib|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
-index 73554ec..8beee5b 100644
+index 73554ec..3fcce09 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -57,6 +57,8 @@ interface(`auth_use_pam',`
@@ -135037,7 +135056,7 @@ index 73554ec..8beee5b 100644
## </p>
## </desc>
## <param name="domain">
-@@ -1575,87 +1808,204 @@ interface(`auth_relabel_login_records',`
+@@ -1575,87 +1808,206 @@ interface(`auth_relabel_login_records',`
## Domain allowed access.
## </summary>
## </param>
@@ -135086,8 +135105,10 @@ index 73554ec..8beee5b 100644
- sysnet_use_ldap($1)
+ files_etc_filetrans($1, passwd_file_t, file, "group")
+ files_etc_filetrans($1, passwd_file_t, file, "group-")
++ #files_etc_filetrans($1, passwd_file_t, file, "group+")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd-")
++ #files_etc_filetrans($1, passwd_file_t, file, "passwd+")
+ files_etc_filetrans($1, passwd_file_t, file, "passwd.OLD")
+ files_etc_filetrans($1, passwd_file_t, file, "ptmptmp")
+ files_etc_filetrans($1, shadow_t, file, "group.lock")
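Review bot: The two added lines for `"group+"` and `"passwd+"` are commented out, so the interface still creates no named transition for those files even though the changelog and the authlogin.fc pattern say they should carry passwd_file_t. A tool that writes /etc/passwd+ or /etc/group+ would then get the directory's default type at creation and pick up passwd_file_t only after a relabel. If the transitions are disabled on purpose, say why in a comment next to them; otherwise enable them, `files_etc_filetrans($1, passwd_file_t, file, "passwd+")` and the matching `"group+"` line. The enclosing interface starts and ends outside this hunk.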
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 1c9d7ca..a230686 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,7 +19,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 109%{?dist}
+Release: 110%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -489,6 +489,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Tue Apr 3 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-110
+- /var/run/postmaster.* labeling is no longer needed
+- Alllow drbdadmin to read /dev/urandom
+- l2tpd_t seems to use ptmx
+- group+ and passwd+ should be labeled as /etc/passwd
+- Zarafa-indexer is a socket
+
* Fri Mar 30 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-109
- Ensure lastlog is labeled correctly
- Allow accountsd to read /proc data about gdm