rpms/selinux-policy/F-7 policy-20070501.patch, 1.60, 1.61 selinux-policy.spec, 1.495, 1.496

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Sep 26 15:20:36 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv19370

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Mon Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-45
- Allow nsswitch apps to read samba_var_t
- Changes to allow setroubleshoot to run


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.60
retrieving revision 1.61
diff -u -r1.60 -r1.61
--- policy-20070501.patch	22 Sep 2007 12:17:31 -0000	1.60
+++ policy-20070501.patch	26 Sep 2007 15:20:00 -0000	1.61
@@ -7550,7 +7550,7 @@
  /usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-2.6.4/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/postfix.if	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/postfix.if	2007-09-26 11:18:04.000000000 -0400
 @@ -41,6 +41,7 @@
  	allow postfix_$1_t self:unix_stream_socket connectto;
  
@@ -7559,7 +7559,16 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
  	read_files_pattern(postfix_$1_t,postfix_etc_t,postfix_etc_t)
-@@ -66,6 +67,7 @@
+@@ -56,6 +57,8 @@
+ 	allow postfix_$1_t postfix_var_run_t:file manage_file_perms;
+ 	files_pid_filetrans(postfix_$1_t,postfix_var_run_t,file)
+ 
++	auth_use_nsswitch(postfix_$1_t)
++
+ 	kernel_read_system_state(postfix_$1_t)
+ 	kernel_read_network_state(postfix_$1_t)
+ 	kernel_read_all_sysctls(postfix_$1_t)
+@@ -66,6 +69,7 @@
  
  	fs_search_auto_mountpoints(postfix_$1_t)
  	fs_getattr_xattr_fs(postfix_$1_t)
@@ -7567,19 +7576,19 @@
  
  	term_dontaudit_use_console(postfix_$1_t)
  
-@@ -137,10 +139,8 @@
+@@ -137,11 +141,6 @@
  	corenet_tcp_connect_all_ports(postfix_$1_t)
  	corenet_sendrecv_all_client_packets(postfix_$1_t)
  
 -	sysnet_read_config(postfix_$1_t)
 -
- 	optional_policy(`
+-	optional_policy(`
 -		nis_use_ypbind(postfix_$1_t)
-+		auth_use_nsswitch(postfix_$1_t)
- 	')
+-	')
  ')
  
-@@ -274,6 +274,42 @@
+ ########################################
+@@ -274,6 +273,42 @@
  
  ########################################
  ## <summary>
@@ -7622,7 +7631,7 @@
  ##	Do not audit attempts to use
  ##	postfix master process file
  ##	file descriptors.
-@@ -439,6 +475,25 @@
+@@ -439,6 +474,25 @@
  
  ########################################
  ## <summary>
@@ -7648,7 +7657,7 @@
  ##	Execute postfix user mail programs
  ##	in their respective domains.
  ## </summary>
-@@ -455,3 +510,22 @@
+@@ -455,3 +509,22 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
@@ -8588,7 +8597,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-2.6.4/policy/modules/services/samba.if
 --- nsaserefpolicy/policy/modules/services/samba.if	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.if	2007-09-18 08:18:51.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.if	2007-09-24 17:17:58.000000000 -0400
 @@ -177,6 +177,27 @@
  
  ########################################
@@ -8625,7 +8634,7 @@
  	allow $1 samba_var_t:dir search_dir_perms;
  ')
  
-@@ -250,11 +272,55 @@
+@@ -250,11 +272,74 @@
  	')
  
  	files_search_var($1)
@@ -8678,10 +8687,29 @@
 +
 +########################################
 +## <summary>
++##	dontaudit the specified domain to
++##	write samba /var files.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`samba_dontaudit_write_var_files',`
++	gen_require(`
++		type samba_var_t;
++	')
++
++	dontaudit $1 samba_var_t:file write;
++')
++
++########################################
++## <summary>
  ##	Allow the specified domain to write to smbmount tcp sockets.
  ## </summary>
  ## <param name="domain">
-@@ -377,3 +443,121 @@
+@@ -377,3 +462,121 @@
  	allow $1 samba_var_t:dir search_dir_perms;
  	stream_connect_pattern($1,winbind_var_run_t,winbind_var_run_t,winbind_t)
  ')
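Review bot: The new `samba_dontaudit_write_var_files` interface documents its parameter as `##	Domain allowed access.`, but the interface grants nothing — it only suppresses audit records for `samba_var_t:file write` — so the reference-policy wording for dontaudit interfaces, `##	Domain to not audit.`, describes it correctly. The summary `dontaudit the specified domain to write samba /var files.` also reads awkwardly; `Do not audit attempts by the specified domain to write samba /var files.` matches the phrasing of the other dontaudit summaries visible in this patch (`Do not audit attempts to use ... file descriptors.` in the postfix.if section). Neither change affects the generated policy.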
@@ -8805,7 +8833,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-09-18 08:17:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-09-25 17:10:56.000000000 -0400
 @@ -16,6 +16,14 @@
  
  ## <desc>
@@ -8950,7 +8978,7 @@
  
  files_list_var_lib(smbd_t)
  files_read_etc_files(smbd_t)
-@@ -290,12 +324,16 @@
+@@ -290,8 +324,6 @@
  miscfiles_read_localization(smbd_t)
  miscfiles_read_public_files(smbd_t)
  
@@ -8959,6 +8987,9 @@
  userdom_dontaudit_search_sysadm_home_dirs(smbd_t)
  userdom_dontaudit_use_unpriv_user_fds(smbd_t)
  userdom_use_unpriv_users_fds(smbd_t)
+@@ -312,6 +344,12 @@
+ 	miscfiles_manage_public_files(smbd_t)
+ ') 
  
 +tunable_policy(`samba_domain_controller',`
 +	usermanage_domtrans_passwd(smbd_t)
@@ -8966,9 +8997,9 @@
 +	usermanage_domtrans_groupadd(smbd_t)
 +')
 +
- ifdef(`hide_broken_symptoms', `
- 	files_dontaudit_getattr_default_dirs(smbd_t)
- 	files_dontaudit_getattr_boot_dirs(smbd_t)
+ # Support Samba sharing of NFS mount points
+ tunable_policy(`samba_share_nfs',`
+ 	fs_manage_nfs_dirs(smbd_t)
 @@ -319,6 +357,14 @@
  ')
  
@@ -9105,7 +9136,7 @@
  ')
  
  ########################################
-@@ -530,22 +590,30 @@
+@@ -530,22 +590,36 @@
  # SWAT Local policy
  #
  
@@ -9125,12 +9156,19 @@
 +allow swat_t nmbd_port_t:udp_socket name_bind;
 +allow swat_t nmbd_t:process { signal signull };
 +allow swat_t nmbd_var_run_t:file { lock read unlink };
- 
- rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
- 
++
 +init_read_utmp(swat_t)
 +init_dontaudit_write_utmp(swat_t)
 +
++manage_dirs_pattern(swat_t,samba_log_t,samba_log_t)
++create_files_pattern(swat_t,samba_log_t,samba_log_t)
+ 
+-rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)
++manage_files_pattern(swat_t,samba_etc_t,samba_etc_t)
++
++manage_files_pattern(swat_t,samba_var_t,samba_var_t)
++files_list_var_lib(swat_t)
+ 
  append_files_pattern(swat_t,samba_log_t,samba_log_t)
  
 -allow swat_t smbd_exec_t:file execute ;
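Review bot: The swat_t rules replace `rw_files_pattern(swat_t,samba_etc_t,samba_etc_t)` with `manage_files_pattern(swat_t,samba_etc_t,samba_etc_t)` and add `manage_files_pattern(swat_t,samba_var_t,samba_var_t)` plus `manage_dirs_pattern`/`create_files_pattern` on samba_log_t, which lets the SWAT web-administration domain create, unlink and rename Samba's configuration, /var and log files instead of only reading and writing them, yet neither the commit log nor the spec changelog mentions SWAT. A why-comment above the block, e.g. `# TODO(review): record the SWAT operation that needs create/unlink/rename on samba_etc_t and samba_var_t`, would tie the widening to the denial it fixes. If that denial was on a single file, a rule on a dedicated type rather than manage over all of samba_etc_t would keep the grant minimal. The SWAT local-policy section continues outside this hunk.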
@@ -9142,7 +9180,7 @@
  
  allow swat_t smbd_t:process signull;
  
-@@ -558,7 +626,11 @@
+@@ -558,7 +632,11 @@
  manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
  files_pid_filetrans(swat_t,swat_var_run_t,file)
  
@@ -9155,7 +9193,7 @@
  
  kernel_read_kernel_sysctls(swat_t)
  kernel_read_system_state(swat_t)
-@@ -582,23 +654,24 @@
+@@ -582,23 +660,24 @@
  
  dev_read_urand(swat_t)
  
@@ -9182,7 +9220,7 @@
  optional_policy(`
  	cups_read_rw_config(swat_t)
  	cups_stream_connect(swat_t)
-@@ -612,32 +685,30 @@
+@@ -612,32 +691,30 @@
  	kerberos_use(swat_t)
  ')
  
@@ -9222,7 +9260,7 @@
  manage_files_pattern(winbind_t,samba_etc_t,samba_secrets_t)
  filetrans_pattern(winbind_t,samba_etc_t,samba_secrets_t,file)
  
-@@ -645,6 +716,8 @@
+@@ -645,6 +722,8 @@
  manage_files_pattern(winbind_t,samba_log_t,samba_log_t)
  manage_lnk_files_pattern(winbind_t,samba_log_t,samba_log_t)
  
@@ -9231,7 +9269,7 @@
  manage_files_pattern(winbind_t,samba_var_t,samba_var_t)
  manage_lnk_files_pattern(winbind_t,samba_var_t,samba_var_t)
  
-@@ -682,7 +755,9 @@
+@@ -682,7 +761,9 @@
  fs_getattr_all_fs(winbind_t)
  fs_search_auto_mountpoints(winbind_t)
  
@@ -9241,7 +9279,7 @@
  
  domain_use_interactive_fds(winbind_t)
  
-@@ -695,9 +770,6 @@
+@@ -695,9 +776,6 @@
  
  miscfiles_read_localization(winbind_t)
  
@@ -9251,7 +9289,7 @@
  userdom_dontaudit_use_unpriv_user_fds(winbind_t)
  userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
  userdom_priveleged_home_dir_manager(winbind_t)
-@@ -713,10 +785,6 @@
+@@ -713,10 +791,6 @@
  ')
  
  optional_policy(`
@@ -9262,7 +9300,7 @@
  	seutil_sigchld_newrole(winbind_t)
  ')
  
-@@ -736,6 +804,7 @@
+@@ -736,6 +810,7 @@
  read_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
  read_lnk_files_pattern(winbind_helper_t,samba_etc_t,samba_etc_t)
  
@@ -9270,7 +9308,7 @@
  allow winbind_helper_t samba_var_t:dir search;
  
  stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -763,4 +832,64 @@
+@@ -763,4 +838,64 @@
  optional_policy(`
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
@@ -9417,7 +9455,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/setroubleshoot.te serefpolicy-2.6.4/policy/modules/services/setroubleshoot.te
 --- nsaserefpolicy/policy/modules/services/setroubleshoot.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/setroubleshoot.te	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/setroubleshoot.te	2007-09-26 11:13:13.000000000 -0400
 @@ -28,12 +28,11 @@
  #
  
@@ -9432,23 +9470,41 @@
  
  # database files
  allow setroubleshootd_t setroubleshoot_var_lib_t:dir setattr;
-@@ -51,6 +50,8 @@
- manage_sock_files_pattern(setroubleshootd_t,setroubleshoot_var_run_t,setroubleshoot_var_run_t)
- files_pid_filetrans(setroubleshootd_t,setroubleshoot_var_run_t, { file sock_file })
+@@ -67,6 +66,7 @@
+ corenet_sendrecv_smtp_client_packets(setroubleshootd_t)
+ 
+ dev_read_urand(setroubleshootd_t)
++dev_read_sysfs(setroubleshootd_t)
+ 
+ domain_dontaudit_search_all_domains_state(setroubleshootd_t)
+ 
+@@ -75,12 +75,17 @@
+ files_getattr_all_dirs(setroubleshootd_t)
+ files_getattr_all_files(setroubleshootd_t)
+ 
++fs_getattr_all_dirs(setroubleshootd_t)
++fs_getattr_all_files(setroubleshootd_t)
++
+ selinux_get_enforce_mode(setroubleshootd_t)
+ selinux_validate_context(setroubleshootd_t)
+ 
+ term_dontaudit_use_all_user_ptys(setroubleshootd_t)
+ term_dontaudit_use_all_user_ttys(setroubleshootd_t)
  
 +auth_use_nsswitch(setroubleshootd_t)
 +
- kernel_read_kernel_sysctls(setroubleshootd_t)
- kernel_read_system_state(setroubleshootd_t)
- kernel_read_network_state(setroubleshootd_t)
-@@ -111,7 +112,3 @@
- 	rpm_dontaudit_manage_db(setroubleshootd_t)
-         rpm_use_script_fds(setroubleshootd_t)
+ init_read_utmp(setroubleshootd_t)
+ init_dontaudit_write_utmp(setroubleshootd_t)
+ 
+@@ -113,5 +118,7 @@
  ')
--
--optional_policy(`
+ 
+ optional_policy(`
 -	nis_use_ypbind(setroubleshootd_t)
--')
++	dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)
++	dbus_send_system_bus(setroubleshootd_t)
++	dbus_connect_system_bus(setroubleshootd_t)
+ ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-2.6.4/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/smartmon.te	2007-08-07 09:42:35.000000000 -0400
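Review bot: The dbus block added at the end of the setroubleshoot.te section calls `dbus_system_bus_client_template(setroubleshootd, setroubleshootd_t)` and then also `dbus_send_system_bus(setroubleshootd_t)` and `dbus_connect_system_bus(setroubleshootd_t)`; if the template already grants the connect and send_msg permissions, the two explicit calls are redundant and one form should be kept — verify against dbus.if, which is not on this page. The `+dev_read_sysfs(setroubleshootd_t)` and `+fs_getattr_all_dirs/files` lines carry no explanation beyond the changelog's "Changes to allow setroubleshoot to run"; a one-line comment naming the denied operation each fixes, e.g. `# TODO(review): note which setroubleshootd access needs sysfs`, lets a later maintainer judge whether the grant can be narrowed. The `fs_getattr_all_*` calls sit next to the existing `files_getattr_all_*` calls and extend getattr to filesystem-labelled objects, so that pairing deserves a comment as well.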
@@ -10154,7 +10210,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.if serefpolicy-2.6.4/policy/modules/system/authlogin.if
 --- nsaserefpolicy/policy/modules/system/authlogin.if	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.if	2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.if	2007-09-24 17:17:32.000000000 -0400
 @@ -27,11 +27,9 @@
  	domain_type($1_chkpwd_t)
  	domain_entry_file($1_chkpwd_t,chkpwd_exec_t)
@@ -10324,7 +10380,16 @@
  ##	Get the attributes of the shadow passwords file.
  ## </summary>
  ## <param name="domain">
-@@ -1391,3 +1425,114 @@
+@@ -1357,6 +1391,8 @@
+ 
+ 	optional_policy(`
+ 		samba_stream_connect_winbind($1)
++		samba_read_var_files($1)
++		samba_dontaudit_write_var_files($1)
+ 	')
+ ')
+ 
+@@ -1391,3 +1427,114 @@
  	typeattribute $1 can_write_shadow_passwords;
  	typeattribute $1 can_relabelto_shadow_passwords;
  ')
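Review bot: Adding `samba_read_var_files($1)` to the interface in this hunk (its head is outside the hunk; the `samba_stream_connect_winbind($1)` context line and the changelog suggest it is `auth_use_nsswitch`) grants every nsswitch-using domain read access to everything labelled samba_var_t, not only the files a winbind lookup presumably needs. A comment next to the added lines, e.g. `# nsswitch clients need winbind data under samba_var_t -- TODO: narrow to a winbind-specific type if one is introduced`, would record why a broad type is granted from an interface that many domains call. The paired `samba_dontaudit_write_var_files($1)` hides write denials for all of those domains, which is fine for noise reduction but also masks a real misconfiguration, so keep it only if those writes are known to be harmless.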
@@ -12775,7 +12840,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-2.6.4/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-09-18 08:18:22.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/unconfined.te	2007-09-24 17:20:49.000000000 -0400
 @@ -6,6 +6,15 @@
  # Declarations
  #
@@ -12792,7 +12857,15 @@
  type unconfined_t;
  type unconfined_exec_t;
  init_system_domain(unconfined_t,unconfined_exec_t)
-@@ -50,6 +59,8 @@
+@@ -28,6 +37,7 @@
+ ifdef(`targeted_policy',`
+ 	allow unconfined_t self:system syslog_read;
+ 	dontaudit unconfined_t self:capability sys_module;
++	dontaudit unconfined_t self:dir write;
+ 
+ 	domain_auto_trans(unconfined_t,unconfined_execmem_exec_t,unconfined_execmem_t)
+ 
+@@ -50,6 +60,8 @@
  	userdom_unconfined(unconfined_t)
  	userdom_priveleged_home_dir_manager(unconfined_t)
  
@@ -12801,7 +12874,7 @@
  	optional_policy(`
  		ada_domtrans(unconfined_t)
  	')
-@@ -63,10 +74,6 @@
+@@ -63,10 +75,6 @@
  	')
  
  	optional_policy(`
@@ -12812,7 +12885,7 @@
  		init_dbus_chat_script(unconfined_t)
  
  		dbus_stub(unconfined_t)
-@@ -93,6 +100,7 @@
+@@ -93,6 +101,7 @@
  
  		optional_policy(`
  			networkmanager_dbus_chat(unconfined_t)
@@ -12820,7 +12893,7 @@
  		')
  
  		optional_policy(`
-@@ -153,11 +161,14 @@
+@@ -153,11 +162,14 @@
  
  	optional_policy(`
  		rpm_domtrans(unconfined_t)
@@ -12835,7 +12908,7 @@
  	')
  
  	optional_policy(`
-@@ -192,6 +203,9 @@
+@@ -192,6 +204,9 @@
  	optional_policy(`
  		xserver_domtrans_xdm_xserver(unconfined_t)
  	')
@@ -12845,7 +12918,7 @@
  ')
  
  ########################################
-@@ -200,10 +214,18 @@
+@@ -200,10 +215,18 @@
  #
  
  ifdef(`targeted_policy',`


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.495
retrieving revision 1.496
diff -u -r1.495 -r1.496
--- selinux-policy.spec	22 Sep 2007 12:17:31 -0000	1.495
+++ selinux-policy.spec	26 Sep 2007 15:20:00 -0000	1.496
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 44%{?dist}
+Release: 45%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,10 @@
 %endif
 
 %changelog
+* Mon Sep 24 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-45
+- Allow nsswitch apps to read samba_var_t
+- Changes to allow setroubleshoot to run
+
 * Sat Sep 22 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-44
 - Fix /dev/input/uinput 
 



