rpms/selinux-policy/F-8 policy-20070703.patch, 1.199, 1.200 selinux-policy.spec, 1.625, 1.626
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Apr 15 16:57:12 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8445
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Tue Apr 8 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-99
- Allow privoxy to write to /etc/privoxy/default\.action
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.199
retrieving revision 1.200
diff -u -r1.199 -r1.200
--- policy-20070703.patch 6 Apr 2008 12:07:02 -0000 1.199
+++ policy-20070703.patch 15 Apr 2008 16:57:03 -0000 1.200
@@ -1,3 +1,55 @@
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular
+--- nsaserefpolicy/Rules.modular 2007-10-22 13:21:44.000000000 -0400
++++ serefpolicy-3.0.8/Rules.modular 2008-04-04 16:11:04.000000000 -0400
+@@ -96,6 +96,9 @@
+ @test -d $(builddir) || mkdir -p $(builddir)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
+
++ifneq "$(UNK_PERMS)" ""
++$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
++endif
+ $(base_mod): $(base_conf)
+ @echo "Compiling $(NAME) base module"
+ $(verbose) $(CHECKMODULE) $^ -o $@
+@@ -144,6 +147,7 @@
+
+ $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
+ $(tmpdir)/rolemap.conf: $(rolemap)
++ $(verbose) echo "" > $@
+ $(call parse-rolemap,base,$@)
+
+ $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.0.8/Rules.monolithic
+--- nsaserefpolicy/Rules.monolithic 2007-10-22 13:21:43.000000000 -0400
++++ serefpolicy-3.0.8/Rules.monolithic 2008-04-04 16:11:04.000000000 -0400
+@@ -63,6 +63,9 @@
+ #
+ # Build a binary policy locally
+ #
++ifneq "$(UNK_PERMS)" ""
++$(polver): CHECKPOLICY += -U $(UNK_PERMS)
++endif
+ $(polver): $(policy_conf)
+ @echo "Compiling $(NAME) $(polver)"
+ ifneq ($(pv),$(kv))
+@@ -76,6 +79,9 @@
+ #
+ # Install a binary policy
+ #
++ifneq "$(UNK_PERMS)" ""
++$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
++endif
+ $(loadpath): $(policy_conf)
+ @mkdir -p $(policypath)
+ @echo "Compiling and installing $(NAME) $(loadpath)"
+@@ -127,6 +133,7 @@
+ @echo "divert" >> $@
+
+ $(tmpdir)/rolemap.conf: $(rolemap)
++ $(verbose) echo "" > $@
+ $(call parse-rolemap,base,$@)
+
+ $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/default_contexts serefpolicy-3.0.8/config/appconfig-mcs/default_contexts
--- nsaserefpolicy/config/appconfig-mcs/default_contexts 2007-10-22 13:21:43.000000000 -0400
+++ serefpolicy-3.0.8/config/appconfig-mcs/default_contexts 2008-04-04 16:11:03.000000000 -0400
@@ -92,12 +144,6 @@
+staff_r:staff_sudo_t:s0 staff_r:staff_t:s0
+sysadm_r:sysadm_su_t:s0 sysadm_r:sysadm_t:s0
+sysadm_r:sysadm_sudo_t:s0 sysadm_r:sysadm_t:s0
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context
---- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-22 13:21:43.000000000 -0400
-+++ serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context 2008-04-04 16:11:03.000000000 -0400
-@@ -1 +1 @@
--system_u:sysadm_r:sysadm_t:s0
-+system_u:system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/user_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mcs/user_u_default_contexts 2008-04-04 16:11:03.000000000 -0400
@@ -109,6 +155,12 @@
+system_r:xdm_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_su_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+user_r:user_sudo_t:s0 system_r:unconfined_t:s0 user_r:user_t:s0
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/userhelper_context serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context
+--- nsaserefpolicy/config/appconfig-mcs/userhelper_context 2007-10-22 13:21:43.000000000 -0400
++++ serefpolicy-3.0.8/config/appconfig-mcs/userhelper_context 2008-04-04 16:11:03.000000000 -0400
+@@ -1 +1 @@
+-system_u:sysadm_r:sysadm_t:s0
++system_u:system_r:unconfined_t:s0
diff --exclude-from=exclude -N -u -r nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts
--- nsaserefpolicy/config/appconfig-mcs/xguest_u_default_contexts 1969-12-31 19:00:00.000000000 -0500
+++ serefpolicy-3.0.8/config/appconfig-mcs/xguest_u_default_contexts 2008-04-04 16:11:03.000000000 -0400
@@ -2203,80 +2255,6 @@
userdom_use_all_users_fds(rpm_script_t)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.8/policy/modules/admin/sudo.if
---- nsaserefpolicy/policy/modules/admin/sudo.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/sudo.if 2008-04-04 16:11:03.000000000 -0400
-@@ -55,7 +55,7 @@
- #
-
- # Use capabilities.
-- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
-+ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
- allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_sudo_t self:process { setexec setrlimit };
- allow $1_sudo_t self:fd use;
-@@ -68,7 +68,6 @@
- allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_sudo_t self:unix_dgram_socket sendto;
- allow $1_sudo_t self:unix_stream_socket connectto;
-- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
- allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
-
- # Enter this derived domain from the user domain
-@@ -76,6 +75,7 @@
-
- # By default, revert to the calling domain when a shell is executed.
- corecmd_shell_domtrans($1_sudo_t,$2)
-+ corecmd_bin_domtrans($1_sudo_t,$2)
- allow $2 $1_sudo_t:fd use;
- allow $2 $1_sudo_t:fifo_file rw_file_perms;
- allow $2 $1_sudo_t:process sigchld;
-@@ -89,9 +89,11 @@
- fs_search_auto_mountpoints($1_sudo_t)
- fs_getattr_xattr_fs($1_sudo_t)
-
-- auth_domtrans_chk_passwd($1_sudo_t)
-+ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
-+ auth_run_upd_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
- # sudo stores a token in the pam_pid directory
- auth_manage_pam_pid($1_sudo_t)
-+ auth_search_key($1_sudo_t)
-
- corecmd_read_bin_symlinks($1_sudo_t)
- corecmd_getattr_all_executables($1_sudo_t)
-@@ -106,18 +108,21 @@
- files_getattr_usr_files($1_sudo_t)
- # for some PAM modules and for cwd
- files_dontaudit_search_home($1_sudo_t)
-+ files_list_tmp($1_sudo_t)
-
- init_rw_utmp($1_sudo_t)
-
- libs_use_ld_so($1_sudo_t)
- libs_use_shared_libs($1_sudo_t)
-
-+ logging_send_audit_msgs($1_sudo_t)
- logging_send_syslog_msg($1_sudo_t)
-
- miscfiles_read_localization($1_sudo_t)
-
- userdom_manage_user_home_content_files($1,$1_sudo_t)
- userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
-+
- userdom_manage_user_tmp_files($1,$1_sudo_t)
- userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
- userdom_use_user_terminals($1,$1_sudo_t)
-@@ -126,6 +131,10 @@
- userdom_dontaudit_search_all_users_home_content($1_sudo_t)
-
- optional_policy(`
-+ locallogin_search_keys($1_sudo_t)
-+ ')
-+
-+ optional_policy(`
- nis_use_ypbind($1_sudo_t)
- ')
-
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if serefpolicy-3.0.8/policy/modules/admin/su.if
--- nsaserefpolicy/policy/modules/admin/su.if 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/su.if 2008-04-04 16:11:03.000000000 -0400
@@ -2375,6 +2353,80 @@
ifdef(`TODO',`
allow $1_su_t $1_home_t:file manage_file_perms;
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.0.8/policy/modules/admin/sudo.if
+--- nsaserefpolicy/policy/modules/admin/sudo.if 2007-10-22 13:21:42.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/sudo.if 2008-04-04 16:11:03.000000000 -0400
+@@ -55,7 +55,7 @@
+ #
+
+ # Use capabilities.
+- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
++ allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_sudo_t self:process { setexec setrlimit };
+ allow $1_sudo_t self:fd use;
+@@ -68,7 +68,6 @@
+ allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_sudo_t self:unix_dgram_socket sendto;
+ allow $1_sudo_t self:unix_stream_socket connectto;
+- allow $1_sudo_t self:netlink_audit_socket { create bind write nlmsg_read read };
+ allow $1_sudo_t self:netlink_route_socket r_netlink_socket_perms;
+
+ # Enter this derived domain from the user domain
+@@ -76,6 +75,7 @@
+
+ # By default, revert to the calling domain when a shell is executed.
+ corecmd_shell_domtrans($1_sudo_t,$2)
++ corecmd_bin_domtrans($1_sudo_t,$2)
+ allow $2 $1_sudo_t:fd use;
+ allow $2 $1_sudo_t:fifo_file rw_file_perms;
+ allow $2 $1_sudo_t:process sigchld;
+@@ -89,9 +89,11 @@
+ fs_search_auto_mountpoints($1_sudo_t)
+ fs_getattr_xattr_fs($1_sudo_t)
+
+- auth_domtrans_chk_passwd($1_sudo_t)
++ auth_run_chk_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
++ auth_run_upd_passwd($1_sudo_t, $3, { $1_tty_device_t $1_devpts_t })
+ # sudo stores a token in the pam_pid directory
+ auth_manage_pam_pid($1_sudo_t)
++ auth_search_key($1_sudo_t)
+
+ corecmd_read_bin_symlinks($1_sudo_t)
+ corecmd_getattr_all_executables($1_sudo_t)
+@@ -106,18 +108,21 @@
+ files_getattr_usr_files($1_sudo_t)
+ # for some PAM modules and for cwd
+ files_dontaudit_search_home($1_sudo_t)
++ files_list_tmp($1_sudo_t)
+
+ init_rw_utmp($1_sudo_t)
+
+ libs_use_ld_so($1_sudo_t)
+ libs_use_shared_libs($1_sudo_t)
+
++ logging_send_audit_msgs($1_sudo_t)
+ logging_send_syslog_msg($1_sudo_t)
+
+ miscfiles_read_localization($1_sudo_t)
+
+ userdom_manage_user_home_content_files($1,$1_sudo_t)
+ userdom_manage_user_home_content_symlinks($1,$1_sudo_t)
++
+ userdom_manage_user_tmp_files($1,$1_sudo_t)
+ userdom_manage_user_tmp_symlinks($1,$1_sudo_t)
+ userdom_use_user_terminals($1,$1_sudo_t)
+@@ -126,6 +131,10 @@
+ userdom_dontaudit_search_all_users_home_content($1_sudo_t)
+
+ optional_policy(`
++ locallogin_search_keys($1_sudo_t)
++ ')
++
++ optional_policy(`
+ nis_use_ypbind($1_sudo_t)
+ ')
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te
--- nsaserefpolicy/policy/modules/admin/tmpreaper.te 2007-10-22 13:21:42.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/admin/tmpreaper.te 2008-04-04 16:11:03.000000000 -0400
@@ -6751,7 +6803,7 @@
+/etc/rc\.d/init\.d/httpd -- gen_context(system_u:object_r:httpd_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
--- nsaserefpolicy/policy/modules/services/apache.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.if 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.if 2008-04-10 13:08:35.000000000 -0400
@@ -18,10 +18,6 @@
attribute httpd_script_exec_type;
type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -6799,7 +6851,19 @@
# Allow the web server to run scripts and serve pages
tunable_policy(`httpd_builtin_scripting',`
manage_dirs_pattern(httpd_t,httpd_$1_script_rw_t,httpd_$1_script_rw_t)
-@@ -177,48 +169,6 @@
+@@ -150,9 +142,11 @@
+
+ # privileged users run the script:
+ domtrans_pattern(httpd_exec_scripts, httpd_$1_script_exec_t, httpd_$1_script_t)
++ allow httpd_exec_scripts httpd_$1_script_exec_t:file read_file_perms;
+
+ # apache runs the script:
+ domtrans_pattern(httpd_t, httpd_$1_script_exec_t, httpd_$1_script_t)
++ allow httpd_t httpd_$1_script_exec_t:file read_file_perms;
+
+ allow httpd_t httpd_$1_script_t:process { signal sigkill sigstop };
+ allow httpd_t httpd_$1_script_exec_t:dir list_dir_perms;
+@@ -177,48 +171,6 @@
miscfiles_read_localization(httpd_$1_script_t)
')
@@ -6848,7 +6912,7 @@
optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
-@@ -265,12 +215,19 @@
+@@ -265,12 +217,19 @@
template(`apache_per_role_template', `
gen_require(`
attribute httpdcontent, httpd_script_domains;
@@ -6870,7 +6934,7 @@
typeattribute httpd_$1_script_t httpd_script_domains;
userdom_user_home_content($1,httpd_$1_content_t)
-@@ -324,6 +281,7 @@
+@@ -324,6 +283,7 @@
userdom_search_user_home_dirs($1,httpd_t)
userdom_search_user_home_dirs($1,httpd_suexec_t)
userdom_search_user_home_dirs($1,httpd_$1_script_t)
@@ -6878,7 +6942,7 @@
')
')
-@@ -345,12 +303,11 @@
+@@ -345,12 +305,11 @@
#
template(`apache_read_user_scripts',`
gen_require(`
@@ -6895,7 +6959,7 @@
')
########################################
-@@ -371,12 +328,12 @@
+@@ -371,12 +330,12 @@
#
template(`apache_read_user_content',`
gen_require(`
@@ -6912,7 +6976,7 @@
')
########################################
-@@ -754,6 +711,7 @@
+@@ -754,6 +713,7 @@
')
allow $1 httpd_modules_t:dir list_dir_perms;
@@ -6920,7 +6984,7 @@
')
########################################
-@@ -838,6 +796,10 @@
+@@ -838,6 +798,10 @@
type httpd_sys_script_t;
')
@@ -6931,7 +6995,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern($1, httpdcontent, httpd_sys_script_t)
')
-@@ -925,7 +887,7 @@
+@@ -925,7 +889,7 @@
type httpd_squirrelmail_t;
')
@@ -6940,7 +7004,7 @@
')
########################################
-@@ -1005,6 +967,31 @@
+@@ -1005,6 +969,31 @@
########################################
## <summary>
@@ -6972,7 +7036,7 @@
## Search system script state directory.
## </summary>
## <param name="domain">
-@@ -1056,3 +1043,138 @@
+@@ -1056,3 +1045,138 @@
allow httpd_t $1:process signal;
')
@@ -9750,7 +9814,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dhcp.te serefpolicy-3.0.8/policy/modules/services/dhcp.te
--- nsaserefpolicy/policy/modules/services/dhcp.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/dhcp.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/dhcp.te 2008-04-10 11:28:45.000000000 -0400
@@ -24,7 +24,7 @@
# Local policy
#
@@ -9760,6 +9824,14 @@
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
allow dhcpd_t self:process signal_perms;
allow dhcpd_t self:fifo_file { read write getattr };
+@@ -51,6 +51,7 @@
+
+ kernel_read_system_state(dhcpd_t)
+ kernel_read_kernel_sysctls(dhcpd_t)
++kernel_read_network_state(dhcpd_t)
+
+ corenet_all_recvfrom_unlabeled(dhcpd_t)
+ corenet_all_recvfrom_netlabel(dhcpd_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dictd.fc serefpolicy-3.0.8/policy/modules/services/dictd.fc
--- nsaserefpolicy/policy/modules/services/dictd.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/dictd.fc 2008-04-04 16:11:03.000000000 -0400
@@ -11039,7 +11111,7 @@
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2008-04-07 20:47:25.000000000 -0400
@@ -42,11 +42,17 @@
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
@@ -11068,10 +11140,13 @@
')
optional_policy(`
-@@ -172,3 +175,51 @@
- allow $1 krb5kdc_conf_t:file read_file_perms;
+@@ -169,6 +172,53 @@
+ ')
- ')
+ files_search_etc($1)
+- allow $1 krb5kdc_conf_t:file read_file_perms;
++ read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
++')
+
+########################################
+## <summary>
@@ -11099,7 +11174,7 @@
+ # creates files as system_u no matter what the selinux user
+ domain_obj_id_change_exemption($1)
+')
-+
+
+########################################
+## <summary>
+## Connect to krb524 service
@@ -11119,7 +11194,7 @@
+ corenet_udp_sendrecv_kerberos_master_port($1)
+ corenet_udp_bind_all_nodes($1)
+ ')
-+')
+ ')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2008-04-04 16:11:03.000000000 -0400
@@ -13323,7 +13398,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2008-04-14 14:31:24.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@@ -13406,7 +13481,18 @@
')
###########################################################
-@@ -263,6 +288,8 @@
+@@ -238,6 +263,10 @@
+
+ corecmd_exec_bin(postfix_cleanup_t)
+
++optional_policy(`
++ mailman_read_data_files(postfix_cleanup_t)
++')
++
+ ########################################
+ #
+ # Postfix local local policy
+@@ -263,6 +292,8 @@
files_read_etc_files(postfix_local_t)
@@ -13415,7 +13501,7 @@
mta_read_aliases(postfix_local_t)
mta_delete_spool(postfix_local_t)
# For reading spamassasin
-@@ -270,11 +297,14 @@
+@@ -270,11 +301,14 @@
optional_policy(`
clamav_search_lib(postfix_local_t)
@@ -13430,7 +13516,7 @@
')
optional_policy(`
-@@ -327,6 +357,8 @@
+@@ -327,6 +361,8 @@
files_read_etc_runtime_files(postfix_map_t)
files_dontaudit_search_var(postfix_map_t)
@@ -13439,7 +13525,7 @@
libs_use_ld_so(postfix_map_t)
libs_use_shared_libs(postfix_map_t)
-@@ -334,10 +366,6 @@
+@@ -334,10 +370,6 @@
miscfiles_read_localization(postfix_map_t)
@@ -13450,7 +13536,7 @@
tunable_policy(`read_default_t',`
files_list_default(postfix_map_t)
files_read_default_files(postfix_map_t)
-@@ -350,10 +378,6 @@
+@@ -350,10 +382,6 @@
locallogin_dontaudit_use_fds(postfix_map_t)
')
@@ -13461,7 +13547,7 @@
########################################
#
# Postfix pickup local policy
-@@ -377,7 +401,7 @@
+@@ -377,7 +405,7 @@
# Postfix pipe local policy
#
@@ -13470,7 +13556,7 @@
write_sock_files_pattern(postfix_pipe_t,postfix_private_t,postfix_private_t)
-@@ -386,6 +410,10 @@
+@@ -386,6 +414,10 @@
rw_files_pattern(postfix_pipe_t,postfix_spool_t,postfix_spool_t)
optional_policy(`
@@ -13481,7 +13567,7 @@
procmail_domtrans(postfix_pipe_t)
')
-@@ -394,6 +422,10 @@
+@@ -394,6 +426,10 @@
')
optional_policy(`
@@ -13492,7 +13578,7 @@
uucp_domtrans_uux(postfix_pipe_t)
')
-@@ -418,14 +450,17 @@
+@@ -418,14 +454,17 @@
term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
@@ -13512,7 +13598,7 @@
optional_policy(`
ppp_use_fds(postfix_postqueue_t)
ppp_sigchld(postfix_postqueue_t)
-@@ -454,8 +489,6 @@
+@@ -454,8 +493,6 @@
init_sigchld_script(postfix_postqueue_t)
init_use_script_fds(postfix_postqueue_t)
@@ -13521,7 +13607,7 @@
########################################
#
# Postfix qmgr local policy
-@@ -498,15 +531,11 @@
+@@ -498,15 +535,11 @@
term_use_all_user_ptys(postfix_showq_t)
term_use_all_user_ttys(postfix_showq_t)
@@ -13537,7 +13623,7 @@
# connect to master process
stream_connect_pattern(postfix_smtp_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
-@@ -514,6 +543,8 @@
+@@ -514,6 +547,8 @@
allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
@@ -13546,7 +13632,7 @@
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
-@@ -538,9 +569,45 @@
+@@ -538,9 +573,45 @@
mta_read_aliases(postfix_smtpd_t)
optional_policy(`
@@ -13750,9 +13836,25 @@
/var/run/postgrey\.pid -- gen_context(system_u:object_r:postgrey_var_run_t,s0)
+
+/var/spool/postfix/postgrey(/.*)? gen_context(system_u:object_r:postgrey_spool_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.0.8/policy/modules/services/postgrey.if
+--- nsaserefpolicy/policy/modules/services/postgrey.if 2007-10-22 13:21:36.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgrey.if 2008-04-14 10:39:57.000000000 -0400
+@@ -12,10 +12,11 @@
+ #
+ interface(`postgrey_stream_connect',`
+ gen_require(`
+- type postgrey_var_run_t, postgrey_t;
++ type postgrey_var_run_t, postgrey_t, postgrey_spool_t;
+ ')
+
+ allow $1 postgrey_t:unix_stream_socket connectto;
+ allow $1 postgrey_var_run_t:sock_file write;
++ allow $1 postgrey_spool_t:sock_file write;
+ files_search_pids($1)
+ ')
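Review bot: The new `allow $1 postgrey_spool_t:sock_file write;` lets callers write the spool socket, but the only path-traversal permission the interface grants is `files_search_pids($1)`, which covers the /var/run location; the spool socket is under /var/spool/postfix/postgrey (see the .fc line earlier in this hunk), so a caller that cannot already search that directory would still be denied there. If the intended callers are not all postfix domains with spool access, a search rule for the spool type belongs alongside the write, e.g. `allow $1 postgrey_spool_t:dir search_dir_perms;`. I cannot see the callers from here, so this may already be covered for the postfix domains.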
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.te serefpolicy-3.0.8/policy/modules/services/postgrey.te
--- nsaserefpolicy/policy/modules/services/postgrey.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postgrey.te 2008-04-14 10:40:08.000000000 -0400
@@ -13,6 +13,9 @@
type postgrey_etc_t;
files_config_file(postgrey_etc_t)
@@ -13763,7 +13865,7 @@
type postgrey_var_lib_t;
files_type(postgrey_var_lib_t)
-@@ -24,15 +27,20 @@
+@@ -24,15 +27,21 @@
# Local policy
#
@@ -13781,11 +13883,12 @@
+manage_dirs_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
+manage_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
+manage_fifo_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
++manage_sock_files_pattern(postgrey_t,postgrey_spool_t,postgrey_spool_t)
+
manage_files_pattern(postgrey_t,postgrey_var_lib_t,postgrey_var_lib_t)
files_var_lib_filetrans(postgrey_t,postgrey_var_lib_t,file)
-@@ -68,6 +76,8 @@
+@@ -68,6 +77,8 @@
fs_getattr_all_fs(postgrey_t)
fs_search_auto_mountpoints(postgrey_t)
@@ -13794,7 +13897,7 @@
libs_use_ld_so(postgrey_t)
libs_use_shared_libs(postgrey_t)
-@@ -75,13 +85,12 @@
+@@ -75,13 +86,12 @@
miscfiles_read_localization(postgrey_t)
@@ -14190,6 +14293,29 @@
+ ')
+')
+
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.fc serefpolicy-3.0.8/policy/modules/services/privoxy.fc
+--- nsaserefpolicy/policy/modules/services/privoxy.fc 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/privoxy.fc 2008-04-08 08:26:27.000000000 -0400
+@@ -1,6 +1,8 @@
+
+ /etc/privoxy/user\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
+
++/etc/privoxy/default\.action -- gen_context(system_u:object_r:privoxy_etc_rw_t,s0)
++
+ /usr/sbin/privoxy -- gen_context(system_u:object_r:privoxy_exec_t,s0)
+
+ /var/log/privoxy(/.*)? gen_context(system_u:object_r:privoxy_log_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/privoxy.te serefpolicy-3.0.8/policy/modules/services/privoxy.te
+--- nsaserefpolicy/policy/modules/services/privoxy.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/privoxy.te 2008-04-09 08:36:50.000000000 -0400
+@@ -51,6 +51,7 @@
+ corenet_tcp_connect_http_cache_port(privoxy_t)
+ corenet_tcp_connect_ftp_port(privoxy_t)
+ corenet_tcp_connect_tor_port(privoxy_t)
++corenet_tcp_connect_pgpkeyserver_port(privoxy_t)
+ corenet_sendrecv_http_cache_client_packets(privoxy_t)
+ corenet_sendrecv_http_cache_server_packets(privoxy_t)
+ corenet_sendrecv_http_client_packets(privoxy_t)
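Review bot: Labelling /etc/privoxy/default\.action as privoxy_etc_rw_t gives privoxy_t write access to its default rule set, not just the user overrides in user\.action, so a compromised proxy process could rewrite its own filtering policy; the .fc change deserves a comment recording why the daemon must write that file (e.g. `# privoxy edits default.action in place through its own UI — confirm`) so the widened access is not later copied without reason. The privoxy.te line also adds `corenet_tcp_connect_pgpkeyserver_port(privoxy_t)`, which the 3.0.8-99 changelog entry in the spec does not mention; a second changelog line would keep the two in step.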
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.fc serefpolicy-3.0.8/policy/modules/services/procmail.fc
--- nsaserefpolicy/policy/modules/services/procmail.fc 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/procmail.fc 2008-04-04 16:11:03.000000000 -0400
@@ -14845,32 +14971,6 @@
-allow rlogind_t userpty_type:chr_file setattr;
+ kerberos_manage_host_rcache(rlogind_t)
')
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
---- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2008-04-04 16:11:03.000000000 -0400
-@@ -21,11 +21,13 @@
- # rpcbind local policy
- #
-
--allow rpcbind_t self:capability setuid;
-+allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
- allow rpcbind_t self:fifo_file rw_file_perms;
- allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
- allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
- allow rpcbind_t self:udp_socket create_socket_perms;
-+# BROKEN ...
-+dontaudit rpcbind_t self:udp_socket listen;
- allow rpcbind_t self:tcp_socket create_stream_socket_perms;
-
- manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
-@@ -37,6 +39,7 @@
- manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
- files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
-
-+kernel_read_system_state(rpcbind_t)
- kernel_read_network_state(rpcbind_t)
-
- corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.if serefpolicy-3.0.8/policy/modules/services/rpc.if
--- nsaserefpolicy/policy/modules/services/rpc.if 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rpc.if 2008-04-04 16:11:03.000000000 -0400
@@ -14998,6 +15098,32 @@
tunable_policy(`allow_gssd_read_tmp',`
userdom_list_unpriv_users_tmp(gssd_t)
userdom_read_unpriv_users_tmp_files(gssd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpcbind.te serefpolicy-3.0.8/policy/modules/services/rpcbind.te
+--- nsaserefpolicy/policy/modules/services/rpcbind.te 2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rpcbind.te 2008-04-04 16:11:03.000000000 -0400
+@@ -21,11 +21,13 @@
+ # rpcbind local policy
+ #
+
+-allow rpcbind_t self:capability setuid;
++allow rpcbind_t self:capability { dac_override setuid sys_tty_config };
+ allow rpcbind_t self:fifo_file rw_file_perms;
+ allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
+ allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
+ allow rpcbind_t self:udp_socket create_socket_perms;
++# BROKEN ...
++dontaudit rpcbind_t self:udp_socket listen;
+ allow rpcbind_t self:tcp_socket create_stream_socket_perms;
+
+ manage_files_pattern(rpcbind_t,rpcbind_var_run_t,rpcbind_var_run_t)
+@@ -37,6 +39,7 @@
+ manage_sock_files_pattern(rpcbind_t,rpcbind_var_lib_t,rpcbind_var_lib_t)
+ files_var_lib_filetrans(rpcbind_t,rpcbind_var_lib_t, { file dir sock_file })
+
++kernel_read_system_state(rpcbind_t)
+ kernel_read_network_state(rpcbind_t)
+
+ corenet_all_recvfrom_unlabeled(rpcbind_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rshd.te serefpolicy-3.0.8/policy/modules/services/rshd.te
--- nsaserefpolicy/policy/modules/services/rshd.te 2007-10-22 13:21:39.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/rshd.te 2008-04-04 16:11:03.000000000 -0400
@@ -17872,7 +17998,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-04-14 09:15:01.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@@ -19993,7 +20119,7 @@
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-04-10 10:49:01.000000000 -0400
@@ -34,6 +34,51 @@
#
interface(`logging_send_audit_msgs',`
@@ -20137,7 +20263,7 @@
## Write generic log files.
## </summary>
## <param name="domain">
-@@ -597,3 +677,272 @@
+@@ -597,3 +677,273 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -20388,6 +20514,7 @@
+ domtrans_pattern(audisp_t,$2,$1)
+
+ allow audisp_t $2:file getattr;
++ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
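Review bot: The added `allow $1 audisp_t:unix_stream_socket rw_socket_perms;` has no comment, and the interface it belongs to starts outside the hunk, so a reader sees a plugin domain being granted read and write on audispd's stream socket with no stated reason. A one-line why-comment, such as `# plugin exchanges audit events with audispd over the inherited stream socket — confirm`, would document the intent; if the plugin only needs to read events, a read-only permission set would be the narrower choice.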
@@ -20675,7 +20802,7 @@
+/var/run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.te serefpolicy-3.0.8/policy/modules/system/lvm.te
--- nsaserefpolicy/policy/modules/system/lvm.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/lvm.te 2008-04-08 14:25:54.000000000 -0400
@@ -44,9 +44,9 @@
# Cluster LVM daemon local policy
#
@@ -20930,7 +21057,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.0.8/policy/modules/system/modutils.te
--- nsaserefpolicy/policy/modules/system/modutils.te 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/modutils.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/modutils.te 2008-04-08 14:23:01.000000000 -0400
@@ -42,7 +42,7 @@
# insmod local policy
#
@@ -25356,58 +25483,6 @@
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-')
+gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.modular serefpolicy-3.0.8/Rules.modular
---- nsaserefpolicy/Rules.modular 2007-10-22 13:21:44.000000000 -0400
-+++ serefpolicy-3.0.8/Rules.modular 2008-04-04 16:11:04.000000000 -0400
-@@ -96,6 +96,9 @@
- @test -d $(builddir) || mkdir -p $(builddir)
- $(verbose) $(SEMOD_PKG) -o $@ -m $(base_mod) -f $(base_fc) -u $(users_extra) -s $(tmpdir)/seusers
-
-+ifneq "$(UNK_PERMS)" ""
-+$(base_mod): CHECKMODULE += -U $(UNK_PERMS)
-+endif
- $(base_mod): $(base_conf)
- @echo "Compiling $(NAME) base module"
- $(verbose) $(CHECKMODULE) $^ -o $@
-@@ -144,6 +147,7 @@
-
- $(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
- $(tmpdir)/rolemap.conf: $(rolemap)
-+ $(verbose) echo "" > $@
- $(call parse-rolemap,base,$@)
-
- $(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
-diff --exclude-from=exclude -N -u -r nsaserefpolicy/Rules.monolithic serefpolicy-3.0.8/Rules.monolithic
---- nsaserefpolicy/Rules.monolithic 2007-10-22 13:21:43.000000000 -0400
-+++ serefpolicy-3.0.8/Rules.monolithic 2008-04-04 16:11:04.000000000 -0400
-@@ -63,6 +63,9 @@
- #
- # Build a binary policy locally
- #
-+ifneq "$(UNK_PERMS)" ""
-+$(polver): CHECKPOLICY += -U $(UNK_PERMS)
-+endif
- $(polver): $(policy_conf)
- @echo "Compiling $(NAME) $(polver)"
- ifneq ($(pv),$(kv))
-@@ -76,6 +79,9 @@
- #
- # Install a binary policy
- #
-+ifneq "$(UNK_PERMS)" ""
-+$(loadpath): CHECKPOLICY += -U $(UNK_PERMS)
-+endif
- $(loadpath): $(policy_conf)
- @mkdir -p $(policypath)
- @echo "Compiling and installing $(NAME) $(loadpath)"
-@@ -127,6 +133,7 @@
- @echo "divert" >> $@
-
- $(tmpdir)/rolemap.conf: $(rolemap)
-+ $(verbose) echo "" > $@
- $(call parse-rolemap,base,$@)
-
- $(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
diff --exclude-from=exclude -N -u -r nsaserefpolicy/support/Makefile.devel serefpolicy-3.0.8/support/Makefile.devel
--- nsaserefpolicy/support/Makefile.devel 2007-10-22 13:21:44.000000000 -0400
+++ serefpolicy-3.0.8/support/Makefile.devel 2008-04-04 16:11:04.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.625
retrieving revision 1.626
diff -u -r1.625 -r1.626
--- selinux-policy.spec 6 Apr 2008 12:07:02 -0000 1.625
+++ selinux-policy.spec 15 Apr 2008 16:57:03 -0000 1.626
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 98%{?dist}
+Release: 99%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,9 @@
%endif
%changelog
+* Tue Apr 8 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-99
+- Allow privoxy to write to /etc/privoxy/default\.action
+
* Fri Apr 4 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-98
- dontaudit setfiles reading links
- allow semanage sys_resource