rpms/selinux-policy/devel modules-minimum.conf, 1.4, 1.5 modules-targeted.conf, 1.106, 1.107 policy-20080710.patch, 1.86, 1.87 selinux-policy.spec, 1.740, 1.741
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Nov 4 15:41:02 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26606
Modified Files:
modules-minimum.conf modules-targeted.conf
policy-20080710.patch selinux-policy.spec
Log Message:
* Tue Nov 3 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-14
- Additional fixes for cyphesis
- Fix certmaster file context
- Add policy for system-config-samba
Index: modules-minimum.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-minimum.conf,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- modules-minimum.conf 3 Nov 2008 22:42:53 -0000 1.4
+++ modules-minimum.conf 4 Nov 2008 15:40:31 -0000 1.5
@@ -1130,6 +1130,13 @@
samba = module
# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+# Layer: apps
# Module: screen
#
# GNU terminal multiplexer
Index: modules-targeted.conf
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/modules-targeted.conf,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -r1.106 -r1.107
--- modules-targeted.conf 3 Nov 2008 22:42:53 -0000 1.106
+++ modules-targeted.conf 4 Nov 2008 15:40:31 -0000 1.107
@@ -1130,6 +1130,13 @@
samba = module
# Layer: apps
+# Module: sambagui
+#
+# policy for system-config-samba
+#
+sambagui = module
+
+# Layer: apps
# Module: screen
#
# GNU terminal multiplexer
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080710.patch,v
retrieving revision 1.86
retrieving revision 1.87
diff -u -r1.86 -r1.87
--- policy-20080710.patch 3 Nov 2008 22:42:53 -0000 1.86
+++ policy-20080710.patch 4 Nov 2008 15:40:31 -0000 1.87
@@ -5466,6 +5466,84 @@
########################################
#
# qemu_unconfined local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.fc serefpolicy-3.5.13/policy/modules/apps/sambagui.fc
+--- nsaserefpolicy/policy/modules/apps/sambagui.fc 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.fc 2008-11-04 09:44:32.000000000 -0500
+@@ -0,0 +1,4 @@
++/usr/share/system-config-samba/system-config-samba-mechanism.py -- gen_context(system_u:object_r:sambagui_exec_t,s0)
++
++
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.if serefpolicy-3.5.13/policy/modules/apps/sambagui.if
+--- nsaserefpolicy/policy/modules/apps/sambagui.if 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.if 2008-11-04 10:25:22.000000000 -0500
+@@ -0,0 +1,2 @@
++## <summary>system-config-samba policy</summary>
++
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sambagui.te serefpolicy-3.5.13/policy/modules/apps/sambagui.te
+--- nsaserefpolicy/policy/modules/apps/sambagui.te 1969-12-31 19:00:00.000000000 -0500
++++ serefpolicy-3.5.13/policy/modules/apps/sambagui.te 2008-11-04 10:21:56.000000000 -0500
+@@ -0,0 +1,60 @@
++policy_module(sambagui,1.0.0)
++
++########################################
++#
++# Declarations
++#
++
++type sambagui_t;
++type sambagui_exec_t;
++
++dbus_system_domain(sambagui_t, sambagui_exec_t)
++
++########################################
++#
++# system-config-samba local policy
++#
++
++allow sambagui_t self:fifo_file rw_fifo_file_perms;
++
++# handling with samba conf files
++samba_append_log(sambagui_t)
++samba_manage_config(sambagui_t)
++samba_manage_var_files(sambagui_t)
++samba_initrc_domtrans(sambagui_t)
++samba_domtrans_smb(sambagui_t)
++samba_domtrans_nmb(sambagui_t)
++
++# execut apps of system-config-samba
++corecmd_exec_shell(sambagui_t)
++corecmd_exec_bin(sambagui_t)
++
++files_read_etc_files(sambagui_t)
++files_search_var_lib(sambagui_t)
++files_search_usr(sambagui_t)
++
++fs_list_inotifyfs(sambagui_t)
++
++libs_use_ld_so(sambagui_t)
++libs_use_shared_libs(sambagui_t)
++
++# reading shadow by pdbedit
++#auth_read_shadow(sambagui_t)
++
++miscfiles_read_localization(sambagui_t)
++
++# read meminfo
++kernel_read_system_state(sambagui_t)
++
++dev_dontaudit_read_urand(sambagui_t)
++nscd_dontaudit_search_pid(sambagui_t)
++
++optional_policy(`
++ consoletype_exec(sambagui_t)
++')
++
++optional_policy(`
++ polkit_dbus_chat(sambagui_t)
++')
++
++permissive sambagui_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.fc serefpolicy-3.5.13/policy/modules/apps/screen.fc
--- nsaserefpolicy/policy/modules/apps/screen.fc 2008-08-07 11:15:03.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/apps/screen.fc 2008-10-28 10:56:19.000000000 -0400
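Review bot: `permissive sambagui_t;` on the last line of the new sambagui.te leaves the whole domain unenforced, so the rules above it log denials but restrict nothing, even though `dbus_system_domain(sambagui_t, sambagui_exec_t)` makes this a D-Bus system service with shell and bin execution and manage access to Samba configuration. If this is a deliberate bring-up step, say so next to the statement, for example `# permissive until AVC denials from system-config-samba are reviewed; remove before enforcing`. In sambagui.fc the dot in `system-config-samba-mechanism.py` is unescaped, unlike `/etc/rc\.d/init\.d/certmaster` elsewhere in this patch; `system-config-samba-mechanism\.py` matches only the intended file. The comment `# execut apps of system-config-samba` has a typo, and the commented-out `#auth_read_shadow(sambagui_t)` would benefit from a line saying why it stays disabled.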
@@ -6275,8 +6353,8 @@
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2008-10-14 11:58:07.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-10-28 10:56:19.000000000 -0400
-@@ -79,6 +79,7 @@
++++ serefpolicy-3.5.13/policy/modules/kernel/corenetwork.te.in 2008-11-04 09:01:51.000000000 -0500
+@@ -79,11 +79,13 @@
network_port(auth, tcp,113,s0)
network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
type biff_port_t, port_type, reserved_port_type; dnl network_port(biff) # no defined portcon in current strict
@@ -6284,7 +6362,13 @@
network_port(clamd, tcp,3310,s0)
network_port(clockspeed, udp,4041,s0)
network_port(cluster, tcp,5149,s0, udp,5149,s0, tcp,40040,s0, tcp,50006,s0, udp,50006,s0, tcp,50007,s0, udp,50007,s0, tcp,50008,s0, udp,50008,s0)
-@@ -93,6 +94,7 @@
+ network_port(comsat, udp,512,s0)
+ network_port(cyphesis, tcp,6767,s0, tcp,6769,s0, udp,32771,s0)
++portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)
+ network_port(cvs, tcp,2401,s0, udp,2401,s0)
+ network_port(dcc, udp,6276,s0, udp,6277,s0)
+ network_port(dbskkd, tcp,1178,s0)
+@@ -93,6 +95,7 @@
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
network_port(fingerd, tcp,79,s0)
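Review bot: The added `portcon tcp 6780-6799 gen_context(system_u:object_r:cyphesis_port_t, s0)` labels twenty more TCP ports as cyphesis_port_t with no comment explaining the range, so every rule that grants bind or connect access to cyphesis_port_t now covers them as well. A comment directly above the line would make the widening reviewable, for example `# cyphesis: <what uses 6780-6799>, see <bug reference>`. It is also worth confirming that no other service packaged for this release expects ports in that range to remain generically labeled.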
@@ -6292,7 +6376,7 @@
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
network_port(gatekeeper, udp,1718,s0, udp,1719,s0, tcp,1721,s0, tcp,7000,s0)
-@@ -117,6 +119,8 @@
+@@ -117,6 +120,8 @@
network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
@@ -6301,7 +6385,7 @@
network_port(ktalkd, udp,517,s0, udp,518,s0)
network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0, tcp,3268,s0)
type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
-@@ -126,6 +130,7 @@
+@@ -126,6 +131,7 @@
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
network_port(monopd, tcp,1234,s0)
network_port(msnp, tcp,1863,s0, udp,1863,s0)
@@ -6309,7 +6393,7 @@
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
network_port(nessus, tcp,1241,s0)
-@@ -137,11 +142,13 @@
+@@ -137,11 +143,13 @@
network_port(pegasus_http, tcp,5988,s0)
network_port(pegasus_https, tcp,5989,s0)
network_port(postfix_policyd, tcp,10031,s0)
@@ -6323,7 +6407,7 @@
network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pxe, udp,4011,s0)
-@@ -159,9 +166,10 @@
+@@ -159,9 +167,10 @@
network_port(rwho, udp,513,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
@@ -6335,7 +6419,7 @@
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
type socks_port_t, port_type; dnl network_port(socks) # no defined portcon
type stunnel_port_t, port_type; dnl network_port(stunnel) # no defined portcon in current strict
-@@ -170,13 +178,16 @@
+@@ -170,13 +179,16 @@
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
@@ -12157,16 +12241,14 @@
optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/certmaster.fc serefpolicy-3.5.13/policy/modules/services/certmaster.fc
--- nsaserefpolicy/policy/modules/services/certmaster.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-10-30 14:43:22.000000000 -0400
-@@ -0,0 +1,11 @@
++++ serefpolicy-3.5.13/policy/modules/services/certmaster.fc 2008-11-04 08:52:09.000000000 -0500
+@@ -0,0 +1,9 @@
+
+/etc/rc\.d/init\.d/certmaster -- gen_context(system_u:object_r:certmaster_initrc_exec_t,s0)
+/usr/bin/certmaster -- gen_context(system_u:object_r:certmaster_exec_t,s0)
+
+/etc/certmaster(/.*)? gen_context(system_u:object_r:certmaster_etc_rw_t,s0)
+
-+/etc/pki/certmaster(/.*)? gen_context(system_u:object_r:certmaster_cert_t,s0)
-+
+/var/run/certmaster.* gen_context(system_u:object_r:certmaster_var_run_t,s0)
+
+/var/log/certmaster(/.*)? gen_context(system_u:object_r:certmaster_var_log_t,s0)
@@ -12641,7 +12723,7 @@
+/var/log/ConsoleKit(/.*)? gen_context(system_u:object_r:consolekit_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/consolekit.if serefpolicy-3.5.13/policy/modules/services/consolekit.if
--- nsaserefpolicy/policy/modules/services/consolekit.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/consolekit.if 2008-11-04 09:40:18.000000000 -0500
@@ -38,3 +38,24 @@
allow $1 consolekit_t:dbus send_msg;
allow consolekit_t $1:dbus send_msg;
@@ -14081,6 +14163,16 @@
manage_files_pattern(httpd_cvs_script_t, cvs_tmp_t, cvs_tmp_t)
+ files_tmp_filetrans(httpd_cvs_script_t, cvs_tmp_t, { file dir })
')
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cyphesis.fc serefpolicy-3.5.13/policy/modules/services/cyphesis.fc
+--- nsaserefpolicy/policy/modules/services/cyphesis.fc 2008-09-03 11:05:02.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/cyphesis.fc 2008-11-04 09:54:55.000000000 -0500
+@@ -1 +1,6 @@
+ /usr/bin/cyphesis -- gen_context(system_u:object_r:cyphesis_exec_t,s0)
++
++/var/log/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_log_t,s0)
++
++/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_run_t,s0)
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.fc serefpolicy-3.5.13/policy/modules/services/dbus.fc
--- nsaserefpolicy/policy/modules/services/dbus.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.13/policy/modules/services/dbus.fc 2008-10-28 10:56:19.000000000 -0400
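Review bot: The new `/var/run/cyphesis(/.*)?` entry uses `cyphesis_run_t`, which departs from the `_var_run_t` naming this patch uses for `certmaster_var_run_t`, and the hunks shown here include no cyphesis.te change declaring `cyphesis_log_t` or `cyphesis_run_t`. If the type declared in cyphesis.te has a different name, the build fails or the directory ends up with an unintended label, so both names should be checked against the declarations. If the usual convention applies, the line would read `/var/run/cyphesis(/.*)? gen_context(system_u:object_r:cyphesis_var_run_t,s0)`.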
@@ -18567,8 +18659,8 @@
+/var/lib/PolicyKit-public(/.*)? gen_context(system_u:object_r:polkit_var_lib_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.if serefpolicy-3.5.13/policy/modules/services/polkit.if
--- nsaserefpolicy/policy/modules/services/polkit.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-10-28 10:56:19.000000000 -0400
-@@ -0,0 +1,213 @@
++++ serefpolicy-3.5.13/policy/modules/services/polkit.if 2008-11-04 09:56:57.000000000 -0500
+@@ -0,0 +1,233 @@
+
+## <summary>policy for polkit_auth</summary>
+
@@ -18782,9 +18874,29 @@
+ polkit_read_lib($2)
+')
+
++########################################
++## <summary>
++## Send and receive messages from
++## polkit over dbus.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`polkit_dbus_chat',`
++ gen_require(`
++ type polkit_t;
++ class dbus send_msg;
++ ')
++
++ allow $1 polkit_t:dbus send_msg;
++ allow polkit_t $1:dbus send_msg;
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/polkit.te serefpolicy-3.5.13/policy/modules/services/polkit.te
--- nsaserefpolicy/policy/modules/services/polkit.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-10-28 10:56:19.000000000 -0400
++++ serefpolicy-3.5.13/policy/modules/services/polkit.te 2008-11-04 09:58:08.000000000 -0500
@@ -0,0 +1,231 @@
+policy_module(polkit_auth, 1.0.0)
+
@@ -21515,11 +21627,19 @@
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.5.13/policy/modules/services/samba.if
--- nsaserefpolicy/policy/modules/services/samba.if 2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-10-28 10:56:19.000000000 -0400
-@@ -52,6 +52,25 @@
- ## </summary>
- ## </param>
- #
++++ serefpolicy-3.5.13/policy/modules/services/samba.if 2008-11-04 10:21:25.000000000 -0500
+@@ -44,6 +44,44 @@
+
+ ########################################
+ ## <summary>
++## Execute smbd net in the smbd_t domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
+interface(`samba_domtrans_smb',`
+ gen_require(`
+ type smbd_t, smbd_exec_t;
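Review bot: The summary added for samba_domtrans_smb reads `Execute smbd net in the smbd_t domain.`, where `net` looks like a leftover from the samba_net text it was copied from; the next hunk has the same slip in `Execute nmbd net in the nmbd_t domain.` for samba_domtrans_nmb. These interfaces give callers a transition into the Samba daemon domains, so the summaries should name exactly what is executed: `## Execute smbd in the smbd_t domain.` and `## Execute nmbd in the nmbd_t domain.`. The body of samba_domtrans_smb continues past the end of this hunk.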
@@ -21531,7 +21651,7 @@
+
+########################################
+## <summary>
-+## Execute samba net in the samba_net domain.
++## Execute nmbd net in the nmbd_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
@@ -21539,10 +21659,21 @@
+## </summary>
+## </param>
+#
- interface(`samba_domtrans_net',`
- gen_require(`
- type samba_net_t, samba_net_exec_t;
-@@ -63,6 +82,25 @@
++interface(`samba_domtrans_nmb',`
++ gen_require(`
++ type nmbd_t, nmbd_exec_t;
++ ')
++
++ corecmd_search_bin($1)
++ domtrans_pattern($1, nmbd_exec_t, nmbd_t)
++')
++
++########################################
++## <summary>
+ ## Execute samba net in the samba_net domain.
+ ## </summary>
+ ## <param name="domain">
+@@ -63,6 +101,25 @@
########################################
## <summary>
@@ -21568,7 +21699,7 @@
## Execute samba net in the samba_net domain, and
## allow the specified role the samba_net domain.
## </summary>
-@@ -95,6 +133,38 @@
+@@ -95,6 +152,38 @@
########################################
## <summary>
@@ -21607,7 +21738,36 @@
## Execute smbmount in the smbmount domain.
## </summary>
## <param name="domain">
-@@ -331,6 +401,25 @@
+@@ -188,6 +277,28 @@
+
+ ########################################
+ ## <summary>
++## Allow the specified domain to read
++## and write samba configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`samba_manage_config',`
++ gen_require(`
++ type samba_etc_t;
++ ')
++
++ files_search_etc($1)
++ manage_dirs_pattern($1, samba_etc_t, samba_etc_t)
++ manage_files_pattern($1, samba_etc_t, samba_etc_t)
++')
++
++########################################
++## <summary>
+ ## Allow the specified domain to read samba's log files.
+ ## </summary>
+ ## <param name="domain">
+@@ -331,6 +442,25 @@
########################################
## <summary>
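Review bot: The summary for the new samba_manage_config says the caller may `read and write samba configuration files`, but the body applies `manage_dirs_pattern` and `manage_files_pattern` to samba_etc_t, which in reference policy also cover creating, renaming and deleting. Anyone auditing callers from the summary alone would underestimate the grant. Suggested wording: `## Allow the specified domain to create, read, write and delete samba configuration files and directories.`.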
@@ -21633,7 +21793,7 @@
## Allow the specified domain to
## read and write samba /var files.
## </summary>
-@@ -348,6 +437,7 @@
+@@ -348,6 +478,7 @@
files_search_var($1)
files_search_var_lib($1)
manage_files_pattern($1, samba_var_t, samba_var_t)
@@ -21641,7 +21801,7 @@
')
########################################
-@@ -420,6 +510,7 @@
+@@ -420,6 +551,7 @@
')
domtrans_pattern($1, winbind_helper_exec_t, winbind_helper_t)
@@ -21649,7 +21809,7 @@
')
########################################
-@@ -503,3 +594,190 @@
+@@ -503,3 +635,208 @@
stream_connect_pattern($1, winbind_tmp_t, winbind_tmp_t, winbind_t)
')
')
@@ -21756,6 +21916,24 @@
+
+########################################
+## <summary>
++## Execute samba server in the samba domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`samba_initrc_domtrans',`
++ gen_require(`
++ type samba_initrc_exec_t;
++ ')
++
++ init_labeled_script_domtrans($1, samba_initrc_exec_t)
++')
++
++########################################
++## <summary>
+## All of the rules required to administrate
+## an samba environment
+## </summary>
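Review bot: The summary `Execute samba server in the samba domain.` on the new samba_initrc_domtrans does not match its body, which calls `init_labeled_script_domtrans($1, samba_initrc_exec_t)` and therefore runs the Samba init script rather than a daemon binary. A more accurate summary would be `## Execute the samba init script in the init script domain.`. That wording also makes it visible at the call site that a caller such as sambagui_t gains the ability to start and stop the service.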
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.740
retrieving revision 1.741
diff -u -r1.740 -r1.741
--- selinux-policy.spec 3 Nov 2008 20:42:38 -0000 1.740
+++ selinux-policy.spec 4 Nov 2008 15:40:31 -0000 1.741
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.5.13
-Release: 13%{?dist}
+Release: 14%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -457,6 +457,11 @@
%endif
%changelog
+* Tue Nov 3 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-14
+- Additional fixes for cyphesis
+- Fix certmaster file context
+- Add policy for system-config-samba
+
* Mon Nov 3 2008 Dan Walsh <dwalsh at redhat.com> 3.5.13-13
- Allow dhcpc to restart ypbind
- Fixup labeling in /var/run