rpms/selinux-policy/F-9 policy-20071130.patch, 1.223, 1.224 selinux-policy.spec, 1.716, 1.717
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 9 02:28:55 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27649
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Mon Oct 6 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-100
- Allow rsync to fownee and fsetid
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.223
retrieving revision 1.224
diff -u -r1.223 -r1.224
--- policy-20071130.patch 6 Oct 2008 14:32:42 -0000 1.223
+++ policy-20071130.patch 9 Oct 2008 02:28:50 -0000 1.224
@@ -2083,7 +2083,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.3.1/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-10-03 11:04:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/kismet.te 2008-10-06 12:38:15.000000000 -0400
@@ -0,0 +1,66 @@
+
+policy_module(kismet, 1.0.2)
@@ -2112,7 +2112,7 @@
+# kismet local policy
+#
+
-+allow kismet_t self:capability { net_admin net_raw setuid setgid };
++allow kismet_t self:capability { kill net_admin net_raw setuid setgid };
+allow kismet_t self:fifo_file rw_file_perms;
+allow kismet_t self:packet_socket create_socket_perms;
+allow kismet_t self:unix_dgram_socket { create_socket_perms sendto };
@@ -9234,7 +9234,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.3.1/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-10-03 11:04:46.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/filesystem.te 2008-10-06 14:17:48.000000000 -0400
@@ -21,10 +21,11 @@
# Use xattrs for the following filesystem types.
@@ -9260,7 +9260,7 @@
type eventpollfs_t;
fs_type(eventpollfs_t)
# change to task SID 20060628
-@@ -135,6 +141,11 @@
+@@ -135,6 +141,12 @@
genfscon squash / gen_context(system_u:object_r:squash_t,s0)
files_mountpoint(squash_t)
@@ -9268,11 +9268,12 @@
+fs_noxattr_type(vmblock_t)
+files_mountpoint(vmblock_t)
+genfscon vmblock / gen_context(system_u:object_r:vmblock_t,s0)
++genfscon vboxsf / gen_context(system_u:object_r:vmblock_t,s0)
+
type vxfs_t;
fs_noxattr_type(vxfs_t)
files_mountpoint(vxfs_t)
-@@ -199,6 +210,7 @@
+@@ -199,6 +211,7 @@
allow fusefs_t fs_t:filesystem associate;
genfscon fuse / gen_context(system_u:object_r:fusefs_t,s0)
genfscon fuseblk / gen_context(system_u:object_r:fusefs_t,s0)
@@ -9280,7 +9281,7 @@
#
# iso9660_t is the type for CD filesystems
-@@ -231,6 +243,10 @@
+@@ -231,6 +244,10 @@
genfscon hfs / gen_context(system_u:object_r:nfs_t,s0)
genfscon hfsplus / gen_context(system_u:object_r:nfs_t,s0)
genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0)
@@ -20557,7 +20558,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.3.1/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-10-03 11:25:31.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/networkmanager.te 2008-10-08 18:10:42.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.9.0)
@@ -20741,12 +20742,17 @@
')
optional_policy(`
-@@ -152,25 +207,54 @@
+@@ -152,25 +207,60 @@
')
optional_policy(`
-- ppp_domtrans(NetworkManager_t)
++ polkit_domtrans_auth(NetworkManager_t)
++ polkit_read_lib(NetworkManager_t)
++')
++
++optional_policy(`
+ ppp_script_domtrans(NetworkManager_t)
+ ppp_domtrans(NetworkManager_t)
ppp_read_pid_files(NetworkManager_t)
+ ppp_sigkill(NetworkManager_t)
ppp_signal(NetworkManager_t)
@@ -23733,7 +23739,7 @@
/etc/ppp/peers(/.*)? gen_context(system_u:object_r:pppd_etc_rw_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.if serefpolicy-3.3.1/policy/modules/services/ppp.if
--- nsaserefpolicy/policy/modules/services/ppp.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/ppp.if 2008-10-03 11:04:47.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ppp.if 2008-10-06 12:41:41.000000000 -0400
@@ -39,6 +39,25 @@
########################################
@@ -23896,7 +23902,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ppp.te serefpolicy-3.3.1/policy/modules/services/ppp.te
--- nsaserefpolicy/policy/modules/services/ppp.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-10-03 11:04:47.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/ppp.te 2008-10-08 17:31:06.000000000 -0400
@@ -71,7 +71,7 @@
# PPPD Local policy
#
@@ -23940,16 +23946,58 @@
')
optional_policy(`
-@@ -217,7 +222,7 @@
+@@ -215,14 +220,16 @@
+ # PPTP Local policy
+ #
- allow pptp_t self:capability net_raw;
+-allow pptp_t self:capability net_raw;
++allow pptp_t self:capability { net_raw net_admin };
dontaudit pptp_t self:capability sys_tty_config;
-allow pptp_t self:process signal;
+-allow pptp_t self:fifo_file { read write };
+allow pptp_t self:process signal;
- allow pptp_t self:fifo_file { read write };
++allow pptp_t self:fifo_file rw_fifo_file_perms;
allow pptp_t self:unix_dgram_socket create_socket_perms;
allow pptp_t self:unix_stream_socket { connectto create_stream_socket_perms };
-@@ -287,6 +292,14 @@
+ allow pptp_t self:rawip_socket create_socket_perms;
+ allow pptp_t self:tcp_socket create_socket_perms;
++allow pptp_t self:udp_socket create_socket_perms;
++allow pptp_t self:netlink_route_socket rw_netlink_socket_perms;
+
+ allow pptp_t pppd_etc_t:dir { getattr read search };
+ allow pptp_t pppd_etc_t:file { read getattr };
+@@ -246,9 +253,13 @@
+ kernel_list_proc(pptp_t)
+ kernel_read_kernel_sysctls(pptp_t)
+ kernel_read_proc_symlinks(pptp_t)
++kernel_read_system_state(pptp_t)
+
+ dev_read_sysfs(pptp_t)
+
++corecmd_exec_shell(pptp_t)
++corecmd_read_bin_symlinks(pptp_t)
++
+ corenet_all_recvfrom_unlabeled(pptp_t)
+ corenet_all_recvfrom_netlabel(pptp_t)
+ corenet_tcp_sendrecv_all_if(pptp_t)
+@@ -264,6 +275,8 @@
+ fs_getattr_all_fs(pptp_t)
+ fs_search_auto_mountpoints(pptp_t)
+
++files_read_etc_files(pptp_t)
++
+ term_ioctl_generic_ptys(pptp_t)
+ term_search_ptys(pptp_t)
+ term_use_ptmx(pptp_t)
+@@ -278,6 +291,7 @@
+ miscfiles_read_localization(pptp_t)
+
+ sysnet_read_config(pptp_t)
++sysnet_exec_ifconfig(pppd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(pptp_t)
+ userdom_dontaudit_search_sysadm_home_dirs(pptp_t)
+@@ -287,6 +301,14 @@
')
optional_policy(`
@@ -25914,7 +25962,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.3.1/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/rsync.te 2008-10-03 11:04:47.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/rsync.te 2008-10-06 12:50:25.000000000 -0400
@@ -31,6 +31,9 @@
type rsync_data_t;
files_type(rsync_data_t)
@@ -25930,7 +25978,7 @@
#
-allow rsync_t self:capability sys_chroot;
-+allow rsync_t self:capability { chown dac_read_search dac_override setuid setgid sys_chroot };
++allow rsync_t self:capability { chown dac_read_search dac_override fowner fsetid setuid setgid sys_chroot };
allow rsync_t self:process signal_perms;
allow rsync_t self:fifo_file rw_fifo_file_perms;
allow rsync_t self:tcp_socket create_stream_socket_perms;
@@ -26430,8 +26478,22 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.3.1/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-03 11:04:47.000000000 -0400
-@@ -59,6 +59,13 @@
++++ serefpolicy-3.3.1/policy/modules/services/samba.te 2008-10-08 17:01:58.000000000 -0400
+@@ -17,6 +17,13 @@
+
+ ## <desc>
+ ## <p>
++## Allow samba to create new home directories (e.g. via PAM)
++## </p>
++## </desc>
++gen_tunable(samba_create_home_dirs, false)
++
++## <desc>
++## <p>
+ ## Allow samba to act as the domain controller, add users,
+ ## groups and change passwords.
+ ##
+@@ -59,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs,false)
@@ -26445,7 +26507,7 @@
type nmbd_t;
type nmbd_exec_t;
init_daemon_domain(nmbd_t,nmbd_exec_t)
-@@ -73,11 +80,9 @@
+@@ -73,11 +87,9 @@
logging_log_file(samba_log_t)
type samba_net_t;
@@ -26459,7 +26521,7 @@
type samba_net_tmp_t;
files_tmp_file(samba_net_tmp_t)
-@@ -139,6 +144,14 @@
+@@ -139,11 +151,21 @@
type winbind_var_run_t;
files_pid_file(winbind_var_run_t)
@@ -26474,7 +26536,36 @@
########################################
#
# Samba net local policy
-@@ -193,7 +206,10 @@
+ #
+
++allow samba_net_t self:capability { dac_read_search dac_override };
++allow samba_net_t self:process getsched;
+ allow samba_net_t self:unix_dgram_socket create_socket_perms;
+ allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
+ allow samba_net_t self:udp_socket create_socket_perms;
+@@ -158,11 +180,12 @@
+ manage_files_pattern(samba_net_t,samba_net_tmp_t,samba_net_tmp_t)
+ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
+
+-allow samba_net_t samba_var_t:dir rw_dir_perms;
++manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
+ manage_files_pattern(samba_net_t,samba_var_t,samba_var_t)
+ manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
+
+ kernel_read_proc_symlinks(samba_net_t)
++kernel_read_system_state(samba_net_t)
+
+ corenet_all_recvfrom_unlabeled(samba_net_t)
+ corenet_all_recvfrom_netlabel(samba_net_t)
+@@ -183,6 +206,7 @@
+ domain_use_interactive_fds(samba_net_t)
+
+ files_read_etc_files(samba_net_t)
++files_read_usr_symlinks(samba_net_t)
+
+ auth_use_nsswitch(samba_net_t)
+
+@@ -193,7 +217,10 @@
miscfiles_read_localization(samba_net_t)
@@ -26485,7 +26576,7 @@
optional_policy(`
kerberos_use(samba_net_t)
-@@ -203,7 +219,7 @@
+@@ -203,7 +230,7 @@
#
# smbd Local policy
#
@@ -26494,7 +26585,7 @@
dontaudit smbd_t self:capability sys_tty_config;
allow smbd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow smbd_t self:process setrlimit;
-@@ -213,7 +229,7 @@
+@@ -213,7 +240,7 @@
allow smbd_t self:msgq create_msgq_perms;
allow smbd_t self:sem create_sem_perms;
allow smbd_t self:shm create_shm_perms;
@@ -26503,7 +26594,7 @@
allow smbd_t self:tcp_socket create_stream_socket_perms;
allow smbd_t self:udp_socket create_socket_perms;
allow smbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -221,10 +237,8 @@
+@@ -221,10 +248,8 @@
allow smbd_t samba_etc_t:file { rw_file_perms setattr };
@@ -26515,7 +26606,7 @@
allow smbd_t samba_net_tmp_t:file getattr;
-@@ -234,6 +248,7 @@
+@@ -234,6 +259,7 @@
manage_dirs_pattern(smbd_t,samba_share_t,samba_share_t)
manage_files_pattern(smbd_t,samba_share_t,samba_share_t)
manage_lnk_files_pattern(smbd_t,samba_share_t,samba_share_t)
@@ -26523,7 +26614,7 @@
manage_dirs_pattern(smbd_t,samba_var_t,samba_var_t)
manage_files_pattern(smbd_t,samba_var_t,samba_var_t)
-@@ -251,7 +266,7 @@
+@@ -251,7 +277,7 @@
manage_sock_files_pattern(smbd_t,smbd_var_run_t,smbd_var_run_t)
files_pid_filetrans(smbd_t,smbd_var_run_t,file)
@@ -26532,7 +26623,7 @@
kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
-@@ -320,6 +335,8 @@
+@@ -320,6 +346,8 @@
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
@@ -26541,7 +26632,7 @@
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
-@@ -340,6 +357,25 @@
+@@ -340,6 +368,25 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -26567,7 +26658,20 @@
')
optional_policy(`
-@@ -391,7 +427,7 @@
+@@ -363,6 +410,12 @@
+ udev_read_db(smbd_t)
+ ')
+
++tunable_policy(`samba_create_home_dirs',`
++ allow smbd_t self:capability chown;
++ unprivuser_create_home_dir(smbd_t)
++ unprivuser_home_filetrans_home_dir(smbd_t)
++')
++
+ tunable_policy(`samba_export_all_ro',`
+ fs_read_noxattr_fs_files(smbd_t)
+ auth_read_all_files_except_shadow(smbd_t)
+@@ -391,7 +444,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -26576,7 +26680,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -403,8 +439,7 @@
+@@ -403,8 +456,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -26586,7 +26690,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -439,6 +474,7 @@
+@@ -439,6 +491,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -26594,7 +26698,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -522,6 +558,7 @@
+@@ -522,6 +575,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -26602,7 +26706,7 @@
corecmd_list_bin(smbmount_t)
-@@ -533,41 +570,50 @@
+@@ -533,41 +587,50 @@
auth_use_nsswitch(smbmount_t)
@@ -26663,7 +26767,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -577,7 +623,9 @@
+@@ -577,7 +640,9 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -26674,7 +26778,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -602,10 +650,12 @@
+@@ -602,10 +667,12 @@
dev_read_urand(swat_t)
@@ -26687,7 +26791,7 @@
auth_domtrans_chk_passwd(swat_t)
auth_use_nsswitch(swat_t)
-@@ -614,6 +664,7 @@
+@@ -614,6 +681,7 @@
libs_use_shared_libs(swat_t)
logging_send_syslog_msg(swat_t)
@@ -26695,7 +26799,7 @@
logging_search_logs(swat_t)
miscfiles_read_localization(swat_t)
-@@ -631,6 +682,17 @@
+@@ -631,6 +699,17 @@
kerberos_use(swat_t)
')
@@ -26713,7 +26817,14 @@
########################################
#
# Winbind local policy
-@@ -679,6 +741,8 @@
+@@ -673,12 +752,15 @@
+
+ manage_dirs_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
+ manage_files_pattern(winbind_t,winbind_tmp_t,winbind_tmp_t)
++manage_sock_files_pattern(winbind_t, winbind_tmp_t, winbind_tmp_t)
+ files_tmp_filetrans(winbind_t, winbind_tmp_t, { file dir })
+
+ manage_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -26722,7 +26833,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -764,8 +828,13 @@
+@@ -764,8 +846,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@@ -26736,35 +26847,52 @@
')
########################################
-@@ -774,6 +843,14 @@
+@@ -774,19 +861,64 @@
#
optional_policy(`
+- type samba_unconfined_script_t;
+- type samba_unconfined_script_exec_t;
+- domain_type(samba_unconfined_script_t)
+- domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
+- corecmd_shell_entry_type(samba_unconfined_script_t)
+- role system_r types samba_unconfined_script_t;
+-
+- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
+- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
+-
+- unconfined_domain(samba_unconfined_script_t)
+-
+- tunable_policy(`samba_run_unconfined',`
+- domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+- ')
+ type samba_unconfined_net_t;
+ domain_type(samba_unconfined_net_t)
-+ unconfined_domain(samba_unconfined_net_t)
+ role system_r types samba_unconfined_net_t;
+
++ unconfined_domain(samba_unconfined_net_t)
++
+ manage_files_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t)
+ filetrans_pattern(samba_unconfined_net_t,samba_etc_t,samba_secrets_t,file)
+ ')
+
- type samba_unconfined_script_t;
- type samba_unconfined_script_exec_t;
- domain_type(samba_unconfined_script_t)
-@@ -784,9 +861,49 @@
- allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
- allow smbd_t samba_unconfined_script_exec_t:file ioctl;
-
-- unconfined_domain(samba_unconfined_script_t)
++type samba_unconfined_script_t;
++type samba_unconfined_script_exec_t;
++domain_type(samba_unconfined_script_t)
++domain_entry_file(samba_unconfined_script_t,samba_unconfined_script_exec_t)
++corecmd_shell_entry_type(samba_unconfined_script_t)
++role system_r types samba_unconfined_script_t;
+
-+ optional_policy(`
-+ unconfined_domain(samba_unconfined_script_t)
-+ ')
-
- tunable_policy(`samba_run_unconfined',`
- domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
- ')
- ')
++allow smbd_t samba_unconfined_script_exec_t:dir search_dir_perms;
++allow smbd_t samba_unconfined_script_exec_t:file ioctl;
++
++optional_policy(` unconfined_domain(samba_unconfined_script_t) ')
++
++tunable_policy(`samba_run_unconfined',`
++ domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
++', `
++ can_exec(smbd_t, samba_unconfined_script_exec_t)
++')
+
+########################################
+#
@@ -26799,9 +26927,6 @@
+allow winbind_t smbcontrol_t:process signal;
+
+allow smbcontrol_t nmbd_var_run_t:file { read lock };
-+
-+
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.fc serefpolicy-3.3.1/policy/modules/services/sasl.fc
--- nsaserefpolicy/policy/modules/services/sasl.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/sasl.fc 2008-10-03 11:04:47.000000000 -0400
@@ -29998,7 +30123,7 @@
/var/lib/pam_devperm/:0 -- gen_context(system_u:object_r:xdm_var_lib_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.3.1/policy/modules/services/xserver.if
--- nsaserefpolicy/policy/modules/services/xserver.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-10-03 11:04:47.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/xserver.if 2008-10-06 12:31:56.000000000 -0400
@@ -12,9 +12,15 @@
## </summary>
## </param>
@@ -30305,16 +30430,16 @@
optional_policy(`
- userhelper_search_config($1_xserver_t)
-+ userhelper_search_config(xdm_xserver_t)
- ')
-
+- ')
+-
- ifdef(`TODO',`
- ifdef(`xdm.te', `
- allow $1_t xdm_tmp_t:sock_file unlink;
- allow $1_xserver_t xdm_var_run_t:dir search;
-- ')
++ userhelper_search_config(xdm_xserver_t)
+ ')
- ') dnl end TODO
--
+
##############################
#
- # $1_xauth_t Local policy
@@ -30330,10 +30455,10 @@
- manage_dirs_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- manage_files_pattern($1_xauth_t,$1_xauth_tmp_t,$1_xauth_tmp_t)
- files_tmp_filetrans($1_xauth_t, $1_xauth_tmp_t, { file dir })
+-
+- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
-- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
--
- allow $2 $1_xauth_t:process signal;
+ allow $2 xauth_t:process signal;
@@ -30356,10 +30481,10 @@
-
- # cjp: why?
- term_use_ptmx($1_xauth_t)
+-
+- auth_use_nsswitch($1_xauth_t)
+ ps_process_pattern($2,xauth_t)
-- auth_use_nsswitch($1_xauth_t)
--
- libs_use_ld_so($1_xauth_t)
- libs_use_shared_libs($1_xauth_t)
-
@@ -30466,7 +30591,7 @@
# for when /tmp/.X11-unix is created by the system
allow $2 xdm_t:fd use;
-@@ -542,26 +544,535 @@
+@@ -542,25 +544,533 @@
allow $2 xdm_tmp_t:sock_file { read write };
dontaudit $2 xdm_t:tcp_socket { read write };
@@ -30916,7 +31041,7 @@
+ allow x_server_domain $3:x_drawable send;
+
+ allow $3 xdm_t:x_client destroy;
-+ allow $3 xdm_t:x_drawable { get_property receive getattr read send list_child };
++ allow $3 xdm_t:x_drawable { read get_property receive getattr read send list_child };
+ allow $3 xdm_t:x_property { write read };
+ allow $3 xdm_t:x_synthetic_event send;
+')
@@ -30950,7 +31075,7 @@
+## </summary>
+## </param>
+#
-+template(`xserver_user_x_domain_template',`
++template(`xserver_user_x_domain_template', `
+ gen_require(`
+ type xdm_t, xdm_tmp_t;
+ type user_xauth_home_t, user_iceauth_home_t, xdm_xserver_t, xdm_xserver_tmpfs_t;
@@ -31004,11 +31129,9 @@
+ allow $3 xdm_xserver_t:shm rw_shm_perms;
+ allow $3 xdm_xserver_tmpfs_t:file rw_file_perms;
')
-+
')
- ########################################
-@@ -593,26 +1104,44 @@
+@@ -593,26 +1103,44 @@
#
template(`xserver_use_user_fonts',`
gen_require(`
@@ -31060,14 +31183,15 @@
## Transition to a user Xauthority domain.
## </summary>
## <desc>
-@@ -638,10 +1167,77 @@
+@@ -638,10 +1166,77 @@
#
template(`xserver_domtrans_user_xauth',`
gen_require(`
- type $1_xauth_t, xauth_exec_t;
+ type xauth_exec_t, xauth_t;
-+ ')
-+
+ ')
+
+- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
+ domtrans_pattern($2, xauth_exec_t, xauth_t)
+')
+
@@ -31099,9 +31223,8 @@
+template(`xserver_read_user_xauth',`
+ gen_require(`
+ type user_xauth_home_t;
- ')
-
-- domtrans_pattern($2, xauth_exec_t, $1_xauth_t)
++ ')
++
+ allow $2 user_xauth_home_t:file { getattr read };
+')
+
@@ -31140,7 +31263,7 @@
')
########################################
-@@ -671,10 +1267,10 @@
+@@ -671,10 +1266,10 @@
#
template(`xserver_user_home_dir_filetrans_user_xauth',`
gen_require(`
@@ -31153,7 +31276,7 @@
')
########################################
-@@ -760,7 +1356,7 @@
+@@ -760,7 +1355,7 @@
type xconsole_device_t;
')
@@ -31162,7 +31285,7 @@
')
########################################
-@@ -860,6 +1456,25 @@
+@@ -860,6 +1455,25 @@
########################################
## <summary>
@@ -31188,7 +31311,7 @@
## Read xdm-writable configuration files.
## </summary>
## <param name="domain">
-@@ -914,6 +1529,7 @@
+@@ -914,6 +1528,7 @@
files_search_tmp($1)
allow $1 xdm_tmp_t:dir list_dir_perms;
create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -31196,7 +31319,7 @@
')
########################################
-@@ -932,7 +1548,7 @@
+@@ -932,7 +1547,7 @@
')
files_search_pids($1)
@@ -31205,7 +31328,7 @@
')
########################################
-@@ -955,6 +1571,24 @@
+@@ -955,6 +1570,24 @@
########################################
## <summary>
@@ -31230,7 +31353,7 @@
## Execute the X server in the XDM X server domain.
## </summary>
## <param name="domain">
-@@ -965,15 +1599,47 @@
+@@ -965,15 +1598,47 @@
#
interface(`xserver_domtrans_xdm_xserver',`
gen_require(`
@@ -31279,7 +31402,7 @@
## Make an X session script an entrypoint for the specified domain.
## </summary>
## <param name="domain">
-@@ -1123,7 +1789,7 @@
+@@ -1123,7 +1788,7 @@
type xdm_xserver_tmp_t;
')
@@ -31288,7 +31411,7 @@
')
########################################
-@@ -1312,3 +1978,179 @@
+@@ -1312,3 +1977,199 @@
files_search_tmp($1)
stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
')
@@ -31468,6 +31591,26 @@
+ read_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+ read_lnk_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+')
++
++########################################
++## <summary>
++## Ptrace XDM
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit
++## </summary>
++## </param>
++#
++interface(`xserver_lock_xdm',`
++ gen_require(`
++ type xdm_t;
++ ')
++
++ allow $1 xdm_t:x_client destroy;
++ allow $1 xdm_t:x_drawable { read getattr };
++')
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.3.1/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/xserver.te 2008-10-03 11:04:47.000000000 -0400
@@ -33618,8 +33761,8 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/ipsec.te serefpolicy-3.3.1/policy/modules/system/ipsec.te
--- nsaserefpolicy/policy/modules/system/ipsec.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/ipsec.te 2008-10-03 11:04:47.000000000 -0400
-@@ -55,11 +55,12 @@
++++ serefpolicy-3.3.1/policy/modules/system/ipsec.te 2008-10-08 22:22:17.000000000 -0400
+@@ -55,11 +55,13 @@
allow ipsec_t self:capability { net_admin dac_override dac_read_search };
dontaudit ipsec_t self:capability sys_tty_config;
@@ -33627,13 +33770,15 @@
+allow ipsec_t self:process { signal setsched };
allow ipsec_t self:netlink_route_socket r_netlink_socket_perms;
allow ipsec_t self:tcp_socket create_stream_socket_perms;
- allow ipsec_t self:key_socket { create write read setopt };
+-allow ipsec_t self:key_socket { create write read setopt };
++allow ipsec_t self:udp_socket create_socket_perms;
++allow ipsec_t self:key_socket create_socket_perms;
allow ipsec_t self:fifo_file { read getattr };
+allow ipsec_t self:netlink_xfrm_socket create_socket_perms;
allow ipsec_t ipsec_conf_file_t:dir list_dir_perms;
read_files_pattern(ipsec_t,ipsec_conf_file_t,ipsec_conf_file_t)
-@@ -69,8 +70,8 @@
+@@ -69,8 +71,8 @@
read_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
@@ -33972,7 +34117,7 @@
-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.3.1/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-10-03 11:04:47.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/logging.fc 2008-10-06 16:04:05.000000000 -0400
@@ -4,6 +4,8 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@@ -33992,15 +34137,21 @@
ifdef(`distro_suse', `
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
-@@ -46,7 +51,7 @@
+@@ -45,10 +50,10 @@
+ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
')
- /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+-/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
- /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
- /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+-/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
+-/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
++/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
++/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
++/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
++/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
+ /var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
+ /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
@@ -57,3 +62,8 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.716
retrieving revision 1.717
diff -u -r1.716 -r1.717
--- selinux-policy.spec 6 Oct 2008 14:32:43 -0000 1.716
+++ selinux-policy.spec 9 Oct 2008 02:28:54 -0000 1.717
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 99%{?dist}
+Release: 100%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -386,6 +386,9 @@
%endif
%changelog
+* Mon Oct 6 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-100
+- Allow rsync to fownee and fsetid
+
* Mon Oct 6 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-99
- Fix file contexts
More information about the scm-commits
mailing list