rpms/selinux-policy/F-11 policy-20090521.patch, 1.66, 1.67 selinux-policy.spec, 1.916, 1.917
Miroslav Grepl
mgrepl at fedoraproject.org
Fri Feb 19 16:24:30 UTC 2010
Author: mgrepl
Update of /cvs/pkgs/rpms/selinux-policy/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15279
Modified Files:
policy-20090521.patch selinux-policy.spec
Log Message:
- Fixes for avahi policy
policy-20090521.patch:
man/man8/nfs_selinux.8 | 6
man/man8/samba_selinux.8 | 4
policy/mcs | 12 -
policy/modules/admin/certwatch.te | 4
policy/modules/admin/dmesg.te | 3
policy/modules/admin/kismet.te | 16 +
policy/modules/admin/logrotate.te | 6
policy/modules/admin/mrtg.te | 8
policy/modules/admin/netutils.te | 2
policy/modules/admin/prelink.te | 9
policy/modules/admin/readahead.te | 2
policy/modules/admin/rpm.fc | 1
policy/modules/admin/rpm.if | 46 +++++
policy/modules/admin/rpm.te | 4
policy/modules/admin/shorewall.fc | 13 +
policy/modules/admin/shorewall.if | 166 ++++++++++++++++++
policy/modules/admin/shorewall.te | 103 +++++++++++
policy/modules/admin/sudo.if | 4
policy/modules/admin/tzdata.te | 2
policy/modules/admin/usermanage.if | 3
policy/modules/admin/usermanage.te | 3
policy/modules/admin/vpn.te | 1
policy/modules/apps/awstats.te | 2
policy/modules/apps/calamaris.te | 4
policy/modules/apps/gitosis.fc | 4
policy/modules/apps/gitosis.if | 96 ++++++++++
policy/modules/apps/gitosis.te | 43 ++++
policy/modules/apps/gnome.te | 10 +
policy/modules/apps/gpg.if | 2
policy/modules/apps/gpg.te | 1
policy/modules/apps/java.te | 2
policy/modules/apps/mozilla.if | 16 +
policy/modules/apps/mozilla.te | 14 -
policy/modules/apps/nsplugin.if | 2
policy/modules/apps/ptchown.fc | 2
policy/modules/apps/ptchown.if | 22 ++
policy/modules/apps/ptchown.te | 40 ++++
policy/modules/apps/qemu.fc | 1
policy/modules/apps/qemu.te | 8
policy/modules/apps/sandbox.if | 134 +++++++++++---
policy/modules/apps/sandbox.te | 274 +++++++++++++++++++++++++++---
policy/modules/apps/screen.if | 1
policy/modules/apps/slocate.te | 1
policy/modules/apps/vmware.fc | 1
policy/modules/apps/vmware.te | 6
policy/modules/kernel/corecommands.fc | 10 -
policy/modules/kernel/corenetwork.if.in | 18 +
policy/modules/kernel/corenetwork.te.in | 5
policy/modules/kernel/devices.fc | 3
policy/modules/kernel/devices.if | 145 +++++++++++++++
policy/modules/kernel/devices.te | 13 +
policy/modules/kernel/domain.if | 45 +---
policy/modules/kernel/domain.te | 31 +++
policy/modules/kernel/files.if | 4
policy/modules/kernel/kernel.if | 2
policy/modules/kernel/storage.fc | 1
policy/modules/kernel/storage.if | 2
policy/modules/kernel/terminal.if | 19 ++
policy/modules/roles/staff.te | 12 +
policy/modules/roles/sysadm.if | 35 +++
policy/modules/roles/sysadm.te | 4
policy/modules/roles/unconfineduser.te | 10 -
policy/modules/roles/unprivuser.te | 4
policy/modules/roles/xguest.te | 6
policy/modules/services/afs.fc | 2
policy/modules/services/afs.te | 1
policy/modules/services/apache.fc | 5
policy/modules/services/apache.if | 3
policy/modules/services/apache.te | 16 +
policy/modules/services/apm.te | 4
policy/modules/services/automount.if | 18 +
policy/modules/services/avahi.te | 3
policy/modules/services/bluetooth.te | 1
policy/modules/services/clamav.te | 6
policy/modules/services/cobbler.fc | 2
policy/modules/services/cobbler.if | 21 ++
policy/modules/services/cobbler.te | 10 +
policy/modules/services/consolekit.te | 5
policy/modules/services/cron.if | 19 --
policy/modules/services/cron.te | 2
policy/modules/services/cups.fc | 2
policy/modules/services/cups.te | 29 ++-
policy/modules/services/cyrus.te | 1
policy/modules/services/dbus.if | 28 +++
policy/modules/services/dcc.te | 8
policy/modules/services/ddclient.if | 25 ++
policy/modules/services/devicekit.te | 6
policy/modules/services/dnsmasq.te | 8
policy/modules/services/dovecot.if | 34 +--
policy/modules/services/dovecot.te | 39 +++-
policy/modules/services/exim.te | 7
policy/modules/services/fail2ban.if | 18 +
policy/modules/services/fail2ban.te | 1
policy/modules/services/fetchmail.te | 2
policy/modules/services/fprintd.te | 10 -
policy/modules/services/ftp.te | 15 +
policy/modules/services/gnomeclock.te | 1
policy/modules/services/gpsd.fc | 3
policy/modules/services/gpsd.te | 19 +-
policy/modules/services/hal.te | 15 +
policy/modules/services/hddtemp.fc | 4
policy/modules/services/hddtemp.if | 38 ++++
policy/modules/services/hddtemp.te | 40 ++++
policy/modules/services/kerberos.if | 2
policy/modules/services/kerberos.te | 12 +
policy/modules/services/lircd.te | 7
policy/modules/services/mailman.if | 1
policy/modules/services/milter.if | 2
policy/modules/services/mta.if | 1
policy/modules/services/mysql.te | 7
policy/modules/services/networkmanager.fc | 2
policy/modules/services/networkmanager.te | 3
policy/modules/services/nis.te | 3
policy/modules/services/nslcd.fc | 4
policy/modules/services/nslcd.if | 144 +++++++++++++++
policy/modules/services/nslcd.te | 50 +++++
policy/modules/services/nx.fc | 3
policy/modules/services/nx.if | 20 ++
policy/modules/services/openvpn.te | 14 +
policy/modules/services/pcscd.if | 3
policy/modules/services/pcscd.te | 3
policy/modules/services/polkit.fc | 2
policy/modules/services/polkit.if | 2
policy/modules/services/polkit.te | 3
policy/modules/services/postfix.if | 26 ++
policy/modules/services/postfix.te | 27 --
policy/modules/services/postgresql.te | 2
policy/modules/services/ppp.if | 6
policy/modules/services/ppp.te | 2
policy/modules/services/privoxy.te | 3
policy/modules/services/pyzor.fc | 2
policy/modules/services/pyzor.te | 2
policy/modules/services/radvd.te | 2
policy/modules/services/rpc.te | 15 +
policy/modules/services/rpcbind.if | 20 ++
policy/modules/services/rsync.te | 2
policy/modules/services/samba.te | 13 +
policy/modules/services/sasl.te | 6
policy/modules/services/sendmail.if | 39 ++++
policy/modules/services/sendmail.te | 8
policy/modules/services/setroubleshoot.te | 5
policy/modules/services/shorewall.fc | 12 -
policy/modules/services/shorewall.if | 166 ------------------
policy/modules/services/shorewall.te | 102 -----------
policy/modules/services/smartmon.te | 4
policy/modules/services/snmp.if | 37 ++++
policy/modules/services/snmp.te | 4
policy/modules/services/spamassassin.fc | 8
policy/modules/services/spamassassin.if | 18 +
policy/modules/services/spamassassin.te | 6
policy/modules/services/squid.te | 2
policy/modules/services/ssh.if | 23 ++
policy/modules/services/ssh.te | 14 +
policy/modules/services/sssd.fc | 7
policy/modules/services/sssd.if | 16 -
policy/modules/services/sssd.te | 41 ++--
policy/modules/services/tftp.fc | 2
policy/modules/services/uucp.te | 2
policy/modules/services/virt.fc | 1
policy/modules/services/virt.te | 30 ++-
policy/modules/services/xserver.fc | 3
policy/modules/services/xserver.if | 41 ++++
policy/modules/services/xserver.te | 18 +
policy/modules/system/authlogin.fc | 3
policy/modules/system/authlogin.if | 270 ++++++++++++++++++-----------
policy/modules/system/authlogin.te | 27 +-
policy/modules/system/hotplug.te | 4
policy/modules/system/init.fc | 2
policy/modules/system/init.if | 23 ++
policy/modules/system/init.te | 6
policy/modules/system/ipsec.te | 61 +++++-
policy/modules/system/iptables.te | 10 +
policy/modules/system/iscsi.te | 1
policy/modules/system/libraries.fc | 20 ++
policy/modules/system/locallogin.te | 6
policy/modules/system/logging.fc | 2
policy/modules/system/logging.te | 4
policy/modules/system/miscfiles.fc | 1
policy/modules/system/miscfiles.if | 18 +
policy/modules/system/mount.if | 8
policy/modules/system/mount.te | 1
policy/modules/system/sysnetwork.if | 1
policy/modules/system/sysnetwork.te | 17 +
policy/modules/system/udev.fc | 1
policy/modules/system/udev.te | 10 +
policy/modules/system/unconfined.if | 2
policy/modules/system/userdomain.fc | 1
policy/modules/system/userdomain.if | 57 +++++-
policy/modules/system/userdomain.te | 4
policy/modules/system/virtual.te | 5
policy/modules/system/xen.te | 1
191 files changed, 2841 insertions(+), 694 deletions(-)
Index: policy-20090521.patch
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-11/policy-20090521.patch,v
retrieving revision 1.66
retrieving revision 1.67
diff -u -p -r1.66 -r1.67
--- policy-20090521.patch 19 Jan 2010 12:34:09 -0000 1.66
+++ policy-20090521.patch 19 Feb 2010 16:24:29 -0000 1.67
@@ -1736,6 +1736,34 @@ diff -b -B --ignore-all-space --exclude-
/usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.if.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in
+--- nsaserefpolicy/policy/modules/kernel/corenetwork.if.in 2010-01-19 12:51:11.968607327 +0100
++++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.if.in 2010-02-15 11:55:04.801319350 +0100
+@@ -1703,6 +1703,24 @@
+ allow $1 tun_tap_device_t:chr_file rw_chr_file_perms;
+ ')
+
++#######################################
++## <summary>
++## Dontaudit read and write the TUN/TAP virtual network device.
++## </summary>
++## <param name="domain">
++## <summary>
++## The domain allowed access.
++## </summary>
++## </param>
++#
++interface(`corenet_dontaudit_rw_tun_tap_dev',`
++ gen_require(`
++ type tun_tap_device_t;
++ ')
++
++ dontaudit $1 tun_tap_device_t:chr_file { read write };
++')
++
+ ########################################
+ ## <summary>
+ ## Getattr the point-to-point device.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corenetwork.te.in serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in
--- nsaserefpolicy/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:51:11.969607384 +0100
+++ serefpolicy-3.6.12/policy/modules/kernel/corenetwork.te.in 2010-01-19 12:51:30.720620172 +0100
@@ -2527,7 +2555,7 @@ diff -b -B --ignore-all-space --exclude-
## <param name="domain">
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.6.12/policy/modules/services/avahi.te
--- nsaserefpolicy/policy/modules/services/avahi.te 2010-01-19 12:51:12.011613147 +0100
-+++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2010-01-19 12:51:30.753620389 +0100
++++ serefpolicy-3.6.12/policy/modules/services/avahi.te 2010-02-19 16:26:20.062788152 +0100
@@ -24,7 +24,7 @@
# Local policy
#
@@ -2537,6 +2565,14 @@ diff -b -B --ignore-all-space --exclude-
dontaudit avahi_t self:capability sys_tty_config;
allow avahi_t self:process { setrlimit signal_perms getcap setcap };
allow avahi_t self:fifo_file rw_fifo_file_perms;
+@@ -32,6 +32,7 @@
+ allow avahi_t self:unix_dgram_socket create_socket_perms;
+ allow avahi_t self:tcp_socket create_stream_socket_perms;
+ allow avahi_t self:udp_socket create_socket_perms;
++allow avahi_t self:packet_socket create_socket_perms;
+
+ files_search_var_lib(avahi_t)
+ manage_dirs_pattern(avahi_t, avahi_var_lib_t, avahi_var_lib_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bluetooth.te serefpolicy-3.6.12/policy/modules/services/bluetooth.te
--- nsaserefpolicy/policy/modules/services/bluetooth.te 2010-01-19 12:51:12.015607859 +0100
+++ serefpolicy-3.6.12/policy/modules/services/bluetooth.te 2010-01-19 12:51:30.754620516 +0100
@@ -5071,7 +5107,7 @@ diff -b -B --ignore-all-space --exclude-
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.te serefpolicy-3.6.12/policy/modules/services/spamassassin.te
--- nsaserefpolicy/policy/modules/services/spamassassin.te 2010-01-19 12:51:12.172608000 +0100
-+++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2010-01-19 12:51:30.870608939 +0100
++++ serefpolicy-3.6.12/policy/modules/services/spamassassin.te 2010-02-19 17:06:55.362786312 +0100
@@ -263,6 +263,7 @@
corenet_tcp_sendrecv_generic_node(spamc_t)
corenet_tcp_connect_spamd_port(spamc_t)
@@ -5088,6 +5124,17 @@ diff -b -B --ignore-all-space --exclude-
manage_dirs_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
manage_files_pattern(spamd_t, spamd_var_run_t, spamd_var_run_t)
+@@ -469,6 +471,10 @@
+ userdom_search_user_home_dirs(spamd_t)
+
+ optional_policy(`
++ dcc_domtrans_cdcc(spamd_t)
++')
++
++optional_policy(`
+ exim_manage_spool_dirs(spamd_t)
+ exim_manage_spool_files(spamd_t)
+ ')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.6.12/policy/modules/services/squid.te
--- nsaserefpolicy/policy/modules/services/squid.te 2010-01-19 12:51:12.176608090 +0100
+++ serefpolicy-3.6.12/policy/modules/services/squid.te 2010-01-19 12:51:30.871608089 +0100
@@ -6104,6 +6151,36 @@ diff -b -B --ignore-all-space --exclude-
/etc/rc\.d/init\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/etc/X11/prefdm -- gen_context(system_u:object_r:initrc_exec_t,s0)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.if serefpolicy-3.6.12/policy/modules/system/init.if
+--- nsaserefpolicy/policy/modules/system/init.if 2010-01-19 12:51:12.215617940 +0100
++++ serefpolicy-3.6.12/policy/modules/system/init.if 2010-02-19 17:14:08.890786923 +0100
+@@ -1641,3 +1641,26 @@
+ allow $1 init_t:unix_dgram_socket sendto;
+ allow init_t $1:unix_dgram_socket sendto;
+ ')
++
++#######################################
++## <summary>
++## Dontaudit read and write an leaked init scrip file descriptors
++## </summary>
++## <param name="domain">
++## <summary>
++## The type of the process performing this action.
++## </summary>
++## </param>
++#
++interface(`init_dontaudit_script_leaks',`
++ gen_require(`
++ type initrc_t;
++ ')
++
++ dontaudit $1 initrc_t:tcp_socket { read write };
++ dontaudit $1 initrc_t:unix_dgram_socket { read write };
++ dontaudit $1 initrc_t:unix_stream_socket { read write };
++ dontaudit $1 initrc_t:shm rw_shm_perms;
++ init_dontaudit_use_script_ptys($1)
++ init_dontaudit_use_script_fds($1)
++')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.12/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2010-01-19 12:51:12.218608055 +0100
+++ serefpolicy-3.6.12/policy/modules/system/init.te 2010-01-19 12:51:30.897609022 +0100
@@ -6328,8 +6405,24 @@ diff -b -B --ignore-all-space --exclude-
ipsec_setcontext_default_spd(setkey_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iptables.te serefpolicy-3.6.12/policy/modules/system/iptables.te
--- nsaserefpolicy/policy/modules/system/iptables.te 2010-01-19 12:51:12.220618087 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2010-01-19 12:51:30.899617658 +0100
-@@ -101,10 +101,18 @@
++++ serefpolicy-3.6.12/policy/modules/system/iptables.te 2010-02-19 17:01:13.929787818 +0100
+@@ -43,6 +43,7 @@
+ kernel_use_fds(iptables_t)
+
+ corenet_relabelto_all_packets(iptables_t)
++corenet_dontaudit_rw_tun_tap_dev(iptables_t)
+
+ dev_read_sysfs(iptables_t)
+
+@@ -67,6 +68,7 @@
+ # to allow rules to be saved on reboot:
+ init_rw_script_tmp_files(iptables_t)
+ init_rw_script_stream_sockets(iptables_t)
++init_dontaudit_script_leaks(iptables_t)
+
+ logging_send_syslog_msg(iptables_t)
+
+@@ -101,10 +103,18 @@
')
optional_policy(`
@@ -6461,7 +6554,7 @@ diff -b -B --ignore-all-space --exclude-
allow sulogin_t self:capability sys_tty_config;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.6.12/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2010-01-19 12:51:12.227608292 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/logging.fc 2010-01-19 12:51:30.903607202 +0100
++++ serefpolicy-3.6.12/policy/modules/system/logging.fc 2010-02-16 17:57:57.974848550 +0100
@@ -50,6 +50,7 @@
')
@@ -6470,6 +6563,14 @@ diff -b -B --ignore-all-space --exclude-
/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
')
+@@ -62,6 +63,7 @@
+ /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+ /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+
++/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+ /var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0)
+ /var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.6.12/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2010-01-19 12:51:12.230617963 +0100
+++ serefpolicy-3.6.12/policy/modules/system/logging.te 2010-01-19 12:51:30.903607202 +0100
@@ -6525,8 +6626,21 @@ diff -b -B --ignore-all-space --exclude-
## Do not audit attempts to search man pages.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-3.6.12/policy/modules/system/mount.if
--- nsaserefpolicy/policy/modules/system/mount.if 2010-01-19 12:51:12.236617958 +0100
-+++ serefpolicy-3.6.12/policy/modules/system/mount.if 2010-01-19 12:51:30.907607780 +0100
-@@ -175,7 +175,9 @@
++++ serefpolicy-3.6.12/policy/modules/system/mount.if 2010-02-15 11:50:23.579325271 +0100
+@@ -16,6 +16,12 @@
+ ')
+
+ domtrans_pattern($1,mount_exec_t,mount_t)
++
++ ifdef(`hide_broken_symptoms', `
++ dontaudit mount_t $1:unix_stream_socket { read write };
++ dontaudit mount_t $1:tcp_socket { read write };
++ dontaudit mount_t $1:udp_socket { read write };
++ ')
+ ')
+
+ ########################################
+@@ -175,7 +181,9 @@
interface(`mount_signal',`
gen_require(`
type mount_t;
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/pkgs/rpms/selinux-policy/F-11/selinux-policy.spec,v
retrieving revision 1.916
retrieving revision 1.917
diff -u -p -r1.916 -r1.917
--- selinux-policy.spec 19 Jan 2010 12:34:10 -0000 1.916
+++ selinux-policy.spec 19 Feb 2010 16:24:29 -0000 1.917
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.12
-Release: 94%{?dist}
+Release: 95%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -442,6 +442,9 @@ exit 0
%endif
%changelog
+* Fri Feb 19 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-95
+- Fixes for avahi policy
+
* Tue Jan 19 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.12-94
- Allow hotplug to transition to brctl domain
- Allow sendmail to read and write to an fail2ban unix stream socket
More information about the scm-commits
mailing list