rpms/selinux-policy/F-12 users-minimum, NONE, 1.1 users-mls, NONE, 1.1 users-olpc, NONE, 1.1 users-targeted, NONE, 1.1 policy-20100106.patch, 1.5, 1.6 selinux-policy.spec, 1.994, 1.995
Miroslav Grepl
mgrepl at fedoraproject.org
Tue Jan 12 17:20:58 UTC 2010
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4556
Modified Files:
policy-20100106.patch selinux-policy.spec
Added Files:
users-minimum users-mls users-olpc users-targeted
Log Message:
- Move users file to selection by spec file.
- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
--- NEW FILE users-minimum ---
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- NEW FILE users-mls ---
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r secadm_r auditadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, sysadm_r staff_r secadm_r auditadm_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- NEW FILE users-olpc ---
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
--- NEW FILE users-targeted ---
##################################
#
# Core User configuration.
#
#
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
# There should be no corresponding Unix user identity for system,
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# user_u is a generic user identity for Linux users who have no
# SELinux user identity defined. The modified daemons will use
# this user identity in the security context if there is no matching
# SELinux user identity for a Linux user. If you do not want to
# permit any access to such users, then remove this entry.
#
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, user, staff_r system_r sysadm_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, user, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
# when login starts the user shell. Users with access to the sysadm_r
# role should use the staff_r role instead of the user_r role when
# not in the sysadm_r.
#
gen_user(root, user, unconfined_r sysadm_r staff_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
policy-20100106.patch:
modules/apps/mozilla.fc | 1
modules/apps/sandbox.if | 46 +++++++++++++++++++++++++++++++++------
modules/apps/sandbox.te | 29 ++++++++++++++----------
modules/apps/wine.if | 4 +++
modules/apps/wine.te | 14 +++++++++++
modules/kernel/devices.fc | 2 +
modules/kernel/devices.if | 18 +++++++++++++++
modules/kernel/devices.te | 6 +++++
modules/roles/unconfineduser.fc | 2 -
modules/roles/unconfineduser.te | 2 +
modules/services/abrt.te | 1
modules/services/apache.if | 3 ++
modules/services/apcupsd.te | 2 -
modules/services/cups.te | 1
modules/services/dovecot.te | 6 +++++
modules/services/fail2ban.if | 18 +++++++++++++++
modules/services/nagios.fc | 40 ++++++++++++++++++++++++++++++++-
modules/services/nagios.te | 3 ++
modules/services/openvpn.te | 1
modules/services/postfix.te | 5 +++-
modules/services/samba.te | 5 ++++
modules/services/sendmail.te | 2 +
modules/services/snmp.te | 2 -
modules/services/spamassassin.if | 18 +++++++++++++++
modules/services/ssh.te | 4 +--
modules/services/sssd.if | 19 ++++++++++++++++
modules/services/virt.te | 4 ++-
modules/services/xserver.fc | 4 +++
modules/services/xserver.te | 2 +
modules/system/init.te | 1
modules/system/iscsi.fc | 2 +
modules/system/iscsi.te | 4 +++
modules/system/libraries.fc | 6 +++++
modules/system/miscfiles.if | 19 ++++++++++++++++
modules/system/mount.te | 1
modules/system/unconfined.if | 2 +
modules/system/userdomain.fc | 1
modules/system/userdomain.if | 18 +++++++++++++++
modules/system/xen.te | 6 +++++
users | 2 -
40 files changed, 298 insertions(+), 28 deletions(-)
Index: policy-20100106.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/policy-20100106.patch,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -p -r1.5 -r1.6
--- policy-20100106.patch 11 Jan 2010 16:00:57 -0000 1.5
+++ policy-20100106.patch 12 Jan 2010 17:20:57 -0000 1.6
@@ -1,3 +1,14 @@
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.fc serefpolicy-3.6.32/policy/modules/apps/mozilla.fc
+--- nsaserefpolicy/policy/modules/apps/mozilla.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.fc 2010-01-11 18:21:26.000000000 +0100
+@@ -11,6 +11,7 @@
+ /usr/bin/netscape -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-snapshot -- gen_context(system_u:object_r:mozilla_exec_t,s0)
++/usr/bin/epiphany -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/epiphany-bin -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
+ /usr/bin/mozilla-bin-[0-9].* -- gen_context(system_u:object_r:mozilla_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2010-01-11 13:38:03.000000000 +0100
@@ -276,6 +287,30 @@ diff -b -B --ignore-all-space --exclude-
type v4l_device_t;
dev_node(v4l_device_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.fc serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc
+--- nsaserefpolicy/policy/modules/roles/unconfineduser.fc 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.fc 2010-01-12 13:41:16.000000000 +0100
+@@ -2,7 +2,7 @@
+ # e.g.:
+ # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+ # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
+-/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
++/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
+ /usr/sbin/mock -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+ /usr/sbin/sysreport -- gen_context(system_u:object_r:unconfined_notrans_exec_t,s0)
+
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
+--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2010-01-12 13:42:23.000000000 +0100
+@@ -39,6 +39,8 @@
+ type unconfined_exec_t;
+ init_system_domain(unconfined_t, unconfined_exec_t)
+ role unconfined_r types unconfined_t;
++role_transition system_r unconfined_exec_t unconfined_r;
++allow system_r unconfined_r;
+
+ domain_user_exemption_target(unconfined_t)
+ allow system_r unconfined_r;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2010-01-08 14:42:10.000000000 +0100
@@ -584,6 +619,20 @@ diff -b -B --ignore-all-space --exclude-
########################################
## <summary>
## All of the rules required to administrate
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.6.32/policy/modules/services/ssh.te
+--- nsaserefpolicy/policy/modules/services/ssh.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/services/ssh.te 2010-01-12 18:08:14.000000000 +0100
+@@ -477,8 +477,8 @@
+
+ ssh_sigchld(sftpd_t)
+
+-files_read_all_files(sftpd_t)
+-files_read_all_symlinks(sftpd_t)
++auth_read_all_files_except_shadow(sftpd_t)
++auth_read_all_symlinks_except_shadow(sftpd_t)
+
+ fs_read_noxattr_fs_files(sftpd_t)
+ fs_read_nfs_files(sftpd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sssd.if serefpolicy-3.6.32/policy/modules/services/sssd.if
--- nsaserefpolicy/policy/modules/services/sssd.if 2010-01-06 11:05:50.000000000 +0100
+++ serefpolicy-3.6.32/policy/modules/services/sssd.if 2010-01-11 13:46:50.000000000 +0100
@@ -674,6 +723,17 @@ diff -b -B --ignore-all-space --exclude-
domain_use_interactive_fds(xauth_t)
dev_rw_xserver_misc(xauth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.6.32/policy/modules/system/init.te
+--- nsaserefpolicy/policy/modules/system/init.te 2010-01-06 11:05:50.000000000 +0100
++++ serefpolicy-3.6.32/policy/modules/system/init.te 2010-01-12 13:43:28.000000000 +0100
+@@ -872,6 +872,7 @@
+
+ optional_policy(`
+ unconfined_domain(initrc_t)
++ domain_role_change_exemption(initrc_t)
+
+ ifdef(`distro_redhat',`
+ # system-config-services causes avc messages that should be dontaudited
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi.fc serefpolicy-3.6.32/policy/modules/system/iscsi.fc
--- nsaserefpolicy/policy/modules/system/iscsi.fc 2009-09-16 16:01:19.000000000 +0200
+++ serefpolicy-3.6.32/policy/modules/system/iscsi.fc 2010-01-09 20:37:29.000000000 +0100
@@ -849,3 +909,15 @@ diff -b -B --ignore-all-space --exclude-
########################################
#
# Xen store local policy
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/users serefpolicy-3.6.32/policy/users
+--- nsaserefpolicy/policy/users 2010-01-06 11:05:51.000000000 +0100
++++ serefpolicy-3.6.32/policy/users 2010-01-12 13:48:30.000000000 +0100
+@@ -15,7 +15,7 @@
+ # and a user process should never be assigned the system user
+ # identity.
+ #
+-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
++gen_user(system_u,, system_r unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+
+ #
+ # user_u is a generic user identity for Linux users who have no
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-12/selinux-policy.spec,v
retrieving revision 1.994
retrieving revision 1.995
diff -u -p -r1.994 -r1.995
--- selinux-policy.spec 11 Jan 2010 16:00:57 -0000 1.994
+++ selinux-policy.spec 12 Jan 2010 17:20:57 -0000 1.995
@@ -20,7 +20,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.32
-Release: 69%{?dist}
+Release: 70%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -46,6 +46,10 @@ Source18: setrans-minimum.conf
Source19: securetty_types-minimum
Source20: customizable_types
Source21: config.tgz
+Source22: users-mls
+Source23: users-targeted
+Source24: users-olpc
+Source25: users-minimum
Url: http://oss.tresys.com/repos/refpolicy/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -98,6 +102,7 @@ make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO
make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 conf \
cp -f $RPM_SOURCE_DIR/modules-%1.conf ./policy/modules.conf \
cp -f $RPM_SOURCE_DIR/booleans-%1.conf ./policy/booleans.conf \
+cp -f $RPM_SOURCE_DIR/users-%1 ./policy/users \
%define moduleList() %([ -f %{_sourcedir}/modules-%{1}.conf ] && \
awk '$1 !~ "/^#/" && $2 == "=" && $3 == "module" { printf "%%s.pp.bz2 ", $1 }' %{_sourcedir}/modules-%{1}.conf )
@@ -451,6 +456,10 @@ exit 0
%endif
%changelog
+* Tue Jan 12 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-70
+- Move users file to selection by spec file.
+- Allow vncserver to run as unconfined_u:unconfined_r:unconfined_t
+
* Mon Jan 11 2010 Miroslav Grepl <mgrepl at redhat.com> 3.6.32-69
- Fixes for iscsid
- Allow openvpn to bind to http port
More information about the scm-commits
mailing list