[selinux-policy: 1585/3172] patch from erich Sat, 02 Sep 2006 03:37:44 +0200
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:22:12 UTC 2010
commit 13d7cec671c7c840f8f24e24501a9b5838e3e687
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Mon Sep 4 18:22:12 2006 +0000
patch from erich Sat, 02 Sep 2006 03:37:44 +0200
Changelog | 1 +
policy/modules/admin/apt.te | 8 ++++++--
policy/modules/admin/sxid.te | 3 ++-
policy/modules/admin/usermanage.te | 3 ++-
policy/modules/kernel/devices.fc | 5 +++++
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/files.fc | 2 ++
policy/modules/kernel/files.te | 2 +-
policy/modules/services/amavis.fc | 4 ++++
policy/modules/services/amavis.te | 3 ++-
policy/modules/services/hal.te | 3 ++-
policy/modules/services/ldap.fc | 4 ++++
policy/modules/services/ldap.te | 2 +-
policy/modules/services/openvpn.te | 4 ++--
policy/modules/services/rpc.te | 3 ++-
policy/modules/services/tor.te | 7 ++++++-
policy/modules/system/fstools.fc | 2 ++
policy/modules/system/fstools.te | 10 +++++++++-
policy/modules/system/libraries.fc | 16 +++++++++++++++-
policy/modules/system/libraries.te | 2 +-
policy/modules/system/selinuxutil.fc | 4 ----
policy/modules/system/selinuxutil.te | 3 ++-
22 files changed, 72 insertions(+), 21 deletions(-)
---
diff --git a/Changelog b/Changelog
index 13813bd..89f9ae3 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Debian updates from Erich Schubert.
- Add nscd_socket_use() to auth_use_nsswitch().
- Remove old selopt rules.
- Full support for netfilter_contexts.
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 995ede0..9067dea 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt,1.0.1)
+policy_module(apt,1.0.2)
########################################
#
@@ -10,7 +10,6 @@ type apt_t;
type apt_exec_t;
init_system_domain(apt_t,apt_exec_t)
domain_system_change_exemption(apt_t)
-domain_getattr_all_domains(apt_t)
role system_r types apt_t;
type apt_tmp_t;
@@ -91,10 +90,15 @@ corenet_sendrecv_all_client_packets(apt_t)
dev_read_urand(apt_t)
+domain_getattr_all_domains(apt_t)
+domain_use_interactive_fds(apt_t)
+
files_exec_usr_files(apt_t)
files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
+fs_dontaudit_getattr_all_fs(apt_t)
+
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
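Review bot: `fs_dontaudit_getattr_all_fs(apt_t)` on the third added line silences filesystem getattr (statfs) denials on every filesystem type without saying what in apt triggers them, so a later reader cannot tell whether this is harmless noise or a real access that should have been allowed. The same unexplained dontaudit pattern appears in `auth_dontaudit_getattr_shadow(sxid_t)` in sxid.te, `corecmd_dontaudit_search_sbin(crack_t)` in usermanage.te and `term_dontaudit_use_console(tor_t)` in tor.te. A one-line comment above each in the file's existing style, e.g. `# dontaudit: <operation seen in the AVC denial, e.g. statfs on each mount>`, would record the reason and make it possible to revisit the rule if the trigger changes. Moving `domain_getattr_all_domains(apt_t)` down from the declaration block is fine as a reordering; it grants nothing new.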
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index f79f8fd..5a2f043 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -1,5 +1,5 @@
-policy_module(sxid,1.0.2)
+policy_module(sxid,1.0.3)
########################################
#
@@ -69,6 +69,7 @@ fs_list_all(sxid_t)
term_dontaudit_use_console(sxid_t)
auth_read_all_files_except_shadow(sxid_t)
+auth_dontaudit_getattr_shadow(sxid_t)
init_use_fds(sxid_t)
init_use_script_ptys(sxid_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 49ebcf1..6e3d737 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.9)
+policy_module(usermanage,1.3.10)
########################################
#
@@ -170,6 +170,7 @@ files_read_etc_runtime_files(crack_t)
files_read_usr_files(crack_t)
corecmd_exec_bin(crack_t)
+corecmd_dontaudit_search_sbin(crack_t)
libs_use_ld_so(crack_t)
libs_use_shared_libs(crack_t)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 9a25b78..1aa840b 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -98,6 +98,11 @@ ifdef(`distro_suse', `
/dev/xen/evtchn -c gen_context(system_u:object_r:xen_device_t,s0)
+ifdef(`distro_debian',`
+# used by udev init script as temporary mount point
+/lib/udev/devices -d gen_context(system_u:object_r:device_t,s0)
+')
+
ifdef(`distro_gentoo',`
# used by init scripts to initally populate udev /dev
/lib/udev/devices/null -c gen_context(system_u:object_r:null_device_t,s0)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index c5575ad..3150795 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,5 +1,5 @@
-policy_module(devices,1.1.19)
+policy_module(devices,1.1.20)
########################################
#
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index e80a186..61d1524 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -120,6 +120,7 @@ HOME_ROOT/lost\+found/.* <<none>>
#
# Mount points; do not relabel subdirectories, since
# we don't want to change any removable media by default.
+/media(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/media(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/media/[^/]*/.* <<none>>
@@ -131,6 +132,7 @@ HOME_ROOT/lost\+found/.* <<none>>
#
# /mnt
#
+/mnt(/[^/]*) -l gen_context(system_u:object_r:mnt_t,s0)
/mnt(/[^/]*)? -d gen_context(system_u:object_r:mnt_t,s0)
/mnt/[^/]*/.* <<none>>
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 9901261..d397dca 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.14)
+policy_module(files,1.2.15)
########################################
#
diff --git a/policy/modules/services/amavis.fc b/policy/modules/services/amavis.fc
index 31b1ab7..4533c2d 100644
--- a/policy/modules/services/amavis.fc
+++ b/policy/modules/services/amavis.fc
@@ -4,6 +4,10 @@
/usr/sbin/amavisd.* -- gen_context(system_u:object_r:amavis_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/sbin/amavisd-new-cronjob -- gen_context(system_u:object_r:amavis_exec_t,s0)
+')
+
/var/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/lib/amavis(/.*)? gen_context(system_u:object_r:amavis_var_lib_t,s0)
/var/log/amavisd\.log -- gen_context(system_u:object_r:amavis_var_log_t,s0)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 1908b92..e8f7662 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
-policy_module(amavis,1.0.7)
+policy_module(amavis,1.0.8)
########################################
#
@@ -143,6 +143,7 @@ logging_send_syslog_msg(amavis_t)
miscfiles_read_localization(amavis_t)
sysnet_dns_name_resolve(amavis_t)
+sysnet_use_ldap(amavis_t)
userdom_dontaudit_search_sysadm_home_dirs(amavis_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index e2adeef..bc7634e 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.3.12)
+policy_module(hal,1.3.13)
########################################
#
@@ -47,6 +47,7 @@ kernel_read_system_state(hald_t)
kernel_read_network_state(hald_t)
kernel_read_kernel_sysctls(hald_t)
kernel_read_fs_sysctls(hald_t)
+kernel_read_irq_sysctls(hald_t)
kernel_rw_vm_sysctls(hald_t)
kernel_write_proc_files(hald_t)
diff --git a/policy/modules/services/ldap.fc b/policy/modules/services/ldap.fc
index d740147..53d71e0 100644
--- a/policy/modules/services/ldap.fc
+++ b/policy/modules/services/ldap.fc
@@ -3,6 +3,10 @@
/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+ifdef(`distro_debian',`
+/usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
+')
+
/var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
/var/lib/ldap/replog(/.*)? gen_context(system_u:object_r:slapd_replog_t,s0)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index fb1482b..a0ad0bb 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.2.6)
+policy_module(ldap,1.2.7)
########################################
#
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index dcdafd6..67548c8 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn,1.0.4)
+policy_module(openvpn,1.0.5)
########################################
#
@@ -28,7 +28,7 @@ files_pid_file(openvpn_var_run_t)
# openvpn local policy
#
-allow openvpn_t self:capability { net_admin setgid setuid };
+allow openvpn_t self:capability { net_admin setgid setuid sys_tty_config };
allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto };
allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow openvpn_t self:udp_socket create_socket_perms;
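Review bot: The `sys_tty_config` capability added to the rewritten allow line covers vhangup and tty configuration ioctls, which is broader than anything a VPN daemon obviously needs, and the hunk gives no hint of which operation asked for it. If the denial only appears when the daemon detaches from its controlling terminal at startup, the usual refpolicy treatment is to silence a spurious capability probe with `dontaudit openvpn_t self:capability sys_tty_config;` rather than grant it. If it is genuinely required, a comment on the line naming the operation would justify keeping it in the allow set.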
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index b052590..318ec0a 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.2.12)
+policy_module(rpc,1.2.13)
########################################
#
@@ -44,6 +44,7 @@ allow rpcd_t rpcd_var_run_t:file manage_file_perms;
allow rpcd_t rpcd_var_run_t:dir { rw_dir_perms setattr };
files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
+kernel_read_system_state(rpcd_t)
kernel_search_network_state(rpcd_t)
# for rpc.rquotad
kernel_read_sysctl(rpcd_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index aa9c4a5..814c162 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor,1.0.3)
+policy_module(tor,1.0.4)
########################################
#
@@ -61,6 +61,8 @@ allow tor_t tor_var_run_t:sock_file manage_file_perms;
allow tor_t tor_var_run_t:dir rw_dir_perms;
files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
+kernel_read_system_state(tor_t)
+
# networking basics
corenet_non_ipsec_sendrecv(tor_t)
corenet_tcp_sendrecv_all_if(tor_t)
@@ -82,6 +84,9 @@ dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
files_read_etc_files(tor_t)
+files_read_etc_runtime_files(tor_t)
+
+term_dontaudit_use_console(tor_t)
# comm with init
init_use_fds(tor_t)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index dcd5ba6..9f64242 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -38,3 +38,5 @@
/usr/bin/syslinux -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/smartctl -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+
+/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 8d24711..0ef6d0b 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
-policy_module(fstools,1.3.3)
+policy_module(fstools,1.3.4)
########################################
#
@@ -12,6 +12,9 @@ init_system_domain(fsadm_t,fsadm_exec_t)
mls_file_read_up(fsadm_t)
role system_r types fsadm_t;
+type fsadm_log_t;
+logging_log_file(fsadm_log_t)
+
type fsadm_tmp_t;
files_tmp_file(fsadm_tmp_t)
@@ -44,6 +47,11 @@ allow fsadm_t fsadm_tmp_t:dir create_dir_perms;
allow fsadm_t fsadm_tmp_t:file create_file_perms;
files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
+# log files
+allow fsadm_t fsadm_log_t:file manage_file_perms;
+allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr };
+logging_log_filetrans(fsadm_t,fsadm_log_t,file)
+
# Enable swapping to files
allow fsadm_t swapfile_t:file { read write getattr swapon };
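Review bot: `logging_log_filetrans(fsadm_t,fsadm_log_t,file)` in the added block only relabels newly created regular files, while fstools.fc in this same patch labels `/var/log/fsck(/.*)?` as a directory tree. If fsck or its init script creates `/var/log/fsck` itself at runtime, the directory inherits the parent's log type instead of fsadm_log_t and the accompanying `allow fsadm_t fsadm_log_t:dir { rw_dir_perms setattr }` never applies to it. Passing `{ file dir }` as the class list, as the tmp rule two lines above already does for fsadm_tmp_t, and extending the dir permissions to include create would cover that case; if the directory is guaranteed to be shipped by the package, a comment saying so is enough.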
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 76cf6f7..bc9a6ac 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -1,6 +1,15 @@
#
# /emul
#
+ifdef(`distro_debian',`
+/emul/ia32-linux/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* gen_context(system_u:object_r:ld_so_t,s0)
+/emul/ia32-linux/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/emul/ia32-linux/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
+/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
+')
+
ifdef(`distro_gentoo',`
/emul/linux/x86/usr(/.*)?/lib(/.*)? gen_context(system_u:object_r:lib_t,s0)
/emul/linux/x86/usr(/.*)?/lib/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
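Review bot: The Debian `ld_so_t` entry for `/emul/ia32-linux/usr(/.*)?/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*` has no `--` file-type specifier, whereas the parallel `/emul/ia32-linux/lib(/.*)?/ld-[^/]*\.so(\.[^/]*)*` entry three lines below is restricted to regular files with `--`. As written, a symlink or directory matching the first pattern is labelled ld_so_t while the same object under `/emul/ia32-linux/lib` would fall back to the `lib_t` entry, so the two trees are labelled differently for no stated reason. Adding `--` to the first entry (or dropping it from both deliberately, with a comment) would make the Debian block self-consistent.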
@@ -42,6 +51,11 @@ ifdef(`distro_redhat',`
/lib/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/lib64/security/pam_poldi\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ifdef(`distro_debian',`
+/lib32 -l gen_context(system_u:object_r:lib_t,s0)
+/lib64 -l gen_context(system_u:object_r:lib_t,s0)
+')
+
ifdef(`distro_gentoo',`
/lib32(/.*)? gen_context(system_u:object_r:lib_t,s0)
/lib32/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:shlib_t,s0)
@@ -64,7 +78,7 @@ ifdef(`distro_gentoo',`
/opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
ifdef(`distro_gentoo',`
-# despite the extensions, they're actually libs
+# despite the extensions, they are actually libs
/opt/Acrobat[5-9]/Reader/intellinux/plug_ins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
/opt/Acrobat[5-9]/Reader/intellinux/SPPlugins/.*\.api -- gen_context(system_u:object_r:shlib_t,s0)
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 1206d2c..1aad262 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.12)
+policy_module(libraries,1.3.13)
########################################
#
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 1d5d4d2..2e6f4c7 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -41,10 +41,6 @@
/usr/sbin/semanage -- gen_context(system_u:object_r:semanage_exec_t,s0)
/usr/sbin/semodule -- gen_context(system_u:object_r:semanage_exec_t,s0)
-ifdef(`distro_debian', `
-/usr/share/selinux(/.*)? gen_context(system_u:object_r:policy_src_t,s0)
-')
-
#
# /var/run
#
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 02e30cb..8b2ede9 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.14)
+policy_module(selinuxutil,1.2.15)
ifdef(`strict_policy',`
gen_require(`
@@ -576,6 +576,7 @@ dev_read_urand(semanage_t)
domain_use_interactive_fds(semanage_t)
files_read_etc_files(semanage_t)
+files_read_etc_runtime_files(semanage_t)
files_read_usr_files(semanage_t)
files_list_pids(semanage_t)