From bd0db4f14796ef9f3f51a803cc6236361cf8e7ab Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Feb 09 2009 22:07:20 +0000
Subject: - Add setrans contains from upstream
---
diff --git a/.cvsignore b/.cvsignore
index 3d35cf9..014fd8d 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -159,3 +159,4 @@ serefpolicy-3.6.1.tgz
 serefpolicy-3.6.2.tgz
 serefpolicy-3.6.3.tgz
 serefpolicy-3.6.4.tgz
+serefpolicy-3.6.5.tgz
diff --git a/policy-20090105.patch b/policy-20090105.patch
index 7ae5851..e3a1810 100644
--- a/policy-20090105.patch
+++ b/policy-20090105.patch
@@ -284,8 +284,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment. diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.4/man/man8/nfs_selinux.8 --- nsaserefpolicy/man/man8/nfs_selinux.8 2008-08-07 11:15:14.000000000 -0400 -+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8 2009-02-03 22:57:28.000000000 -0500 -@@ -26,5 +26,5 @@ ++++ serefpolicy-3.6.4/man/man8/nfs_selinux.8 2009-02-09 10:19:24.000000000 -0500 +@@ -1,14 +1,12 @@ +-.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation" ++.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation" + .SH "NAME" + nfs_selinux \- Security Enhanced Linux Policy for NFS + .SH "DESCRIPTION" + +-Security-Enhanced Linux secures the nfs server via flexible mandatory access ++Security Enhanced Linux secures the NFS server via flexible mandatory access + control. + .SH BOOLEANS +-SELinux policy is customizable based on least access required. So by +-default SElinux policy does not allow nfs to share files. If you want to +-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean. ++SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on: + + .TP + setsebool -P nfs_export_all_ro 1 +@@ -18,7 +16,10 @@ + setsebool -P nfs_export_all_rw 1 + + .TP +-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean. ++These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. 
NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off. ++ ++.TP ++If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean: + .TP + setsebool -P use_nfs_home_dirs 1 + .TP +@@ -26,5 +27,5 @@ .SH AUTHOR This manual page was written by Dan Walsh . @@ -712,7 +742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc --- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400 -+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-05 13:41:50.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-09 15:39:27.000000000 -0500 @@ -3,6 +3,7 @@ /usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -731,7 +761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0) ifdef(`distro_redhat', ` -@@ -21,14 +23,17 @@ +@@ -21,14 +23,18 @@ /usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) @@ -745,6 +775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) - -/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0) ++/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0) +/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0) +/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0) 
@@ -8884,7 +8915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te --- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-06 16:08:00.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-09 15:59:54.000000000 -0500 @@ -19,6 +19,8 @@ # Declarations # @@ -9105,7 +9136,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_pam, false) + -+tunable_policy(`allow_httpd_mod_auth_pam',` + tunable_policy(`allow_httpd_mod_auth_pam',` +- auth_domtrans_chk_passwd(httpd_t) + auth_domtrans_chkpwd(httpd_t) +') + @@ -9116,8 +9148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +## +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false) +optional_policy(` - tunable_policy(`allow_httpd_mod_auth_pam',` -- auth_domtrans_chk_passwd(httpd_t) ++tunable_policy(`allow_httpd_mod_auth_pam',` + samba_domtrans_winbind_helper(httpd_t) ') ') @@ -9211,7 +9242,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_ssi_exec',` corecmd_shell_domtrans(httpd_t,httpd_sys_script_t) allow httpd_sys_script_t httpd_t:fd use; -@@ -459,8 +575,13 @@ +@@ -451,6 +567,10 @@ + ') + + optional_policy(` ++ cvs_read_data(httpd_t) ++') ++ ++optional_policy(` + cron_system_entry(httpd_t, httpd_exec_t) + ') + +@@ -459,8 +579,13 @@ ') optional_policy(` 
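Review bot: The rewritten winbind block in the `@@ -9116,8 +9148,7 @@` hunk gates `samba_domtrans_winbind_helper(httpd_t)` on `allow_httpd_mod_auth_pam`, while the tunable declared two lines above it is `allow_httpd_mod_auth_ntlm_winbind`, which from the visible lines is never referenced. As written the ntlm_winbind boolean is dead, and switching on PAM authentication also enables the winbind helper transition, so the two cannot be enabled independently. The fix is the one added line inside the `optional_policy` block: replace ``tunable_policy(`allow_httpd_mod_auth_pam',` `` with ``tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` ``. The `optional_policy` wrapper opens in the hunk but the apache.te section it belongs to continues outside it.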
@@ -9227,7 +9269,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -472,18 +593,13 @@ +@@ -468,22 +593,18 @@ + mailman_domtrans_cgi(httpd_t) + # should have separate types for public and private archives + mailman_search_data(httpd_t) ++ mailman_read_data_files(httpd_t) + mailman_read_archive(httpd_t) ') optional_policy(` @@ -9247,7 +9294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -493,6 +609,12 @@ +@@ -493,6 +614,12 @@ openca_kill(httpd_t) ') @@ -9260,7 +9307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` # Allow httpd to work with postgresql postgresql_stream_connect(httpd_t) -@@ -500,6 +622,7 @@ +@@ -500,6 +627,7 @@ tunable_policy(`httpd_can_network_connect_db',` postgresql_tcp_connect(httpd_t) @@ -9268,7 +9315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ') -@@ -508,6 +631,7 @@ +@@ -508,6 +636,7 @@ ') optional_policy(` @@ -9276,7 +9323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol snmp_dontaudit_read_snmp_var_lib_files(httpd_t) snmp_dontaudit_write_snmp_var_lib_files(httpd_t) ') -@@ -535,6 +659,22 @@ +@@ -535,6 +664,22 @@ userdom_use_user_terminals(httpd_helper_t) @@ -9299,7 +9346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Apache PHP script local policy -@@ -564,20 +704,25 @@ +@@ -564,20 +709,25 @@ fs_search_auto_mountpoints(httpd_php_t) @@ -9331,7 +9378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -595,23 +740,24 @@ +@@ -595,23 +745,24 @@ append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t) 
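Review bot: The added `mailman_read_data_files(httpd_t)` widens httpd_t from searching mailman data directories to reading every `mailman_data_t` file (and, with the `read_lnk_files_pattern` added to that interface in the mailman.if hunk further down, its symlinks), and the commit does not say which httpd use needs it. The context comment directly above, `# should have separate types for public and private archives`, already notes that this type mixes content of different sensitivity, so the new grant deserves a why-comment; I would add `# httpd needs read on mailman_data_t here because <reason>; the type is not split into public and private data` above the new line, with the actual reason filled in. The enclosing `optional_policy` block begins outside the hunk.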
@@ -9360,7 +9407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol files_read_etc_files(httpd_suexec_t) files_read_usr_files(httpd_suexec_t) -@@ -624,6 +770,7 @@ +@@ -624,6 +775,7 @@ logging_send_syslog_msg(httpd_suexec_t) miscfiles_read_localization(httpd_suexec_t) @@ -9368,7 +9415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_can_network_connect',` allow httpd_suexec_t self:tcp_socket create_stream_socket_perms; -@@ -641,12 +788,19 @@ +@@ -641,12 +793,19 @@ corenet_sendrecv_all_client_packets(httpd_suexec_t) ') @@ -9391,7 +9438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -672,15 +826,14 @@ +@@ -672,15 +831,14 @@ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write }; ') @@ -9410,7 +9457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow httpd_sys_script_t httpd_t:tcp_socket { read write }; dontaudit httpd_sys_script_t httpd_config_t:dir search; -@@ -699,12 +852,24 @@ +@@ -699,12 +857,24 @@ # Should we add a boolean? apache_domtrans_rotatelogs(httpd_sys_script_t) @@ -9437,7 +9484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` -@@ -712,6 +877,35 @@ +@@ -712,6 +882,35 @@ fs_read_nfs_symlinks(httpd_sys_script_t) ') @@ -9473,7 +9520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',` fs_read_cifs_files(httpd_sys_script_t) fs_read_cifs_symlinks(httpd_sys_script_t) -@@ -724,6 +918,10 @@ +@@ -724,6 +923,10 @@ optional_policy(` mysql_stream_connect(httpd_sys_script_t) mysql_rw_db_sockets(httpd_sys_script_t) 
@@ -9484,7 +9531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -735,6 +933,8 @@ +@@ -735,6 +938,8 @@ # httpd_rotatelogs local policy # @@ -9493,7 +9540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t) kernel_read_kernel_sysctls(httpd_rotatelogs_t) -@@ -754,6 +954,12 @@ +@@ -754,6 +959,12 @@ tunable_policy(`httpd_enable_cgi && httpd_unified',` allow httpd_user_script_t httpdcontent:file entrypoint; @@ -9506,7 +9553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') # allow accessing files/dirs below the users home dir -@@ -762,3 +968,66 @@ +@@ -762,3 +973,66 @@ userdom_search_user_home_dirs(httpd_suexec_t) userdom_search_user_home_dirs(httpd_user_script_t) ') 
@@ -11779,6 +11826,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t) +miscfiles_read_fonts(cups_pdf_t) + +diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.4/policy/modules/services/cvs.if +--- nsaserefpolicy/policy/modules/services/cvs.if 2008-11-11 16:13:46.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/cvs.if 2009-02-09 16:00:34.000000000 -0500 +@@ -15,7 +15,9 @@ + type cvs_data_t; + ') + +- allow $1 cvs_data_t:file { getattr read }; ++ list_dirs_pattern($1, cvs_data_t, cvs_data_t) ++ read_files_pattern($1, cvs_data_t, cvs_data_t) ++ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t) + ') + + ######################################## diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.4/policy/modules/services/cvs.te --- nsaserefpolicy/policy/modules/services/cvs.te 2009-01-19 11:06:49.000000000 -0500 +++ serefpolicy-3.6.4/policy/modules/services/cvs.te 2009-02-03 22:57:29.000000000 -0500 @@ -13170,7 +13231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.4/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/ftp.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/ftp.te 2009-02-09 09:53:23.000000000 -0500 @@ -26,7 +26,7 @@ ## ##
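Review bot: The cvs.if hunk changes the interface body from `allow $1 cvs_data_t:file { getattr read }` to `list_dirs_pattern`, `read_files_pattern` and `read_lnk_files_pattern` on `cvs_data_t`, but the interface's `##` documentation header sits above line 15 and is outside the hunk, so callers such as the new `cvs_read_data(httpd_t)` in the apache.te hunk still see a description of a file-only read. The summary should be updated to something like `Read cvs data files, list cvs data directories and read their symbolic links` so the wider grant is visible when reviewing callers. The `interface(` line of this body is also outside the hunk.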

@@ -13197,17 +13258,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) -@@ -223,6 +224,10 @@ +@@ -222,8 +223,12 @@ + userdom_manage_user_home_content_dirs(ftpd_t) userdom_manage_user_home_content_files(ftpd_t) userdom_manage_user_home_content_symlinks(ftpd_t) - userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) +- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) + + auth_read_all_dirs_except_shadow(ftpd_t) + auth_read_all_files_except_shadow(ftpd_t) + auth_read_all_symlinks_except_shadow(ftpd_t) ') ++userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file }) tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` + fs_manage_nfs_files(ftpd_t) @@ -258,7 +263,9 @@ ') @@ -14054,7 +14118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.4/policy/modules/services/mailman.if --- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/mailman.if 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/mailman.if 2009-02-09 15:34:52.000000000 -0500 @@ -31,6 +31,12 @@ allow mailman_$1_t self:tcp_socket create_stream_socket_perms; allow mailman_$1_t self:udp_socket create_socket_perms; 
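Review bot: Moving `userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })` out of the `ftp_home_dir` tunable makes the labeling rule unconditional while the `userdom_manage_user_home_content_*` permissions stay inside the boolean; that is sound, since a file type transition only chooses the label and grants no access on its own, but the only statement of the reason is the `Do transitions outside of the booleans` changelog entry in the spec file. The same move is made for `nfsd_t` in the rpc.te hunk and for `smbd_t` and `nmbd_t` in the two samba.te hunks further down. A short comment on each moved line, e.g. `# kept outside the tunable: the type_transition only sets the label, creation is still gated by the boolean above`, would stop a later maintainer from moving it back. The `tunable_policy` block this line was taken from begins outside the hunk.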
@@ -14076,7 +14140,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_exec_all_executables(mailman_$1_t) -@@ -209,6 +216,7 @@ +@@ -191,6 +198,7 @@ + ') + + read_files_pattern($1, mailman_data_t, mailman_data_t) ++ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t) + ') + + ####################################### +@@ -209,6 +217,7 @@ type mailman_data_t; ') @@ -14084,7 +14156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol manage_files_pattern($1, mailman_data_t, mailman_data_t) ') -@@ -250,6 +258,25 @@ +@@ -250,6 +259,25 @@ ####################################### ##

@@ -18916,7 +18988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.4/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-04 08:49:43.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-09 15:50:22.000000000 -0500 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -18986,7 +19058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol corecmd_search_bin(prelude_t) corenet_all_recvfrom_unlabeled(prelude_t) -@@ -56,15 +91,24 @@ +@@ -56,15 +91,25 @@ corenet_tcp_sendrecv_generic_if(prelude_t) corenet_tcp_sendrecv_generic_node(prelude_t) corenet_tcp_bind_generic_node(prelude_t) @@ -18997,6 +19069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_t) dev_read_urand(prelude_t) ++kernel_read_system_state(prelude_t) +kernel_read_sysctl(prelude_t) + # Init script handling @@ -19011,7 +19084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_use_nsswitch(prelude_t) -@@ -86,7 +130,7 @@ +@@ -86,7 +131,7 @@ # # prelude_audisp local policy # @@ -19020,7 +19093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow prelude_audisp_t self:fifo_file rw_file_perms; allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms; allow prelude_audisp_t self:unix_dgram_socket create_socket_perms; -@@ -107,6 +151,7 @@ +@@ -107,6 +152,7 @@ corenet_tcp_sendrecv_generic_if(prelude_audisp_t) corenet_tcp_sendrecv_generic_node(prelude_audisp_t) corenet_tcp_bind_generic_node(prelude_audisp_t) 
@@ -19028,7 +19101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -114,12 +159,134 @@ +@@ -114,12 +160,135 @@ # Init script handling domain_use_interactive_fds(prelude_audisp_t) @@ -19127,6 +19200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +dev_read_rand(prelude_lml_t) +dev_read_urand(prelude_lml_t) + ++kernel_read_system_state(prelude_lml_t) +kernel_read_sysctl(prelude_lml_t) + +files_list_etc(prelude_lml_t) @@ -19163,7 +19237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations -@@ -128,6 +295,20 @@ +@@ -128,6 +297,20 @@ optional_policy(` apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) @@ -20094,7 +20168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te --- nsaserefpolicy/policy/modules/services/rpc.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:05:45.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:51:37.000000000 -0500 @@ -23,7 +23,7 @@ gen_tunable(allow_nfsd_anon_write, false) @@ -20124,10 +20198,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`nfs_export_all_rw',` fs_read_noxattr_fs_files(nfsd_t) auth_manage_all_files_except_shadow(nfsd_t) -+ userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) + dev_getattr_all_blk_files(nfsd_t) + dev_getattr_all_chr_files(nfsd_t) ') ++userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir }) tunable_policy(`nfs_export_all_ro',` fs_read_noxattr_fs_files(nfsd_t) 
@@ -20172,7 +20246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_write_login_records(rshd_t) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.4/policy/modules/services/rsync.te --- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/rsync.te 2009-02-03 22:57:29.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/rsync.te 2009-02-09 15:32:24.000000000 -0500 @@ -119,5 +119,9 @@ tunable_policy(`rsync_export_all_ro',` @@ -20614,7 +20688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te --- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-07 07:19:23.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-09 10:49:17.000000000 -0500 @@ -66,6 +66,13 @@ ## gen_tunable(samba_share_nfs, false) @@ -20825,7 +20899,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') optional_policy(` -@@ -381,8 +426,10 @@ +@@ -376,13 +421,15 @@ + tunable_policy(`samba_create_home_dirs',` + allow smbd_t self:capability chown; + userdom_create_user_home_dirs(smbd_t) +- userdom_home_filetrans_user_home_dir(smbd_t) + ') ++userdom_home_filetrans_user_home_dir(smbd_t) tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) 
@@ -20836,6 +20916,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol auth_read_all_files_except_shadow(nmbd_t) ') +@@ -391,8 +438,8 @@ + auth_manage_all_files_except_shadow(smbd_t) + fs_read_noxattr_fs_files(nmbd_t) + auth_manage_all_files_except_shadow(nmbd_t) +- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) + ') ++userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir }) + + ######################################## + # @@ -454,6 +501,7 @@ dev_getattr_mtrr_dev(nmbd_t) @@ -21004,7 +21094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol tunable_policy(`samba_run_unconfined',` domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t) -+', ` ++',` + can_exec(smbd_t, samba_unconfined_script_exec_t) ') -') @@ -28666,7 +28756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500 -+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-08 17:11:31.000000000 -0500 ++++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-09 11:05:11.000000000 -0500 @@ -30,8 +30,9 @@ ') 
@@ -29664,9 +29754,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol # the same domain and outside users) disabling this forces FTP passive mode # and may change other protocols tunable_policy(`user_tcp_server',` - corenet_tcp_bind_generic_node($1_t) +- corenet_tcp_bind_generic_node($1_t) - corenet_tcp_bind_generic_port($1_t) -+ corenet_tcp_bind_all_unreserved_ports($1_t) ++ corenet_tcp_bind_all_nodes($1_usertype) ++ corenet_tcp_bind_all_unreserved_ports($1_usertype) ') optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 28a1e73..17ddb48 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,8 +19,8 @@ %define CHECKPOLICYVER 2.0.16-3
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.6.4
-Release: 5%{?dist}
+Version: 3.6.5
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -184,7 +184,7 @@ fi;
 %description
 SELinux Reference Policy - modular.
-Based off of reference policy: Checked out revision 2907.
+Based off of reference policy: Checked out revision 2908.
 %build
@@ -444,6 +444,12 @@ exit 0
 %endif
 %changelog
+* Mon Feb 9 2009 Dan Walsh 3.6.5-1
+- Add setrans contains from upstream
+
+* Mon Feb 9 2009 Dan Walsh 3.6.4-6
+- Do transitions outside of the booleans
+
 * Sun Feb 8 2009 Dan Walsh 3.6.4-5
 - Allow xdm to create user_tmp_t sockets for switch user to work
diff --git a/sources b/sources
index b08fdc0..9562250 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-5c9f2ee48dab2742927fb099740e9fbc serefpolicy-3.6.4.tgz
+5911f8b7b5cd991b6367110b0617ac4c serefpolicy-3.6.5.tgz
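Review bot: The `user_tcp_server` block now calls `corenet_tcp_bind_all_nodes($1_usertype)` and `corenet_tcp_bind_all_unreserved_ports($1_usertype)` where the old lines targeted `$1_t`, so the bind permission moves from the single user domain to every domain that carries the `$1_usertype` attribute, and from the generic node to all nodes. If that broadening is intended, the comment above the tunable (`# the same domain and outside users) disabling this forces FTP passive mode`) still reads as a per-domain setting and should say so; I would add `# granted to every domain in $1_usertype, not only $1_t` above the two new lines. The template this block sits in begins outside the hunk, so I cannot see which domains presumably receive the attribute.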