From 457e0d79b4ba4185aa110a06e8f6e4dc84e7b870 Mon Sep 17 00:00:00 2001 From: Miroslav Grepl Date: May 15 2009 08:05:30 +0000 Subject: - Fixes for kpropd - Add /usr/share/selinux/packages --- diff --git a/policy-20080710.patch b/policy-20080710.patch index 339ff6e..f4ecbae 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -17476,7 +17476,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fetc diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.5.13/policy/modules/services/ftp.te --- nsaserefpolicy/policy/modules/services/ftp.te 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2009-03-05 13:32:40.000000000 +0100 ++++ serefpolicy-3.5.13/policy/modules/services/ftp.te 2009-05-15 09:30:07.000000000 +0200 @@ -26,7 +26,7 @@ ## ##

@@ -17510,7 +17510,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. type ftpd_t; type ftpd_exec_t; init_daemon_domain(ftpd_t, ftpd_exec_t) -@@ -158,8 +166,10 @@ +@@ -92,6 +100,7 @@ + allow ftpd_t self:unix_stream_socket create_stream_socket_perms; + allow ftpd_t self:tcp_socket create_stream_socket_perms; + allow ftpd_t self:udp_socket create_socket_perms; ++allow ftpd_t self:key manage_key_perms; + + allow ftpd_t ftpd_etc_t:file read_file_perms; + +@@ -158,8 +167,10 @@ files_read_etc_runtime_files(ftpd_t) files_search_var_lib(ftpd_t) @@ -17521,7 +17529,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. auth_use_nsswitch(ftpd_t) auth_domtrans_chk_passwd(ftpd_t) -@@ -226,8 +236,16 @@ +@@ -226,8 +237,16 @@ userdom_manage_all_users_home_content_dirs(ftpd_t) userdom_manage_all_users_home_content_files(ftpd_t) userdom_manage_all_users_home_content_symlinks(ftpd_t) @@ -17538,7 +17546,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. tunable_policy(`ftp_home_dir && use_nfs_home_dirs',` fs_manage_nfs_files(ftpd_t) fs_read_nfs_symlinks(ftpd_t) -@@ -238,6 +256,11 @@ +@@ -238,6 +257,11 @@ fs_read_cifs_symlinks(ftpd_t) ') @@ -17550,7 +17558,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. optional_policy(` tunable_policy(`ftp_home_dir',` apache_search_sys_content(ftpd_t) -@@ -245,6 +268,18 @@ +@@ -245,6 +269,18 @@ ') optional_policy(` @@ -17569,7 +17577,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. corecmd_exec_shell(ftpd_t) files_read_usr_files(ftpd_t) -@@ -261,7 +296,9 @@ +@@ -261,7 +297,9 @@ ') optional_policy(` @@ -17580,7 +17588,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp. ') optional_policy(` -@@ -273,6 +310,14 @@ +@@ -273,6 +311,14 @@ ') optional_policy(` 
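Review bot: The added `allow ftpd_t self:key manage_key_perms;` in the first hunk on this line (inner hunk `@@ -92,6 +100,7 @@` of ftp.te) is granted unconditionally and has no comment saying what in ftpd needs kernel keyring access. The rule is limited to the domain's own keys, so the exposure is small, but the next maintainer cannot tell whether it is still required or could sit inside an `optional_policy` or tunable block. I would add a line above it such as `# ftpd manages its own kernel keyring; added for <bug-or-AVC reference>`, filling in the denial that motivated it. The remaining hunks on this line only renumber inner hunk headers and need no change.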
@@ -18341,20 +18349,53 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inet diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.fc serefpolicy-3.5.13/policy/modules/services/kerberos.fc --- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-10-17 14:49:13.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/kerberos.fc 2009-02-10 15:07:15.000000000 +0100 -@@ -20,7 +20,7 @@ ++++ serefpolicy-3.5.13/policy/modules/services/kerberos.fc 2009-05-15 09:29:04.000000000 +0200 +@@ -6,21 +6,23 @@ + /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + + /etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) +-/etc/rc\.d/init\.d/kpropd -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) ++/etc/rc\.d/init\.d/kprop -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + /etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0) + + /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0) + /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0) + /usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0) ++/usr/kerberos/sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0) + + /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0) + /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) + /var/kerberos/krb5kdc(/.*)? 
gen_context(system_u:object_r:krb5kdc_conf_t,s0) /var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0) ++/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0) -/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) -+/var/kerberos/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0) ++/var/kerberos/krb5kdc/principal.*\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0) /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0) /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.5.13/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2008-10-17 14:49:11.000000000 +0200 -+++ serefpolicy-3.5.13/policy/modules/services/kerberos.te 2009-02-10 15:07:15.000000000 +0100 -@@ -298,6 +298,7 @@ ++++ serefpolicy-3.5.13/policy/modules/services/kerberos.te 2009-05-15 09:15:30.000000000 +0200 +@@ -33,6 +33,7 @@ + type kpropd_t; + type kpropd_exec_t; + init_daemon_domain(kpropd_t, kpropd_exec_t) ++domain_obj_id_change_exemption(kpropd_t) + + type krb5_conf_t; + files_type(krb5_conf_t) +@@ -289,6 +290,7 @@ + + allow kpropd_t krb5_keytab_t:file read_file_perms; + ++manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_lock_t) + manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t) + + corecmd_exec_bin(kpropd_t) +@@ -298,6 +300,7 @@ corenet_tcp_sendrecv_all_nodes(kpropd_t) corenet_tcp_sendrecv_all_ports(kpropd_t) corenet_tcp_bind_all_nodes(kpropd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 6763161..a96af4b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
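Review bot: The new kerberos.fc entry `/usr/kerberos/sbin/kpropd` matches only that one directory, whereas the krb5kdc and kadmind entries just above it use `/usr/(local/)?(kerberos/)?sbin/`. A kpropd binary installed under /usr/sbin or /usr/local would not be labelled `kpropd_exec_t`, and so would presumably not transition into `kpropd_t` when started from init. I would write it as `/usr/(local/)?(kerberos/)?sbin/kpropd -- gen_context(system_u:object_r:kpropd_exec_t,s0)` to match its siblings. Separately, `domain_obj_id_change_exemption(kpropd_t)` in kerberos.te lifts the constraint on changing the SELinux user of objects for the whole domain, which is a broad grant for a network-facing daemon. It deserves a one-line comment naming the operation or denial that required it, so it can be removed if a narrower rule turns out to be enough.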
@@ -20,7 +20,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.5.13 -Release: 59%{?dist} +Release: 60%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -63,6 +63,7 @@ SELinux Base package %dir %{_usr}/share/selinux/modules %dir %{_usr}/share/selinux/devel %dir %{_usr}/share/selinux/devel/include +%dir %{_usr}/share/selinux/packages %dir %{_sysconfdir}/selinux %ghost %config(noreplace) %{_sysconfdir}/selinux/config %ghost %{_sysconfdir}/sysconfig/selinux @@ -248,6 +249,7 @@ make clean make UNK_PERMS=allow NAME=targeted TYPE=mcs DISTRO=%{distro} DIRECT_INITRC=n MONOLITHIC=%{monolithic} DESTDIR=%{buildroot} PKGNAME=%{name}-%{version} POLY=y MLS_CATS=1024 MCS_CATS=1024 install-headers install-docs mkdir %{buildroot}%{_usr}/share/selinux/devel/ +mkdir %{buildroot}%{_usr}/share/selinux/packages/ mv %{buildroot}%{_usr}/share/selinux/targeted/include %{buildroot}%{_usr}/share/selinux/devel/include install -m 755 $RPM_SOURCE_DIR/policygentool %{buildroot}%{_usr}/share/selinux/devel/ install -m 644 $RPM_SOURCE_DIR/Makefile.devel %{buildroot}%{_usr}/share/selinux/devel/Makefile @@ -460,6 +462,10 @@ exit 0 %endif %changelog +* Fri May 15 2009 Miroslav Grepl 3.5.13-60 +- Fixes for kpropd +- Add /usr/share/selinux/packages + * Thu May 7 2009 Miroslav Grepl 3.5.13-59 - Fix /sbin/ip6tables-save context - Fix milter policy
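Review bot: The new `mkdir %{buildroot}%{_usr}/share/selinux/packages/` in the third hunk creates the directory with whatever umask the build runs under, and the matching `%dir %{_usr}/share/selinux/packages` in the second hunk carries no `%attr`. This directory presumably holds policy packages that other RPMs drop in for loading, so its mode should be stated rather than inherited. I would use `install -d -m 755 %{buildroot}%{_usr}/share/selinux/packages` or `%dir %attr(0755,root,root) %{_usr}/share/selinux/packages`. A `%defattr` in the `%files` section outside these hunks may already fix ownership, in which case this only makes the mode explicit.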