diff --git a/policy-20080710.patch b/policy-20080710.patch index 8fc7906..30c0c25 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -19457,7 +19457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol + diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.5.13/policy/modules/services/postfix.te --- nsaserefpolicy/policy/modules/services/postfix.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/postfix.te 2008-11-06 13:11:09.000000000 -0500 @@ -6,6 +6,14 @@ # Declarations # @@ -19666,11 +19666,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol optional_policy(` procmail_domtrans(postfix_pipe_t) ') -@@ -397,6 +454,14 @@ +@@ -397,6 +454,15 @@ ') optional_policy(` + mta_manage_spool(postfix_pipe_t) ++ mta_send_mail(postfix_pipe_t) +') + +optional_policy(` @@ -19681,7 +19682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol uucp_domtrans_uux(postfix_pipe_t) ') -@@ -433,8 +498,11 @@ +@@ -433,8 +499,11 @@ ') optional_policy(` @@ -19695,7 +19696,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ####################################### -@@ -460,6 +528,15 @@ +@@ -460,6 +529,15 @@ init_sigchld_script(postfix_postqueue_t) init_use_script_fds(postfix_postqueue_t) @@ -19711,7 +19712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # Postfix qmgr local policy -@@ -543,6 +620,10 @@ +@@ -543,6 +621,10 @@ mta_read_aliases(postfix_smtpd_t) optional_policy(` 
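Review bot: `mta_send_mail(postfix_pipe_t)` is added to the nested postfix.te hunk (`@@ -397,6 +454,15 @@`) with no comment on why the pipe delivery agent must be able to hand mail back to sendmail, and the only changelog entry this release carries in selinux-policy.spec is "Fix labeling on /var/spool/rsyslog". As far as I recall the refpolicy interface grants a domain transition into the system mail domain, so any command postfix pipe runs gains a path into that domain; that is a wider grant than the `mta_manage_spool` line it sits next to and deserves to be recorded even if intended. Suggest a comment above the new line, e.g. `# pipe commands re-submit mail through sendmail`, plus a changelog line covering the postfix, prelude, audisp and unconfined changes shipped in -19.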
@@ -19722,7 +19723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol mailman_read_data_files(postfix_smtpd_t) ') -@@ -569,7 +650,7 @@ +@@ -569,7 +651,7 @@ files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir }) # connect to master process @@ -20396,7 +20397,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.5.13/policy/modules/services/prelude.te --- nsaserefpolicy/policy/modules/services/prelude.te 2008-08-07 11:15:11.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/services/prelude.te 2008-11-06 13:23:25.000000000 -0500 @@ -13,25 +13,57 @@ type prelude_spool_t; files_type(prelude_spool_t) @@ -20507,13 +20508,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol dev_read_rand(prelude_audisp_t) dev_read_urand(prelude_audisp_t) -@@ -117,15 +161,139 @@ +@@ -117,15 +161,140 @@ # Init script handling domain_use_interactive_fds(prelude_audisp_t) +kernel_read_sysctl(prelude_audisp_t) + files_read_etc_files(prelude_audisp_t) ++files_read_etc_runtime_files(prelude_audisp_t) libs_use_ld_so(prelude_audisp_t) libs_use_shared_libs(prelude_audisp_t) @@ -20647,7 +20649,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ######################################## # # prewikka_cgi Declarations -@@ -134,6 +302,20 @@ +@@ -134,6 +303,20 @@ optional_policy(` apache_content_template(prewikka) files_read_etc_files(httpd_prewikka_script_t) 
@@ -28421,8 +28423,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol -') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.5.13/policy/modules/system/logging.fc --- nsaserefpolicy/policy/modules/system/logging.fc 2008-09-24 09:07:28.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -53,10 +53,10 @@ ++++ serefpolicy-3.5.13/policy/modules/system/logging.fc 2008-11-07 08:13:03.000000000 -0500 +@@ -53,15 +53,18 @@ /var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0) ') @@ -28437,15 +28439,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) /var/run/log -s gen_context(system_u:object_r:devlog_t,s0) /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) -@@ -65,3 +65,5 @@ + /var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0) + /var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0) ++/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) ++/var/spool/rsyslog(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) + -+/var/spool/plymouth/boot.log gen_context(system_u:object_r:var_log_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.13/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.if 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/logging.if 2008-11-06 13:16:14.000000000 -0500 @@ -451,7 +451,7 @@ ') 
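Review bot: `/var/spool/rsyslog(/.*)?` labels rsyslog's disk-assisted queue as var_log_t, the same generic type the log directories above it use, so every domain allowed to read generic logs can also read queued messages that have not yet reached any log file; if a syslogd-specific type is available it would fit better, and if var_log_t is deliberate a one-line comment saying so would stop the next reader from wondering. The relocated `/var/spool/plymouth/boot.log` entry still has an unescaped dot and no `--` file-type specifier, unlike `/var/run/klogd\.pid --` a few lines earlier; `/var/spool/plymouth/boot\.log -- gen_context(system_u:object_r:var_log_t,s0)` would match only that regular file.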
@@ -28473,7 +28477,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.5.13/policy/modules/system/logging.te --- nsaserefpolicy/policy/modules/system/logging.te 2008-10-16 17:21:16.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-10-28 10:56:19.000000000 -0400 ++++ serefpolicy-3.5.13/policy/modules/system/logging.te 2008-11-06 13:13:09.000000000 -0500 @@ -129,7 +129,7 @@ allow auditd_t self:process { signal_perms setpgid setsched }; allow auditd_t self:file rw_file_perms; @@ -28495,7 +28499,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol allow audisp_t self:unix_stream_socket create_stream_socket_perms; allow audisp_t self:unix_dgram_socket create_socket_perms; -@@ -352,7 +352,7 @@ +@@ -237,9 +237,12 @@ + domain_use_interactive_fds(audisp_t) + + files_read_etc_files(audisp_t) ++files_read_etc_runtime_files(audisp_t) + + mls_file_write_all_levels(audisp_t) + ++auth_use_nsswitch(audisp_t) ++ + libs_use_ld_so(audisp_t) + libs_use_shared_libs(audisp_t) + +@@ -352,7 +355,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; allow syslogd_t self:unix_dgram_socket sendto; 
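Review bot: `auth_use_nsswitch(audisp_t)` in the logging.te hunk gives the audit dispatcher name-service access, and as far as I recall that interface also pulls in the DNS/NIS/LDAP client permissions nsswitch backends need, a noticeably wider set than the `files_read_etc_files`/`files_read_etc_runtime_files` reads around it. If audisp only needs local user/group resolution for its plugins, a comment such as `# audisp plugins resolve user/group names via nsswitch -- confirm no network backends are needed` above the added line would make the intent reviewable; if it genuinely needs network name services, the -19 changelog should say so, since it currently lists only the rsyslog labeling.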
@@ -30361,8 +30378,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.fc serefpolicy-3.5.13/policy/modules/system/unconfined.fc --- nsaserefpolicy/policy/modules/system/unconfined.fc 2008-09-11 16:42:49.000000000 -0400 -+++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-10-28 10:56:19.000000000 -0400 -@@ -2,15 +2,28 @@ ++++ serefpolicy-3.5.13/policy/modules/system/unconfined.fc 2008-11-06 13:03:04.000000000 -0500 +@@ -2,15 +2,29 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t 
@@ -30391,15 +30408,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/usr/lib64/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) +/usr/lib/erlang/erts-[^/]+/bin/beam.smp -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/usr/bin/haddock.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/hasktags -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/runghc -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/bin/runhaskell -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) -+/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/usr/bin/haddock.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/hasktags -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runghc -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/runhaskell -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/.*bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/libexec/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/lib(64)?/ghc-[^/]+/ghc-.* -- gen_context(system_u:object_r:execmem_exec_t,s0) + -+/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) ++/opt/real/(.*/)?realplay\.bin -- gen_context(system_u:object_r:execmem_exec_t,s0) ++/usr/bin/gcl -- gen_context(system_u:object_r:execmem_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.if serefpolicy-3.5.13/policy/modules/system/unconfined.if --- nsaserefpolicy/policy/modules/system/unconfined.if 2008-09-11 16:42:49.000000000 -0400 +++ 
serefpolicy-3.5.13/policy/modules/system/unconfined.if 2008-10-29 13:21:22.000000000 -0400
diff --git a/selinux-policy.spec b/selinux-policy.spec
index a63710f..aed0025 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.5.13
-Release: 18%{?dist}
+Release: 19%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -457,6 +457,9 @@
 exit 0
 %endif
 
 %changelog
+* Fri Nov 5 2008 Dan Walsh 3.5.13-19
+- Fix labeling on /var/spool/rsyslog
+
 * Thu Nov 5 2008 Dan Walsh 3.5.13-18
 - Allow postgresl to bind to udp nodes
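Review bot: the GHC tool entries and `realplay\.bin` in the unconfined.fc hunk are relabeled from unconfined_execmem_exec_t to execmem_exec_t and `/usr/bin/gcl` is added with the same type, but neither the hunk nor the -19 changelog states what domain a user ends up in when executing these files now, so the effect on confined versus unconfined users cannot be checked from here. A short comment above the GHC block naming the intended transition, e.g. `# GHC-built tools need execmem; transition handled by the caller's execmem domain`, would let the change be verified against the execmem transition rules rather than guessed. This hunk's final line (`+++ .../unconfined.if`) begins on the previous physical line of the diff.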