diff --git a/.cvsignore b/.cvsignore
index 1cdef7f..fa83ea7 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -206,3 +206,8 @@ serefpolicy-3.7.12.tgz
 serefpolicy-3.7.13.tgz
 serefpolicy-3.7.14.tgz
 serefpolicy-3.7.15.tgz
+serefpolicy-3.7.16.tgz
+serefpolicy-3.7.17.tgz
+serefpolicy-3.7.18.tgz
+serefpolicy-3.7.19.tgz
+serefpolicy-3.8.1.tgz
diff --git a/customizable_types b/customizable_types
index dbe706b..0edf31e 100644
--- a/customizable_types
+++ b/customizable_types
@@ -1,3 +1,4 @@
+sandbox_file_t
 svirt_image_t
 virt_content_t
 httpd_user_htaccess_t
@@ -6,3 +7,4 @@ httpd_user_content_ra_t
 httpd_user_content_rw_t
 httpd_user_content_t
 git_session_content_t
+home_bin_t
diff --git a/modules-minimum.conf b/modules-minimum.conf
index 117ca3f..967a530 100644
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@@ -12,6 +12,13 @@
 #
 
 # Layer: admin
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
 # Module: acct
 #
 # Berkeley process accounting
@@ -181,6 +188,13 @@ boinc = module
 bind = module
 
 # Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
 # Module: dnsmasq
 #
 # A lightweight DHCP and caching DNS server.
@@ -1155,6 +1169,13 @@ pcmcia = base
 pegasus = module
 
 # Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
@@ -1239,6 +1260,13 @@ pyzor = module
 #
 qmail = module
 
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
 # Layer: admin
 # Module: quota
 #
@@ -1679,6 +1707,13 @@ vhostmd = module
 #
 wine = module
 
+# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
 # Layer: admin
 # Module: tzdata
 #
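Review bot: Adding `home_bin_t` to customizable_types (second hunk of that file) has a consequence the commit does not spell out: as far as I know, a default `restorecon` run leaves customizable types in place, so a file that carries this label keeps it across routine relabels. The 3.7.19-22 changelog entry in this same commit lets procmail execute home-directory scripts labelled `home_bin_t`, so the label now grants something and persists once applied. If the intent is that users mark their own scripts with `chcon`, say so in the changelog entry; otherwise confirm that a stale or mistaken label surviving a relabel is acceptable. The same question applies to `sandbox_file_t` in the first hunk.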
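Review bot: The comment header of the new apps module in modules-minimum.conf (hunk at -1679) reads `# Module: telepathy_sofiasip`, but the assignment below it is `telepathysofiasip = module`, so the documented module name and the key disagree. The changelog in this commit says "Add telepathysofiasip policy", which suggests the key is the intended spelling and the header should be `# Module: telepathysofiasip`. The same mismatch appears in the corresponding hunks of modules-mls.conf and modules-targeted.conf.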
@@ -2078,18 +2113,18 @@ guest = module
 xguest = module
 
 # Layer: services
-# Module: courier
+# Module: cgroup
 #
-# IMAP and POP3 email servers
+# Tools and libraries to control and monitor control groups
 #
-courier = module
+cgroup = module
 
 # Layer: services
-# Module: cgroup
+# Module: courier
 #
-# Tools and libraries to control and monitor control groups
+# IMAP and POP3 email servers
 #
-cgroup = module
+courier = module
 
 # Layer: services
 # Module: denyhosts
diff --git a/modules-mls.conf b/modules-mls.conf
index 236334f..86a4270 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -12,6 +12,13 @@
 #
 
 # Layer: admin
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
 # Module: acct
 #
 # Berkeley process accounting
@@ -160,6 +167,13 @@ boinc = module
 bind = module
 
 # Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
 # Module: dnsmasq
 #
 # A lightweight DHCP and caching DNS server.
@@ -1093,6 +1107,13 @@ pcmcia = base
 pegasus = module
 
 # Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
@@ -1169,7 +1190,6 @@ pulseaudio = module
 #
 pyzor = module
 
-
 # Layer: services
 # Module: qmail
 #
@@ -1177,6 +1197,13 @@ pyzor = module
 #
 qmail = module
 
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
 # Layer: admin
 # Module: quota
 #
@@ -1483,7 +1510,6 @@ sudo = base
 #
 sysnetwork = base
 
-
 # Layer: services
 # Module: sysstat
 #
@@ -1773,6 +1799,13 @@ portreserve = module
 rpcbind = module
 
 # Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
+# Layer: apps
 # Module: vmware
 #
 # VMWare Workstation virtual machines
@@ -1926,6 +1959,13 @@ guest = module
 xguest = module
 
 # Layer: services
+# Module: cgroup
+#
+# Tools and libraries to control and monitor control groups
+#
+cgroup = module
+
+# Layer: services
 # Module: courier
 #
 # IMAP and POP3 email servers
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 117ca3f..967a530 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -12,6 +12,13 @@
 #
 
 # Layer: admin
+# Module: accountsd
+#
+# An application to view and modify user accounts information
+#
+accountsd = module
+
+# Layer: admin
 # Module: acct
 #
 # Berkeley process accounting
@@ -181,6 +188,13 @@ boinc = module
 bind = module
 
 # Layer: services
+# Module: bugzilla
+#
+# Bugzilla server
+#
+bugzilla = module
+
+# Layer: services
 # Module: dnsmasq
 #
 # A lightweight DHCP and caching DNS server.
@@ -1155,6 +1169,13 @@ pcmcia = base
 pegasus = module
 
 # Layer: services
+# Module: piranha
+#
+# piranha - various tools to administer and configure the Linux Virtual Server
+#
+piranha = module
+
+# Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
@@ -1239,6 +1260,13 @@ pyzor = module
 #
 qmail = module
 
+# Layer: services
+# Module: qpidd
+#
+# Policy for qpidd
+#
+qpidd = module
+
 # Layer: admin
 # Module: quota
 #
@@ -1679,6 +1707,13 @@ vhostmd = module
 #
 wine = module
 
+# Layer: apps
+# Module: telepathy_sofiasip
+#
+# telepathy-sofiasip - Telepathy connection manager for SIP
+#
+telepathysofiasip = module
+
 # Layer: admin
 # Module: tzdata
 #
@@ -2078,18 +2113,18 @@ guest = module
 xguest = module
 
 # Layer: services
-# Module: courier
+# Module: cgroup
 #
-# IMAP and POP3 email servers
+# Tools and libraries to control and monitor control groups
 #
-courier = module
+cgroup = module
 
 # Layer: services
-# Module: cgroup
+# Module: courier
 #
-# Tools and libraries to control and monitor control groups
+# IMAP and POP3 email servers
 #
-cgroup = module
+courier = module
 
 # Layer: services
 # Module: denyhosts
diff --git a/nsadiff b/nsadiff
index 115cf3c..bdd7655 100755
--- a/nsadiff
+++ b/nsadiff
@@ -1 +1 @@
-diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.7.15 > /tmp/diff
+diff --exclude-from=exclude -N -u -r nsaserefpolicy serefpolicy-3.8.1 > /tmp/diff
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 3b87b5f..656b09b 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -19,12 +19,12 @@
 %define CHECKPOLICYVER 2.0.21-1
 Summary: SELinux policy configuration
 Name: selinux-policy
-Version: 3.7.15
+Version: 3.8.1
 Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
-patch: policy-F13.patch
+patch: policy-F14.patch
 Source1: modules-targeted.conf
 Source2: booleans-targeted.conf
 Source3: Makefile.devel
@@ -96,7 +96,9 @@ SELinux policy documentation package
 %attr(755,root,root) %{_usr}/share/selinux/devel/policyhelp
 
 %check
-/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
+if /usr/sbin/selinuxenabled; then
+/usr/bin/sepolgen-ifgen -i %{buildroot}%{_usr}/share/selinux/devel/include -o /dev/null
+fi
 
 %define makeCmds() \
 make UNK_PERMS=%5 NAME=%1 TYPE=%2 DISTRO=%{distro} UBAC=n DIRECT_INITRC=%3 MONOLITHIC=%{monolithic} POLY=%4 MLS_CATS=1024 MCS_CATS=1024 bare \
@@ -314,6 +316,7 @@ Requires(pre): selinux-policy = %{version}-%{release}
 Requires: selinux-policy = %{version}-%{release}
 Conflicts: audispd-plugins <= 1.7.7-1
 Obsoletes: mod_fcgid-selinux <= %{version}-%{release}
+Obsoletes: cachefilesd-selinux <= 0.10-1
 Conflicts: seedit
 
 %description targeted
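Review bot: The new `if /usr/sbin/selinuxenabled; then` guard in %check makes the sepolgen-ifgen run silently optional: on a build host with SELinux disabled the interface check is skipped with no trace in the build log, so interface files that fail to parse can ship from a build that looks clean. Make the skip visible by adding `else echo "SELinux disabled on build host; sepolgen-ifgen interface check skipped" >&2` before `fi`. The guard also depends on the binary at that absolute path; the BuildRequires lines are outside this hunk, so confirm the package providing it is listed, because a missing binary makes the `if` false and looks the same as the disabled case.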
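Review bot: The added `Obsoletes: cachefilesd-selinux <= 0.10-1` and the 3.7.19-21 changelog entry in this commit disagree on the package name, since the changelog says `cachefilesfd-selinux`. The Obsoletes spelling looks like the intended one, so the changelog line should read `- Add obsoletes for cachefilesd-selinux package`. From the context lines the tag appears to sit in the targeted subpackage only; if the other policy subpackages replace the same module they would presumably need it too.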
@@ -466,6 +469,222 @@ exit 0 %endif %changelog +* Tue May 25 2010 Dan Walsh 3.8.1-1 +- Update to upstream + +* Tue May 25 2010 Dan Walsh 3.7.19-22 +- Allow procmail to execute scripts in the users home dir that are labeled home_bin_t +- Fix /var/run/abrtd.lock label + +* Mon May 24 2010 Dan Walsh 3.7.19-21 +- Allow login programs to read krb5_home_t +Resolves: 594833 +- Add obsoletes for cachefilesfd-selinux package +Resolves: #575084 + +* Thu May 20 2010 Dan Walsh 3.7.19-20 +- Allow mount to r/w abrt fifo file +- Allow svirt_t to getattr on hugetlbfs +- Allow abrt to create a directory under /var/spool + +* Wed May 19 2010 Dan Walsh 3.7.19-19 +- Add labels for /sys +- Allow sshd to getattr on shutdown +- Fixes for munin +- Allow sssd to use the kernel key ring +- Allow tor to send syslog messages +- Allow iptabels to read usr files +- allow policykit to read all domains state + +* Thu May 13 2010 Dan Walsh 3.7.19-17 +- Fix path for /var/spool/abrt +- Allow nfs_t as an entrypoint for http_sys_script_t +- Add policy for piranha +- Lots of fixes for sosreport + +* Wed May 12 2010 Dan Walsh 3.7.19-16 +- Allow xm_t to read network state and get and set capabilities +- Allow policykit to getattr all processes +- Allow denyhosts to connect to tcp port 9911 +- Allow pyranha to use raw ip sockets and ptrace itself +- Allow unconfined_execmem_t and gconfsd mechanism to dbus +- Allow staff to kill ping process +- Add additional MLS rules + +* Mon May 10 2010 Dan Walsh 3.7.19-15 +- Allow gdm to edit ~/.gconf dir +Resolves: #590677 +- Allow dovecot to create directories in /var/lib/dovecot +Partially resolves 590224 +- Allow avahi to dbus chat with NetworkManager +- Fix cobbler labels +- Dontaudit iceauth_t leaks +- fix /var/lib/lxdm file context +- Allow aiccu to use tun tap devices +- Dontaudit shutdown using xserver.log + +* Fri May 6 2010 Dan Walsh 3.7.19-14 +- Fixes for sandbox_x_net_t to match access for sandbox_web_t ++ +- Add xdm_etc_t for /etc/gdm directory, allow 
accountsd to manage this directory +- Add dontaudit interface for bluetooth dbus +- Add chronyd_read_keys, append_keys for initrc_t +- Add log support for ksmtuned +Resolves: #586663 + +* Thu May 6 2010 Dan Walsh 3.7.19-13 +- Allow boinc to send mail + +* Wed May 5 2010 Dan Walsh 3.7.19-12 +- Allow initrc_t to remove dhcpc_state_t +- Fix label on sa-update.cron +- Allow dhcpc to restart chrony initrc +- Don't allow sandbox to send signals to its parent processes +- Fix transition from unconfined_t -> unconfined_mount_t -> rpcd_t +Resolves: #589136 + +* Mon May 3 2010 Dan Walsh 3.7.19-11 +- Fix location of oddjob_mkhomedir +Resolves: #587385 +- fix labeling on /root/.shosts and ~/.shosts +- Allow ipsec_mgmt_t to manage net_conf_t +Resolves: #586760 + +* Fri Apr 30 2010 Dan Walsh 3.7.19-10 +- Dontaudit sandbox trying to connect to netlink sockets +Resolves: #587609 +- Add policy for piranha + +* Thu Apr 29 2010 Dan Walsh 3.7.19-9 +- Fixups for xguest policy +- Fixes for running sandbox firefox + +* Wed Apr 28 2010 Dan Walsh 3.7.19-8 +- Allow ksmtuned to use terminals +Resolves: #586663 +- Allow lircd to write to generic usb devices + +* Tue Apr 27 2010 Dan Walsh 3.7.19-7 +- Allow sandbox_xserver to connectto unconfined stream +Resolves: #585171 + +* Mon Apr 26 2010 Dan Walsh 3.7.19-6 +- Allow initrc_t to read slapd_db_t +Resolves: #585476 +- Allow ipsec_mgmt to use unallocated devpts and to create /etc/resolv.conf +Resolves: #585963 + +* Thu Apr 22 2010 Dan Walsh 3.7.19-5 +- Allow rlogind_t to search /root for .rhosts +Resolves: #582760 +- Fix path for cached_var_t +- Fix prelink paths /var/lib/prelink +- Allow confined users to direct_dri +- Allow mls lvm/cryptosetup to work + +* Wed Apr 21 2010 Dan Walsh 3.7.19-4 +- Allow virtd_t to manage firewall/iptables config +Resolves: #573585 + +* Tue Apr 20 2010 Dan Walsh 3.7.19-3 +- Fix label on /root/.rhosts +Resolves: #582760 +- Add labels for Picasa +- Allow openvpn to read home certs +- Allow plymouthd_t to use 
tty_device_t +- Run ncftool as iptables_t +- Allow mount to unmount unlabeled_t +- Dontaudit hal leaks + +* Wed Apr 14 2010 Dan Walsh 3.7.19-2 +- Allow livecd to transition to mount + +* Tue Apr 13 2010 Dan Walsh 3.7.19-1 +- Update to upstream +- Allow abrt to delete sosreport +Resolves: #579998 +- Allow snmp to setuid and gid +Resolves: #582155 +- Allow smartd to use generic scsi devices +Resolves: #582145 + +* Tue Apr 13 2010 Dan Walsh 3.7.18-3 +- Allow ipsec_t to create /etc/resolv.conf with the correct label +- Fix reserved port destination +- Allow autofs to transition to showmount +- Stop crashing tuned + +* Mon Apr 12 2010 Dan Walsh 3.7.18-2 +- Add telepathysofiasip policy + +* Mon Apr 5 2010 Dan Walsh 3.7.18-1 +- Update to upstream +- Fix label for /opt/google/chrome/chrome-sandbox +- Allow modemmanager to dbus with policykit + +* Mon Apr 5 2010 Dan Walsh 3.7.17-6 +- Fix allow_httpd_mod_auth_pam to use auth_use_pam(httpd_t) +- Allow accountsd to read shadow file +- Allow apache to send audit messages when using pam +- Allow asterisk to bind and connect to sip tcp ports +- Fixes for dovecot 2.0 +- Allow initrc_t to setattr on milter directories +- Add procmail_home_t for .procmailrc file + + +* Thu Apr 1 2010 Dan Walsh 3.7.17-5 +- Fixes for labels during install from livecd + +* Thu Apr 1 2010 Dan Walsh 3.7.17-4 +- Fix /cgroup file context +- Fix broken afs use of unlabled_t +- Allow getty to use the console for s390 + +* Wed Mar 31 2010 Dan Walsh 3.7.17-3 +- Fix cgroup handling adding policy for /cgroup +- Allow confined users to write to generic usb devices, if user_rw_noexattrfile boolean set + +* Tue Mar 30 2010 Dan Walsh 3.7.17-2 +- Merge patches from dgrift + +* Mon Mar 29 2010 Dan Walsh 3.7.17-1 +- Update upstream +- Allow abrt to write to the /proc under any process + +* Fri Mar 26 2010 Dan Walsh 3.7.16-2 + - Fix ~/.fontconfig label +- Add /root/.cert label +- Allow reading of the fixed_file_disk_t:lnk_file if you can read file +- Allow qemu_exec_t 
as an entrypoint to svirt_t + +* Tue Mar 23 2010 Dan Walsh 3.7.16-1 +- Update to upstream +- Allow tmpreaper to delete sandbox sock files +- Allow chrome-sandbox_t to use /dev/zero, and dontaudit getattr file systems +- Fixes for gitosis +- No transition on livecd to passwd or chfn +- Fixes for denyhosts + +* Tue Mar 23 2010 Dan Walsh 3.7.15-4 +- Add label for /var/lib/upower +- Allow logrotate to run sssd +- dontaudit readahead on tmpfs blk files +- Allow tmpreaper to setattr on sandbox files +- Allow confined users to execute dos files +- Allow sysadm_t to kill processes running within its clearance +- Add accountsd policy +- Fixes for corosync policy +- Fixes from crontab policy +- Allow svirt to manage svirt_image_t chr files +- Fixes for qdisk policy +- Fixes for sssd policy +- Fixes for newrole policy + +* Thu Mar 18 2010 Dan Walsh 3.7.15-3 +- make libvirt work on an MLS platform + +* Thu Mar 18 2010 Dan Walsh 3.7.15-2 +- Add qpidd policy + * Thu Mar 18 2010 Dan Walsh 3.7.15-1 - Update to upstream diff --git a/sources b/sources index f23a132..da283cf 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4c7d323036f1662a06a7a4f2a7da57a5 config.tgz -aaaf54fcfe4fe4e0a906dca6c21fa7ed serefpolicy-3.7.15.tgz +d9c54ebb76f5d986974def003ef2189d serefpolicy-3.8.1.tgz