From d5301868562bc833838df826b9b0688ba1b78ec6 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Jan 08 2008 20:29:53 +0000
Subject: *** empty log message ***
---
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 06bc269..4c87117 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -927,7 +927,7 @@ pyzor = module
 #
 # Policy for sendmail.
 #
-qmail = module
+qmail = off
 # Layer: admin
 # Module: quota
diff --git a/policy-20070501.patch b/policy-20070501.patch
index 1a04465..7239d36 100644
--- a/policy-20070501.patch
+++ b/policy-20070501.patch
@@ -4559,6 +4559,31 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
 dev_read_sound(entropyd_t)
 fs_getattr_all_fs(entropyd_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.if serefpolicy-2.6.4/policy/modules/services/automount.if
+--- nsaserefpolicy/policy/modules/services/automount.if 2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/automount.if 2008-01-08 15:20:46.000000000 -0500
+@@ -74,3 +74,21 @@
+
+ dontaudit $1 automount_tmp_t:dir getattr;
+ ')
++
++########################################
++##
++## Do not audit attempts to file descriptors for automount.
++##
++##
++##
++## Domain to not audit.
++##
++##
++#
++interface(`automount_dontaudit_use_fds',`
++ gen_require(`
++ type automount_t;
++ ')
++
++ dontaudit $1 automount_t:fd use;
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-2.6.4/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te 2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/automount.te 2008-01-02 11:27:47.000000000 -0500
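Review bot: `qmail = off` withdraws confinement for any qmail install without recording where those processes will run afterwards; the domain they fall into is not visible here and is presumably whatever the init/unconfined default is. The flip is paired with `semodule -r qmail` in the spec trigger, but neither this line nor the 2.6.4-69 changelog says why the module is being dropped, so the next maintainer has no way to tell a deliberate removal from a build workaround. I would put the reason on the entry itself, e.g. `# off: not built; the loaded module is removed on upgrade by the spec %triggerpostun (semodule -r qmail)`. Separately, the existing header `# Policy for sendmail.` sitting over a qmail entry reads like a copy-paste and should say `# Policy for qmail.` if that is what it describes.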
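Review bot: The summary on the new `automount_dontaudit_use_fds` interface is missing its verb: `## Do not audit attempts to file descriptors for automount.` should read `## Do not audit attempts to use file descriptors for automount.`, matching the `fd use` permission it silences. The body is the standard dontaudit-helper shape (gen_require on `automount_t`, a single `dontaudit $1 automount_t:fd use;`), so nothing to change there. No caller of the interface is visible in this chunk, and the automount.te section whose header closes the hunk continues past it, so I cannot confirm which domain it is intended for; the refpolicy XML doc tags also appear stripped in this rendering, so I am assuming they are intact in the file.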
@@ -6950,7 +6975,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 --- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/services/exim.fc 2008-01-02 11:27:47.000000000 -0500
 @@ -0,0 +1,16 @@
-+# $Id: policy-20070501.patch,v 1.90 2008/01/08 19:57:58 dwalsh Exp $
++# $Id: policy-20070501.patch,v 1.91 2008/01/08 20:29:53 dwalsh Exp $
 +# Draft SELinux refpolicy module for the Exim MTA
 +#
 +# Devin Carraway
@@ -7131,7 +7156,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 --- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-2.6.4/policy/modules/services/exim.te 2008-01-02 11:27:47.000000000 -0500
 @@ -0,0 +1,231 @@
-+# $Id: policy-20070501.patch,v 1.90 2008/01/08 19:57:58 dwalsh Exp $
++# $Id: policy-20070501.patch,v 1.91 2008/01/08 20:29:53 dwalsh Exp $
 +# Draft SELinux refpolicy module for the Exim MTA
 +#
 +# Devin Carraway
@@ -10239,7 +10264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 ##
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2008-01-08 13:55:38.000000000 -0500
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te 2008-01-08 15:27:04.000000000 -0500
 @@ -1,5 +1,5 @@
 -policy_module(rpc,1.5.0)
@@ -10308,7 +10333,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 +dev_dontaudit_getattr_all_chr_files(nfsd_t)
 +
 +dev_read_lvm_control(nfsd_t)
-+storage_dontaudit_raw_read_fixed_disk(nfsd_t)
++storage_dontaudit_read_fixed_disk(nfsd_t)
 +
 # for /proc/fs/nfs/exports - should we have a new type?
 kernel_read_system_state(nfsd_t)
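Review bot: The renamed `storage_dontaudit_read_fixed_disk(nfsd_t)` still carries no explanation of why a network-facing daemon is touching fixed-disk block devices, and a dontaudit on that class is exactly the rule an auditor will question later because it hides the denial without granting access. The rename itself looks like a build fix (the old `storage_dontaudit_raw_read_fixed_disk` name presumably did not resolve in this refpolicy; I cannot confirm that from here), but the intent of the rule remains undocumented either way. Suggest a why-comment on the line, e.g. `# nfsd_t is denied reads of fixed-disk devices; this only quiets the AVC, it grants nothing (trigger: TODO document)`. The surrounding nfsd_t rule block starts outside the hunk.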
@@ -10333,12 +10358,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 kernel_read_network_state(gssd_t)
 kernel_read_network_state_symlinks(gssd_t)
 kernel_search_network_sysctl(gssd_t)
-@@ -156,14 +176,12 @@
- files_list_tmp(gssd_t)
- files_read_usr_symlinks(gssd_t)
+@@ -158,12 +178,7 @@
-+auth_read_cache(gssd_t)
-+
 miscfiles_read_certs(gssd_t)
 -ifdef(`targeted_policy',`
@@ -10347,7 +10368,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.
 - # Manage the users kerberos tgt file
 - files_manage_generic_tmp_files(gssd_t)
 -')
-+userdom_dontaudit_search_users_home_dirs(rpcd_t)
 +userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)
 tunable_policy(`allow_gssd_read_tmp',`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 41f317a..0071d2d 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@ Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 68%{?dist}
+Release: 69%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -292,8 +292,10 @@ semodule -r moilscanner 2>/dev/null
 %rebuildpolicy targeted
 %relabel targeted
-%triggerpostun targeted -- selinux-policy-targeted < 2.6.4-13
+%triggerpostun targeted -- selinux-policy-targeted < 2.6.4-68
 restorecon -R /root 2> /dev/null
+semodule -r qmail 2> /dev/null
+
 exit 0
 %files targeted
@@ -363,6 +365,10 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init
 %endif
 %changelog
+
+* Tue Jan 8 2008 Dan Walsh 2.6.4-69
+- Allow samba to getattr on file systems labeled samba_share_t
+
 * Fri Jan 4 2008 Dan Walsh 2.6.4-68
 - Transition to unconfined_mount on login
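Review bot: Dropping `+auth_read_cache(gssd_t)` reverses a permission that the 1.90 revision of this patch added the same day, and nothing in the commit records why; the 2.6.4-69 changelog entry mentions only samba. From the visible context, gssd's remaining route to cached credentials appears to be the `allow_gssd_read_tmp` tunable whose block begins at the end of the next hunk, but that block lies outside the chunk so I cannot confirm it covers the same files. Please add a changelog line such as `- Revert auth_read_cache(gssd_t); gssd credential-cache access stays behind allow_gssd_read_tmp` (wording to be checked against the real reason) so the rollback is not silent.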
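Review bot: Removing `+userdom_dontaudit_search_users_home_dirs(rpcd_t)` means rpcd_t searches of user home directories will show up in the audit log again while the sysadm variant on the next line stays silenced, and the commit does not say whether that is intended or a build fix for an interface that does not exist in this refpolicy. A changelog line, or a comment beside the surviving `+userdom_dontaudit_search_sysadm_home_dirs(rpcd_t)` such as `# users_home_dirs variant deliberately not silenced: <reason>`, would stop the next maintainer from re-adding it. The gssd/rpcd rule block this sits in starts and ends outside the hunk.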
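Review bot: `%triggerpostun targeted -- selinux-policy-targeted < 2.6.4-68` does not fire for a system upgrading from 2.6.4-68 itself, yet that release presumably shipped with the `qmail = module` line this commit flips to `off`, so those systems keep a loaded qmail.pp that the new policy no longer builds or maintains; the bound should be the release that drops the module, `< 2.6.4-69`. Raising the floor from -13 to -68 also re-runs `restorecon -R /root` for every upgrade from -13 through -67, which is harmless but worth a one-line comment. Both commands throw away stderr, so a failed `semodule -r qmail` is invisible; that is fine when the module was never loaded, but add `# ignore failure: qmail module may not be loaded` above it so the redirect reads as intentional rather than as hiding a real semodule error.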