diff --git a/policy-20070703.patch b/policy-20070703.patch index 4be5371..c04d244 100644 --- a/policy-20070703.patch +++ b/policy-20070703.patch @@ -3987,7 +3987,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.te ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.fc serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc --- nsaserefpolicy/policy/modules/kernel/corecommands.fc 2007-10-22 13:21:42.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-01-07 11:08:45.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/kernel/corecommands.fc 2008-01-14 14:12:06.000000000 -0500 @@ -7,6 +7,7 @@ /bin/d?ash -- gen_context(system_u:object_r:shell_exec_t,s0) /bin/bash -- gen_context(system_u:object_r:shell_exec_t,s0) @@ -4008,7 +4008,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /etc/hotplug/.*agent -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/.*rc -- gen_context(system_u:object_r:bin_t,s0) /etc/hotplug/hotplug\.functions -- gen_context(system_u:object_r:bin_t,s0) -@@ -108,7 +114,6 @@ +@@ -44,6 +50,7 @@ + /etc/init\.d/functions -- gen_context(system_u:object_r:bin_t,s0) + + /etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0) ++/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0) + + /etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0) + /etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0) +@@ -108,7 +115,6 @@ /opt/RealPlayer/postint(/.*)? gen_context(system_u:object_r:bin_t,s0) /opt/vmware/workstation/lib/lib/wrapper-gtk24\.sh -- gen_context(system_u:object_r:bin_t,s0) ') 
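Review bot: The added entry `+/etc/NetworkManager/dispatcher.d(/.*)? gen_context(system_u:object_r:bin_t,s0)` leaves the dot in `dispatcher.d` unescaped, unlike the neighbouring `/etc/netplug\.d(/.*)?` and `/etc/ppp/ip-down\..*` entries, and in a file-context regex an unescaped dot matches any character. The tighter form is `/etc/NetworkManager/dispatcher\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)`. Because the pattern labels the directory and everything under it bin_t, any file dropped there becomes executable to every domain that has corecmd_exec_bin, which is presumably the intent for dispatcher scripts but is a reason to keep the pattern from matching more than that one directory.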
@@ -4016,7 +4024,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco # # /usr # -@@ -126,10 +131,10 @@ +@@ -126,10 +132,10 @@ /usr/lib(64)?/[^/]*firefox[^/]*/firefox -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) @@ -4029,7 +4037,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0) -@@ -163,9 +168,15 @@ +@@ -163,9 +169,15 @@ /usr/libexec/openssh/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -4046,7 +4054,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco /usr/share/apr-0/build/[^/]+\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/apr-0/build/libtool -- gen_context(system_u:object_r:bin_t,s0) -@@ -180,6 +191,7 @@ +@@ -180,6 +192,7 @@ /usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0) @@ -4054,7 +4062,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/coreco ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) -@@ -259,3 +271,23 @@ +@@ -259,3 +272,23 @@ ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') 
@@ -8280,7 +8288,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.8/policy/modules/services/dbus.if --- nsaserefpolicy/policy/modules/services/dbus.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-01-08 15:14:32.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/dbus.if 2008-01-14 14:18:38.000000000 -0500 @@ -50,6 +50,12 @@ ## # @@ -8341,12 +8349,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus class dbus send_msg; ') -@@ -202,9 +224,16 @@ +@@ -201,10 +223,19 @@ + # SE-DBus specific permissions allow $1_dbusd_system_t { system_dbusd_t self }:dbus send_msg; - -+ read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t) ++ allow $2 { system_dbusd_t $2 }:dbus send_msg; + ++ read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t) ++ files_search_var_lib($2) + # For connecting to the bus files_search_pids($2) stream_connect_pattern($2,system_dbusd_var_run_t,system_dbusd_var_run_t,system_dbusd_t) @@ -8358,7 +8369,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ####################################### -@@ -236,14 +265,16 @@ +@@ -236,14 +267,16 @@ class dbus send_msg; ') @@ -8378,7 +8389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ') ######################################## -@@ -271,6 +302,60 @@ +@@ -271,6 +304,60 @@ allow $2 $1_dbusd_t:dbus send_msg; ') @@ -8439,7 +8450,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus ######################################## ## ## Read dbus configuration. -@@ -286,6 +371,7 @@ +@@ -286,6 +373,7 @@ type dbusd_etc_t; ') 
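Review bot: The new `allow $2 { system_dbusd_t $2 }:dbus send_msg;` and the `read_files_pattern($2,system_dbusd_var_lib_t,system_dbusd_var_lib_t)` / `files_search_var_lib($2)` lines are added to the system-bus client template without a comment, while the rules around them carry `# SE-DBus specific permissions` and `# For connecting to the bus`. Every domain instantiating this template now gets read access to all of system_dbusd_var_lib_t, presumably only for the machine-id file; if so, a comment such as `# read /var/lib/dbus (machine-id)` above the read_files_pattern line and `# message the daemon itself and our own domain` above the send_msg rule would let a later reader judge whether the grant is still as narrow as intended. The enclosing template begins before this hunk.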
@@ -8447,7 +8458,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus allow $1 dbusd_etc_t:file read_file_perms; ') -@@ -346,3 +432,55 @@ +@@ -346,3 +434,55 @@ allow $1 system_dbusd_t:dbus *; ') @@ -10719,7 +10730,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi # diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.0.8/policy/modules/services/networkmanager.fc --- nsaserefpolicy/policy/modules/services/networkmanager.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2007-12-31 08:48:19.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/networkmanager.fc 2008-01-14 09:31:26.000000000 -0500 @@ -1,7 +1,9 @@ /usr/s?bin/NetworkManager -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) /usr/s?bin/wpa_supplicant -- gen_context(system_u:object_r:NetworkManager_exec_t,s0) @@ -10729,7 +10740,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw /var/run/NetworkManager(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant(/.*)? gen_context(system_u:object_r:NetworkManager_var_run_t,s0) /var/run/wpa_supplicant-global -s gen_context(system_u:object_r:NetworkManager_var_run_t,s0) -+/var/log/wpa_supplicant.log -- gen_context(system_u:object_r:NetworkManager_log_t,s0) ++/var/log/wpa_supplicant.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.if serefpolicy-3.0.8/policy/modules/services/networkmanager.if --- nsaserefpolicy/policy/modules/services/networkmanager.if 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/networkmanager.if 2007-12-31 08:56:04.000000000 -0500 
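Review bot: The replacement entry `+/var/log/wpa_supplicant.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)` still leaves the dot before `log` unescaped, so it matches names like `wpa_supplicantXlog` as well; the rest of the policy's .fc files escape literal dots (for example `hotplug\.functions` in corecommands.fc). Suggest `/var/log/wpa_supplicant\.log.* -- gen_context(system_u:object_r:NetworkManager_log_t,s0)`. Since `.*` may be empty the new pattern still covers the unrotated `wpa_supplicant.log` as well as rotated copies, which appears to be the purpose of the change.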
@@ -12855,7 +12866,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samb /var/run/samba/brlock\.tdb -- gen_context(system_u:object_r:smbd_var_run_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.if serefpolicy-3.0.8/policy/modules/services/samba.if --- nsaserefpolicy/policy/modules/services/samba.if 2007-10-22 13:21:36.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-01-08 13:38:54.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/samba.if 2008-01-14 10:34:31.000000000 -0500 @@ -332,6 +332,25 @@ ######################################## @@ -13543,7 +13554,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send +') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.0.8/policy/modules/services/sendmail.te --- nsaserefpolicy/policy/modules/services/sendmail.te 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2007-12-31 15:41:55.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/sendmail.te 2008-01-14 11:54:37.000000000 -0500 @@ -20,19 +20,22 @@ mta_mailserver_delivery(sendmail_t) mta_mailserver_sender(sendmail_t) @@ -13580,7 +13591,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send corenet_all_recvfrom_unlabeled(sendmail_t) corenet_all_recvfrom_netlabel(sendmail_t) -@@ -66,6 +72,8 @@ +@@ -66,10 +72,13 @@ fs_getattr_all_fs(sendmail_t) fs_search_auto_mountpoints(sendmail_t) @@ -13589,7 +13600,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send term_dontaudit_use_console(sendmail_t) # for piping mail to a command -@@ -94,30 +102,34 @@ + corecmd_exec_shell(sendmail_t) ++corecmd_exec_bin(sendmail_t) + + domain_use_interactive_fds(sendmail_t) + +@@ -94,30 +103,34 @@ miscfiles_read_certs(sendmail_t) miscfiles_read_localization(sendmail_t) 
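Review bot: `+corecmd_exec_bin(sendmail_t)` lets sendmail_t execute any bin_t program in its own domain, a much broader grant than the `corecmd_exec_shell(sendmail_t)` it is placed under, and the existing `# for piping mail to a command` comment now silently covers both. If a particular delivery program prompted this, name it in a comment, e.g. `# for piping mail to a command (shell plus helper binaries, e.g. <program>)`, so the grant can be revisited later; where the target is a mailer that already has its own domain, a domtrans interface keeps the executed program out of sendmail_t. The surrounding block continues outside this hunk.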
@@ -13630,7 +13646,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send ') optional_policy(` -@@ -131,28 +143,33 @@ +@@ -131,28 +144,33 @@ ') optional_policy(` @@ -13908,6 +13924,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/soun seutil_sigchld_newrole(soundd_t) ') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.fc serefpolicy-3.0.8/policy/modules/services/spamassassin.fc +--- nsaserefpolicy/policy/modules/services/spamassassin.fc 2007-10-22 13:21:36.000000000 -0400 ++++ serefpolicy-3.0.8/policy/modules/services/spamassassin.fc 2008-01-14 11:58:07.000000000 -0500 +@@ -11,6 +11,7 @@ + + /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + /var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) ++/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0) + + /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) + /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/spamassassin.if serefpolicy-3.0.8/policy/modules/services/spamassassin.if --- nsaserefpolicy/policy/modules/services/spamassassin.if 2007-10-22 13:21:39.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/spamassassin.if 2008-01-04 09:49:16.000000000 -0500 @@ -14586,12 +14613,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/teln -') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.fc serefpolicy-3.0.8/policy/modules/services/tftp.fc --- nsaserefpolicy/policy/modules/services/tftp.fc 2007-10-22 13:21:39.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/services/tftp.fc 2007-12-02 21:15:34.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/services/tftp.fc 2008-01-14 12:49:42.000000000 -0500 
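Review bot: `+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)` labels a spool directory with the runtime type, while the adjacent `/var/spool/spamassassin(/.*)?` and `/var/spool/spamd(/.*)?` entries use `spamd_spool_t`. If this directory only ever holds the milter's socket and pid and the var_run type was chosen so the existing socket rules apply, a short comment such as `# milter-regex keeps its socket under /var/spool` would stop the next reader from "fixing" it; otherwise `spamd_spool_t` is the consistent choice.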
@@ -4,3 +4,4 @@ /tftpboot -d gen_context(system_u:object_r:tftpdir_t,s0) /tftpboot/.* gen_context(system_u:object_r:tftpdir_t,s0) -+/var/lib/tftp(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) ++/var/lib/tftpboot(/.*)? gen_context(system_u:object_r:tftpdir_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/tftp.te serefpolicy-3.0.8/policy/modules/services/tftp.te --- nsaserefpolicy/policy/modules/services/tftp.te 2007-10-22 13:21:36.000000000 -0400 +++ serefpolicy-3.0.8/policy/modules/services/tftp.te 2007-12-02 21:15:34.000000000 -0500 @@ -17006,7 +17033,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/iscsi. diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.0.8/policy/modules/system/libraries.fc --- nsaserefpolicy/policy/modules/system/libraries.fc 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2007-12-27 11:39:05.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/libraries.fc 2008-01-14 12:58:26.000000000 -0500 @@ -65,11 +65,15 @@ /opt/(.*/)?java/.+\.jar -- gen_context(system_u:object_r:lib_t,s0) /opt/(.*/)?jre.*/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
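Review bot: The entry is changed from `/var/lib/tftp(/.*)?` to `/var/lib/tftpboot(/.*)?` rather than adding the second path, so a system that serves from `/var/lib/tftp` loses its tftpdir_t labelling. If both layouts exist, the single pattern `/var/lib/tftp(boot)?(/.*)? gen_context(system_u:object_r:tftpdir_t,s0)` covers them; if the old path was simply a typo, the changelog line about /var/lib/tftpboot already records that and nothing more is needed.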
@@ -17055,7 +17082,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/X11R6/lib/libGL\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/X11R6/lib/libXvMCNVIDIA\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -223,6 +232,7 @@ +@@ -142,6 +151,8 @@ + /usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xorg/modules/extensions/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xorg/modules/drivers/fglrx_drv\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) ++ + /usr/lib(64)?/xorg/modules/drivers/nvidia_drv\.o -- gen_context(system_u:object_r:textrel_shlib_t,s0) + /usr/lib(64)?/xorg/modules/extensions/nvidia(-[^/]*)?/libglx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0) + +@@ -223,6 +234,7 @@ /usr/lib(64)?/libmp3lame\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) # Flash plugin, Macromedia @@ -17063,7 +17099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar HOME_DIR/\.mozilla(/.*)?/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) HOME_DIR/.*/plugins/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0) -@@ -236,6 +246,8 @@ +@@ -236,6 +248,8 @@ /usr/lib(64)?/libdivxdecore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) /usr/lib(64)?/libdivxencore\.so\.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0) 
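Review bot: `+/usr/lib(64)?/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)` puts another library into textrel_shlib_t, the type that permits execmod for text relocations, so it relaxes the no-writable-executable-memory rule for that one file; that is what the type is for, but none of the surrounding entries say which driver package ships the file. Presumably this is the GLES module shipped with the `fglrx_drv\.so` driver listed just above it; a one-line comment such as `# fglrx GLES module (needs text relocations)` above the entry would record why execmod is being granted. The extra blank line the hunk adds after it appears unintentional and can be dropped.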
@@ -17072,7 +17108,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar /usr/lib(64)?/python2.4/site-packages/M2Crypto/__m2crypto.so -- gen_context(system_u:object_r:textrel_shlib_t,s0) # vmware -@@ -284,3 +296,14 @@ +@@ -284,3 +298,14 @@ /var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0) /var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0) @@ -18063,7 +18099,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. -/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.8/policy/modules/system/mount.te --- nsaserefpolicy/policy/modules/system/mount.te 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/mount.te 2007-12-31 11:02:48.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/mount.te 2008-01-14 10:34:46.000000000 -0500 @@ -8,6 +8,13 @@ ## @@ -18178,7 +18214,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. ') optional_policy(` -@@ -180,17 +195,17 @@ +@@ -180,17 +195,18 @@ ') ') @@ -18197,10 +18233,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount. optional_policy(` - nscd_socket_use(mount_t) + samba_domtrans_smbmount(mount_t) ++ samba_read_config(mount_t) ') ######################################## -@@ -201,4 +216,29 @@ +@@ -201,4 +217,29 @@ optional_policy(` files_etc_filetrans_etc_runtime(unconfined_mount_t,file) unconfined_domain(unconfined_mount_t) 
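Review bot: `+ samba_read_config(mount_t)` joins `samba_domtrans_smbmount(mount_t)` in an optional_policy block that begins before this hunk, with no comment on why mount itself, rather than the smbmount domain it transitions to, needs smb.conf. If the CIFS mount helper consults smb.conf for defaults before the transition, a comment such as `# mount.cifs reads smb.conf before handing off to smbmount` would document that; since smb.conf can point at credential files, it is worth confirming mount_t needs only the configuration and not samba's secrets.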
@@ -19710,7 +19747,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400 -+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-08 15:13:25.000000000 -0500 ++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2008-01-14 09:59:37.000000000 -0500 @@ -29,8 +29,9 @@ ') @@ -19955,9 +19992,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo - tunable_policy(`use_nfs_home_dirs',` - fs_exec_nfs_files($1_t) + tunable_policy(`allow_$1_exec_content', ` -+ can_exec($1_usertype,$1_home_t) ++ can_exec($1_usertype,$1_home_type) + ',` -+ dontaudit $1_usertype $1_home_t:file execute; ++ dontaudit $1_usertype $1_home_type:file execute; ') - tunable_policy(`use_samba_home_dirs',` diff --git a/selinux-policy.spec b/selinux-policy.spec index 06ca623..c3cbc43 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.0.8 -Release: 75%{?dist} +Release: 76%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -381,6 +381,14 @@ exit 0 %endif %changelog +* Mon Jan 14 2008 Dan Walsh 3.0.8-76 +- Fix filecontext for networkmanagerlog files +- Allow mount to read samba config +- Fix label of /var/lib/tftpboot +- Fix label of /usr/lib(64)?/xorg/modules/glesx.so +- Fix label on /etc/NetworkManager/dispatcher.d/* +- Allow httpd to send dbus messages + * Thu Jan 3 2008 Dan Walsh 3.0.8-75 - Alow postgrey to read postfix_etc_t - Lots of fixes to get javaplugin to run under xguest
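Review bot: The replacement `tunable_policy(`allow_$1_exec_content', ` can_exec($1_usertype,$1_home_type) ',` dontaudit $1_usertype $1_home_type:file execute; ')` drops the `use_nfs_home_dirs` branch that granted `fs_exec_nfs_files($1_t)`, and the removed `use_samba_home_dirs` branch is cut off at the end of the hunk; unless those are re-added elsewhere, users whose home directory is on NFS or CIFS can no longer execute files there even with the tunable on, since `$1_home_type` presumably covers only the locally labelled home types. Widening from `$1_home_t` to the `$1_home_type` attribute also means the tunable now governs every file type under the user's home rather than just $1_home_t, which deserves a comment above the block, e.g. `# allow_$1_exec_content: let the user execute any of their home-directory file types`. The tunable must be declared with gen_tunable outside this hunk, and the enclosing template starts before it.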