- Merge upstream changes

- Add Xavier Toth patches
2008-09-18 14:19:06 +00:00 · 2008-09-18 14:19:06 +00:00 · 8d197ddd11
commit 8d197ddd11
parent b844bb281b
3 changed files with 119 additions and 95 deletions
--- a/modules-mls.conf
+++ b/modules-mls.conf
@ -161,7 +161,7 @@ netutils = base
 #
 # Virtual Private Networking client
 # 
-vpn = base
+vpn = module
 # Layer: admin
 # Module: su
@ -189,7 +189,7 @@ anaconda = base
 #
 # Automated backup program.
 # 
-amanda = base
+amanda = module
 # Layer: admin
 # Module: logrotate
@ -232,14 +232,14 @@ firstboot = base
 #
 # Digital Certificate Tracking
 # 
-certwatch = base
+certwatch = module
 # Layer: admin
 # Module: tmpreaper
 #
 # Manage temporary directory sizes and file ages
 # 
-tmpreaper = base
+tmpreaper = module
 # Layer: admin
 # Module: dmidecode
@ -253,7 +253,7 @@ dmidecode = base
 #
 # Policy for GNU Privacy Guard and related programs.
 # 
-gpg = base
+gpg = module
 # Layer: apps
 # Module: loadkeys
@ -267,7 +267,7 @@ loadkeys = base
 #
 # Web server log analysis
 # 
-webalizer = base
+webalizer = module
 # Layer: kernel
 # Module: bootloader
@ -288,7 +288,7 @@ storage = base
 #
 # Policy for NIS (YP) servers and clients
 # 
-nis = base
+nis = module
 # Layer: services
 # Module: distcc
@ -302,7 +302,7 @@ distcc = off
 #
 # Remote shell service.
 # 
-rshd = base
+rshd = module
 # Layer: services
 # Module: cpucontrol
@ -323,35 +323,35 @@ vbetool = base
 #
 # Berkeley internet name domain DNS server.
 # 
-bind = base
+bind = module
 # Layer: services
 # Module: canna
 #
 # Canna - kana-kanji conversion server
 # 
-canna = base
+canna = module
 # Layer: services
 # Module: uucp
 #
 # Unix to Unix Copy
 # 
-uucp = base
+uucp = module
 # Layer: services
 # Module: sasl
 #
 # SASL authentication server
 # 
-sasl = base
+sasl = module
 # Layer: services
 # Module: pegasus
 #
 # The Open Group Pegasus CIM/WBEM Server.
 # 
-pegasus = base
+pegasus = module
 # Layer: services
 # Module: cron
@ -374,7 +374,7 @@ sendmail = base
 # name  Service  Switch  daemon for resolving names
 # from Windows NT servers.
 # 
-samba = base
+samba = module
 # Layer: services
 # Module: dbus
@ -388,21 +388,21 @@ dbus = base
 #
 # Port of Apple Rendezvous multicast DNS
 # 
-howl = base
+howl = module
 # Layer: services
 # Module: postgresql
 #
 # PostgreSQL relational database
 # 
-postgresql = base
+postgresql = module
 # Layer: services
 # Module: snmp
 #
 # Simple network management protocol services
 # 
-snmp = base
+snmp = module
 # Layer: services
 # Module: remotelogin
@ -430,56 +430,56 @@ irqbalance = base
 #
 # Mailman is for managing electronic mail discussion and e-newsletter lists
 # 
-mailman = base
+mailman = module
 # Layer: services
 # Module: dbskk
 #
 # Dictionary server for the SKK Japanese input method system.
 # 
-dbskk = base
+dbskk = module
 # Layer: services
 # Module: ldap
 #
 # OpenLDAP directory server
 # 
-ldap = base
+ldap = module
 # Layer: services
 # Module: tftp
 #
 # Trivial file transfer protocol daemon
 # 
-tftp = base
+tftp = module
 # Layer: services
 # Module: portmap
 #
 # RPC port mapping service.
 # 
-portmap = base
+portmap = module
 # Layer: services
 # Module: arpwatch
 #
 # Ethernet activity monitor.
 # 
-arpwatch = base
+arpwatch = module
 # Layer: services
 # Module: dovecot
 #
 # Dovecot POP and IMAP mail server
 # 
-dovecot = base
+dovecot = module
 # Layer: services
 # Module: cups
 #
 # Common UNIX printing system
 # 
-cups = base
+cups = module
 # Layer: services
 # Module: networkmanager
@ -493,35 +493,35 @@ networkmanager = base
 #
 # Internet News NNTP server
 # 
-inn = base
+inn = module
 # Layer: services
 # Module: sysstat
 #
 # Policy for sysstat. Reports on various system states
 # 
-sysstat = base
+sysstat = module
 # Layer: services
 # Module: comsat
 #
 # Comsat, a biff server.
 # 
-comsat = base
+comsat = module
 # Layer: services
 # Module: squid
 #
 # Squid caching http proxy server
 # 
-squid = base
+squid = module
 # Layer: services
 # Module: zebra
 #
 # Zebra border gateway protocol network routing service
 # 
-zebra = base
+zebra = module
 # Layer: services
 # Module: xfs
@ -535,35 +535,35 @@ xfs = off
 #
 # KDE Talk daemon
 # 
-ktalk = base
+ktalk = module
 # Layer: services
 # Module: procmail
 #
 # Procmail mail delivery agent
 # 
-procmail = base
+procmail = module
 # Layer: services
 # Module: lpd
 #
 # Line printer daemon
 # 
-lpd = base
+lpd = module
 # Layer: services
 # Module: cyrus
 #
 # Cyrus is an IMAP service intended to be run on sealed servers
 # 
-cyrus = base
+cyrus = module
 # Layer: services
 # Module: rdisc
 #
 # Network router discovery daemon
 # 
-rdisc = base
+rdisc = module
 # Layer: services
 # Module: xserver
@ -584,21 +584,21 @@ nscd = base
 #
 # Point to Point Protocol daemon creates links in ppp networks
 # 
-ppp = base
+ppp = module
 # Layer: services
 # Module: ftp
 #
 # File transfer protocol service
 # 
-ftp = base
+ftp = module
 # Layer: services
 # Module: gpm
 #
 # General Purpose Mouse driver
 # 
-gpm = base
+gpm = module
 # Layer: services
 # Module: mta
@ -612,28 +612,28 @@ mta = base
 #
 # Postfix email server
 # 
-postfix = base
+postfix = module
 # Layer: services
 # Module: fetchmail
 #
 # Remote-mail retrieval and forwarding utility
 # 
-fetchmail = base
+fetchmail = module
 # Layer: services
 # Module: ntp
 #
 # Network time protocol daemon
 # 
-ntp = base
+ntp = module
 # Layer: services
 # Module: bluetooth
 #
 # Bluetooth tools and system services.
 # 
-bluetooth = base
+bluetooth = module
 # Layer: services
 # Module: hal
@ -647,7 +647,7 @@ hal = base
 #
 # mDNS/DNS-SD daemon implementing Apple ZeroConf architecture
 # 
-avahi = base
+avahi = module
 # Layer: services
 # Module: rpc
@ -661,35 +661,35 @@ rpc = base
 #
 # Apache web server
 # 
-apache = base
+apache = module
 # Layer: services
 # Module: rsync
 #
 # Fast incremental file transfer for synchronization
 # 
-rsync = base
+rsync = module
 # Layer: services
 # Module: automount
 #
 # Filesystem automounter service.
 # 
-automount = base
+automount = module
 # Layer: services
 # Module: kerberos
 #
 # MIT Kerberos admin and KDC
 # 
-kerberos = base
+kerberos = module
 # Layer: services
 # Module: dhcp
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
-dhcp = base
+dhcp = module
 # Layer: services
 # Module: ssh
@ -710,42 +710,42 @@ inetd = base
 #
 # Policy for MySQL
 # 
-mysql = base
+mysql = module
 # Layer: services
 # Module: dictd
 #
 # Dictionary daemon
 # 
-dictd = base
+dictd = module
 # Layer: services
 # Module: finger
 #
 # Finger user information service.
 # 
-finger = base
+finger = module
 # Layer: services
 # Module: radius
 #
 # RADIUS authentication and accounting server.
 # 
-radius = base
+radius = module
 # Layer: services
 # Module: spamassassin
 #
 # Filter used for removing unsolicited email.
 # 
-spamassassin = base
+spamassassin = module
 # Layer: services
 # Module: radvd
 #
 # IPv6 router advertisement daemon
 # 
-radvd = base
+radvd = module
 # Layer: services
 # Module: apm
@ -767,35 +767,35 @@ application = base
 #
 # Policy for TCP daemon.
 # 
-tcpd = base
+tcpd = module
 # Layer: services
 # Module: stunnel
 #
 # SSL Tunneling Proxy
 # 
-stunnel = base
+stunnel = module
 # Layer: services
 # Module: privoxy
 #
 # Privacy enhancing web proxy.
 # 
-privoxy = base
+privoxy = module
 # Layer: services
 # Module: cvs
 #
 # Concurrent versions system
 # 
-cvs = base
+cvs = module
 # Layer: services
 # Module: rlogin
 #
 # Remote login daemon
 # 
-rlogin = base
+rlogin = module
 # Layer: system
 # Module: application
@ -965,7 +965,7 @@ miscfiles = base
 #
 # TCP/IP encryption
 # 
-ipsec = base
+ipsec = module
 # Layer: apps
 # Module: java
@ -986,7 +986,7 @@ prelink = base
 #
 # locate executable
 # 
-slocate = base
+slocate = module
 # Layer: services
 # Module: logwatch
@ -1008,14 +1008,14 @@ setrans = base
 #
 # Policy for OPENVPN full-featured SSL VPN solution
 # 
-openvpn = base
+openvpn = module
 # Layer: services
 # Module: smartmon
 #
 # Smart disk monitoring daemon policy
 # 
-smartmon = base
+smartmon = module
 # Layer: system
 # Module: netlabel
@ -1023,14 +1023,14 @@ smartmon = base
 #
 # Basic netlabel types and interfaces.
 # 
-netlabel = base
+netlabel = module
 # Layer: services
 # Module: aide
 #
 # Policy for aide
 # 
-aide = base
+aide = module
 # Layer: service
 # Module: pcscd
@ -1131,16 +1131,31 @@ courier = module
 rpcbind = module
 # Layer: services
 # Module: xserver
 #
 # X windows login display manager
 # 
 xserver = module
 # Layer: apps
 # Module: wm
 #
 # X windows window manager
 # 
 wm = module
 # Layer: services
 # Module: virt
 #
 # Virtualization libraries
 # 
 virt = module
 # Layer: apps
 # Module: qemu
 #
 # Virtualization emulator 
 # 
 qemu = module
 # Layer: system
 # Module: brctl
 #
 # Utilities for configuring the linux ethernet bridge
 # 
 brctl = base
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -108,7 +108,7 @@ authlogin = base
 #
 # Filesystem automounter service.
 # 
-automount = base
+automount = module
 # Layer: services
 # Module: avahi
@ -331,7 +331,7 @@ devices = base
 #
 # Dynamic host configuration protocol (DHCP) server
 # 
-dhcp = base
+dhcp = module
 # Layer: services
 # Module: dictd
@ -374,7 +374,7 @@ domain = base
 #
 # Dovecot POP and IMAP mail server
 # 
-dovecot = base
+dovecot = module
 # Layer: apps
 # Module: gpg
@ -489,7 +489,7 @@ gnomeclock = module
 #
 # Hardware abstraction layer
 # 
-hal = module
+hal = base
 # Layer: services
 # Module: polkit
@ -741,7 +741,7 @@ modutils = base
 #
 # mono executable
 # 
-mono = base
+mono = module
 # Layer: system
 # Module: mount
@ -785,7 +785,6 @@ gpg = module
 # 
 mrtg = module
 # Layer: services
 # Module: mta
 #
@ -985,7 +984,7 @@ qmail = module
 #
 # File system quota management
 # 
-quota = off
+quota = base
 # Layer: system
 # Module: raid
@ -1027,7 +1026,7 @@ readahead = base
 #
 # X windows login display manager
 # 
-rhgb = base
+rhgb = module
 # Layer: services
 # Module: rdisc
@ -1041,7 +1040,7 @@ rdisc = module
 #
 # Policy for rshd, rlogind, and telnetd.
 # 
-remotelogin = module
+remotelogin = base
 # Layer: services
 # Module: ricci
@ -1446,7 +1445,7 @@ updfstab = base
 #
 # Virtual Private Networking client
 # 
-vpn = base
+vpn = module
 # Layer: admin
 # Module: vbetool
@ -1663,3 +1662,12 @@ snort = module
 #  high-performance memory object caching system
 # 
 memcached = module
 # Layer: system
 # Module: netlabel
 # Required in base
 #
 # Basic netlabel types and interfaces.
 # 
 netlabel = module
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -26600,7 +26600,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.if serefpolicy-3.5.8/policy/modules/services/ssh.if
 --- nsaserefpolicy/policy/modules/services/ssh.if	2008-08-07 11:15:11.000000000 -0400
-+++ serefpolicy-3.5.8/policy/modules/services/ssh.if	2008-09-17 08:49:09.000000000 -0400
+++ serefpolicy-3.5.8/policy/modules/services/ssh.if	2008-09-18 08:51:19.000000000 -0400
@@ -36,6 +36,7 @@
 	gen_require(`
 		attribute ssh_server;
@ -26660,15 +26660,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	corenet_all_recvfrom_unlabeled($1_ssh_t)
 	corenet_all_recvfrom_netlabel($1_ssh_t)
-@@ -115,6 +118,7 @@
+@@ -115,6 +118,8 @@
 	corenet_tcp_sendrecv_all_ports($1_ssh_t)
 	corenet_tcp_connect_ssh_port($1_ssh_t)
 	corenet_sendrecv_ssh_client_packets($1_ssh_t)
 +	corenet_tcp_bind_all_nodes($1_ssh_t)
 +	corenet_tcp_bind_all_unreserved_ports($1_ssh_t)
 	dev_read_urand($1_ssh_t)
-@@ -212,7 +216,7 @@
+@@ -212,7 +217,7 @@
 	ssh_basic_client_template($1, $2, $3)
@ -26677,7 +26678,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	type $1_ssh_agent_t;
 	application_domain($1_ssh_agent_t, ssh_agent_exec_t)
-@@ -240,9 +244,9 @@
+@@ -240,9 +245,9 @@
 	manage_sock_files_pattern($1_ssh_t, $1_ssh_tmpfs_t, $1_ssh_tmpfs_t)
 	fs_tmpfs_filetrans($1_ssh_t, $1_ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@ -26690,7 +26691,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Allow the ssh program to communicate with ssh-agent.
 	stream_connect_pattern($1_ssh_t, $1_ssh_agent_tmp_t, $1_ssh_agent_tmp_t, $1_ssh_agent_t)
-@@ -254,6 +258,8 @@
+@@ -254,6 +259,8 @@
 	userdom_use_unpriv_users_fds($1_ssh_t)
 	userdom_dontaudit_list_user_home_dirs($1,$1_ssh_t)
 	userdom_search_user_home_dirs($1,$1_ssh_t)
@ -26699,7 +26700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	# Write to the user domain tty.
 	userdom_use_user_terminals($1,$1_ssh_t)
 	# needs to read krb tgt
-@@ -282,21 +288,10 @@
+@@ -282,21 +289,10 @@
 	')
 	optional_policy(`
@ -26722,7 +26723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	##############################
 	#
 	# $1_ssh_agent_t local policy
-@@ -383,10 +378,6 @@
+@@ -383,10 +379,6 @@
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 	')
@ -26733,7 +26734,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	##############################
 	#
 	# $1_ssh_keysign_t local policy
-@@ -413,6 +404,25 @@
+@@ -413,6 +405,25 @@
 	')
 ')
@ -26759,7 +26760,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 #######################################
 ## <summary>
 ##	The template to define a ssh server.
-@@ -443,13 +453,14 @@
+@@ -443,13 +454,14 @@
 	type $1_var_run_t;
 	files_pid_file($1_var_run_t)
@ -26775,7 +26776,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	allow $1_t $1_devpts_t:chr_file { rw_chr_file_perms setattr getattr relabelfrom };
 	term_create_pty($1_t,$1_devpts_t)
-@@ -479,6 +490,10 @@
+@@ -479,6 +491,10 @@
 	corenet_tcp_bind_ssh_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
 	corenet_sendrecv_ssh_server_packets($1_t)
@ -26786,7 +26787,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	fs_dontaudit_getattr_all_fs($1_t)
-@@ -506,9 +521,14 @@
+@@ -506,9 +522,14 @@
 	userdom_dontaudit_relabelfrom_unpriv_users_ptys($1_t)
 	userdom_search_all_users_home_dirs($1_t)
@ -26801,7 +26802,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	tunable_policy(`use_samba_home_dirs',`
-@@ -517,11 +537,7 @@
+@@ -517,11 +538,7 @@
 	optional_policy(`
 		kerberos_use($1_t)
@ -26814,7 +26815,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 	optional_policy(`
-@@ -710,3 +726,22 @@
+@@ -710,3 +727,22 @@
 	dontaudit $1 sshd_key_t:file { getattr read };
 ')