- Add setrans contains from upstream

This commit is contained in:
Daniel J Walsh 2009-02-09 22:07:20 +00:00
parent 4ed140a4b7
commit bd0db4f147
4 changed files with 148 additions and 50 deletions

View File

@ -159,3 +159,4 @@ serefpolicy-3.6.1.tgz
serefpolicy-3.6.2.tgz
serefpolicy-3.6.3.tgz
serefpolicy-3.6.4.tgz
serefpolicy-3.6.5.tgz

View File

@ -284,8 +284,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man
You must set the allow_kerberos boolean to allow your system to work properly in a Kerberos environment.
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/man/man8/nfs_selinux.8 serefpolicy-3.6.4/man/man8/nfs_selinux.8
--- nsaserefpolicy/man/man8/nfs_selinux.8 2008-08-07 11:15:14.000000000 -0400
+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8 2009-02-03 22:57:28.000000000 -0500
@@ -26,5 +26,5 @@
+++ serefpolicy-3.6.4/man/man8/nfs_selinux.8 2009-02-09 10:19:24.000000000 -0500
@@ -1,14 +1,12 @@
-.TH "nfs_selinux" "8" "17 Jan 2005" "dwalsh@redhat.com" "nfs Selinux Policy documentation"
+.TH "nfs_selinux" "8" "9 Feb 2009" "dwalsh@redhat.com" "NFS SELinux Policy documentation"
.SH "NAME"
nfs_selinux \- Security Enhanced Linux Policy for NFS
.SH "DESCRIPTION"
-Security-Enhanced Linux secures the nfs server via flexible mandatory access
+Security Enhanced Linux secures the NFS server via flexible mandatory access
control.
.SH BOOLEANS
-SELinux policy is customizable based on least access required. So by
-default SElinux policy does not allow nfs to share files. If you want to
-setup this machine to share nfs partitions read only, you must set the boolean nfs_export_all_ro boolean.
+SELinux policy is customizable based on the least level of access required. By default, SELinux policy does not allow NFS to share files. If you want to share NFS partitions, and only allow read-only access to those NFS partitions, turn the nfs_export_all_ro boolean on:
.TP
setsebool -P nfs_export_all_ro 1
@@ -18,7 +16,10 @@
setsebool -P nfs_export_all_rw 1
.TP
-If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dir boolean.
+These booleans are not required when files to be shared are labeled with the public_content_t or public_content_rw_t types. NFS can share files labeled with the public_content_t or public_content_rw_t types even if the nfs_export_all_ro and nfs_export_all_rw booleans are off.
+
+.TP
+If you want to use a remote NFS server for the home directories on this machine, you must set the use_nfs_home_dirs boolean:
.TP
setsebool -P use_nfs_home_dirs 1
.TP
@@ -26,5 +27,5 @@
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
@ -712,7 +742,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.6.4/policy/modules/admin/rpm.fc
--- nsaserefpolicy/policy/modules/admin/rpm.fc 2008-08-07 11:15:13.000000000 -0400
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-05 13:41:50.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/admin/rpm.fc 2009-02-09 15:39:27.000000000 -0500
@@ -3,6 +3,7 @@
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
@ -731,7 +761,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/share/yumex/yumex -- gen_context(system_u:object_r:rpm_exec_t,s0)
ifdef(`distro_redhat', `
@@ -21,14 +23,17 @@
@@ -21,14 +23,18 @@
/usr/sbin/pup -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
@ -745,6 +775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
-
-/var/log/rpmpkgs.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
/var/log/yum\.log.* -- gen_context(system_u:object_r:rpm_log_t,s0)
+/var/run/yum.* -- gen_context(system_u:object_r:rpm_var_run_t,s0)
+/var/run/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_run_t,s0)
@ -8884,7 +8915,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-06 16:08:00.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/apache.te 2009-02-09 15:59:54.000000000 -0500
@@ -19,6 +19,8 @@
# Declarations
#
@ -9105,7 +9136,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
+tunable_policy(`allow_httpd_mod_auth_pam',`
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+')
+
@ -9116,8 +9148,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
tunable_policy(`allow_httpd_mod_auth_pam',`
- auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`allow_httpd_mod_auth_pam',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
@ -9211,7 +9242,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
@@ -459,8 +575,13 @@
@@ -451,6 +567,10 @@
')
optional_policy(`
+ cvs_read_data(httpd_t)
+')
+
+optional_policy(`
cron_system_entry(httpd_t, httpd_exec_t)
')
@@ -459,8 +579,13 @@
')
optional_policy(`
@ -9227,7 +9269,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -472,18 +593,13 @@
@@ -468,22 +593,18 @@
mailman_domtrans_cgi(httpd_t)
# should have separate types for public and private archives
mailman_search_data(httpd_t)
+ mailman_read_data_files(httpd_t)
mailman_read_archive(httpd_t)
')
optional_policy(`
@ -9247,7 +9294,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -493,6 +609,12 @@
@@ -493,6 +614,12 @@
openca_kill(httpd_t)
')
@ -9260,7 +9307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
@@ -500,6 +622,7 @@
@@ -500,6 +627,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
@ -9268,7 +9315,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
')
@@ -508,6 +631,7 @@
@@ -508,6 +636,7 @@
')
optional_policy(`
@ -9276,7 +9323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
@@ -535,6 +659,22 @@
@@ -535,6 +664,22 @@
userdom_use_user_terminals(httpd_helper_t)
@ -9299,7 +9346,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# Apache PHP script local policy
@@ -564,20 +704,25 @@
@@ -564,20 +709,25 @@
fs_search_auto_mountpoints(httpd_php_t)
@ -9331,7 +9378,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
@@ -595,23 +740,24 @@
@@ -595,23 +745,24 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@ -9360,7 +9407,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
@@ -624,6 +770,7 @@
@@ -624,6 +775,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@ -9368,7 +9415,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
@@ -641,12 +788,19 @@
@@ -641,12 +793,19 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@ -9391,7 +9438,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -672,15 +826,14 @@
@@ -672,15 +831,14 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@ -9410,7 +9457,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -699,12 +852,24 @@
@@ -699,12 +857,24 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -9437,7 +9484,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -712,6 +877,35 @@
@@ -712,6 +882,35 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@ -9473,7 +9520,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
@@ -724,6 +918,10 @@
@@ -724,6 +923,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@ -9484,7 +9531,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -735,6 +933,8 @@
@@ -735,6 +938,8 @@
# httpd_rotatelogs local policy
#
@ -9493,7 +9540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
@@ -754,6 +954,12 @@
@@ -754,6 +959,12 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@ -9506,7 +9553,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
# allow accessing files/dirs below the users home dir
@@ -762,3 +968,66 @@
@@ -762,3 +973,66 @@
userdom_search_user_home_dirs(httpd_suexec_t)
userdom_search_user_home_dirs(httpd_user_script_t)
')
@ -11779,6 +11826,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+manage_files_pattern(cups_pdf_t, cupsd_log_t, cupsd_log_t)
+miscfiles_read_fonts(cups_pdf_t)
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.if serefpolicy-3.6.4/policy/modules/services/cvs.if
--- nsaserefpolicy/policy/modules/services/cvs.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/cvs.if 2009-02-09 16:00:34.000000000 -0500
@@ -15,7 +15,9 @@
type cvs_data_t;
')
- allow $1 cvs_data_t:file { getattr read };
+ list_dirs_pattern($1, cvs_data_t, cvs_data_t)
+ read_files_pattern($1, cvs_data_t, cvs_data_t)
+ read_lnk_files_pattern($1, cvs_data_t, cvs_data_t)
')
########################################
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.6.4/policy/modules/services/cvs.te
--- nsaserefpolicy/policy/modules/services/cvs.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/cvs.te 2009-02-03 22:57:29.000000000 -0500
@ -13170,7 +13231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ftp.te serefpolicy-3.6.4/policy/modules/services/ftp.te
--- nsaserefpolicy/policy/modules/services/ftp.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/ftp.te 2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/ftp.te 2009-02-09 09:53:23.000000000 -0500
@@ -26,7 +26,7 @@
## <desc>
## <p>
@ -13197,17 +13258,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(ftpd_t)
auth_domtrans_chk_passwd(ftpd_t)
@@ -223,6 +224,10 @@
@@ -222,8 +223,12 @@
userdom_manage_user_home_content_dirs(ftpd_t)
userdom_manage_user_home_content_files(ftpd_t)
userdom_manage_user_home_content_symlinks(ftpd_t)
userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
- userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
+
+ auth_read_all_dirs_except_shadow(ftpd_t)
+ auth_read_all_files_except_shadow(ftpd_t)
+ auth_read_all_symlinks_except_shadow(ftpd_t)
')
+userdom_user_home_dir_filetrans_user_home_content(ftpd_t, { dir file lnk_file })
tunable_policy(`ftp_home_dir && use_nfs_home_dirs',`
fs_manage_nfs_files(ftpd_t)
@@ -258,7 +263,9 @@
')
@ -14054,7 +14118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/usr/lib/mailman/mail/mailman -- gen_context(system_u:object_r:mailman_mail_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.if serefpolicy-3.6.4/policy/modules/services/mailman.if
--- nsaserefpolicy/policy/modules/services/mailman.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/mailman.if 2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/mailman.if 2009-02-09 15:34:52.000000000 -0500
@@ -31,6 +31,12 @@
allow mailman_$1_t self:tcp_socket create_stream_socket_perms;
allow mailman_$1_t self:udp_socket create_socket_perms;
@ -14076,7 +14140,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_exec_all_executables(mailman_$1_t)
@@ -209,6 +216,7 @@
@@ -191,6 +198,7 @@
')
read_files_pattern($1, mailman_data_t, mailman_data_t)
+ read_lnk_files_pattern($1, mailman_data_t, mailman_data_t)
')
#######################################
@@ -209,6 +217,7 @@
type mailman_data_t;
')
@ -14084,7 +14156,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_files_pattern($1, mailman_data_t, mailman_data_t)
')
@@ -250,6 +258,25 @@
@@ -250,6 +259,25 @@
#######################################
## <summary>
@ -18916,7 +18988,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.6.4/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-04 08:49:43.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/prelude.te 2009-02-09 15:50:22.000000000 -0500
@@ -13,25 +13,57 @@
type prelude_spool_t;
files_type(prelude_spool_t)
@ -18986,7 +19058,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
corecmd_search_bin(prelude_t)
corenet_all_recvfrom_unlabeled(prelude_t)
@@ -56,15 +91,24 @@
@@ -56,15 +91,25 @@
corenet_tcp_sendrecv_generic_if(prelude_t)
corenet_tcp_sendrecv_generic_node(prelude_t)
corenet_tcp_bind_generic_node(prelude_t)
@ -18997,6 +19069,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(prelude_t)
dev_read_urand(prelude_t)
+kernel_read_system_state(prelude_t)
+kernel_read_sysctl(prelude_t)
+
# Init script handling
@ -19011,7 +19084,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_use_nsswitch(prelude_t)
@@ -86,7 +130,7 @@
@@ -86,7 +131,7 @@
#
# prelude_audisp local policy
#
@ -19020,7 +19093,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
allow prelude_audisp_t self:fifo_file rw_file_perms;
allow prelude_audisp_t self:unix_stream_socket create_stream_socket_perms;
allow prelude_audisp_t self:unix_dgram_socket create_socket_perms;
@@ -107,6 +151,7 @@
@@ -107,6 +152,7 @@
corenet_tcp_sendrecv_generic_if(prelude_audisp_t)
corenet_tcp_sendrecv_generic_node(prelude_audisp_t)
corenet_tcp_bind_generic_node(prelude_audisp_t)
@ -19028,7 +19101,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
dev_read_rand(prelude_audisp_t)
dev_read_urand(prelude_audisp_t)
@@ -114,12 +159,134 @@
@@ -114,12 +160,135 @@
# Init script handling
domain_use_interactive_fds(prelude_audisp_t)
@ -19127,6 +19200,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+dev_read_rand(prelude_lml_t)
+dev_read_urand(prelude_lml_t)
+
+kernel_read_system_state(prelude_lml_t)
+kernel_read_sysctl(prelude_lml_t)
+
+files_list_etc(prelude_lml_t)
@ -19163,7 +19237,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
########################################
#
# prewikka_cgi Declarations
@@ -128,6 +295,20 @@
@@ -128,6 +297,20 @@
optional_policy(`
apache_content_template(prewikka)
files_read_etc_files(httpd_prewikka_script_t)
@ -20094,7 +20168,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.4/policy/modules/services/rpc.te
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:05:45.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/rpc.te 2009-02-09 09:51:37.000000000 -0500
@@ -23,7 +23,7 @@
gen_tunable(allow_nfsd_anon_write, false)
@ -20124,10 +20198,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`nfs_export_all_rw',`
fs_read_noxattr_fs_files(nfsd_t)
auth_manage_all_files_except_shadow(nfsd_t)
+ userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
+ dev_getattr_all_blk_files(nfsd_t)
+ dev_getattr_all_chr_files(nfsd_t)
')
+userdom_user_home_dir_filetrans_user_home_content(nfsd_t, { file dir })
tunable_policy(`nfs_export_all_ro',`
fs_read_noxattr_fs_files(nfsd_t)
@ -20172,7 +20246,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_write_login_records(rshd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.4/policy/modules/services/rsync.te
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/rsync.te 2009-02-03 22:57:29.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/rsync.te 2009-02-09 15:32:24.000000000 -0500
@@ -119,5 +119,9 @@
tunable_policy(`rsync_export_all_ro',`
@ -20614,7 +20688,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.6.4/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-07 07:19:23.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/services/samba.te 2009-02-09 10:49:17.000000000 -0500
@@ -66,6 +66,13 @@
## </desc>
gen_tunable(samba_share_nfs, false)
@ -20825,7 +20899,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
optional_policy(`
@@ -381,8 +426,10 @@
@@ -376,13 +421,15 @@
tunable_policy(`samba_create_home_dirs',`
allow smbd_t self:capability chown;
userdom_create_user_home_dirs(smbd_t)
- userdom_home_filetrans_user_home_dir(smbd_t)
')
+userdom_home_filetrans_user_home_dir(smbd_t)
tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
@ -20836,6 +20916,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
auth_read_all_files_except_shadow(nmbd_t)
')
@@ -391,8 +438,8 @@
auth_manage_all_files_except_shadow(smbd_t)
fs_read_noxattr_fs_files(nmbd_t)
auth_manage_all_files_except_shadow(nmbd_t)
- userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
')
+userdom_user_home_dir_filetrans_user_home_content(nmbd_t, { file dir })
########################################
#
@@ -454,6 +501,7 @@
dev_getattr_mtrr_dev(nmbd_t)
@ -21004,7 +21094,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`samba_run_unconfined',`
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
+', `
+',`
+ can_exec(smbd_t, samba_unconfined_script_exec_t)
')
-')
@ -28666,7 +28756,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm/mono.* gen_context(system_u:object_r:user_tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.4/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-01-19 11:07:34.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-08 17:11:31.000000000 -0500
+++ serefpolicy-3.6.4/policy/modules/system/userdomain.if 2009-02-09 11:05:11.000000000 -0500
@@ -30,8 +30,9 @@
')
@ -29664,9 +29754,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
# the same domain and outside users) disabling this forces FTP passive mode
# and may change other protocols
tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_node($1_t)
- corenet_tcp_bind_generic_port($1_t)
+ corenet_tcp_bind_all_unreserved_ports($1_t)
+ corenet_tcp_bind_all_nodes($1_usertype)
+ corenet_tcp_bind_all_unreserved_ports($1_usertype)
')
optional_policy(`

View File

@ -19,8 +19,8 @@
%define CHECKPOLICYVER 2.0.16-3
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.6.4
Release: 5%{?dist}
Version: 3.6.5
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@ -184,7 +184,7 @@ fi;
%description
SELinux Reference Policy - modular.
Based off of reference policy: Checked out revision 2907.
Based off of reference policy: Checked out revision 2908.
%build
@ -444,6 +444,12 @@ exit 0
%endif
%changelog
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.5-1
- Add setrans contains from upstream
* Mon Feb 9 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-6
- Do transitions outside of the booleans
* Sun Feb 8 2009 Dan Walsh <dwalsh@redhat.com> 3.6.4-5
- Allow xdm to create user_tmp_t sockets for switch user to work

View File

@ -1 +1 @@
5c9f2ee48dab2742927fb099740e9fbc serefpolicy-3.6.4.tgz
5911f8b7b5cd991b6367110b0617ac4c serefpolicy-3.6.5.tgz