From 9a5467ea06bcfd051ae63762953a2929494b9432 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Nov 19 2007 22:05:03 +0000 Subject: - Allow nmbd to list inotifyfs_t - Dontaudit consolekit access to user homedir - dontaudit nscd getserv and shmemserv - Allow rsync_t dac overrides - Allow xfs_t to listen to sockets
---
diff --git a/policy-20070703.patch b/policy-20070703.patch
index 4811bbe..a478ff6 100644
--- a/policy-20070703.patch
+++ b/policy-20070703.patch
@@ -838,7 +838,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/man/ru/man8/ypbind_selinux.8
 +selinux(8), ypbind(8), chcon(1), setsebool(8)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/flask/access_vectors serefpolicy-3.0.8/policy/flask/access_vectors
 --- nsaserefpolicy/policy/flask/access_vectors 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/flask/access_vectors 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/flask/access_vectors 2007-11-19 16:57:52.000000000 -0500
 @@ -639,6 +639,8 @@
 send
 recv
@@ -10198,17 +10198,26 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nscd.if serefpolicy-3.0.8/policy/modules/services/nscd.if
 --- nsaserefpolicy/policy/modules/services/nscd.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/nscd.if 2007-11-19 16:32:18.000000000 -0500
-@@ -77,7 +77,7 @@
++++ serefpolicy-3.0.8/policy/modules/services/nscd.if 2007-11-19 17:03:29.000000000 -0500
+@@ -70,14 +70,15 @@
+ interface(`nscd_socket_use',`
+ gen_require(`
+ type nscd_t, nscd_var_run_t;
+- class nscd { getpwd getgrp gethost shmempwd shmemgrp shmemhost };
++ class nscd { getserv getpwd getgrp gethost shmempwd shmemgrp shmemhost shmemserv };
+ ')
+
+ allow $1 self:unix_stream_socket create_socket_perms;
 allow $1 nscd_t:nscd { getpwd getgrp gethost };
 dontaudit $1 nscd_t:fd use;
 - dontaudit $1 nscd_t:nscd { shmempwd shmemgrp shmemhost };
-+ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv };
++ dontaudit $1 nscd_t:nscd { getserv shmempwd shmemgrp shmemhost shmemserv};
++ files_search_pids($1)
 stream_connect_pattern($1,nscd_var_run_t,nscd_var_run_t,nscd_t)
-@@ -204,3 +204,22 @@
+@@ -204,3 +205,22 @@
 role $2 types nscd_t;
 dontaudit nscd_t $3:chr_file rw_term_perms;
 ')
@@ -18355,7 +18364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 /tmp/gconfd-USER -d gen_context(system_u:object_r:ROLE_tmp_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.0.8/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if 2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-19 15:21:25.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/userdomain.if 2007-11-19 16:54:02.000000000 -0500
 @@ -29,8 +29,9 @@
 ')
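Review bot: In `nscd_socket_use` the new `getserv` and `shmemserv` permissions go into the `dontaudit` rule while `getpwd getgrp gethost` stay in the `allow` rule, and nothing in the interface records why service lookups are denied silently rather than allowed. Because the rule is a dontaudit, every domain that calls this interface loses the AVC record for those two permissions, which makes a failing services lookup through nscd hard to trace from the audit log. I would put a comment above the rule, along the lines of `# getserv/shmemserv are deliberately denied without audit for interface callers` (reason to be filled in by the author). As a style point, the new set is written `shmemserv};` without the space before the closing brace that the other permission sets in the hunk use. The interface body continues past the end of the inner hunk, so any later rules are not visible here.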
@@ -20445,7 +20454,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/users/xguest.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets.spt serefpolicy-3.0.8/policy/support/obj_perm_sets.spt
 --- nsaserefpolicy/policy/support/obj_perm_sets.spt 2007-10-22 13:21:43.000000000 -0400
-+++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/support/obj_perm_sets.spt 2007-11-19 16:59:48.000000000 -0500
 @@ -216,7 +216,7 @@
 define(`getattr_file_perms',`{ getattr }')
 define(`setattr_file_perms',`{ setattr }')
@@ -20463,7 +20472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/support/obj_perm_sets
 +define(`all_capabilities', `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control }
 +')
 +
-+define(`all_nscd_perms', `{ getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost } ')
++define(`all_nscd_perms', `{ getserv getpwd getgrp gethost getstat admin shmempwd shmemgrp shmemhost shmemserv } ')
 +define(`all_dbus_perms', `{ acquire_svc send_msg } ')
 +define(`all_passwd_perms', `{ passwd chfn chsh rootok crontab } ')
 +define(`all_association_perms', `{ sendto recvfrom setcontext polmatch } ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d883e02..f367870 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 57%{?dist}
+Release: 58%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
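Review bot: `all_nscd_perms` in obj_perm_sets.spt is a hand-maintained copy of the permissions of `class nscd`, and the access_vectors section of this commit shows only a timestamp change, so the matching `getserv`/`shmemserv` entries in the class definition cannot be checked from this diff. If the two lists disagree, the set either names a permission the class does not define or stops covering the whole class, and any domain granted this set (which also carries `admin`) picks up whatever is listed here. I would add a comment on the define, for example `# must list every permission of class nscd in policy/flask/access_vectors`, so the next permission added to the class is mirrored here. The neighbouring `all_*_perms` defines in the hunk have the same shape and would benefit from the same comment.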