diff --git a/policy-20070501.patch b/policy-20070501.patch index 123f5cd..bbdff07 100644 --- a/policy-20070501.patch +++ b/policy-20070501.patch @@ -1636,6 +1636,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files. + allow $1 root_t:dir rw_dir_perms; + allow $1 root_t:file { create getattr write }; +') +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-2.6.4/policy/modules/kernel/files.te +--- nsaserefpolicy/policy/modules/kernel/files.te 2007-04-23 09:35:56.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/kernel/files.te 2007-05-17 14:00:25.000000000 -0400 +@@ -54,6 +54,7 @@ + files_type(etc_t) + # compatibility aliases for removed types: + typealias etc_t alias automount_etc_t; ++typealias etc_t alias snmpd_etc_t; + + # + # etc_runtime_t is the type of various diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-2.6.4/policy/modules/kernel/filesystem.if --- nsaserefpolicy/policy/modules/kernel/filesystem.if 2007-03-26 16:24:09.000000000 -0400 +++ serefpolicy-2.6.4/policy/modules/kernel/filesystem.if 2007-05-08 09:59:33.000000000 -0400 @@ -3774,7 +3785,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ') diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-2.6.4/policy/modules/services/kerberos.te --- nsaserefpolicy/policy/modules/services/kerberos.te 2007-04-23 09:36:01.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-05-08 09:59:33.000000000 -0400 ++++ serefpolicy-2.6.4/policy/modules/services/kerberos.te 2007-05-18 08:58:24.000000000 -0400 @@ -5,6 +5,7 @@ # # Declarations @@ -3783,7 +3794,23 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb ## ##
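Review bot: The new `typealias etc_t alias snmpd_etc_t;` in the files.te hunk silently widens who may read snmpd's configuration: anything previously labeled snmpd_etc_t, which the companion snmp.fc hunk shows was /etc/snmp/snmpd.conf and snmptrapd.conf, now resolves to etc_t and is readable by every domain granted files_read_etc_files(). Those files commonly carry SNMP community strings and SNMPv3 passphrases, so this is a confidentiality regression rather than a pure cleanup, unless snmpd_etc_t was already exposed through whatever attribute files_config_file() puts on a type (not visible here, verify). The alias itself is needed so existing on-disk labels and third-party modules that gen_require() the old type keep loading, but the trade-off should be recorded next to it, e.g. `# snmpd_etc_t merged into etc_t: snmpd.conf is now readable by every etc_t reader`. If the secrets are meant to stay private to snmpd_t, keeping a distinct type is the alternative.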

-@@ -248,3 +249,36 @@ +@@ -126,6 +127,7 @@ + miscfiles_read_localization(kadmind_t) + + sysnet_read_config(kadmind_t) ++sysnet_use_ldap(kadmind_t) + + userdom_dontaudit_use_unpriv_user_fds(kadmind_t) + userdom_dontaudit_search_sysadm_home_dirs(kadmind_t) +@@ -227,6 +229,7 @@ + miscfiles_read_localization(krb5kdc_t) + + sysnet_read_config(krb5kdc_t) ++sysnet_use_ldap(krb5kdc_t) + + userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t) + userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t) +@@ -248,3 +251,36 @@ optional_policy(` udev_read_db(krb5kdc_t) ') 
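Review bot: `sysnet_use_ldap(kadmind_t)` and `sysnet_use_ldap(krb5kdc_t)` are added unconditionally, so every KDC and kadmind installation gains LDAP client access even though an LDAP backing store is an opt-in deployment choice; the surrounding context in the same hunk already wraps optional access in optional_policy(). Least privilege argues for gating these two calls behind a boolean declared with gen_tunable() in this module (a new name such as kerberos_use_ldap, documented in the tunable's comment) and a tunable_policy() block, or at minimum a comment stating that the access exists for the kdb LDAP plugin. As far as I recall sysnet_use_ldap() grants tcp connect to ldap_port_t plus read of net_conf_t; confirm the interface body before relying on that description. The enclosing outer hunk begins on an earlier line (the `## ##` context), but the kerberos.te hunks shown here are complete.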
@@ -5328,10 +5355,35 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar storage_raw_read_fixed_disk(fsdaemon_t) storage_raw_write_fixed_disk(fsdaemon_t) +diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-2.6.4/policy/modules/services/snmp.fc +--- nsaserefpolicy/policy/modules/services/snmp.fc 2006-11-16 17:15:20.000000000 -0500 ++++ serefpolicy-2.6.4/policy/modules/services/snmp.fc 2007-05-17 13:59:01.000000000 -0400 +@@ -1,11 +1,5 @@ + + # +-# /etc +-# +- +-/etc/snmp/snmp(trap)?d\.conf -- gen_context(system_u:object_r:snmpd_etc_t,s0) +- +-# + # /usr + # + /usr/sbin/snmp(trap)?d -- gen_context(system_u:object_r:snmpd_exec_t,s0) diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.te serefpolicy-2.6.4/policy/modules/services/snmp.te --- nsaserefpolicy/policy/modules/services/snmp.te 2007-05-07 10:32:44.000000000 -0400 -+++ serefpolicy-2.6.4/policy/modules/services/snmp.te 2007-05-08 09:59:33.000000000 -0400 -@@ -26,7 +26,7 @@ ++++ serefpolicy-2.6.4/policy/modules/services/snmp.te 2007-05-17 14:05:57.000000000 -0400 +@@ -9,9 +9,6 @@ + type snmpd_exec_t; + init_daemon_domain(snmpd_t,snmpd_exec_t) + +-type snmpd_etc_t; +-files_config_file(snmpd_etc_t) +- + type snmpd_log_t; + logging_log_file(snmpd_log_t) + +@@ -26,15 +23,13 @@ # Local policy # allow snmpd_t self:capability { dac_override kill net_admin sys_nice sys_tty_config }; 
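Review bot: Removing the `/etc/snmp/snmp(trap)?d\.conf` entry from snmp.fc and the `type snmpd_etc_t;` declaration from snmp.te leaves any remaining reference to snmpd_etc_t resolving through the compatibility alias to etc_t; if snmp.if (not in this hunk) has an interface that gen_require()s snmpd_etc_t and grants read on it, that interface will now hand out read access to all of etc_t instead of failing to build. Grep the module for snmpd_etc_t and either drop such interfaces or rewrite them as explicit files_read_etc_files() wrappers so the widening is visible. With the .fc line gone the two config files fall under the generic /etc(/.*)? rule, which is consistent with the alias, and on-disk files still carrying the old label need no relabel because the alias is resolved at policy load.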
@@ -5340,7 +5392,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp allow snmpd_t self:fifo_file rw_fifo_file_perms; allow snmpd_t self:unix_dgram_socket create_socket_perms; allow snmpd_t self:unix_stream_socket create_stream_socket_perms; -@@ -135,18 +135,19 @@ + allow snmpd_t self:tcp_socket create_stream_socket_perms; + allow snmpd_t self:udp_socket connected_stream_socket_perms; + +-allow snmpd_t snmpd_etc_t:file { getattr read }; +- + allow snmpd_t snmpd_log_t:file manage_file_perms; + logging_log_filetrans(snmpd_t,snmpd_log_t,file) + +@@ -135,18 +130,19 @@ optional_policy(` mta_read_config(snmpd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index e0b3c92..638cb08 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -17,7 +17,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 2.6.4 -Release: 6%{?dist} +Release: 7%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -359,6 +359,9 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Fri May 18 2007 Dan Walsh 2.6.4-7 +- Allow kerberos servers to use ldap for backing store + * Thu May 17 2007 Dan Walsh 2.6.4-6 - allow alsactl to read kernel state
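Review bot: Dropping `allow snmpd_t snmpd_etc_t:file { getattr read };` removes the only explicit permission in view for snmpd_t to read its own configuration; this is only safe if snmpd_t is granted etc_t reads elsewhere in snmp.te (files_read_etc_files(snmpd_t) or similar), which is outside this hunk, so confirm it before shipping or snmpd will start with a denial on snmpd.conf. A one-line comment at the removal site, `# snmpd.conf is etc_t; read via files_read_etc_files()`, would make the dependency visible to the next person touching the file. The following inner hunk header moves from -135,18 +135,19 to -135,18 +130,19, which matches the five lines deleted above it.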