Changeset 2774

Timestamp:

08/11/08 09:03:36 (4 months ago)

Author:

cpebenito

Message:

trunk: 3 patches from the fedora policy, cherry picked by David Hardeman.

Files:

• trunk/policy/modules/kernel/corenetwork.te.in (modified) (2 diffs)
• trunk/policy/modules/services/qmail.te (modified) (6 diffs)
• trunk/policy/modules/system/ipsec.if (modified) (1 diff)
• trunk/policy/modules/system/ipsec.te (modified) (2 diffs)
• trunk/policy/modules/system/iscsi.fc (modified) (1 diff)
• trunk/policy/modules/system/iscsi.te (modified) (3 diffs)
• trunk/policy/modules/system/sysnetwork.te (modified) (2 diffs)

trunk/policy/modules/kernel/corenetwork.te.in

@@ -1 +1 @@
-
-1.2.16
+ 1.2.17
-
-########################################
@@ -110 +110 @@
-network_port(isakmp, udp,500,s0)
-network_port(iscsi, tcp,3260,s0)
+network_port(isns, tcp,3205,s0, udp,3205,s0)
-network_port(jabber_client, tcp,5222,s0, tcp,5223,s0)
-network_port(jabber_interserver, tcp,5269,s0)

trunk/policy/modules/services/qmail.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -15 +15 @@
-
-type qmail_etc_t;
-typ
+config_fil
-
-type qmail_exec_t;
@@ -86 +86 @@
-libs_use_shared_libs(qmail_inject_t)
-
+miscfiles_read_localization(qmail_inject_t)
+
-qmail_read_config(qmail_inject_t)
-
@@ -101 +103 @@
-manage_files_pattern(qmail_local_t, qmail_alias_home_t, qmail_alias_home_t)
-
+can_exec(qmail_local_t, qmail_local_exec_t)
+
-allow qmail_local_t qmail_queue_exec_t:file read;
-
@@ -107 +111 @@
-kernel_read_system_state(qmail_local_t)
-
+corecmd_exec_bin(qmail_local_t)
-corecmd_exec_shell(qmail_local_t)
-
-files_read_etc_files(qmail_local_t)
-files_read_etc_runtime_files(qmail_local_t)
+
+auth_use_nsswitch(qmail_local_t)
+
+logging_send_syslog_msg(qmail_local_t)
-
-mta_append_spool(qmail_local_t)
@@ -155 +164 @@
-manage_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
-rw_fifo_files_pattern(qmail_queue_t, qmail_spool_t, qmail_spool_t)
+
+corecmd_exec_bin(qmail_queue_t)
+
+logging_send_syslog_msg(qmail_queue_t)
-
-optional_policy(`

trunk/policy/modules/system/ipsec.if

@@ -130 +130 @@
-
-        allow $1 ipsec_spd_t:association setcontext;
+')
+
+########################################
+## <summary>
+##      write the ipsec_var_run_t files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ipsec_write_pid',`
+        gen_require(`
+                type ipsec_var_run_t;
+        ')
+
+        files_search_pids($1)
+        write_files_pattern($1, ipsec_var_run_t, ipsec_var_run_t)
-')
-

trunk/policy/modules/system/ipsec.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -70 +70 @@
-read_lnk_files_pattern(ipsec_t,ipsec_key_file_t,ipsec_key_file_t)
-
-
-
-ipsec_var_run_t,
+
+
+ ipsec_var_run_t, 
-
-can_exec(ipsec_t, ipsec_mgmt_exec_t)

trunk/policy/modules/system/iscsi.fc

@@ -1 +1 @@
-/sbin/iscsid            --      gen_context(system_u:object_r:iscsid_exec_t,s0)
-
---
---
+
+
-/var/run/iscsid\.pid    --      gen_context(system_u:object_r:iscsi_var_run_t,s0)

trunk/policy/modules/system/iscsi.te

@@ -1 +1 @@
-
-1.4.0
+ 1.4.1
-
-########################################
@@ -30 +30 @@
-
-allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-
+signal 
-allow iscsid_t self:fifo_file { read write };
-allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -64 +64 @@
-corenet_tcp_connect_http_port(iscsid_t)
-corenet_tcp_connect_iscsi_port(iscsid_t)
+corenet_tcp_connect_isns_port(iscsid_t)
-
-dev_rw_sysfs(iscsid_t)

trunk/policy/modules/system/sysnetwork.te

@@ -1 +1 @@
-
-0
+1
-
-########################################
@@ -321 +321 @@
-
-optional_policy(`
+        ipsec_write_pid(ifconfig_t)
+')
+
+optional_policy(`
-        netutils_domtrans(dhcpc_t)
-')