From a384d73899c0a13cd10d7ba7ef41603634a69959 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Jan 09 2007 15:24:41 +0000 Subject: - Allow prelink when run from rpm to create tmp files Resolves: #221865 - Remove file_context for exportfs Resolves: #221181 - Allow spamassassin to create ~/.spamassissin Resolves: #203290 - Allow ssh access to the krb tickets - Allow sshd to change passwd - Stop newrole -l from working on non securetty Resolves: #200110 --- diff --git a/booleans-strict.conf b/booleans-strict.conf index 32deb34..ba35ade 100644 --- a/booleans-strict.conf +++ b/booleans-strict.conf @@ -218,3 +218,7 @@ allow_ptrace = false ## Control users use of ping and traceroute user_ping = true + +# Allow unlabeled packets to flow +# +allow_unlabeled_packets = true diff --git a/booleans-targeted.conf b/booleans-targeted.conf index b815e14..b3432a1 100644 --- a/booleans-targeted.conf +++ b/booleans-targeted.conf @@ -1,6 +1,6 @@ # Allow making anonymous memory executable, e.g.for runtime-code generation or executable stack. # -allow_execmem = false +allow_execmem = true # Allow making a modified private filemapping executable (text relocation). # @@ -8,7 +8,7 @@ allow_execmod = false # Allow making the stack executable via mprotect.Also requires allow_execmem. # -allow_execstack = false +allow_execstack = true # Allow ftpd to read cifs directories. # @@ -229,3 +229,7 @@ allow_daemons_dump_core = true # Allow mount command to mounton any directory # allow_mounton_anydir = true + +# Allow unlabeled packets to flow +# +allow_unlabeled_packets = true diff --git a/selinux-policy.spec b/selinux-policy.spec index 62f0116..c6829fd 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec 
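Review bot: The new `allow_unlabeled_packets = true` default at the end of booleans-strict.conf, and the identical hunk at the end of booleans-targeted.conf, is not mentioned in the commit subject or the new %changelog entry. Its comment says only that unlabeled packets may flow. For the strict policy in particular, a maintainer will want to know why the permissive value is the default. Presumably it keeps networking working on hosts with no packet-labeling rules, but that is an inference to confirm. If so, a comment along the lines of `# Allow unlabeled packets to flow (set to false to require labeled packets)` would state it. The added comment also uses a single `#` where the preceding entry in booleans-strict.conf uses `##`.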
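Review bot: The flips of `allow_execmem` and `allow_execstack` from false to true in booleans-targeted.conf (hunks at lines 1 and 8) relax the default executable-memory and executable-stack checks for the targeted policy. Neither the commit subject nor the new 2.5.1-1 changelog entry mentions them. `allow_execmod` stays false in the same file, so the three related booleans now have mixed defaults with no stated reason. I would add a changelog line such as `- Turn on allow_execmem and allow_execstack in targeted policy` with the bug it resolves. I would also add a sentence to each boolean's comment saying why the default is permissive.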
@@ -16,12 +16,12 @@ %define CHECKPOLICYVER 1.30.11-1 Summary: SELinux policy configuration Name: selinux-policy -Version: 2.4.6 -Release: 21%{?dist} +Version: 2.5.1 +Release: 1%{?dist} License: GPL Group: System Environment/Base Source: serefpolicy-%{version}.tgz -patch: policy-20061106.patch +patch: policy-20070102.patch Source1: modules-targeted.conf Source2: booleans-targeted.conf Source3: Makefile.devel @@ -33,6 +33,9 @@ Source9: modules-strict.conf Source10: booleans-strict.conf Source12: setrans-strict.conf Source13: policygentool +Source14: securetty_contexts-targeted +Source15: securetty_contexts-mls +Source16: securetty_contexts-strict Url: http://serefpolicy.sourceforge.net BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -99,6 +102,7 @@ touch %{buildroot}%{_sysconfdir}/selinux/%1/policy/policy.%{POLICYVER} \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/homedir_template \ touch %{buildroot}%{_sysconfdir}/selinux/%1/contexts/files/file_contexts.homedirs \ +install -m0644 ${RPM_SOURCE_DIR}/securetty_contexts-%1 %{buildroot}%{_sysconfdir}/selinux/%1/contexts/securetty_contexts \ install -m0644 ${RPM_SOURCE_DIR}/setrans-%1.conf %{buildroot}%{_sysconfdir}/selinux/%1/setrans.conf \ ln -sf ../devel/include %{buildroot}%{_usr}/share/selinux/%1 \ %nil @@ -120,6 +124,7 @@ ln -sf ../devel/include %{buildroot}%{_usr}/share/selinux/%1 \ %ghost %{_sysconfdir}/selinux/%1/policy/policy.* \ %dir %{_sysconfdir}/selinux/%1/contexts \ %config %{_sysconfdir}/selinux/%1/contexts/customizable_types \ +%config(noreplace) %{_sysconfdir}/selinux/%1/contexts/securetty_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/dbus_contexts \ %config %{_sysconfdir}/selinux/%1/contexts/default_contexts \ %config(noreplace) %{_sysconfdir}/selinux/%1/contexts/default_type \ 
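Review bot: `Source14`–`Source16` and the new `install -m0644 ${RPM_SOURCE_DIR}/securetty_contexts-%1 ...` line (hunk at 99) depend on three files, `securetty_contexts-targeted`, `-mls` and `-strict`, that this diff does not add. If they are not committed separately, the install macro fails for every policy type, so it is worth confirming they are tracked alongside the spec. A one-line comment above the Source lines would help, for example `# TTYs from which newrole -l is permitted, one file per policy type`. It would tie the new sources to the "Stop newrole -l from working on non securetty" change in the description.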
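Review bot: Marking `securetty_contexts` as `%config(noreplace)` (hunk at 120) means a locally edited copy is kept on upgrade and the packaged version lands beside it as `.rpmnew`. Later corrections to the shipped secure-TTY list would therefore not take effect on hosts that changed the file. The neighbouring `customizable_types` and `default_contexts` entries use plain `%config`, so the choice looks deliberate but is not explained. I would add a short comment such as `# noreplace: admins may add local ttys; review .rpmnew after upgrades`, or switch to `%config` if packaged updates should win.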
@@ -160,6 +165,7 @@ fi; %description SELinux Reference Policy - modular. +Based off of reference policy: Checked out revision 2175. %prep %setup -q -n serefpolicy-%{version} @@ -351,6 +357,23 @@ semodule -b base.pp -r bootloader -r clock -r dpkg -r fstools -r hotplug -r init %endif %changelog +* Mon Jan 8 2007 Dan Walsh 2.5.1-1 +- Allow prelink when run from rpm to create tmp files +Resolves: #221865 +- Remove file_context for exportfs +Resolves: #221181 +- Allow spamassassin to create ~/.spamassissin +Resolves: #203290 +- Allow ssh access to the krb tickets +- Allow sshd to change passwd +- Stop newrole -l from working on non securetty +Resolves: #200110 + + +* Wed Jan 3 2007 Dan Walsh 2.4.6-22 +- Fixes to run prelink in MLS machine +Resolves: #221233 + * Tue Jan 29 2007 Dan Walsh 2.4.6-21 - Allow spamassassin to read var_lib_t dir Resolves: #219234