rpms/selinux-policy/F-7 policy-20070501.patch, 1.41, 1.42 selinux-policy.spec, 1.481, 1.482

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Wed Aug 1 20:41:31 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4792

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Wed Aug 1 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-31
- Fix specification of nagios cgi scripts


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- policy-20070501.patch	31 Jul 2007 21:01:35 -0000	1.41
+++ policy-20070501.patch	1 Aug 2007 20:41:28 -0000	1.42
@@ -3020,7 +3020,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-07-31 16:50:17.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te	2007-08-01 16:31:44.000000000 -0400
 @@ -1,5 +1,5 @@
  
 -policy_module(apache,1.6.0)
@@ -3349,7 +3349,7 @@
  ')
  
  ########################################
-@@ -784,7 +890,25 @@
+@@ -784,7 +890,26 @@
  
  miscfiles_read_localization(httpd_rotatelogs_t)
  
@@ -3374,6 +3374,7 @@
 +
 +optional_policy(`
 +	dbus_system_bus_client_template(httpd,httpd_t)
++	dbus_send_system_bus(httpd_t)
 +	tunable_policy(`allow_httpd_dbus_avahi',`
 +		avahi_dbus_chat(httpd_t)
 +	')
@@ -3670,10 +3671,45 @@
  corenet_sendrecv_rndc_client_packets(ndc_t)
  
  fs_getattr_xattr_fs(ndc_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.fc serefpolicy-2.6.4/policy/modules/services/clamav.fc
+--- nsaserefpolicy/policy/modules/services/clamav.fc	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/clamav.fc	2007-08-01 11:30:20.000000000 -0400
+@@ -9,6 +9,8 @@
+ 
+ /var/run/amavis(d)?/clamd\.pid	--	gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/run/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamd\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
++/var/run/clamav\..*			gen_context(system_u:object_r:clamd_var_run_t,s0)
+ /var/lib/clamav(/.*)?			gen_context(system_u:object_r:clamd_var_lib_t,s0)
+ /var/log/clamav			-d	gen_context(system_u:object_r:clamd_var_log_t,s0)
+ /var/log/clamav/clamav.*	--	gen_context(system_u:object_r:clamd_var_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/clamav.te serefpolicy-2.6.4/policy/modules/services/clamav.te
 --- nsaserefpolicy/policy/modules/services/clamav.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/clamav.te	2007-07-31 16:39:53.000000000 -0400
-@@ -126,6 +126,7 @@
++++ serefpolicy-2.6.4/policy/modules/services/clamav.te	2007-08-01 11:29:40.000000000 -0400
+@@ -74,17 +74,19 @@
+ manage_files_pattern(clamd_t,clamd_var_lib_t,clamd_var_lib_t)
+ 
+ # log files
+-allow clamd_t clamd_var_log_t:dir setattr;
++manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
+ manage_files_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
+-logging_log_filetrans(clamd_t,clamd_var_log_t,file)
++logging_log_filetrans(clamd_t,clamd_var_log_t,{ dir file })
+ 
+ # pid file
++manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)
+ manage_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
+ manage_sock_files_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)
+-files_pid_filetrans(clamd_t,clamd_var_run_t,file)
++files_pid_filetrans(clamd_t,clamd_var_run_t,{ file dir })
+ 
+ kernel_dontaudit_list_proc(clamd_t)
+ kernel_read_sysctl(clamd_t)
++kernel_read_kernel_sysctls(clamd_t)
+ 
+ corenet_non_ipsec_sendrecv(clamd_t)
+ corenet_tcp_sendrecv_all_if(clamd_t)
+@@ -126,6 +128,7 @@
  	amavis_read_lib_files(clamd_t)
  	amavis_read_spool_files(clamd_t)
  	amavis_spool_filetrans(clamd_t,clamd_var_run_t,sock_file)
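Review bot: The `manage_dirs_pattern(clamd_t,clamd_var_log_t,clamd_var_log_t)` added under `# pid file` looks like a copy of the log-files line a few lines above and leaves the pid directory unmanaged: `files_pid_filetrans(clamd_t,clamd_var_run_t,{ file dir })` now lets clamd_t create directories labelled clamd_var_run_t under /var/run, but no rule granting clamd_t dir permissions on clamd_var_run_t appears in this hunk. The line should read `manage_dirs_pattern(clamd_t,clamd_var_run_t,clamd_var_run_t)`, which also removes the duplicate of the log-directory rule. The new clamav.fc entries `/var/run/clamd\..*` and `/var/run/clamav\..*` carry no file-type qualifier, so they apply to directories and regular files as well as sockets; if only the sockets are meant, `-s` narrows them.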
@@ -3681,7 +3717,7 @@
  ')
  
  ########################################
-@@ -213,6 +214,9 @@
+@@ -213,6 +216,9 @@
  read_files_pattern(clamscan_t,clamd_var_lib_t,clamd_var_lib_t)
  allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
  
@@ -3691,7 +3727,7 @@
  kernel_read_kernel_sysctls(clamscan_t)
  
  files_read_etc_files(clamscan_t)
-@@ -228,5 +232,13 @@
+@@ -228,5 +234,13 @@
  clamav_stream_connect(clamscan_t)
  
  optional_policy(`
@@ -4314,7 +4350,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-2.6.4/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dbus.if	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dbus.if	2007-08-01 16:31:15.000000000 -0400
 @@ -49,6 +49,12 @@
  ## </param>
  #
@@ -5426,6 +5462,20 @@
  	cron_dontaudit_write_pipes(system_mail_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc
+--- nsaserefpolicy/policy/modules/services/nagios.fc	2007-05-07 14:51:01.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/nagios.fc	2007-08-01 16:25:39.000000000 -0400
+@@ -4,8 +4,8 @@
+ /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
+ /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
+ 
+-/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+-/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
++/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
++/usr/lib(64)?/nagios/cgi(/.*)?		gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+ 
+ /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
+ /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/nagios.te	2007-07-31 16:39:53.000000000 -0400
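Review bot: Dropping the `--` qualifier from the two cgi entries labels the `cgi` and `netsaint` directories themselves, plus any subdirectory, symlink or data file beneath them, as nagios_cgi_exec_t, whereas the old patterns restricted the executable type to regular files. If the fix is about the directory, a separate `-d` entry for `/usr/lib(64)?/nagios/cgi` with the `--` restriction kept on `/usr/lib(64)?/nagios/cgi/.+` expresses that more precisely; the same applies to the netsaint entry. The nagios.te section at the end of this hunk is unchanged, so whether the domains that traverse these directories hold dir permissions on nagios_cgi_exec_t cannot be checked from this commit.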
@@ -6808,8 +6858,8 @@
  	fs_search_auto_mountpoints($1_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-2.6.4/policy/modules/services/rpc.te
 --- nsaserefpolicy/policy/modules/services/rpc.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/rpc.te	2007-07-31 16:39:53.000000000 -0400
-@@ -59,10 +59,13 @@
++++ serefpolicy-2.6.4/policy/modules/services/rpc.te	2007-08-01 13:05:59.000000000 -0400
+@@ -59,10 +59,14 @@
  manage_files_pattern(rpcd_t,rpcd_var_run_t,rpcd_var_run_t)
  files_pid_filetrans(rpcd_t,rpcd_var_run_t,file)
  
@@ -6819,11 +6869,12 @@
  kernel_search_network_state(rpcd_t) 
  # for rpc.rquotad
  kernel_read_sysctl(rpcd_t)  
++kernel_read_fs_sysctls(rpcd_t)  
 +kernel_getattr_core_if(nfsd_t)
  
  fs_list_rpc(rpcd_t)
  fs_read_rpc_files(rpcd_t)
-@@ -79,6 +82,7 @@
+@@ -79,6 +83,7 @@
  
  optional_policy(`
  	nis_read_ypserv_config(rpcd_t)
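Review bot: `kernel_read_fs_sysctls(rpcd_t)  ` is added with two trailing spaces, apparently copied from the `kernel_read_sysctl(rpcd_t)  ` line above it; the new line should not inherit that whitespace, `kernel_read_fs_sysctls(rpcd_t)`. The `kernel_getattr_core_if(nfsd_t)` line below sits in the rpcd_t block but predates this commit and is not changed here.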
@@ -6831,7 +6882,7 @@
  ')
  
  ########################################
-@@ -91,9 +95,13 @@
+@@ -91,9 +96,13 @@
  allow nfsd_t exports_t:file { getattr read };
  allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
  
@@ -6845,7 +6896,7 @@
  
  corenet_tcp_bind_all_rpc_ports(nfsd_t)
  corenet_udp_bind_all_rpc_ports(nfsd_t)
-@@ -123,6 +131,7 @@
+@@ -123,6 +132,7 @@
  tunable_policy(`nfs_export_all_rw',`
  	fs_read_noxattr_fs_files(nfsd_t) 
  	auth_manage_all_files_except_shadow(nfsd_t)
@@ -9686,13 +9737,12 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.fc serefpolicy-2.6.4/policy/modules/system/mount.fc
 --- nsaserefpolicy/policy/modules/system/mount.fc	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.fc	2007-07-31 16:39:53.000000000 -0400
-@@ -1,4 +1,3 @@
++++ serefpolicy-2.6.4/policy/modules/system/mount.fc	2007-08-01 16:38:21.000000000 -0400
+@@ -1,4 +1,2 @@
  /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
  /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 -
 -/usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
-+/sbin/mount.ntfs-3g		--	gen_context(system_u:object_r:mount_ntfs_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.if serefpolicy-2.6.4/policy/modules/system/mount.if
 --- nsaserefpolicy/policy/modules/system/mount.if	2007-05-07 14:51:02.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/system/mount.if	2007-07-31 16:39:53.000000000 -0400
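Review bot: The `/sbin/mount.ntfs-3g` entry is removed with no replacement, while the mount.te hunk later in this diff turns mount_ntfs_exec_t into an alias of mount_exec_t rather than dropping it. Unless the binary is labelled elsewhere, mount.ntfs-3g now receives whatever the default /sbin label is, and the `can_exec(mount_t, mount_exec_t)` rule presumably no longer covers it; if it is still meant to run as mount_t it needs `/sbin/mount\.ntfs-3g -- gen_context(system_u:object_r:mount_exec_t,s0)` (with the dot escaped, which the old entry also lacked).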
@@ -9739,7 +9789,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-2.6.4/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/mount.te	2007-08-01 16:40:38.000000000 -0400
 @@ -9,6 +9,13 @@
  ifdef(`targeted_policy',`
  ## <desc>
@@ -9754,21 +9804,20 @@
  ## Allow mount to mount any file
  ## </p>
  ## </desc>
-@@ -18,8 +25,13 @@
+@@ -18,8 +25,12 @@
  type mount_t;
  type mount_exec_t;
  init_system_domain(mount_t,mount_exec_t)
 +application_executable_file(mount_exec_t)
  role system_r types mount_t;
  
-+type mount_ntfs_t;
-+type mount_ntfs_exec_t;
-+init_system_domain(mount_ntfs_t, mount_ntfs_exec_t)
++typealias mount_t alias mount_ntfs_t;
++typealias mount_exec_t alias mount_ntfs_exec_t;
 +
  type mount_loopback_t; # customizable
  files_type(mount_loopback_t)
  
-@@ -38,7 +50,7 @@
+@@ -38,14 +49,15 @@
  #
  
  # setuid/setgid needed to mount cifs 
@@ -9776,7 +9825,16 @@
 +allow mount_t self:capability { fsetid ipc_lock sys_rawio sys_resource sys_admin dac_override chown sys_tty_config setuid setgid };
  
  allow mount_t mount_loopback_t:file read_file_perms;
- allow mount_t self:netlink_route_socket r_netlink_socket_perms;
+-allow mount_t self:netlink_route_socket r_netlink_socket_perms;
+ 
+ allow mount_t mount_tmp_t:file manage_file_perms;
+ allow mount_t mount_tmp_t:dir manage_dir_perms;
+ 
++auth_use_nsswitch(mount_t)
++
+ can_exec(mount_t, mount_exec_t)
+ 
+ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
 @@ -53,6 +65,8 @@
  kernel_read_system_state(mount_t)
  kernel_read_kernel_sysctls(mount_t)
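Review bot: The unconditional `allow mount_t self:netlink_route_socket r_netlink_socket_perms;` is removed and `auth_use_nsswitch(mount_t)` added, and the next hunk (`@@ -162,13 +183,8 @@` and `@@ -192,9 +208,6 @@`) drops `sysnet_dns_name_resolve`, `nis_use_ypbind` and `nscd_socket_use` for mount_t on the same basis. Whether auth_use_nsswitch supplies the netlink route socket permission is not visible in this diff, so it is worth confirming against auth.if before a NIS or nscd setup loses the rule; a one-line comment at the call site, `# dns, nis and nscd access for mount_t all come via auth_use_nsswitch`, would record why the explicit rules went away.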
@@ -9812,7 +9870,31 @@
  	')
  ')
  
-@@ -204,4 +225,65 @@
+@@ -162,13 +183,8 @@
+ 
+ 	fs_search_rpc(mount_t)
+ 
+-	sysnet_dns_name_resolve(mount_t)
+-
+ 	rpc_stub(mount_t)
+ 
+-	optional_policy(`
+-		nis_use_ypbind(mount_t)
+-	')
+ ')
+ 
+ optional_policy(`
+@@ -192,9 +208,6 @@
+ 	samba_domtrans_smbmount(mount_t)
+ ')
+ 
+-optional_policy(`
+-	nscd_socket_use(mount_t)
+-')
+ 
+ ########################################
+ #
+@@ -204,4 +217,30 @@
  ifdef(`targeted_policy',`
  	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
  	unconfined_domain(unconfined_mount_t)
@@ -9820,63 +9902,28 @@
 +		hal_dbus_chat(unconfined_mount_t)
 +	')
 +
- ')
++')
 +
 +########################################
 +#
-+# mount_ntfs local policy
++# ntfs local policy
 +#
-+mount_ntfs_domtrans(mount_t)
-+
-+allow mount_ntfs_t self:capability { dac_override setuid sys_admin };
-+allow mount_ntfs_t self:fifo_file { read write };
-+allow mount_ntfs_t self:unix_stream_socket create_stream_socket_perms;
-+allow mount_ntfs_t self:unix_dgram_socket { connect create };
-+
-+corecmd_read_bin_symlinks(mount_ntfs_t)
-+corecmd_exec_shell(mount_ntfs_t)
-+
-+files_read_etc_files(mount_ntfs_t)
-+files_search_all(mount_ntfs_t)
-+files_mounton_non_security_dir(mount_ntfs_t)
-+
-+fs_mount_fusefs(mount_ntfs_t)
-+fs_unmount_fusefs(mount_ntfs_t)
-+
-+libs_use_ld_so(mount_ntfs_t)
-+libs_use_shared_libs(mount_ntfs_t)
-+
-+fusermount_domtrans(mount_ntfs_t)
-+fusermount_use_fds(mount_ntfs_t)
-+
-+init_dontaudit_use_fds(mount_ntfs_t)
-+
-+kernel_read_system_state(mount_ntfs_t)
++allow mount_t self:fifo_file { read write };
++allow mount_t self:unix_stream_socket create_stream_socket_perms;
++allow mount_t self:unix_dgram_socket { connect create };
 +
-+logging_send_syslog_msg(mount_ntfs_t)
++corecmd_exec_shell(mount_t)
 +
-+miscfiles_read_localization(mount_ntfs_t)
++fusermount_domtrans(mount_t)
++fusermount_use_fds(mount_t)
 +
-+modutils_domtrans_insmod(mount_ntfs_t)
-+
-+mount_domtrans(mount_ntfs_t)
-+
-+storage_raw_read_fixed_disk(mount_ntfs_t)
-+storage_raw_write_fixed_disk(mount_ntfs_t)
-+
-+optional_policy(`
-+	nscd_socket_use(mount_ntfs_t)
-+')
++# modutils_domtrans_insmod(mount_t)
 +
 +optional_policy(`
-+	hal_write_log(mount_ntfs_t)
-+	hal_use_fds(mount_ntfs_t)
-+	hal_rw_pipes(mount_ntfs_t)
-+')
-+
-+ifdef(`targeted_policy',`
-+	term_use_generic_ptys(mount_ntfs_t)
-+')
++	hal_write_log(mount_t)
++	hal_use_fds(mount_t)
++	hal_rw_pipes(mount_t)
+ ')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/netlabel.te serefpolicy-2.6.4/policy/modules/system/netlabel.te
 --- nsaserefpolicy/policy/modules/system/netlabel.te	2007-05-07 14:51:02.000000000 -0400
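Review bot: Folding mount_ntfs_t into mount_t via the typealias means the permissions that were scoped to the ntfs helper — `corecmd_exec_shell`, `fusermount_domtrans`, `fusermount_use_fds` and the hal_* rules — are now granted unconditionally to mount_t, which already holds sys_admin, sys_rawio and dac_override in the `allow mount_t self:capability` rule of an earlier hunk, so the ntfs path no longer runs in its own smaller domain. If that widening is intended, a comment above `allow mount_t self:fifo_file { read write };` stating that the block exists for mount.ntfs-3g and fusermount would keep the reason visible; the heading `# ntfs local policy` alone reads as a leftover. The commented-out `# modutils_domtrans_insmod(mount_t)` should be removed or explained, since commented-out rules in .te files tend to be re-enabled without review. The mount.if hunk is untouched here, so any mount_ntfs_domtrans interface it still defines now presumably transitions into mount_t through the alias; confirm it still builds and does what its callers expect.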


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.481
retrieving revision 1.482
diff -u -r1.481 -r1.482
--- selinux-policy.spec	31 Jul 2007 19:49:42 -0000	1.481
+++ selinux-policy.spec	1 Aug 2007 20:41:28 -0000	1.482
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 30%{?dist}
+Release: 31%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
 %endif
 
 %changelog
+* Wed Aug 1 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-31
+- Fix specification of nagios cgi scripts
+
 * Mon Jul 23 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-30
 - Fix prelink to handle execmod
 - Allow mount_ntfs to search file_type:dir



