rpms/selinux-policy/F-7 policy-20070501.patch, 1.44, 1.45 selinux-policy.spec, 1.484, 1.485

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Aug 7 13:28:25 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22410

Modified Files:
	policy-20070501.patch selinux-policy.spec 
Log Message:
* Mon Aug 6 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-34
- Fix nagios cgi
- allow squid to communicate with winbind


policy-20070501.patch:

Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -r1.44 -r1.45
--- policy-20070501.patch	6 Aug 2007 15:40:39 -0000	1.44
+++ policy-20070501.patch	7 Aug 2007 13:27:52 -0000	1.45
@@ -5490,22 +5490,39 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.fc serefpolicy-2.6.4/policy/modules/services/nagios.fc
 --- nsaserefpolicy/policy/modules/services/nagios.fc	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/nagios.fc	2007-08-01 16:25:39.000000000 -0400
-@@ -4,8 +4,8 @@
++++ serefpolicy-2.6.4/policy/modules/services/nagios.fc	2007-08-06 19:11:52.000000000 -0400
+@@ -4,13 +4,13 @@
  /usr/bin/nagios			--	gen_context(system_u:object_r:nagios_exec_t,s0)
  /usr/bin/nrpe			--	gen_context(system_u:object_r:nrpe_exec_t,s0)
  
 -/usr/lib(64)?/cgi-bin/netsaint/.+ --	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
 -/usr/lib(64)?/nagios/cgi/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-+/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
-+/usr/lib(64)?/nagios/cgi(/.*)?		gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
++/usr/lib(64)?/cgi-bin/netsaint(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
++/usr/lib(64)?/nagios/cgi(/.*)?		gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
  
  /var/log/nagios(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
  /var/log/netsaint(/.*)?			gen_context(system_u:object_r:nagios_log_t,s0)
+ 
+ ifdef(`distro_debian',`
+ /usr/sbin/nagios		--	gen_context(system_u:object_r:nagios_exec_t,s0)
+-/usr/lib/cgi-bin/nagios/.+	--	gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
+ ')
++/usr/lib(64)?/cgi-bin/nagios(/.+)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagios.te serefpolicy-2.6.4/policy/modules/services/nagios.te
 --- nsaserefpolicy/policy/modules/services/nagios.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/nagios.te	2007-07-31 16:39:53.000000000 -0400
-@@ -73,8 +73,10 @@
++++ serefpolicy-2.6.4/policy/modules/services/nagios.te	2007-08-06 19:16:40.000000000 -0400
+@@ -10,10 +10,6 @@
+ type nagios_exec_t;
+ init_daemon_domain(nagios_t,nagios_exec_t)
+ 
+-type nagios_cgi_t;
+-type nagios_cgi_exec_t;
+-init_system_domain(nagios_cgi_t,nagios_cgi_exec_t)
+-
+ type nagios_etc_t;
+ files_config_file(nagios_etc_t)
+ 
+@@ -73,8 +69,10 @@
  corenet_udp_sendrecv_all_nodes(nagios_t)
  corenet_tcp_sendrecv_all_ports(nagios_t)
  corenet_udp_sendrecv_all_ports(nagios_t)
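Review bot: The three relabelled cgi entries use two different suffix forms — `(/.*)?` on the netsaint and nagios/cgi lines and `(/.+)?` on the new cgi-bin/nagios line — and all three dropped the `--` qualifier, so the cgi directories themselves now carry httpd_nagios_script_exec_t rather than only the files beneath them. That is how other httpd_*_script_exec_t trees are usually labelled, but it should be deliberate; pick one form, e.g. `/usr/lib(64)?/cgi-bin/nagios(/.*)?	gen_context(system_u:object_r:httpd_nagios_script_exec_t,s0)`. The cgi-bin/nagios entry was also moved out of the `distro_debian` block and now applies on every distribution, with a `(64)?` variant that did not exist before; if that is intended for Fedora, a one-line comment above it would save the next reader a trip through the history. Because the exec type name changed, existing installs need these paths relabelled before the CGIs will transition into the new domain — presumably the package's post-install handles that, which is outside this hunk.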
@@ -5516,7 +5533,7 @@
  
  domain_use_interactive_fds(nagios_t)
  # for ps
-@@ -97,8 +99,6 @@
+@@ -97,8 +95,6 @@
  
  miscfiles_read_localization(nagios_t)
  
@@ -5525,7 +5542,7 @@
  userdom_dontaudit_use_unpriv_user_fds(nagios_t)
  userdom_dontaudit_search_sysadm_home_dirs(nagios_t)
  
-@@ -121,7 +121,7 @@
+@@ -121,7 +117,7 @@
  ')
  
  optional_policy(`
@@ -5534,6 +5551,66 @@
  ')
  
  optional_policy(`
+@@ -141,42 +137,31 @@
+ #
+ # Nagios CGI local policy
+ #
++apache_content_template(nagios)
++typealias httpd_nagios_script_t alias nagios_cgi_t;
++typealias httpd_nagios_script_exec_t alias nagios_cgi_exec_t;
+ 
+-allow nagios_cgi_t self:process signal_perms;
+-allow nagios_cgi_t self:fifo_file rw_fifo_file_perms;
+-
+-read_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+-read_lnk_files_pattern(nagios_cgi_t,nagios_t,nagios_t)
+-
+-allow nagios_cgi_t nagios_etc_t:dir list_dir_perms;
+-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
+-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_etc_t)
++allow httpd_nagios_script_t self:process signal_perms;
+ 
+-allow nagios_cgi_t nagios_log_t:dir list_dir_perms;
+-read_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
+-read_lnk_files_pattern(nagios_cgi_t,nagios_etc_t,nagios_log_t)
++read_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
++read_lnk_files_pattern(httpd_nagios_script_t,nagios_t,nagios_t)
+ 
+-kernel_read_system_state(nagios_cgi_t)
++allow httpd_nagios_script_t nagios_etc_t:dir list_dir_perms;
++read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t)
++read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_etc_t)
+ 
+-corecmd_exec_bin(nagios_cgi_t)
++allow httpd_nagios_script_t nagios_log_t:dir list_dir_perms;
++read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)
++read_lnk_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)
+ 
+-domain_dontaudit_read_all_domains_state(nagios_cgi_t)
++kernel_read_system_state(httpd_nagios_script_t)
+ 
+-files_read_etc_files(nagios_cgi_t)
+-files_read_etc_runtime_files(nagios_cgi_t)
+-files_read_kernel_symbol_table(nagios_cgi_t)
++domain_dontaudit_read_all_domains_state(httpd_nagios_script_t)
+ 
+-libs_use_ld_so(nagios_cgi_t)
+-libs_use_shared_libs(nagios_cgi_t)
++files_read_etc_runtime_files(httpd_nagios_script_t)
++files_read_kernel_symbol_table(httpd_nagios_script_t)
+ 
+-logging_send_syslog_msg(nagios_cgi_t)
+-logging_search_logs(nagios_cgi_t)
+-
+-miscfiles_read_localization(nagios_cgi_t)
+-
+-optional_policy(`
+-	apache_append_log(nagios_cgi_t)
+-')
++logging_send_syslog_msg(httpd_nagios_script_t)
+ 
+ ########################################
+ #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-2.6.4/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2007-05-07 14:51:01.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/networkmanager.fc	2007-07-31 16:39:53.000000000 -0400
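Review bot: The rewrite removes `logging_search_logs` without an equivalent on the new side, yet httpd_nagios_script_t still only gets list/read inside nagios_log_t on the three log lines; unless `apache_content_template` grants search on var_log_t, the CGI cannot traverse /var/log to reach /var/log/nagios. The same question applies to the removed `corecmd_exec_bin`, `files_read_etc_files`, `libs_use_ld_so`/`libs_use_shared_libs`, `miscfiles_read_localization` and `apache_append_log` — presumably the template supplies them, but for a web-facing domain that should be confirmed rather than assumed. Separately, the log-reading pair carried over as `read_files_pattern(httpd_nagios_script_t,nagios_etc_t,nagios_log_t)` passes nagios_etc_t as the directory type for nagios_log_t files; it only works because `list_dir_perms` on nagios_log_t:dir on the line above already includes search, and reads more honestly as `read_files_pattern(httpd_nagios_script_t,nagios_log_t,nagios_log_t)` and `read_lnk_files_pattern(httpd_nagios_script_t,nagios_log_t,nagios_log_t)`. The two typealiases keep nagios_cgi_t and nagios_cgi_exec_t resolvable for existing policy and on-disk labels, which is the right way to do this rename.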
@@ -6498,7 +6575,7 @@
  # for scripts
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/procmail.te serefpolicy-2.6.4/policy/modules/services/procmail.te
 --- nsaserefpolicy/policy/modules/services/procmail.te	2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/procmail.te	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/procmail.te	2007-08-06 18:56:39.000000000 -0400
 @@ -10,6 +10,7 @@
  type procmail_exec_t;
  domain_type(procmail_t)
@@ -6516,7 +6593,15 @@
  kernel_read_system_state(procmail_t)
  kernel_read_kernel_sysctls(procmail_t)
  
-@@ -101,9 +104,16 @@
+@@ -50,6 +53,7 @@
+ 
+ fs_getattr_xattr_fs(procmail_t)
+ fs_search_auto_mountpoints(procmail_t)
++fs_rw_anon_inodefs_files(procmail_t)
+ 
+ auth_use_nsswitch(procmail_t)
+ 
+@@ -101,9 +105,16 @@
  ')
  
  optional_policy(`
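Review bot: The added `fs_rw_anon_inodefs_files(procmail_t)` carries no comment saying which access it resolves, and anon_inodefs covers several unrelated fd kinds (eventfd, epoll, signalfd, timerfd and the like), so a later reviewer cannot tell whether it is still needed or could be narrowed. A one-line note above it such as `# rw on an anon_inodefs fd inherited from the caller — confirm which one` would record the intent. The procmail_t block this sits in continues outside the hunk.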
@@ -6533,7 +6618,7 @@
  ')
  
  optional_policy(`
-@@ -119,8 +129,13 @@
+@@ -119,8 +130,13 @@
  
  optional_policy(`
  	corenet_udp_bind_generic_port(procmail_t)
@@ -7230,7 +7315,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-2.6.4/policy/modules/services/samba.te
 --- nsaserefpolicy/policy/modules/services/samba.te	2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/samba.te	2007-08-06 18:49:51.000000000 -0400
 @@ -28,6 +28,35 @@
  ## </desc>
  gen_tunable(samba_share_nfs,false)
@@ -7527,10 +7612,12 @@
  allow winbind_helper_t samba_var_t:dir search;
  
  stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
-@@ -764,3 +838,23 @@
+@@ -763,4 +837,25 @@
+ optional_policy(`
  	squid_read_log(winbind_helper_t)
  	squid_append_log(winbind_helper_t)
- ')
++	squid_rw_stream_sockets(winbind_helper_t)
++')
 +
 +########################################
 +#
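Review bot: `squid_rw_stream_sockets(winbind_helper_t)` only covers the helper's side of the exchange — reading and writing a squid_t unix stream socket it was handed — and nothing in this hunk lets squid_t run the helper in winbind_helper_t or use its own end; presumably a domain transition already exists in squid.te, but since the changelog line "allow squid to communicate with winbind" describes only this direction, confirm the transition is there before relying on it. Placing the rule inside the existing `optional_policy(` block next to the squid log rules is right. A short comment, e.g. `# helper inherits a squid_t stream socket from squid; needs rw on it`, would explain why a samba helper touches squid sockets at all.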
@@ -7549,7 +7636,7 @@
 +
 +tunable_policy(`samba_run_unconfined',`
 +	domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
-+')
+ ')
 +unconfined_domain(samba_unconfined_script_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sasl.te serefpolicy-2.6.4/policy/modules/services/sasl.te
 --- nsaserefpolicy/policy/modules/services/sasl.te	2007-05-07 14:51:01.000000000 -0400
@@ -7845,6 +7932,32 @@
  /var/spool/squid(/.*)?		gen_context(system_u:object_r:squid_cache_t,s0)
 +/usr/lib/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 +/usr/lib64/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-2.6.4/policy/modules/services/squid.if
+--- nsaserefpolicy/policy/modules/services/squid.if	2007-05-07 14:50:57.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/squid.if	2007-08-06 18:50:10.000000000 -0400
+@@ -131,3 +131,22 @@
+ interface(`squid_use',`
+ 	refpolicywarn(`$0($*) has been deprecated.')
+ ')
++
++########################################
++## <summary>
++##	Allow read and write squid
++##	unix domain stream sockets.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`squid_rw_stream_sockets',`
++	gen_require(`
++		type squid_t;
++	')
++
++	allow $1 squid_t:unix_stream_socket { read write };
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-2.6.4/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-05-07 14:50:57.000000000 -0400
 +++ serefpolicy-2.6.4/policy/modules/services/squid.te	2007-07-31 16:39:53.000000000 -0400
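Review bot: The summary on the new `squid_rw_stream_sockets` interface is ungrammatical and does not say what kind of access it covers; `##	Read and write squid unix domain stream sockets` followed by `##	(e.g. a socket inherited from squid_t by a helper it runs).` would match the surrounding refpolicy doc style. Granting only `{ read write }` rather than a full rw_socket_perms set is the narrower choice and fits an inherited-fd use, so keeping it minimal is right. The two cachemgr.cgi entries a few lines up in squid.fc spell the lib path out twice instead of using `/usr/lib(64)?/` as the nagios entries in this same patch do; they are context here, but worth normalising when squid.fc is next touched.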
@@ -8492,7 +8605,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.te serefpolicy-2.6.4/policy/modules/system/authlogin.te
 --- nsaserefpolicy/policy/modules/system/authlogin.te	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/authlogin.te	2007-07-31 16:39:53.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/system/authlogin.te	2007-08-07 09:22:22.000000000 -0400
 @@ -9,6 +9,13 @@
  attribute can_read_shadow_passwords;
  attribute can_write_shadow_passwords;
@@ -8516,7 +8629,15 @@
  dev_getattr_scanner_dev(pam_console_t)
  dev_setattr_scanner_dev(pam_console_t)
  dev_getattr_sound_dev(pam_console_t)
-@@ -244,7 +253,7 @@
+@@ -202,6 +211,7 @@
+ 
+ fs_list_auto_mountpoints(pam_console_t)
+ fs_list_noxattr_fs(pam_console_t)
++fs_getattr_all_fs(pam_console_t)
+ 
+ init_use_fds(pam_console_t)
+ init_use_script_ptys(pam_console_t)
+@@ -244,7 +254,7 @@
  
  optional_policy(`
  	xserver_read_xdm_pid(pam_console_t)
@@ -8525,7 +8646,7 @@
  ')
  
  ########################################
-@@ -252,15 +261,14 @@
+@@ -252,15 +262,14 @@
  # System check password local policy
  #
  
@@ -8543,7 +8664,7 @@
  userdom_dontaudit_use_unpriv_users_ttys(system_chkpwd_t)
  userdom_dontaudit_use_unpriv_users_ptys(system_chkpwd_t)
  userdom_dontaudit_use_sysadm_terms(system_chkpwd_t)
-@@ -302,6 +310,38 @@
+@@ -302,6 +311,38 @@
  ')
  
  optional_policy(`
@@ -9176,18 +9297,19 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-2.6.4/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/system/libraries.fc	2007-07-31 16:39:53.000000000 -0400
-@@ -81,8 +81,8 @@
++++ serefpolicy-2.6.4/policy/modules/system/libraries.fc	2007-08-07 09:13:21.000000000 -0400
+@@ -81,8 +81,9 @@
  /opt/cisco-vpnclient/lib/libvpnapi\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/netbeans(.*/)?jdk.*/linux/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /opt/cxoffice/lib/wine/.+\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
--/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
- /opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-+/opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++/opt/ibm/java.*/jre/.+\.jar		--	gen_context(system_u:object_r:lib_t,s0)
++/opt/ibm/java.*/jre/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /opt/f-secure/fspms/libexec/librapi.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+-/opt/ibm/java2-ppc64-50/jre/bin/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  
  ifdef(`distro_gentoo',`
  # despite the extensions, they are actually libs
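Review bot: Replacing the single `/opt/ibm/java2-ppc64-50/jre/bin/.+\.so` entry with `/opt/ibm/java.*/jre/.+\.so(\.[^/]*)*` marks every shared object under any IBM JRE as textrel_shlib_t, which is the type refpolicy uses to permit execmod and so exempts those libraries from the text-relocation protection that lib_t enforces. If only the bin/ libraries of the old entry actually have text relocations, `/opt/ibm/java.*/jre/bin/.+\.so(\.[^/]*)*` keeps the version wildcard without widening the exemption; if the whole tree genuinely needs it, a comment saying so would stop a later reviewer from tightening it back. The new `.jar` entry is harmless for read access, but a comment on why jars get a library label would help. The f-secure line is only reordered.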
-@@ -132,13 +132,16 @@
+@@ -132,13 +133,16 @@
  
  /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  
@@ -9205,7 +9327,7 @@
  /usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -157,6 +160,8 @@
+@@ -157,6 +161,8 @@
  /usr/(local/)?lib(64)?/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libXcomp\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/NX/lib/libjpeg\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -9214,7 +9336,7 @@
  
  /usr/X11R6/lib/libGL\.so.* 		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/X11R6/lib/libXvMCNVIDIA\.so.* 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -254,6 +259,8 @@
+@@ -254,6 +260,8 @@
  /usr/lib(64)?/libdivxdecore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  /usr/lib(64)?/libdivxencore\.so\.0	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.484
retrieving revision 1.485
diff -u -r1.484 -r1.485
--- selinux-policy.spec	6 Aug 2007 15:40:39 -0000	1.484
+++ selinux-policy.spec	7 Aug 2007 13:27:52 -0000	1.485
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 2.6.4
-Release: 33%{?dist}
+Release: 34%{?dist}
 License: GPL
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,10 @@
 %endif
 
 %changelog
+* Mon Aug 6 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-34
+- Fix nagios cgi
+- allow squid to communicate with winbind
+
 * Mon Aug 6 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-33
 - Allow mount to execute modprobe for ntfs mounts
 



