rpms/selinux-policy/F-7 policy-20070501.patch, 1.48, 1.49 selinux-policy.spec, 1.488, 1.489
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Aug 14 13:44:30 UTC 2007
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22634
Modified Files:
policy-20070501.patch selinux-policy.spec
Log Message:
* Tue Aug 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-38
- Fix nagios_cgi problems
policy-20070501.patch:
Index: policy-20070501.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/policy-20070501.patch,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- policy-20070501.patch 14 Aug 2007 00:16:44 -0000 1.48
+++ policy-20070501.patch 14 Aug 2007 13:44:27 -0000 1.49
@@ -1970,7 +1970,7 @@
/usr/src/kernels/.+/lib(/.*)? gen_context(system_u:object_r:usr_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-2.6.4/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2007-05-07 14:51:02.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/kernel/files.if 2007-08-14 08:16:29.000000000 -0400
@@ -343,8 +343,7 @@
########################################
@@ -2021,7 +2021,16 @@
')
########################################
-@@ -992,7 +1008,7 @@
+@@ -890,6 +906,8 @@
+ attribute file_type;
+ ')
+
++ # Have to be able to read badly labeled files like file_context and ld.so.cache
++ files_read_all_files($1)
+ allow $1 { file_type $2 }:dir list_dir_perms;
+ relabel_dirs_pattern($1,{ file_type $2 },{ file_type $2 })
+ relabel_files_pattern($1,{ file_type $2 },{ file_type $2 })
+@@ -992,7 +1010,7 @@
attribute file_type;
')
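Review bot: The added `files_read_all_files($1)` at the `++` line grants every caller of this interface read access on every type carrying the `file_type` attribute, which is far broader than the two files the comment names (file_context and ld.so.cache); the enclosing interface starts outside the hunk, so which domains inherit this cannot be confirmed here, but anything that relabels the whole filesystem presumably does. If the intent is only to tolerate mislabeled copies of those two files, the comment should say that the broad grant is deliberate and why a type-specific interface would not work, e.g. `# Relabeling must read file_context and ld.so.cache even when they are mislabeled, so a type-specific read interface is not enough; this intentionally grants read on all file_type.` Otherwise consider narrowing the grant to the types actually involved so that security-sensitive file types are not swept in with the rest.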
@@ -2030,7 +2039,32 @@
')
########################################
-@@ -1320,7 +1336,7 @@
+@@ -1111,6 +1129,24 @@
+
+ ########################################
+ ## <summary>
++## search all mount points.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_search_all_mountpoints',`
++ gen_require(`
++ attribute mountpoint;
++ ')
++
++ allow $1 mountpoint:dir search_dir_perms;
++')
++
++########################################
++## <summary>
+ ## List the contents of the root directory.
+ ## </summary>
+ ## <param name="domain">
+@@ -1320,7 +1356,7 @@
type boot_t;
')
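Review bot: The `<summary>` of the new `files_search_all_mountpoints` interface reads `## search all mount points.`, lowercase and inconsistent with the neighbouring summaries in the same file such as `## List the contents of the root directory.`; change it to `## Search all mount points.`. The rest of the interface (the `gen_require` of `attribute mountpoint` and the single `allow $1 mountpoint:dir search_dir_perms;`) matches the pattern of the surrounding interfaces, and the dovecot.te hunk later in this diff is its only caller visible here.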
@@ -2039,7 +2073,7 @@
')
########################################
-@@ -3310,6 +3326,24 @@
+@@ -3310,6 +3346,24 @@
########################################
## <summary>
@@ -2064,7 +2098,7 @@
## Get the attributes of files in /usr.
## </summary>
## <param name="domain">
-@@ -3386,6 +3420,24 @@
+@@ -3386,6 +3440,24 @@
########################################
## <summary>
@@ -2089,7 +2123,7 @@
## Read symbolic links in /usr.
## </summary>
## <param name="domain">
-@@ -3432,6 +3484,24 @@
+@@ -3432,6 +3504,24 @@
########################################
## <summary>
@@ -2114,7 +2148,7 @@
## Do not audit attempts to search /usr/src.
## </summary>
## <param name="domain">
-@@ -3637,7 +3707,7 @@
+@@ -3637,7 +3727,7 @@
type var_t;
')
@@ -2123,7 +2157,7 @@
')
########################################
-@@ -3993,7 +4063,7 @@
+@@ -3993,7 +4083,7 @@
type var_lock_t;
')
@@ -2132,7 +2166,7 @@
')
########################################
-@@ -4012,7 +4082,7 @@
+@@ -4012,7 +4102,7 @@
type var_t, var_lock_t;
')
@@ -2141,7 +2175,7 @@
')
########################################
-@@ -4181,7 +4251,7 @@
+@@ -4181,7 +4271,7 @@
type var_run_t;
')
@@ -2150,7 +2184,7 @@
')
########################################
-@@ -4529,6 +4599,8 @@
+@@ -4529,6 +4619,8 @@
# Need to give access to /selinux/member
selinux_compute_member($1)
@@ -2159,7 +2193,7 @@
# Need sys_admin capability for mounting
allow $1 self:capability { chown fsetid sys_admin };
-@@ -4551,6 +4623,8 @@
+@@ -4551,6 +4643,8 @@
# Default type for mountpoints
allow $1 poly_t:dir { create mounton };
fs_unmount_xattr_fs($1)
@@ -2168,7 +2202,7 @@
')
########################################
-@@ -4588,3 +4662,28 @@
+@@ -4588,3 +4682,28 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -3046,7 +3080,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-2.6.4/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-07 09:42:35.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/apache.te 2007-08-14 06:47:44.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
@@ -3243,7 +3277,15 @@
daemontools_service_domain(httpd_t, httpd_exec_t)
')
-@@ -606,6 +673,8 @@
+@@ -486,7 +553,6 @@
+
+ optional_policy(`
+ nagios_read_config(httpd_t)
+- nagios_domtrans_cgi(httpd_t)
+ ')
+
+ optional_policy(`
+@@ -606,6 +672,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
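Review bot: Removing `nagios_domtrans_cgi(httpd_t)` drops the domain transition into the nagios CGI domain while `nagios_read_config(httpd_t)` stays in the same `optional_policy` block, so httpd keeps reading nagios configuration but the CGIs presumably now stay in whatever domain httpd's own script handling gives them rather than a nagios-specific one; the hunk at `@@ -3265,21 +3307,26 @@` removes the matching `nagios_domtrans_cgi(httpd_suexec_t)`. The commit message says only "Fix nagios_cgi problems" and nothing in this diff touches the nagios module's .fc or .if, so how the CGI scripts end up labelled and confined after this change cannot be confirmed from here. A one-line comment beside the remaining call would record the intent, e.g. `# nagios CGI scripts no longer transition out of the httpd domains; their labeling is handled in the nagios module`, and if the transition was dropped because the dedicated CGI domain was missing permissions, fixing that domain instead would keep the CGIs separately confined.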
@@ -3252,7 +3294,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -668,6 +737,12 @@
+@@ -668,6 +736,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -3265,21 +3307,26 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -689,13 +764,6 @@
- nagios_domtrans_cgi(httpd_suexec_t)
+@@ -685,18 +759,6 @@
+ dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
-optional_policy(`
+- nagios_domtrans_cgi(httpd_suexec_t)
+-')
+-
+-optional_policy(`
- nis_use_ypbind(httpd_suexec_t)
-')
-
-optional_policy(`
- nscd_socket_use(httpd_suexec_t)
-')
-
+-
########################################
#
-@@ -706,7 +774,8 @@
+ # Apache system script local policy
+@@ -706,7 +768,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -3289,7 +3336,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -720,21 +789,64 @@
+@@ -720,21 +783,64 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -3309,15 +3356,15 @@
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -3359,23 +3406,23 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -754,14 +866,8 @@
+@@ -754,14 +860,8 @@
# Apache unconfined script local policy
#
-unconfined_domain(httpd_unconfined_script_t)
-
- optional_policy(`
+-optional_policy(`
- cron_system_entry(httpd_t, httpd_exec_t)
-')
-
--optional_policy(`
+ optional_policy(`
- nscd_socket_use(httpd_unconfined_script_t)
+ unconfined_domain(httpd_unconfined_script_t)
')
########################################
-@@ -784,7 +890,26 @@
+@@ -784,7 +884,26 @@
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -4632,7 +4679,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dovecot.te serefpolicy-2.6.4/policy/modules/services/dovecot.te
--- nsaserefpolicy/policy/modules/services/dovecot.te 2007-05-07 14:50:57.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-13 07:17:55.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/dovecot.te 2007-08-14 08:16:15.000000000 -0400
@@ -15,6 +15,12 @@
domain_entry_file(dovecot_auth_t,dovecot_auth_exec_t)
role system_r types dovecot_auth_t;
@@ -4664,6 +4711,15 @@
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
+@@ -98,7 +104,7 @@
+ files_dontaudit_list_default(dovecot_t)
+ # Dovecot now has quota support and it uses getmntent() to find the mountpoints.
+ files_read_etc_runtime_files(dovecot_t)
+-files_getattr_all_mountpoints(dovecot_t)
++files_search_all_mountpoints(dovecot_t)
+
+ init_getattr_utmp(dovecot_t)
+
@@ -110,9 +116,6 @@
miscfiles_read_certs(dovecot_t)
miscfiles_read_localization(dovecot_t)
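Review bot: The comment above the changed line, `# Dovecot now has quota support and it uses getmntent() to find the mountpoints.`, still explains the old `files_getattr_all_mountpoints(dovecot_t)` call; after the switch to `files_search_all_mountpoints(dovecot_t)` a reader cannot tell from it why search on the mount point directories is needed rather than getattr alone. Extend the comment with the actual reason the broader permission is required (presumably the quota code descends into the mount points, but that is not visible here), so the wider grant on the `mountpoint` attribute is justified in place.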
@@ -5336,7 +5392,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-2.6.4/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-05-07 14:51:01.000000000 -0400
-+++ serefpolicy-2.6.4/policy/modules/services/mailman.te 2007-08-13 19:33:45.000000000 -0400
++++ serefpolicy-2.6.4/policy/modules/services/mailman.te 2007-08-13 19:39:50.000000000 -0400
@@ -55,6 +55,7 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-7/selinux-policy.spec,v
retrieving revision 1.488
retrieving revision 1.489
diff -u -r1.488 -r1.489
--- selinux-policy.spec 14 Aug 2007 00:16:44 -0000 1.488
+++ selinux-policy.spec 14 Aug 2007 13:44:27 -0000 1.489
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 2.6.4
-Release: 37%{?dist}
+Release: 38%{?dist}
License: GPL
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -361,6 +361,9 @@
%endif
%changelog
+* Tue Aug 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-38
+- Fix nagios_cgi problems
+
* Mon Aug 13 2007 Dan Walsh <dwalsh at redhat.com> 2.6.4-37
- Allow clamd to read kernel system state