rpms/selinux-policy/F-8 policy-20070703.patch, 1.130, 1.131 selinux-policy.spec, 1.574, 1.575

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Mon Nov 12 18:42:18 UTC 2007


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25840

Modified Files:
	policy-20070703.patch selinux-policy.spec 
Log Message:
* Mon Nov 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-52
- Allow apache to read unconfined users content


policy-20070703.patch:

Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.130
retrieving revision 1.131
diff -u -r1.130 -r1.131
--- policy-20070703.patch	10 Nov 2007 14:14:21 -0000	1.130
+++ policy-20070703.patch	12 Nov 2007 18:42:15 -0000	1.131
@@ -1747,7 +1747,7 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/prelink.te serefpolicy-3.0.8/policy/modules/admin/prelink.te
 --- nsaserefpolicy/policy/modules/admin/prelink.te	2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/admin/prelink.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/admin/prelink.te	2007-11-12 10:26:38.000000000 -0500
 @@ -26,7 +26,7 @@
  # Local policy
  #
@@ -1797,6 +1797,14 @@
  optional_policy(`
  	amanda_manage_lib(prelink_t)
  ')
+@@ -88,3 +94,7 @@
+ optional_policy(`
+ 	cron_system_entry(prelink_t, prelink_exec_t)
+ ')
++
++optional_policy(`
++	unconfined_domain(prelink_t)
++')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.fc serefpolicy-3.0.8/policy/modules/admin/rpm.fc
 --- nsaserefpolicy/policy/modules/admin/rpm.fc	2007-10-22 13:21:42.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/admin/rpm.fc	2007-10-29 23:59:29.000000000 -0400
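Review bot: `unconfined_domain(prelink_t)` at the end of prelink.te removes confinement from prelink whenever the unconfined module is loaded, and the hunk gives no reason for it; a one-line comment above the optional_policy stating the motivation (it is not in the diff, so I can only guess it is about prelink touching executables and libraries system-wide — confirm) would stop a later reader from reverting it as a mistake. The 3.0.8-52 changelog entry in the spec hunk mentions only the apache change, so this privilege widening, like the matching `unconfined_domain(mdadm_t)` in the raid.te hunk, is otherwise undocumented. Once prelink is unconfined, AVC denials will no longer surface what it touches, which is worth noting for anyone auditing this policy later.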
@@ -5319,7 +5327,7 @@
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.0.8/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.if	2007-11-12 10:17:21.000000000 -0500
 @@ -18,10 +18,6 @@
  		attribute httpd_script_exec_type;
  		type httpd_t, httpd_suexec_t, httpd_log_t;
@@ -5421,6 +5429,40 @@
  	userdom_user_home_content($1,httpd_$1_content_t)
  
  	role $3 types httpd_$1_script_t;
+@@ -345,12 +297,12 @@
+ #
+ template(`apache_read_user_scripts',`
+ 	gen_require(`
+-		type httpd_$1_script_exec_t;
++		attribute httpd_user_script_exec_type;
+ 	')
+ 
+-	allow $2 httpd_$1_script_exec_t:dir list_dir_perms;
+-	read_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
+-	read_lnk_files_pattern($2,httpd_$1_script_exec_t,httpd_$1_script_exec_t)
++	allow $2 httpd_user_script_exec_type:dir list_dir_perms;
++	read_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
++	read_lnk_files_pattern($2,httpd_user_script_exec_type,httpd_user_script_exec_type)
+ ')
+ 
+ ########################################
+@@ -371,12 +323,12 @@
+ #
+ template(`apache_read_user_content',`
+ 	gen_require(`
+-		type httpd_$1_content_t;
++		attribute httpd_user_content_type;
+ 	')
+ 
+-	allow $2 httpd_$1_content_t:dir list_dir_perms;
+-	read_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
+-	read_lnk_files_pattern($2,httpd_$1_content_t,httpd_$1_content_t)
++	allow $2 httpd_user_content_type:dir list_dir_perms;
++	read_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
++	read_lnk_files_pattern($2,httpd_user_content_type,httpd_user_content_type)
+ ')
+ 
+ ########################################
 @@ -436,6 +388,24 @@
  
  ########################################
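Review bot: After this change the `$1` parameter of `apache_read_user_scripts` and `apache_read_user_content` is no longer referenced in either template body, and a caller that passes one user prefix now gets read access to everything carrying `httpd_user_script_exec_type` / `httpd_user_content_type`, i.e. all users' web content rather than that user's. That is presumably what the "read unconfined users content" changelog line needs, but the `## <summary>` and `## <param>` blocks for both templates sit outside the hunk and should say that the first argument is kept only for interface compatibility and that the grant is attribute-wide. Both templates also `gen_require` attributes that must be declared in apache.te (not visible in this diff) before any caller module is built — confirm the declarations landed in the same commit.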
@@ -5736,7 +5778,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te	2007-11-08 09:25:25.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/apache.te	2007-11-12 10:03:38.000000000 -0500
 @@ -20,6 +20,9 @@
  # Declarations
  #
@@ -5822,22 +5864,7 @@
  # httpd_modules_t is the type given to module files (libraries) 
  # that come with Apache /etc/httpd/modules and /usr/lib/apache
  type httpd_modules_t;
-@@ -182,6 +223,14 @@
- type httpd_tmpfs_t;
- files_tmpfs_file(httpd_tmpfs_t)
- 
-+# Unconfined domain for apache scripts.
-+# Only to be used as a last resort
-+type httpd_unconfined_script_t;
-+type httpd_unconfined_script_exec_t; # customizable
-+domain_type(httpd_unconfined_script_t)
-+domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
-+role system_r types httpd_unconfined_script_t;
-+
- # for apache2 memory mapped files
- type httpd_var_lib_t;
- files_type(httpd_var_lib_t)
-@@ -202,9 +251,11 @@
+@@ -202,9 +243,11 @@
  # Apache server local policy
  #
  
@@ -5850,7 +5877,7 @@
  allow httpd_t self:fd use;
  allow httpd_t self:sock_file read_sock_file_perms;
  allow httpd_t self:fifo_file rw_fifo_file_perms;
-@@ -244,6 +295,7 @@
+@@ -244,6 +287,7 @@
  allow httpd_t httpd_modules_t:dir list_dir_perms;
  mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
  read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
@@ -5858,7 +5885,7 @@
  
  apache_domtrans_rotatelogs(httpd_t)
  # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -284,6 +336,7 @@
+@@ -284,6 +328,7 @@
  kernel_read_kernel_sysctls(httpd_t)
  # for modules that want to access /proc/meminfo
  kernel_read_system_state(httpd_t)
@@ -5866,7 +5893,7 @@
  
  corenet_all_recvfrom_unlabeled(httpd_t)
  corenet_all_recvfrom_netlabel(httpd_t)
-@@ -330,6 +383,10 @@
+@@ -330,6 +375,10 @@
  files_read_var_lib_symlinks(httpd_t)
  
  fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -5877,18 +5904,18 @@
  
  libs_use_ld_so(httpd_t)
  libs_use_shared_libs(httpd_t)
-@@ -348,7 +405,9 @@
+@@ -348,7 +397,9 @@
  
  userdom_use_unpriv_users_fds(httpd_t)
  
 -mta_send_mail(httpd_t)
 +tunable_policy(`httpd_enable_homedirs',`
-+	userdom_search_generic_user_home_dirs(httpd_t)
++	userdom_search_unpriv_users_home_dirs(httpd_t)
 +')
  
  tunable_policy(`allow_httpd_anon_write',`
  	miscfiles_manage_public_files(httpd_t)
-@@ -360,6 +419,7 @@
+@@ -360,6 +411,7 @@
  #
  tunable_policy(`allow_httpd_mod_auth_pam',`
  	auth_domtrans_chk_passwd(httpd_t)
@@ -5896,7 +5923,7 @@
  ')
  ')
  
-@@ -367,6 +427,16 @@
+@@ -367,6 +419,16 @@
  	corenet_tcp_connect_all_ports(httpd_t)
  ')
  
@@ -5913,17 +5940,10 @@
  tunable_policy(`httpd_can_network_connect_db',`
  	# allow httpd to connect to mysql/posgresql
  	corenet_tcp_connect_postgresql_port(httpd_t)
-@@ -387,6 +457,17 @@
+@@ -387,6 +449,10 @@
  	corenet_sendrecv_http_cache_client_packets(httpd_t)
  ')
  
-+tunable_policy(`httpd_enable_cgi',`
-+	domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-+
-+	allow httpd_t httpd_unconfined_script_t:process { signal sigkill sigstop };
-+	allow httpd_t httpd_unconfined_script_exec_t:dir list_dir_perms;
-+')
-+
 +tunable_policy(`allow_httpd_sys_script_anon_write',`
 +	miscfiles_manage_public_files(httpd_sys_script_t)
 +') 
@@ -5931,7 +5951,7 @@
  tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
  
-@@ -404,11 +485,21 @@
+@@ -404,11 +470,21 @@
  	fs_read_nfs_symlinks(httpd_t)
  ')
  
@@ -5953,7 +5973,7 @@
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -430,6 +521,12 @@
+@@ -430,6 +506,12 @@
  ')
  
  optional_policy(`
@@ -5966,7 +5986,7 @@
  	calamaris_read_www_files(httpd_t)
  ')
  
-@@ -442,8 +539,15 @@
+@@ -442,8 +524,15 @@
  ')
  
  optional_policy(`
@@ -5983,7 +6003,7 @@
  ')
  
  optional_policy(`
-@@ -457,11 +561,11 @@
+@@ -457,11 +546,11 @@
  optional_policy(`
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
@@ -5996,7 +6016,7 @@
  ')
  
  optional_policy(`
-@@ -481,6 +585,7 @@
+@@ -481,6 +570,7 @@
  ')
  
  optional_policy(`
@@ -6004,7 +6024,7 @@
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -512,10 +617,16 @@
+@@ -512,10 +602,16 @@
  tunable_policy(`httpd_tty_comm',`
  	# cjp: this is redundant:
  	term_use_controlling_term(httpd_helper_t)
@@ -6022,7 +6042,7 @@
  ########################################
  #
  # Apache PHP script local policy
-@@ -553,6 +664,7 @@
+@@ -553,6 +649,7 @@
  
  optional_policy(`
  	mysql_stream_connect(httpd_php_t)
@@ -6030,7 +6050,7 @@
  ')
  
  optional_policy(`
-@@ -567,7 +679,6 @@
+@@ -567,7 +664,6 @@
  allow httpd_suexec_t self:capability { setuid setgid };
  allow httpd_suexec_t self:process signal_perms;
  allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
@@ -6038,7 +6058,7 @@
  
  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
  
-@@ -581,6 +692,10 @@
+@@ -581,6 +677,10 @@
  manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -6049,7 +6069,7 @@
  kernel_read_kernel_sysctls(httpd_suexec_t)
  kernel_list_proc(httpd_suexec_t)
  kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -606,6 +721,10 @@
+@@ -606,6 +706,10 @@
  
  miscfiles_read_localization(httpd_suexec_t)
  
@@ -6060,7 +6080,7 @@
  tunable_policy(`httpd_can_network_connect',`
  	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_suexec_t self:udp_socket create_socket_perms;
-@@ -620,10 +739,13 @@
+@@ -620,7 +724,6 @@
  	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
  	corenet_tcp_connect_all_ports(httpd_suexec_t)
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
@@ -6068,14 +6088,7 @@
  	sysnet_read_config(httpd_suexec_t)
  ')
  
-+tunable_policy(`httpd_enable_cgi',`
-+	domtrans_pattern(httpd_suexec_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
-+')
-+
- tunable_policy(`httpd_enable_cgi && httpd_unified',`
- 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
- ')
-@@ -634,6 +756,12 @@
+@@ -634,6 +737,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -6088,7 +6101,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -651,18 +779,6 @@
+@@ -651,18 +760,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -6107,7 +6120,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -672,7 +788,8 @@
+@@ -672,7 +769,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -6117,7 +6130,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -686,15 +803,66 @@
+@@ -686,15 +784,66 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -6185,28 +6198,15 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -707,6 +875,20 @@
+@@ -707,6 +856,7 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
 +	mysql_read_config(httpd_sys_script_t)
-+')
-+
-+########################################
-+#
-+# Apache unconfined script local policy
-+#
-+
-+optional_policy(`
-+	nscd_socket_use(httpd_unconfined_script_t)
-+')
-+
-+optional_policy(`
-+	unconfined_domain(httpd_unconfined_script_t)
  ')
  
  ########################################
-@@ -728,3 +910,20 @@
+@@ -728,3 +878,20 @@
  logging_search_logs(httpd_rotatelogs_t)
  
  miscfiles_read_localization(httpd_rotatelogs_t)
@@ -8719,8 +8719,19 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/inetd.te serefpolicy-3.0.8/policy/modules/services/inetd.te
 --- nsaserefpolicy/policy/modules/services/inetd.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-11-08 13:34:38.000000000 -0500
-@@ -53,6 +53,8 @@
++++ serefpolicy-3.0.8/policy/modules/services/inetd.te	2007-11-12 11:36:16.000000000 -0500
+@@ -30,6 +30,10 @@
+ type inetd_child_var_run_t;
+ files_pid_file(inetd_child_var_run_t)
+ 
++ifdef(`enable_mcs',`
++	init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)
++')
++
+ ########################################
+ #
+ # Local policy
+@@ -53,6 +57,8 @@
  allow inetd_t inetd_var_run_t:file manage_file_perms;
  files_pid_filetrans(inetd_t,inetd_var_run_t,file)
  
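Review bot: The new `init_ranged_daemon_domain(inetd_t,inetd_exec_t,s0 - mcs_systemhigh)` gives inetd the full MCS range with no comment saying why; the existing `# xinetd needs MLS override privileges to work` further down the file suggests the reason is starting services at any category, so a comment above the ifdef such as `# xinetd must be able to start child services at any MCS level` would make the intent explicit. If `init_daemon_domain(inetd_t,inetd_exec_t)` is still called earlier in the file (outside the hunk), the ranged call is additive; otherwise confirm it is the only entry-point rule so inetd still transitions from init.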
@@ -8729,7 +8740,7 @@
  kernel_read_kernel_sysctls(inetd_t)
  kernel_list_proc(inetd_t)
  kernel_read_proc_symlinks(inetd_t)
-@@ -80,16 +82,22 @@
+@@ -80,16 +86,22 @@
  corenet_udp_bind_comsat_port(inetd_t)
  corenet_tcp_bind_dbskkd_port(inetd_t)
  corenet_udp_bind_dbskkd_port(inetd_t)
@@ -8752,7 +8763,7 @@
  corenet_udp_bind_tftp_port(inetd_t)
  corenet_tcp_bind_ssh_port(inetd_t)
  
-@@ -132,8 +140,10 @@
+@@ -132,8 +144,10 @@
  miscfiles_read_localization(inetd_t)
  
  # xinetd needs MLS override privileges to work
@@ -8763,7 +8774,7 @@
  mls_process_set_level(inetd_t)
  
  sysnet_read_config(inetd_t)
-@@ -141,6 +151,11 @@
+@@ -141,6 +155,11 @@
  userdom_dontaudit_use_unpriv_user_fds(inetd_t)
  userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
  
@@ -8775,7 +8786,7 @@
  optional_policy(`
  	amanda_search_lib(inetd_t)
  ')
-@@ -154,6 +169,7 @@
+@@ -154,6 +173,7 @@
  ')
  
  optional_policy(`
@@ -8783,7 +8794,7 @@
  	unconfined_domtrans(inetd_t)
  ')
  
-@@ -170,6 +186,9 @@
+@@ -170,6 +190,9 @@
  # for identd
  allow inetd_child_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
  allow inetd_child_t self:capability { setuid setgid };
@@ -8793,7 +8804,7 @@
  files_search_home(inetd_child_t)
  
  manage_dirs_pattern(inetd_child_t,inetd_child_tmp_t,inetd_child_tmp_t)
-@@ -198,6 +217,8 @@
+@@ -198,6 +221,8 @@
  
  files_read_etc_files(inetd_child_t)
  
@@ -8802,7 +8813,7 @@
  libs_use_ld_so(inetd_child_t)
  libs_use_shared_libs(inetd_child_t)
  
-@@ -205,20 +226,11 @@
+@@ -205,20 +230,11 @@
  
  miscfiles_read_localization(inetd_child_t)
  
@@ -10224,6 +10235,17 @@
  	logrotate_exec(ntpd_t)
  ')
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openct.te serefpolicy-3.0.8/policy/modules/services/openct.te
+--- nsaserefpolicy/policy/modules/services/openct.te	2007-10-22 13:21:39.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/openct.te	2007-11-12 10:47:16.000000000 -0500
+@@ -22,6 +22,7 @@
+ allow openct_t self:process signal_perms;
+ 
+ manage_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
++manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)
+ files_pid_filetrans(openct_t,openct_var_run_t,file)
+ 
+ kernel_read_kernel_sysctls(openct_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/openvpn.te serefpolicy-3.0.8/policy/modules/services/openvpn.te
 --- nsaserefpolicy/policy/modules/services/openvpn.te	2007-10-22 13:21:36.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/services/openvpn.te	2007-10-29 23:59:29.000000000 -0400
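Review bot: `manage_sock_files_pattern(openct_t,openct_var_run_t,openct_var_run_t)` only helps if the socket actually ends up labelled openct_var_run_t, but `files_pid_filetrans(openct_t,openct_var_run_t,file)` on the next line transitions only the `file` class; a socket created directly in /var/run would inherit the directory's type instead and still be denied. Unless the socket lives in an already-labelled subdirectory (the openct .fc entries are not in this diff), widen the transition: `files_pid_filetrans(openct_t,openct_var_run_t,{ file sock_file })`.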
@@ -11165,7 +11187,7 @@
  optional_policy(`
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rlogin.te serefpolicy-3.0.8/policy/modules/services/rlogin.te
 --- nsaserefpolicy/policy/modules/services/rlogin.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/rlogin.te	2007-11-12 10:52:51.000000000 -0500
 @@ -36,6 +36,8 @@
  allow rlogind_t rlogind_devpts_t:chr_file { rw_chr_file_perms setattr };
  term_create_pty(rlogind_t,rlogind_devpts_t)
@@ -12716,7 +12738,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.0.8/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/ssh.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/ssh.te	2007-11-12 11:17:12.000000000 -0500
 @@ -24,7 +24,7 @@
  
  # Type for the ssh-agent executable.
@@ -13101,7 +13123,7 @@
  dev_read_sysfs(xfs_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.fc serefpolicy-3.0.8/policy/modules/services/xserver.fc
 --- nsaserefpolicy/policy/modules/services/xserver.fc	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.fc	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.fc	2007-11-12 11:55:40.000000000 -0500
 @@ -32,11 +32,6 @@
  /etc/X11/wdm/Xstartup.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
  /etc/X11/Xsession[^/]*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -13122,9 +13144,11 @@
  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
  /usr/bin/iceauth		--	gen_context(system_u:object_r:iceauth_exec_t,s0)
  /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-@@ -92,13 +88,16 @@
+@@ -91,14 +87,19 @@
+ 
  /var/lib/[xkw]dm(/.*)?		gen_context(system_u:object_r:xdm_var_lib_t,s0)
  /var/lib/xkb(/.*)?		gen_context(system_u:object_r:xkb_var_lib_t,s0)
++/var/lib/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_lib_t,s0)
  
 -/var/log/[kw]dm\.log	--	gen_context(system_u:object_r:xserver_log_t,s0)
 +/var/log/[kw]dm\.log.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
@@ -13137,12 +13161,13 @@
  /var/run/[gx]dm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
  /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 +/var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
++/var/run/xorg(/.*)?		gen_context(system_u:object_r:xserver_var_run_t,s0)
  
  ifdef(`distro_suse',`
  /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.if serefpolicy-3.0.8/policy/modules/services/xserver.if
 --- nsaserefpolicy/policy/modules/services/xserver.if	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-11-08 10:56:23.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/services/xserver.if	2007-11-12 11:59:59.000000000 -0500
 @@ -126,6 +126,8 @@
  	# read events - the synaptics touchpad driver reads raw events
  	dev_rw_input_dev($1_xserver_t)
@@ -13214,7 +13239,21 @@
  
  	xserver_use_user_fonts($1,$1_xserver_t)
  	xserver_rw_xdm_tmp_files($1_xauth_t)
-@@ -353,12 +356,6 @@
+@@ -324,13 +327,6 @@
+ 		userhelper_search_config($1_xserver_t)
+ 	')
+ 
+-	ifdef(`TODO',`
+-	ifdef(`xdm.te', `
+-		allow $1_t xdm_tmp_t:sock_file unlink;
+-		allow $1_xserver_t xdm_var_run_t:dir search;
+-	')
+-	') dnl end TODO
+-
+ 	##############################
+ 	#
+ 	# $1_xauth_t Local policy
+@@ -353,12 +349,6 @@
  	# allow ps to show xauth
  	ps_process_pattern($2,$1_xauth_t)
  
@@ -13227,7 +13266,7 @@
  	domain_use_interactive_fds($1_xauth_t)
  
  	files_read_etc_files($1_xauth_t)
-@@ -387,6 +384,14 @@
+@@ -387,6 +377,14 @@
  	')
  
  	optional_policy(`
@@ -13242,7 +13281,7 @@
  		nis_use_ypbind($1_xauth_t)
  	')
  
-@@ -536,17 +541,15 @@
+@@ -536,17 +534,15 @@
  template(`xserver_user_client_template',`
  
  	gen_require(`
@@ -13266,7 +13305,7 @@
  
  	# for when /tmp/.X11-unix is created by the system
  	allow $2 xdm_t:fd use;
-@@ -555,25 +558,54 @@
+@@ -555,25 +551,54 @@
  	allow $2 xdm_tmp_t:sock_file { read write };
  	dontaudit $2 xdm_t:tcp_socket { read write };
  
@@ -13329,7 +13368,7 @@
  	')
  ')
  
-@@ -626,6 +658,24 @@
+@@ -626,6 +651,24 @@
  
  ########################################
  ## <summary>
@@ -13354,7 +13393,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -659,6 +709,73 @@
+@@ -659,6 +702,73 @@
  
  ########################################
  ## <summary>
@@ -13428,7 +13467,7 @@
  ##	Transition to a user Xauthority domain.
  ## </summary>
  ## <desc>
-@@ -927,6 +1044,7 @@
+@@ -927,6 +1037,7 @@
  	files_search_tmp($1)
  	allow $1 xdm_tmp_t:dir list_dir_perms;
  	create_sock_files_pattern($1,xdm_tmp_t,xdm_tmp_t)
@@ -13436,7 +13475,7 @@
  ')
  
  ########################################
-@@ -987,6 +1105,37 @@
+@@ -987,6 +1098,37 @@
  
  ########################################
  ## <summary>
@@ -13474,7 +13513,7 @@
  ##	Make an X session script an entrypoint for the specified domain.
  ## </summary>
  ## <param name="domain">
-@@ -1136,7 +1285,7 @@
+@@ -1136,7 +1278,7 @@
  		type xdm_xserver_tmp_t;
  	')
  
@@ -13483,7 +13522,7 @@
  ')
  
  ########################################
-@@ -1325,3 +1474,63 @@
+@@ -1325,3 +1467,82 @@
  	files_search_tmp($1)
  	stream_connect_pattern($1,xdm_xserver_tmp_t,xdm_xserver_tmp_t,xdm_xserver_t)
  ')
@@ -13528,6 +13567,25 @@
 +
 +########################################
 +## <summary>
++##	Connect to apmd over an unix stream socket.
++## </summary>
++## <param name="domain">
++##	<summary>
++##	Domain allowed access.
++##	</summary>
++## </param>
++#
++interface(`xserver_stream_connect',`
++	gen_require(`
++		type xdm_xserver_t, xserver_var_run_t;
++	')
++
++	files_search_pids($1)
++	stream_connect_pattern($1,xserver_var_run_t,xserver_var_run_t,xdm_xserver_t)
++')
++
++########################################
++## <summary>
 +##	xdm xserver RW shared memory socket.
 +## </summary>
 +## <param name="domain">
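Review bot: The summary of the new `xserver_stream_connect` interface reads `Connect to apmd over an unix stream socket.`, which looks copied from another interface — the body connects `$1` to `xdm_xserver_t` through `xserver_var_run_t`. Change it to `## Connect to the X server over a unix stream socket.` so the generated interface documentation is not misleading.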
@@ -13549,7 +13607,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te	2007-11-12 11:58:08.000000000 -0500
 @@ -16,6 +16,13 @@
  
  ## <desc>
@@ -13564,7 +13622,27 @@
  ## Allow xdm logins as sysadm
  ## </p>
  ## </desc>
-@@ -96,7 +103,7 @@
+@@ -56,6 +63,9 @@
+ type xdm_var_run_t;
+ files_pid_file(xdm_var_run_t)
+ 
++type xserver_var_run_t;
++files_pid_file(xserver_var_run_t)
++
+ type xdm_tmp_t;
+ files_tmp_file(xdm_tmp_t)
+ typealias xdm_tmp_t alias ice_tmp_t;
+@@ -67,6 +77,9 @@
+ type xkb_var_lib_t;
+ files_type(xkb_var_lib_t)
+ 
++type xserver_var_lib_t;
++files_type(xserver_var_lib_t)
++
+ # Type for the executable used to start the X server, e.g. Xwrapper.
+ type xserver_exec_t;
+ corecmd_executable_file(xserver_exec_t)
+@@ -96,7 +109,7 @@
  #
  
  allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
@@ -13573,7 +13651,7 @@
  allow xdm_t self:fifo_file rw_fifo_file_perms;
  allow xdm_t self:shm create_shm_perms;
  allow xdm_t self:sem create_sem_perms;
-@@ -132,15 +139,20 @@
+@@ -132,15 +145,20 @@
  manage_fifo_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  manage_sock_files_pattern(xdm_t,xdm_tmpfs_t,xdm_tmpfs_t)
  fs_tmpfs_filetrans(xdm_t,xdm_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
@@ -13595,7 +13673,7 @@
  
  allow xdm_t xdm_xserver_t:process signal;
  allow xdm_t xdm_xserver_t:unix_stream_socket connectto;
-@@ -185,6 +197,7 @@
+@@ -185,6 +203,7 @@
  corenet_udp_sendrecv_all_ports(xdm_t)
  corenet_tcp_bind_all_nodes(xdm_t)
  corenet_udp_bind_all_nodes(xdm_t)
@@ -13603,7 +13681,7 @@
  corenet_tcp_connect_all_ports(xdm_t)
  corenet_sendrecv_all_client_packets(xdm_t)
  # xdm tries to bind to biff_port_t
-@@ -197,6 +210,7 @@
+@@ -197,6 +216,7 @@
  dev_getattr_mouse_dev(xdm_t)
  dev_setattr_mouse_dev(xdm_t)
  dev_rw_apm_bios(xdm_t)
@@ -13611,7 +13689,7 @@
  dev_setattr_apm_bios_dev(xdm_t)
  dev_rw_dri(xdm_t)
  dev_rw_agp(xdm_t)
-@@ -246,6 +260,7 @@
+@@ -246,6 +266,7 @@
  auth_domtrans_pam_console(xdm_t)
  auth_manage_pam_pid(xdm_t)
  auth_manage_pam_console_data(xdm_t)
@@ -13619,7 +13697,7 @@
  auth_rw_faillog(xdm_t)
  auth_write_login_records(xdm_t)
  
-@@ -257,6 +272,7 @@
+@@ -257,6 +278,7 @@
  libs_exec_lib_files(xdm_t)
  
  logging_read_generic_logs(xdm_t)
@@ -13627,7 +13705,7 @@
  
  miscfiles_read_localization(xdm_t)
  miscfiles_read_fonts(xdm_t)
-@@ -268,9 +284,14 @@
+@@ -268,9 +290,14 @@
  userdom_create_all_users_keys(xdm_t)
  # for .dmrc
  userdom_read_unpriv_users_home_content_files(xdm_t)
@@ -13642,7 +13720,7 @@
  
  xserver_rw_session_template(xdm,xdm_t,xdm_tmpfs_t)
  
-@@ -306,6 +327,11 @@
+@@ -306,6 +333,11 @@
  
  optional_policy(`
  	consolekit_dbus_chat(xdm_t)
@@ -13654,7 +13732,7 @@
  ')
  
  optional_policy(`
-@@ -348,12 +374,8 @@
+@@ -348,12 +380,8 @@
  ')
  
  optional_policy(`
@@ -13668,7 +13746,7 @@
  
  	ifdef(`distro_rhel4',`
  		allow xdm_t self:process { execheap execmem };
-@@ -385,7 +407,7 @@
+@@ -385,7 +413,7 @@
  allow xdm_xserver_t xdm_var_lib_t:file { getattr read };
  dontaudit xdm_xserver_t xdm_var_lib_t:dir search;
  
@@ -13677,7 +13755,23 @@
  
  # Label pid and temporary files with derived types.
  manage_files_pattern(xdm_xserver_t,xdm_tmp_t,xdm_tmp_t)
-@@ -425,6 +447,14 @@
+@@ -397,6 +425,15 @@
+ can_exec(xdm_xserver_t, xkb_var_lib_t)
+ files_search_var_lib(xdm_xserver_t)
+ 
++manage_dirs_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)	
++manage_files_pattern(xdm_xserver_t,xserver_var_lib_t,xserver_var_lib_t)
++files_var_lib_filetrans(xdm_xserver_t,xserver_var_lib_t,dir)
++
++manage_dirs_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)	
++manage_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)
++manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)
++files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)
++
+ # VNC v4 module in X server
+ corenet_tcp_bind_vnc_port(xdm_xserver_t)
+ 
+@@ -425,6 +462,14 @@
  ')
  
  optional_policy(`
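Review bot: In the rules added after `files_search_var_lib(xdm_xserver_t)`, `manage_sock_files_pattern(xdm_xserver_t,xdm_var_run_t,xdm_var_run_t)` names xdm_var_run_t while the neighbouring pid rules and the new `xserver_stream_connect` interface (xserver.if hunk) use xserver_var_run_t; if the X server's socket is created under /var/run/xorg, which the xserver.fc hunk labels xserver_var_run_t, this rule does not cover it and callers of the new interface have nothing to connect to. Either the type is a typo for xserver_var_run_t or both are needed; in the latter case add `manage_sock_files_pattern(xdm_xserver_t,xserver_var_run_t,xserver_var_run_t)` alongside it. `files_pid_filetrans(xdm_xserver_t,xserver_var_run_t,dir)` also transitions only directories, so a socket created straight in /var/run would not get the new type either. The two `manage_dirs_pattern(...)` lines carry trailing whitespace.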
@@ -13692,7 +13786,7 @@
  	resmgr_stream_connect(xdm_t)
  ')
  
-@@ -434,47 +464,26 @@
+@@ -434,47 +479,26 @@
  ')
  
  optional_policy(`
@@ -16372,7 +16466,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/raid.te serefpolicy-3.0.8/policy/modules/system/raid.te
 --- nsaserefpolicy/policy/modules/system/raid.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/raid.te	2007-10-29 23:59:29.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/raid.te	2007-11-12 10:34:49.000000000 -0500
 @@ -19,7 +19,7 @@
  # Local policy
  #
@@ -16390,6 +16484,17 @@
  
  fs_search_auto_mountpoints(mdadm_t)
  fs_dontaudit_list_tmpfs(mdadm_t)
+@@ -83,5 +84,10 @@
+ ')
+ 
+ optional_policy(`
++	unconfined_domain(mdadm_t)
++')
++
++optional_policy(`
+ 	udev_read_db(mdadm_t)
+ ')
++
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.fc serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc
 --- nsaserefpolicy/policy/modules/system/selinuxutil.fc	2007-10-22 13:21:40.000000000 -0400
 +++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.fc	2007-10-29 23:59:29.000000000 -0400
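Review bot: `unconfined_domain(mdadm_t)` makes mdadm unconfined whenever the unconfined module is present, with no comment on why and no mention in the 3.0.8-52 changelog entry; a short comment above the optional_policy giving the motivation (it is not in the diff, so I cannot supply it) would help later audits decide whether it is still needed. The hunk also appends a trailing blank line at end of file (the final `+` after the closing `')`), which is noise and can be dropped.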
@@ -16680,7 +16785,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.0.8/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-11-09 14:27:22.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/selinuxutil.te	2007-11-12 11:41:10.000000000 -0500
 @@ -76,7 +76,6 @@
  type restorecond_exec_t;
  init_daemon_domain(restorecond_t,restorecond_exec_t)
@@ -16700,7 +16805,15 @@
  type semanage_store_t;
  files_type(semanage_store_t)
  
-@@ -194,10 +197,19 @@
+@@ -170,6 +173,7 @@
+ files_read_etc_runtime_files(load_policy_t)
+ 
+ fs_getattr_xattr_fs(load_policy_t)
++fs_list_inotifyfs(load_policy_t)
+ 
+ mls_file_read_all_levels(load_policy_t)
+ 
+@@ -194,10 +198,19 @@
  	# cjp: cover up stray file descriptors.
  	dontaudit load_policy_t selinux_config_t:file write;
  	optional_policy(`
@@ -16721,7 +16834,7 @@
  ########################################
  #
  # Newrole local policy
-@@ -215,7 +227,7 @@
+@@ -215,7 +228,7 @@
  allow newrole_t self:msg { send receive };
  allow newrole_t self:unix_dgram_socket sendto;
  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -16730,7 +16843,7 @@
  
  read_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
  read_lnk_files_pattern(newrole_t,selinux_config_t,selinux_config_t)
-@@ -252,8 +264,11 @@
+@@ -252,8 +265,11 @@
  term_getattr_unallocated_ttys(newrole_t)
  term_dontaudit_use_unallocated_ttys(newrole_t)
  
@@ -16742,7 +16855,7 @@
  
  corecmd_list_bin(newrole_t)
  corecmd_read_bin_symlinks(newrole_t)
-@@ -273,6 +288,7 @@
+@@ -273,6 +289,7 @@
  libs_use_ld_so(newrole_t)
  libs_use_shared_libs(newrole_t)
  
@@ -16750,7 +16863,7 @@
  logging_send_syslog_msg(newrole_t)
  
  miscfiles_read_localization(newrole_t)
-@@ -294,14 +310,6 @@
+@@ -294,14 +311,6 @@
  	files_polyinstantiate_all(newrole_t)
  ')
  
@@ -16765,7 +16878,7 @@
  ########################################
  #
  # Restorecond local policy
-@@ -309,11 +317,12 @@
+@@ -309,11 +318,12 @@
  
  allow restorecond_t self:capability { dac_override dac_read_search fowner };
  allow restorecond_t self:fifo_file rw_fifo_file_perms;
@@ -16779,7 +16892,7 @@
  kernel_use_fds(restorecond_t)
  kernel_rw_pipes(restorecond_t)
  kernel_read_system_state(restorecond_t)
-@@ -343,15 +352,12 @@
+@@ -343,15 +353,12 @@
  
  miscfiles_read_localization(restorecond_t)
  
@@ -16797,7 +16910,7 @@
  
  #################################
  #
-@@ -361,7 +367,7 @@
+@@ -361,7 +368,7 @@
  allow run_init_t self:process setexec;
  allow run_init_t self:capability setuid;
  allow run_init_t self:fifo_file rw_file_perms;
@@ -16806,7 +16919,7 @@
  
  # often the administrator runs such programs from a directory that is owned
  # by a different user or has restrictive SE permissions, do not want to audit
-@@ -375,6 +381,7 @@
+@@ -375,6 +382,7 @@
  term_dontaudit_list_ptys(run_init_t)
  
  auth_domtrans_chk_passwd(run_init_t)
@@ -16814,7 +16927,7 @@
  auth_dontaudit_read_shadow(run_init_t)
  
  corecmd_exec_bin(run_init_t)
-@@ -423,77 +430,52 @@
+@@ -423,77 +431,52 @@
  	nscd_socket_use(run_init_t)
  ')	
  
@@ -16918,7 +17031,7 @@
  # cjp: need a more general way to handle this:
  ifdef(`enable_mls',`
  	# read secadm tmp files
-@@ -521,6 +503,11 @@
+@@ -521,6 +504,11 @@
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:file r_file_perms;
  allow setfiles_t { policy_src_t policy_config_t file_context_t selinux_config_t default_context_t }:lnk_file r_file_perms;
  
@@ -16930,7 +17043,7 @@
  kernel_read_system_state(setfiles_t)
  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
  kernel_relabelfrom_unlabeled_files(setfiles_t)
-@@ -537,6 +524,7 @@
+@@ -537,6 +525,7 @@
  
  fs_getattr_xattr_fs(setfiles_t)
  fs_list_all(setfiles_t)
@@ -16938,7 +17051,7 @@
  fs_search_auto_mountpoints(setfiles_t)
  fs_relabelfrom_noxattr_fs(setfiles_t)
  
-@@ -590,8 +578,16 @@
+@@ -590,8 +579,16 @@
  	fs_relabel_tmpfs_chr_file(setfiles_t)
  ')
  
@@ -17529,7 +17642,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/unconfined.te serefpolicy-3.0.8/policy/modules/system/unconfined.te
 --- nsaserefpolicy/policy/modules/system/unconfined.te	2007-10-22 13:21:40.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-11-08 17:36:37.000000000 -0500
++++ serefpolicy-3.0.8/policy/modules/system/unconfined.te	2007-11-12 10:02:10.000000000 -0500
 @@ -5,36 +5,52 @@
  #
  # Declarations
@@ -17590,7 +17703,7 @@
  
  libs_run_ldconfig(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
-@@ -42,37 +58,37 @@
+@@ -42,37 +58,39 @@
  logging_run_auditctl(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
  
  mount_run_unconfined(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -17620,7 +17733,9 @@
  
  optional_policy(`
 -	bind_run_ndc(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
-+	apache_run_helper(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
++	apache_per_role_template(unconfined, unconfined_t, unconfined_r)
++	apache_run_helper(unconfined_t, unconfined_r, { unconfined_devpts_t unconfined_tty_device_t })
++	unconfined_domain(httpd_unconfined_script_t)
  ')
  
  optional_policy(`
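Review bot: `unconfined_domain(httpd_unconfined_script_t)` relies on `httpd_unconfined_script_t` existing, and the explicit declaration of that type in apache.te is removed elsewhere in this commit, so the type presumably now comes from the `apache_per_role_template(unconfined, unconfined_t, unconfined_r)` expansion on the line above — confirm the template declares `httpd_$1_script_t` before this line is reached, otherwise the unconfined module fails to build. A comment such as `# CGI scripts run for the unconfined role are deliberately unconfined` above the three lines would document why an httpd script domain is left unconfined, since that is the kind of rule a later hardening pass would otherwise remove.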
@@ -17637,7 +17752,7 @@
  ')
  
  optional_policy(`
-@@ -107,22 +123,22 @@
+@@ -107,22 +125,22 @@
  	optional_policy(`
  		oddjob_dbus_chat(unconfined_t)
  	')
@@ -17666,7 +17781,7 @@
  ')
  
  optional_policy(`
-@@ -130,15 +146,10 @@
+@@ -130,15 +148,10 @@
  ')
  
  optional_policy(`
@@ -17684,7 +17799,7 @@
  ')
  
  optional_policy(`
-@@ -155,32 +166,23 @@
+@@ -155,32 +168,23 @@
  
  optional_policy(`
  	postfix_run_map(unconfined_t,unconfined_r,{ unconfined_devpts_t unconfined_tty_device_t })
@@ -17721,7 +17836,7 @@
  ')
  
  optional_policy(`
-@@ -205,11 +207,22 @@
+@@ -205,11 +209,22 @@
  ')
  
  optional_policy(`
@@ -17746,7 +17861,7 @@
  ')
  
  ########################################
-@@ -219,14 +232,28 @@
+@@ -219,14 +234,28 @@
  
  allow unconfined_execmem_t self:process { execstack execmem };
  unconfined_domain_noaudit(unconfined_execmem_t)


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.574
retrieving revision 1.575
diff -u -r1.574 -r1.575
--- selinux-policy.spec	10 Nov 2007 13:18:35 -0000	1.574
+++ selinux-policy.spec	12 Nov 2007 18:42:15 -0000	1.575
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.0.8
-Release: 51%{?dist}
+Release: 52%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -380,6 +380,9 @@
 %endif
 
 %changelog
+* Mon Nov 11 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-52
+- Allow apache to read unconfined users content
+
 * Sat Nov 10 2007 Dan Walsh <dwalsh at redhat.com> 3.0.8-51
 - Allow login programs to run mount
 - Dontaudit writes to user_home_t for semanage



