rpms/selinux-policy/devel policy-20080509.patch, 1.20, 1.21 selinux-policy.spec, 1.675, 1.676

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jun 24 11:14:50 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23537

Modified Files:
	policy-20080509.patch selinux-policy.spec 
Log Message:
* Tue Jun 24 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-7
- Allow confined users to use postgres
- Allow system_mail_t to exec other mail clients
- Label mongrel_rails as an apache server


policy-20080509.patch:

Index: policy-20080509.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/policy-20080509.patch,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- policy-20080509.patch	23 Jun 2008 12:20:04 -0000	1.20
+++ policy-20080509.patch	24 Jun 2008 11:14:04 -0000	1.21
@@ -642,7 +642,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.4.2/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te	2008-06-12 23:37:53.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te	2008-06-24 06:26:50.000000000 -0400
 @@ -78,6 +78,7 @@
  dev_read_urand(mrtg_t)
  
@@ -651,6 +651,55 @@
  
  files_read_usr_files(mrtg_t)
  files_search_var(mrtg_t)
+@@ -101,6 +102,8 @@
+ init_read_utmp(mrtg_t)
+ init_dontaudit_write_utmp(mrtg_t)
+ 
++auth_use_nsswitch(mrtg_t)
++
+ libs_read_lib_files(mrtg_t)
+ libs_use_ld_so(mrtg_t)
+ libs_use_shared_libs(mrtg_t)
+@@ -111,12 +114,10 @@
+ 
+ selinux_dontaudit_getattr_dir(mrtg_t)
+ 
+-# Use the network.
+-sysnet_read_config(mrtg_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+ 
+ sysadm_use_terms(mrtg_t)
++sysadm_dontaudit_read_home_content_files(mrtg_t)
+ 
+ ifdef(`enable_mls',`
+ 	corenet_udp_sendrecv_lo_if(mrtg_t)
+@@ -140,14 +141,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(mrtg_t)
+-')
+-
+-optional_policy(`
+-	nscd_dontaudit_search_pid(mrtg_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(mrtg_t)
+ ')
+ 
+@@ -162,10 +155,3 @@
+ optional_policy(`
+ 	udev_read_db(mrtg_t)
+ ')
+-
+-ifdef(`TODO',`
+-	# should not need this!
+-	dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
+-	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
+-	dontaudit mrtg_t root_t:lnk_file getattr;
+-')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2008-06-12 23:25:08.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/admin/netutils.te	2008-06-12 23:37:53.000000000 -0400
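Review bot: `sysadm_dontaudit_read_home_content_files(mrtg_t)` silences denials rather than granting access, so if mrtg genuinely needs a file under the admin's home (the TODO block removed at the end of this hunk shows it has been probing staff/sysadm home directories) it will still fail, now without an AVC message to point at; a one-line reason above it would help the next reader, e.g. `# mrtg probes the invoking admin's home on startup; silence rather than grant`. `auth_use_nsswitch(mrtg_t)` also appears to be a broader interface than the three calls it replaces (`sysnet_read_config`, `nis_use_ypbind`, `nscd_dontaudit_search_pid`), which is presumably intended but worth confirming against what mrtg actually resolves at runtime.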
@@ -7923,8 +7972,8 @@
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.4.2/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/staff.te	2008-06-12 23:37:52.000000000 -0400
-@@ -8,18 +8,30 @@
++++ serefpolicy-3.4.2/policy/modules/roles/staff.te	2008-06-24 07:05:16.000000000 -0400
+@@ -8,18 +8,34 @@
  
  role staff_r;
  
@@ -7953,10 +8002,14 @@
 +')
 +
 +optional_policy(`
++	postgresql_userdom_template(staff,staff_t,staff_r)
++')
++
++optional_policy(`
  	secadm_role_change_template(staff)
  ')
  
-@@ -28,3 +40,14 @@
+@@ -28,3 +44,14 @@
  	sysadm_dontaudit_use_terms(staff_t)
  ')
  
@@ -7973,7 +8026,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.4.2/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if	2008-06-14 07:13:35.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if	2008-06-24 06:22:32.000000000 -0400
 @@ -334,10 +334,10 @@
  #
  interface(`sysadm_getattr_home_dirs',`
@@ -8135,7 +8188,7 @@
  ## <summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.4.2/policy/modules/roles/unprivuser.if
 --- nsaserefpolicy/policy/modules/roles/unprivuser.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if	2008-06-24 05:57:35.000000000 -0400
 @@ -62,6 +62,26 @@
  	files_home_filetrans($1,user_home_dir_t,dir)
  ')
@@ -8805,8 +8858,8 @@
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.4.2/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te	2008-06-12 23:37:52.000000000 -0400
-@@ -13,3 +13,19 @@
++++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te	2008-06-24 07:05:40.000000000 -0400
+@@ -13,3 +13,23 @@
  
  userdom_unpriv_user_template(user)
  
@@ -8819,6 +8872,10 @@
 +')
 +
 +optional_policy(`
++	postgresql_userdom_template(user,user_t,user_r)
++')
++
++optional_policy(`
 +	rpm_dontaudit_dbus_chat(user_t)
 +')
 +
@@ -9322,14 +9379,14 @@
  # amavis local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.4.2/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/apache.fc	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/apache.fc	2008-06-24 07:09:51.000000000 -0400
 @@ -1,4 +1,4 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
  
  /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
  /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
-@@ -16,7 +16,6 @@
+@@ -16,13 +16,13 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -9337,7 +9394,14 @@
  /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -33,6 +32,7 @@
+ /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+ /usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+ 
++/usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+@@ -33,6 +33,7 @@
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -9345,7 +9409,7 @@
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,11 +48,14 @@
+@@ -48,11 +49,14 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -9360,7 +9424,7 @@
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +69,21 @@
+@@ -66,10 +70,21 @@
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  
@@ -16036,8 +16100,8 @@
 +/usr/libexec/gam_server	--	gen_context(system_u:object_r:gamin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.4.2/policy/modules/services/gamin.if
 --- nsaserefpolicy/policy/modules/services/gamin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.4.2/policy/modules/services/gamin.if	2008-06-12 23:37:52.000000000 -0400
-@@ -0,0 +1,39 @@
++++ serefpolicy-3.4.2/policy/modules/services/gamin.if	2008-06-24 06:34:46.000000000 -0400
+@@ -0,0 +1,57 @@
 +
 +## <summary>policy for gamin</summary>
 +
@@ -16062,6 +16126,24 @@
 +
 +########################################
 +## <summary>
++##	Execute gamin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gamin_exec',`
++	gen_require(`
++                type gamin_exec_t;
++	')
++
++	can_exec($1,gamin_exec_t)
++')
++
++########################################
++## <summary>
 +##	Connect to gamin over an unix stream socket.
 +## </summary>
 +## <param name="domain">
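Review bot: The `gamin_exec` interface's parameter summary reads `Domain allowed to transition.`, but `can_exec($1, gamin_exec_t)` executes gam_server in the caller's own domain with no transition, so the documentation describes something the rule does not do; change the parameter text to `##	Domain allowed to execute gam_server in its own domain.` and the summary to `##	Execute gam_server in the caller domain (no transition).` That distinction matters to a caller deciding whether the file-monitor helper stays confined separately from the parent. The `type gamin_exec_t;` line inside `gen_require` is indented with spaces where the rest of the block uses tabs.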
@@ -17707,7 +17789,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/mta.te	2008-06-12 23:37:52.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/mta.te	2008-06-24 05:41:16.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -17725,13 +17807,15 @@
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-@@ -37,30 +40,50 @@
+@@ -37,30 +40,52 @@
  #
  
  # newalias required this, not sure if it is needed in 'if' file
 -allow system_mail_t self:capability { dac_override };
 +allow system_mail_t self:capability { dac_override fowner };
 +allow system_mail_t self:fifo_file rw_fifo_file_perms;
++
++can_exec(system_mail_t, mailclient_exec_type)
  
  read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
 +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
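Review bot: `can_exec(system_mail_t, mailclient_exec_type)` runs every executable carrying the `mailclient_exec_type` attribute inside `system_mail_t` itself, with no domain transition, so each of those clients inherits the `dac_override` and `fowner` capabilities granted two lines above and the read access to all `mailcontent_type` files below it; any module that later tags a binary with that attribute silently widens what runs with those privileges. If the changelog goal (system mail executing other clients) only needs the clients to run, a domain transition into the client's own domain would keep the capabilities out of it; if in-domain execution is intended, a comment such as `# other MUAs run in-domain and inherit system_mail_t's capabilities; keep mailclient_exec_type tightly scoped` should record the decision. The enclosing policy block continues past the end of this hunk.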
@@ -17777,7 +17861,7 @@
  ')
  
  optional_policy(`
-@@ -73,7 +96,10 @@
+@@ -73,7 +98,10 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
@@ -17788,7 +17872,7 @@
  ')
  
  optional_policy(`
-@@ -81,6 +107,11 @@
+@@ -81,6 +109,11 @@
  ')
  
  optional_policy(`
@@ -17800,7 +17884,7 @@
  	logrotate_read_tmp_files(system_mail_t)
  ')
  
-@@ -136,11 +167,38 @@
+@@ -136,11 +169,38 @@
  ')
  
  optional_policy(`
@@ -17840,7 +17924,7 @@
  optional_policy(`
  	# why is mail delivered to a directory of type arpwatch_data_t?
  	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +212,4 @@
+@@ -154,3 +214,4 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
@@ -21027,7 +21111,7 @@
 +/etc/rc\.d/init\.d/prelude-lml --      gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.4.2/policy/modules/services/prelude.if
 --- nsaserefpolicy/policy/modules/services/prelude.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/prelude.if	2008-06-23 08:18:26.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/prelude.if	2008-06-24 06:33:22.000000000 -0400
 @@ -42,7 +42,7 @@
  ## </summary>
  ## <param name="domain">
@@ -21037,7 +21121,7 @@
  ## </summary>
  ## </param>
  #
-@@ -56,6 +56,80 @@
+@@ -56,6 +56,81 @@
  
  ########################################
  ## <summary>
@@ -21074,6 +21158,7 @@
 +	')
 +
 +	files_search_spool($1)
++	list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
 +	rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
 +')
 +
@@ -21118,7 +21203,7 @@
  ##	All of the rules required to administrate 
  ##	an prelude environment
  ## </summary>
-@@ -64,6 +138,16 @@
+@@ -64,6 +139,16 @@
  ##	Domain allowed access.
  ##	</summary>
  ## </param>
@@ -21135,7 +21220,7 @@
  ## <rolecap/>
  #
  interface(`prelude_admin',`
-@@ -71,6 +155,11 @@
+@@ -71,6 +156,11 @@
  		type prelude_t, prelude_spool_t;
  		type prelude_var_run_t, prelude_var_lib_t;
  		type prelude_audisp_t, prelude_audisp_var_run_t;
@@ -21147,7 +21232,7 @@
  	')
  
  	allow $1 prelude_t:process { ptrace signal_perms };
-@@ -79,11 +168,23 @@
+@@ -79,11 +169,23 @@
  	allow $1 prelude_audisp_t:process { ptrace signal_perms };
  	ps_process_pattern($1, prelude_audisp_t)
  
@@ -21179,7 +21264,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-06-23 08:09:53.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-06-24 06:34:11.000000000 -0400
 @@ -19,12 +19,31 @@
  type prelude_var_lib_t;
  files_type(prelude_var_lib_t)
@@ -21238,7 +21323,7 @@
  
  dev_read_rand(prelude_audisp_t)
  dev_read_urand(prelude_audisp_t)
-@@ -126,6 +150,76 @@
+@@ -126,6 +150,80 @@
  
  miscfiles_read_localization(prelude_audisp_t)
  
@@ -21309,13 +21394,17 @@
 +miscfiles_read_localization(prelude_lml_t)
 +
 +optional_policy(`
++	gamin_exec(prelude_lml_t)
++')
++
++optional_policy(`
 +	apache_read_log(prelude_lml_t)
 +')
 +
  ########################################
  #
  # prewikka_cgi Declarations
-@@ -135,6 +229,10 @@
+@@ -135,6 +233,10 @@
  	apache_content_template(prewikka)
  	files_read_etc_files(httpd_prewikka_script_t)
  
@@ -28016,6 +28105,19 @@
  kernel_read_kernel_sysctls(zebra_t)
  kernel_rw_net_sysctls(zebra_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.4.2/policy/modules/system/application.te
+--- nsaserefpolicy/policy/modules/system/application.te	2008-06-12 23:25:07.000000000 -0400
++++ serefpolicy-3.4.2/policy/modules/system/application.te	2008-06-24 05:58:09.000000000 -0400
+@@ -7,6 +7,9 @@
+ # Executables to be run by user
+ attribute application_exec_type;
+ 
++unprivuser_append_home_content_files(application_domain_type)
++unprivuser_write_tmp_files(application_domain_type)
++
+ optional_policy(`
+ 	ssh_sigchld(application_domain_type)
+ 	ssh_rw_stream_sockets(application_domain_type)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.4.2/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2008-06-12 23:25:07.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/system/authlogin.fc	2008-06-12 23:37:52.000000000 -0400
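Review bot: `unprivuser_append_home_content_files(application_domain_type)` and `unprivuser_write_tmp_files(application_domain_type)` are attribute-wide, unconditional grants: every domain that carries `application_domain_type` gets append on user home content and write on user tmp files, with no boolean gating and no comment saying why, and the grant widens automatically as more domains are given that attribute. Append access to home content is enough to add lines to shell startup files if those are among the types the interface covers, which is exactly the access a confined application is usually meant not to have; if only particular applications need it, a per-domain grant or a boolean would be narrower. At minimum a why-comment above the pair, e.g. `# all user application domains may append home content and write user tmp; not gated by a boolean`, should record the reason and who asked for it.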


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/devel/selinux-policy.spec,v
retrieving revision 1.675
retrieving revision 1.676
diff -u -r1.675 -r1.676
--- selinux-policy.spec	23 Jun 2008 12:20:04 -0000	1.675
+++ selinux-policy.spec	24 Jun 2008 11:14:04 -0000	1.676
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.4.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -375,6 +375,11 @@
 %endif
 
 %changelog
+* Tue Jun 24 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-7
+- Allow confined users to use postgres
+- Allow system_mail_t to exec other mail clients
+- Label mogrel_rails as an apache server
+
 * Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.4.2-6
 - Apply unconfined_execmem_exec_t to haskell programs
 



