rpms/selinux-policy/F-9 policy-20071130.patch, 1.179, 1.180 selinux-policy.spec, 1.686, 1.687

Daniel J Walsh (dwalsh) fedora-extras-commits at redhat.com
Tue Jun 24 11:15:11 UTC 2008 

Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23569

Modified Files:
	policy-20071130.patch selinux-policy.spec 
Log Message:
* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-71
- Allow system_mail_t to exec other mail clients
- Label mogrel_rails as an apache server


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.179
retrieving revision 1.180
diff -u -r1.179 -r1.180
--- policy-20071130.patch	23 Jun 2008 12:20:17 -0000	1.179
+++ policy-20071130.patch	24 Jun 2008 11:14:24 -0000	1.180
@@ -2079,7 +2079,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.3.1/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/mrtg.te	2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/mrtg.te	2008-06-24 06:27:18.000000000 -0400
 @@ -78,6 +78,7 @@
  dev_read_urand(mrtg_t)
  
@@ -2088,6 +2088,53 @@
  
  files_read_usr_files(mrtg_t)
  files_search_var(mrtg_t)
+@@ -101,6 +102,8 @@
+ init_read_utmp(mrtg_t)
+ init_dontaudit_write_utmp(mrtg_t)
+ 
++auth_use_nsswitch(mrtg_t)
++
+ libs_read_lib_files(mrtg_t)
+ libs_use_ld_so(mrtg_t)
+ libs_use_shared_libs(mrtg_t)
+@@ -111,11 +114,9 @@
+ 
+ selinux_dontaudit_getattr_dir(mrtg_t)
+ 
+-# Use the network.
+-sysnet_read_config(mrtg_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+ userdom_use_sysadm_terms(mrtg_t)
++userdom_dontaudit_list_sysadm_home_dirs(mrtg_t)
+ 
+ ifdef(`enable_mls',`
+ 	corenet_udp_sendrecv_lo_if(mrtg_t)
+@@ -139,14 +140,6 @@
+ ')
+ 
+ optional_policy(`
+-	nis_use_ypbind(mrtg_t)
+-')
+-
+-optional_policy(`
+-	nscd_dontaudit_search_pid(mrtg_t)
+-')
+-
+-optional_policy(`
+ 	seutil_sigchld_newrole(mrtg_t)
+ ')
+ 
+@@ -162,9 +155,3 @@
+ 	udev_read_db(mrtg_t)
+ ')
+ 
+-ifdef(`TODO',`
+-	# should not need this!
+-	dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
+-	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
+-	dontaudit mrtg_t root_t:lnk_file getattr;
+-')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/admin/netutils.te	2008-06-12 23:38:03.000000000 -0400
@@ -9294,7 +9341,7 @@
  # amavis local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc	2008-06-24 07:10:15.000000000 -0400
 @@ -1,10 +1,8 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 -
@@ -9308,7 +9355,7 @@
  /etc/httpd/logs				gen_context(system_u:object_r:httpd_log_t,s0)
  /etc/httpd/modules			gen_context(system_u:object_r:httpd_modules_t,s0)
  /etc/vhosts			--	gen_context(system_u:object_r:httpd_config_t,s0)
-@@ -16,7 +14,6 @@
+@@ -16,13 +14,13 @@
  
  /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -9316,7 +9363,14 @@
  /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
  /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -33,6 +30,7 @@
+ /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+ /usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
+ 
++/usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
+@@ -33,6 +31,7 @@
  /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
  ')
  
@@ -9324,7 +9378,7 @@
  /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,11 +46,14 @@
+@@ -48,11 +47,14 @@
  
  /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
  /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -9339,7 +9393,7 @@
  /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
  /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +67,21 @@
+@@ -66,10 +68,21 @@
  /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
  /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
  
@@ -15995,8 +16049,8 @@
 +/usr/libexec/gam_server	--	gen_context(system_u:object_r:gamin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.3.1/policy/modules/services/gamin.if
 --- nsaserefpolicy/policy/modules/services/gamin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.if	2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,39 @@
++++ serefpolicy-3.3.1/policy/modules/services/gamin.if	2008-06-24 06:43:23.000000000 -0400
+@@ -0,0 +1,57 @@
 +
 +## <summary>policy for gamin</summary>
 +
@@ -16021,6 +16075,24 @@
 +
 +########################################
 +## <summary>
++##	Execute gamin.
++## </summary>
++## <param name="domain">
++## <summary>
++##	Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gamin_exec',`
++	gen_require(`
++                type gamin_exec_t;
++	')
++
++	can_exec($1,gamin_exec_t)
++')
++
++########################################
++## <summary>
 +##	Connect to gamin over an unix stream socket.
 +## </summary>
 +## <param name="domain">
@@ -16038,8 +16110,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
 --- nsaserefpolicy/policy/modules/services/gamin.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,40 @@
++++ serefpolicy-3.3.1/policy/modules/services/gamin.te	2008-06-24 06:30:34.000000000 -0400
+@@ -0,0 +1,41 @@
 +policy_module(gamin,1.0.0)
 +
 +########################################
@@ -16050,6 +16122,7 @@
 +type gamin_t;
 +type gamin_exec_t;
 +init_daemon_domain(gamin_t, gamin_exec_t)
++application_domain(gamin_t, gamin_exec_t)
 +
 +########################################
 +#
@@ -17754,7 +17827,7 @@
  ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-06-22 08:32:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te	2008-06-24 05:41:39.000000000 -0400
 @@ -6,6 +6,8 @@
  # Declarations
  #
@@ -17772,13 +17845,15 @@
  
  mta_base_mail_template(system)
  role system_r types system_mail_t;
-@@ -37,30 +40,49 @@
+@@ -37,30 +40,51 @@
  #
  
  # newalias required this, not sure if it is needed in 'if' file
 -allow system_mail_t self:capability { dac_override };
 +allow system_mail_t self:capability { dac_override fowner };
 +allow system_mail_t self:fifo_file rw_fifo_file_perms;
++
++can_exec(system_mail_t, mailclient_exec_type)
  
  read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
 +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
@@ -17823,7 +17898,7 @@
  ')
  
  optional_policy(`
-@@ -73,7 +95,18 @@
+@@ -73,7 +97,18 @@
  
  optional_policy(`
  	cron_read_system_job_tmp_files(system_mail_t)
@@ -17842,7 +17917,7 @@
  ')
  
  optional_policy(`
-@@ -81,6 +114,11 @@
+@@ -81,6 +116,11 @@
  ')
  
  optional_policy(`
@@ -17854,7 +17929,7 @@
  	logrotate_read_tmp_files(system_mail_t)
  ')
  
-@@ -136,11 +174,38 @@
+@@ -136,11 +176,38 @@
  ')
  
  optional_policy(`
@@ -17894,7 +17969,7 @@
  optional_policy(`
  	# why is mail delivered to a directory of type arpwatch_data_t?
  	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +219,4 @@
+@@ -154,3 +221,4 @@
  		cron_read_system_job_tmp_files(mta_user_agent)
  	')
  ')
@@ -21111,8 +21186,8 @@
 +/etc/rc\.d/init\.d/prelude-lml --      gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if
 --- nsaserefpolicy/policy/modules/services/prelude.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.if	2008-06-23 08:18:35.000000000 -0400
-@@ -0,0 +1,190 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.if	2008-06-24 06:33:34.000000000 -0400
+@@ -0,0 +1,191 @@
 +## <summary>Prelude hybrid intrusion detection system</summary>
 +
 +########################################
@@ -21204,6 +21279,7 @@
 +	')
 +
 +	files_search_spool($1)
++	list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
 +	rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
 +')
 +
@@ -21305,8 +21381,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-06-23 08:14:23.000000000 -0400
-@@ -0,0 +1,244 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-06-24 06:34:17.000000000 -0400
+@@ -0,0 +1,248 @@
 +
 +policy_module(prelude, 1.0.0)
 +
@@ -21526,6 +21602,10 @@
 +miscfiles_read_localization(prelude_lml_t)
 +
 +optional_policy(`
++	gamin_exec(prelude_lml_t)
++')
++
++optional_policy(`
 +	apache_read_log(prelude_lml_t)
 +')
 +
@@ -29053,6 +29133,18 @@
  kernel_read_kernel_sysctls(zebra_t)
  kernel_rw_net_sysctls(zebra_t)
  
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.3.1/policy/modules/system/application.te
+--- nsaserefpolicy/policy/modules/system/application.te	2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/application.te	2008-06-24 05:55:28.000000000 -0400
+@@ -7,6 +7,8 @@
+ # Executables to be run by user
+ attribute application_exec_type;
+ 
++userdom_append_unpriv_users_home_content_files(application_domain_type)
++
+ optional_policy(`
+ 	ssh_sigchld(application_domain_type)
+ 	ssh_rw_stream_sockets(application_domain_type)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.3.1/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2008-06-12 23:38:01.000000000 -0400
 +++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc	2008-06-12 23:38:02.000000000 -0400
@@ -34060,7 +34152,7 @@
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-06-14 07:17:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if	2008-06-24 06:25:05.000000000 -0400
 @@ -29,9 +29,14 @@
  	')
  


Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.686
retrieving revision 1.687
diff -u -r1.686 -r1.687
--- selinux-policy.spec	23 Jun 2008 12:20:17 -0000	1.686
+++ selinux-policy.spec	24 Jun 2008 11:14:24 -0000	1.687
@@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.3.1
-Release: 70%{?dist}
+Release: 71%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -385,7 +385,11 @@
 %endif
 
 %changelog
-* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-69
+* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-71
+- Allow system_mail_t to exec other mail clients
+- Label mogrel_rails as an apache server
+
+* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-70
 - Apply unconfined_execmem_exec_t to haskell programs
 
 * Sun Jun 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-69

More information about the fedora-extras-commits mailing list