rpms/selinux-policy/F-9 policy-20071130.patch, 1.179, 1.180 selinux-policy.spec, 1.686, 1.687
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Jun 24 11:15:11 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23569
Modified Files:
policy-20071130.patch selinux-policy.spec
Log Message:
* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-71
- Allow system_mail_t to exec other mail clients
- Label mongrel_rails as an apache server
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.179
retrieving revision 1.180
diff -u -r1.179 -r1.180
--- policy-20071130.patch 23 Jun 2008 12:20:17 -0000 1.179
+++ policy-20071130.patch 24 Jun 2008 11:14:24 -0000 1.180
@@ -2079,7 +2079,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.3.1/policy/modules/admin/mrtg.te
--- nsaserefpolicy/policy/modules/admin/mrtg.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/admin/mrtg.te 2008-06-12 23:38:03.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/admin/mrtg.te 2008-06-24 06:27:18.000000000 -0400
@@ -78,6 +78,7 @@
dev_read_urand(mrtg_t)
@@ -2088,6 +2088,53 @@
files_read_usr_files(mrtg_t)
files_search_var(mrtg_t)
+@@ -101,6 +102,8 @@
+ init_read_utmp(mrtg_t)
+ init_dontaudit_write_utmp(mrtg_t)
+
++auth_use_nsswitch(mrtg_t)
++
+ libs_read_lib_files(mrtg_t)
+ libs_use_ld_so(mrtg_t)
+ libs_use_shared_libs(mrtg_t)
+@@ -111,11 +114,9 @@
+
+ selinux_dontaudit_getattr_dir(mrtg_t)
+
+-# Use the network.
+-sysnet_read_config(mrtg_t)
+-
+ userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
+ userdom_use_sysadm_terms(mrtg_t)
++userdom_dontaudit_list_sysadm_home_dirs(mrtg_t)
+
+ ifdef(`enable_mls',`
+ corenet_udp_sendrecv_lo_if(mrtg_t)
+@@ -139,14 +140,6 @@
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(mrtg_t)
+-')
+-
+-optional_policy(`
+- nscd_dontaudit_search_pid(mrtg_t)
+-')
+-
+-optional_policy(`
+ seutil_sigchld_newrole(mrtg_t)
+ ')
+
+@@ -162,9 +155,3 @@
+ udev_read_db(mrtg_t)
+ ')
+
+-ifdef(`TODO',`
+- # should not need this!
+- dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
+- dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
+- dontaudit mrtg_t root_t:lnk_file getattr;
+-')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.3.1/policy/modules/admin/netutils.te
--- nsaserefpolicy/policy/modules/admin/netutils.te 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/admin/netutils.te 2008-06-12 23:38:03.000000000 -0400
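Review bot: The new `userdom_dontaudit_list_sysadm_home_dirs(mrtg_t)` silences the same sysadm-home directory search that the removed `ifdef(`TODO'` block marked "should not need this!", so the reason mrtg ends up in those directories is no longer recorded anywhere in the module. A one-line comment above the dontaudit, e.g. `# mrtg should not need sysadm home dirs; silence the denial rather than allow it`, keeps that decision visible and distinguishes it from a missing allow rule. Replacing `sysnet_read_config`/`nis_use_ypbind`/`nscd_dontaudit_search_pid` with `auth_use_nsswitch(mrtg_t)` is a consolidation, but it presumably also grants whatever else that interface covers, which is worth a glance before the release.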
@@ -9294,7 +9341,7 @@
# amavis local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.3.1/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-12 23:38:04.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.fc 2008-06-24 07:10:15.000000000 -0400
@@ -1,10 +1,8 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
-
@@ -9308,7 +9355,7 @@
/etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
/etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
/etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
-@@ -16,7 +14,6 @@
+@@ -16,13 +14,13 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -9316,7 +9363,14 @@
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -33,6 +30,7 @@
+ /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
+ /usr/lib(64)?/httpd(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
+
++/usr/bin/mongrel_rails -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/apache-ssl(2)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+ /usr/sbin/httpd(\.worker)? -- gen_context(system_u:object_r:httpd_exec_t,s0)
+@@ -33,6 +31,7 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
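Review bot: Labelling `/usr/bin/mongrel_rails` as `httpd_exec_t` makes the Rails application server run in `httpd_t`, so the entire httpd_t ruleset and every apache boolean now apply to Rails application code rather than a narrower domain; a short comment on the line, e.g. `# mongrel_rails is treated as an apache server (runs in httpd_t)`, would make that intent explicit. If mongrel is started on a port that does not carry `http_port_t`, the bind is presumably denied in httpd_t, so the changelog or a comment should say which ports are expected. The log message spells the binary "mogrel_rails"; the file context here is the authoritative name.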
@@ -9324,7 +9378,7 @@
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,11 +46,14 @@
+@@ -48,11 +47,14 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -9339,7 +9393,7 @@
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +67,21 @@
+@@ -66,10 +68,21 @@
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
@@ -15995,8 +16049,8 @@
+/usr/libexec/gam_server -- gen_context(system_u:object_r:gamin_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.3.1/policy/modules/services/gamin.if
--- nsaserefpolicy/policy/modules/services/gamin.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.if 2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,39 @@
++++ serefpolicy-3.3.1/policy/modules/services/gamin.if 2008-06-24 06:43:23.000000000 -0400
+@@ -0,0 +1,57 @@
+
+## <summary>policy for gamin</summary>
+
@@ -16021,6 +16075,24 @@
+
+########################################
+## <summary>
++## Execute gamin.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++#
++interface(`gamin_exec',`
++ gen_require(`
++ type gamin_exec_t;
++ ')
++
++ can_exec($1,gamin_exec_t)
++')
++
++########################################
++## <summary>
+## Connect to gamin over an unix stream socket.
+## </summary>
+## <param name="domain">
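Review bot: The summary of the new `gamin_exec` interface says only "Execute gamin.", but `can_exec($1,gamin_exec_t)` runs gam_server inside the caller's domain with no transition to `gamin_t`, so the helper inherits the caller's permissions rather than gamin's own policy. Suggest `## Execute gamin in the caller domain (no transition to gamin_t).` so that callers such as prelude_lml_t, which picks this up later in the same patch, can tell they are widening their own domain rather than delegating to a confined one. The enclosing gamin.if hunk starts before this hunk.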
@@ -16038,8 +16110,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.te serefpolicy-3.3.1/policy/modules/services/gamin.te
--- nsaserefpolicy/policy/modules/services/gamin.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-06-12 23:38:04.000000000 -0400
-@@ -0,0 +1,40 @@
++++ serefpolicy-3.3.1/policy/modules/services/gamin.te 2008-06-24 06:30:34.000000000 -0400
+@@ -0,0 +1,41 @@
+policy_module(gamin,1.0.0)
+
+########################################
@@ -16050,6 +16122,7 @@
+type gamin_t;
+type gamin_exec_t;
+init_daemon_domain(gamin_t, gamin_exec_t)
++application_domain(gamin_t, gamin_exec_t)
+
+########################################
+#
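Review bot: Adding `application_domain(gamin_t, gamin_exec_t)` next to `init_daemon_domain` attaches the application_domain_type attribute to gamin_t, so the domain now silently receives every rule written against that attribute, including the home-content append added to application.te further down this patch. A comment stating why a daemon domain also needs to be an application domain, e.g. `# also an application domain: gam_server is started from user sessions, not only by init` (confirm that this is the reason), would make the dual role reviewable. The gamin.te hunk header is outside this hunk.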
@@ -17754,7 +17827,7 @@
## </summary>
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.3.1/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-22 08:32:51.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/mta.te 2008-06-24 05:41:39.000000000 -0400
@@ -6,6 +6,8 @@
# Declarations
#
@@ -17772,13 +17845,15 @@
mta_base_mail_template(system)
role system_r types system_mail_t;
-@@ -37,30 +40,49 @@
+@@ -37,30 +40,51 @@
#
# newalias required this, not sure if it is needed in 'if' file
-allow system_mail_t self:capability { dac_override };
+allow system_mail_t self:capability { dac_override fowner };
+allow system_mail_t self:fifo_file rw_fifo_file_perms;
++
++can_exec(system_mail_t, mailclient_exec_type)
read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
+read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
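Review bot: `can_exec(system_mail_t, mailclient_exec_type)` runs every executable carrying mailclient_exec_type inside system_mail_t with no domain transition, so those clients inherit the `dac_override fowner` capabilities granted two lines above rather than running under their own policy. If a transition to the client's own domain exists for the clients that need this, that is the narrower choice; otherwise a comment naming the use case, e.g. `# system mail may run other mail clients in-domain (no transition); see changelog 3.3.1-71`, keeps the grant explainable. The inner hunk `@@ -37,30 +40,51 @@` continues past the end of this outer hunk.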
@@ -17823,7 +17898,7 @@
')
optional_policy(`
-@@ -73,7 +95,18 @@
+@@ -73,7 +97,18 @@
optional_policy(`
cron_read_system_job_tmp_files(system_mail_t)
@@ -17842,7 +17917,7 @@
')
optional_policy(`
-@@ -81,6 +114,11 @@
+@@ -81,6 +116,11 @@
')
optional_policy(`
@@ -17854,7 +17929,7 @@
logrotate_read_tmp_files(system_mail_t)
')
-@@ -136,11 +174,38 @@
+@@ -136,11 +176,38 @@
')
optional_policy(`
@@ -17894,7 +17969,7 @@
optional_policy(`
# why is mail delivered to a directory of type arpwatch_data_t?
arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +219,4 @@
+@@ -154,3 +221,4 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
@@ -21111,8 +21186,8 @@
+/etc/rc\.d/init\.d/prelude-lml -- gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.3.1/policy/modules/services/prelude.if
--- nsaserefpolicy/policy/modules/services/prelude.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-23 08:18:35.000000000 -0400
-@@ -0,0 +1,190 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.if 2008-06-24 06:33:34.000000000 -0400
+@@ -0,0 +1,191 @@
+## <summary>Prelude hybrid intrusion detection system</summary>
+
+########################################
@@ -21204,6 +21279,7 @@
+ ')
+
+ files_search_spool($1)
++ list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
+ rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
+')
+
@@ -21305,8 +21381,8 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
--- nsaserefpolicy/policy/modules/services/prelude.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-23 08:14:23.000000000 -0400
-@@ -0,0 +1,244 @@
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te 2008-06-24 06:34:17.000000000 -0400
+@@ -0,0 +1,248 @@
+
+policy_module(prelude, 1.0.0)
+
@@ -21526,6 +21602,10 @@
+miscfiles_read_localization(prelude_lml_t)
+
+optional_policy(`
++ gamin_exec(prelude_lml_t)
++')
++
++optional_policy(`
+ apache_read_log(prelude_lml_t)
+')
+
@@ -29053,6 +29133,18 @@
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.3.1/policy/modules/system/application.te
+--- nsaserefpolicy/policy/modules/system/application.te 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/application.te 2008-06-24 05:55:28.000000000 -0400
+@@ -7,6 +7,8 @@
+ # Executables to be run by user
+ attribute application_exec_type;
+
++userdom_append_unpriv_users_home_content_files(application_domain_type)
++
+ optional_policy(`
+ ssh_sigchld(application_domain_type)
+ ssh_rw_stream_sockets(application_domain_type)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.3.1/policy/modules/system/authlogin.fc
--- nsaserefpolicy/policy/modules/system/authlogin.fc 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/system/authlogin.fc 2008-06-12 23:38:02.000000000 -0400
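Review bot: `userdom_append_unpriv_users_home_content_files(application_domain_type)` grants append on unprivileged users' home content to every domain that carries the attribute, unconditionally and regardless of which application actually needs it, which is a broad write into user data. If the grant serves one file (for example a per-user log), a dedicated type for that file with append from the attribute would confine the write; at minimum a comment naming the use case, e.g. `# every application domain may append to user home content because <reason>`, should accompany the rule. Note that gamin_t joins this attribute in the same patch, so it receives the grant too.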
@@ -34060,7 +34152,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.3.1/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-14 07:17:14.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/userdomain.if 2008-06-24 06:25:05.000000000 -0400
@@ -29,9 +29,14 @@
')
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/selinux-policy.spec,v
retrieving revision 1.686
retrieving revision 1.687
diff -u -r1.686 -r1.687
--- selinux-policy.spec 23 Jun 2008 12:20:17 -0000 1.686
+++ selinux-policy.spec 24 Jun 2008 11:14:24 -0000 1.687
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.3.1
-Release: 70%{?dist}
+Release: 71%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -385,7 +385,11 @@
%endif
%changelog
-* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-69
+* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-71
+- Allow system_mail_t to exec other mail clients
+- Label mogrel_rails as an apache server
+
+* Mon Jun 23 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-70
- Apply unconfined_execmem_exec_t to haskell programs
* Sun Jun 22 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-69