Change request: SELinux tweaks.

Luke Macken lmacken at redhat.com
Fri Nov 21 19:22:56 UTC 2008


Attached are some patches that will fix many AVCs that are currently
happening within our infrastructure.

Patch 0010-Fix-our-semanage_fcontext-function-to-work-on-symlin.patch
/should/ fix the problem introduced in
41acfbc83c80d12d915a0d6087e841aba2c7e78c that caused restorecon to flip
out when trying to apply context to a symlink.

The rest should all be fairly straightforward fixes that involve
flipping booleans, setting context, and creating custom policy modules.
Apologies for the binary blobs in the diffs :)

luke
-------------- next part --------------
From 88b27f114147315ca789b6dda1263353f8582fd5 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at puppet1.fedora.phx.redhat.com>
Date: Fri, 21 Nov 2008 15:15:58 +0000
Subject: [PATCH] Add a custom SELinux policy module for our noc systems.

This allows ping_t to read from a nagios_spool_t fifo.

diff --git a/configs/system/selinux/modules/noc.pp b/configs/system/selinux/modules/noc.pp
new file mode 100644
index 0000000000000000000000000000000000000000..1321793adc4bc4c484d1a66ffa6efcaeaba50480
GIT binary patch
literal 23375

literal 0
HcmV?d00001

diff --git a/configs/system/selinux/modules/noc.te b/configs/system/selinux/modules/noc.te
new file mode 100644
index 0000000..fd1b716
--- /dev/null
+++ b/configs/system/selinux/modules/noc.te
@@ -0,0 +1,10 @@
+policy_module(noc,1.0.0)
+
+require {
+	type nagios_spool_t;
+	type ping_t;
+	class fifo_file read;
+}
+
+#============= ping_t ==============
+allow ping_t nagios_spool_t:fifo_file read;
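
Review bot: The final rule, "allow ping_t nagios_spool_t:fifo_file read;", applies to every fifo labelled nagios_spool_t, and neither the commit message nor noc.te records which denial it answers. Add a comment above the rule quoting the AVC (the command and the fifo path) so the grant can be re-checked later; if ping only inherits the descriptor from the Nagios check and never reads from it, a dontaudit rule would silence the denial without granting access. The bare "require { ... }" block also differs from the gen_require form used in masher.te in this series; pick one style for modules that start with policy_module().
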
diff --git a/manifests/servergroups/noc.pp b/manifests/servergroups/noc.pp
index 862fa2a..337bad2 100644
--- a/manifests/servergroups/noc.pp
+++ b/manifests/servergroups/noc.pp
@@ -25,4 +25,6 @@ class noc {
     }
 
     selinux_bool { 'httpd_can_network_connect_db': bool => 'on' }
+    semodule { 'noc':
+    }
 }
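
Review bot: The "semodule { 'noc':" declaration arrives together with a prebuilt binary, configs/system/selinux/modules/noc.pp (literal 23375), that a reviewer cannot compare with noc.te from the diff. Building the package from noc.te in a build step, or at least recording the build command and a checksum in the commit message, would make the loaded policy verifiable. The binary's .pp extension is also the one Puppet manifests use under manifests/, which is easy to misread.
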
-- 
1.5.5.1

-------------- next part --------------
From 970120e458e784396d57279b85fce7382b975929 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at puppet1.fedora.phx.redhat.com>
Date: Fri, 21 Nov 2008 15:17:30 +0000
Subject: [PATCH] Create a custom SELinux policy module for hosted, and enable
 the rsync_export_all_ro boolean.


diff --git a/configs/system/selinux/modules/hosted.pp b/configs/system/selinux/modules/hosted.pp
new file mode 100644
index 0000000000000000000000000000000000000000..36f27ed44d9dfdc786366be0031e277fb9a0b012
GIT binary patch
literal 23544

literal 0
HcmV?d00001

diff --git a/configs/system/selinux/modules/hosted.te b/configs/system/selinux/modules/hosted.te
new file mode 100644
index 0000000..2d0a8df
--- /dev/null
+++ b/configs/system/selinux/modules/hosted.te
@@ -0,0 +1,8 @@
+policy_module(hosted,1.0.0)
+
+require {
+        type httpd_sys_script_t;
+}                                                                               
+
+#============= httpd_sys_script_t ==============                                
+auth_getattr_shadow(httpd_sys_script_t)
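
Review bot: "auth_getattr_shadow(httpd_sys_script_t)" on the last line lets every CGI script in this domain getattr the shadow file, and the commit message gives no reason for it. If the denial comes from a script that only stats files as a side effect, auth_dontaudit_getattr_shadow(httpd_sys_script_t) hides the AVC without granting the permission; otherwise add a comment naming the script that needs it. The closing brace of the require block and the comment line also carry trailing whitespace.
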
diff --git a/manifests/servergroups/hosted.pp b/manifests/servergroups/hosted.pp
index 0172046..81548c2 100644
--- a/manifests/servergroups/hosted.pp
+++ b/manifests/servergroups/hosted.pp
@@ -74,4 +74,11 @@ class hosted {
     semodule { 'git':
     }
 
+    semodule { 'hosted':
+    }
+
+    selinux_bool { 'rsync_export_all_ro':
+         bool => 'on' 
+    }
+
 }
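
Review bot: The second added resource turns on rsync_export_all_ro, which lets rsync export files read-only regardless of their type, and the subject line does not say which export triggered it. Labelling the exported tree with a type rsync may already read (for example public_content_t through semanage_fcontext) keeps the grant to that tree. The block also uses a nine-space indent and leaves a trailing space after 'on', unlike the one-line selinux_bool form used in noc.pp and appRelEng.pp.
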
-- 
1.5.5.1

-------------- next part --------------
From ea3f73b3971316a4ad8040769c08e232db6a728a Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at puppet1.fedora.phx.redhat.com>
Date: Fri, 21 Nov 2008 15:18:12 +0000
Subject: [PATCH] Set the context of /home/fedoramail/procmail.log to postfix_var_run_t on bastion


diff --git a/manifests/servergroups/gateway.pp b/manifests/servergroups/gateway.pp
index 03f6b16..a29995c 100644
--- a/manifests/servergroups/gateway.pp
+++ b/manifests/servergroups/gateway.pp
@@ -30,4 +30,9 @@ class gateway{
         ensure => running,
         hasstatus => true,
     }
+
+    semanage_fcontext { '/home/fedoramail/procmail.log':
+        type => 'postfix_var_run_t'
+    }
+    
 }
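
Review bot: The added semanage_fcontext gives /home/fedoramail/procmail.log the type postfix_var_run_t, a type whose name marks it as postfix runtime state, so a log file in a home directory ends up sharing a label with unrelated files. A short comment saying which domain writes the log and why this type was chosen would help; a dedicated type or a log type is easier to reason about if policy allows it. The hunk also adds a line containing only whitespace before the closing brace.
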
-- 
1.5.5.1

-------------- next part --------------
From 23642165938b5c6aea2f241e151c608cc2163101 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at puppet1.fedora.phx.redhat.com>
Date: Fri, 21 Nov 2008 15:18:33 +0000
Subject: [PATCH] Enable the rsync_export_all_ro SELinux boolean on cvs.


diff --git a/manifests/servergroups/cvs.pp b/manifests/servergroups/cvs.pp
index f3aad3e..c2c884f 100644
--- a/manifests/servergroups/cvs.pp
+++ b/manifests/servergroups/cvs.pp
@@ -24,5 +24,8 @@ class cvs {
         hasstatus => true,
     }
 
+    selinux_bool { 'rsync_export_all_ro':
+         bool => 'on' 
+    }
 
 }
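
Review bot: "selinux_bool { 'rsync_export_all_ro':" is declared here with the same title as the resource added to class hosted in the earlier patch of this series, so a node that includes both classes would hit a duplicate definition. If that can happen, move the declaration into one shared class. As on hosted, the commit should say which rsync export needs the boolean. The hunk also leaves two blank lines before the closing brace.
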
-- 
1.5.5.1

-------------- next part --------------
From f8e7911733b2a22729fabc0c175dda75d1d34e62 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at puppet1.fedora.phx.redhat.com>
Date: Fri, 21 Nov 2008 15:18:53 +0000
Subject: [PATCH] Enable the nfs_export_all_rw and httpd_use_nfs booleans on appRelEng


diff --git a/manifests/servergroups/appRelEng.pp b/manifests/servergroups/appRelEng.pp
index 88f2684..926f161 100644
--- a/manifests/servergroups/appRelEng.pp
+++ b/manifests/servergroups/appRelEng.pp
@@ -31,6 +31,8 @@ class appRelEng {
     }
 
     selinux_bool { 'use_nfs_home_dirs': bool => 'on' }
+    selinux_bool { 'nfs_export_all_rw': bool => 'on' }
+    selinux_bool { 'httpd_use_nfs': bool => 'on' }
     selinux_bool { 'httpd_enable_homedirs': bool => 'on' }
     selinux_bool { 'httpd_can_network_connect_db': bool => 'on' }
 
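
Review bot: nfs_export_all_rw on the first added line is the read-write form of the export boolean, and nothing in the patch says the exports need writes. If clients only read from this server, nfs_export_all_ro is the narrower choice; if writes are required, name the export and the client in the commit message. httpd_use_nfs on the next line is likewise added without a stated reason.
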
-- 
1.5.5.1

-------------- next part --------------
From a0b54ada732c3f9141c6be0c94c9e1230ae8a1c7 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at redhat.com>
Date: Fri, 21 Nov 2008 19:01:28 +0000
Subject: [PATCH] Update our masher SELinux policy module to allow cvs/rpm usage


diff --git a/configs/system/selinux/modules/masher.pp b/configs/system/selinux/modules/masher.pp
index 6dfc9e2be5b4866a95a414f137fd8fb2054bdc71..4fccc6d9fadba7a527a40c132a8237a5f6f85b19 100644
GIT binary patch
delta 394

delta 150

diff --git a/configs/system/selinux/modules/masher.te b/configs/system/selinux/modules/masher.te
index b133a5c..d31f1d2 100644
--- a/configs/system/selinux/modules/masher.te
+++ b/configs/system/selinux/modules/masher.te
@@ -2,6 +2,14 @@ policy_module(masher,1.0.0)
 
 gen_require(`
 	type httpd_t;
+	type rpm_var_lib_t;
 ')
 
 domain_read_all_domains_state(httpd_t)
+
+cvs_exec(httpd_t)
+rpm_exec(httpd_t)
+
+allow httpd_t rpm_var_lib_t:dir { getattr search };
+allow httpd_t rpm_var_lib_t:file { read_file_perms };
+
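
Review bot: cvs_exec(httpd_t) and rpm_exec(httpd_t) are granted to httpd_t itself, so everything running in the web server domain on this host may run cvs and rpm in that domain, not only the masher code. Say in the commit message why a separate domain for the masher was not used. The hunk header shows policy_module(masher,1.0.0) unchanged although the rules changed, so bump the version; the braces in "{ read_file_perms }" are unnecessary around a single permission-set name, and the patch adds a blank line at end of file.
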
-- 
1.5.5.1

-------------- next part --------------
From b056b1f93b6d05b3de48675deebf372a2cdf53d7 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at redhat.com>
Date: Fri, 21 Nov 2008 19:03:50 +0000
Subject: [PATCH] Add a collab SELinux module for our mailman setup


diff --git a/configs/system/selinux/modules/collab.pp b/configs/system/selinux/modules/collab.pp
new file mode 100644
index 0000000000000000000000000000000000000000..7afa4d1019fde644afcd205f4f658135e92cbcf2
GIT binary patch
literal 23390

literal 0
HcmV?d00001

diff --git a/configs/system/selinux/modules/collab.te b/configs/system/selinux/modules/collab.te
new file mode 100644
index 0000000..f6a6196
--- /dev/null
+++ b/configs/system/selinux/modules/collab.te
@@ -0,0 +1,11 @@
+policy_module(collab,1.0.0)
+
+require {
+	type mailman_mail_t;
+	type initrc_tmp_t;
+	class file ioctl;
+}
+
+#============= mailman_mail_t ==============
+allow mailman_mail_t initrc_tmp_t:file ioctl;
+
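
Review bot: The only rule, "allow mailman_mail_t initrc_tmp_t:file ioctl;", grants ioctl with no read or write, which suggests the denial came from a descriptor mailman inherited rather than a file it opens itself; the module does not say. Add a comment with the AVC, and consider a dontaudit rule if mailman works without the access. The file also ends with a blank line.
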
diff --git a/manifests/servergroups/collab.pp b/manifests/servergroups/collab.pp
index 988d57e..e46e392 100644
--- a/manifests/servergroups/collab.pp
+++ b/manifests/servergroups/collab.pp
@@ -31,4 +31,7 @@ class collab {
         type => 'mailman_data_t'
     }
 
+    semodule { 'collab':
+    }
+
 }
-- 
1.5.5.1

-------------- next part --------------
From 5a58dc586baec0eef83dc36558dfe14a50d64dce Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at redhat.com>
Date: Fri, 21 Nov 2008 19:04:22 +0000
Subject: [PATCH] Set the proper context of /cvs and /srv/cache on cvs


diff --git a/manifests/servergroups/cvs.pp b/manifests/servergroups/cvs.pp
index c2c884f..6f0a721 100644
--- a/manifests/servergroups/cvs.pp
+++ b/manifests/servergroups/cvs.pp
@@ -28,4 +28,12 @@ class cvs {
          bool => 'on' 
     }
 
+    semanage_fcontext { '/cvs':
+        type => 'httpd_sys_content_t'
+    }
+
+    semanage_fcontext { '/srv/cache(/.*)?':
+        type => 'httpd_sys_script_rw_t'
+    }
+
 }
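
Review bot: '/cvs' is passed without a "(/.*)?" suffix, so the file-context entry matches only the directory itself, while '/srv/cache(/.*)?' below it covers the tree. With the semanage_fcontext define shown in the selinux.pp patch of this series, dirname '/cvs' is /, so the exec runs restorecon -R on / and its unless guard tests the label of /, which will not contain httpd_sys_content_t; the command would then run on every Puppet run. Use '/cvs(/.*)?' if the contents are meant to be labelled, and check how the define behaves for top-level paths.
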
-- 
1.5.5.1

-------------- next part --------------
From a0e6a8f2453dd1f990acdc4c78790d1985323518 Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at redhat.com>
Date: Fri, 21 Nov 2008 19:05:08 +0000
Subject: [PATCH] Set the httpd_sys_script_rw_t context to various bodhi locations


diff --git a/manifests/services/bodhi.pp b/manifests/services/bodhi.pp
index 5a7a5d6..a0789a0 100644
--- a/manifests/services/bodhi.pp
+++ b/manifests/services/bodhi.pp
@@ -163,6 +163,14 @@ class bodhi-masher inherits bodhi-wsgi-server {
         mode => '0440'
     }
 
+    semanage_fcontext { '/home/masher/.cvspass':
+        type => 'httpd_sys_script_rw_t'
+    }
+
+    semanage_fcontext { '/usr/share/bodhi/comps(/.*)?':
+        type => 'httpd_sys_script_rw_t'
+    }
+
 }
 
 class bodhi-dev inherits bodhi-wsgi-server {
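
Review bot: The first added resource labels /home/masher/.cvspass, a CVS credential file, as httpd_sys_script_rw_t, which makes it writable at the SELinux layer by httpd scripts even if they only need to read it. httpd_sys_content_t or another read-only type would fit better unless cvs login is run from the web application. The second resource makes everything under /usr/share/bodhi/comps writable for the same domain; a comment on what writes there would help.
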
-- 
1.5.5.1

-------------- next part --------------
From 67016e61225de15224afeeccd49653101869be8c Mon Sep 17 00:00:00 2001
From: Luke Macken <lmacken at redhat.com>
Date: Fri, 21 Nov 2008 19:06:53 +0000
Subject: [PATCH] Fix our semanage_fcontext function to work on symlinks


diff --git a/manifests/filetypes/selinux.pp b/manifests/filetypes/selinux.pp
index 97140ec..dcafde3 100644
--- a/manifests/filetypes/selinux.pp
+++ b/manifests/filetypes/selinux.pp
@@ -7,7 +7,7 @@ define selinux_bool($bool) {
 }
 
 define semanage_fcontext($type) {
-    exec { "/usr/sbin/semanage fcontext -a -t $type '$name'; /sbin/restorecon -R `/usr/bin/dirname '$name' | /bin/sed 's/(//'`":
+    exec { "/usr/sbin/semanage fcontext -a -t $type '$name'; /sbin/restorecon -R `/usr/bin/dirname '$name/' | /bin/sed 's/(.*//'`":
         unless => "/usr/sbin/matchpathcon `/usr/bin/dirname '$name' | /bin/sed 's/(//'` | grep -qe $type",
         cwd => '/',
     }
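
Review bot: Only the exec title is changed; the unless guard on the next line still uses dirname '$name' with sed 's/(//', so the guard and the command can now resolve different paths. dirname ignores a trailing slash, so '$name/' yields the same directory as '$name' and the effective change is the sed expression alone; update unless to match, or compute the path once. The guard also checks the parent directory's context rather than the target's, so for single-file entries it may never succeed and the exec would repeat on every run. Separately, $type is interpolated into the shell string unquoted, and the ";" between semanage and restorecon means restorecon -R runs even when semanage fails; "&&" would stop on error.
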
-- 
1.5.5.1


