[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/selinux-policy-targeted/devel policy-20050706.patch, 1.3, 1.4 selinux-policy-targeted.spec, 1.341, 1.342



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv13581

Modified Files:
	policy-20050706.patch selinux-policy-targeted.spec 
Log Message:
* Thu Jul 7 2005 Dan Walsh <dwalsh redhat com> 1.25.1-5
- Allow cgi script to append to httpd_log_t
- More fixes for samba net command


policy-20050706.patch:
 domains/admin.te                     |    5 +++++
 domains/program/getty.te             |    7 +++++++
 domains/program/netutils.te          |    2 ++
 domains/program/passwd.te            |    5 +++++
 domains/program/unused/apache.te     |    1 +
 domains/program/unused/apmd.te       |    7 +++++--
 domains/program/unused/bluetooth.te  |    3 ++-
 domains/program/unused/ciped.te      |    3 +--
 domains/program/unused/cups.te       |    7 +++++--
 domains/program/unused/cyrus.te      |    5 +----
 domains/program/unused/dhcpc.te      |    1 +
 domains/program/unused/dovecot.te    |    1 +
 domains/program/unused/hald.te       |    3 ++-
 domains/program/unused/hotplug.te    |    4 +++-
 domains/program/unused/hwclock.te    |    3 ---
 domains/program/unused/nscd.te       |    1 +
 domains/program/unused/pppd.te       |    7 ++++---
 domains/program/unused/prelink.te    |    3 ---
 domains/program/unused/radvd.te      |    3 ++-
 domains/program/unused/rpcd.te       |    6 +++++-
 domains/program/unused/samba.te      |   33 +++++++++++++++++++++++++++++++--
 domains/program/unused/squid.te      |    3 +++
 domains/program/unused/winbind.te    |   12 +++++++++++-
 file_contexts/program/cups.fc        |    2 ++
 file_contexts/program/rpcd.fc        |    3 ++-
 file_contexts/program/samba.fc       |    1 +
 file_contexts/program/winbind.fc     |    1 +
 file_contexts/types.fc               |   14 +++++++-------
 macros/admin_macros.te               |    3 ---
 macros/base_user_macros.te           |    4 +---
 macros/global_macros.te              |    1 +
 macros/program/apache_macros.te      |    5 ++---
 macros/program/chkpwd_macros.te      |    7 +++++++
 macros/program/dbusd_macros.te       |    2 +-
 macros/program/evolution_macros.te   |    6 ------
 macros/program/games_domain.te       |    3 ---
 macros/program/java_macros.te        |    2 --
 macros/program/mail_client_macros.te |   10 ++++++++--
 macros/program/mozilla_macros.te     |    2 --
 macros/program/mplayer_macros.te     |    2 +-
 macros/program/xserver_macros.te     |    4 ----
 net_contexts                         |    2 ++
 targeted/domains/unconfined.te       |    5 +++++
 tunables/distro.tun                  |    2 +-
 tunables/tunable.tun                 |    4 ++--
 types/network.te                     |    1 -
 46 files changed, 142 insertions(+), 69 deletions(-)

Index: policy-20050706.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050706.patch,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- policy-20050706.patch	6 Jul 2005 22:34:08 -0000	1.3
+++ policy-20050706.patch	7 Jul 2005 12:38:35 -0000	1.4
@@ -244,6 +244,34 @@
  log_domain(nscd)
  r_dir_file(nscd_t, cert_t)
 +allow nscd_t tun_tap_device_t:chr_file { read write };
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.25.1/domains/program/unused/pppd.te
+--- nsapolicy/domains/program/unused/pppd.te	2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.1/domains/program/unused/pppd.te	2005-07-07 07:09:25.000000000 -0400
+@@ -36,8 +36,7 @@
+ can_ypbind(pppd_t)
+ 
+ # Use capabilities.
+-allow pppd_t self:capability { net_admin setuid setgid fsetid };
+-
++allow pppd_t self:capability { net_admin setuid setgid fsetid fowner net_raw dac_override };
+ lock_domain(pppd)
+ 
+ # Access secret files
+@@ -93,7 +92,7 @@
+ # for pppoe
+ can_create_pty(pppd)
+ allow pppd_t self:file { read getattr };
+-allow pppd_t self:capability { fowner net_raw };
++
+ allow pppd_t self:packet_socket create_socket_perms;
+ 
+ file_type_auto_trans(pppd_t, etc_t, net_conf_t, file)
+@@ -101,3 +100,5 @@
+ allow pppd_t sysctl_net_t:dir search;
+ allow pppd_t sysctl_net_t:file r_file_perms;
+ allow pppd_t self:netlink_route_socket r_netlink_socket_perms;
++allow pppd_t initrc_var_run_t:file r_file_perms;
++dontaudit pppd_t initrc_var_run_t:file { lock write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/prelink.te policy-1.25.1/domains/program/unused/prelink.te
 --- nsapolicy/domains/program/unused/prelink.te	2005-04-27 10:28:52.000000000 -0400
 +++ policy-1.25.1/domains/program/unused/prelink.te	2005-07-06 17:34:19.000000000 -0400
@@ -299,6 +327,60 @@
  
  can_udp_send(nfsd_t, portmap_t)
  can_udp_send(portmap_t, nfsd_t)
+diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/samba.te policy-1.25.1/domains/program/unused/samba.te
+--- nsapolicy/domains/program/unused/samba.te	2005-07-06 17:15:07.000000000 -0400
++++ policy-1.25.1/domains/program/unused/samba.te	2005-07-07 06:25:59.000000000 -0400
+@@ -47,6 +47,8 @@
+ 
+ # Use the network.
+ can_network(smbd_t)
++can_ldap(smbd_t)
++can_kerberos(smbd_t)
+ allow smbd_t ipp_port_t:tcp_socket name_connect;
+ 
+ allow smbd_t urandom_device_t:chr_file { getattr read };
+@@ -61,8 +63,10 @@
+ 
+ # Permissions for Samba cache files in /var/cache/samba and /var/lib/samba
+ allow smbd_t var_lib_t:dir search;
+-allow smbd_t samba_var_t:dir create_dir_perms;
+-allow smbd_t samba_var_t:file create_file_perms;
++create_dir_file(smbd_t, samba_var_t)
++
++# Needed for shared printers
++allow smbd_t var_spool_t:dir search;
+ 
+ # Permissions to write log files.
+ allow smbd_t samba_log_t:file { create ra_file_perms };
+@@ -182,3 +186,28 @@
+ allow smbmount_t userdomain:fd use;
+ allow smbmount_t local_login_t:fd use;
+ ')
++# Derive from app. domain. Transition from mount.
++application_domain(samba_net, `, nscd_client_domain, privfd')
++file_type_auto_trans(samba_net_t, samba_etc_t, samba_secrets_t, file)
++read_locale(samba_net_t) 
++allow samba_net_t samba_etc_t:file r_file_perms;
++r_dir_file(samba_net_t, samba_var_t)
++can_network_udp(samba_net_t)
++access_terminal(samba_net_t, sysadm)
++allow samba_net_t self:unix_dgram_socket create_socket_perms;
++allow samba_net_t self:unix_stream_socket create_stream_socket_perms;
++rw_dir_create_file(samba_net_t, samba_var_t)
++allow samba_net_t etc_t:file { getattr read };
++can_network_client(samba_net_t)
++allow samba_net_t smbd_port_t:tcp_socket name_connect;
++can_ldap(samba_net_t)
++allow samba_net_t newrole_t:fd use;
++can_kerberos(samba_net_t)
++allow samba_net_t urandom_device_t:chr_file r_file_perms;
++allow samba_net_t proc_t:dir search;
++allow samba_net_t proc_t:lnk_file read;
++allow samba_net_t self:dir search;
++allow samba_net_t self:file read;
++allow samba_net_t self:process signal;
++tmp_domain(samba_net)
++dontaudit samba_net_t sysadm_home_dir_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/squid.te policy-1.25.1/domains/program/unused/squid.te
 --- nsapolicy/domains/program/unused/squid.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.1/domains/program/unused/squid.te	2005-07-06 17:29:15.000000000 -0400
@@ -311,8 +393,8 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.25.1/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	2005-05-25 11:28:10.000000000 -0400
-+++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-06 17:29:15.000000000 -0400
-@@ -21,6 +21,9 @@
++++ policy-1.25.1/domains/program/unused/winbind.te	2005-07-06 19:23:53.000000000 -0400
+@@ -21,8 +21,11 @@
  type samba_log_t, file_type, sysadmfile, logfile;
  type samba_var_t, file_type, sysadmfile;
  type samba_secrets_t, file_type, sysadmfile;
@@ -320,8 +402,11 @@
 +allow smbd_t winbind_var_run_t:dir r_dir_perms;
 +allow smbd_t winbind_var_run_t:sock_file getattr;
  ')
- rw_dir_file(winbind_t, samba_etc_t)
+-rw_dir_file(winbind_t, samba_etc_t)
++file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
  rw_dir_create_file(winbind_t, samba_log_t)
+ allow winbind_t samba_secrets_t:file rw_file_perms;
+ allow winbind_t self:unix_dgram_socket create_socket_perms;
 @@ -33,3 +36,10 @@
  can_kerberos(winbind_t)
  allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
@@ -342,6 +427,33 @@
  /var/cache/foomatic(/.*)? 	--	system_u:object_r:cupsd_rw_etc_t
 +/var/run/hp.*\.pid		--	system_u:object_r:hplip_var_run_t
 +/var/run/hp.*\.port		--	system_u:object_r:hplip_var_run_t
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/rpcd.fc policy-1.25.1/file_contexts/program/rpcd.fc
+--- nsapolicy/file_contexts/program/rpcd.fc	2005-02-24 14:51:09.000000000 -0500
++++ policy-1.25.1/file_contexts/program/rpcd.fc	2005-07-07 08:36:47.000000000 -0400
+@@ -1,6 +1,6 @@
+ # RPC daemons
+ /sbin/rpc\..*		--	system_u:object_r:rpcd_exec_t
+-/usr/sbin/rpc\..*	--	system_u:object_r:rpcd_exec_t
++/usr/sbin/rpc.idmapd	--	system_u:object_r:rpcd_exec_t
+ /usr/sbin/rpc\.nfsd	--	system_u:object_r:nfsd_exec_t
+ /usr/sbin/exportfs	--	system_u:object_r:nfsd_exec_t
+ /usr/sbin/rpc\.gssd	--	system_u:object_r:gssd_exec_t
+@@ -9,3 +9,4 @@
+ /var/run/rpc\.statd\.pid	--	system_u:object_r:rpcd_var_run_t
+ /var/run/rpc\.statd(/.*)?	system_u:object_r:rpcd_var_run_t
+ /etc/exports		--	system_u:object_r:exports_t
++
+diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/samba.fc policy-1.25.1/file_contexts/program/samba.fc
+--- nsapolicy/file_contexts/program/samba.fc	2005-02-24 14:51:08.000000000 -0500
++++ policy-1.25.1/file_contexts/program/samba.fc	2005-07-06 18:52:13.000000000 -0400
+@@ -1,6 +1,7 @@
+ # samba scripts
+ /usr/sbin/smbd		--	system_u:object_r:smbd_exec_t
+ /usr/sbin/nmbd		--	system_u:object_r:nmbd_exec_t
++/usr/bin/net		--	system_u:object_r:samba_net_exec_t
+ /etc/samba(/.*)?		system_u:object_r:samba_etc_t
+ /var/log/samba(/.*)?		system_u:object_r:samba_log_t
+ /var/cache/samba(/.*)?		system_u:object_r:samba_var_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.25.1/file_contexts/program/winbind.fc
 --- nsapolicy/file_contexts/program/winbind.fc	2005-02-24 14:51:09.000000000 -0500
 +++ policy-1.25.1/file_contexts/program/winbind.fc	2005-07-06 17:29:15.000000000 -0400
@@ -423,8 +535,18 @@
  allow $1 null_device_t:chr_file rw_file_perms;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/apache_macros.te policy-1.25.1/macros/program/apache_macros.te
 --- nsapolicy/macros/program/apache_macros.te	2005-07-06 17:15:07.000000000 -0400
-+++ policy-1.25.1/macros/program/apache_macros.te	2005-07-06 17:29:15.000000000 -0400
-@@ -108,6 +108,7 @@
++++ policy-1.25.1/macros/program/apache_macros.te	2005-07-07 06:44:49.000000000 -0400
+@@ -78,9 +78,6 @@
+ 
+ allow httpd_$1_script_t { urandom_device_t random_device_t }:chr_file r_file_perms;
+ 
+-# for nscd
+-dontaudit httpd_$1_script_t var_t:dir search;
+-
+ ###########################################################################
+ # Allow the script interpreters to run the scripts.  So
+ # the perl executable will be able to run a perl script
+@@ -108,6 +105,7 @@
  
  if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
  create_dir_file(httpd_$1_script_t, httpdcontent)
@@ -432,10 +554,18 @@
  }
  
  #
+@@ -126,6 +124,7 @@
+ ############################################
+ # Allow scripts to append to http logs
+ #########################################
++allow httpd_$1_script_t { var_t var_log_t httpd_log_t }:dir  search;
+ allow httpd_$1_script_t httpd_log_t:file { getattr append };
+ 
+ # apache should set close-on-exec
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/chkpwd_macros.te policy-1.25.1/macros/program/chkpwd_macros.te
 --- nsapolicy/macros/program/chkpwd_macros.te	2005-06-01 06:11:23.000000000 -0400
-+++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-06 17:29:15.000000000 -0400
-@@ -32,6 +32,8 @@
++++ policy-1.25.1/macros/program/chkpwd_macros.te	2005-07-06 19:35:03.000000000 -0400
+@@ -32,9 +32,16 @@
  domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
  allow auth_chkpwd sbin_t:dir search;
  allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
@@ -444,6 +574,14 @@
  dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
  dontaudit auth_chkpwd shadow_t:file { getattr read };
  can_ypbind(auth_chkpwd)
++can_kerberos(auth_chkpwd)
++can_ldap(auth_chkpwd)
++ifdef(`winbind.te', `
++r_dir_file(auth_chkpwd, winbind_var_run_t)
++')
+ ', `
+ domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
+ allow $1_t sbin_t:dir search;
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/program/dbusd_macros.te policy-1.25.1/macros/program/dbusd_macros.te
 --- nsapolicy/macros/program/dbusd_macros.te	2005-07-06 17:15:07.000000000 -0400
 +++ policy-1.25.1/macros/program/dbusd_macros.te	2005-07-06 17:29:15.000000000 -0400


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/selinux-policy-targeted.spec,v
retrieving revision 1.341
retrieving revision 1.342
diff -u -r1.341 -r1.342
--- selinux-policy-targeted.spec	6 Jul 2005 23:40:41 -0000	1.341
+++ selinux-policy-targeted.spec	7 Jul 2005 12:38:35 -0000	1.342
@@ -11,7 +11,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.25.1
-Release: 4
+Release: 5
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -237,6 +237,10 @@
 exit 0
 
 %changelog
+* Thu Jul 7 2005 Dan Walsh <dwalsh redhat com> 1.25.1-5
+- Allow cgi script to append to httpd_log_t
+- More fixes for samba net command
+
 * Wed Jul 6 2005 Dan Walsh <dwalsh redhat com> 1.25.1-4
 - Add boolean to allow sysadm_t to ptrace
 


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]