
rpms/selinux-policy-targeted/FC-3 policy-20050104.patch, 1.50, 1.51 selinux-policy-targeted.spec, 1.218, 1.219



Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/FC-3
In directory cvs.devel.redhat.com:/tmp/cvs-serv29630

Modified Files:
	policy-20050104.patch selinux-policy-targeted.spec 
Log Message:
* Tue Jul 12 2005 Dan Walsh <dwalsh redhat com> 1.17.30-3.17
- Allow nscd to use tun_tap device
- Add winbind_helper
- Allow apache to work with ldap


policy-20050104.patch:
 Makefile                              |   50 +++--
 attrib.te                             |   29 +++
 domains/admin.te                      |    2 
 domains/program/crond.te              |    7 
 domains/program/ldconfig.te           |   24 ++
 domains/program/login.te              |    2 
 domains/program/logrotate.te          |   24 +-
 domains/program/mount.te              |    2 
 domains/program/ssh.te                |    7 
 domains/program/syslogd.te            |   40 ++--
 domains/program/unused/acct.te        |    6 
 domains/program/unused/apache.te      |  310 ++++++++++++++++++++++------------
 domains/program/unused/arpwatch.te    |   26 ++
 domains/program/unused/cups.te        |   58 +++++-
 domains/program/unused/dhcpc.te       |    5 
 domains/program/unused/dhcpd.te       |   24 +-
 domains/program/unused/dovecot.te     |    3 
 domains/program/unused/ftpd.te        |    2 
 domains/program/unused/hald.te        |    3 
 domains/program/unused/howl.te        |    2 
 domains/program/unused/innd.te        |    7 
 domains/program/unused/ipsec.te       |    9 
 domains/program/unused/iptables.te    |    3 
 domains/program/unused/mailman.te     |   29 ++-
 domains/program/unused/mdadm.te       |    3 
 domains/program/unused/mta.te         |   25 ++
 domains/program/unused/mysqld.te      |   29 +--
 domains/program/unused/named.te       |   39 ++--
 domains/program/unused/nscd.te        |   64 +++----
 domains/program/unused/ntpd.te        |   27 ++
 domains/program/unused/portmap.te     |   21 ++
 domains/program/unused/postfix.te     |    2 
 domains/program/unused/postgresql.te  |   62 +++++-
 domains/program/unused/procmail.te    |    1 
 domains/program/unused/pxe.te         |    1 
 domains/program/unused/rpcd.te        |    2 
 domains/program/unused/rpm.te         |    5 
 domains/program/unused/rsync.te       |    2 
 domains/program/unused/samba.te       |    4 
 domains/program/unused/sendmail.te    |    2 
 domains/program/unused/slrnpull.te    |    1 
 domains/program/unused/snmpd.te       |   31 ++-
 domains/program/unused/spamd.te       |    2 
 domains/program/unused/squid.te       |   30 ++-
 domains/program/unused/udev.te        |    5 
 domains/program/unused/updfstab.te    |    1 
 domains/program/unused/winbind.te     |   48 +++++
 domains/program/unused/xdm.te         |    4 
 domains/program/unused/ypbind.te      |   15 -
 domains/program/unused/ypserv.te      |    7 
 domains/user.te                       |    6 
 file_contexts/distros.fc              |  174 ++++++++++++++++---
 file_contexts/program/apache.fc       |   28 ++-
 file_contexts/program/arpwatch.fc     |    3 
 file_contexts/program/cups.fc         |    5 
 file_contexts/program/dhcpd.fc        |   25 ++
 file_contexts/program/ipsec.fc        |   11 -
 file_contexts/program/mailman.fc      |   15 -
 file_contexts/program/mta.fc          |    5 
 file_contexts/program/mysqld.fc       |    4 
 file_contexts/program/named.fc        |   18 +
 file_contexts/program/nscd.fc         |    3 
 file_contexts/program/ntpd.fc         |   10 -
 file_contexts/program/portmap.fc      |    9 
 file_contexts/program/postgresql.fc   |   23 --
 file_contexts/program/sendmail.fc     |    1 
 file_contexts/program/snmpd.fc        |    4 
 file_contexts/program/squid.fc        |    2 
 file_contexts/program/syslogd.fc      |    3 
 file_contexts/program/winbind.fc      |   11 +
 file_contexts/types.fc                |  213 +++++++++--------------
 flask/access_vectors                  |   31 +++
 flask/security_classes                |    6 
 genfs_contexts                        |    2 
 macros/base_user_macros.te            |    9 
 macros/core_macros.te                 |   98 +++++++---
 macros/global_macros.te               |   99 +++-------
 macros/network_macros.te              |  172 ++++++++++++++++++
 macros/program/apache_macros.te       |  144 ++++++++-------
 macros/program/kerberos_macros.te     |   11 +
 macros/program/mount_macros.te        |    2 
 macros/program/mozilla_macros.te      |    2 
 macros/program/mta_macros.te          |    5 
 macros/program/newrole_macros.te      |    2 
 macros/program/spamassassin_macros.te |    5 
 macros/program/ssh_agent_macros.te    |    2 
 macros/program/ssh_macros.te          |    2 
 macros/program/su_macros.te           |    2 
 macros/program/userhelper_macros.te   |    3 
 macros/program/xauth_macros.te        |    2 
 macros/program/xserver_macros.te      |    4 
 macros/program/ypbind_macros.te       |   24 --
 man/man8/httpd_selinux.8              |  114 ++++++++++++
 man/man8/named_selinux.8              |   29 +++
 net_contexts                          |  103 ++++++++---
 targeted/assert.te                    |    6 
 targeted/domains/program/hotplug.te   |    4 
 targeted/domains/program/initrc.te    |    2 
 targeted/domains/program/sendmail.te  |   17 +
 targeted/domains/unconfined.te        |   55 +++++-
 targeted/types/apache.te              |    5 
 tunables/distro.tun                   |    2 
 tunables/tunable.tun                  |   21 --
 types/device.te                       |    9 
 types/file.te                         |   91 ++++++---
 types/network.te                      |   58 ++++--
 types/procfs.te                       |    4 
 107 files changed, 2000 insertions(+), 827 deletions(-)

Index: policy-20050104.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/policy-20050104.patch,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -r1.50 -r1.51
--- policy-20050104.patch	29 Jun 2005 16:43:31 -0000	1.50
+++ policy-20050104.patch	12 Jul 2005 12:04:07 -0000	1.51
@@ -377,7 +377,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.17.30/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/unused/apache.te	2005-06-10 06:52:30.000000000 -0400
++++ policy-1.17.30/domains/program/unused/apache.te	2005-07-12 07:55:02.000000000 -0400
 @@ -19,7 +19,17 @@
  #  the user CGI scripts, then relabel rule for user_r should be removed.
  #
@@ -504,7 +504,7 @@
  uses_shlib(httpd_t)
  allow httpd_t { usr_t lib_t }:file { getattr read ioctl };
  allow httpd_t usr_t:lnk_file { getattr read };
-@@ -130,21 +103,41 @@
+@@ -130,21 +103,42 @@
  
  # execute perl
  allow httpd_t { bin_t sbin_t }:dir r_dir_perms;
@@ -521,16 +521,17 @@
 +can_kerberos(httpd_t)
 +can_resolve(httpd_t)
  can_ypbind(httpd_t)
++can_ldap(httpd_t)
 +allow httpd_t { http_port_t http_cache_port_t }:tcp_socket name_bind;
-+
-+if (httpd_can_network_connect) {
-+can_network_client(httpd_t)
-+allow httpd_t port_type:tcp_socket name_connect;
-+}
  
 -###################
 -# Allow httpd to search users diretories
 -######################
++if (httpd_can_network_connect) {
++can_network_client(httpd_t)
++allow httpd_t port_type:tcp_socket name_connect;
++}
++
 +##########################################
 +# Legacy: remove when it's fixed         #
 +# Allow libphp5.so with text relocations #
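Review bot: `can_ldap(httpd_t)` is added unconditionally, while the rest of httpd's outbound TCP access (the `if (httpd_can_network_connect)` block that is only moved here) stays behind a boolean. If the intent is just to let httpd authenticate against an LDAP directory, consider gating it on that same boolean or a dedicated one, and add a comment naming the module that needs it, so the default policy does not hand every httpd instance an LDAP client connection.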
@@ -552,7 +553,7 @@
  
  #################################################
  # Allow the httpd_t to read the web servers config files
-@@ -159,11 +152,6 @@
+@@ -159,11 +153,6 @@
  r_dir_file(initrc_t, httpd_config_t)
  ##################################################
  
@@ -564,7 +565,7 @@
  ###############################
  # Allow httpd_t to put files in /var/cache/httpd etc
  ##############################
-@@ -193,12 +181,17 @@
+@@ -193,12 +182,17 @@
  # need ioctl for php
  ###############################################
  allow httpd_t etc_t:file { read getattr ioctl };
@@ -583,7 +584,7 @@
  
  ##################################################
  #
-@@ -224,7 +217,6 @@
+@@ -224,7 +218,6 @@
  # access to /tmp
  tmp_domain(httpd)
  tmp_domain(httpd_php)
@@ -591,7 +592,7 @@
  
  # Creation of lock files for apache2
  lock_domain(httpd)
-@@ -232,64 +224,177 @@
+@@ -232,64 +225,179 @@
  # connect to mysql
  ifdef(`mysqld.te', `
  can_unix_connect(httpd_php_t, mysqld_t)
@@ -767,7 +768,9 @@
 +
 +if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 +domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
++ifdef(`targeted_policy', `', `
 +domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
++')
 +}
 +if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
 +domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
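Review bot: wrapping `domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)` in `ifdef(`targeted_policy', `', ...)` removes that transition from the targeted policy, which is a behaviour change none of the three changelog entries mention. Add a changelog line and a one-line comment above the `ifdef` stating why the sysadm_t transition is strict-policy only, so the next reader does not mistake the nested quoting for a leftover.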
@@ -1468,8 +1471,8 @@
 +dontaudit ndc_t sysadm_tty_device_t:chr_file { ioctl };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/nscd.te policy-1.17.30/domains/program/unused/nscd.te
 --- nsapolicy/domains/program/unused/nscd.te	2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/domains/program/unused/nscd.te	2005-06-15 17:01:52.000000000 -0400
-@@ -3,76 +3,75 @@
++++ policy-1.17.30/domains/program/unused/nscd.te	2005-07-12 07:51:50.000000000 -0400
+@@ -3,76 +3,76 @@
  # Author:  Russell Coker <russell coker com au>
  # X-Debian-Packages: nscd
  #
@@ -1577,6 +1580,7 @@
 +allow nscd_t { urandom_device_t random_device_t }:chr_file { getattr read };
 +log_domain(nscd)
 +r_dir_file(nscd_t, cert_t)
++allow nscd_t tun_tap_device_t:chr_file { read write };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.17.30/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2004-10-09 21:07:28.000000000 -0400
 +++ policy-1.17.30/domains/program/unused/ntpd.te	2005-06-10 06:52:30.000000000 -0400
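Review bot: `allow nscd_t tun_tap_device_t:chr_file { read write };` grants read and write on every tun/tap device node, and neither the rule nor the changelog says why a name-service cache needs that. Add a comment naming the configuration that produced the denial, and if it only applies to one deployment consider putting the rule behind a tunable rather than allowing it unconditionally.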
@@ -2134,8 +2138,8 @@
 +allow updfstab_t fs_t:filesystem { getattr };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/winbind.te policy-1.17.30/domains/program/unused/winbind.te
 --- nsapolicy/domains/program/unused/winbind.te	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.17.30/domains/program/unused/winbind.te	2005-06-10 06:52:30.000000000 -0400
-@@ -0,0 +1,35 @@
++++ policy-1.17.30/domains/program/unused/winbind.te	2005-07-12 07:56:27.000000000 -0400
+@@ -0,0 +1,48 @@
 +#DESC winbind - Name  Service  Switch  daemon for resolving names from NT servers
 +#
 +# Author: Dan Walsh (dwalsh redhat com)
@@ -2148,6 +2152,7 @@
 +
 +daemon_domain(winbind, `, privhome, auth_chkpwd, nscd_client_domain')
 +log_domain(winbind)
++tmp_domain(winbind)
 +allow winbind_t etc_t:file r_file_perms;
 +allow winbind_t etc_t:lnk_file read;
 +can_network(winbind_t)
@@ -2160,7 +2165,7 @@
 +type samba_var_t, file_type, sysadmfile;
 +type samba_secrets_t, file_type, sysadmfile;
 +')
-+rw_dir_file(winbind_t, samba_etc_t)
++file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)
 +rw_dir_create_file(winbind_t, samba_log_t)
 +allow winbind_t samba_secrets_t:file rw_file_perms;
 +allow winbind_t self:unix_dgram_socket create_socket_perms;
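Review bot: replacing `rw_dir_file(winbind_t, samba_etc_t)` with `file_type_auto_trans(winbind_t, samba_etc_t, samba_secrets_t, file)` drops winbind's read access to existing samba_etc_t files; the replacement `r_dir_file(winbind_t, samba_etc_t)` is added, but it lands inside the winbind_helper block further down (hunk `@@ -2171`). Move it next to the `file_type_auto_trans` line so all winbind_t rules stay together and the tightening is visible in one place.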
@@ -2171,6 +2176,18 @@
 +can_kerberos(winbind_t)
 +allow winbind_t self:netlink_route_socket r_netlink_socket_perms;
 +allow winbind_t winbind_var_run_t:sock_file create_file_perms;
++allow initrc_t winbind_var_run_t:file r_file_perms;
++
++application_domain(winbind_helper, `, nscd_client_domain')
++access_terminal(winbind_helper_t, sysadm)
++read_locale(winbind_helper_t) 
++r_dir_file(winbind_helper_t, samba_etc_t)
++r_dir_file(winbind_t, samba_etc_t)
++allow winbind_helper_t self:unix_dgram_socket create_socket_perms;
++allow winbind_helper_t self:unix_stream_socket create_stream_socket_perms;
++allow winbind_helper_t winbind_var_run_t:dir r_dir_perms;
++can_winbind(winbind_helper_t)
++allow winbind_helper_t privfd:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/xdm.te policy-1.17.30/domains/program/unused/xdm.te
 --- nsapolicy/domains/program/unused/xdm.te	2004-10-09 21:07:28.000000000 -0400
 +++ policy-1.17.30/domains/program/unused/xdm.te	2005-06-10 06:52:30.000000000 -0400
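Review bot: `application_domain(winbind_helper, ...)` declares the domain and its entrypoint, but nothing in this hunk gives any calling domain a transition into winbind_helper_t, so /usr/bin/ntlm_auth keeps running in the caller's domain unless that transition exists elsewhere; state where it comes from or add it here. Also strip the trailing whitespace on `read_locale(winbind_helper_t) `.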
@@ -2459,7 +2476,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/apache.fc policy-1.17.30/file_contexts/program/apache.fc
 --- nsapolicy/file_contexts/program/apache.fc	2004-10-09 21:07:28.000000000 -0400
-+++ policy-1.17.30/file_contexts/program/apache.fc	2005-06-10 06:52:30.000000000 -0400
++++ policy-1.17.30/file_contexts/program/apache.fc	2005-07-12 07:59:29.000000000 -0400
 @@ -1,6 +1,7 @@
  # apache
  HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t
@@ -2468,7 +2485,15 @@
  /var/www/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
  /usr/lib/cgi-bin(/.*)?		system_u:object_r:httpd_sys_script_exec_t
  /var/www/perl(/.*)?		system_u:object_r:httpd_sys_script_exec_t
-@@ -22,17 +23,30 @@
+@@ -15,24 +16,39 @@
+ /usr/lib(64)?/apache(/.*)?		system_u:object_r:httpd_modules_t
+ /usr/lib(64)?/apache2/modules(/.*)?	system_u:object_r:httpd_modules_t
+ /usr/lib(64)?/httpd(/.*)?		system_u:object_r:httpd_modules_t
+-/usr/sbin/httpd		--	system_u:object_r:httpd_exec_t
++/usr/sbin/httpd(\.worker)?	--	system_u:object_r:httpd_exec_t
+ /usr/sbin/apache(2)?	--	system_u:object_r:httpd_exec_t
+ /usr/sbin/suexec	--	system_u:object_r:httpd_suexec_exec_t
+ /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- system_u:object_r:httpd_suexec_exec_t
  /usr/lib(64)?/apache(2)?/suexec(2)? -- system_u:object_r:httpd_suexec_exec_t
  /var/log/httpd(/.*)?		system_u:object_r:httpd_log_t
  /var/log/apache(2)?(/.*)?	system_u:object_r:httpd_log_t
@@ -2493,7 +2518,7 @@
 -/usr/share/apache2/.*	--	system_u:object_r:bin_t
 +/usr/share/apache2/[^/]*	--	system_u:object_r:bin_t
 +/usr/sbin/httpd2-.*		--	system_u:object_r:httpd_exec_t
-+')
+ ')
 +/var/lib/squirrelmail/prefs(/.*)?	system_u:object_r:httpd_squirrelmail_t
 +/var/spool/squirrelmail(/.*)?	system_u:object_r:squirrelmail_spool_t
 +/usr/bin/htsslpass --	system_u:object_r:httpd_helper_exec_t
@@ -2503,7 +2528,9 @@
 +/var/spool/gosa(/.*)?		system_u:object_r:httpd_sys_script_rw_t
 +ifdef(`targeted_policy', `', `
 +/var/spool/cron/apache		-- 	system_u:object_r:user_cron_spool_t
- ')
++')
++/usr/sbin/apachectl		-- 	system_u:object_r:initrc_exec_t
++
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/arpwatch.fc policy-1.17.30/file_contexts/program/arpwatch.fc
 --- nsapolicy/file_contexts/program/arpwatch.fc	1969-12-31 19:00:00.000000000 -0500
 +++ policy-1.17.30/file_contexts/program/arpwatch.fc	2005-06-10 06:52:30.000000000 -0400
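Review bot: labeling `/usr/sbin/apachectl` as initrc_exec_t makes it an entrypoint into initrc_t, a far more privileged domain than httpd_t; if that is the intended way to reach httpd_t via the init-script transition, say so in a comment beside the entry, otherwise httpd_exec_t is the narrower label. The `++` line after it adds a trailing blank line to apache.fc; drop it.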
@@ -2826,8 +2853,8 @@
  /var/run/syslogd\.pid	--	system_u:object_r:syslogd_var_run_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/program/winbind.fc policy-1.17.30/file_contexts/program/winbind.fc
 --- nsapolicy/file_contexts/program/winbind.fc	1969-12-31 19:00:00.000000000 -0500
-+++ policy-1.17.30/file_contexts/program/winbind.fc	2005-06-10 06:52:30.000000000 -0400
-@@ -0,0 +1,10 @@
++++ policy-1.17.30/file_contexts/program/winbind.fc	2005-07-12 07:59:13.000000000 -0400
+@@ -0,0 +1,11 @@
 +/usr/sbin/winbindd	--	system_u:object_r:winbind_exec_t
 +/var/run/winbindd(/.*)?		system_u:object_r:winbind_var_run_t
 +ifdef(`samba.te', `', `
@@ -2838,6 +2865,7 @@
 +/var/cache/samba(/.*)?		system_u:object_r:samba_var_t
 +')
 +/var/cache/samba/winbindd_privileged(/.*)?	system_u:object_r:winbind_var_run_t
++/usr/bin/ntlm_auth --	system_u:object_r:winbind_helper_exec_t
 diff --exclude-from=exclude -N -u -r nsapolicy/file_contexts/types.fc policy-1.17.30/file_contexts/types.fc
 --- nsapolicy/file_contexts/types.fc	2004-10-09 21:07:28.000000000 -0400
 +++ policy-1.17.30/file_contexts/types.fc	2005-06-25 17:08:05.000000000 -0400


Index: selinux-policy-targeted.spec
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/FC-3/selinux-policy-targeted.spec,v
retrieving revision 1.218
retrieving revision 1.219
diff -u -r1.218 -r1.219
--- selinux-policy-targeted.spec	29 Jun 2005 16:43:31 -0000	1.218
+++ selinux-policy-targeted.spec	12 Jul 2005 12:04:18 -0000	1.219
@@ -8,7 +8,7 @@
 Summary: SELinux %{type} policy configuration
 Name: selinux-policy-%{type}
 Version: 1.17.30
-Release: 3.16
+Release: 3.17
 License: GPL
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policy-%{version}.tgz
@@ -214,6 +214,11 @@
 exit 0
 
 %changelog
+* Tue Jul 12 2005 Dan Walsh <dwalsh redhat com> 1.17.30-3.17
+- Allow nscd to use tun_tap device
+- Add winbind_helper
+- Allow apache to work with ldap
+
 * Wed Jun 29 2005 Dan Walsh <dwalsh redhat com> 1.17.30-3.16
 - Allow unconfined_t to execmod file_type
 
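Review bot: the three changelog items do not cover everything in this revision: /usr/sbin/apachectl is relabeled initrc_exec_t, and winbind_t gains `tmp_domain(winbind)` plus a file transition into samba_secrets_t. List them so the RPM changelog stays a usable record of what the policy now allows.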

