rpms/selinux-policy-targeted/devel policy-20050916.patch,1.13,1.14

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Sep 29 20:07:21 UTC 2005


Author: dwalsh

Update of /cvs/dist/rpms/selinux-policy-targeted/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv12508

Modified Files:
	policy-20050916.patch 
Log Message:
* Thu Sep 29 2005 Dan Walsh <dwalsh at redhat.com> 1.27.1-11
- Allow reading of public_content_rw_t without setting boolean
- Fix man pages
- Fix pppd


policy-20050916.patch:
 Makefile                                 |   22 +++++----
 domains/program/crond.te                 |    2 
 domains/program/fsadm.te                 |    7 ++
 domains/program/hostname.te              |    2 
 domains/program/ifconfig.te              |    5 +-
 domains/program/initrc.te                |   17 ++++++-
 domains/program/ldconfig.te              |    3 -
 domains/program/load_policy.te           |    7 +-
 domains/program/login.te                 |   21 +++++---
 domains/program/modutil.te               |   14 +++--
 domains/program/mount.te                 |    5 +-
 domains/program/netutils.te              |    3 -
 domains/program/passwd.te                |    1 
 domains/program/restorecon.te            |    3 -
 domains/program/setfiles.te              |    4 -
 domains/program/ssh.te                   |    6 ++
 domains/program/su.te                    |    9 +++
 domains/program/syslogd.te               |    6 +-
 domains/program/unused/NetworkManager.te |    3 -
 domains/program/unused/alsa.te           |    2 
 domains/program/unused/amanda.te         |   74 +++++++------------------------
 domains/program/unused/anaconda.te       |    5 --
 domains/program/unused/apache.te         |   17 ++++---
 domains/program/unused/apmd.te           |   13 +++++
 domains/program/unused/auditd.te         |    2 
 domains/program/unused/automount.te      |    4 +
 domains/program/unused/bluetooth.te      |   61 +++++++++++++++++++++++++
 domains/program/unused/cups.te           |   18 +++++--
 domains/program/unused/cvs.te            |    3 +
 domains/program/unused/cyrus.te          |    2 
 domains/program/unused/dbusd.te          |    4 +
 domains/program/unused/dhcpc.te          |    5 +-
 domains/program/unused/dhcpd.te          |    3 -
 domains/program/unused/dovecot.te        |    4 +
 domains/program/unused/hald.te           |    2 
 domains/program/unused/hotplug.te        |    5 +-
 domains/program/unused/hwclock.te        |    2 
 domains/program/unused/ipsec.te          |    2 
 domains/program/unused/kudzu.te          |    5 +-
 domains/program/unused/mta.te            |    8 +++
 domains/program/unused/mysqld.te         |    6 +-
 domains/program/unused/named.te          |   29 ++++++++++--
 domains/program/unused/nscd.te           |    1 
 domains/program/unused/ntpd.te           |   10 ++--
 domains/program/unused/openct.te         |   16 ++++++
 domains/program/unused/pamconsole.te     |    2 
 domains/program/unused/pegasus.te        |   31 ++++++++++++
 domains/program/unused/ping.te           |    3 -
 domains/program/unused/postfix.te        |   24 ++++++----
 domains/program/unused/pppd.te           |    8 ++-
 domains/program/unused/procmail.te       |   11 +++-
 domains/program/unused/readahead.te      |   21 ++++++++
 domains/program/unused/rlogind.te        |    4 +
 domains/program/unused/roundup.te        |   29 ++++++++++++
 domains/program/unused/rpcd.te           |   12 ++++-
 domains/program/unused/samba.te          |   11 +++-
 domains/program/unused/snmpd.te          |    5 +-
 domains/program/unused/squid.te          |    3 -
 domains/program/unused/udev.te           |   10 +++-
 domains/program/unused/utempter.te       |    2 
 domains/program/unused/webalizer.te      |    3 +
 domains/program/unused/winbind.te        |    1 
 domains/program/unused/xdm.te            |    3 +
 domains/program/unused/yppasswdd.te      |   40 ++++++++++++++++
 domains/program/unused/ypserv.te         |    1 
 domains/program/useradd.te               |    5 +-
 file_contexts/distros.fc                 |    1 
 file_contexts/program/bluetooth.fc       |    3 +
 file_contexts/program/dhcpc.fc           |    2 
 file_contexts/program/dhcpd.fc           |    1 
 file_contexts/program/ftpd.fc            |    5 +-
 file_contexts/program/games.fc           |   11 +++-
 file_contexts/program/ipsec.fc           |    1 
 file_contexts/program/openct.fc          |    2 
 file_contexts/program/pegasus.fc         |   11 ++++
 file_contexts/program/pppd.fc            |    2 
 file_contexts/program/readahead.fc       |    1 
 file_contexts/program/roundup.fc         |    2 
 file_contexts/program/rpm.fc             |    4 +
 file_contexts/program/rsync.fc           |    2 
 file_contexts/program/xdm.fc             |    2 
 file_contexts/program/yppasswdd.fc       |    2 
 file_contexts/program/ypserv.fc          |    1 
 file_contexts/types.fc                   |    2 
 genfs_contexts                           |    2 
 macros/core_macros.te                    |    3 +
 macros/global_macros.te                  |   16 +++++-
 macros/network_macros.te                 |   17 ++++++-
 macros/program/apache_macros.te          |   13 ++++-
 macros/program/cdrecord_macros.te        |    2 
 macros/program/i18n_input_macros.te      |   21 ++++++++
 macros/program/mta_macros.te             |    4 -
 macros/program/newrole_macros.te         |    2 
 macros/program/pyzor_macros.te           |    2 
 macros/program/razor_macros.te           |    2 
 macros/program/su_macros.te              |    4 -
 macros/program/uml_macros.te             |    2 
 macros/user_macros.te                    |    1 
 man/man8/ftpd_selinux.8                  |   19 ++++---
 man/man8/httpd_selinux.8                 |    9 +++
 man/man8/rsync_selinux.8                 |   12 +++--
 man/man8/samba_selinux.8                 |    9 +++
 mcs                                      |   16 ++++++
 net_contexts                             |    6 ++
 targeted/appconfig/root_default_contexts |    4 +
 targeted/domains/program/ssh.te          |    3 +
 targeted/domains/program/xdm.te          |    4 +
 targeted/domains/unconfined.te           |   18 ++++++-
 tunables/distro.tun                      |    2 
 tunables/tunable.tun                     |    4 -
 types/devpts.te                          |    4 +
 types/file.te                            |   15 ++++--
 types/network.te                         |   12 ++---
 types/security.te                        |    5 ++
 114 files changed, 739 insertions(+), 221 deletions(-)

Index: policy-20050916.patch
===================================================================
RCS file: /cvs/dist/rpms/selinux-policy-targeted/devel/policy-20050916.patch,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- policy-20050916.patch	29 Sep 2005 01:56:28 -0000	1.13
+++ policy-20050916.patch	29 Sep 2005 20:07:17 -0000	1.14
@@ -45,7 +45,7 @@
  allow hostname_t initrc_t:fd use;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/ifconfig.te policy-1.27.1/domains/program/ifconfig.te
 --- nsapolicy/domains/program/ifconfig.te	2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/ifconfig.te	2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/ifconfig.te	2005-09-29 14:02:40.000000000 -0400
 @@ -52,7 +52,8 @@
  allow ifconfig_t self:udp_socket create_socket_perms;
  
@@ -56,6 +56,15 @@
  ifdef(`gnome-pty-helper.te', `allow ifconfig_t sysadm_gph_t:fd use;')
  
  allow ifconfig_t tun_tap_device_t:chr_file { read write };
+@@ -60,7 +61,7 @@
+ # ifconfig attempts to search some sysctl entries.
+ # Do not audit those attempts; comment out these rules if it is desired to
+ # see the denials.
+-dontaudit ifconfig_t { sysctl_t sysctl_net_t }:dir search;
++allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;
+ 
+ allow ifconfig_t fs_t:filesystem getattr;
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/initrc.te policy-1.27.1/domains/program/initrc.te
 --- nsapolicy/domains/program/initrc.te	2005-09-16 11:17:08.000000000 -0400
 +++ policy-1.27.1/domains/program/initrc.te	2005-09-27 17:14:40.000000000 -0400
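Review bot: the comment kept above the changed line in the ifconfig.te hunk still says "Do not audit those attempts; comment out these rules if it is desired to see the denials", but the rule under it is now `allow ifconfig_t { sysctl_t sysctl_net_t }:dir search;` instead of a dontaudit, so the comment contradicts the rule. Reword it to say why ifconfig needs to search the sysctl directories (or remove it), so the next reader does not assume the search is still being silenced rather than granted.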
@@ -569,7 +578,7 @@
  
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apache.te policy-1.27.1/domains/program/unused/apache.te
 --- nsapolicy/domains/program/unused/apache.te	2005-09-16 11:17:08.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/apache.te	2005-09-28 11:16:13.000000000 -0400
++++ policy-1.27.1/domains/program/unused/apache.te	2005-09-29 16:06:57.000000000 -0400
 @@ -113,9 +113,12 @@
  can_network_server(httpd_t)
  can_kerberos(httpd_t)
@@ -606,6 +615,22 @@
  } else {
  dontaudit httpd_t admin_tty_type:chr_file rw_file_perms;
  }
+@@ -367,13 +370,13 @@
+ allow httpd_suexec_t autofs_t:dir { search getattr };
+ tmp_domain(httpd_suexec)
+ 
+-if (httpd_enable_cgi && httpd_unified ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
++if (httpd_enable_cgi && httpd_unified) {
+ domain_auto_trans(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
+ ifdef(`targeted_policy', `', `
+ domain_auto_trans(sysadm_t, httpdcontent, httpd_sys_script_t)
+ ')
+ }
+-if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting ifdef(`targeted_policy', ` && ! httpd_disable_trans')) {
++if (httpd_enable_cgi && httpd_unified && httpd_builtin_scripting) {
+ domain_auto_trans(httpd_t, httpdcontent, httpd_sys_script_t)
+ create_dir_file(httpd_t, httpdcontent)
+ }
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/apmd.te policy-1.27.1/domains/program/unused/apmd.te
 --- nsapolicy/domains/program/unused/apmd.te	2005-09-16 11:17:08.000000000 -0400
 +++ policy-1.27.1/domains/program/unused/apmd.te	2005-09-27 17:14:40.000000000 -0400
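Review bot: removing `ifdef(`targeted_policy', ` && ! httpd_disable_trans')` from both conditionals means that in the targeted policy the domain_auto_trans rules into httpd_sys_script_t are installed whenever httpd_enable_cgi and httpd_unified are on, regardless of httpd_disable_trans, and the changelog (public_content_rw_t, man pages, pppd) does not mention apache at all. Please confirm that httpd_disable_trans still governs these transitions elsewhere in the targeted policy and add a changelog line for the change; otherwise setting that boolean no longer stops httpd_suexec_t and httpd_t from transitioning into the script domain.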
@@ -1162,21 +1187,24 @@
 +allow nscd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/ntpd.te policy-1.27.1/domains/program/unused/ntpd.te
 --- nsapolicy/domains/program/unused/ntpd.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/ntpd.te	2005-09-27 17:14:40.000000000 -0400
-@@ -26,9 +26,10 @@
++++ policy-1.27.1/domains/program/unused/ntpd.te	2005-09-29 14:06:08.000000000 -0400
+@@ -26,11 +26,11 @@
  # for SSP
  allow ntpd_t urandom_device_t:chr_file { getattr read };
  
 -allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot };
-+# sys_resource and setrlimit is for locking memory
-+allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_resource };
- dontaudit ntpd_t self:capability { net_admin };
+-dontaudit ntpd_t self:capability { net_admin };
 -allow ntpd_t self:process { setcap setsched };
++# sys_resource and setrlimit is for locking memory
++allow ntpd_t self:capability { chown dac_override kill setgid setuid sys_time net_bind_service ipc_lock sys_chroot sys_nice sys_resource };
++dontaudit ntpd_t self:capability { fsetid net_admin };
 +allow ntpd_t self:process { setcap setsched setrlimit };
  # ntpdate wants sys_nice
- dontaudit ntpd_t self:capability { fsetid sys_nice };
+-dontaudit ntpd_t self:capability { fsetid sys_nice };
  
-@@ -54,7 +55,7 @@
+ # for some reason it creates a file in /tmp
+ tmp_domain(ntpd)
+@@ -54,7 +54,7 @@
  # for cron jobs
  # system_crond_t is not right, cron is not doing what it should
  ifdef(`crond.te', `
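Review bot: the `# ntpdate wants sys_nice` comment in the ntpd.te hunk is now stranded below the new allow line, because sys_nice moved from the removed `dontaudit ntpd_t self:capability { fsetid sys_nice };` into the allow set and the dontaudit it used to explain is gone. Fold it into the `# sys_resource and setrlimit is for locking memory` comment (and change "is" to "are") so the explanation sits above the rule it describes. Note that this also promotes sys_nice from a silenced denial to a granted capability, which widens ntpd_t beyond anything the commit log describes; a changelog entry for ntpd would help.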
@@ -1392,7 +1420,7 @@
 +
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/pppd.te policy-1.27.1/domains/program/unused/pppd.te
 --- nsapolicy/domains/program/unused/pppd.te	2005-09-16 11:17:09.000000000 -0400
-+++ policy-1.27.1/domains/program/unused/pppd.te	2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/domains/program/unused/pppd.te	2005-09-29 14:04:48.000000000 -0400
 @@ -14,7 +14,7 @@
  #
  bool pppd_for_user false;
@@ -1415,7 +1443,7 @@
  can_exec(pppd_t, { shell_exec_t bin_t sbin_t etc_t ifconfig_exec_t })
  allow pppd_t { bin_t sbin_t }:dir search;
  allow pppd_t { sbin_t bin_t }:lnk_file read;
-+dontaudit  ifconfig_t pppd_t:fd use;
++allow ifconfig_t pppd_t:fd use;
  
  # Access /dev/ppp.
  allow pppd_t ppp_device_t:chr_file rw_file_perms;
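Review bot: `dontaudit ifconfig_t pppd_t:fd use;` becomes `allow ifconfig_t pppd_t:fd use;` with no comment explaining why ifconfig needs the descriptors it inherits from pppd. A dontaudit is the least-privilege choice when the inherited descriptor is just leak noise, so if the allow is there because ifconfig really writes on a descriptor pppd hands it (its stdout/stderr, for example), record that in a comment; otherwise keep the dontaudit.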
@@ -1428,6 +1456,11 @@
  can_network_client_tcp(pptp_t)
  allow pptp_t { reserved_port_type port_t }:tcp_socket name_connect;
  can_exec(pptp_t, hostname_exec_t)
+@@ -144,3 +145,4 @@
+ # Allow /etc/ppp/ip-{up,down} to run most anything
+ type pppd_script_exec_t, file_type, sysadmfile;
+ domain_auto_trans(pppd_t, pppd_script_exec_t, initrc_t)
++allow pppd_t initrc_t:process noatsecure;
 diff --exclude-from=exclude -N -u -r nsapolicy/domains/program/unused/procmail.te policy-1.27.1/domains/program/unused/procmail.te
 --- nsapolicy/domains/program/unused/procmail.te	2005-09-12 16:40:28.000000000 -0400
 +++ policy-1.27.1/domains/program/unused/procmail.te	2005-09-27 17:14:40.000000000 -0400
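Review bot: the new `allow pppd_t initrc_t:process noatsecure;` line needs a comment. noatsecure switches off the AT_SECURE (secure-execution) handling glibc would otherwise apply on the pppd_t to initrc_t transition, so the /etc/ppp/ip-{up,down} scripts run with the environment pppd passes them unfiltered; that is presumably the intent, since pppd hands connection parameters to those scripts through the environment, but the reason should be stated next to the rule so it is not later mistaken for an accidental loosening.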
@@ -2018,7 +2051,7 @@
  ')
 diff --exclude-from=exclude -N -u -r nsapolicy/macros/global_macros.te policy-1.27.1/macros/global_macros.te
 --- nsapolicy/macros/global_macros.te	2005-09-16 11:17:11.000000000 -0400
-+++ policy-1.27.1/macros/global_macros.te	2005-09-27 17:14:40.000000000 -0400
++++ policy-1.27.1/macros/global_macros.te	2005-09-29 08:46:50.000000000 -0400
 @@ -157,6 +157,11 @@
  r_dir_file($1, locale_t)
  ')
@@ -2056,7 +2089,7 @@
  #
  define(`anonymous_domain', `
 -r_dir_file($1_t, ftpd_anon_t)
-+r_dir_file($1_t, public_content_t)
++r_dir_file($1_t, { public_content_t public_content_rw_t } )
  bool allow_$1_anon_write false;
  if (allow_$1_anon_write) {
 -create_dir_file($1_t,ftpd_anon_rw_t)
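Review bot: with `r_dir_file($1_t, { public_content_t public_content_rw_t } )` read access to public_content_rw_t is now unconditional for every anonymous_domain and only the write side stays behind allow_$1_anon_write; that matches the changelog entry, but the macro's own comment should say so, so that administrators do not assume a public_content_rw_t directory is hidden from the other anonymous domains until the boolean is set. Minor: drop the space before the closing parenthesis to match the other calls in this macro.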
@@ -2360,24 +2393,29 @@
  	@mv Makefile.new Makefile
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/ftpd_selinux.8 policy-1.27.1/man/man8/ftpd_selinux.8
 --- nsapolicy/man/man8/ftpd_selinux.8	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-09-27 17:14:40.000000000 -0400
-@@ -8,23 +8,23 @@
++++ policy-1.27.1/man/man8/ftpd_selinux.8	2005-09-29 08:56:00.000000000 -0400
+@@ -8,23 +8,24 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
  Policy governs the access daemons have to these files. 
 -If you want to share files anonymously, you must label the files and directories ftpd_anon_t.  So if you created a special directory /var/ftp, you 
-+If you want to share files anonymously, you must label the files and directories public_content_t.  So if you created a special directory /var/ftp, you 
- would need to label the directory with the chcon tool.
+-would need to label the directory with the chcon tool.
++If you want to share files anonymously, you must label the files and directories public_content_t.  So if you created a special directory /var/ftp, you would need to label the directory with the chcon tool.
  .TP
 -chcon -R -t ftpd_anon_t /var/ftp
 +chcon -R -t public_content_t /var/ftp
  .TP
- If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you 
- would need to label the directory with the chcon tool.
+-If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you 
+-would need to label the directory with the chcon tool.
++If you want to setup a directory where you can upload files to you must label the files and directories ftpd_anon_rw_t.  So if you created a special directory /var/ftp/incoming, you would need to label the directory with the chcon tool.
  .TP
 -chcon -t ftpd_anon_rw_t /var/ftp/incoming
+-
 +chcon -t public_content_rw_t /var/ftp/incoming
- 
++.TP
++You must also turn on the boolean allow_ftp_anon_write.
++.TP
++setsebool -P allow_ftp_anon_write=1
  .TP
  If you want to make this permanant, i.e. survive a relabel, you must add an entry to the file_contexts.local file.
  .TP
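Review bot: the rewritten upload paragraph in ftpd_selinux.8 still tells the reader to label the upload directory ftpd_anon_rw_t, while the chcon example under it (`chcon -t public_content_rw_t /var/ftp/incoming`) and the new setsebool text use public_content_rw_t; the paragraph should say public_content_rw_t, as the read-only paragraph above it was updated to public_content_t. Also "setup a directory where you can upload files to you must" should read "set up a directory you can upload files to, you must", and the write example would be clearer with `-R` like the read example so existing subdirectories are relabelled too.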
@@ -2390,10 +2428,29 @@
  
  .SH BOOLEANS
  SELinux ftp daemon policy is customizable based on least access required.  So by 
+diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/httpd_selinux.8 policy-1.27.1/man/man8/httpd_selinux.8
+--- nsapolicy/man/man8/httpd_selinux.8	2005-09-12 16:40:29.000000000 -0400
++++ policy-1.27.1/man/man8/httpd_selinux.8	2005-09-29 08:52:56.000000000 -0400
+@@ -45,6 +45,15 @@
+ .SH NOTE
+ With certain policies you can define addional file contexts based on roles like user or staff.  httpd_user_script_exec_t can be defined where it would only have access to "user" contexts.
+ 
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for httpd you would execute:
++
++setsebool -P allow_httpd_anon_write=1
++
++or 
++
++setsebool -P allow_httpd_sys_script_anon_write=1
++
+ .SH BOOLEANS
+ SELinux policy is customizable based on least access required.  So by 
+ default SElinux prevents certain http scripts from working.  httpd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run httpd with the tightest access possible.
 diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/rsync_selinux.8 policy-1.27.1/man/man8/rsync_selinux.8
 --- nsapolicy/man/man8/rsync_selinux.8	2005-09-12 16:40:29.000000000 -0400
-+++ policy-1.27.1/man/man8/rsync_selinux.8	2005-09-27 17:14:40.000000000 -0400
-@@ -8,16 +8,16 @@
++++ policy-1.27.1/man/man8/rsync_selinux.8	2005-09-29 08:53:31.000000000 -0400
+@@ -8,16 +8,22 @@
  .SH FILE_CONTEXTS
  SELinux requires files to have an extended attribute to define the file type. 
  Policy governs the access daemons have to these files. 
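Review bot: in the new SHARING FILES section of httpd_selinux.8 the sentence "you must set the appropriate boolean.  allow_DOMAIN_anon_write." is split into a fragment, and public_content_rw_t is called a domain although it is a file type; suggest "If you want a particular domain to be able to write to files labelled public_content_rw_t, you must turn on the corresponding boolean, allow_DOMAIN_anon_write." Also "These context allow" should be "These contexts allow". The same paragraph is pasted into rsync_selinux.8 and samba_selinux.8 in the next hunk, so the fix applies there too.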
@@ -2410,9 +2467,41 @@
  .br
 -/var/rsync(/.*)? system_u:object_r:ftpd_anon_t
 +/var/rsync(/.*)? system_u:object_r:public_content_t
++
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for rsync you would execute:
++
++setsebool -P allow_rsync_anon_write=1
++
+ 
+ .SH BOOLEANS
+ .TP
+diff --exclude-from=exclude -N -u -r nsapolicy/man/man8/samba_selinux.8 policy-1.27.1/man/man8/samba_selinux.8
+--- nsapolicy/man/man8/samba_selinux.8	2005-09-12 16:40:29.000000000 -0400
++++ policy-1.27.1/man/man8/samba_selinux.8	2005-09-29 08:51:44.000000000 -0400
+@@ -20,6 +20,11 @@
+ .br
+ /var/eng(/.*)? system_u:object_r:samba_share_t
  
++.SH SHARING FILES
++If you want to share files with multiple domains (Apache, FTP, rsync, Samba), you can set a file context of public_content_t and public_content_rw_t.  These context allow any of the above domains to read the content.  If you want a particular domain to write to the public_content_rw_t domain, you must set the appropriate boolean.  allow_DOMAIN_anon_write.  So for samba you would execute:
++
++setsebool -P allow_smb_anon_write=1
++
  .SH BOOLEANS
+ .br 
+ SELinux policy is customizable based on least access required.  So by 
+@@ -44,6 +49,10 @@
+ service smb restart
  .TP
+ system-config-securitylevel is a GUI tool available to customize SELinux policy settings.
++
++
++
++
+ .SH AUTHOR	
+ This manual page was written by Dan Walsh <dwalsh at redhat.com>.
+ 
 diff --exclude-from=exclude -N -u -r nsapolicy/mcs policy-1.27.1/mcs
 --- nsapolicy/mcs	2005-09-15 16:13:03.000000000 -0400
 +++ policy-1.27.1/mcs	2005-09-27 17:14:40.000000000 -0400
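Review bot: the samba_selinux.8 part of this hunk adds four empty lines (`++` with nothing after them) before `.SH AUTHOR`; they do nothing in troff and should be dropped. The SHARING FILES paragraph added to rsync_selinux.8 and samba_selinux.8 carries the same wording problems as the httpd copy ("These context allow", "write to the public_content_rw_t domain", the stray fragment "allow_DOMAIN_anon_write."); fix the text once and apply it to all three pages, or keep it in a single place so the copies do not drift.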



