rpms/selinux-policy/F-8 policy-20070703.patch, 1.229, 1.230 selinux-policy.spec, 1.650, 1.651
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Oct 29 18:23:48 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19179
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Mon Oct 27 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-123
- Update to latest audit policy
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.229
retrieving revision 1.230
diff -u -r1.229 -r1.230
--- policy-20070703.patch 20 Oct 2008 20:32:06 -0000 1.229
+++ policy-20070703.patch 29 Oct 2008 18:23:46 -0000 1.230
@@ -7615,7 +7615,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.0.8/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-10-20 16:22:16.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/apache.te 2008-10-27 16:17:18.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(apache,1.7.1)
@@ -8112,7 +8112,7 @@
manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
-@@ -728,3 +870,46 @@
+@@ -728,3 +870,56 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -8159,6 +8159,16 @@
+optional_policy(`
+ postgresql_stream_connect(httpd_bugzilla_script_t)
+')
++
++# Removal of fastcgi, will cause problems without the following
++typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
++typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
++typealias httpd_sys_script_rw_t alias httpd_fastcgi_content_rw_t;
++typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
++typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
++typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
++typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
++typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apcupsd.if serefpolicy-3.0.8/policy/modules/services/apcupsd.if
--- nsaserefpolicy/policy/modules/services/apcupsd.if 2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/services/apcupsd.if 2008-10-20 16:22:16.000000000 -0400
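Review bot: The comment `# Removal of fastcgi, will cause problems without the following` does not say what the typealias lines are for or how long they are meant to stay; suggest `# Compatibility aliases: the separate fastcgi policy was removed (mod_fcgid-selinux, 3.0.8-122), so existing file labels and local modules that still reference httpd_fastcgi_* types resolve to the generic httpd_sys_* types.` Aliasing also merges the two sets, so anything still labeled with a fastcgi type is now indistinguishable from the corresponding sys script or content type and any local policy that kept fastcgi scripts apart from other CGI scripts loses that separation, which is worth stating in the comment. A `# TODO: drop once filesystems have been relabeled` marker would make the intended lifetime explicit.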
@@ -11467,17 +11477,16 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.fc serefpolicy-3.0.8/policy/modules/services/exim.fc
--- nsaserefpolicy/policy/modules/services/exim.fc 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2008-10-20 16:22:16.000000000 -0400
-@@ -0,0 +1,5 @@
-+
++++ serefpolicy-3.0.8/policy/modules/services/exim.fc 2008-10-27 15:57:32.000000000 -0400
+@@ -0,0 +1,4 @@
+/usr/sbin/exim -- gen_context(system_u:object_r:exim_exec_t,s0)
+/var/log/exim(/.*)? gen_context(system_u:object_r:exim_log_t,s0)
+/var/run/exim.pid -- gen_context(system_u:object_r:exim_var_run_t,s0)
+/var/spool/exim(/.*)? gen_context(system_u:object_r:exim_spool_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.if serefpolicy-3.0.8/policy/modules/services/exim.if
--- nsaserefpolicy/policy/modules/services/exim.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.if 2008-10-20 16:22:16.000000000 -0400
-@@ -0,0 +1,177 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.if 2008-10-27 15:57:37.000000000 -0400
+@@ -0,0 +1,196 @@
+## <summary>Exim mail transfer agent</summary>
+
+########################################
@@ -11577,6 +11586,26 @@
+
+########################################
+## <summary>
++## Allow the specified domain to manage exim's log files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`exim_manage_log',`
++ gen_require(`
++ type exim_log_t;
++ ')
++
++ manage_files_pattern($1, exim_log_t, exim_log_t)
++ logging_search_logs($1)
++')
++
++########################################
++## <summary>
+## Allow the specified domain to append
+## exim log files.
+## </summary>
@@ -11637,28 +11666,27 @@
+
+########################################
+## <summary>
-+## Allow the specified domain to read exim's log files.
++## Create, read, write, and delete
++## exim spool dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
-+## <rolecap/>
+#
-+interface(`exim_manage_log',`
++interface(`exim_manage_spool_dirs',`
+ gen_require(`
-+ type exim_log_t;
++ type exim_spool_t;
+ ')
+
-+ manage_files_pattern($1, exim_log_t, exim_log_t)
-+ logging_search_logs($1)
++ manage_dirs_pattern($1, exim_spool_t, exim_spool_t)
++ files_search_spool($1)
+')
-+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim.te serefpolicy-3.0.8/policy/modules/services/exim.te
--- nsaserefpolicy/policy/modules/services/exim.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.0.8/policy/modules/services/exim.te 2008-10-20 16:22:16.000000000 -0400
-@@ -0,0 +1,214 @@
++++ serefpolicy-3.0.8/policy/modules/services/exim.te 2008-10-27 15:57:29.000000000 -0400
+@@ -0,0 +1,224 @@
+
+policy_module(exim,1.0.0)
+
@@ -11789,6 +11817,7 @@
+miscfiles_read_certs(exim_t)
+
+fs_getattr_xattr_fs(exim_t)
++fs_list_inotifyfs(exim_t)
+
+mta_read_aliases(exim_t)
+mta_read_config(exim_t)
@@ -11818,6 +11847,10 @@
+')
+
+optional_policy(`
++ dovecot_auth_stream_connect(exim_t)
++')
++
++optional_policy(`
+ tunable_policy(`exim_can_connect_db',`
+ mysql_stream_connect(exim_t)
+ ')
@@ -11843,10 +11876,15 @@
+')
+
+optional_policy(`
++ cron_read_pipes(exim_t)
++ cron_rw_system_job_pipes(exim_t)
++')
++
++optional_policy(`
+ cyrus_stream_connect(exim_t)
+')
+
-+## receipt & validation
++# receipt & validation
+
+optional_policy(`
+ clamav_domtrans_clamscan(exim_t)
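Review bot: The new cron block grants `cron_read_pipes(exim_t)` and `cron_rw_system_job_pipes(exim_t)` with no comment on why exim needs cron's job pipes; presumably queue runs started from cron inherit the job's stdin/stdout, so suggest `# queue runs started from cron inherit the job's pipes` above the block, and confirm whether both interfaces are needed or the rw one already covers the read case. The `##` to `#` change on the `receipt & validation` comment is correct, since `##` is the documentation-comment marker in refpolicy sources and should not introduce ordinary comments.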
@@ -18545,7 +18583,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/samba.te serefpolicy-3.0.8/policy/modules/services/samba.te
--- nsaserefpolicy/policy/modules/services/samba.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-10-20 16:22:16.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/samba.te 2008-10-21 13:55:53.000000000 -0400
@@ -57,6 +57,13 @@
## </desc>
gen_tunable(samba_share_nfs,false)
@@ -18673,7 +18711,7 @@
domain_use_interactive_fds(smbd_t)
domain_dontaudit_list_all_domains_state(smbd_t)
-@@ -321,12 +329,12 @@
+@@ -321,12 +329,14 @@
miscfiles_read_localization(smbd_t)
miscfiles_read_public_files(smbd_t)
@@ -18683,12 +18721,14 @@
userdom_dontaudit_use_unpriv_user_fds(smbd_t)
userdom_use_unpriv_users_fds(smbd_t)
++usermanage_read_crack_db(smbd_t)
++
+term_use_ptmx(smbd_t)
+
ifdef(`hide_broken_symptoms', `
files_dontaudit_getattr_default_dirs(smbd_t)
files_dontaudit_getattr_boot_dirs(smbd_t)
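Review bot: `usermanage_read_crack_db(smbd_t)` is added without a comment, and nothing in the hunk says which smbd operation needs the cracklib dictionary; presumably password-quality checking when passwords are changed through smbd, so suggest `# cracklib dictionary for password quality checks on password changes`, confirmed against the denial that prompted the rule. The surrounding smbd rules continue outside the hunk.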
-@@ -347,6 +355,25 @@
+@@ -347,6 +357,25 @@
tunable_policy(`samba_share_nfs',`
fs_manage_nfs_dirs(smbd_t)
fs_manage_nfs_files(smbd_t)
@@ -18714,7 +18754,7 @@
')
optional_policy(`
-@@ -398,7 +425,7 @@
+@@ -398,7 +427,7 @@
allow nmbd_t self:msgq create_msgq_perms;
allow nmbd_t self:sem create_sem_perms;
allow nmbd_t self:shm create_shm_perms;
@@ -18723,7 +18763,7 @@
allow nmbd_t self:tcp_socket create_stream_socket_perms;
allow nmbd_t self:udp_socket create_socket_perms;
allow nmbd_t self:unix_dgram_socket { create_socket_perms sendto };
-@@ -410,8 +437,7 @@
+@@ -410,8 +439,7 @@
read_files_pattern(nmbd_t,samba_etc_t,samba_etc_t)
manage_dirs_pattern(nmbd_t,samba_log_t,samba_log_t)
@@ -18733,7 +18773,7 @@
read_files_pattern(nmbd_t,samba_log_t,samba_log_t)
create_files_pattern(nmbd_t,samba_log_t,samba_log_t)
-@@ -421,6 +447,8 @@
+@@ -421,6 +449,8 @@
allow nmbd_t smbd_var_run_t:dir rw_dir_perms;
@@ -18742,7 +18782,7 @@
kernel_getattr_core_if(nmbd_t)
kernel_getattr_message_if(nmbd_t)
kernel_read_kernel_sysctls(nmbd_t)
-@@ -446,6 +474,7 @@
+@@ -446,6 +476,7 @@
dev_getattr_mtrr_dev(nmbd_t)
fs_getattr_all_fs(nmbd_t)
@@ -18750,7 +18790,7 @@
fs_search_auto_mountpoints(nmbd_t)
domain_use_interactive_fds(nmbd_t)
-@@ -462,17 +491,11 @@
+@@ -462,17 +493,11 @@
miscfiles_read_localization(nmbd_t)
@@ -18768,7 +18808,7 @@
seutil_sigchld_newrole(nmbd_t)
')
-@@ -506,6 +529,8 @@
+@@ -506,6 +531,8 @@
manage_lnk_files_pattern(smbmount_t,samba_var_t,samba_var_t)
files_list_var_lib(smbmount_t)
@@ -18777,7 +18817,7 @@
kernel_read_system_state(smbmount_t)
corenet_all_recvfrom_unlabeled(smbmount_t)
-@@ -533,6 +558,7 @@
+@@ -533,6 +560,7 @@
storage_raw_write_fixed_disk(smbmount_t)
term_list_ptys(smbmount_t)
@@ -18785,7 +18825,7 @@
corecmd_list_bin(smbmount_t)
-@@ -553,16 +579,11 @@
+@@ -553,16 +581,11 @@
logging_search_logs(smbmount_t)
@@ -18804,7 +18844,7 @@
')
########################################
-@@ -570,24 +591,28 @@
+@@ -570,24 +593,28 @@
# SWAT Local policy
#
@@ -18841,7 +18881,7 @@
allow swat_t smbd_var_run_t:file read;
manage_dirs_pattern(swat_t,swat_tmp_t,swat_tmp_t)
-@@ -597,7 +622,11 @@
+@@ -597,7 +624,11 @@
manage_files_pattern(swat_t,swat_var_run_t,swat_var_run_t)
files_pid_filetrans(swat_t,swat_var_run_t,file)
@@ -18854,7 +18894,7 @@
kernel_read_kernel_sysctls(swat_t)
kernel_read_system_state(swat_t)
-@@ -622,23 +651,25 @@
+@@ -622,23 +653,25 @@
dev_read_urand(swat_t)
@@ -18882,7 +18922,7 @@
optional_policy(`
cups_read_rw_config(swat_t)
cups_stream_connect(swat_t)
-@@ -652,13 +683,16 @@
+@@ -652,13 +685,16 @@
kerberos_use(swat_t)
')
@@ -18905,7 +18945,7 @@
########################################
#
-@@ -672,7 +706,6 @@
+@@ -672,7 +708,6 @@
allow winbind_t self:fifo_file { read write };
allow winbind_t self:unix_dgram_socket create_socket_perms;
allow winbind_t self:unix_stream_socket create_stream_socket_perms;
@@ -18913,7 +18953,7 @@
allow winbind_t self:tcp_socket create_stream_socket_perms;
allow winbind_t self:udp_socket create_socket_perms;
-@@ -709,6 +742,8 @@
+@@ -709,6 +744,8 @@
manage_sock_files_pattern(winbind_t,winbind_var_run_t,winbind_var_run_t)
files_pid_filetrans(winbind_t,winbind_var_run_t,file)
@@ -18922,7 +18962,7 @@
kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
-@@ -733,7 +768,9 @@
+@@ -733,7 +770,9 @@
fs_getattr_all_fs(winbind_t)
fs_search_auto_mountpoints(winbind_t)
@@ -18932,7 +18972,7 @@
domain_use_interactive_fds(winbind_t)
-@@ -746,9 +783,6 @@
+@@ -746,9 +785,6 @@
miscfiles_read_localization(winbind_t)
@@ -18942,7 +18982,7 @@
userdom_dontaudit_use_unpriv_user_fds(winbind_t)
userdom_dontaudit_search_sysadm_home_dirs(winbind_t)
userdom_priveleged_home_dir_manager(winbind_t)
-@@ -758,10 +792,6 @@
+@@ -758,10 +794,6 @@
')
optional_policy(`
@@ -18953,7 +18993,7 @@
seutil_sigchld_newrole(winbind_t)
')
-@@ -784,6 +814,8 @@
+@@ -784,6 +816,8 @@
allow winbind_helper_t samba_var_t:dir search;
files_list_var_lib(winbind_helper_t)
@@ -18962,7 +19002,7 @@
stream_connect_pattern(winbind_helper_t,winbind_var_run_t,winbind_var_run_t,winbind_t)
term_list_ptys(winbind_helper_t)
-@@ -798,12 +830,13 @@
+@@ -798,12 +832,13 @@
miscfiles_read_localization(winbind_helper_t)
optional_policy(`
@@ -18977,7 +19017,7 @@
')
########################################
-@@ -812,6 +845,13 @@
+@@ -812,6 +847,13 @@
#
optional_policy(`
@@ -18991,7 +19031,7 @@
type samba_unconfined_script_t;
type samba_unconfined_script_exec_t;
domain_type(samba_unconfined_script_t)
-@@ -828,3 +868,37 @@
+@@ -828,3 +870,37 @@
domtrans_pattern(smbd_t, samba_unconfined_script_exec_t, samba_unconfined_script_t)
')
')
@@ -23220,8 +23260,8 @@
# Sulogin local policy
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.fc serefpolicy-3.0.8/policy/modules/system/logging.fc
--- nsaserefpolicy/policy/modules/system/logging.fc 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-10-20 16:22:16.000000000 -0400
-@@ -1,12 +1,17 @@
++++ serefpolicy-3.0.8/policy/modules/system/logging.fc 2008-10-27 14:57:18.000000000 -0400
+@@ -1,21 +1,29 @@
-
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
@@ -23240,7 +23280,22 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-@@ -26,12 +31,22 @@
+ /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
+ /usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+-/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+-ifdef(`distro_gentoo', `
++/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
++/usr/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+-')
++/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
++
++/var/lib/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
++/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+
+ ifdef(`distro_suse', `
+ /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+@@ -26,15 +34,26 @@
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
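Review bot: `/var/lib/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)` carries the `--` regular-file qualifier, so the pattern never matches the `/var/lib/syslog-ng` directory itself, which would keep its generic var_lib label unless a separate type transition covers it. Every other directory-tree pattern in this commit (`/var/log/exim(/.*)?`, `/var/spool/exim(/.*)?`, `/var/cfengine/outputs(/.*)?`) omits the qualifier; drop it here too: `/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)`. The `.persist` file line below it is a single regular file and is fine with `--`.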
@@ -23256,14 +23311,21 @@
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
')
+-/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+-/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
+-/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+ifdef(`distro_redhat',`
-+/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
++/var/named/chroot/var/log -d gen_context(system_u:object_r:var_log_t,s0)
+')
+
- /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
- /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
- /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-@@ -43,3 +58,10 @@
++/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
++/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
++/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
++/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
+ /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
+ /var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
+ /var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+@@ -43,3 +62,8 @@
/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
/var/tinydns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -23271,12 +23333,10 @@
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_script_exec_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
+
-+
-+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.0.8/policy/modules/system/logging.if
--- nsaserefpolicy/policy/modules/system/logging.if 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-10-20 16:22:16.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.if 2008-10-27 16:42:26.000000000 -0400
@@ -34,6 +34,51 @@
#
interface(`logging_send_audit_msgs',`
@@ -23369,7 +23429,33 @@
## Execute syslogd in the syslog domain.
## </summary>
## <param name="domain">
-@@ -465,12 +524,11 @@
+@@ -336,6 +395,25 @@
+
+ ########################################
+ ## <summary>
++## Read syslog configuration files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`logging_read_syslog_config',`
++ gen_require(`
++ type syslog_conf_t;
++ ')
++
++ allow $1 syslog_conf_t:file read_file_perms;
++')
++
++########################################
++## <summary>
+ ## Allows the domain to open a file in the
+ ## log directory, but does not allow the listing
+ ## of the contents of the log directory.
+@@ -465,12 +543,11 @@
interface(`logging_read_all_logs',`
gen_require(`
attribute logfile;
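Review bot: `logging_read_syslog_config` grants `allow $1 syslog_conf_t:file read_file_perms;` directly, whereas the other interfaces added in this commit use the pattern macros plus a directory search (`manage_files_pattern` with `logging_search_logs`, `manage_dirs_pattern` with `files_search_spool`); for consistency, and so callers can actually reach the file, use `read_files_pattern($1, syslog_conf_t, syslog_conf_t)` followed by `files_search_etc($1)`. Also check whether `<rolecap/>` is intended on a read-only config accessor, since that tag marks interfaces for exposure to roles.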
@@ -23384,7 +23470,7 @@
')
########################################
-@@ -514,6 +572,8 @@
+@@ -514,6 +591,8 @@
files_search_var($1)
manage_files_pattern($1,logfile,logfile)
read_lnk_files_pattern($1,logfile,logfile)
@@ -23393,7 +23479,7 @@
')
########################################
-@@ -539,6 +599,26 @@
+@@ -559,6 +638,25 @@
########################################
## <summary>
@@ -23414,13 +23500,12 @@
+ dontaudit $1 var_log_t:file write;
+')
+
-+
+########################################
+## <summary>
- ## Write generic log files.
+ ## Read and write generic log files.
## </summary>
## <param name="domain">
-@@ -597,3 +677,273 @@
+@@ -597,3 +695,271 @@
files_search_var($1)
manage_files_pattern($1,var_log_t,var_log_t)
')
@@ -23583,7 +23668,7 @@
+ type syslogd_script_exec_t;
+ ')
+
-+ init_labeled_script_domtrans($1,syslogd_script_exec_t)
++ init_labeled_script_domtrans($1, syslogd_script_exec_t)
+')
+
+########################################
@@ -23669,7 +23754,7 @@
+ role system_r types $1;
+
+ domtrans_pattern(audisp_t,$2,$1)
-+
++ allow audisp_t $1:process { sigkill sigstop signull signal };
+ allow audisp_t $2:file getattr;
+ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
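Review bot: The new `allow audisp_t $1:process { sigkill sigstop signull signal };` in logging_audisp_system_domain has no comment on why the dispatcher needs to signal its plugin domains; a one-line why-comment such as `# audispd stops and restarts its plugin children` would make the intent clear. If sigchld is wanted as well, `signal_perms` (used for syslogd_t elsewhere in this commit) is the idiomatic set; if the narrower explicit list is deliberate, say so in the comment. The interface starts outside the hunk.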
@@ -23687,20 +23772,18 @@
+interface(`logging_stream_connect_audisp',`
+ gen_require(`
+ type audisp_t, audisp_var_run_t;
-+ type auditd_t, auditd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1,audisp_var_run_t,audisp_var_run_t,audisp_t)
-+ stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.te serefpolicy-3.0.8/policy/modules/system/logging.te
--- nsaserefpolicy/policy/modules/system/logging.te 2008-06-12 23:37:57.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-10-20 16:22:16.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/system/logging.te 2008-10-27 14:57:07.000000000 -0400
@@ -1,5 +1,5 @@
-policy_module(logging,1.7.3)
-+policy_module(logging,1.9.0)
++policy_module(logging,1.9.1)
########################################
#
@@ -23724,7 +23807,7 @@
type syslogd_var_run_t;
files_pid_file(syslogd_var_run_t)
-@@ -55,23 +61,42 @@
+@@ -55,23 +61,43 @@
logging_log_file(var_log_t)
files_mountpoint(var_log_t)
@@ -23736,6 +23819,7 @@
+
ifdef(`enable_mls',`
init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
++ init_ranged_daemon_domain(syslogd_t,syslogd_exec_t,mls_systemhigh)
')
+type audisp_t;
@@ -23770,7 +23854,7 @@
files_read_etc_files(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
-@@ -91,6 +116,7 @@
+@@ -91,6 +117,7 @@
locallogin_dontaudit_use_fds(auditctl_t)
@@ -23778,7 +23862,7 @@
logging_send_syslog_msg(auditctl_t)
########################################
-@@ -98,16 +124,15 @@
+@@ -98,16 +125,16 @@
# Auditd local policy
#
@@ -23790,6 +23874,7 @@
allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
allow auditd_t self:fifo_file rw_file_perms;
++allow auditd_t self:tcp_socket create_stream_socket_perms;
allow auditd_t auditd_etc_t:dir list_dir_perms;
-allow auditd_t auditd_etc_t:file r_file_perms;
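Review bot: `allow auditd_t self:tcp_socket create_stream_socket_perms;` here and the `corenet_tcp_*` rules in the next hunk open network access for auditd with no comment naming the feature; presumably the remote audit listener configured by `tcp_listen_port` in auditd.conf, so suggest `# remote audit logging: listen on the audit port (auditd.conf tcp_listen_port)` above the tcp_socket rule. `corenet_tcp_sendrecv_all_ports(auditd_t)` is broader than the single `corenet_tcp_bind_audit_port(auditd_t)` it accompanies; since the bind interface shows the audit port is defined, the generated `corenet_tcp_sendrecv_audit_port(auditd_t)` would match the bind rule if only audit-port traffic is expected.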
@@ -23797,15 +23882,41 @@
manage_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
manage_lnk_files_pattern(auditd_t,auditd_log_t,auditd_log_t)
-@@ -141,6 +166,7 @@
+@@ -126,9 +153,18 @@
+
+ fs_getattr_all_fs(auditd_t)
+ fs_search_auto_mountpoints(auditd_t)
++fs_rw_anon_inodefs_files(auditd_t)
+
+ selinux_search_fs(auditctl_t)
+
++corenet_all_recvfrom_unlabeled(auditd_t)
++corenet_all_recvfrom_netlabel(auditd_t)
++corenet_tcp_sendrecv_all_if(auditd_t)
++corenet_tcp_sendrecv_all_nodes(auditd_t)
++corenet_tcp_sendrecv_all_ports(auditd_t)
++corenet_tcp_bind_all_nodes(auditd_t)
++corenet_tcp_bind_audit_port(auditd_t)
++
+ # Needs to be able to run dispatcher. see /etc/audit/auditd.conf
+ # Probably want a transition, and a new auditd_helper app
+ corecmd_exec_bin(auditd_t)
+@@ -141,7 +177,10 @@
init_telinit(auditd_t)
+logging_set_audit_parameters(auditd_t)
logging_send_syslog_msg(auditd_t)
++logging_domtrans_audisp(auditd_t)
++logging_audisp_signal(auditd_t)
libs_use_ld_so(auditd_t)
-@@ -153,9 +179,21 @@
+ libs_use_shared_libs(auditd_t)
+@@ -150,12 +189,25 @@
+
+ mls_file_read_all_levels(auditd_t)
+ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ directory
++mls_fd_use_all_levels(auditd_t)
seutil_dontaudit_read_config(auditd_t)
@@ -23827,7 +23938,7 @@
optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
-@@ -194,6 +232,7 @@
+@@ -194,6 +246,7 @@
fs_getattr_all_fs(klogd_t)
fs_search_auto_mountpoints(klogd_t)
@@ -23835,7 +23946,7 @@
domain_use_interactive_fds(klogd_t)
-@@ -212,6 +251,12 @@
+@@ -212,6 +265,12 @@
userdom_dontaudit_search_sysadm_home_dirs(klogd_t)
@@ -23848,7 +23959,15 @@
optional_policy(`
udev_read_db(klogd_t)
')
-@@ -241,12 +286,16 @@
+@@ -232,7 +291,6 @@
+ dontaudit syslogd_t self:capability sys_tty_config;
+ # setpgid for metalog
+ allow syslogd_t self:process { signal_perms setpgid };
+-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
+ # receive messages to be logged
+ allow syslogd_t self:unix_dgram_socket create_socket_perms;
+ allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
+@@ -241,20 +299,30 @@
allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
@@ -23865,7 +23984,11 @@
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
-@@ -255,6 +304,9 @@
++mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
++mls_fd_use_all_levels(syslogd_t)
++
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
manage_files_pattern(syslogd_t,syslogd_tmp_t,syslogd_tmp_t)
files_tmp_filetrans(syslogd_t,syslogd_tmp_t,{ dir file })
@@ -23875,15 +23998,33 @@
allow syslogd_t syslogd_var_run_t:file manage_file_perms;
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
-@@ -300,6 +352,7 @@
+@@ -262,6 +330,7 @@
+ manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
+ files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
+
++kernel_read_system_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+ kernel_read_proc_symlinks(syslogd_t)
+ # Allow access to /proc/kmsg for syslog-ng
+@@ -269,6 +338,8 @@
+ kernel_clear_ring_buffer(syslogd_t)
+ kernel_change_ring_buffer_level(syslogd_t)
+
++files_read_kernel_symbol_table(syslogd_t)
++
+ dev_filetrans(syslogd_t,devlog_t,sock_file)
+ dev_read_sysfs(syslogd_t)
+
+@@ -300,6 +371,8 @@
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
++corenet_tcp_connect_postgresql_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
-@@ -312,6 +365,8 @@
+@@ -312,18 +385,20 @@
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
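Review bot: `corenet_tcp_connect_postgresql_port(syslogd_t)`, together with the existing `corenet_tcp_connect_mysqld_port` line and the `postgresql_stream_connect(syslogd_t)` added in a later hunk, lets the syslog daemon reach database servers unconditionally, whereas exim.te in this same commit gates its database connections behind the `exim_can_connect_db` tunable; logging to a database is an opt-in feature, so an equivalent tunable for syslogd (a constructed name such as `syslogd_can_connect_db`) would keep the default policy tighter. `files_read_kernel_symbol_table(syslogd_t)` also deserves a why-comment, e.g. `# kernel log input resolves addresses via System.map`, if that is indeed the trigger.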
@@ -23892,20 +24033,49 @@
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
-@@ -341,6 +396,12 @@
+
++auth_use_nsswitch(syslogd_t)
++
+ libs_use_ld_so(syslogd_t)
+ libs_use_shared_libs(syslogd_t)
+
+ # cjp: this doesnt make sense
+ logging_send_syslog_msg(syslogd_t)
+
+-sysnet_read_config(syslogd_t)
+-
+ miscfiles_read_localization(syslogd_t)
+
+ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
+@@ -341,20 +416,22 @@
files_var_lib_filetrans(syslogd_t,devlog_t,sock_file)
')
+-optional_policy(`
+- inn_manage_log(syslogd_t)
+ifdef(`distro_ubuntu',`
+ optional_policy(`
+ unconfined_domain(syslogd_t)
+ ')
-+')
-+
+ ')
+
+ optional_policy(`
+- nis_use_ypbind(syslogd_t)
++ inn_manage_log(syslogd_t)
+ ')
+
+ optional_policy(`
+- nscd_socket_use(syslogd_t)
++ seutil_sigchld_newrole(syslogd_t)
+ ')
+
optional_policy(`
- inn_manage_log(syslogd_t)
+- seutil_sigchld_newrole(syslogd_t)
++ postgresql_stream_connect(syslogd_t)
')
-@@ -365,3 +426,69 @@
+
+ optional_policy(`
+@@ -365,3 +442,66 @@
# log to the xconsole
xserver_rw_console(syslogd_t)
')
@@ -23918,10 +24088,13 @@
+# Init script handling
+domain_use_interactive_fds(audisp_t)
+
++allow audisp_t self:capability { dac_override sys_nice };
++allow audisp_t self:process setsched;
++
+## internal communication is often done using fifo and unix sockets.
+allow audisp_t self:fifo_file rw_file_perms;
-+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t self:unix_dgram_socket create_socket_perms;
++allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
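Review bot: `allow audisp_t self:capability { dac_override sys_nice };` grants the dispatcher the ability to bypass file permission checks with no comment on which path needs it; dac_override is a capability worth justifying per rule, and if the need is only to read or traverse files owned by another user, `dac_read_search` is the narrower choice. Suggest a why-comment such as `# dac_override: <path or plugin that needs it>` with the concrete trigger filled in. The context line `## internal communication is often done using fifo and unix sockets.` still uses the `##` documentation-comment marker that this commit corrects in exim.te (`# receipt & validation`); a single `#` is appropriate there too.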
@@ -23936,18 +24109,11 @@
+
+miscfiles_read_localization(audisp_t)
+
-+corecmd_search_bin(audisp_t)
-+
-+sysnet_dns_name_resolve(audisp_t)
-+
-+logging_domtrans_audisp(auditd_t)
-+logging_audisp_signal(auditd_t)
++mls_file_write_all_levels(audisp_t)
+
-+#gen_require(`
-+# type zos_remote_exec_t, zos_remote_t;
-+#')
++corecmd_search_bin(audisp_t)
+
-+#logging_audisp_system_domain(zos_remote_t, zos_remote_exec_t)
++sysnet_dns_name_resolve(audisp_t)
+
+########################################
+#
@@ -23975,6 +24141,7 @@
+miscfiles_read_localization(audisp_remote_t)
+
+sysnet_dns_name_resolve(audisp_remote_t)
++
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/lvm.fc serefpolicy-3.0.8/policy/modules/system/lvm.fc
--- nsaserefpolicy/policy/modules/system/lvm.fc 2008-06-12 23:37:57.000000000 -0400
+++ serefpolicy-3.0.8/policy/modules/system/lvm.fc 2008-10-20 16:22:16.000000000 -0400
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.650
retrieving revision 1.651
diff -u -r1.650 -r1.651
--- selinux-policy.spec 21 Oct 2008 13:19:45 -0000 1.650
+++ selinux-policy.spec 29 Oct 2008 18:23:47 -0000 1.651
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 122%{?dist}
+Release: 123%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -382,6 +382,9 @@
%endif
%changelog
+* Mon Oct 27 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-123
+- Update to latest audit policy
+
* Tue Oct 21 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-122
- Remove mod_fcgid-selinux package