rpms/selinux-policy/F-9 policy-20071130.patch,1.204,1.205
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Sep 8 14:21:50 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27729
Modified Files:
policy-20071130.patch
Log Message:
* Tue Sep 2 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-89
- Fix init script paths
policy-20071130.patch:
Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.204
retrieving revision 1.205
diff -u -r1.204 -r1.205
--- policy-20071130.patch 4 Sep 2008 20:59:27 -0000 1.204
+++ policy-20071130.patch 8 Sep 2008 14:21:48 -0000 1.205
@@ -8274,7 +8274,7 @@
# /emul
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.3.1/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2008-06-12 23:38:02.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-09-04 16:31:45.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/kernel/files.if 2008-09-08 09:36:03.000000000 -0400
@@ -110,6 +110,11 @@
## </param>
#
@@ -8552,7 +8552,7 @@
')
')
-@@ -4756,3 +4927,53 @@
+@@ -4756,3 +4927,71 @@
allow $1 { file_type -security_file_type }:dir manage_dir_perms;
')
@@ -8606,6 +8606,24 @@
+ filetrans_pattern($1,root_t,default_t,dir)
+')
+
++########################################
++## <summary>
++## manage generic symbolic links
++## in the /var/run directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`files_manage_generic_pids_symlinks',`
++ gen_require(`
++ type var_run_t;
++ ')
++
++ manage_lnk_files_pattern($1,var_run_t,var_run_t)
++')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.te serefpolicy-3.3.1/policy/modules/kernel/files.te
--- nsaserefpolicy/policy/modules/kernel/files.te 2008-06-12 23:38:02.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/kernel/files.te 2008-09-04 16:31:45.000000000 -0400
@@ -10354,7 +10372,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-09-04 16:31:45.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-09-05 14:43:04.000000000 -0400
@@ -20,6 +20,8 @@
# Declarations
#
@@ -10593,7 +10611,7 @@
tunable_policy(`httpd_can_network_relay',`
# allow httpd to work as a relay
corenet_tcp_connect_gopher_port(httpd_t)
-@@ -382,12 +458,22 @@
+@@ -382,12 +458,26 @@
corenet_sendrecv_http_cache_client_packets(httpd_t)
')
@@ -10604,24 +10622,28 @@
+ filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file })
+ can_exec(httpd_sys_script_t, httpd_sys_content_t)
+')
-+
-+tunable_policy(`allow_httpd_sys_script_anon_write',`
-+ miscfiles_manage_public_files(httpd_sys_script_t)
-+')
- manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
- manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
- manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
++tunable_policy(`allow_httpd_sys_script_anon_write',`
++ miscfiles_manage_public_files(httpd_sys_script_t)
++')
++
+tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
+ domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
+ filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
+ manage_dirs_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
+ manage_lnk_files_pattern(httpd_t, httpdcontent, httpd_sys_content_rw_t)
++
++ manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
++ manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
++ manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
')
tunable_policy(`httpd_enable_ftp_server',`
-@@ -399,11 +485,21 @@
+@@ -399,11 +489,21 @@
fs_read_nfs_symlinks(httpd_t)
')
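Review bot: The three `manage_*_pattern(httpd_t, httpdcontent, httpdcontent)` lines added at the end of the `httpd_enable_cgi && httpd_unified && httpd_builtin_scripting` block give httpd_t write access to every type carrying the httpdcontent attribute, not only the httpd_sys_content_rw_t that the preceding filetrans_pattern targets, whenever all three booleans are on. The inner-patch lines removed just above suggest these rules were previously unconditional, so gating them is a tightening, but the block should record that unified mode deliberately collapses the read-only/read-write content split, e.g. `# unified: httpd_t may write all httpdcontent types, not only *_rw_t`. The surrounding tunable_policy block begins before this hunk.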
@@ -10643,7 +10665,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -437,8 +533,13 @@
+@@ -437,8 +537,13 @@
')
optional_policy(`
@@ -10659,7 +10681,7 @@
')
optional_policy(`
-@@ -450,19 +551,13 @@
+@@ -450,19 +555,13 @@
')
optional_policy(`
@@ -10680,7 +10702,7 @@
')
optional_policy(`
-@@ -472,13 +567,22 @@
+@@ -472,13 +571,22 @@
openca_kill(httpd_t)
')
@@ -10707,7 +10729,7 @@
')
optional_policy(`
-@@ -486,6 +590,7 @@
+@@ -486,6 +594,7 @@
')
optional_policy(`
@@ -10715,7 +10737,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -521,6 +626,22 @@
+@@ -521,6 +630,22 @@
userdom_use_sysadm_terms(httpd_helper_t)
')
@@ -10738,7 +10760,7 @@
########################################
#
# Apache PHP script local policy
-@@ -550,18 +671,26 @@
+@@ -550,18 +675,26 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -10768,7 +10790,7 @@
')
########################################
-@@ -585,6 +714,8 @@
+@@ -585,6 +718,8 @@
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -10777,7 +10799,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -593,9 +724,7 @@
+@@ -593,9 +728,7 @@
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -10788,7 +10810,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -628,6 +757,7 @@
+@@ -628,6 +761,7 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -10796,7 +10818,7 @@
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
')
-@@ -638,6 +768,12 @@
+@@ -638,6 +772,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -10809,7 +10831,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +791,6 @@
+@@ -655,10 +795,6 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -10820,7 +10842,7 @@
########################################
#
# Apache system script local policy
-@@ -668,7 +800,8 @@
+@@ -668,7 +804,8 @@
dontaudit httpd_sys_script_t httpd_config_t:dir search;
@@ -10830,7 +10852,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +815,44 @@
+@@ -682,15 +819,44 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -10842,15 +10864,15 @@
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+tunable_policy(`httpd_use_nfs', `
- fs_read_nfs_files(httpd_sys_script_t)
- fs_read_nfs_symlinks(httpd_sys_script_t)
- ')
-
-+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+')
+
++tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs', `
+ fs_read_nfs_files(httpd_sys_script_t)
+ fs_read_nfs_symlinks(httpd_sys_script_t)
+ ')
+
+tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+ allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
+ allow httpd_sys_script_t self:udp_socket create_socket_perms;
@@ -10876,7 +10898,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -703,6 +865,10 @@
+@@ -703,6 +869,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -10887,7 +10909,7 @@
')
########################################
-@@ -724,3 +890,68 @@
+@@ -724,3 +894,71 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -10939,6 +10961,9 @@
+
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+ can_exec(httpd_user_script_t, httpd_user_content_t)
++ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
++ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+')
+
+# allow accessing files/dirs below the users home dir
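Review bot: The three `manage_*_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)` lines added inside the `httpd_enable_cgi && httpd_unified` block grant httpd_sys_script_t, while the only other rule in that block, `can_exec(httpd_user_script_t, httpd_user_content_t)`, concerns httpd_user_script_t. If system CGI scripts are meant to write all httpdcontent in unified mode, a one-line comment such as `# unified: sys scripts may manage all httpdcontent types` would make the mixed-domain block intentional; if the lines were carried over from the httpd_t block earlier in the file, the intended domain may have been httpd_user_script_t. Either way the grant is broad, since httpdcontent covers the read-only content types as well.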
@@ -18060,7 +18085,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerneloops.te serefpolicy-3.3.1/policy/modules/services/kerneloops.te
--- nsaserefpolicy/policy/modules/services/kerneloops.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/kerneloops.te 2008-09-04 16:31:45.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/kerneloops.te 2008-09-08 08:38:57.000000000 -0400
@@ -0,0 +1,57 @@
+policy_module(kerneloops,1.0.0)
+
@@ -18082,7 +18107,7 @@
+# kerneloops local policy
+#
+allow kerneloops_t self:capability sys_nice;
-+allow kerneloops_t self:process { setsched getsched };
++allow kerneloops_t self:process { setsched getsched signal };
+
+# Init script handling
+domain_use_interactive_fds(kerneloops_t)
@@ -21195,6 +21220,17 @@
+optional_policy(`
+ unconfined_ptrace(polkit_resolve_t)
+')
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portmap.te serefpolicy-3.3.1/policy/modules/services/portmap.te
+--- nsaserefpolicy/policy/modules/services/portmap.te 2008-06-12 23:38:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/portmap.te 2008-09-05 15:18:22.000000000 -0400
+@@ -41,6 +41,7 @@
+ manage_files_pattern(portmap_t,portmap_var_run_t,portmap_var_run_t)
+ files_pid_filetrans(portmap_t,portmap_var_run_t,file)
+
++kernel_read_system_state(portmap_t)
+ kernel_read_kernel_sysctls(portmap_t)
+ kernel_list_proc(portmap_t)
+ kernel_read_proc_symlinks(portmap_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/portslave.te serefpolicy-3.3.1/policy/modules/services/portslave.te
--- nsaserefpolicy/policy/modules/services/portslave.te 2008-06-12 23:38:01.000000000 -0400
+++ serefpolicy-3.3.1/policy/modules/services/portslave.te 2008-09-04 16:31:45.000000000 -0400
@@ -31803,7 +31839,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/init.te serefpolicy-3.3.1/policy/modules/system/init.te
--- nsaserefpolicy/policy/modules/system/init.te 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-09-04 16:31:45.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/init.te 2008-09-08 09:34:54.000000000 -0400
@@ -10,6 +10,20 @@
# Declarations
#
@@ -31957,7 +31993,17 @@
manage_dirs_pattern(initrc_t,initrc_state_t,initrc_state_t)
manage_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
-@@ -257,7 +296,7 @@
+@@ -212,7 +251,8 @@
+ manage_fifo_files_pattern(initrc_t,initrc_state_t,initrc_state_t)
+
+ allow initrc_t initrc_var_run_t:file manage_file_perms;
+-files_pid_filetrans(initrc_t,initrc_var_run_t,file)
++files_pid_filetrasn(initrc_t,initrc_var_run_t,file)
++files_manage_generic_pids_symlinks(initrc_t)
+
+ can_exec(initrc_t,initrc_tmp_t)
+ allow initrc_t initrc_tmp_t:file manage_file_perms;
+@@ -257,7 +297,7 @@
dev_read_sound_mixer(initrc_t)
dev_write_sound_mixer(initrc_t)
dev_setattr_all_chr_files(initrc_t)
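Review bot: `files_pid_filetrasn` on the replaced line is a typo for `files_pid_filetrans` — the interface called on the removed line directly above and used elsewhere in this patch (portmap.te). The intent was evidently only to add `files_manage_generic_pids_symlinks(initrc_t)` beneath it, not to rename the call; as written the unknown macro is likely left unexpanded and the policy build fails, or initrc_t silently loses its pid-file type transition. Restore `files_pid_filetrans(initrc_t,initrc_var_run_t,file)` and keep the new symlink line after it.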
@@ -31966,7 +32012,7 @@
dev_delete_lvm_control_dev(initrc_t)
dev_manage_generic_symlinks(initrc_t)
dev_manage_generic_files(initrc_t)
-@@ -283,7 +322,6 @@
+@@ -283,7 +323,6 @@
mls_process_read_up(initrc_t)
mls_process_write_down(initrc_t)
mls_rangetrans_source(initrc_t)
@@ -31974,7 +32020,7 @@
selinux_get_enforce_mode(initrc_t)
-@@ -496,6 +534,31 @@
+@@ -496,6 +535,31 @@
')
')
@@ -32006,7 +32052,7 @@
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
-@@ -554,16 +617,12 @@
+@@ -554,16 +618,12 @@
dbus_read_config(initrc_t)
optional_policy(`
@@ -32027,7 +32073,7 @@
')
optional_policy(`
-@@ -639,12 +698,6 @@
+@@ -639,12 +699,6 @@
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
@@ -32040,7 +32086,7 @@
optional_policy(`
ifdef(`distro_redhat',`
-@@ -705,6 +758,9 @@
+@@ -705,6 +759,9 @@
# why is this needed:
rpm_manage_db(initrc_t)
@@ -32050,7 +32096,7 @@
')
optional_policy(`
-@@ -717,9 +773,11 @@
+@@ -717,9 +774,11 @@
squid_manage_logs(initrc_t)
')
@@ -32065,7 +32111,7 @@
')
optional_policy(`
-@@ -738,6 +796,11 @@
+@@ -738,6 +797,11 @@
uml_setattr_util_sockets(initrc_t)
')
@@ -32077,7 +32123,7 @@
optional_policy(`
unconfined_domain(initrc_t)
-@@ -752,6 +815,10 @@
+@@ -752,6 +816,10 @@
')
optional_policy(`
@@ -32088,7 +32134,7 @@
vmware_read_system_config(initrc_t)
vmware_append_system_config(initrc_t)
')
-@@ -774,3 +841,4 @@
+@@ -774,3 +842,4 @@
optional_policy(`
zebra_read_config(initrc_t)
')
@@ -32215,7 +32261,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.3.1/policy/modules/system/libraries.fc
--- nsaserefpolicy/policy/modules/system/libraries.fc 2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-09-04 16:31:45.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/libraries.fc 2008-09-08 09:14:37.000000000 -0400
@@ -69,8 +69,10 @@
ifdef(`distro_gentoo',`
# despite the extensions, they are actually libs
@@ -32275,7 +32321,16 @@
/usr/lib(64)?/.*/libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/local/(.*/)?libflashplayer\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
HOME_DIR/.*/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
-@@ -287,11 +294,15 @@
+@@ -263,6 +270,8 @@
+ /usr/lib(64)?/vmware/lib(/.*)?/HConfig\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/lib(64)?/vmware/(.*/)?VmPerl\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+
++/usr/lib(64)?/(virtualbox(-ose)?/)?(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
++
+ # Java, Sun Microsystems (JPackage SRPM)
+ /usr/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ /usr/local/(.*/)?jre.*/.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+@@ -287,11 +296,15 @@
/usr/lib/acroread/(.*/)?lib/[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
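Review bot: The new VBox entry labels libraries textrel_shlib_t, which permits text relocations (execmod), so the regex should be as narrow as the install layout allows; with `(virtualbox(-ose)?/)?` optional it also matches any `VBox*.so` placed directly under `/usr/lib(64)?`. If no VirtualBox library lives outside the virtualbox directory, make that path component mandatory, e.g. `/usr/lib(64)?/virtualbox(-ose)?/(components/)?VBox.*\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)`. The neighbouring vmware and jre entries also accept versioned names via `\.so(\.[^/]*)*`; if any VBox library is shipped with a version suffix, this pattern will miss it and leave it as lib_t.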
@@ -32291,7 +32346,7 @@
/var/ftp/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/ftp/lib(64)?/ld[^/]*\.so(\.[^/]*)* -- gen_context(system_u:object_r:ld_so_t,s0)
-@@ -304,3 +315,13 @@
+@@ -304,3 +317,13 @@
/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)