rpms/selinux-policy/F-10 policy-20080710.patch,1.137,1.138
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Feb 18 10:00:44 UTC 2009
Author: mgrepl
Update of /cvs/extras/rpms/selinux-policy/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7866
Modified Files:
policy-20080710.patch
Log Message:
- Fix kismet policy
policy-20080710.patch:
Index: policy-20080710.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-10/policy-20080710.patch,v
retrieving revision 1.137
retrieving revision 1.138
diff -u -r1.137 -r1.138
--- policy-20080710.patch 11 Feb 2009 10:05:32 -0000 1.137
+++ policy-20080710.patch 18 Feb 2009 10:00:43 -0000 1.138
@@ -559,10 +559,32 @@
term_use_all_terms(consoletype_t)
init_use_fds(consoletype_t)
+diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.if serefpolicy-3.5.13/policy/modules/admin/kismet.if
+--- nsaserefpolicy/policy/modules/admin/kismet.if 2008-10-17 14:49:14.000000000 +0200
++++ serefpolicy-3.5.13/policy/modules/admin/kismet.if 2009-02-18 10:16:20.000000000 +0100
+@@ -16,6 +16,7 @@
+ ')
+
+ domtrans_pattern($1, kismet_exec_t, kismet_t)
++ allow kismet_t $1:process signull;
+ ')
+
+ ########################################
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kismet.te serefpolicy-3.5.13/policy/modules/admin/kismet.te
--- nsaserefpolicy/policy/modules/admin/kismet.te 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2009-02-10 15:07:15.000000000 +0100
-@@ -25,11 +25,13 @@
++++ serefpolicy-3.5.13/policy/modules/admin/kismet.te 2009-02-18 10:11:52.000000000 +0100
+@@ -20,16 +20,24 @@
+ type kismet_log_t;
+ logging_log_file(kismet_log_t)
+
++type kismet_tmpfs_t;
++files_tmpfs_file(kismet_tmpfs_t)
++
++type kismet_tmp_t;
++files_tmp_file(kismet_tmp_t)
++
+ ########################################
+ #
# kismet local policy
#
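Review bot: The new `allow kismet_t $1:process signull;` in kismet.if grants a permission in the reverse direction, from kismet_t back to the calling domain, inside an interface whose header and doc block lie outside this hunk (presumably the domain-transition interface, given the `domtrans_pattern($1, kismet_exec_t, kismet_t)` it follows). Callers of a domtrans interface do not generally expect the target domain to gain rights over them, so the interface summary should say so; something like `## Execute kismet in the kismet domain; the kismet domain is also allowed to send signull to the caller.` in the `<summary>` block would cover it. The kismet_tmpfs_t and kismet_tmp_t declarations in the rest of the hunk read fine.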
@@ -578,12 +600,19 @@
manage_files_pattern(kismet_t, kismet_log_t, kismet_log_t)
allow kismet_t kismet_log_t:dir setattr;
-@@ -43,15 +45,35 @@
+@@ -43,15 +51,50 @@
allow kismet_t kismet_var_run_t:dir manage_dir_perms;
files_pid_filetrans(kismet_t, kismet_var_run_t, { file dir })
-kernel_search_debugfs(kismet_t)
--
++manage_dirs_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++manage_files_pattern(kismet_t, kismet_tmpfs_t, kismet_tmpfs_t)
++fs_tmpfs_filetrans(kismet_t, kismet_tmpfs_t, { dir file })
++
++manage_dirs_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++manage_files_pattern(kismet_t, kismet_tmp_t, kismet_tmp_t)
++files_tmp_filetrans(kismet_t, kismet_tmp_t, { file dir })
+
corecmd_exec_bin(kismet_t)
+corecmd_exec_shell(kismet_t)
+
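Review bot: `corecmd_exec_shell(kismet_t)` is added unconditionally and neither the hunk nor the log message ("Fix kismet policy") records which kismet feature needs a shell, which makes this grant hard to review or tighten later. A one-line why-comment above it would do, e.g. `# shell needed for <reason seen in the AVC — fill in>`, with the scenario filled in by the author. The tmp/tmpfs management and filetrans rules above it match the kismet_tmp_t and kismet_tmpfs_t declarations added earlier in the patch.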
@@ -595,6 +624,7 @@
+corenet_tcp_bind_all_nodes(kismet_t)
+corenet_tcp_bind_kismet_port(kismet_t)
+corenet_tcp_connect_kismet_port(kismet_t)
++corenet_tcp_connect_pulseaudio_port(kismet_t)
+
+kernel_search_debugfs(kismet_t)
+kernel_read_system_state(kismet_t)
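Review bot: `corenet_tcp_connect_pulseaudio_port(kismet_t)` lets the kismet daemon open TCP connections to the pulseaudio port without any comment or boolean explaining the dependency; together with the user tmpfs read added later in the patch it looks like audio-alert support, but that is inferred, not stated. A short comment such as `# audio alerts: connect to the pulseaudio port` (adjusted to the actual reason) would let a later reviewer judge whether the grant is still needed. If the feature is optional in practice, wrapping it in a tunable would let hardened deployments keep the daemon off the network path to pulseaudio.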
@@ -603,12 +633,18 @@
files_read_etc_files(kismet_t)
+files_read_usr_files(kismet_t)
++
++fs_getattr_tmpfs(kismet_t)
libs_use_ld_so(kismet_t)
libs_use_shared_libs(kismet_t)
miscfiles_read_localization(kismet_t)
+
++userdom_read_generic_user_tmpfs_files(kismet_t)
++
++sysadm_dontaudit_manage_home_files(kismet_t)
++
+optional_policy(`
+ dbus_system_bus_client_template(kismet, kismet_t)
+
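Review bot: `sysadm_dontaudit_manage_home_files(kismet_t)` silences denials for the full manage permission sets (create, write, unlink, rename, and so on) on admin_home_t, so any attempt by the kismet domain to modify content under the sysadm home directory will no longer appear in the audit log. If the denial being fixed was a read or getattr, the existing `sysadm_dontaudit_read_home_content_files` (visible in the sysadm.if hunk below) is the narrower choice; if a write is genuinely expected, a comment stating which files kismet touches would justify the wider dontaudit. The same concern applies to the interface definition added in the sysadm.if hunk further down in this commit.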
@@ -8689,6 +8725,7 @@
+
+ dontaudit $1 fusefs_t:file manage_file_perms;
+')
+Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.5.13/policy/modules/kernel/filesystem.te
--- nsaserefpolicy/policy/modules/kernel/filesystem.te 2008-10-17 14:49:14.000000000 +0200
+++ serefpolicy-3.5.13/policy/modules/kernel/filesystem.te 2009-02-10 15:07:15.000000000 +0100
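Review bot: The added line `Binary files nsaserefpolicy/policy/modules/kernel/.filesystem.if.swp and serefpolicy-3.5.13/policy/modules/kernel/.filesystem.if.swp differ` shows that an editor swap file was present in the serefpolicy tree when the patch was regenerated. It is noise in the patch, and a hint that the tree was diffed while filesystem.if was still open in an editor, so the swap file may hold an unsaved version that differs from what the patch carries. Drop that line from the patch, and add a `*.swp` pattern to the `exclude` file that `--exclude-from=exclude` references so it cannot recur.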
@@ -9396,7 +9433,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.5.13/policy/modules/roles/sysadm.if
--- nsaserefpolicy/policy/modules/roles/sysadm.if 2008-10-17 14:49:14.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/roles/sysadm.if 2009-02-18 10:14:24.000000000 +0100
@@ -334,10 +334,10 @@
#
interface(`sysadm_getattr_home_dirs',`
@@ -9537,7 +9574,7 @@
')
########################################
-@@ -516,13 +534,33 @@
+@@ -516,12 +534,52 @@
#
interface(`sysadm_dontaudit_read_home_content_files',`
gen_require(`
@@ -9551,7 +9588,7 @@
+ dontaudit $1 admin_home_t:dir list_dir_perms;
+ dontaudit $1 admin_home_t:file read_file_perms;
+
- ')
++')
+########################################
+## <summary>
+## Do not audit attempts to read sym links in the sysadm
@@ -9572,10 +9609,29 @@
+
+')
+
++######################################
++## <summary>
++## Do not audit attempts to manage files in the sysadm
++## home directory.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain to not audit.
++## </summary>
++## </param>
++#
++interface(`sysadm_dontaudit_manage_home_files',`
++ gen_require(`
++ type admin_home_t;
++ ')
++
++ dontaudit $1 admin_home_t:dir manage_dir_perms;
++ dontaudit $1 admin_home_t:file manage_file_perms;
++ dontaudit $1 admin_home_t:lnk_file manage_lnk_file_perms;
+ ')
########################################
- ## <summary>
-@@ -536,12 +574,12 @@
+@@ -536,12 +594,12 @@
#
interface(`sysadm_read_tmp_files',`
gen_require(`
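Review bot: The summary of the new `sysadm_dontaudit_manage_home_files` interface says files only, but the body dontaudits `manage_dir_perms`, `manage_file_perms` and `manage_lnk_file_perms` on admin_home_t, so directory and symlink operations are silenced as well. Suggest `## Do not audit attempts to manage files, directories and symbolic links in the sysadm home directory.` as the summary so callers know what they are hiding. Because the interface suppresses denials for destructive permissions, a short sentence in the description that it should be used only where write attempts are known to be benign would help keep it from becoming the default choice over the read-only dontaudit interfaces.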
@@ -11488,7 +11544,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2009-02-10 15:08:27.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/apache.te 2009-02-18 10:20:44.000000000 +0100
@@ -20,6 +20,8 @@
# Declarations
#
@@ -11715,7 +11771,8 @@
+## </desc>
+gen_tunable(allow_httpd_mod_auth_pam, false)
+
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+- auth_domtrans_chk_passwd(httpd_t)
+ auth_domtrans_chkpwd(httpd_t)
+')
+
@@ -11726,13 +11783,12 @@
+## </desc>
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
+optional_policy(`
- tunable_policy(`allow_httpd_mod_auth_pam',`
-- auth_domtrans_chk_passwd(httpd_t)
++tunable_policy(`allow_httpd_mod_auth_pam',`
+ samba_domtrans_winbind_helper(httpd_t)
')
')
-@@ -370,20 +450,69 @@
+@@ -370,20 +450,68 @@
corenet_tcp_connect_all_ports(httpd_t)
')
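Review bot: The added ``tunable_policy(`allow_httpd_mod_auth_pam',` `` immediately below `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` appears to gate `samba_domtrans_winbind_helper(httpd_t)` on the mod_auth_pam boolean rather than the ntlm_winbind one, so toggling allow_httpd_mod_auth_ntlm_winbind would have no effect and enabling allow_httpd_mod_auth_pam would also grant the winbind helper transition. Leading whitespace is lost on this page, so this is read from line order; if the lines are as they appear, the fix is ``tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` ``. The `optional_policy` block that wraps it opens and closes within the hunk.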
@@ -11768,7 +11824,6 @@
+tunable_policy(`httpd_enable_cgi && httpd_unified',`
+
+ allow httpd_user_script_t httpdcontent:file entrypoint;
-+
+ manage_dirs_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_content_t,httpd_user_content_t)
+ manage_files_pattern(httpd_user_script_t, httpd_user_script_ra_t,httpd_user_script_ra_t)
@@ -11803,7 +11858,7 @@
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -394,20 +523,28 @@
+@@ -394,20 +522,28 @@
corenet_tcp_bind_ftp_port(httpd_t)
')
@@ -11836,7 +11891,7 @@
tunable_policy(`httpd_ssi_exec',`
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
allow httpd_sys_script_t httpd_t:fd use;
-@@ -441,8 +578,13 @@
+@@ -441,8 +577,13 @@
')
optional_policy(`
@@ -11852,7 +11907,7 @@
')
optional_policy(`
-@@ -454,18 +596,13 @@
+@@ -454,18 +595,13 @@
')
optional_policy(`
@@ -11872,7 +11927,7 @@
')
optional_policy(`
-@@ -475,6 +612,12 @@
+@@ -475,6 +611,12 @@
openca_kill(httpd_t)
')
@@ -11885,7 +11940,7 @@
optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
-@@ -482,6 +625,7 @@
+@@ -482,6 +624,7 @@
tunable_policy(`httpd_can_network_connect_db',`
postgresql_tcp_connect(httpd_t)
@@ -11893,7 +11948,7 @@
')
')
-@@ -490,6 +634,7 @@
+@@ -490,6 +633,7 @@
')
optional_policy(`
@@ -11901,7 +11956,7 @@
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -519,9 +664,28 @@
+@@ -519,9 +663,28 @@
logging_send_syslog_msg(httpd_helper_t)
tunable_policy(`httpd_tty_comm',`
@@ -11930,7 +11985,7 @@
########################################
#
# Apache PHP script local policy
-@@ -551,22 +715,30 @@
+@@ -551,22 +714,30 @@
fs_search_auto_mountpoints(httpd_php_t)
@@ -11965,7 +12020,7 @@
')
########################################
-@@ -584,12 +756,14 @@
+@@ -584,12 +755,14 @@
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
@@ -11981,7 +12036,7 @@
kernel_read_kernel_sysctls(httpd_suexec_t)
kernel_list_proc(httpd_suexec_t)
kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -597,10 +771,9 @@
+@@ -597,10 +770,9 @@
dev_read_urand(httpd_suexec_t)
fs_search_auto_mountpoints(httpd_suexec_t)
@@ -11994,7 +12049,7 @@
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -616,6 +789,7 @@
+@@ -616,6 +788,7 @@
logging_send_syslog_msg(httpd_suexec_t)
miscfiles_read_localization(httpd_suexec_t)
@@ -12002,7 +12057,7 @@
tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -633,12 +807,21 @@
+@@ -633,12 +806,21 @@
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -12014,20 +12069,20 @@
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
tunable_policy(`httpd_enable_cgi && httpd_unified',`
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
--')
-
--tunable_policy(`httpd_enable_homedirs',`
-- userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
++ allow httpd_sys_script_t httpdcontent:file entrypoint;
+ manage_dirs_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
+ manage_lnk_files_pattern(httpd_sys_script_t, httpdcontent, httpdcontent)
-+')
+ ')
+-
+-tunable_policy(`httpd_enable_homedirs',`
+- userdom_read_unpriv_users_home_content_files(httpd_suexec_t)
+tunable_policy(`httpd_enable_cgi',`
+ domtrans_pattern(httpd_suexec_t, httpd_user_script_t, httpd_user_script_t)
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
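Review bot: The new `allow httpd_sys_script_t httpdcontent:file entrypoint;` inside the `httpd_enable_cgi && httpd_unified` block makes every file carrying the httpdcontent attribute a valid entry point into httpd_sys_script_t; if that attribute also covers content types the web server can write (declared outside this hunk), web-writable content can then be executed as a system script once the boolean is on. That is presumably the intent of httpd_unified, but it deserves a comment so the trade-off stays visible, e.g. `# httpd_unified: any httpdcontent file may be an entry point for sys scripts`. The tunable_policy block opens and closes within the hunk, and the `httpd_enable_homedirs` lines are only moved, not changed.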
-@@ -647,6 +830,12 @@
+@@ -647,6 +829,12 @@
fs_exec_nfs_files(httpd_suexec_t)
')
@@ -12040,7 +12095,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_suexec_t)
fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -664,20 +853,20 @@
+@@ -664,20 +852,20 @@
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -12066,7 +12121,7 @@
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
-@@ -691,12 +880,27 @@
+@@ -691,12 +879,27 @@
# Should we add a boolean?
apache_domtrans_rotatelogs(httpd_sys_script_t)
@@ -12096,7 +12151,7 @@
')
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -704,6 +908,31 @@
+@@ -704,6 +907,31 @@
fs_read_nfs_symlinks(httpd_sys_script_t)
')
@@ -12128,7 +12183,7 @@
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -716,10 +945,10 @@
+@@ -716,10 +944,10 @@
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -12143,7 +12198,7 @@
')
########################################
-@@ -727,6 +956,8 @@
+@@ -727,6 +955,8 @@
# httpd_rotatelogs local policy
#
@@ -12152,7 +12207,7 @@
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -741,3 +972,66 @@
+@@ -741,3 +971,66 @@
logging_search_logs(httpd_rotatelogs_t)
miscfiles_read_localization(httpd_rotatelogs_t)
@@ -19058,7 +19113,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.te serefpolicy-3.5.13/policy/modules/services/networkmanager.te
--- nsaserefpolicy/policy/modules/services/networkmanager.te 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/services/networkmanager.te 2009-02-12 23:07:03.000000000 +0100
@@ -19,6 +19,9 @@
type NetworkManager_tmp_t;
files_tmp_file(NetworkManager_tmp_t)
@@ -35247,7 +35302,7 @@
+/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.5.13/policy/modules/system/userdomain.if
--- nsaserefpolicy/policy/modules/system/userdomain.if 2008-10-17 14:49:13.000000000 +0200
-+++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-02-10 15:07:15.000000000 +0100
++++ serefpolicy-3.5.13/policy/modules/system/userdomain.if 2009-02-18 10:13:15.000000000 +0100
@@ -28,10 +28,14 @@
class context contains;
')
@@ -37467,7 +37522,7 @@
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
-@@ -5513,3 +5700,601 @@
+@@ -5513,3 +5700,622 @@
interface(`userdom_unconfined',`
refpolicywarn(`$0($*) has been deprecated.')
')
@@ -37812,6 +37867,27 @@
+
+#######################################
+## <summary>
++## Read user tmpfs files.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`userdom_read_generic_user_tmpfs_files',`
++ gen_require(`
++ type user_tmpfs_t;
++ ')
++
++ read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
++ allow $1 user_tmpfs_t:dir list_dir_perms;
++ fs_search_tmpfs($1)
++')
++
++#######################################
++## <summary>
+## The template for creating a unprivileged user roughly
+## equivalent to a regular linux user.
+## </summary>
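Review bot: The summary of the new `userdom_read_generic_user_tmpfs_files` interface says "Read user tmpfs files", but the body also grants `read_lnk_files_pattern`, `list_dir_perms` on user_tmpfs_t directories and `fs_search_tmpfs($1)`, so a caller receives more than file reads. Suggest `## Read user tmpfs files and symlinks, and list user tmpfs directories.` so the grant is described accurately. If user_tmpfs_t is a single generic type shared by all user domains rather than a per-user one (its declaration is outside this hunk), the description should also say that the caller can read every user's tmpfs content.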