From d2285e6e8b9bd7e4086779f3f31d6b34ad12b25c Mon Sep 17 00:00:00 2001
From: Daniel J Walsh
Date: Thu, 15 Nov 2007 16:02:26 +0000
Subject: [PATCH] * Thu Nov 15 2007 Dan Walsh 2.0.31-15 - Fix File Labeling add

---
 policycoreutils-gui.patch | 71 +++------------------------------------
 policycoreutils.spec | 7 ++--
 2 files changed, 10 insertions(+), 68 deletions(-)

diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch
index 0d4d77f..cd3ec95 100644
--- a/policycoreutils-gui.patch
+++ b/policycoreutils-gui.patch
@@ -234,7 +234,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py poli
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.31/gui/fcontextPage.py
 --- nsapolicycoreutils/gui/fcontextPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.31/gui/fcontextPage.py 2007-11-05 16:29:06.000000000 -0500
++++ policycoreutils-2.0.31/gui/fcontextPage.py 2007-11-15 11:00:13.000000000 -0500
 @@ -0,0 +1,217 @@
 +## fcontextPage.py - show selinux mappings
 +## Copyright (C) 2006 Red Hat, Inc.
@@ -424,7 +424,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py poli
 + iter = self.fcontextFileTypeCombo.get_active_iter()
 + ftype=list_model.get_value(iter,0)
 + self.wait()
-+ (rc, out) = commands.getstatusoutput("semanage fcontext -a -t %s -r %s -f '%s' %s" % (type, mls, ftype, fspec))
++ (rc, out) = commands.getstatusoutput("semanage fcontext -a -t %s -r %s -f '%s' '%s'" % (type, mls, ftype, fspec))
 + self.ready()
 + if rc != 0:
 + self.error(out)
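Review bot: Wrapping fspec in single quotes still hands the whole string to a shell through commands.getstatusoutput, so a file specification that itself contains a single quote, which is a valid path character typed into a GUI field, closes the quote and the remainder of the value is parsed as shell syntax; type and mls are interpolated with no quoting at all, and the -m line in the hunk at @@ -443 has exactly the same shape. The robust fix is to run semanage without a shell, passing an argument list instead of a formatted string, e.g. `p = subprocess.Popen(["semanage", "fcontext", "-a", "-t", type, "-r", mls, "-f", ftype, fspec], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)` followed by `out = p.communicate()[0]` and `rc = p.returncode`, which keeps the (rc, out) pair that the `if rc != 0:` branch below consumes. That needs an `import subprocess` at the top of fcontextPage.py, which lies outside this hunk, as do the start and end of the enclosing method.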
@@ -443,7 +443,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py poli
 + iter = self.fcontextFileTypeCombo.get_active_iter()
 + ftype=list_model.get_value(iter,0)
 + self.wait()
-+ (rc, out) = commands.getstatusoutput("semanage fcontext -m -t %s -r %s -f '%s' %s" % (type, mls, ftype, fspec))
++ (rc, out) = commands.getstatusoutput("semanage fcontext -m -t %s -r %s -f '%s' '%s'" % (type, mls, ftype, fspec))
 + self.ready()
 + if rc != 0:
 + self.error(out)
@@ -5648,39 +5648,17 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policyc
 +
 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.31/gui/selinux.tbl
 --- nsapolicycoreutils/gui/selinux.tbl 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.31/gui/selinux.tbl 2007-11-02 15:54:42.000000000 -0400
-@@ -0,0 +1,295 @@
-+! allow_console_login _("Login") _("Allow direct login to the console device. Required for System 390")
++++ policycoreutils-2.0.31/gui/selinux.tbl 2007-11-07 16:11:37.000000000 -0500
+@@ -0,0 +1,234 @@
 +acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
-+allow_cvs_read_shadow _("CVS") _("Allow cvs daemon to read shadow")
 +allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
 +allow_daemons_use_tty _("Admin") _("Allow all daemons the ability to use unallocated ttys")
-+allow_execheap _("Memory Protection") _("Allow unconfined executables to make their heap memory executable. Doing this is a really bad idea. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
-+allow_execmem _("Memory Protection") _("Allow unconfined executables to map a memory region as both executable and writable, this is dangerous and the executable should be reported in bugzilla")
-+allow_execmod _("Memory Protection") _("Allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t")
-+allow_execstack _("Memory Protection") _("Allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla")
-+allow_ftpd_full_access _("FTP") _("Allow ftpd to full access to the system")
-+allow_ftpd_anon_write _("FTP") _("Allow ftpd to upload files to directories labeled public_content_rw_t")
-+allow_ftpd_use_cifs _("FTP") _("Allow ftp servers to use cifs used for public file transfer services")
-+allow_ftpd_use_nfs _("FTP") _("Allow ftp servers to use nfs used for public file transfer services")
-+allow_gpg_execstack _("Memory Protection") _("Allow gpg executable stack")
 +allow_gadmin_exec_content _("User Privs") _("Allow gadmin SELinux user accounts to execute files in his home directory or /tmp")
-+allow_gssd_read_tmp _("NFS") _("Allow gssd to read temp directory")
 +allow_guest_exec_content _("User Privs") _("Allow guest SELinux user accounts to execute files in his home directory or /tmp")
-+allow_httpd_anon_write _("HTTPD Service") _("Allow httpd daemon to write files in directories labeled public_content_rw_t")
-+allow_httpd_dbus_avahi _("HTTPD Service") _("Allow Apache to communicate with avahi service")
-+allow_httpd_mod_auth_pam _("HTTPD Service") _("Allow Apache to use mod_auth_pam")
-+allow_httpd_sys_script_anon_write _("HTTPD Service") _("Allow httpd scripts to write files in directories labeled public_content_rw_t")
 +allow_java_execstack _("Memory Protection") _("Allow java executable stack")
-+allow_kerberos _("Kerberos") _("Allow daemons to use kerberos files")
 +allow_mount_anyfile _("Mount") _("Allow mount to mount any file")
 +allow_mounton_anydir _("Mount") _("Allow mount to mount any directory")
 +allow_mplayer_execstack _("Memory Protection") _("Allow mplayer executable stack")
-+allow_nfsd_anon_write _("NFS") _("Allow nfs servers to modify public files used for public file transfer services")
-+allow_polyinstantiation _("Polyinstantiation") _("Enable polyinstantiated directory support")
-+allow_ptrace _("Compatibility") _("Allow sysadm_t to debug or ptrace applications")
-+allow_rsync_anon_write _("rsync") _("Allow rsync to write files in directories labeled public_content_rw_t")
-+allow_smbd_anon_write _("Samba") _("Allow Samba to write files in directories labeled public_content_rw_t")
 +allow_ssh_keysign _("SSH") _("Allow ssh to run ssh-keysign")
 +allow_staff_exec_content _("User Privs") _("Allow staff SELinux user accounts to execute files in his home directory or /tmp")
 +allow_sysadm_exec_content _("User Privs") _("Allow sysadm SELinux user accounts to execute files in his home directory or /tmp")
@@ -5693,7 +5671,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +allow_write_xshm _("XServer") _("Allow clients to write to X shared memory")
 +allow_xguest_exec_content _("User Privs") _("Allow xguest SELinux user accounts to execute files in his home directory or /tmp")
 +allow_ypbind _("NIS") _("Allow daemons to run with NIS")
-+allow_zebra_write_config _("Zebra") _("Allow zebra daemon to write it configuration files")
 +browser_confine_staff _("Web Applications") _("Transition staff SELinux user to Web Browser Domain")
 +browser_confine_sysadm _("Web Applications") _("Transition sysadm SELinux user to Web Browser Domain")
 +browser_confine_user _("Web Applications") _("Transition user SELinux user to Web Browser Domain")
@@ -5726,7 +5703,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +courier_tcpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for courier daemon")
 +cpucontrol_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpucontrol daemon")
 +cpuspeed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for cpuspeed daemon")
-+cron_can_relabel _("Cron") _("Allow system cron jobs to relabel filesystem for restoring file contexts")
 +crond_disable_trans _("Cron") _("Disable SELinux protection for crond daemon")
 +cupsd_config_disable_trans _("Printing") _("Disable SELinux protection for cupsd back end server")
 +cupsd_disable_trans _("Printing") _("Disable SELinux protection for cupsd daemon")
@@ -5753,15 +5729,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +dnsmasq_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dnsmasq daemon")
 +dovecot_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for dovecot daemon")
 +entropyd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for entropyd daemon")
-+fcron_crond _("Cron") _("Enable extra rules in the cron domain to support fcron")
 +fetchmail_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fetchmail")
 +fingerd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fingerd daemon")
 +freshclam_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for freshclam daemon")
 +fsdaemon_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for fsdaemon daemon")
-+ftpd_disable_trans _("FTP") _("Disable SELinux protection for ftpd daemon")
-+ftpd_is_daemon _("FTP") _("Allow ftpd to run directly without inetd")
-+ftp_home_dir _("FTP") _("Allow ftp to read/write files in the user home directories")
-+global_ssp _("Admin") _("This should be enabled when all programs are compiled with ProPolice/SSP stack smashing protection. All domains will be allowed to read from /dev/urandom")
 +gpm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for gpm daemon")
 +gssd_disable_trans _("NFS") _("Disable SELinux protection for gss daemon")
 +hald_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for Hal daemon")
@@ -5770,20 +5741,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +hotplug_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hotplug daemon")
 +howl_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for howl daemon")
 +hplip_disable_trans _("Printing") _("Disable SELinux protection for cups hplip daemon")
-+httpd_builtin_scripting _("HTTPD Service") _("Allow HTTPD to support built-in scripting")
-+httpd_can_sendmail _("HTTPD Service") _("Allow HTTPD to send mail")
-+httpd_can_network_connect_db _("HTTPD Service") _("Allow HTTPD scripts and modules to network connect to databases")
-+httpd_can_network_connect _("HTTPD Service") _("Allow HTTPD scripts and modules to connect to the network")
-+httpd_can_network_relay _("HTTPD Service") _("Allow httpd to act as a relay")
-+httpd_disable_trans _("HTTPD Service") _("Disable SELinux protection for httpd daemon")
-+httpd_enable_cgi _("HTTPD Service") _("Allow HTTPD cgi support")
-+httpd_enable_ftp_server _("HTTPD Service") _("Allow HTTPD to run as a ftp server")
-+httpd_enable_homedirs _("HTTPD Service") _("Allow HTTPD to read home directories")
 +httpd_rotatelogs_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for httpd rotatelogs")
-+httpd_ssi_exec _("HTTPD Service") _("Allow HTTPD to run SSI executables in the same domain as system CGI scripts")
 +httpd_suexec_disable_trans _("HTTPD Service") _("Disable SELinux protection for http suexec")
-+httpd_tty_comm _("HTTPD Service") _("Unify HTTPD to communicate with the terminal. Needed for handling certificates")
-+httpd_unified _("HTTPD Service") _("Unify HTTPD handling of all content files")
 +hwclock_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for hwclock daemon")
 +i18n_input_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for i18n daemon")
 +imazesrv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for imazesrv daemon")
@@ -5813,12 +5772,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +mysqld_disable_trans _("Databases") _("Disable SELinux protection for mysqld daemon")
 +nagios_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nagios daemon")
 +named_disable_trans _("Name Service") _("Disable SELinux protection for named daemon")
-+named_write_master_zones _("Name Service") _("Allow named to overwrite master zone files")
 +nessusd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nessusd daemon")
 +NetworkManager_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for NetworkManager")
 +nfsd_disable_trans _("NFS") _("Disable SELinux protection for nfsd daemon")
-+nfs_export_all_ro _("NFS") _("Allow NFS to share any file/directory read only")
-+nfs_export_all_rw _("NFS") _("Allow NFS to share any file/directory read/write")
 +nmbd_disable_trans _("Samba") _("Disable SELinux protection for nmbd daemon")
 +nrpe_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for nrpe daemon")
 +nscd_disable_trans _("Name Service") _("Disable SELinux protection for nscd daemon")
@@ -5834,10 +5790,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +portslave_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for portslave daemon")
 +postfix_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for postfix")
 +postgresql_disable_trans _("Databases") _("Disable SELinux protection for postgresql daemon")
-+openvpn_enable_homedirs _("Network Configuration") _("Allow openvpn service access to users home directories")
-+pppd_can_insmod _("pppd") _("Allow pppd daemon to insert modules into the kernel")
-+pppd_disable_trans _("pppd") _("Disable SELinux protection for pppd daemon")
-+pppd_disable_trans _("pppd") _("Disable SELinux protection for the mozilla ppp daemon")
 +pppd_for_user _("pppd") _("Allow pppd to be run for a regular user")
 +pptp_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for pptp")
 +prelink_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for prelink daemon")
@@ -5851,7 +5803,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +rdisc_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rdisc")
 +readahead_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for readahead")
 +read_default_t _("Admin") _("Allow programs to read files in non-standard locations (default_t)")
-+read_untrusted_content _("Web Applications") _("Allow programs to read untrusted content without relabel")
 +restorecond_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for restorecond")
 +rhgb_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rhgb daemon")
 +ricci_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ricci")
@@ -5861,7 +5812,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +rshd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for rshd")
 +rsync_disable_trans _("rsync") _("Disable SELinux protection for rsync daemon")
 +run_ssh_inetd _("SSH") _("Allow ssh to run from inetd instead of as a daemon")
-+samba_enable_home_dirs _("Samba") _("Allow Samba to share users home directories")
 +samba_share_nfs _("Samba") _("Allow Samba to share nfs directories")
 +allow_saslauthd_read_shadow _("SASL authentication server") _("Allow sasl authentication server to read /etc/shadow")
 +allow_xserver_execmem _("XServer") _("Allow X-Windows server to map a memory region as both executable and writable")
@@ -5907,8 +5857,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +unlimitedUtils _("Admin") _("Allow privileged utilities like hotplug and insmod to run unconfined")
 +updfstab_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for updfstab daemon")
 +uptimed_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uptimed daemon")
-+use_lpd_server _("Printing") _("Use lpd server instead of cups")
-+use_nfs_home_dirs _("NFS") _("Support NFS home directories")
 +user_canbe_sysadm _("User Privs") _("Allow user_r to reach sysadm_r via su, sudo, or userhelper. Otherwise, only staff_r can do so")
 +user_can_mount _("Mount") _("Allow users to execute the mount command")
 +user_direct_mouse _("User Privs") _("Allow regular users direct mouse access (only allow the X server)")
@@ -5919,12 +5867,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +user_rw_usb _("User Privs") _("Allow users to rw usb devices")
 +user_tcp_server _("User Privs") _("Allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols")
 +user_ttyfile_stat _("User Privs") _("Allow user to stat ttyfiles")
-+use_samba_home_dirs _("Samba") _("Allow users to login with CIFS home directories")
 +uucpd_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for uucpd daemon")
 +vmware_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for vmware daemon")
 +watchdog_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for watchdog daemon")
 +winbind_disable_trans _("Samba") _("Disable SELinux protection for winbind daemon")
-+write_untrusted_content _("Web Applications") _("Allow web applications to write untrusted content to disk (implies read)")
 +xdm_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xdm daemon")
 +xdm_sysadm_login _("XServer") _("Allow xdm logins as sysadm_r:sysadm_t")
 +xend_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for xen daemon")
@@ -5935,13 +5881,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
 +yppasswdd_disable_trans _("NIS") _("Disable SELinux protection for NIS Password Daemon")
 +ypserv_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for ypserv daemon")
 +ypxfr_disable_trans _("NIS") _("Disable SELinux protection for NIS Transfer Daemon")
-+zebra_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for zebra daemon")
-+httpd_use_cifs _("HTTPD Service") _("Allow httpd to access samba/cifs file systems")
-+httpd_use_nfs _("HTTPD Service") _("Allow httpd to access nfs file systems")
-+samba_domain_controller _("Samba") _("Allow samba to act as the domain controller, add users, groups and change passwords")
-+samba_export_all_ro _("Samba") _("Allow Samba to share any file/directory read only")
-+samba_export_all_rw _("Samba") _("Allow Samba to share any file/directory read/write")
-+samba_run_unconfined _("Samba") _("Allow Samba to run unconfined scripts in /var/lib/samba/scripts directory")
 +webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories")
 +webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
 +
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 798f171..3da266a 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.0.31
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -207,7 +207,10 @@ if [ "$1" -ge "1" ]; then
 fi
 
 %changelog
-* Thu Nov 9 2007 Dan Walsh 2.0.31-14
+* Thu Nov 15 2007 Dan Walsh 2.0.31-15
+- Fix File Labeling add
+
+* Thu Nov 8 2007 Dan Walsh 2.0.31-14
 - Fix semanage to handle state where policy.xml is not installed
 
 * Mon Nov 5 2007 Dan Walsh 2.0.31-13