* Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137

- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t - Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
2015-07-15 11:45:00 +02:00 · 2015-07-15 11:45:00 +02:00 · 04f749c8f0
commit 04f749c8f0
parent ee724ad113
2 changed files with 69 additions and 55 deletions
--- a/policy-rawhide-contrib.patch
+++ b/policy-rawhide-contrib.patch
@ -5208,7 +5208,7 @@ index f6eb485..164501c 100644
 +	filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
 ')
 diff --git a/apache.te b/apache.te
-index 6649962..fc23c8a 100644
+index 6649962..4516b9a 100644
 --- a/apache.te
 +++ b/apache.te
@@ -5,280 +5,346 @@ policy_module(apache, 2.7.2)
@ -6218,26 +6218,19 @@ index 6649962..fc23c8a 100644
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -624,68 +804,46 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
+@@ -624,68 +804,56 @@ tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
 -tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs && httpd_builtin_scripting',`
 -	fs_exec_nfs_files(httpd_t)
-')
-
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 +tunable_policy(`httpd_use_nfs',`
- 	fs_list_auto_mountpoints(httpd_t)
-	fs_read_cifs_files(httpd_t)
-	fs_read_cifs_symlinks(httpd_t)
+	fs_list_auto_mountpoints(httpd_t)
 +	fs_manage_nfs_dirs(httpd_t)
 +	fs_manage_nfs_files(httpd_t)
 +	fs_manage_nfs_symlinks(httpd_t)
- ')
- 
-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
-	fs_exec_cifs_files(httpd_t)
+')
+
 +
 +optional_policy(`
 +    tunable_policy(`httpd_use_nfs',`
@ -6245,35 +6238,52 @@ index 6649962..fc23c8a 100644
 +    ')
 ')
 
+ tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
+-	fs_list_auto_mountpoints(httpd_t)
+ 	fs_read_cifs_files(httpd_t)
+ 	fs_read_cifs_symlinks(httpd_t)
+ ')
+ 
+-tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs && httpd_builtin_scripting',`
+-	fs_exec_cifs_files(httpd_t)
+tunable_policy(`httpd_can_sendmail',`
+	# allow httpd to connect to mail servers
+	corenet_tcp_connect_smtp_port(httpd_t)
+	corenet_sendrecv_smtp_client_packets(httpd_t)
+	corenet_tcp_connect_pop_port(httpd_t)
+	corenet_sendrecv_pop_client_packets(httpd_t)
+ ')
+ 
 -tunable_policy(`httpd_execmem',`
 -	allow httpd_t self:process { execmem execstack };
-+tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
-+	fs_read_cifs_files(httpd_t)
-+	fs_read_cifs_symlinks(httpd_t)
- ')
- 
- tunable_policy(`httpd_can_sendmail',`
+-')
+-
+-tunable_policy(`httpd_can_sendmail',`
 -	corenet_sendrecv_smtp_client_packets(httpd_t)
-+	# allow httpd to connect to mail servers
- 	corenet_tcp_connect_smtp_port(httpd_t)
+-	corenet_tcp_connect_smtp_port(httpd_t)
 -	corenet_tcp_sendrecv_smtp_port(httpd_t)
 -	corenet_sendrecv_pop_client_packets(httpd_t)
-+	corenet_sendrecv_smtp_client_packets(httpd_t)
- 	corenet_tcp_connect_pop_port(httpd_t)
+-	corenet_tcp_connect_pop_port(httpd_t)
 -	corenet_tcp_sendrecv_pop_port(httpd_t)
 -
-+	corenet_sendrecv_pop_client_packets(httpd_t)
- 	mta_send_mail(httpd_t)
- 	mta_signal_system_mail(httpd_t)
-+    postfix_rw_spool_maildrop_files(httpd_t)
+-	mta_send_mail(httpd_t)
+-	mta_signal_system_mail(httpd_t)
+optional_policy(`
+    tunable_policy(`httpd_can_sendmail',`
+	    mta_send_mail(httpd_t)
+	    mta_signal_system_mail(httpd_t)
+    ')
 ')
 
-optional_policy(`
+ optional_policy(`
 -	tunable_policy(`httpd_can_network_connect_zabbix',`
 -		zabbix_tcp_connect(httpd_t)
 -	')
-')
-
+    tunable_policy(`httpd_can_sendmail',`
+    postfix_rw_spool_maildrop_files(httpd_t)
+    ')
+ ')
+ 
 -optional_policy(`
 -	tunable_policy(`httpd_can_sendmail && httpd_can_check_spam',`
 -		spamassassin_domtrans_client(httpd_t)
@ -6311,7 +6321,7 @@ index 6649962..fc23c8a 100644
 ')
 
 tunable_policy(`httpd_setrlimit',`
-@@ -695,49 +853,48 @@ tunable_policy(`httpd_setrlimit',`
+@@ -695,49 +863,48 @@ tunable_policy(`httpd_setrlimit',`
 
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
@ -6392,7 +6402,7 @@ index 6649962..fc23c8a 100644
 ')
 
 optional_policy(`
-@@ -749,24 +906,32 @@ optional_policy(`
+@@ -749,24 +916,32 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6431,7 +6441,7 @@ index 6649962..fc23c8a 100644
 ')
 
 optional_policy(`
-@@ -775,6 +940,10 @@ optional_policy(`
+@@ -775,6 +950,10 @@ optional_policy(`
 	tunable_policy(`httpd_dbus_avahi',`
 		avahi_dbus_chat(httpd_t)
 	')
@ -6442,7 +6452,7 @@ index 6649962..fc23c8a 100644
 ')
 
 optional_policy(`
-@@ -786,35 +955,60 @@ optional_policy(`
+@@ -786,35 +965,60 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6516,7 +6526,7 @@ index 6649962..fc23c8a 100644
 
 	tunable_policy(`httpd_manage_ipa',`
 		memcached_manage_pid_files(httpd_t)
-@@ -822,8 +1016,30 @@ optional_policy(`
+@@ -822,8 +1026,30 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6547,7 +6557,7 @@ index 6649962..fc23c8a 100644
 
 	tunable_policy(`httpd_can_network_connect_db',`
 		mysql_tcp_connect(httpd_t)
-@@ -832,6 +1048,8 @@ optional_policy(`
+@@ -832,6 +1058,8 @@ optional_policy(`
 
 optional_policy(`
 	nagios_read_config(httpd_t)
@ -6556,7 +6566,7 @@ index 6649962..fc23c8a 100644
 ')
 
 optional_policy(`
-@@ -842,20 +1060,40 @@ optional_policy(`
+@@ -842,20 +1070,40 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6603,7 +6613,7 @@ index 6649962..fc23c8a 100644
 ')
 
 optional_policy(`
-@@ -863,16 +1101,31 @@ optional_policy(`
+@@ -863,16 +1111,31 @@ optional_policy(`
 ')
 
 optional_policy(`
@ -6623,21 +6633,21 @@ index 6649962..fc23c8a 100644
 optional_policy(`
 	smokeping_read_lib_files(httpd_t)
 +    smokeping_read_pid_files(httpd_t)
+')
+
+optional_policy(`
+	files_dontaudit_rw_usr_dirs(httpd_t)
+    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
 ')
 
 optional_policy(`
 -	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 -	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
-+	files_dontaudit_rw_usr_dirs(httpd_t)
-+    snmp_dontaudit_manage_snmp_var_lib_files(httpd_t)
-+')
-+
-+optional_policy(`
 +    thin_stream_connect(httpd_t)
 ')
 
 optional_policy(`
-@@ -883,65 +1136,189 @@ optional_policy(`
+@@ -883,65 +1146,189 @@ optional_policy(`
 	yam_read_content(httpd_t)
 ')
 
@ -6849,7 +6859,7 @@ index 6649962..fc23c8a 100644
 files_dontaudit_search_pids(httpd_suexec_t)
 files_search_home(httpd_suexec_t)
 
-@@ -950,123 +1327,74 @@ auth_use_nsswitch(httpd_suexec_t)
+@@ -950,123 +1337,74 @@ auth_use_nsswitch(httpd_suexec_t)
 logging_search_logs(httpd_suexec_t)
 logging_send_syslog_msg(httpd_suexec_t)
 
@ -7004,7 +7014,7 @@ index 6649962..fc23c8a 100644
 	mysql_read_config(httpd_suexec_t)
 
 	tunable_policy(`httpd_can_network_connect_db',`
-@@ -1083,172 +1411,107 @@ optional_policy(`
+@@ -1083,172 +1421,107 @@ optional_policy(`
 	')
 ')
 
@ -7171,7 +7181,8 @@ index 6649962..fc23c8a 100644
 -#
 -# System script local policy
 -#
-
+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
+ 
 -allow httpd_sys_script_t self:tcp_socket { accept listen };
 -
 -allow httpd_sys_script_t httpd_t:tcp_socket { read write };
@ -7187,8 +7198,7 @@ index 6649962..fc23c8a 100644
 -kernel_read_kernel_sysctls(httpd_sys_script_t)
 -
 -fs_search_auto_mountpoints(httpd_sys_script_t)
-+corenet_all_recvfrom_netlabel(httpd_sys_script_t)
- 
+-
 -files_read_var_symlinks(httpd_sys_script_t)
 -files_search_var_lib(httpd_sys_script_t)
 -files_search_spool(httpd_sys_script_t)
@ -7242,7 +7252,7 @@ index 6649962..fc23c8a 100644
 ')
 
 tunable_policy(`httpd_read_user_content',`
-@@ -1256,64 +1519,74 @@ tunable_policy(`httpd_read_user_content',`
+@@ -1256,64 +1529,74 @@ tunable_policy(`httpd_read_user_content',`
 ')
 
 tunable_policy(`httpd_use_cifs',`
@ -7339,7 +7349,7 @@ index 6649962..fc23c8a 100644
 
 ########################################
 #
-@@ -1321,8 +1594,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
+@@ -1321,8 +1604,15 @@ miscfiles_read_localization(httpd_rotatelogs_t)
 #
 
 optional_policy(`
@ -7356,7 +7366,7 @@ index 6649962..fc23c8a 100644
 ')
 
 ########################################
-@@ -1330,49 +1610,38 @@ optional_policy(`
+@@ -1330,49 +1620,38 @@ optional_policy(`
 # User content local policy
 #
 
@ -7421,7 +7431,7 @@ index 6649962..fc23c8a 100644
 kernel_read_system_state(httpd_passwd_t)
 
 corecmd_exec_bin(httpd_passwd_t)
-@@ -1382,38 +1651,109 @@ dev_read_urand(httpd_passwd_t)
+@@ -1382,38 +1661,109 @@ dev_read_urand(httpd_passwd_t)
 
 domain_use_interactive_fds(httpd_passwd_t)
 
@ -36113,7 +36123,7 @@ index eb87f23..d3d32c3 100644
 
 	init_labeled_script_domtrans($1, innd_initrc_exec_t)
 diff --git a/inn.te b/inn.te
-index d39f0cc..889dfd5 100644
+index d39f0cc..d141652 100644
 --- a/inn.te
 +++ b/inn.te
@@ -15,6 +15,9 @@ files_config_file(innd_etc_t)
@ -36144,7 +36154,7 @@ index d39f0cc..889dfd5 100644
 -setattr_files_pattern(innd_t, innd_log_t, innd_log_t)
 +manage_files_pattern(innd_t, innd_log_t, innd_log_t)
 +manage_dirs_pattern(innd_t, innd_log_t, innd_log_t)
-+logging_log_filetrans(innd_t, innd_var_run_t, { dir file })
+logging_log_filetrans(innd_t, innd_log_t, { dir file })
 
 manage_dirs_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
 manage_files_pattern(innd_t, innd_var_lib_t, innd_var_lib_t)
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -19,7 +19,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.13.1
-Release: 136%{?dist}
+Release: 137%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -602,6 +602,10 @@ SELinux Reference policy mls base module.
 %endif

 %changelog
+* Wed Jul 15 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-137
+- inn daemon should create innd_log_t objects in var_log_t instead of innd_var_run_t
+- Fix rule definitions for httpd_can_sendmail boolean. We need to distinguish between base and contrib.
+
 * Tue Jul 14 2015 Lukas Vrabec <lvrabec@redhat.com> 3.13.1-136
 - Add samba_unconfined_script_exec_t to samba_admin header.
 - Add jabberd_lock_t label to jabberd_admin header.