- Allow postgresl to bind to udp nodes
parent
2a650ea1aa
commit
0d6e623017
|
@ -4424,8 +4424,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/nsplugin.te serefpolicy-3.5.13/policy/modules/apps/nsplugin.te
|
||||||
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/apps/nsplugin.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-10-30 16:17:36.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/apps/nsplugin.te 2008-11-06 12:46:21.000000000 -0500
|
||||||
@@ -0,0 +1,267 @@
|
@@ -0,0 +1,272 @@
|
||||||
+
|
+
|
||||||
+policy_module(nsplugin, 1.0.0)
|
+policy_module(nsplugin, 1.0.0)
|
||||||
+
|
+
|
||||||
|
@ -4510,6 +4510,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+corenet_tcp_connect_http_cache_port(nsplugin_t)
|
+corenet_tcp_connect_http_cache_port(nsplugin_t)
|
||||||
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
|
+corenet_tcp_sendrecv_generic_if(nsplugin_t)
|
||||||
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
|
+corenet_tcp_sendrecv_all_nodes(nsplugin_t)
|
||||||
|
+corenet_tcp_connect_ipp_port(nsplugin_t)
|
||||||
+
|
+
|
||||||
+domain_dontaudit_read_all_domains_state(nsplugin_t)
|
+domain_dontaudit_read_all_domains_state(nsplugin_t)
|
||||||
+
|
+
|
||||||
|
@ -4570,6 +4571,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
|
+ cups_stream_connect(nsplugin_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
+optional_policy(`
|
||||||
+ dbus_system_bus_client_template(nsplugin, nsplugin_t)
|
+ dbus_system_bus_client_template(nsplugin, nsplugin_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -10841,8 +10846,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.13/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/apache.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-10-29 08:27:18.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/apache.te 2008-11-06 08:30:48.000000000 -0500
|
||||||
@@ -20,6 +20,8 @@
|
@@ -20,6 +19,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -10851,7 +10856,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
## Allow Apache to modify public files
|
## Allow Apache to modify public files
|
||||||
@@ -31,10 +33,17 @@
|
@@ -31,10 +32,17 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
|
@ -10871,7 +10876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
@@ -45,7 +54,14 @@
|
@@ -45,7 +53,14 @@
|
||||||
|
|
||||||
## <desc>
|
## <desc>
|
||||||
## <p>
|
## <p>
|
||||||
|
@ -10887,7 +10892,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
## </p>
|
## </p>
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_can_network_connect, false)
|
gen_tunable(httpd_can_network_connect, false)
|
||||||
@@ -109,14 +125,35 @@
|
@@ -109,14 +124,35 @@
|
||||||
## </desc>
|
## </desc>
|
||||||
gen_tunable(httpd_unified, false)
|
gen_tunable(httpd_unified, false)
|
||||||
|
|
||||||
|
@ -10925,7 +10930,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
# user script domains
|
# user script domains
|
||||||
attribute httpd_script_domains;
|
attribute httpd_script_domains;
|
||||||
@@ -141,6 +178,9 @@
|
@@ -141,6 +177,9 @@
|
||||||
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
|
domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
|
||||||
role system_r types httpd_helper_t;
|
role system_r types httpd_helper_t;
|
||||||
|
|
||||||
|
@ -10935,7 +10940,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
type httpd_lock_t;
|
type httpd_lock_t;
|
||||||
files_lock_file(httpd_lock_t)
|
files_lock_file(httpd_lock_t)
|
||||||
|
|
||||||
@@ -181,6 +221,10 @@
|
@@ -181,6 +220,10 @@
|
||||||
# setup the system domain for system CGI scripts
|
# setup the system domain for system CGI scripts
|
||||||
apache_content_template(sys)
|
apache_content_template(sys)
|
||||||
|
|
||||||
|
@ -10946,7 +10951,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
type httpd_tmp_t;
|
type httpd_tmp_t;
|
||||||
files_tmp_file(httpd_tmp_t)
|
files_tmp_file(httpd_tmp_t)
|
||||||
|
|
||||||
@@ -202,12 +246,16 @@
|
@@ -202,12 +245,16 @@
|
||||||
prelink_object_file(httpd_modules_t)
|
prelink_object_file(httpd_modules_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -10964,7 +10969,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow httpd_t self:fd use;
|
allow httpd_t self:fd use;
|
||||||
@@ -249,6 +297,7 @@
|
@@ -249,6 +296,7 @@
|
||||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||||
|
@ -10972,7 +10977,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
apache_domtrans_rotatelogs(httpd_t)
|
apache_domtrans_rotatelogs(httpd_t)
|
||||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||||
@@ -260,9 +309,9 @@
|
@@ -260,9 +308,9 @@
|
||||||
|
|
||||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||||
|
|
||||||
|
@ -10985,7 +10990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||||
@@ -278,6 +327,7 @@
|
@@ -278,6 +326,7 @@
|
||||||
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
||||||
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
|
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
|
||||||
|
|
||||||
|
@ -10993,7 +10998,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||||
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||||
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
|
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
|
||||||
@@ -289,6 +339,7 @@
|
@@ -289,6 +338,7 @@
|
||||||
kernel_read_kernel_sysctls(httpd_t)
|
kernel_read_kernel_sysctls(httpd_t)
|
||||||
# for modules that want to access /proc/meminfo
|
# for modules that want to access /proc/meminfo
|
||||||
kernel_read_system_state(httpd_t)
|
kernel_read_system_state(httpd_t)
|
||||||
|
@ -11001,7 +11006,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||||
corenet_all_recvfrom_netlabel(httpd_t)
|
corenet_all_recvfrom_netlabel(httpd_t)
|
||||||
@@ -299,6 +350,7 @@
|
@@ -299,6 +349,7 @@
|
||||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||||
corenet_tcp_bind_all_nodes(httpd_t)
|
corenet_tcp_bind_all_nodes(httpd_t)
|
||||||
|
@ -11009,7 +11014,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
corenet_tcp_bind_http_port(httpd_t)
|
corenet_tcp_bind_http_port(httpd_t)
|
||||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||||
corenet_sendrecv_http_server_packets(httpd_t)
|
corenet_sendrecv_http_server_packets(httpd_t)
|
||||||
@@ -312,12 +364,11 @@
|
@@ -312,12 +363,11 @@
|
||||||
|
|
||||||
fs_getattr_all_fs(httpd_t)
|
fs_getattr_all_fs(httpd_t)
|
||||||
fs_search_auto_mountpoints(httpd_t)
|
fs_search_auto_mountpoints(httpd_t)
|
||||||
|
@ -11024,7 +11029,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
domain_use_interactive_fds(httpd_t)
|
domain_use_interactive_fds(httpd_t)
|
||||||
|
|
||||||
@@ -335,6 +386,10 @@
|
@@ -335,6 +385,10 @@
|
||||||
files_read_var_lib_symlinks(httpd_t)
|
files_read_var_lib_symlinks(httpd_t)
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||||
|
@ -11035,7 +11040,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
libs_use_ld_so(httpd_t)
|
libs_use_ld_so(httpd_t)
|
||||||
libs_use_shared_libs(httpd_t)
|
libs_use_shared_libs(httpd_t)
|
||||||
@@ -351,18 +406,33 @@
|
@@ -351,18 +405,33 @@
|
||||||
|
|
||||||
userdom_use_unpriv_users_fds(httpd_t)
|
userdom_use_unpriv_users_fds(httpd_t)
|
||||||
|
|
||||||
|
@ -11056,8 +11061,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(allow_httpd_mod_auth_pam, false)
|
+gen_tunable(allow_httpd_mod_auth_pam, false)
|
||||||
+
|
+
|
||||||
tunable_policy(`allow_httpd_mod_auth_pam',`
|
+tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||||
- auth_domtrans_chk_passwd(httpd_t)
|
|
||||||
+ auth_domtrans_chkpwd(httpd_t)
|
+ auth_domtrans_chkpwd(httpd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
|
@ -11068,12 +11072,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
|
+gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+tunable_policy(`allow_httpd_mod_auth_pam',`
|
tunable_policy(`allow_httpd_mod_auth_pam',`
|
||||||
|
- auth_domtrans_chk_passwd(httpd_t)
|
||||||
+ samba_domtrans_winbind_helper(httpd_t)
|
+ samba_domtrans_winbind_helper(httpd_t)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -370,20 +440,54 @@
|
@@ -370,20 +439,54 @@
|
||||||
corenet_tcp_connect_all_ports(httpd_t)
|
corenet_tcp_connect_all_ports(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -11129,35 +11134,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||||
@@ -394,11 +498,12 @@
|
@@ -394,20 +497,26 @@
|
||||||
corenet_tcp_bind_ftp_port(httpd_t)
|
corenet_tcp_bind_ftp_port(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
-tunable_policy(`httpd_enable_homedirs',`
|
-tunable_policy(`httpd_enable_homedirs',`
|
||||||
- userdom_read_unpriv_users_home_content_files(httpd_t)
|
- userdom_read_unpriv_users_home_content_files(httpd_t)
|
||||||
+tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
-')
|
||||||
+ fs_read_nfs_files(httpd_t)
|
-
|
||||||
+ fs_read_nfs_symlinks(httpd_t)
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
')
|
|
||||||
|
|
||||||
-tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
|
||||||
+tunable_policy(`httpd_use_nfs',`
|
|
||||||
fs_read_nfs_files(httpd_t)
|
fs_read_nfs_files(httpd_t)
|
||||||
fs_read_nfs_symlinks(httpd_t)
|
fs_read_nfs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -408,6 +513,11 @@
|
|
||||||
|
+tunable_policy(`httpd_use_nfs',`
|
||||||
|
+ fs_manage_nfs_files(httpd_t)
|
||||||
|
+ fs_manage_nfs_symlinks(httpd_t)
|
||||||
|
+')
|
||||||
|
+
|
||||||
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
|
fs_read_cifs_files(httpd_t)
|
||||||
fs_read_cifs_symlinks(httpd_t)
|
fs_read_cifs_symlinks(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
+tunable_policy(`httpd_use_cifs',`
|
+tunable_policy(`httpd_use_cifs',`
|
||||||
+ fs_read_cifs_files(httpd_t)
|
+ fs_manage_cifs_files(httpd_t)
|
||||||
+ fs_read_cifs_symlinks(httpd_t)
|
+ fs_manage_cifs_symlinks(httpd_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
tunable_policy(`httpd_ssi_exec',`
|
tunable_policy(`httpd_ssi_exec',`
|
||||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||||
allow httpd_sys_script_t httpd_t:fd use;
|
allow httpd_sys_script_t httpd_t:fd use;
|
||||||
@@ -441,8 +551,13 @@
|
@@ -441,8 +550,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -11173,7 +11181,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -454,18 +569,13 @@
|
@@ -454,18 +568,13 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -11193,7 +11201,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
@@ -475,6 +585,12 @@
|
@@ -475,6 +584,12 @@
|
||||||
openca_kill(httpd_t)
|
openca_kill(httpd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -11206,7 +11214,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# Allow httpd to work with postgresql
|
# Allow httpd to work with postgresql
|
||||||
postgresql_stream_connect(httpd_t)
|
postgresql_stream_connect(httpd_t)
|
||||||
@@ -482,6 +598,7 @@
|
@@ -482,6 +597,7 @@
|
||||||
|
|
||||||
tunable_policy(`httpd_can_network_connect_db',`
|
tunable_policy(`httpd_can_network_connect_db',`
|
||||||
postgresql_tcp_connect(httpd_t)
|
postgresql_tcp_connect(httpd_t)
|
||||||
|
@ -11214,7 +11222,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
@@ -490,6 +607,7 @@
|
@@ -490,6 +606,7 @@
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
|
@ -11222,7 +11230,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -519,9 +637,28 @@
|
@@ -519,9 +636,28 @@
|
||||||
logging_send_syslog_msg(httpd_helper_t)
|
logging_send_syslog_msg(httpd_helper_t)
|
||||||
|
|
||||||
tunable_policy(`httpd_tty_comm',`
|
tunable_policy(`httpd_tty_comm',`
|
||||||
|
@ -11251,7 +11259,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
@@ -551,22 +688,27 @@
|
@@ -551,22 +687,27 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_php_t)
|
fs_search_auto_mountpoints(httpd_php_t)
|
||||||
|
|
||||||
|
@ -11285,7 +11293,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -584,12 +726,14 @@
|
@@ -584,12 +725,14 @@
|
||||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
|
@ -11301,7 +11309,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||||
kernel_list_proc(httpd_suexec_t)
|
kernel_list_proc(httpd_suexec_t)
|
||||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||||
@@ -598,9 +742,7 @@
|
@@ -598,9 +741,7 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||||
|
|
||||||
|
@ -11312,7 +11320,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
files_read_etc_files(httpd_suexec_t)
|
files_read_etc_files(httpd_suexec_t)
|
||||||
files_read_usr_files(httpd_suexec_t)
|
files_read_usr_files(httpd_suexec_t)
|
||||||
@@ -633,12 +775,25 @@
|
@@ -633,12 +774,25 @@
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -11341,20 +11349,20 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -647,6 +802,12 @@
|
@@ -647,6 +801,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
+tunable_policy(`httpd_use_cifs',`
|
+tunable_policy(`httpd_use_cifs',`
|
||||||
+ fs_read_cifs_files(httpd_suexec_t)
|
+ fs_manage_cifs_files(httpd_suexec_t)
|
||||||
+ fs_read_cifs_symlinks(httpd_suexec_t)
|
+ fs_manage_cifs_symlinks(httpd_suexec_t)
|
||||||
+ fs_exec_cifs_files(httpd_suexec_t)
|
+ fs_exec_cifs_files(httpd_suexec_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -664,20 +825,20 @@
|
@@ -664,20 +824,20 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -11380,7 +11388,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||||
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
read_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||||
@@ -691,12 +852,15 @@
|
@@ -691,12 +851,15 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
|
@ -11393,12 +11401,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
-tunable_policy(`httpd_enable_homedirs',`
|
-tunable_policy(`httpd_enable_homedirs',`
|
||||||
- userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
|
- userdom_read_unpriv_users_home_content_files(httpd_sys_script_t)
|
||||||
+tunable_policy(`httpd_use_nfs',`
|
+tunable_policy(`httpd_use_nfs',`
|
||||||
+ fs_read_nfs_files(httpd_sys_script_t)
|
+ fs_manage_nfs_files(httpd_sys_script_t)
|
||||||
+ fs_read_nfs_symlinks(httpd_sys_script_t)
|
+ fs_manage_nfs_symlinks(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||||
@@ -704,6 +868,30 @@
|
@@ -704,6 +867,30 @@
|
||||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -11422,14 +11430,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
+tunable_policy(`httpd_use_cifs',`
|
+tunable_policy(`httpd_use_cifs',`
|
||||||
+ fs_read_cifs_files(httpd_sys_script_t)
|
+ fs_manage_cifs_files(httpd_sys_script_t)
|
||||||
+ fs_read_cifs_symlinks(httpd_sys_script_t)
|
+ fs_manage_cifs_symlinks(httpd_sys_script_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -716,10 +904,10 @@
|
@@ -716,10 +903,10 @@
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
mysql_stream_connect(httpd_sys_script_t)
|
mysql_stream_connect(httpd_sys_script_t)
|
||||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||||
|
@ -11444,7 +11452,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -727,6 +915,8 @@
|
@@ -727,6 +914,8 @@
|
||||||
# httpd_rotatelogs local policy
|
# httpd_rotatelogs local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -11453,7 +11461,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||||
@@ -741,3 +931,66 @@
|
@@ -741,3 +930,66 @@
|
||||||
logging_search_logs(httpd_rotatelogs_t)
|
logging_search_logs(httpd_rotatelogs_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
|
@ -13635,7 +13643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
|
+/usr/lib/cups/backend/cups-pdf -- gen_context(system_u:object_r:cups_pdf_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.13/policy/modules/services/cups.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.if serefpolicy-3.5.13/policy/modules/services/cups.if
|
||||||
--- nsaserefpolicy/policy/modules/services/cups.if 2008-08-07 11:15:11.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/cups.if 2008-08-07 11:15:11.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/cups.if 2008-10-28 11:16:34.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/cups.if 2008-11-06 12:45:55.000000000 -0500
|
||||||
@@ -20,6 +20,30 @@
|
@@ -20,6 +20,30 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
@ -19786,7 +19794,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
+')
|
+')
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.13/policy/modules/services/postgresql.te
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgresql.te serefpolicy-3.5.13/policy/modules/services/postgresql.te
|
||||||
--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-10-16 17:21:16.000000000 -0400
|
--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-10-16 17:21:16.000000000 -0400
|
||||||
+++ serefpolicy-3.5.13/policy/modules/services/postgresql.te 2008-10-28 10:56:19.000000000 -0400
|
+++ serefpolicy-3.5.13/policy/modules/services/postgresql.te 2008-11-06 08:49:50.000000000 -0500
|
||||||
@@ -32,6 +32,9 @@
|
@@ -32,6 +32,9 @@
|
||||||
type postgresql_etc_t;
|
type postgresql_etc_t;
|
||||||
files_config_file(postgresql_etc_t)
|
files_config_file(postgresql_etc_t)
|
||||||
|
@ -19814,7 +19822,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
kernel_read_kernel_sysctls(postgresql_t)
|
kernel_read_kernel_sysctls(postgresql_t)
|
||||||
kernel_read_system_state(postgresql_t)
|
kernel_read_system_state(postgresql_t)
|
||||||
@@ -288,7 +292,7 @@
|
@@ -174,6 +178,7 @@
|
||||||
|
corenet_udp_sendrecv_all_nodes(postgresql_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(postgresql_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(postgresql_t)
|
||||||
|
+corenet_udp_bind_all_nodes(postgresql_t)
|
||||||
|
corenet_tcp_bind_all_nodes(postgresql_t)
|
||||||
|
corenet_tcp_bind_postgresql_port(postgresql_t)
|
||||||
|
corenet_tcp_connect_auth_port(postgresql_t)
|
||||||
|
@@ -288,7 +293,7 @@
|
||||||
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
|
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
|
||||||
|
|
||||||
allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
|
allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
|
||||||
|
@ -19823,7 +19839,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||||
|
|
||||||
allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
|
allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
|
||||||
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
|
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
|
||||||
@@ -329,7 +333,7 @@
|
@@ -329,7 +334,7 @@
|
||||||
|
|
||||||
# unconfined domain is not allowed to invoke user defined procedure directly.
|
# unconfined domain is not allowed to invoke user defined procedure directly.
|
||||||
# They have to confirm and relabel it at first.
|
# They have to confirm and relabel it at first.
|
||||||
|
|
|
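Review bot: In the apache.te hunk at `@ -11068,12 +11072,13 @@`, the block that follows `gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)` is still opened with ``tunable_policy(`allow_httpd_mod_auth_pam',` `` on the new side, so `samba_domtrans_winbind_helper(httpd_t)` is gated on the PAM boolean rather than on the winbind boolean declared two lines above it. As written, toggling allow_httpd_mod_auth_ntlm_winbind has no effect, while enabling allow_httpd_mod_auth_pam grants httpd_t both the chkpwd and the winbind-helper domain transitions, which is broader than either boolean's description implies. The commit only re-marks this line from an added line to context and leaves the condition as it was; it should read ``tunable_policy(`allow_httpd_mod_auth_ntlm_winbind',` ``. The same pattern in the preceding hunk at `@ -11056,8 +11061,7 @@` is correct, which suggests this one was a copy-and-paste slip.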
@ -20,7 +20,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.5.13
|
Version: 3.5.13
|
||||||
Release: 17%{?dist}
|
Release: 18%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -457,6 +457,9 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-18
|
||||||
|
- Allow postgresl to bind to udp nodes
|
||||||
|
|
||||||
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-17
|
* Wed Nov 5 2008 Dan Walsh <dwalsh@redhat.com> 3.5.13-17
|
||||||
- Allow lvm to dbus chat with hal
|
- Allow lvm to dbus chat with hal
|
||||||
- Allow rlogind to read nfs_t
|
- Allow rlogind to read nfs_t
|
||||||
|
|