- fix squid

- Fix rpm running as uid
2007-07-02 01:49:51 +00:00 · 2007-07-02 01:49:51 +00:00 · 1b77809f5e
parent b786a2b04a
commit 1b77809f5e
1 changed files with 106 additions and 24 deletions
--- a/policy-20070525.patch
+++ b/policy-20070525.patch
@ -1792,7 +1792,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.f
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/vmware.te serefpolicy-3.0.1/policy/modules/apps/vmware.te
 --- nsaserefpolicy/policy/modules/apps/vmware.te	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/apps/vmware.te	2007-06-21 13:41:35.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/apps/vmware.te	2007-07-01 21:06:08.000000000 -0400
+@@ -29,7 +29,7 @@
+ 
+ allow vmware_host_t self:capability { setuid net_raw };
+ dontaudit vmware_host_t self:capability sys_tty_config;
+-allow vmware_host_t self:process signal_perms;
+allow vmware_host_t self:process { execstack execmem signal_perms };
+ allow vmware_host_t self:fifo_file rw_fifo_file_perms;
+ allow vmware_host_t self:unix_stream_socket create_stream_socket_perms;
+ allow vmware_host_t self:rawip_socket create_socket_perms;
@@ -55,6 +55,8 @@
 corenet_tcp_sendrecv_all_ports(vmware_host_t)
 corenet_udp_sendrecv_all_ports(vmware_host_t)
@ -2350,7 +2359,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.0.1/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2007-05-29 14:10:48.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if	2007-06-27 10:04:58.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/kernel/filesystem.if	2007-07-01 21:12:31.000000000 -0400
@@ -1096,6 +1096,24 @@
 
 ########################################
@ -3602,7 +3611,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/audi
 fs_getattr_all_fs(entropyd_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/automount.te serefpolicy-3.0.1/policy/modules/services/automount.te
 --- nsaserefpolicy/policy/modules/services/automount.te	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/automount.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/automount.te	2007-07-01 21:23:33.000000000 -0400
@@ -69,6 +69,7 @@
 files_mounton_all_mountpoints(automount_t)
 files_mount_all_file_type_fs(automount_t)
@ -3619,6 +3628,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/auto
 dev_read_urand(automount_t)
 
 domain_use_interactive_fds(automount_t)
+@@ -146,10 +148,6 @@
+ userdom_dontaudit_search_sysadm_home_dirs(automount_t)
+ 
+ optional_policy(`
+-	corecmd_exec_bin(automount_t)
+-')
+-
+-optional_policy(`
+ 	bind_search_cache(automount_t)
+ ')
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/avahi.te serefpolicy-3.0.1/policy/modules/services/avahi.te
 --- nsaserefpolicy/policy/modules/services/avahi.te	2007-06-15 14:54:33.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/services/avahi.te	2007-06-27 10:05:15.000000000 -0400
@ -4214,7 +4234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups.te serefpolicy-3.0.1/policy/modules/services/cups.te
 --- nsaserefpolicy/policy/modules/services/cups.te	2007-06-15 14:54:33.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/cups.te	2007-06-21 05:59:32.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/cups.te	2007-07-01 21:17:10.000000000 -0400
@@ -81,12 +81,11 @@
 # /usr/lib/cups/backend/serial needs sys_admin(?!)
 allow cupsd_t self:capability { sys_admin dac_override dac_read_search kill setgid setuid fsetid net_bind_service fowner chown dac_override sys_resource sys_tty_config };
@ -4229,7 +4249,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 allow cupsd_t self:tcp_socket create_stream_socket_perms;
 allow cupsd_t self:udp_socket create_socket_perms;
 allow cupsd_t self:appletalk_socket create_socket_perms;
-@@ -149,9 +148,11 @@
+@@ -149,14 +148,16 @@
 corenet_tcp_bind_reserved_port(cupsd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(cupsd_t)
 corenet_tcp_connect_all_ports(cupsd_t)
@ -4241,6 +4261,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 
 dev_rw_printer(cupsd_t)
 dev_read_urand(cupsd_t)
+ dev_read_sysfs(cupsd_t)
+-dev_read_usbfs(cupsd_t)
+dev_rw_usbfs(cupsd_t)
+ dev_getattr_printer_dev(cupsd_t)
+ 
+ domain_read_all_domains_state(cupsd_t)
@@ -175,6 +176,7 @@
 term_search_ptys(cupsd_t)
 
@ -4333,9 +4359,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cups
 	cron_system_entry(cupsd_config_t, cupsd_config_exec_t)
 ')
 
+@@ -558,7 +591,7 @@
+ dev_read_urand(hplip_t)
+ dev_read_rand(hplip_t)
+ dev_rw_generic_usb_dev(hplip_t)
+-dev_read_usbfs(hplip_t)
+dev_rw_usbfs(hplip_t)
+ 
+ fs_getattr_all_fs(hplip_t)
+ fs_search_auto_mountpoints(hplip_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.te serefpolicy-3.0.1/policy/modules/services/cvs.te
 --- nsaserefpolicy/policy/modules/services/cvs.te	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/cvs.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/cvs.te	2007-07-01 21:36:29.000000000 -0400
@@ -16,6 +16,7 @@
 type cvs_t;
 type cvs_exec_t;
@ -4352,6 +4387,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cvs.
 
 corecmd_exec_bin(cvs_t)
 corecmd_exec_shell(cvs_t)
+@@ -80,6 +82,7 @@
+ libs_use_shared_libs(cvs_t)
+ 
+ logging_send_syslog_msg(cvs_t)
+logging_send_audit_msg(cvs_t)
+ 
+ miscfiles_read_localization(cvs_t)
+ 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/dbus.if serefpolicy-3.0.1/policy/modules/services/dbus.if
 --- nsaserefpolicy/policy/modules/services/dbus.if	2007-06-15 14:54:33.000000000 -0400
 +++ serefpolicy-3.0.1/policy/modules/services/dbus.if	2007-06-19 17:06:27.000000000 -0400
@ -5438,7 +5481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 	corenet_tcp_connect_portmap_port($1)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.te serefpolicy-3.0.1/policy/modules/services/nis.te
 --- nsaserefpolicy/policy/modules/services/nis.te	2007-05-29 14:10:57.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/nis.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/services/nis.te	2007-06-28 07:25:31.000000000 -0400
@@ -112,6 +112,14 @@
 userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
 userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
@ -5454,7 +5497,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 optional_policy(`
 	seutil_sigchld_newrole(ypbind_t)
 ')
-@@ -154,8 +162,8 @@
+@@ -125,6 +133,7 @@
+ # yppasswdd local policy
+ #
+ 
+allow yppasswdd_t self:capability dac_override;
+ dontaudit yppasswdd_t self:capability sys_tty_config;
+ allow yppasswdd_t self:fifo_file rw_fifo_file_perms;
+ allow yppasswdd_t self:process { setfscreate signal_perms };
+@@ -154,8 +163,8 @@
 corenet_udp_sendrecv_all_ports(yppasswdd_t)
 corenet_tcp_bind_all_nodes(yppasswdd_t)
 corenet_udp_bind_all_nodes(yppasswdd_t)
@ -5465,7 +5516,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 corenet_dontaudit_tcp_bind_all_reserved_ports(yppasswdd_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(yppasswdd_t)
 corenet_sendrecv_generic_server_packets(yppasswdd_t)
-@@ -244,6 +252,8 @@
+@@ -244,6 +253,8 @@
 corenet_udp_bind_all_nodes(ypserv_t)
 corenet_tcp_bind_reserved_port(ypserv_t)
 corenet_udp_bind_reserved_port(ypserv_t)
@ -5474,7 +5525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nis.
 corenet_dontaudit_tcp_bind_all_reserved_ports(ypserv_t)
 corenet_dontaudit_udp_bind_all_reserved_ports(ypserv_t)
 corenet_sendrecv_generic_server_packets(ypserv_t)
-@@ -311,6 +321,8 @@
+@@ -311,6 +322,8 @@
 corenet_udp_bind_all_nodes(ypxfr_t)
 corenet_tcp_bind_reserved_port(ypxfr_t)
 corenet_udp_bind_reserved_port(ypxfr_t)
@ -6818,12 +6869,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +/usr/lib64/squid/cachemgr\.cgi	--	gen_context(system_u:object_r:httpd_squid_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.0.1/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/services/squid.te	2007-06-19 17:06:27.000000000 -0400
-@@ -179,3 +179,12 @@
- #squid requires the following when run in diskd mode, the recommended setting
- allow squid_t tmpfs_t:file { read write };
- ') dnl end TODO
-+
+++ serefpolicy-3.0.1/policy/modules/services/squid.te	2007-07-01 21:13:36.000000000 -0400
+@@ -108,6 +108,8 @@
+ 
+ fs_getattr_all_fs(squid_t)
+ fs_search_auto_mountpoints(squid_t)
+#squid requires the following when run in diskd mode, the recommended setting
+fs_rw_tmpfs_files(squid_t)
+ 
+ selinux_dontaudit_getattr_dir(squid_t)
+ 
+@@ -175,7 +177,11 @@
+ 	udev_read_db(squid_t)
+ ')
+ 
+-ifdef(`TODO',`
+-#squid requires the following when run in diskd mode, the recommended setting
+-allow squid_t tmpfs_t:file { read write };
+-') dnl end TODO
 +optional_policy(`
 +	apache_content_template(squid)
 +	corenet_tcp_connect_http_cache_port(httpd_squid_script_t)
@ -8920,7 +8983,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.0.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2007-06-11 16:05:30.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/mount.te	2007-06-19 17:06:27.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/mount.te	2007-07-01 20:53:16.000000000 -0400
@@ -8,6 +8,13 @@
 
 ## <desc>
@ -8971,7 +9034,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 
 allow mount_t mount_loopback_t:file read_file_perms;
 allow mount_t self:netlink_route_socket r_netlink_socket_perms;
-@@ -128,10 +138,15 @@
+@@ -52,6 +62,8 @@
+ kernel_read_system_state(mount_t)
+ kernel_read_kernel_sysctls(mount_t)
+ kernel_dontaudit_getattr_core_if(mount_t)
+kernel_search_debugfs(mount_t)
+kernel_read_unlabeled_state(mount_t)
+ 
+ dev_getattr_all_blk_files(mount_t)
+ dev_list_all_dev_nodes(mount_t)
+@@ -102,6 +114,8 @@
+ init_use_fds(mount_t)
+ init_use_script_ptys(mount_t)
+ init_dontaudit_getattr_initctl(mount_t)
+init_stream_connect_script(mount_t)
+init_rw_script_stream_sockets(mount_t)
+ 
+ libs_use_ld_so(mount_t)
+ libs_use_shared_libs(mount_t)
+@@ -128,10 +142,15 @@
 	')
 ')
 
@ -8988,7 +9069,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 
 optional_policy(`
-@@ -201,4 +216,53 @@
+@@ -201,4 +220,53 @@
 optional_policy(`
 	files_etc_filetrans_etc_runtime(unconfined_mount_t,file)
 	unconfined_domain(unconfined_mount_t)
@ -9362,7 +9443,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnet
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.te serefpolicy-3.0.1/policy/modules/system/udev.te
 --- nsaserefpolicy/policy/modules/system/udev.te	2007-05-30 11:47:29.000000000 -0400
-+++ serefpolicy-3.0.1/policy/modules/system/udev.te	2007-06-27 08:08:02.000000000 -0400
+++ serefpolicy-3.0.1/policy/modules/system/udev.te	2007-06-28 07:26:24.000000000 -0400
@@ -68,8 +68,9 @@
 allow udev_t udev_tbl_t:file manage_file_perms;
 dev_filetrans(udev_t,udev_tbl_t,file)
@ -9374,7 +9455,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 
 kernel_read_system_state(udev_t)
 kernel_getattr_core_if(udev_t)
-@@ -83,16 +84,22 @@
+@@ -83,16 +84,23 @@
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 
@ -9389,6 +9470,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 dev_rw_generic_files(udev_t)
 dev_delete_generic_files(udev_t)
 +dev_search_usbfs_dirs(udev_t)
+dev_relabel_all_dev_nodes(udev_t)
 
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these 
@ -9397,7 +9479,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
-@@ -142,9 +149,16 @@
+@@ -142,9 +150,16 @@
 seutil_read_file_contexts(udev_t)
 seutil_domtrans_setfiles(udev_t)
 
@ -9414,7 +9496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 userdom_dontaudit_search_all_users_home_content(udev_t)
 
 ifdef(`distro_gentoo',`
-@@ -178,6 +192,10 @@
+@@ -178,6 +193,10 @@
 ')
 
 optional_policy(`
@ -9425,7 +9507,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/udev.t
 	hal_dgram_send(udev_t)
 ')
 
-@@ -188,5 +206,24 @@
+@@ -188,5 +207,24 @@
 ')
 
 optional_policy(`