- Fix munin file context

2007-12-19 09:27:15 +00:00 · 2007-12-19 09:27:15 +00:00 · 2f257cb996
commit 2f257cb996
parent 194f6c15a0
2 changed files with 40 additions and 18 deletions
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -765,8 +765,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.2.4/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2007-12-12 11:35:28.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/admin/logrotate.te	2007-12-13 17:37:33.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/admin/logrotate.te	2007-12-18 16:55:23.000000000 -0500
-@@ -96,6 +96,7 @@
+@@ -96,9 +96,11 @@
 files_read_etc_files(logrotate_t)
 files_read_etc_runtime_files(logrotate_t)
 files_read_all_pids(logrotate_t)
@ -774,6 +774,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
 # Write to /var/spool/slrnpull - should be moved into its own type.
 files_manage_generic_spool(logrotate_t)
 files_manage_generic_spool_dirs(logrotate_t)
 +files_getattr_generic_locks(logrotate_t)
 # cjp: why is this needed?
 init_domtrans_script(logrotate_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.2.4/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2007-10-23 07:37:52.000000000 -0400
 +++ serefpolicy-3.2.4/policy/modules/admin/logwatch.te	2007-12-13 17:37:33.000000000 -0500
@ -3691,7 +3695,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.2.4/policy/modules/kernel/files.if
 --- nsaserefpolicy/policy/modules/kernel/files.if	2007-10-29 18:02:31.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/kernel/files.if	2007-12-13 17:37:34.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/kernel/files.if	2007-12-18 16:54:32.000000000 -0500
@@ -1266,6 +1266,24 @@
 ########################################
@ -5382,7 +5386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron.te serefpolicy-3.2.4/policy/modules/services/cron.te
 --- nsaserefpolicy/policy/modules/services/cron.te	2007-12-06 13:12:03.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/cron.te	2007-12-18 08:34:29.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/cron.te	2007-12-18 16:51:52.000000000 -0500
@@ -50,6 +50,7 @@
 type crond_tmp_t;
@ -5461,7 +5465,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 	optional_policy(`
 		# Debian logcheck has the home dir set to its cache
 		logwatch_search_cache_dir(crond_t)
-@@ -180,16 +187,39 @@
+@@ -180,21 +187,45 @@
 	')
 ')
@ -5501,7 +5505,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 	amavis_search_lib(crond_t)
 ')
-@@ -267,9 +297,16 @@
+ optional_policy(`
 -	hal_dbus_send(crond_t)
 +	hal_dbus_chat(crond_t)
 +	hal_dbus_chat(system_crond_t)
 ')
 optional_policy(`
@@ -267,9 +298,16 @@
 filetrans_pattern(system_crond_t,crond_tmp_t,system_crond_tmp_t,{ file lnk_file })
 files_tmp_filetrans(system_crond_t,system_crond_tmp_t,file)
@ -5519,7 +5530,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 kernel_read_kernel_sysctls(system_crond_t)
 kernel_read_system_state(system_crond_t)
-@@ -323,7 +360,7 @@
+@@ -323,7 +361,7 @@
 init_read_utmp(system_crond_t)
 init_dontaudit_rw_utmp(system_crond_t)
 # prelink tells init to restart it self, we either need to allow or dontaudit
@ -5528,7 +5539,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 auth_use_nsswitch(system_crond_t)
-@@ -333,6 +370,7 @@
+@@ -333,6 +371,7 @@
 libs_exec_ld_so(system_crond_t)
 logging_read_generic_logs(system_crond_t)
@ -5536,7 +5547,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 logging_send_syslog_msg(system_crond_t)
 miscfiles_read_localization(system_crond_t)
-@@ -383,6 +421,14 @@
+@@ -383,6 +422,14 @@
 ')
 optional_policy(`
@ -5551,7 +5562,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 	mrtg_append_create_logs(system_crond_t)
 ')
-@@ -415,8 +461,7 @@
+@@ -415,8 +462,7 @@
 ')
 optional_policy(`
@ -5561,7 +5572,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/cron
 ')
 optional_policy(`
-@@ -424,8 +469,13 @@
+@@ -424,8 +470,13 @@
 ')
 optional_policy(`
@ -7354,22 +7365,22 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.fc serefpolicy-3.2.4/policy/modules/services/munin.fc
 --- nsaserefpolicy/policy/modules/services/munin.fc	2007-04-30 10:41:38.000000000 -0400
-+++ serefpolicy-3.2.4/policy/modules/services/munin.fc	2007-12-18 14:51:15.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/munin.fc	2007-12-19 03:52:33.000000000 -0500
@@ -8,4 +8,5 @@
 /var/lib/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/log/munin.*		--	gen_context(system_u:object_r:munin_log_t,s0)
 /var/run/munin(/.*)?			gen_context(system_u:object_r:munin_var_run_t,s0)
 -/var/www/munin(/.*)?			gen_context(system_u:object_r:munin_var_lib_t,s0)
-+/var/www/html/munin(/.*)?		gen_context(system_u:object_r:http_munin_content_t,s0)
+/var/www/html/munin(/.*)?		gen_context(system_u:object_r:httpd_munin_content_t,s0)
-+/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:http_munin_script_exec_t,s0)
+/var/www/html/munin/cgi(/.*)?		gen_context(system_u:object_r:httpd_munin_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/munin.te serefpolicy-3.2.4/policy/modules/services/munin.te
 --- nsaserefpolicy/policy/modules/services/munin.te	2007-11-15 13:40:14.000000000 -0500
-+++ serefpolicy-3.2.4/policy/modules/services/munin.te	2007-12-18 14:50:13.000000000 -0500
+++ serefpolicy-3.2.4/policy/modules/services/munin.te	2007-12-19 04:07:12.000000000 -0500
@@ -37,6 +37,9 @@
 allow munin_t self:unix_dgram_socket { create_socket_perms sendto };
 allow munin_t self:tcp_socket create_stream_socket_perms;
 allow munin_t self:udp_socket create_socket_perms;
-+allow munin_t self:fifo_file create_fifo_file_perms;
+allow munin_t self:fifo_file manage_fifo_file_perms;
 +
 +can_exec(munin_t, munin_exec_t)
@ -7383,7 +7394,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/muni
 dev_read_sysfs(munin_t)
 dev_read_urand(munin_t)
-@@ -118,3 +122,9 @@
+@@ -91,6 +95,7 @@
 logging_send_syslog_msg(munin_t)
 +miscfiles_read_fonts(munin_t)
 miscfiles_read_localization(munin_t)
 sysnet_read_config(munin_t)
@@ -118,3 +123,9 @@
 optional_policy(`
 	udev_read_db(munin_t)
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -382,6 +382,9 @@ exit 0
 %endif
 %changelog
 * Wed Dec 19 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-5
 - Fix munin file context
 * Tue Dec 18 2007 Dan Walsh <dwalsh@redhat.com> 3.2.4-4
 - Allow cron to run unconfined apps