- Fix label on /var/lib/dokwiki

- Change permissive domains to enforcing - Fix libvirt policy to allow it to run on mls
2010-05-27 16:14:50 +00:00 · 2010-05-27 16:14:50 +00:00 · 65c6e4c421
parent be973dc3e8
commit 65c6e4c421
2 changed files with 38 additions and 51 deletions
--- a/policy-F14.patch
+++ b/policy-F14.patch
@ -226,8 +226,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/accountsd.te serefpolicy-3.8.1/policy/modules/admin/accountsd.te
 --- nsaserefpolicy/policy/modules/admin/accountsd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.1/policy/modules/admin/accountsd.te	2010-05-26 16:28:29.000000000 -0400
-@@ -0,0 +1,56 @@
+++ serefpolicy-3.8.1/policy/modules/admin/accountsd.te	2010-05-27 12:01:15.000000000 -0400
+@@ -0,0 +1,55 @@
 +policy_module(accountsd,1.0.0)
 +
 +########################################
@ -239,8 +239,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
 +type accountsd_exec_t;
 +dbus_system_domain(accountsd_t, accountsd_exec_t)
 +
-+permissive accountsd_t;
-+
 +type accountsd_var_lib_t;
 +files_type(accountsd_var_lib_t)
 +
@ -271,6 +269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/account
 +logging_set_loginuid(accountsd_t)
 +
 +usermanage_domtrans_useradd(accountsd_t)
+usermanage_domtrans_passwd(accountsd_t)
 +
 +optional_policy(`
 +	consolekit_read_log(accountsd_t)
@ -1129,8 +1128,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdown.te serefpolicy-3.8.1/policy/modules/admin/shutdown.te
 --- nsaserefpolicy/policy/modules/admin/shutdown.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.1/policy/modules/admin/shutdown.te	2010-05-26 16:28:29.000000000 -0400
-@@ -0,0 +1,63 @@
+++ serefpolicy-3.8.1/policy/modules/admin/shutdown.te	2010-05-27 12:00:05.000000000 -0400
+@@ -0,0 +1,61 @@
 +policy_module(shutdown,1.0.0)
 +
 +########################################
@ -1149,8 +1148,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/shutdow
 +type shutdown_var_run_t;
 +files_pid_file(shutdown_var_run_t)
 +
-+permissive shutdown_t;
-+
 +########################################
 +#
 +# shutdown local policy
@ -1325,7 +1322,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/usermanage.if serefpolicy-3.8.1/policy/modules/admin/usermanage.if
 --- nsaserefpolicy/policy/modules/admin/usermanage.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.8.1/policy/modules/admin/usermanage.if	2010-05-26 16:28:29.000000000 -0400
+++ serefpolicy-3.8.1/policy/modules/admin/usermanage.if	2010-05-27 12:00:25.000000000 -0400
@@ -18,6 +18,10 @@
 	files_search_usr($1)
 	corecmd_search_bin($1)
@ -5994,8 +5991,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepathysofiasip.te serefpolicy-3.8.1/policy/modules/apps/telepathysofiasip.te
 --- nsaserefpolicy/policy/modules/apps/telepathysofiasip.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.1/policy/modules/apps/telepathysofiasip.te	2010-05-26 16:28:29.000000000 -0400
-@@ -0,0 +1,45 @@
+++ serefpolicy-3.8.1/policy/modules/apps/telepathysofiasip.te	2010-05-27 11:58:52.000000000 -0400
+@@ -0,0 +1,43 @@
 +
 +policy_module(telepathysofiasip,1.0.0)
 +
@ -6008,8 +6005,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/telepath
 +type telepathysofiasip_exec_t;
 +application_domain(telepathysofiasip_t, telepathysofiasip_exec_t)
 +
-+permissive telepathysofiasip_t;
-+
 +########################################
 +#
 +# telepathy-sofiasip local policy
@ -11330,8 +11325,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aiccu.te serefpolicy-3.8.1/policy/modules/services/aiccu.te
 --- nsaserefpolicy/policy/modules/services/aiccu.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.1/policy/modules/services/aiccu.te	2010-05-26 16:28:29.000000000 -0400
-@@ -0,0 +1,44 @@
+++ serefpolicy-3.8.1/policy/modules/services/aiccu.te	2010-05-27 11:58:06.000000000 -0400
+@@ -0,0 +1,42 @@
 +policy_module(aiccu,1.0.0)
 +
 +########################################
@ -11343,8 +11338,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aicc
 +type aiccu_exec_t;
 +init_daemon_domain(aiccu_t, aiccu_exec_t)
 +
-+permissive aiccu_t;
-+
 +type aiccu_initrc_exec_t;
 +init_script_file(aiccu_initrc_exec_t)
 +
@ -11388,7 +11381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/aise
 +userdom_rw_unpriv_user_shared_mem(aisexec_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.8.1/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2010-04-06 15:15:38.000000000 -0400
-+++ serefpolicy-3.8.1/policy/modules/services/apache.fc	2010-05-26 16:28:29.000000000 -0400
+++ serefpolicy-3.8.1/policy/modules/services/apache.fc	2010-05-27 12:12:06.000000000 -0400
@@ -24,7 +24,6 @@
 
 /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
@ -11409,7 +11402,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 
 /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
-+/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_rw_t,s0)
+/var/lib/dokuwiki(/.*)?			gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 /var/lib/drupal(/.*)?			gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/httpd(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@ -12633,8 +12626,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boinc.te serefpolicy-3.8.1/policy/modules/services/boinc.te
 --- nsaserefpolicy/policy/modules/services/boinc.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.1/policy/modules/services/boinc.te	2010-05-27 10:11:10.000000000 -0400
-@@ -0,0 +1,95 @@
+++ serefpolicy-3.8.1/policy/modules/services/boinc.te	2010-05-27 11:58:08.000000000 -0400
+@@ -0,0 +1,93 @@
 +
 +policy_module(boinc,1.0.0)
 +
@ -12647,8 +12640,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/boin
 +type boinc_exec_t;
 +init_daemon_domain(boinc_t, boinc_exec_t)
 +
-+permissive boinc_t;
-+
 +type boinc_initrc_exec_t;
 +init_script_file(boinc_initrc_exec_t)
 +
@ -17229,8 +17220,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/piranha.te serefpolicy-3.8.1/policy/modules/services/piranha.te
 --- nsaserefpolicy/policy/modules/services/piranha.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.1/policy/modules/services/piranha.te	2010-05-26 16:28:29.000000000 -0400
-@@ -0,0 +1,187 @@
+++ serefpolicy-3.8.1/policy/modules/services/piranha.te	2010-05-27 11:58:27.000000000 -0400
+@@ -0,0 +1,182 @@
 +
 +policy_module(piranha,1.0.0)
 +
@ -17259,11 +17250,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/pira
 +
 +piranha_domain_template(web)
 +
-+permissive piranha_fos_t;
-+permissive piranha_lvs_t;
-+permissive piranha_pulse_t;
-+permissive piranha_web_t;
-+
 +type piranha_etc_rw_t;
 +files_type(piranha_etc_rw_t)
 +
@ -18684,8 +18670,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpidd.te serefpolicy-3.8.1/policy/modules/services/qpidd.te
 --- nsaserefpolicy/policy/modules/services/qpidd.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.8.1/policy/modules/services/qpidd.te	2010-05-26 16:28:29.000000000 -0400
-@@ -0,0 +1,61 @@
+++ serefpolicy-3.8.1/policy/modules/services/qpidd.te	2010-05-27 11:58:34.000000000 -0400
+@@ -0,0 +1,59 @@
 +policy_module(qpidd,1.0.0)
 +
 +########################################
@ -18697,8 +18683,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/qpid
 +type qpidd_exec_t;
 +init_daemon_domain(qpidd_t, qpidd_exec_t)
 +
-+permissive qpidd_t;
-+
 +type qpidd_initrc_exec_t;
 +init_script_file(qpidd_initrc_exec_t)
 +
@ -25250,7 +25234,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.te serefpolicy-3.8.1/policy/modules/system/mount.te
 --- nsaserefpolicy/policy/modules/system/mount.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.8.1/policy/modules/system/mount.te	2010-05-26 16:28:29.000000000 -0400
+++ serefpolicy-3.8.1/policy/modules/system/mount.te	2010-05-27 12:01:47.000000000 -0400
@@ -18,8 +18,15 @@
 init_system_domain(mount_t, mount_exec_t)
 role system_r types mount_t;
@ -25267,7 +25251,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
-@@ -29,6 +36,19 @@
+@@ -29,6 +36,17 @@
 # policy--duplicate type declaration
 type unconfined_mount_t;
 application_domain(unconfined_mount_t, mount_exec_t)
@ -25282,12 +25266,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 +type showmount_exec_t;
 +application_domain(showmount_t, showmount_exec_t)
 +role system_r types showmount_t;
-+
-+permissive showmount_t;
 
 ########################################
 #
-@@ -36,7 +56,11 @@
+@@ -36,7 +54,11 @@
 #
 
 # setuid/setgid needed to mount cifs 
@ -25300,7 +25282,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 
 allow mount_t mount_loopback_t:file read_file_perms;
 
-@@ -47,30 +71,50 @@
+@@ -47,30 +69,50 @@
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
@ -25353,7 +25335,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
 # for when /etc/mtab loses its type
-@@ -80,15 +124,18 @@
+@@ -80,15 +122,18 @@
 files_read_usr_files(mount_t)
 files_list_mnt(mount_t)
 
@ -25375,7 +25357,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 
 mls_file_read_all_levels(mount_t)
 mls_file_write_all_levels(mount_t)
-@@ -99,6 +146,7 @@
+@@ -99,6 +144,7 @@
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
@ -25383,7 +25365,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 
 term_use_all_terms(mount_t)
 
-@@ -107,6 +155,8 @@
+@@ -107,6 +153,8 @@
 init_use_fds(mount_t)
 init_use_script_ptys(mount_t)
 init_dontaudit_getattr_initctl(mount_t)
@ -25392,7 +25374,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 
 logging_send_syslog_msg(mount_t)
 
-@@ -117,6 +167,12 @@
+@@ -117,6 +165,12 @@
 seutil_read_config(mount_t)
 
 userdom_use_all_users_fds(mount_t)
@ -25405,7 +25387,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 
 ifdef(`distro_redhat',`
 	optional_policy(`
-@@ -132,10 +188,17 @@
+@@ -132,10 +186,17 @@
 	')
 ')
 
@ -25423,7 +25405,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 
 optional_policy(`
-@@ -165,6 +228,8 @@
+@@ -165,6 +226,8 @@
 	fs_search_rpc(mount_t)
 
 	rpc_stub(mount_t)
@ -25432,7 +25414,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 
 optional_policy(`
-@@ -172,6 +237,25 @@
+@@ -172,6 +235,25 @@
 ')
 
 optional_policy(`
@ -25458,7 +25440,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 	ifdef(`hide_broken_symptoms',`
 		# for a bug in the X server
 		rhgb_dontaudit_rw_stream_sockets(mount_t)
-@@ -179,6 +263,11 @@
+@@ -179,6 +261,11 @@
 	')
 ')
 
@ -25470,7 +25452,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)
-@@ -186,6 +275,19 @@
+@@ -186,6 +273,19 @@
 
 optional_policy(`
 	samba_domtrans_smbmount(mount_t)
@ -25490,7 +25472,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/mount.
 ')
 
 ########################################
-@@ -194,6 +296,42 @@
+@@ -194,6 +294,42 @@
 #
 
 optional_policy(`
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.8.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -469,6 +469,11 @@ exit 0
 %endif

 %changelog
+* Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-2
+- Fix label on /var/lib/dokwiki
+- Change permissive domains to enforcing
+- Fix libvirt policy to allow it to run on mls
+
 * Tue May 25 2010 Dan Walsh <dwalsh@redhat.com> 3.8.1-1
 - Update to upstream