- Fixes for logrotate, alsa
parent
bb6af9637f
commit
8f2532e249
@ -10389,7 +10389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
+')
|
||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.1/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2008-07-10 11:38:46.000000000 -0400
|
||||
+++ serefpolicy-3.5.1/policy/modules/services/apache.te 2008-07-25 07:41:00.000000000 -0400
|
||||
+++ serefpolicy-3.5.1/policy/modules/services/apache.te 2008-07-25 07:51:49.000000000 -0400
|
||||
@@ -20,6 +20,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -10399,20 +10399,27 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow Apache to modify public files
|
||||
@@ -31,10 +33,10 @@
|
||||
@@ -31,10 +33,17 @@
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
-## Allow Apache to use mod_auth_pam
|
||||
+## Allow Apache to communicate with avahi service via dbus
|
||||
+## Allow httpd scripts and modules execmem/execstack
|
||||
## </p>
|
||||
## </desc>
|
||||
-gen_tunable(allow_httpd_mod_auth_pam,false)
|
||||
+gen_tunable(httpd_execmem,false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow Apache to communicate with avahi service via dbus
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(allow_httpd_dbus_avahi,false)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
@@ -45,7 +47,14 @@
|
||||
@@ -45,7 +54,14 @@
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
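Review bot: The new `httpd_execmem` boolean's description, `+## Allow httpd scripts and modules execmem/execstack`, names the permissions but not what enabling them costs, and this tunable switches off a deliberate hardening default: the context line further down, `allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };`, withholds exactly these from httpd_t. The `<desc>` is what setsebool/semanage users read, so it should state the trade-off, e.g. `## Allow httpd and its script/module domains execmem/execstack. This removes W^X memory protection for the web server; enable only for JIT or legacy modules that require it.` The `tunable_policy` block that actually consumes `httpd_execmem` is not in this view, so whether it also grants the permissions to the script domains (as the wording implies) should be confirmed there. The old side of this hunk had the avahi text sitting under `httpd_execmem`; the new side correctly gives avahi its own `allow_httpd_dbus_avahi` tunable, so that part reads fine.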
@ -10428,7 +10435,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(httpd_can_network_connect,false)
|
||||
@@ -109,14 +118,33 @@
|
||||
@@ -109,14 +125,33 @@
|
||||
## </desc>
|
||||
gen_tunable(httpd_unified,false)
|
||||
|
||||
@ -10464,7 +10471,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
# user script domains
|
||||
attribute httpd_script_domains;
|
||||
@@ -147,6 +175,9 @@
|
||||
@@ -147,6 +182,9 @@
|
||||
type httpd_log_t;
|
||||
logging_log_file(httpd_log_t)
|
||||
|
||||
@ -10474,7 +10481,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
# httpd_modules_t is the type given to module files (libraries)
|
||||
# that come with Apache /etc/httpd/modules and /usr/lib/apache
|
||||
type httpd_modules_t;
|
||||
@@ -180,6 +211,9 @@
|
||||
@@ -180,6 +218,9 @@
|
||||
|
||||
# setup the system domain for system CGI scripts
|
||||
apache_content_template(sys)
|
||||
@ -10484,7 +10491,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
@@ -202,12 +236,16 @@
|
||||
@@ -202,12 +243,16 @@
|
||||
prelink_object_file(httpd_modules_t)
|
||||
')
|
||||
|
||||
@ -10502,7 +10509,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
@@ -249,6 +287,7 @@
|
||||
@@ -249,6 +294,7 @@
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
mmap_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
|
||||
read_files_pattern(httpd_t,httpd_modules_t,httpd_modules_t)
|
||||
@ -10510,7 +10517,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
apache_domtrans_rotatelogs(httpd_t)
|
||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||
@@ -289,6 +328,7 @@
|
||||
@@ -289,6 +335,7 @@
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
@ -10518,7 +10525,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_t)
|
||||
@@ -312,12 +352,11 @@
|
||||
@@ -312,12 +359,11 @@
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
@ -10533,7 +10540,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -335,6 +374,10 @@
|
||||
@@ -335,6 +381,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -10544,7 +10551,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
libs_use_ld_so(httpd_t)
|
||||
libs_use_shared_libs(httpd_t)
|
||||
@@ -351,25 +394,50 @@
|
||||
@@ -351,25 +401,50 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
@ -10599,7 +10606,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_can_network_relay',`
|
||||
# allow httpd to work as a relay
|
||||
corenet_tcp_connect_gopher_port(httpd_t)
|
||||
@@ -382,23 +450,34 @@
|
||||
@@ -382,23 +457,34 @@
|
||||
corenet_sendrecv_http_cache_client_packets(httpd_t)
|
||||
')
|
||||
|
||||
@ -10642,7 +10649,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
fs_read_nfs_files(httpd_t)
|
||||
fs_read_nfs_symlinks(httpd_t)
|
||||
')
|
||||
@@ -408,6 +487,11 @@
|
||||
@@ -408,6 +494,11 @@
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
')
|
||||
|
||||
@ -10654,7 +10661,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t,httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -441,8 +525,13 @@
|
||||
@@ -441,8 +532,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10670,7 +10677,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -454,19 +543,13 @@
|
||||
@@ -454,19 +550,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10691,7 +10698,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -476,6 +559,12 @@
|
||||
@@ -476,6 +566,12 @@
|
||||
openca_kill(httpd_t)
|
||||
')
|
||||
|
||||
@ -10704,7 +10711,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
@@ -483,6 +572,7 @@
|
||||
@@ -483,6 +579,7 @@
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
@ -10712,7 +10719,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
')
|
||||
|
||||
@@ -491,6 +581,7 @@
|
||||
@@ -491,6 +588,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -10720,7 +10727,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -520,9 +611,28 @@
|
||||
@@ -520,9 +618,28 @@
|
||||
logging_send_syslog_msg(httpd_helper_t)
|
||||
|
||||
tunable_policy(`httpd_tty_comm',`
|
||||
@ -10749,7 +10756,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -552,22 +662,27 @@
|
||||
@@ -552,22 +669,27 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -10783,7 +10790,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -591,6 +706,8 @@
|
||||
@@ -591,6 +713,8 @@
|
||||
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
@ -10792,7 +10799,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||
kernel_list_proc(httpd_suexec_t)
|
||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||
@@ -599,9 +716,7 @@
|
||||
@@ -599,9 +723,7 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||
|
||||
@ -10803,7 +10810,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -634,12 +749,21 @@
|
||||
@@ -634,12 +756,21 @@
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -10828,7 +10835,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -648,6 +772,12 @@
|
||||
@@ -648,6 +779,12 @@
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -10841,7 +10848,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_suexec_t)
|
||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||
@@ -665,10 +795,6 @@
|
||||
@@ -665,10 +802,6 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -10852,7 +10859,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -678,7 +804,8 @@
|
||||
@@ -678,7 +811,8 @@
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
|
||||
@ -10862,7 +10869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
|
||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
||||
@@ -692,19 +819,44 @@
|
||||
@@ -692,19 +826,44 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -10910,7 +10917,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -717,10 +869,10 @@
|
||||
@@ -717,10 +876,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -10925,7 +10932,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -728,6 +880,8 @@
|
||||
@@ -728,6 +887,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -10934,7 +10941,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||
manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -742,3 +896,48 @@
|
||||
@@ -742,3 +903,48 @@
|
||||
logging_search_logs(httpd_rotatelogs_t)
|
||||
|
||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||
|
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.5.1
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -375,6 +375,9 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jul 25 2008 Dan Walsh <dwalsh@redhat.com> 3.5.1-3
|
||||
- Fixes for logrotate, alsa
|
||||
|
||||
* Thu Jul 25 2008 Dan Walsh <dwalsh@redhat.com> 3.5.1-2
|
||||
- Eliminate vbetool duplicate entry
|
||||
|
||||
|