This commit is contained in:
parent
06686c20a2
commit
bb36d75512
|
@ -7892,7 +7892,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
|
||||||
#
|
#
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/kernel.if serefpolicy-3.3.1/policy/modules/kernel/kernel.if
|
||||||
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/kernel/kernel.if 2007-10-29 18:02:31.000000000 -0400
|
||||||
+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-10 13:50:44.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/kernel/kernel.if 2008-04-11 14:40:04.000000000 -0400
|
||||||
@@ -851,9 +851,8 @@
|
@@ -851,9 +851,8 @@
|
||||||
type proc_t, proc_afs_t;
|
type proc_t, proc_afs_t;
|
||||||
')
|
')
|
||||||
|
@ -8971,7 +8971,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
|
||||||
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
--- nsaserefpolicy/policy/modules/services/apache.te 2007-12-19 05:32:17.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-07 14:54:08.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/services/apache.te 2008-04-11 14:48:54.000000000 -0400
|
||||||
@@ -20,6 +20,8 @@
|
@@ -20,6 +20,8 @@
|
||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
@ -9302,13 +9302,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||||
')
|
')
|
||||||
@@ -521,6 +610,19 @@
|
@@ -521,6 +610,20 @@
|
||||||
userdom_use_sysadm_terms(httpd_helper_t)
|
userdom_use_sysadm_terms(httpd_helper_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
+optional_policy(`
|
+optional_policy(`
|
||||||
+ type httpd_unconfined_script_t;
|
+ type httpd_unconfined_script_t;
|
||||||
+ type httpd_unconfined_script_exec_t;
|
+ type httpd_unconfined_script_exec_t;
|
||||||
|
+ domain_type(httpd_unconfined_script_t)
|
||||||
+ domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
|
+ domain_entry_file(httpd_unconfined_script_t,httpd_unconfined_script_exec_t)
|
||||||
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
+ domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)
|
||||||
+ unconfined_domain(httpd_unconfined_script_t)
|
+ unconfined_domain(httpd_unconfined_script_t)
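Review bot: `domtrans_pattern(httpd_t, httpd_unconfined_script_exec_t, httpd_unconfined_script_t)` combined with `unconfined_domain(httpd_unconfined_script_t)` makes a file label the only boundary between the confined web server and an unconfined domain — anything an administrator labels httpd_unconfined_script_exec_t runs without confinement as soon as httpd executes it, and unlike the CGI transitions later in this file (the `tunable_policy(`httpd_enable_cgi && httpd_unified',` guard in the hunk at L296) there is no boolean to switch it off. Consider wrapping the domtrans in a `tunable_policy` guard, or at least recording the intent above the block, e.g. `# Executables labeled httpd_unconfined_script_exec_t run fully unconfined when started by httpd; label with care`. The only line the commit itself adds here is `domain_type(httpd_unconfined_script_t)`; the transition and the unconfined grant are carried over from the previous revision. The enclosing optional_policy block continues past the end of the hunk.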
|
||||||
|
@ -9322,7 +9323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache PHP script local policy
|
# Apache PHP script local policy
|
||||||
@@ -550,18 +652,24 @@
|
@@ -550,18 +653,24 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_php_t)
|
fs_search_auto_mountpoints(httpd_php_t)
|
||||||
|
|
||||||
|
@ -9350,7 +9351,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -585,6 +693,8 @@
|
@@ -585,6 +694,8 @@
|
||||||
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
|
||||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||||
|
|
||||||
|
@ -9359,7 +9360,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
kernel_read_kernel_sysctls(httpd_suexec_t)
|
kernel_read_kernel_sysctls(httpd_suexec_t)
|
||||||
kernel_list_proc(httpd_suexec_t)
|
kernel_list_proc(httpd_suexec_t)
|
||||||
kernel_read_proc_symlinks(httpd_suexec_t)
|
kernel_read_proc_symlinks(httpd_suexec_t)
|
||||||
@@ -593,9 +703,7 @@
|
@@ -593,9 +704,7 @@
|
||||||
|
|
||||||
fs_search_auto_mountpoints(httpd_suexec_t)
|
fs_search_auto_mountpoints(httpd_suexec_t)
|
||||||
|
|
||||||
|
@ -9370,7 +9371,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
|
|
||||||
files_read_etc_files(httpd_suexec_t)
|
files_read_etc_files(httpd_suexec_t)
|
||||||
files_read_usr_files(httpd_suexec_t)
|
files_read_usr_files(httpd_suexec_t)
|
||||||
@@ -628,6 +736,7 @@
|
@@ -628,6 +737,7 @@
|
||||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -9378,7 +9379,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||||
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
@@ -638,6 +747,12 @@
|
@@ -638,6 +748,12 @@
|
||||||
fs_exec_nfs_files(httpd_suexec_t)
|
fs_exec_nfs_files(httpd_suexec_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -9391,7 +9392,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_suexec_t)
|
fs_read_cifs_files(httpd_suexec_t)
|
||||||
fs_read_cifs_symlinks(httpd_suexec_t)
|
fs_read_cifs_symlinks(httpd_suexec_t)
|
||||||
@@ -655,10 +770,6 @@
|
@@ -655,10 +771,6 @@
|
||||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -9402,7 +9403,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Apache system script local policy
|
# Apache system script local policy
|
||||||
@@ -668,7 +779,8 @@
|
@@ -668,7 +780,8 @@
|
||||||
|
|
||||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||||
|
|
||||||
|
@ -9412,7 +9413,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
|
|
||||||
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
|
||||||
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
|
||||||
@@ -682,15 +794,44 @@
|
@@ -682,15 +795,44 @@
|
||||||
# Should we add a boolean?
|
# Should we add a boolean?
|
||||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||||
|
|
||||||
|
@ -9458,7 +9459,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||||
fs_read_cifs_files(httpd_sys_script_t)
|
fs_read_cifs_files(httpd_sys_script_t)
|
||||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||||
@@ -700,9 +841,15 @@
|
@@ -700,9 +842,15 @@
|
||||||
clamav_domtrans_clamscan(httpd_sys_script_t)
|
clamav_domtrans_clamscan(httpd_sys_script_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -9474,7 +9475,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -724,3 +871,47 @@
|
@@ -724,3 +872,47 @@
|
||||||
logging_search_logs(httpd_rotatelogs_t)
|
logging_search_logs(httpd_rotatelogs_t)
|
||||||
|
|
||||||
miscfiles_read_localization(httpd_rotatelogs_t)
|
miscfiles_read_localization(httpd_rotatelogs_t)
|
||||||
|
@ -29586,7 +29587,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
+')
|
+')
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.3.1/policy/modules/system/selinuxutil.te
|
||||||
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/selinuxutil.te 2008-02-06 10:33:22.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-04 17:19:53.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/system/selinuxutil.te 2008-04-11 14:03:28.000000000 -0400
|
||||||
@@ -75,7 +75,6 @@
|
@@ -75,7 +75,6 @@
|
||||||
type restorecond_exec_t;
|
type restorecond_exec_t;
|
||||||
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
init_daemon_domain(restorecond_t,restorecond_exec_t)
|
||||||
|
@ -29673,7 +29674,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
auth_dontaudit_read_shadow(run_init_t)
|
auth_dontaudit_read_shadow(run_init_t)
|
||||||
|
|
||||||
init_spec_domtrans_script(run_init_t)
|
init_spec_domtrans_script(run_init_t)
|
||||||
@@ -435,67 +432,21 @@
|
@@ -435,67 +432,22 @@
|
||||||
# semodule local policy
|
# semodule local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -29692,13 +29693,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
-kernel_read_kernel_sysctls(semanage_t)
|
-kernel_read_kernel_sysctls(semanage_t)
|
||||||
-
|
-
|
||||||
-corecmd_exec_bin(semanage_t)
|
-corecmd_exec_bin(semanage_t)
|
||||||
+seutil_semanage_policy(semanage_t)
|
-
|
||||||
+can_exec(semanage_t, semanage_exec_t)
|
|
||||||
|
|
||||||
-dev_read_urand(semanage_t)
|
-dev_read_urand(semanage_t)
|
||||||
+# Admins are creating pp files in random locations
|
-
|
||||||
+auth_read_all_files_except_shadow(semanage_t)
|
|
||||||
|
|
||||||
-domain_use_interactive_fds(semanage_t)
|
-domain_use_interactive_fds(semanage_t)
|
||||||
-
|
-
|
||||||
-files_read_etc_files(semanage_t)
|
-files_read_etc_files(semanage_t)
|
||||||
|
@ -29713,13 +29710,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
-selinux_get_enforce_mode(semanage_t)
|
-selinux_get_enforce_mode(semanage_t)
|
||||||
-selinux_getattr_fs(semanage_t)
|
-selinux_getattr_fs(semanage_t)
|
||||||
-# for setsebool:
|
-# for setsebool:
|
||||||
-selinux_set_boolean(semanage_t)
|
+seutil_semanage_policy(semanage_t)
|
||||||
-
|
selinux_set_boolean(semanage_t)
|
||||||
|
+can_exec(semanage_t, semanage_exec_t)
|
||||||
|
|
||||||
-term_use_all_terms(semanage_t)
|
-term_use_all_terms(semanage_t)
|
||||||
-
|
-
|
||||||
-# Running genhomedircon requires this for finding all users
|
-# Running genhomedircon requires this for finding all users
|
||||||
-auth_use_nsswitch(semanage_t)
|
-auth_use_nsswitch(semanage_t)
|
||||||
-
|
+# Admins are creating pp files in random locations
|
||||||
|
+auth_read_all_files_except_shadow(semanage_t)
|
||||||
|
|
||||||
-libs_use_ld_so(semanage_t)
|
-libs_use_ld_so(semanage_t)
|
||||||
-libs_use_shared_libs(semanage_t)
|
-libs_use_shared_libs(semanage_t)
|
||||||
-
|
-
|
||||||
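Review bot: `auth_read_all_files_except_shadow(semanage_t)` on the new side (L710) grants the semanage domain read access to, by the interface's name, every non-shadow file on the system in order to cover policy packages left in arbitrary locations — a far wider surface than the stated need. The same file already carries the narrower `userdom_read_sysadm_home_content_files(semanage_t)` and `userdom_read_sysadm_tmp_files(semanage_t)` (hunk at L787), so the blanket rule mainly adds reach beyond the admin's home directory and /tmp. Either drop it in favour of those targeted interfaces or expand the one-line comment so the trade-off is recorded: `# Admins build .pp files in arbitrary locations; this grants read on all non-shadow files — revisit if a dedicated label for policy packages becomes available`. The commit only relocates these lines relative to the earlier revision (hunk at L586), so the net policy content is unchanged by this move. The semanage local policy section continues outside the hunk.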
|
@ -29748,7 +29749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
ifdef(`distro_debian',`
|
ifdef(`distro_debian',`
|
||||||
files_read_var_lib_files(semanage_t)
|
files_read_var_lib_files(semanage_t)
|
||||||
files_read_var_lib_symlinks(semanage_t)
|
files_read_var_lib_symlinks(semanage_t)
|
||||||
@@ -507,6 +458,11 @@
|
@@ -507,6 +459,11 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -29760,7 +29761,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
# cjp: need a more general way to handle this:
|
# cjp: need a more general way to handle this:
|
||||||
ifdef(`enable_mls',`
|
ifdef(`enable_mls',`
|
||||||
# read secadm tmp files
|
# read secadm tmp files
|
||||||
@@ -514,26 +470,44 @@
|
@@ -514,26 +471,44 @@
|
||||||
# Handle pp files created in homedir and /tmp
|
# Handle pp files created in homedir and /tmp
|
||||||
userdom_read_sysadm_home_content_files(semanage_t)
|
userdom_read_sysadm_home_content_files(semanage_t)
|
||||||
userdom_read_sysadm_tmp_files(semanage_t)
|
userdom_read_sysadm_tmp_files(semanage_t)
|
||||||
|
@ -29810,7 +29811,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
kernel_read_system_state(setfiles_t)
|
kernel_read_system_state(setfiles_t)
|
||||||
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
kernel_relabelfrom_unlabeled_dirs(setfiles_t)
|
||||||
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
kernel_relabelfrom_unlabeled_files(setfiles_t)
|
||||||
@@ -555,9 +529,13 @@
|
@@ -555,9 +530,13 @@
|
||||||
files_read_etc_files(setfiles_t)
|
files_read_etc_files(setfiles_t)
|
||||||
files_list_all(setfiles_t)
|
files_list_all(setfiles_t)
|
||||||
files_relabel_all_files(setfiles_t)
|
files_relabel_all_files(setfiles_t)
|
||||||
|
@ -29824,7 +29825,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
|
||||||
fs_search_auto_mountpoints(setfiles_t)
|
fs_search_auto_mountpoints(setfiles_t)
|
||||||
fs_relabelfrom_noxattr_fs(setfiles_t)
|
fs_relabelfrom_noxattr_fs(setfiles_t)
|
||||||
|
|
||||||
@@ -617,16 +595,8 @@
|
@@ -617,16 +596,8 @@
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
|
@ -34435,8 +34436,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.i
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
|
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.te serefpolicy-3.3.1/policy/modules/system/virt.te
|
||||||
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
--- nsaserefpolicy/policy/modules/system/virt.te 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-04 12:06:56.000000000 -0400
|
+++ serefpolicy-3.3.1/policy/modules/system/virt.te 2008-04-11 14:40:17.000000000 -0400
|
||||||
@@ -0,0 +1,173 @@
|
@@ -0,0 +1,174 @@
|
||||||
+
|
+
|
||||||
+policy_module(virt,1.0.0)
|
+policy_module(virt,1.0.0)
|
||||||
+
|
+
|
||||||
|
@ -34491,7 +34492,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||||
+#
|
+#
|
||||||
+# virtd local policy
|
+# virtd local policy
|
||||||
+#
|
+#
|
||||||
+allow virtd_t self:capability { sys_module dac_override kill net_admin setgid };
|
+allow virtd_t self:capability { dac_override kill net_admin setgid };
|
||||||
+allow virtd_t self:process { sigkill signal };
|
+allow virtd_t self:process { sigkill signal };
|
||||||
+allow virtd_t self:fifo_file rw_file_perms;
|
+allow virtd_t self:fifo_file rw_file_perms;
|
||||||
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
+allow virtd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
@ -34541,6 +34542,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/virt.t
|
||||||
+kernel_rw_net_sysctls(virtd_t)
|
+kernel_rw_net_sysctls(virtd_t)
|
||||||
+kernel_read_xen_state(virtd_t)
|
+kernel_read_xen_state(virtd_t)
|
||||||
+kernel_write_xen_state(virtd_t)
|
+kernel_write_xen_state(virtd_t)
|
||||||
|
+kernel_load_module(virtd_t)
|
||||||
+
|
+
|
||||||
+# Init script handling
|
+# Init script handling
|
||||||
+domain_use_interactive_fds(virtd_t)
|
+domain_use_interactive_fds(virtd_t)
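Review bot: The new side replaces the `sys_module` capability with `kernel_load_module(virtd_t)` (L984), which by the interface's name still lets the virtd domain load kernel modules — effectively kernel-level code execution from a network-facing daemon — so the grant deserves an explicit justification rather than a bare interface call. Add a comment above it naming what the daemon needs the modules for, e.g. `# virtd loads kernel modules for <reason — fill in>; this is a kernel-code-execution privilege`, and if the need is limited to some deployments an `optional_policy` or tunable guard would let hardened hosts withhold it. The capability change in the hunk at L926 is the other half of this swap; this is the line where the documentation belongs. The virtd local policy block continues beyond the hunk.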
|
||||||
|
|
|
@ -17,7 +17,7 @@
|
||||||
Summary: SELinux policy configuration
|
Summary: SELinux policy configuration
|
||||||
Name: selinux-policy
|
Name: selinux-policy
|
||||||
Version: 3.3.1
|
Version: 3.3.1
|
||||||
Release: 33%{?dist}
|
Release: 34%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: serefpolicy-%{version}.tgz
|
Source: serefpolicy-%{version}.tgz
|
||||||
|
@ -157,7 +157,7 @@ fi
|
||||||
%define loadpolicy() \
|
%define loadpolicy() \
|
||||||
( cd /usr/share/selinux/%1; \
|
( cd /usr/share/selinux/%1; \
|
||||||
semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
|
semodule -b base.pp %{expand:%%moduleList %1} -s %1; \
|
||||||
) > /dev/null 2>&1; \
|
); \
|
||||||
|
|
||||||
%define relabel() \
|
%define relabel() \
|
||||||
. %{_sysconfdir}/selinux/config; \
|
. %{_sysconfdir}/selinux/config; \
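Review bot: Dropping `> /dev/null 2>&1` from `%define loadpolicy()` makes semodule's diagnostics visible during the scriptlet, which is an improvement, but the hunk still shows nothing acting on the subshell's exit status — a failed policy load is now printed yet the scriptlet continues as if the new policy were active. If the intent is to fail loudly, `) || exit 1; \` would do it; if a best-effort install is deliberate, a comment such as `# semodule output is shown on purpose; a failed load is not fatal to the install` would spare the next reader the same question. The remainder of the macro body is outside the hunk, so this may already be handled there.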
|
||||||
|
@ -383,6 +383,8 @@ exit 0
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-34
|
||||||
|
|
||||||
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-33
|
* Thu Apr 10 2008 Dan Walsh <dwalsh@redhat.com> 3.3.1-33
|
||||||
- Allow dhcpd to read kernel network state
|
- Allow dhcpd to read kernel network state
|
||||||
|
|
||||||
|
|