- Fixes for logrotate, alsa

2008-07-25 11:42:14 +00:00 · 2008-07-25 11:42:14 +00:00 · bb6af9637f
commit bb6af9637f
parent f12d5b90db
1 changed files with 105 additions and 40 deletions
--- a/policy-20080710.patch
+++ b/policy-20080710.patch
@ -337,6 +337,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/global_tunables seref
 +gen_tunable(allow_console_login,false)
 +
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/alsa.te serefpolicy-3.5.1/policy/modules/admin/alsa.te
 --- nsaserefpolicy/policy/modules/admin/alsa.te	2008-07-10 11:38:46.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/admin/alsa.te	2008-07-25 06:59:42.000000000 -0400
@@ -51,6 +51,8 @@
 auth_use_nsswitch(alsa_t)
 +init_use_fds(alsa_t)
 +
 libs_use_ld_so(alsa_t)
 libs_use_shared_libs(alsa_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/amanda.fc serefpolicy-3.5.1/policy/modules/admin/amanda.fc
 --- nsaserefpolicy/policy/modules/admin/amanda.fc	2008-06-12 23:25:08.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/admin/amanda.fc	2008-07-24 06:54:04.000000000 -0400
@ -650,7 +662,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/kudzu.t
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrotate.te serefpolicy-3.5.1/policy/modules/admin/logrotate.te
 --- nsaserefpolicy/policy/modules/admin/logrotate.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/admin/logrotate.te	2008-07-24 06:54:04.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/admin/logrotate.te	2008-07-25 06:42:53.000000000 -0400
@@ -71,6 +71,7 @@
 fs_search_auto_mountpoints(logrotate_t)
@ -671,6 +683,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logrota
 # cjp: why is this needed?
 init_domtrans_script(logrotate_t)
@@ -140,9 +143,8 @@
 ')
 optional_policy(`
 -	apache_read_config(logrotate_t)
 -	apache_domtrans(logrotate_t)
 	apache_signull(logrotate_t)
 +	apache_manage_all_content(logrotate_t)
 ')
 optional_policy(`
@@ -184,6 +186,5 @@
 ')
 optional_policy(`
 -	# cjp: why?
 -	squid_domtrans(logrotate_t)
 +	squid_signal(logrotate_t)
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.5.1/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2008-07-10 11:38:46.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/admin/logwatch.te	2008-07-24 08:00:57.000000000 -0400
@ -9734,7 +9765,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +/etc/rc\.d/init\.d/httpd	--	gen_context(system_u:object_r:httpd_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.5.1/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/apache.if	2008-07-24 06:54:04.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/services/apache.if	2008-07-25 06:30:35.000000000 -0400
@@ -13,21 +13,16 @@
 #
 template(`apache_content_template',`
@ -10358,7 +10389,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.5.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/apache.te	2008-07-24 06:54:04.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/services/apache.te	2008-07-25 07:41:00.000000000 -0400
@@ -20,6 +20,8 @@
 # Declarations
 #
@ -10579,14 +10610,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +	filetrans_pattern(httpd_sys_script_t,httpd_sys_content_t,httpd_sys_content_rw_t, { file dir lnk_file })
 +	can_exec(httpd_sys_script_t, httpd_sys_content_t)
 +')
 +
 +tunable_policy(`allow_httpd_sys_script_anon_write',`
 +	miscfiles_manage_public_files(httpd_sys_script_t)
 +') 
 -	manage_dirs_pattern(httpd_t,httpdcontent,httpdcontent)
 -	manage_files_pattern(httpd_t,httpdcontent,httpdcontent)
 -	manage_lnk_files_pattern(httpd_t,httpdcontent,httpdcontent)
 +tunable_policy(`allow_httpd_sys_script_anon_write',`
 +	miscfiles_manage_public_files(httpd_sys_script_t)
 +') 
 +
 +tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 +	domtrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_script_t)
 +	filetrans_pattern(httpd_t, httpd_sys_content_t, httpd_sys_content_rw_t, { file dir lnk_file })
@ -10660,27 +10691,28 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 optional_policy(`
-@@ -476,14 +559,15 @@
+@@ -476,6 +559,12 @@
 	openca_kill(httpd_t)
 ')
-+tunable_policy(`httpd_can_network_connect_db',`
+tunable_policy(`httpd_execmem',`
-+	postgresql_tcp_connect(httpd_t)
+	allow httpd_t self:process { execmem execstack };
-+	postgresql_tcp_connect(httpd_sys_script_t)
+	allow httpd_sys_script_t self:process { execmem execstack };
 +	allow httpd_suexec_t self:process { execmem execstack };
 +') 
 +
 optional_policy(`
 	# Allow httpd to work with postgresql
 	postgresql_stream_connect(httpd_t)
- 	postgresql_unpriv_client(httpd_t)
+@@ -483,6 +572,7 @@
-
+ 
-	tunable_policy(`httpd_can_network_connect_db',`
+ 	tunable_policy(`httpd_can_network_connect_db',`
-		postgresql_tcp_connect(httpd_t)
+ 		postgresql_tcp_connect(httpd_t)
-	')
+		postgresql_tcp_connect(httpd_sys_script_t)
 	')
 ')
- optional_policy(`
+@@ -491,6 +581,7 @@
@@ -491,6 +575,7 @@
 ')
 optional_policy(`
@ -10688,7 +10720,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -520,9 +605,28 @@
+@@ -520,9 +611,28 @@
 logging_send_syslog_msg(httpd_helper_t)
 tunable_policy(`httpd_tty_comm',`
@ -10717,7 +10749,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache PHP script local policy
-@@ -552,22 +656,27 @@
+@@ -552,22 +662,27 @@
 fs_search_auto_mountpoints(httpd_php_t)
@ -10751,7 +10783,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -591,6 +700,8 @@
+@@ -591,6 +706,8 @@
 manage_files_pattern(httpd_suexec_t,httpd_suexec_tmp_t,httpd_suexec_tmp_t)
 files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@ -10760,7 +10792,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 kernel_read_kernel_sysctls(httpd_suexec_t)
 kernel_list_proc(httpd_suexec_t)
 kernel_read_proc_symlinks(httpd_suexec_t)
-@@ -599,9 +710,7 @@
+@@ -599,9 +716,7 @@
 fs_search_auto_mountpoints(httpd_suexec_t)
@ -10771,7 +10803,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -634,12 +743,21 @@
+@@ -634,12 +749,21 @@
 	corenet_sendrecv_all_client_packets(httpd_suexec_t)
 ')
@ -10796,7 +10828,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -648,6 +766,12 @@
+@@ -648,6 +772,12 @@
 	fs_exec_nfs_files(httpd_suexec_t)
 ')
@ -10809,7 +10841,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_suexec_t)
 	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -665,10 +789,6 @@
+@@ -665,10 +795,6 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
@ -10820,7 +10852,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ########################################
 #
 # Apache system script local policy
-@@ -678,7 +798,8 @@
+@@ -678,7 +804,8 @@
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
@ -10830,7 +10862,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
 read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -692,19 +813,44 @@
+@@ -692,19 +819,44 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
@ -10878,7 +10910,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -717,10 +863,10 @@
+@@ -717,10 +869,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -10893,7 +10925,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 ')
 ########################################
-@@ -728,6 +874,8 @@
+@@ -728,6 +880,8 @@
 # httpd_rotatelogs local policy
 #
@ -10902,7 +10934,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 manage_files_pattern(httpd_rotatelogs_t,httpd_log_t,httpd_log_t)
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -742,3 +890,48 @@
+@@ -742,3 +896,48 @@
 logging_search_logs(httpd_rotatelogs_t)
 miscfiles_read_localization(httpd_rotatelogs_t)
@ -17982,7 +18014,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mail
 ## <param name="domain">
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.5.1/policy/modules/services/mailman.te
 --- nsaserefpolicy/policy/modules/services/mailman.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/mailman.te	2008-07-24 06:54:04.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/services/mailman.te	2008-07-25 07:31:24.000000000 -0400
@@ -53,10 +53,9 @@
 	apache_use_fds(mailman_cgi_t)
 	apache_dontaudit_append_log(mailman_cgi_t)
@ -24354,7 +24386,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/sendmail.te serefpolicy-3.5.1/policy/modules/services/sendmail.te
 --- nsaserefpolicy/policy/modules/services/sendmail.te	2008-07-10 11:38:46.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/sendmail.te	2008-07-24 06:54:04.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/services/sendmail.te	2008-07-25 07:31:50.000000000 -0400
@@ -20,13 +20,17 @@
 mta_mailserver_delivery(sendmail_t)
 mta_mailserver_sender(sendmail_t)
@ -24383,7 +24415,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 corenet_all_recvfrom_unlabeled(sendmail_t)
 corenet_all_recvfrom_netlabel(sendmail_t)
-@@ -69,19 +74,23 @@
+@@ -64,24 +69,29 @@
 fs_getattr_all_fs(sendmail_t)
 fs_search_auto_mountpoints(sendmail_t)
 +fs_rw_anon_inodefs_files(sendmail_t)
 term_dontaudit_use_console(sendmail_t)
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
@ -24407,7 +24445,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 auth_use_nsswitch(sendmail_t)
-@@ -91,27 +100,46 @@
+@@ -91,27 +101,46 @@
 libs_read_lib_files(sendmail_t)
 logging_send_syslog_msg(sendmail_t)
@ -24456,7 +24494,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 	postfix_exec_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
-@@ -119,6 +147,7 @@
+@@ -119,6 +148,7 @@
 optional_policy(`
 	procmail_domtrans(sendmail_t)
@ -24464,7 +24502,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/send
 ')
 optional_policy(`
-@@ -126,24 +155,25 @@
+@@ -126,24 +156,25 @@
 ')
 optional_policy(`
@ -26243,8 +26281,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.if serefpolicy-3.5.1/policy/modules/services/squid.if
 --- nsaserefpolicy/policy/modules/services/squid.if	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/services/squid.if	2008-07-24 06:54:04.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/services/squid.if	2008-07-25 06:35:25.000000000 -0400
-@@ -131,3 +131,95 @@
+@@ -131,3 +131,114 @@
 interface(`squid_use',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
@ -26340,6 +26378,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squi
 +	files_list_pids($1)
 +        manage_all_pattern($1,squid_var_run_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Send a signal to squid.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`squid_signal',`
 +	gen_require(`
 +		type squid_t;
 +	')
 +
 +	allow $1 squid_t:process signal;
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/squid.te serefpolicy-3.5.1/policy/modules/services/squid.te
 --- nsaserefpolicy/policy/modules/services/squid.te	2008-07-10 11:38:46.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/services/squid.te	2008-07-24 06:54:04.000000000 -0400
@ -31127,7 +31184,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/miscfi
 # /opt
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.5.1/policy/modules/system/modutils.if
 --- nsaserefpolicy/policy/modules/system/modutils.if	2008-06-12 23:25:07.000000000 -0400
-+++ serefpolicy-3.5.1/policy/modules/system/modutils.if	2008-07-24 06:54:04.000000000 -0400
+++ serefpolicy-3.5.1/policy/modules/system/modutils.if	2008-07-25 07:26:20.000000000 -0400
@@ -66,6 +66,25 @@
 ########################################
@ -31154,6 +31211,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/moduti
 ##	Unconditionally execute insmod in the insmod domain.
 ## </summary>
 ## <param name="domain">
@@ -275,6 +294,7 @@
 	modutils_domtrans_update_mods($1)
 	role $2 types update_modules_t;
 	allow update_modules_t $3:chr_file rw_term_perms;
 +	modutils_run_insmod(update_modules_t, $2, $3)
 ')
 ########################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.5.1/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2008-07-10 11:38:46.000000000 -0400
 +++ serefpolicy-3.5.1/policy/modules/system/modutils.te	2008-07-24 06:54:04.000000000 -0400