rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- Add label for ~/.forward and /root/.forward

Browse Source
This commit is contained in:
Daniel J Walsh 2009-03-27 19:48:17 +00:00
parent 9da6c9c025
commit c0158a8c68
2 changed files with 36 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
policy-20090105.patch
View File

@ -6775,7 +6775,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+permissive afs_t; +permissive afs_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.10/policy/modules/services/apache.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.10/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500 --- nsaserefpolicy/policy/modules/services/apache.fc 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/apache.fc 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/apache.fc 2009-03-27 14:54:58.000000000 -0400
@@ -1,12 +1,13 @@ @@ -1,12 +1,13 @@
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0) +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -8172,7 +8172,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.10/policy/modules/services/bind.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.fc serefpolicy-3.6.10/policy/modules/services/bind.fc
--- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500 --- nsaserefpolicy/policy/modules/services/bind.fc 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/bind.fc 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/bind.fc 2009-03-27 15:09:58.000000000 -0400
@@ -1,17 +1,22 @@ @@ -1,17 +1,22 @@
/etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0) /etc/rc\.d/init\.d/named -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0) +/etc/rc\.d/init\.d/unbound -- gen_context(system_u:object_r:named_initrc_exec_t,s0)
@ -8196,14 +8196,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
ifdef(`distro_debian',` ifdef(`distro_debian',`
/etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0) /etc/bind(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
@@ -40,7 +45,6 @@ @@ -40,8 +45,8 @@
/var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/data(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0) /var/named/named\.ca -- gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0) /var/named/chroot(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
-/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0) -/var/named/chroot/etc(/.*)? gen_context(system_u:object_r:named_conf_t,s0)
/var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0) /var/named/chroot/etc/rndc\.key -- gen_context(system_u:object_r:dnssec_t,s0)
+/var/named/chroot/proc(/.*)? <<none>>
/var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0) /var/named/chroot/var/run/named.* gen_context(system_u:object_r:named_var_run_t,s0)
/var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0) /var/named/chroot/var/tmp(/.*)? gen_context(system_u:object_r:named_cache_t,s0)
/var/named/chroot/var/named(/.*)? gen_context(system_u:object_r:named_zone_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.10/policy/modules/services/bind.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/bind.if serefpolicy-3.6.10/policy/modules/services/bind.if
--- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500 --- nsaserefpolicy/policy/modules/services/bind.if 2008-11-11 16:13:46.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/bind.if 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/bind.if 2009-03-24 09:03:48.000000000 -0400
@ -13095,7 +13097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
cron_system_entry(mailman_queue_t, mailman_queue_exec_t) cron_system_entry(mailman_queue_t, mailman_queue_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.10/policy/modules/services/mta.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.fc serefpolicy-3.6.10/policy/modules/services/mta.fc
--- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400 --- nsaserefpolicy/policy/modules/services/mta.fc 2008-09-12 10:48:05.000000000 -0400
+++ serefpolicy-3.6.10/policy/modules/services/mta.fc 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/mta.fc 2009-03-27 15:09:24.000000000 -0400
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
-/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0) -/bin/mail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0) +/bin/mail(x)? -- gen_context(system_u:object_r:sendmail_exec_t,s0)
@ -13116,7 +13118,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
@@ -22,7 +25,3 @@ @@ -22,7 +25,5 @@
/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
@ -13124,9 +13126,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
-#ifdef(`postfix.te', `', ` -#ifdef(`postfix.te', `', `
-#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -#/var/spool/postfix(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
-#') -#')
+HOME_DIR/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
+/root/\.forward -- gen_context(system_u:object_r:mail_forward_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.if serefpolicy-3.6.10/policy/modules/services/mta.if
--- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/mta.if 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-27 09:50:44.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/mta.if 2009-03-27 14:46:53.000000000 -0400
@@ -130,6 +130,15 @@ @@ -130,6 +130,15 @@
sendmail_create_log($1_mail_t) sendmail_create_log($1_mail_t)
') ')
@ -13204,8 +13208,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.6.10/policy/modules/services/mta.te
--- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500 --- nsaserefpolicy/policy/modules/services/mta.te 2009-01-19 11:06:49.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/mta.te 2009-03-24 09:03:48.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/mta.te 2009-03-27 15:46:19.000000000 -0400
@@ -47,34 +47,49 @@ @@ -27,6 +27,9 @@
type mail_spool_t;
files_mountpoint(mail_spool_t)
+type mail_forward_t, mailcontent_type;
+files_type(mail_forward_t)
+
type sendmail_exec_t;
mta_agent_executable(sendmail_exec_t)
@@ -47,34 +50,49 @@
# #
# newalias required this, not sure if it is needed in 'if' file # newalias required this, not sure if it is needed in 'if' file
@ -13257,7 +13271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -88,6 +103,13 @@ @@ -88,6 +106,13 @@
optional_policy(` optional_policy(`
cron_read_system_job_tmp_files(system_mail_t) cron_read_system_job_tmp_files(system_mail_t)
cron_dontaudit_write_pipes(system_mail_t) cron_dontaudit_write_pipes(system_mail_t)
@ -13271,7 +13285,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -95,16 +117,16 @@ @@ -95,16 +120,16 @@
') ')
optional_policy(` optional_policy(`
@ -13292,7 +13306,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -132,10 +154,6 @@ @@ -132,10 +157,6 @@
# compatability for old default main.cf # compatability for old default main.cf
postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file }) postfix_config_filetrans(system_mail_t, etc_aliases_t, { dir file lnk_file sock_file fifo_file })
') ')
@ -13303,7 +13317,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
') ')
optional_policy(` optional_policy(`
@@ -155,6 +173,19 @@ @@ -155,6 +176,19 @@
') ')
optional_policy(` optional_policy(`
@ -13323,11 +13337,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
smartmon_read_tmp_files(system_mail_t) smartmon_read_tmp_files(system_mail_t)
') ')
@@ -174,6 +205,23 @@ @@ -174,6 +208,25 @@
') ')
') ')
+read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t) +read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
+userdom_search_admin_dir(mailserver_delivery)
+read_files_pattern(mailserver_delivery, mail_forward_t, mail_forward_t)
+ +
+init_stream_connect_script(mailserver_delivery) +init_stream_connect_script(mailserver_delivery)
+init_rw_script_stream_sockets(mailserver_delivery) +init_rw_script_stream_sockets(mailserver_delivery)
@ -21222,12 +21238,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(` optional_policy(`
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.10/policy/modules/services/virt.fc diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.fc serefpolicy-3.6.10/policy/modules/services/virt.fc
--- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500 --- nsaserefpolicy/policy/modules/services/virt.fc 2009-01-05 15:39:43.000000000 -0500
+++ serefpolicy-3.6.10/policy/modules/services/virt.fc 2009-03-24 15:39:18.000000000 -0400 +++ serefpolicy-3.6.10/policy/modules/services/virt.fc 2009-03-27 15:22:38.000000000 -0400
@@ -8,5 +8,15 @@ @@ -8,5 +8,16 @@
/var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0) /var/lib/libvirt(/.*)? gen_context(system_u:object_r:virt_var_lib_t,s0)
/var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0) /var/lib/libvirt/images(/.*)? gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0) +/var/lib/libvirt/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/boot(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+ +
/var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0) /var/log/libvirt(/.*)? gen_context(system_u:object_r:virt_log_t,s0)
/var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0) /var/run/libvirt(/.*)? gen_context(system_u:object_r:virt_var_run_t,s0)

5
selinux-policy.spec
View File

@ -20,7 +20,7 @@
Summary: SELinux policy configuration Summary: SELinux policy configuration
Name: selinux-policy Name: selinux-policy
Version: 3.6.10 Version: 3.6.10
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: serefpolicy-%{version}.tgz Source: serefpolicy-%{version}.tgz
@ -444,6 +444,9 @@ exit 0
%endif %endif
%changelog %changelog
* Fri Mar 27 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-4
- Add label for ~/.forward and /root/.forward
* Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3 * Thu Mar 26 2009 Dan Walsh <dwalsh@redhat.com> 3.6.10-3
- Fixes for svirt - Fixes for svirt