- Allow gssd to send signals to users
- Fix duplicate label for apache content
This commit is contained in:
parent
faf9cbbc4b
commit
cb5670ca1b
231
policy-F12.patch
231
policy-F12.patch
@ -4327,7 +4327,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/screen.if serefpolicy-3.6.29/policy/modules/apps/screen.if
|
||||
--- nsaserefpolicy/policy/modules/apps/screen.if 2009-07-23 14:11:04.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/apps/screen.if 2009-08-28 15:56:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/apps/screen.if 2009-08-31 08:54:25.000000000 -0400
|
||||
@@ -61,6 +61,8 @@
|
||||
manage_fifo_files_pattern($1_screen_t, screen_dir_t, screen_var_run_t)
|
||||
manage_dirs_pattern($1_screen_t, screen_dir_t, screen_dir_t)
|
||||
@ -4337,7 +4337,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
files_pid_filetrans($1_screen_t, screen_dir_t, dir)
|
||||
|
||||
allow $1_screen_t screen_home_t:dir list_dir_perms;
|
||||
@@ -91,6 +93,7 @@
|
||||
@@ -73,6 +75,8 @@
|
||||
allow $3 $1_screen_t:process signal;
|
||||
allow $1_screen_t $3:process signal;
|
||||
|
||||
+ screen_manage_var_run($3)
|
||||
+
|
||||
manage_dirs_pattern($3, screen_home_t, screen_home_t)
|
||||
manage_files_pattern($3, screen_home_t, screen_home_t)
|
||||
manage_lnk_files_pattern($3, screen_home_t, screen_home_t)
|
||||
@@ -91,6 +95,7 @@
|
||||
# Revert to the user domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_screen_t, $3)
|
||||
corecmd_bin_domtrans($1_screen_t, $3)
|
||||
@ -4345,11 +4354,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1_screen_t)
|
||||
corenet_all_recvfrom_netlabel($1_screen_t)
|
||||
@@ -157,3 +160,24 @@
|
||||
nscd_socket_use($1_screen_t)
|
||||
')
|
||||
')
|
||||
@@ -124,14 +129,14 @@
|
||||
# Write to utmp.
|
||||
init_rw_utmp($1_screen_t)
|
||||
|
||||
+ auth_use_nsswitch($1_screen_t)
|
||||
+
|
||||
logging_send_syslog_msg($1_screen_t)
|
||||
|
||||
miscfiles_read_localization($1_screen_t)
|
||||
|
||||
seutil_read_config($1_screen_t)
|
||||
|
||||
- sysnet_read_config($1_screen_t)
|
||||
-
|
||||
userdom_use_user_terminals($1_screen_t)
|
||||
userdom_create_user_pty($1_screen_t)
|
||||
userdom_user_home_domtrans($1_screen_t, $3)
|
||||
@@ -149,11 +154,25 @@
|
||||
fs_read_nfs_symlinks($1_screen_t)
|
||||
')
|
||||
|
||||
- optional_policy(`
|
||||
- nis_use_ypbind($1_screen_t)
|
||||
')
|
||||
|
||||
- optional_policy(`
|
||||
- nscd_socket_use($1_screen_t)
|
||||
+########################################
|
||||
+## <summary>
|
||||
+## Manage screen var_run files.
|
||||
@ -4363,13 +4394,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+interface(`screen_manage_var_run',`
|
||||
+ gen_require(`
|
||||
+ type screen_var_run_t;
|
||||
+ ')
|
||||
')
|
||||
+
|
||||
+ manage_dirs_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+ manage_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+ manage_lnk_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+ manage_fifo_files_pattern($1,screen_var_run_t,screen_var_run_t)
|
||||
+')
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.fc serefpolicy-3.6.29/policy/modules/apps/seunshare.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/seunshare.fc 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ serefpolicy-3.6.29/policy/modules/apps/seunshare.fc 2009-08-28 15:56:54.000000000 -0400
|
||||
@ -4521,7 +4552,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
ifdef(`TODO',`
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/webalizer.te serefpolicy-3.6.29/policy/modules/apps/webalizer.te
|
||||
--- nsaserefpolicy/policy/modules/apps/webalizer.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/apps/webalizer.te 2009-08-28 15:56:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/apps/webalizer.te 2009-08-31 08:56:44.000000000 -0400
|
||||
@@ -69,7 +69,6 @@
|
||||
fs_search_auto_mountpoints(webalizer_t)
|
||||
fs_getattr_xattr_fs(webalizer_t)
|
||||
@ -4530,6 +4561,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(webalizer_t)
|
||||
files_read_etc_runtime_files(webalizer_t)
|
||||
@@ -78,6 +77,7 @@
|
||||
logging_send_syslog_msg(webalizer_t)
|
||||
|
||||
miscfiles_read_localization(webalizer_t)
|
||||
+miscfiles_read_public_files(webalizer_t)
|
||||
|
||||
sysnet_dns_name_resolve(webalizer_t)
|
||||
sysnet_read_config(webalizer_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/wine.fc serefpolicy-3.6.29/policy/modules/apps/wine.fc
|
||||
--- nsaserefpolicy/policy/modules/apps/wine.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/apps/wine.fc 2009-08-28 15:56:54.000000000 -0400
|
||||
@ -8554,7 +8593,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.29/policy/modules/services/apache.fc
|
||||
--- nsaserefpolicy/policy/modules/services/apache.fc 2009-07-14 14:19:57.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/apache.fc 2009-08-28 15:56:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/apache.fc 2009-08-31 08:37:11.000000000 -0400
|
||||
@@ -1,12 +1,13 @@
|
||||
-HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
+HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
|
||||
@ -8617,7 +8656,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
/var/log/apache(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/apache-ssl(2)?(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
/var/log/cacti(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
|
||||
@@ -64,11 +74,32 @@
|
||||
@@ -64,11 +74,30 @@
|
||||
/var/run/apache.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
@ -8625,9 +8664,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/var/run/mod_.* gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
+/var/run/wsgi.* -s gen_context(system_u:object_r:httpd_var_run_t,s0)
|
||||
|
||||
/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
-/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
+/var/spool/gosa(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
||||
/var/spool/squirrelmail(/.*)? gen_context(system_u:object_r:squirrelmail_spool_t,s0)
|
||||
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t, s0)
|
||||
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t, s0)
|
||||
|
||||
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
@ -8639,20 +8679,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+/usr/share/bugzilla(/.*)? -d gen_context(system_u:object_r:httpd_bugzilla_content_t,s0)
|
||||
+/usr/share/bugzilla(/.*)? -- gen_context(system_u:object_r:httpd_bugzilla_script_exec_t,s0)
|
||||
+/var/lib/bugzilla(/.*)? gen_context(system_u:object_r:httpd_bugzilla_content_rw_t,s0)
|
||||
+#viewvc file context
|
||||
+/var/spool/viewvc(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
||||
+/var/www/html/[^/]*/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+
|
||||
+/var/www/gallery/albums(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
||||
+
|
||||
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
|
||||
+
|
||||
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_script_rw_t,s0)
|
||||
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
|
||||
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
|
||||
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.6.29/policy/modules/services/apache.if
|
||||
--- nsaserefpolicy/policy/modules/services/apache.if 2009-07-28 15:51:13.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/apache.if 2009-08-28 15:56:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/apache.if 2009-08-31 08:43:21.000000000 -0400
|
||||
@@ -13,21 +13,16 @@
|
||||
#
|
||||
template(`apache_content_template',`
|
||||
@ -8891,6 +8929,64 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -258,8 +198,8 @@
|
||||
attribute httpdcontent;
|
||||
type httpd_user_content_t, httpd_user_htaccess_t;
|
||||
type httpd_user_script_t, httpd_user_script_exec_t;
|
||||
- type httpd_user_script_ra_t, httpd_user_script_ro_t;
|
||||
- type httpd_user_script_rw_t;
|
||||
+ type httpd_user_content_ra_t, httpd_user_content_t;
|
||||
+ type httpd_user_content_rw_t;
|
||||
')
|
||||
|
||||
role $1 types httpd_user_script_t;
|
||||
@@ -268,26 +208,26 @@
|
||||
|
||||
allow $2 httpd_user_htaccess_t:file { manage_file_perms relabelto relabelfrom };
|
||||
|
||||
- manage_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
- manage_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
- manage_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
- relabel_dirs_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
- relabel_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
- relabel_lnk_files_pattern($2, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
-
|
||||
- manage_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
- manage_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
- manage_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
- relabel_dirs_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
- relabel_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
- relabel_lnk_files_pattern($2, httpd_user_script_ro_t, httpd_user_script_ro_t)
|
||||
-
|
||||
- manage_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
- manage_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
- manage_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
- relabel_dirs_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
- relabel_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
- relabel_lnk_files_pattern($2, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
+ manage_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+ manage_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+ manage_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+ relabel_dirs_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+ relabel_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+ relabel_lnk_files_pattern($2, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+
|
||||
+ manage_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
||||
+ manage_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
||||
+ manage_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
||||
+ relabel_dirs_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
||||
+ relabel_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
||||
+ relabel_lnk_files_pattern($2, httpd_user_content_t, httpd_user_content_t)
|
||||
+
|
||||
+ manage_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
+ manage_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
+ manage_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
+ relabel_dirs_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
+ relabel_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
+ relabel_lnk_files_pattern($2, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
|
||||
manage_dirs_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
manage_files_pattern($2, httpd_user_script_exec_t, httpd_user_script_exec_t)
|
||||
@@ -504,6 +444,47 @@
|
||||
########################################
|
||||
## <summary>
|
||||
@ -9154,7 +9250,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.29/policy/modules/services/apache.te
|
||||
--- nsaserefpolicy/policy/modules/services/apache.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/apache.te 2009-08-28 15:56:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/apache.te 2009-08-31 08:40:46.000000000 -0400
|
||||
@@ -19,6 +19,8 @@
|
||||
# Declarations
|
||||
#
|
||||
@ -9263,7 +9359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
|
||||
@@ -187,15 +240,20 @@
|
||||
@@ -187,28 +240,28 @@
|
||||
files_tmpfs_file(httpd_tmpfs_t)
|
||||
|
||||
apache_content_template(user)
|
||||
@ -9287,7 +9383,25 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
|
||||
typealias httpd_user_htaccess_t alias { httpd_staff_htaccess_t httpd_sysadm_htaccess_t };
|
||||
typealias httpd_user_htaccess_t alias { httpd_auditadm_htaccess_t httpd_secadm_htaccess_t };
|
||||
@@ -230,7 +288,7 @@
|
||||
-typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t };
|
||||
-typealias httpd_user_script_t alias { httpd_auditadm_script_t httpd_secadm_script_t };
|
||||
-typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t };
|
||||
-typealias httpd_user_script_exec_t alias { httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
|
||||
-typealias httpd_user_script_ro_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
|
||||
-typealias httpd_user_script_ro_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
||||
-typealias httpd_user_script_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t };
|
||||
-typealias httpd_user_script_rw_t alias { httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
|
||||
-typealias httpd_user_script_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t };
|
||||
-typealias httpd_user_script_ra_t alias { httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
|
||||
+typealias httpd_user_script_t alias { httpd_staff_script_t httpd_sysadm_script_t httpd_auditadm_script_t httpd_secadm_script_t };
|
||||
+typealias httpd_user_script_exec_t alias { httpd_staff_script_exec_t httpd_sysadm_script_exec_t httpd_auditadm_script_exec_t httpd_secadm_script_exec_t };
|
||||
+typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
||||
+typealias httpd_user_content_rw_t alias { httpd_staff_script_rw_t httpd_sysadm_script_rw_t httpd_auditadm_script_rw_t httpd_secadm_script_rw_t };
|
||||
+typealias httpd_user_content_ra_t alias { httpd_staff_script_ra_t httpd_sysadm_script_ra_t httpd_auditadm_script_ra_t httpd_secadm_script_ra_t };
|
||||
|
||||
# for apache2 memory mapped files
|
||||
type httpd_var_lib_t;
|
||||
@@ -230,7 +283,7 @@
|
||||
# Apache server local policy
|
||||
#
|
||||
|
||||
@ -9296,7 +9410,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
dontaudit httpd_t self:capability { net_admin sys_tty_config };
|
||||
allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow httpd_t self:fd use;
|
||||
@@ -272,6 +330,7 @@
|
||||
@@ -272,6 +325,7 @@
|
||||
allow httpd_t httpd_modules_t:dir list_dir_perms;
|
||||
mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
|
||||
@ -9304,7 +9418,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
apache_domtrans_rotatelogs(httpd_t)
|
||||
# Apache-httpd needs to be able to send signals to the log rotate procs.
|
||||
@@ -283,9 +342,9 @@
|
||||
@@ -283,9 +337,9 @@
|
||||
|
||||
allow httpd_t httpd_suexec_exec_t:file read_file_perms;
|
||||
|
||||
@ -9317,7 +9431,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
@@ -301,6 +360,7 @@
|
||||
@@ -301,6 +355,7 @@
|
||||
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
|
||||
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
|
||||
|
||||
@ -9325,7 +9439,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
|
||||
files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
|
||||
@@ -312,16 +372,18 @@
|
||||
@@ -312,16 +367,18 @@
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
@ -9349,7 +9463,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
corenet_tcp_bind_http_port(httpd_t)
|
||||
corenet_tcp_bind_http_cache_port(httpd_t)
|
||||
corenet_sendrecv_http_server_packets(httpd_t)
|
||||
@@ -335,12 +397,11 @@
|
||||
@@ -335,12 +392,11 @@
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
@ -9364,7 +9478,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -358,6 +419,10 @@
|
||||
@@ -358,6 +414,10 @@
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -9375,7 +9489,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
libs_read_lib_files(httpd_t)
|
||||
|
||||
@@ -372,18 +437,33 @@
|
||||
@@ -372,18 +432,33 @@
|
||||
|
||||
userdom_use_unpriv_users_fds(httpd_t)
|
||||
|
||||
@ -9413,7 +9527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -391,20 +471,54 @@
|
||||
@@ -391,20 +466,54 @@
|
||||
corenet_tcp_connect_all_ports(httpd_t)
|
||||
')
|
||||
|
||||
@ -9469,7 +9583,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
|
||||
@@ -415,20 +529,28 @@
|
||||
@@ -415,20 +524,28 @@
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
')
|
||||
|
||||
@ -9502,7 +9616,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
|
||||
allow httpd_sys_script_t httpd_t:fd use;
|
||||
@@ -451,6 +573,10 @@
|
||||
@@ -451,6 +568,10 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9513,7 +9627,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
cron_system_entry(httpd_t, httpd_exec_t)
|
||||
')
|
||||
|
||||
@@ -459,8 +585,13 @@
|
||||
@@ -459,8 +580,13 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9529,7 +9643,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -468,22 +599,18 @@
|
||||
@@ -468,22 +594,18 @@
|
||||
mailman_domtrans_cgi(httpd_t)
|
||||
# should have separate types for public and private archives
|
||||
mailman_search_data(httpd_t)
|
||||
@ -9554,7 +9668,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -494,12 +621,23 @@
|
||||
@@ -494,12 +616,23 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9578,7 +9692,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
')
|
||||
|
||||
@@ -508,6 +646,7 @@
|
||||
@@ -508,6 +641,7 @@
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -9586,7 +9700,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -535,6 +674,22 @@
|
||||
@@ -535,6 +669,22 @@
|
||||
|
||||
userdom_use_user_terminals(httpd_helper_t)
|
||||
|
||||
@ -9609,7 +9723,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
########################################
|
||||
#
|
||||
# Apache PHP script local policy
|
||||
@@ -564,20 +719,25 @@
|
||||
@@ -564,20 +714,25 @@
|
||||
|
||||
fs_search_auto_mountpoints(httpd_php_t)
|
||||
|
||||
@ -9641,7 +9755,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -595,23 +755,24 @@
|
||||
@@ -595,23 +750,24 @@
|
||||
append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
@ -9670,7 +9784,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -624,6 +785,7 @@
|
||||
@@ -624,6 +780,7 @@
|
||||
logging_send_syslog_msg(httpd_suexec_t)
|
||||
|
||||
miscfiles_read_localization(httpd_suexec_t)
|
||||
@ -9678,7 +9792,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
tunable_policy(`httpd_can_network_connect',`
|
||||
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
|
||||
@@ -631,22 +793,30 @@
|
||||
@@ -631,22 +788,30 @@
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_suexec_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_suexec_t)
|
||||
@ -9697,8 +9811,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
+read_files_pattern(httpd_suexec_t, httpd_user_content_t, httpd_user_content_t)
|
||||
+read_files_pattern(httpd_suexec_t, httpd_user_script_rw_t, httpd_user_script_rw_t)
|
||||
+read_files_pattern(httpd_suexec_t, httpd_user_script_ra_t, httpd_user_script_ra_t)
|
||||
+read_files_pattern(httpd_suexec_t, httpd_user_content_rw_t, httpd_user_content_rw_t)
|
||||
+read_files_pattern(httpd_suexec_t, httpd_user_content_ra_t, httpd_user_content_ra_t)
|
||||
+
|
||||
+domain_entry_file(httpd_sys_script_t, httpd_sys_content_t)
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
@ -9716,7 +9830,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -672,15 +842,14 @@
|
||||
@@ -672,15 +837,14 @@
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -9735,7 +9849,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
allow httpd_sys_script_t httpd_t:tcp_socket { read write };
|
||||
|
||||
dontaudit httpd_sys_script_t httpd_config_t:dir search;
|
||||
@@ -699,12 +868,24 @@
|
||||
@@ -699,12 +863,24 @@
|
||||
# Should we add a boolean?
|
||||
apache_domtrans_rotatelogs(httpd_sys_script_t)
|
||||
|
||||
@ -9762,7 +9876,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
|
||||
@@ -712,6 +893,35 @@
|
||||
@@ -712,6 +888,35 @@
|
||||
fs_read_nfs_symlinks(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -9798,7 +9912,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -724,6 +934,10 @@
|
||||
@@ -724,6 +929,10 @@
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -9809,7 +9923,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -735,6 +949,8 @@
|
||||
@@ -735,6 +944,8 @@
|
||||
# httpd_rotatelogs local policy
|
||||
#
|
||||
|
||||
@ -9818,7 +9932,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_rotatelogs_t)
|
||||
@@ -754,6 +970,12 @@
|
||||
@@ -754,6 +965,12 @@
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||
@ -9831,7 +9945,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
')
|
||||
|
||||
# allow accessing files/dirs below the users home dir
|
||||
@@ -762,3 +984,76 @@
|
||||
@@ -762,3 +979,74 @@
|
||||
userdom_search_user_home_dirs(httpd_suexec_t)
|
||||
userdom_search_user_home_dirs(httpd_user_script_t)
|
||||
')
|
||||
@ -9900,11 +10014,9 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+
|
||||
+# Removal of fastcgi, will cause problems without the following
|
||||
+typealias httpd_sys_script_exec_t alias httpd_fastcgi_script_exec_t;
|
||||
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t;
|
||||
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t;
|
||||
+typealias httpd_sys_script_ra_t alias httpd_fastcgi_script_ra_t;
|
||||
+typealias httpd_sys_script_ro_t alias httpd_fastcgi_script_ro_t;
|
||||
+typealias httpd_sys_script_rw_t alias httpd_fastcgi_script_rw_t;
|
||||
+typealias httpd_sys_content_t alias httpd_fastcgi_content_t, httpd_fastcgi_script_ro_t;
|
||||
+typealias httpd_sys_content_rw_t alias httpd_fastcgi_content_rw_t, httpd_fastcgi_script_rw_t;
|
||||
+typealias httpd_sys_content_ra_t alias httpd_fastcgi_script_ra_t;
|
||||
+typealias httpd_sys_script_t alias httpd_fastcgi_script_t;
|
||||
+typealias httpd_var_run_t alias httpd_fastcgi_var_run_t;
|
||||
+
|
||||
@ -15549,7 +15661,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rpc.te serefpolicy-3.6.29/policy/modules/services/rpc.te
|
||||
--- nsaserefpolicy/policy/modules/services/rpc.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/rpc.te 2009-08-28 15:56:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/rpc.te 2009-08-31 09:07:50.000000000 -0400
|
||||
@@ -91,6 +91,8 @@
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
@ -15597,6 +15709,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
|
||||
auth_use_nsswitch(gssd_t)
|
||||
auth_manage_cache(gssd_t)
|
||||
@@ -199,6 +209,8 @@
|
||||
|
||||
mount_signal(gssd_t)
|
||||
|
||||
+userdom_signal_all_users(gssd_t)
|
||||
+
|
||||
tunable_policy(`allow_gssd_read_tmp',`
|
||||
userdom_list_user_tmp(gssd_t)
|
||||
userdom_read_user_tmp_files(gssd_t)
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/rsync.te serefpolicy-3.6.29/policy/modules/services/rsync.te
|
||||
--- nsaserefpolicy/policy/modules/services/rsync.te 2009-08-14 16:14:31.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/services/rsync.te 2009-08-28 15:56:54.000000000 -0400
|
||||
@ -26110,7 +26231,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
||||
+HOME_DIR/\.gvfs(/.*)? <<none>>
|
||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.6.29/policy/modules/system/userdomain.if
|
||||
--- nsaserefpolicy/policy/modules/system/userdomain.if 2009-08-28 14:58:20.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/system/userdomain.if 2009-08-28 15:56:54.000000000 -0400
|
||||
+++ serefpolicy-3.6.29/policy/modules/system/userdomain.if 2009-08-31 09:07:29.000000000 -0400
|
||||
@@ -30,8 +30,9 @@
|
||||
')
|
||||
|
||||
|
@ -20,7 +20,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.6.29
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -443,6 +443,10 @@ exit 0
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 31 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-2
|
||||
- Allow gssd to send signals to users
|
||||
- Fix duplicate label for apache content
|
||||
|
||||
* Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 3.6.29-1
|
||||
- Update to upstream
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user