- Add httpd_can_connect_ldap() interface
- apcupsd_t needs to use serial ports connected to usb devices - Kde puts procmail mail directory under ~/.local/share - nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now - Add labeling for /sbin/iscsiuio
This commit is contained in:
parent
7c693b0afa
commit
cd251939af
167
policy-F16.patch
167
policy-F16.patch
@ -14788,7 +14788,7 @@ index 35fed4f..51ad69a 100644
|
||||
|
||||
#
|
||||
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
|
||||
index 6cf8784..26c13f2 100644
|
||||
index 6cf8784..2354089 100644
|
||||
--- a/policy/modules/kernel/devices.fc
|
||||
+++ b/policy/modules/kernel/devices.fc
|
||||
@@ -15,12 +15,14 @@
|
||||
@ -14842,7 +14842,7 @@ index 6cf8784..26c13f2 100644
|
||||
ifdef(`distro_redhat',`
|
||||
# originally from named.fc
|
||||
/var/named/chroot/dev -d gen_context(system_u:object_r:device_t,s0)
|
||||
@@ -196,3 +200,13 @@ ifdef(`distro_redhat',`
|
||||
@@ -196,3 +200,14 @@ ifdef(`distro_redhat',`
|
||||
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
|
||||
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
|
||||
')
|
||||
@ -14851,6 +14851,7 @@ index 6cf8784..26c13f2 100644
|
||||
+# /sys
|
||||
+#
|
||||
+/sys(/.*)? gen_context(system_u:object_r:sysfs_t,s0)
|
||||
+/sys/devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
|
||||
+
|
||||
+/usr/lib/udev/devices(/.*)? gen_context(system_u:object_r:device_t,s0)
|
||||
+/usr/lib/udev/devices/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
|
||||
@ -16355,7 +16356,7 @@ index f820f3b..cc3f02e 100644
|
||||
+ filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9")
|
||||
+')
|
||||
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
|
||||
index 08f01e7..112bebb 100644
|
||||
index 08f01e7..8f727be 100644
|
||||
--- a/policy/modules/kernel/devices.te
|
||||
+++ b/policy/modules/kernel/devices.te
|
||||
@@ -108,6 +108,7 @@ dev_node(ksm_device_t)
|
||||
@ -16384,8 +16385,8 @@ index 08f01e7..112bebb 100644
|
||||
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
|
||||
|
||||
+type cpu_online_t;
|
||||
+allow cpu_online_t sysfs_t:filesystem associate;
|
||||
+genfscon sysfs /devices/system/cpu/online gen_context(system_u:object_r:cpu_online_t,s0)
|
||||
+files_type(cpu_online_t)
|
||||
+dev_associate_sysfs(cpu_online_t)
|
||||
+
|
||||
#
|
||||
# Type for /dev/tpm
|
||||
@ -19513,6 +19514,14 @@ index f125dc2..f5e522e 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
diff --git a/policy/modules/kernel/kernel.fc b/policy/modules/kernel/kernel.fc
|
||||
index 7be4ddf..f7021a0 100644
|
||||
--- a/policy/modules/kernel/kernel.fc
|
||||
+++ b/policy/modules/kernel/kernel.fc
|
||||
@@ -1 +1,2 @@
|
||||
-# This module currently does not have any file contexts.
|
||||
+
|
||||
+/sys/class/net/ib.* gen_context(system_u:object_r:sysctl_net_t,s0)
|
||||
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
|
||||
index 6346378..34c6897 100644
|
||||
--- a/policy/modules/kernel/kernel.if
|
||||
@ -25816,10 +25825,10 @@ index 6480167..2ad693a 100644
|
||||
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
|
||||
')
|
||||
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
|
||||
index 3136c6a..2ef8fef 100644
|
||||
index 3136c6a..6b7400b 100644
|
||||
--- a/policy/modules/services/apache.te
|
||||
+++ b/policy/modules/services/apache.te
|
||||
@@ -18,136 +18,211 @@ policy_module(apache, 2.2.1)
|
||||
@@ -18,136 +18,218 @@ policy_module(apache, 2.2.1)
|
||||
# Declarations
|
||||
#
|
||||
|
||||
@ -25986,6 +25995,13 @@ index 3136c6a..2ef8fef 100644
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow httpd to connect to the ldap port
|
||||
+## </p>
|
||||
+## </desc>
|
||||
+gen_tunable(httpd_can_connect_ldap, false)
|
||||
+
|
||||
+## <desc>
|
||||
+## <p>
|
||||
+## Allow httpd to read home directories
|
||||
+## </p>
|
||||
## </desc>
|
||||
@ -26087,7 +26103,7 @@ index 3136c6a..2ef8fef 100644
|
||||
attribute httpd_script_exec_type;
|
||||
attribute httpd_user_script_exec_type;
|
||||
|
||||
@@ -166,7 +241,7 @@ files_type(httpd_cache_t)
|
||||
@@ -166,7 +248,7 @@ files_type(httpd_cache_t)
|
||||
|
||||
# httpd_config_t is the type given to the configuration files
|
||||
type httpd_config_t;
|
||||
@ -26096,7 +26112,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
type httpd_helper_t;
|
||||
type httpd_helper_exec_t;
|
||||
@@ -177,6 +252,9 @@ role system_r types httpd_helper_t;
|
||||
@@ -177,6 +259,9 @@ role system_r types httpd_helper_t;
|
||||
type httpd_initrc_exec_t;
|
||||
init_script_file(httpd_initrc_exec_t)
|
||||
|
||||
@ -26106,7 +26122,7 @@ index 3136c6a..2ef8fef 100644
|
||||
type httpd_lock_t;
|
||||
files_lock_file(httpd_lock_t)
|
||||
|
||||
@@ -216,7 +294,21 @@ files_tmp_file(httpd_suexec_tmp_t)
|
||||
@@ -216,7 +301,21 @@ files_tmp_file(httpd_suexec_tmp_t)
|
||||
|
||||
# setup the system domain for system CGI scripts
|
||||
apache_content_template(sys)
|
||||
@ -26129,7 +26145,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
type httpd_tmp_t;
|
||||
files_tmp_file(httpd_tmp_t)
|
||||
@@ -226,6 +318,10 @@ files_tmpfs_file(httpd_tmpfs_t)
|
||||
@@ -226,6 +325,10 @@ files_tmpfs_file(httpd_tmpfs_t)
|
||||
|
||||
apache_content_template(user)
|
||||
ubac_constrained(httpd_user_script_t)
|
||||
@ -26140,7 +26156,7 @@ index 3136c6a..2ef8fef 100644
|
||||
userdom_user_home_content(httpd_user_content_t)
|
||||
userdom_user_home_content(httpd_user_htaccess_t)
|
||||
userdom_user_home_content(httpd_user_script_exec_t)
|
||||
@@ -233,6 +329,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
|
||||
@@ -233,6 +336,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
|
||||
userdom_user_home_content(httpd_user_rw_content_t)
|
||||
typeattribute httpd_user_script_t httpd_script_domains;
|
||||
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
|
||||
@ -26148,7 +26164,7 @@ index 3136c6a..2ef8fef 100644
|
||||
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
|
||||
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
|
||||
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
|
||||
@@ -254,14 +351,23 @@ files_type(httpd_var_lib_t)
|
||||
@@ -254,14 +358,23 @@ files_type(httpd_var_lib_t)
|
||||
type httpd_var_run_t;
|
||||
files_pid_file(httpd_var_run_t)
|
||||
|
||||
@ -26172,7 +26188,7 @@ index 3136c6a..2ef8fef 100644
|
||||
########################################
|
||||
#
|
||||
# Apache server local policy
|
||||
@@ -281,11 +387,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
@@ -281,11 +394,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
|
||||
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow httpd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow httpd_t self:udp_socket create_socket_perms;
|
||||
@ -26186,7 +26202,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
# Allow the httpd_t to read the web servers config files
|
||||
allow httpd_t httpd_config_t:dir list_dir_perms;
|
||||
@@ -329,8 +437,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
||||
@@ -329,8 +444,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
|
||||
@ -26197,7 +26213,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
||||
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
|
||||
@@ -355,6 +464,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
@@ -355,6 +471,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
|
||||
kernel_read_kernel_sysctls(httpd_t)
|
||||
# for modules that want to access /proc/meminfo
|
||||
kernel_read_system_state(httpd_t)
|
||||
@ -26207,7 +26223,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
corenet_all_recvfrom_unlabeled(httpd_t)
|
||||
corenet_all_recvfrom_netlabel(httpd_t)
|
||||
@@ -365,11 +477,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
|
||||
@@ -365,11 +484,15 @@ corenet_udp_sendrecv_generic_node(httpd_t)
|
||||
corenet_tcp_sendrecv_all_ports(httpd_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_t)
|
||||
corenet_tcp_bind_generic_node(httpd_t)
|
||||
@ -26224,7 +26240,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
dev_read_sysfs(httpd_t)
|
||||
dev_read_rand(httpd_t)
|
||||
@@ -378,12 +494,12 @@ dev_rw_crypto(httpd_t)
|
||||
@@ -378,12 +501,12 @@ dev_rw_crypto(httpd_t)
|
||||
|
||||
fs_getattr_all_fs(httpd_t)
|
||||
fs_search_auto_mountpoints(httpd_t)
|
||||
@ -26240,7 +26256,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
domain_use_interactive_fds(httpd_t)
|
||||
|
||||
@@ -391,6 +507,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
|
||||
@@ -391,6 +514,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
|
||||
files_read_usr_files(httpd_t)
|
||||
files_list_mnt(httpd_t)
|
||||
files_search_spool(httpd_t)
|
||||
@ -26248,7 +26264,7 @@ index 3136c6a..2ef8fef 100644
|
||||
files_read_var_lib_files(httpd_t)
|
||||
files_search_home(httpd_t)
|
||||
files_getattr_home_dir(httpd_t)
|
||||
@@ -402,48 +519,101 @@ files_read_etc_files(httpd_t)
|
||||
@@ -402,48 +526,101 @@ files_read_etc_files(httpd_t)
|
||||
files_read_var_lib_symlinks(httpd_t)
|
||||
|
||||
fs_search_auto_mountpoints(httpd_sys_script_t)
|
||||
@ -26352,7 +26368,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
|
||||
@@ -456,25 +626,47 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
@@ -456,25 +633,51 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
|
||||
domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
|
||||
@ -26370,6 +26386,10 @@ index 3136c6a..2ef8fef 100644
|
||||
+ corenet_tcp_connect_ftp_port(httpd_t)
|
||||
+ corenet_tcp_connect_all_ephemeral_ports(httpd_t)
|
||||
+')
|
||||
+
|
||||
+tunable_policy(`httpd_can_connect_ldap',`
|
||||
+ corenet_tcp_connect_ldap_port(httpd_t)
|
||||
+')
|
||||
+
|
||||
tunable_policy(`httpd_enable_ftp_server',`
|
||||
corenet_tcp_bind_ftp_port(httpd_t)
|
||||
@ -26402,7 +26422,7 @@ index 3136c6a..2ef8fef 100644
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_t)
|
||||
fs_read_cifs_symlinks(httpd_t)
|
||||
@@ -484,7 +676,16 @@ tunable_policy(`httpd_can_sendmail',`
|
||||
@@ -484,7 +687,16 @@ tunable_policy(`httpd_can_sendmail',`
|
||||
# allow httpd to connect to mail servers
|
||||
corenet_tcp_connect_smtp_port(httpd_t)
|
||||
corenet_sendrecv_smtp_client_packets(httpd_t)
|
||||
@ -26419,7 +26439,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_ssi_exec',`
|
||||
@@ -499,9 +700,19 @@ tunable_policy(`httpd_ssi_exec',`
|
||||
@@ -499,9 +711,19 @@ tunable_policy(`httpd_ssi_exec',`
|
||||
# to run correctly without this permission, so the permission
|
||||
# are dontaudited here.
|
||||
tunable_policy(`httpd_tty_comm',`
|
||||
@ -26440,7 +26460,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -513,7 +724,13 @@ optional_policy(`
|
||||
@@ -513,7 +735,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26455,7 +26475,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -528,7 +745,19 @@ optional_policy(`
|
||||
@@ -528,7 +756,19 @@ optional_policy(`
|
||||
daemontools_service_domain(httpd_t, httpd_exec_t)
|
||||
')
|
||||
|
||||
@ -26476,7 +26496,7 @@ index 3136c6a..2ef8fef 100644
|
||||
dbus_system_bus_client(httpd_t)
|
||||
|
||||
tunable_policy(`httpd_dbus_avahi',`
|
||||
@@ -537,8 +766,13 @@ optional_policy(`
|
||||
@@ -537,8 +777,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26491,7 +26511,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
')
|
||||
|
||||
@@ -556,7 +790,13 @@ optional_policy(`
|
||||
@@ -556,7 +801,13 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26505,7 +26525,7 @@ index 3136c6a..2ef8fef 100644
|
||||
mysql_stream_connect(httpd_t)
|
||||
mysql_rw_db_sockets(httpd_t)
|
||||
|
||||
@@ -567,6 +807,7 @@ optional_policy(`
|
||||
@@ -567,6 +818,7 @@ optional_policy(`
|
||||
|
||||
optional_policy(`
|
||||
nagios_read_config(httpd_t)
|
||||
@ -26513,7 +26533,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -577,6 +818,20 @@ optional_policy(`
|
||||
@@ -577,6 +829,20 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26534,7 +26554,7 @@ index 3136c6a..2ef8fef 100644
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
postgresql_unpriv_client(httpd_t)
|
||||
@@ -591,6 +846,11 @@ optional_policy(`
|
||||
@@ -591,6 +857,11 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -26546,7 +26566,7 @@ index 3136c6a..2ef8fef 100644
|
||||
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
|
||||
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
|
||||
')
|
||||
@@ -603,6 +863,12 @@ optional_policy(`
|
||||
@@ -603,6 +874,12 @@ optional_policy(`
|
||||
yam_read_content(httpd_t)
|
||||
')
|
||||
|
||||
@ -26559,7 +26579,7 @@ index 3136c6a..2ef8fef 100644
|
||||
########################################
|
||||
#
|
||||
# Apache helper local policy
|
||||
@@ -616,7 +882,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
|
||||
@@ -616,7 +893,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
|
||||
|
||||
logging_send_syslog_msg(httpd_helper_t)
|
||||
|
||||
@ -26572,7 +26592,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
########################################
|
||||
#
|
||||
@@ -654,28 +924,30 @@ libs_exec_lib_files(httpd_php_t)
|
||||
@@ -654,28 +935,30 @@ libs_exec_lib_files(httpd_php_t)
|
||||
userdom_use_unpriv_users_fds(httpd_php_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
@ -26616,7 +26636,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -685,6 +957,8 @@ optional_policy(`
|
||||
@@ -685,6 +968,8 @@ optional_policy(`
|
||||
|
||||
allow httpd_suexec_t self:capability { setuid setgid };
|
||||
allow httpd_suexec_t self:process signal_perms;
|
||||
@ -26625,7 +26645,7 @@ index 3136c6a..2ef8fef 100644
|
||||
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
|
||||
@@ -699,17 +973,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
@@ -699,17 +984,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
|
||||
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
|
||||
|
||||
@ -26651,7 +26671,7 @@ index 3136c6a..2ef8fef 100644
|
||||
|
||||
files_read_etc_files(httpd_suexec_t)
|
||||
files_read_usr_files(httpd_suexec_t)
|
||||
@@ -740,13 +1019,31 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
@@ -740,13 +1030,31 @@ tunable_policy(`httpd_can_network_connect',`
|
||||
corenet_sendrecv_all_client_packets(httpd_suexec_t)
|
||||
')
|
||||
|
||||
@ -26684,7 +26704,7 @@ index 3136c6a..2ef8fef 100644
|
||||
fs_read_nfs_files(httpd_suexec_t)
|
||||
fs_read_nfs_symlinks(httpd_suexec_t)
|
||||
fs_exec_nfs_files(httpd_suexec_t)
|
||||
@@ -769,6 +1066,25 @@ optional_policy(`
|
||||
@@ -769,6 +1077,25 @@ optional_policy(`
|
||||
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
|
||||
')
|
||||
|
||||
@ -26710,7 +26730,7 @@ index 3136c6a..2ef8fef 100644
|
||||
########################################
|
||||
#
|
||||
# Apache system script local policy
|
||||
@@ -789,12 +1105,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
|
||||
@@ -789,12 +1116,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
|
||||
|
||||
kernel_read_kernel_sysctls(httpd_sys_script_t)
|
||||
|
||||
@ -26728,7 +26748,7 @@ index 3136c6a..2ef8fef 100644
|
||||
ifdef(`distro_redhat',`
|
||||
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
|
||||
')
|
||||
@@ -803,18 +1124,50 @@ tunable_policy(`httpd_can_sendmail',`
|
||||
@@ -803,18 +1135,50 @@ tunable_policy(`httpd_can_sendmail',`
|
||||
mta_send_mail(httpd_sys_script_t)
|
||||
')
|
||||
|
||||
@ -26785,7 +26805,7 @@ index 3136c6a..2ef8fef 100644
|
||||
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
|
||||
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
|
||||
corenet_tcp_connect_all_ports(httpd_sys_script_t)
|
||||
@@ -822,14 +1175,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
@@ -822,14 +1186,29 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
|
||||
')
|
||||
|
||||
tunable_policy(`httpd_enable_homedirs',`
|
||||
@ -26816,7 +26836,7 @@ index 3136c6a..2ef8fef 100644
|
||||
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
|
||||
fs_read_cifs_files(httpd_sys_script_t)
|
||||
fs_read_cifs_symlinks(httpd_sys_script_t)
|
||||
@@ -842,10 +1210,20 @@ optional_policy(`
|
||||
@@ -842,10 +1221,20 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
mysql_stream_connect(httpd_sys_script_t)
|
||||
mysql_rw_db_sockets(httpd_sys_script_t)
|
||||
@ -26837,7 +26857,7 @@ index 3136c6a..2ef8fef 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -891,11 +1269,135 @@ optional_policy(`
|
||||
@@ -891,11 +1280,135 @@ optional_policy(`
|
||||
|
||||
tunable_policy(`httpd_enable_cgi && httpd_unified',`
|
||||
allow httpd_user_script_t httpdcontent:file entrypoint;
|
||||
@ -27014,10 +27034,18 @@ index e342775..4ffdb80 100644
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 apcupsd_initrc_exec_t system_r;
|
||||
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
|
||||
index d052bf0..ec55314 100644
|
||||
index d052bf0..3059bd2 100644
|
||||
--- a/policy/modules/services/apcupsd.te
|
||||
+++ b/policy/modules/services/apcupsd.te
|
||||
@@ -87,13 +87,17 @@ miscfiles_read_localization(apcupsd_t)
|
||||
@@ -76,6 +76,7 @@ files_etc_filetrans_etc_runtime(apcupsd_t, file)
|
||||
|
||||
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240805
|
||||
term_use_unallocated_ttys(apcupsd_t)
|
||||
+term_use_usb_ttys(apcupsd_t)
|
||||
|
||||
#apcupsd runs shutdown, probably need a shutdown domain
|
||||
init_rw_utmp(apcupsd_t)
|
||||
@@ -87,13 +88,17 @@ miscfiles_read_localization(apcupsd_t)
|
||||
|
||||
sysnet_dns_name_resolve(apcupsd_t)
|
||||
|
||||
@ -53300,7 +53328,7 @@ index b64b02f..166e9c3 100644
|
||||
+ read_files_pattern($1, procmail_home_t, procmail_home_t)
|
||||
+')
|
||||
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
|
||||
index 29b9295..4c188f9 100644
|
||||
index 29b9295..999b986 100644
|
||||
--- a/policy/modules/services/procmail.te
|
||||
+++ b/policy/modules/services/procmail.te
|
||||
@@ -10,6 +10,9 @@ type procmail_exec_t;
|
||||
@ -53373,7 +53401,18 @@ index 29b9295..4c188f9 100644
|
||||
|
||||
optional_policy(`
|
||||
clamav_domtrans_clamscan(procmail_t)
|
||||
@@ -125,6 +128,11 @@ optional_policy(`
|
||||
@@ -115,6 +118,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
+ gnome_manage_data(procmail_t)
|
||||
+')
|
||||
+
|
||||
+optional_policy(`
|
||||
munin_dontaudit_search_lib(procmail_t)
|
||||
')
|
||||
|
||||
@@ -125,6 +132,11 @@ optional_policy(`
|
||||
postfix_read_spool_files(procmail_t)
|
||||
postfix_read_local_state(procmail_t)
|
||||
postfix_read_master_state(procmail_t)
|
||||
@ -57721,7 +57760,7 @@ index cda37bb..617e83f 100644
|
||||
+ allow $1 var_lib_nfs_t:file relabel_file_perms;
|
||||
')
|
||||
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
|
||||
index b1468ed..372f918 100644
|
||||
index b1468ed..1896e20 100644
|
||||
--- a/policy/modules/services/rpc.te
|
||||
+++ b/policy/modules/services/rpc.te
|
||||
@@ -6,18 +6,18 @@ policy_module(rpc, 1.12.0)
|
||||
@ -57790,7 +57829,7 @@ index b1468ed..372f918 100644
|
||||
fs_getattr_all_fs(rpcd_t)
|
||||
|
||||
storage_getattr_fixed_disk_dev(rpcd_t)
|
||||
@@ -97,15 +105,26 @@ miscfiles_read_generic_certs(rpcd_t)
|
||||
@@ -97,21 +105,33 @@ miscfiles_read_generic_certs(rpcd_t)
|
||||
|
||||
seutil_dontaudit_search_config(rpcd_t)
|
||||
|
||||
@ -57817,7 +57856,14 @@ index b1468ed..372f918 100644
|
||||
########################################
|
||||
#
|
||||
# NFSD local policy
|
||||
@@ -120,9 +139,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
#
|
||||
|
||||
allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
|
||||
+dontaudit nfsd_t self:capability sys_rawio;
|
||||
|
||||
allow nfsd_t exports_t:file read_file_perms;
|
||||
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
@@ -120,9 +140,14 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
|
||||
kernel_read_system_state(nfsd_t)
|
||||
kernel_read_network_state(nfsd_t)
|
||||
kernel_dontaudit_getattr_core_if(nfsd_t)
|
||||
@ -57832,7 +57878,7 @@ index b1468ed..372f918 100644
|
||||
|
||||
dev_dontaudit_getattr_all_blk_files(nfsd_t)
|
||||
dev_dontaudit_getattr_all_chr_files(nfsd_t)
|
||||
@@ -148,6 +172,8 @@ storage_raw_read_removable_device(nfsd_t)
|
||||
@@ -148,6 +173,8 @@ storage_raw_read_removable_device(nfsd_t)
|
||||
# Read access to public_content_t and public_content_rw_t
|
||||
miscfiles_read_public_files(nfsd_t)
|
||||
|
||||
@ -57841,7 +57887,7 @@ index b1468ed..372f918 100644
|
||||
# Write access to public_content_t and public_content_rw_t
|
||||
tunable_policy(`allow_nfsd_anon_write',`
|
||||
miscfiles_manage_public_files(nfsd_t)
|
||||
@@ -158,7 +184,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
@@ -158,7 +185,6 @@ tunable_policy(`nfs_export_all_rw',`
|
||||
dev_getattr_all_chr_files(nfsd_t)
|
||||
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
@ -57849,7 +57895,7 @@ index b1468ed..372f918 100644
|
||||
')
|
||||
|
||||
tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -170,8 +195,7 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -170,8 +196,7 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
|
||||
fs_read_noxattr_fs_files(nfsd_t)
|
||||
|
||||
@ -57859,7 +57905,7 @@ index b1468ed..372f918 100644
|
||||
')
|
||||
|
||||
########################################
|
||||
@@ -181,7 +205,7 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
@@ -181,7 +206,7 @@ tunable_policy(`nfs_export_all_ro',`
|
||||
|
||||
allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
|
||||
allow gssd_t self:process { getsched setsched };
|
||||
@ -57868,7 +57914,7 @@ index b1468ed..372f918 100644
|
||||
|
||||
manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
|
||||
@@ -199,6 +223,7 @@ corecmd_exec_bin(gssd_t)
|
||||
@@ -199,6 +224,7 @@ corecmd_exec_bin(gssd_t)
|
||||
fs_list_rpc(gssd_t)
|
||||
fs_rw_rpc_sockets(gssd_t)
|
||||
fs_read_rpc_files(gssd_t)
|
||||
@ -57876,7 +57922,7 @@ index b1468ed..372f918 100644
|
||||
|
||||
fs_list_inotifyfs(gssd_t)
|
||||
files_list_tmp(gssd_t)
|
||||
@@ -210,14 +235,14 @@ auth_manage_cache(gssd_t)
|
||||
@@ -210,14 +236,14 @@ auth_manage_cache(gssd_t)
|
||||
|
||||
miscfiles_read_generic_certs(gssd_t)
|
||||
|
||||
@ -57893,7 +57939,7 @@ index b1468ed..372f918 100644
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@@ -229,6 +254,10 @@ optional_policy(`
|
||||
@@ -229,6 +255,10 @@ optional_policy(`
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
@ -72590,10 +72636,15 @@ index f3e1b57..d7fd7fb 100644
|
||||
')
|
||||
|
||||
diff --git a/policy/modules/system/iscsi.fc b/policy/modules/system/iscsi.fc
|
||||
index 14d9670..4c9d1b4 100644
|
||||
index 14d9670..f28128a 100644
|
||||
--- a/policy/modules/system/iscsi.fc
|
||||
+++ b/policy/modules/system/iscsi.fc
|
||||
@@ -5,3 +5,6 @@
|
||||
@@ -1,7 +1,11 @@
|
||||
/sbin/iscsid -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
||||
/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
||||
+/sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
|
||||
|
||||
/var/lib/iscsi(/.*)? gen_context(system_u:object_r:iscsi_var_lib_t,s0)
|
||||
/var/lock/iscsi(/.*)? gen_context(system_u:object_r:iscsi_lock_t,s0)
|
||||
/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_log_t,s0)
|
||||
/var/run/iscsid\.pid -- gen_context(system_u:object_r:iscsi_var_run_t,s0)
|
||||
|
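Review bot: `gnome_manage_data(procmail_t)` in the procmail.te hunk appears to give procmail — a domain that processes inbound mail and runs user-supplied recipes — manage rights over the whole ~/.local/share tree, while the changelog only needs the procmail mail directory that KDE places under it; if that interface is as broad as its name suggests, this grants far more than least privilege requires. The patch already carries a `procmail_home_t` type (the `read_files_pattern($1, procmail_home_t, procmail_home_t)` line in the procmail.if hunk), so the tighter fix is to label the KDE mail directory with it in procmail.fc, e.g. `HOME_DIR/\.local/share/<kde-mail-dir>(/.*)? gen_context(system_u:object_r:procmail_home_t,s0)` with the real directory name substituted, and to ensure procmail_t has manage rules on procmail_home_t rather than on all user application data. If `gnome_manage_data` has to stay for now, a comment such as `# KDE stores the procmail mail directory under ~/.local/share; narrow this once it gets its own label` keeps the grant from being read as intentional write access to everything under that tree. The enclosing optional_policy block and the rest of procmail_t's rules lie outside this hunk.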
@ -17,7 +17,7 @@
|
||||
Summary: SELinux policy configuration
|
||||
Name: selinux-policy
|
||||
Version: 3.10.0
|
||||
Release: 69%{?dist}
|
||||
Release: 70%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: serefpolicy-%{version}.tgz
|
||||
@ -470,6 +470,13 @@ SELinux Reference policy mls base module.
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Dec 19 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-70
|
||||
- Add httpd_can_connect_ldap() interface
|
||||
- apcupsd_t needs to use seriel ports connected to usb devices
|
||||
- Kde puts procmail mail directory under ~/.local/share
|
||||
- nfsd_t can trigger sys_rawio on tests that involve too many mountpoints, dontaudit for now
|
||||
- Add labeling for /sbin/iscsiuio
|
||||
|
||||
* Wed Dec 14 2011 Miroslav Grepl <mgrepl@redhat.com> 3.10.0-69
|
||||
- Add label for /var/lib/iscan/interpreter
|
||||
- Dont audit writes to leaked file descriptors or redirected output for nacl
|
||||
|