- Allow fail2ban to create a socket in /var/run

2008-02-01 13:49:05 +00:00 · 2008-02-01 13:49:05 +00:00 · e1060e24d5
commit e1060e24d5
parent 59d6fbb642
3 changed files with 140 additions and 19 deletions
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -970,7 +970,7 @@ pyzor = module
 #
 # Policy for qmail
 # 
-qmail = base
+qmail = module
 # Layer: admin
 # Module: quota
--- a/policy-20071130.patch
+++ b/policy-20071130.patch
@ -1495,7 +1495,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/su.if s
 #######################################
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreaper.te serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te
 --- nsaserefpolicy/policy/modules/admin/tmpreaper.te	2007-10-02 09:54:52.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te	2008-01-21 13:29:12.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/admin/tmpreaper.te	2008-02-01 08:20:58.000000000 -0500
@@ -28,6 +28,7 @@
 files_purge_tmp(tmpreaper_t)
 # why does it need setattr?
@ -1504,10 +1504,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
-@@ -43,5 +44,14 @@
+@@ -42,6 +43,19 @@
 cron_system_entry(tmpreaper_t,tmpreaper_exec_t)
- optional_policy(`
+userdom_delete_all_users_home_content_dirs(tmpreaper_t)
 +userdom_delete_all_users_home_content_files(tmpreaper_t)
 +userdom_delete_all_users_home_content_symlinks(tmpreaper_t)
 +
 +optional_policy(`
 +	amavis_manage_spool_files(tmpreaper_t)
 +')
 +
@ -1515,7 +1520,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/tmpreap
 +	kismet_manage_log(tmpreaper_t)
 +')
 +
-+optional_policy(`
+ optional_policy(`
 	lpd_manage_spool(tmpreaper_t)
 ')
 +
@ -10971,12 +10976,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/exim
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.fc serefpolicy-3.2.5/policy/modules/services/fail2ban.fc
 --- nsaserefpolicy/policy/modules/services/fail2ban.fc	2007-10-12 08:56:07.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.fc	2008-02-01 07:42:38.000000000 -0500
-@@ -1,3 +1,6 @@
+@@ -1,3 +1,7 @@
 /usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 +/usr/bin/fail2ban-server --	gen_context(system_u:object_r:fail2ban_exec_t,s0)
 /var/log/fail2ban\.log	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
 /var/run/fail2ban\.pid	--	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 +/var/run/fail2ban\.sock	-s	gen_context(system_u:object_r:fail2ban_var_run_t,s0)
 +/etc/rc.d/init.d/fail2ban	--	gen_context(system_u:object_r:fail2ban_script_exec_t,s0)
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.if serefpolicy-3.2.5/policy/modules/services/fail2ban.if
@ -11053,7 +11059,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail2ban.te serefpolicy-3.2.5/policy/modules/services/fail2ban.te
 --- nsaserefpolicy/policy/modules/services/fail2ban.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te	2008-01-21 13:50:35.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/fail2ban.te	2008-02-01 07:40:59.000000000 -0500
@@ -18,6 +18,9 @@
 type fail2ban_var_run_t;
 files_pid_file(fail2ban_var_run_t)
@ -11064,7 +11070,18 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/fail
 ########################################
 #
 # fail2ban local policy
-@@ -55,6 +58,8 @@
+@@ -33,8 +36,9 @@
 logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
 # pid file
 +manage_sock_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
 manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
 -files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
 +files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, { file sock_file })
 kernel_read_system_state(fail2ban_t)
@@ -55,6 +59,8 @@
 miscfiles_read_localization(fail2ban_t)
@ -17973,7 +17990,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smartmon.te serefpolicy-3.2.5/policy/modules/services/smartmon.te
 --- nsaserefpolicy/policy/modules/services/smartmon.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/services/smartmon.te	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/services/smartmon.te	2008-02-01 08:41:51.000000000 -0500
@@ -16,6 +16,9 @@
 type fsdaemon_tmp_t;
 files_tmp_file(fsdaemon_tmp_t)
@ -17984,6 +18001,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/smar
 ########################################
 #
 # Local policy
@@ -49,6 +52,7 @@
 corenet_udp_sendrecv_all_ports(fsdaemon_t)
 dev_read_sysfs(fsdaemon_t)
 +dev_read_urand(fsdaemon_t)
 domain_use_interactive_fds(fsdaemon_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/snmp.fc serefpolicy-3.2.5/policy/modules/services/snmp.fc
 --- nsaserefpolicy/policy/modules/services/snmp.fc	2007-06-19 16:23:06.000000000 -0400
 +++ serefpolicy-3.2.5/policy/modules/services/snmp.fc	2008-01-18 12:40:46.000000000 -0500
@ -21638,7 +21663,20 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstool
 /sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/fstools.if serefpolicy-3.2.5/policy/modules/system/fstools.if
 --- nsaserefpolicy/policy/modules/system/fstools.if	2007-08-22 17:33:53.000000000 -0400
-+++ serefpolicy-3.2.5/policy/modules/system/fstools.if	2008-01-18 12:40:46.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/fstools.if	2008-02-01 08:40:37.000000000 -0500
@@ -81,10 +81,10 @@
 #
 interface(`fstools_read_pipes',`
 	gen_require(`
 -		type fsdaemon_t;
 +		type fstools_t;
 	')
 -	allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
 +	allow $1 fstools_t:fifo_file read_fifo_file_perms;
 ')
 ########################################
@@ -142,3 +142,20 @@
 	allow $1 swapfile_t:file getattr;
@ -23561,7 +23599,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinu
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/selinuxutil.te serefpolicy-3.2.5/policy/modules/system/selinuxutil.te
 --- nsaserefpolicy/policy/modules/system/selinuxutil.te	2007-12-19 05:32:17.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te	2008-01-29 15:11:06.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/selinuxutil.te	2008-01-31 15:54:53.000000000 -0500
@@ -75,7 +75,6 @@
 type restorecond_exec_t;
 init_daemon_domain(restorecond_t,restorecond_exec_t)
@ -24658,7 +24696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 +/root(/.*)?	 	gen_context(system_u:object_r:admin_home_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdomain.if serefpolicy-3.2.5/policy/modules/system/userdomain.if
 --- nsaserefpolicy/policy/modules/system/userdomain.if	2007-11-29 13:29:35.000000000 -0500
-+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-01-31 08:42:16.000000000 -0500
+++ serefpolicy-3.2.5/policy/modules/system/userdomain.if	2008-02-01 08:23:22.000000000 -0500
@@ -29,9 +29,14 @@
 	')
@ -26692,7 +26730,87 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ')
 ########################################
-@@ -5109,7 +5265,7 @@
+@@ -4833,6 +4989,26 @@
 ########################################
 ## <summary>
 +##	delete all directories
 +##	in all users home directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_delete_all_users_home_content_dirs',`
 +	gen_require(`
 +		attribute home_type;
 +	')
 +
 +	files_list_home($1)
 +	delete_dirs_pattern($1, home_type, home_type)
 +')
 +
 +########################################
 +## <summary>
 ##	Create, read, write, and delete all directories
 ##	in all users home directories.
 ## </summary>
@@ -4853,6 +5029,25 @@
 ########################################
 ## <summary>
 +##	Delete all files
 +##	in all users home directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_delete_all_users_home_content_files',`
 +	gen_require(`
 +		attribute home_type;
 +	')
 +
 +	delete_files_pattern($1,home_type,home_type)
 +')
 +
 +########################################
 +## <summary>
 ##	Create, read, write, and delete all files
 ##	in all users home directories.
 ## </summary>
@@ -4873,6 +5068,26 @@
 ########################################
 ## <summary>
 +##	Delete all symlinks
 +##	in all users home directories.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
 +##	Domain allowed access.
 +##	</summary>
 +## </param>
 +#
 +interface(`userdom_delete_all_users_home_content_symlinks',`
 +	gen_require(`
 +		attribute home_type;
 +	')
 +
 +	files_list_home($1)
 +	delete_lnk_files_pattern($1,home_type,home_type)
 +')
 +
 +########################################
 +## <summary>
 ##	Create, read, write, and delete all symlinks
 ##	in all users home directories.
 ## </summary>
@@ -5109,7 +5324,7 @@
 #
 interface(`userdom_relabelto_generic_user_home_dirs',`
 	gen_require(`
@ -26701,7 +26819,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 	')
 	files_search_home($1)
-@@ -5298,6 +5454,49 @@
+@@ -5298,6 +5513,49 @@
 ########################################
 ## <summary>
@ -26751,7 +26869,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Create, read, write, and delete directories in
 ##	unprivileged users home directories.
 ## </summary>
-@@ -5503,6 +5702,42 @@
+@@ -5503,6 +5761,42 @@
 ########################################
 ## <summary>
@ -26794,7 +26912,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Read and write unprivileged user ttys.
 ## </summary>
 ## <param name="domain">
-@@ -5668,6 +5903,42 @@
+@@ -5668,6 +5962,42 @@
 ########################################
 ## <summary>
@ -26837,7 +26955,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/userdo
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-@@ -5698,3 +5969,277 @@
+@@ -5698,3 +6028,277 @@
 interface(`userdom_unconfined',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.2.5
-Release: 24%{?dist}
+Release: 25%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -387,6 +387,9 @@ exit 0
 %endif
 %changelog
 * Fri Feb 1 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-25
 - Allow fail2ban to create a socket in /var/run
 * Wed Jan 30 2008 Dan Walsh <dwalsh@redhat.com> 3.2.5-24
 - Allow allow_httpd_mod_auth_pam to work