- Add wordpress/wp-content/uploads label

- Fixes for sandbox when run from staff_t
2009-09-11 21:15:35 +00:00 · 2009-09-11 21:15:35 +00:00 · e20e351e10
commit e20e351e10
parent ddc8588081
2 changed files with 191 additions and 56 deletions
--- a/policy-F12.patch
+++ b/policy-F12.patch
@ -3454,8 +3454,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +# No types are sandbox_exec_t
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.31/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/apps/sandbox.if	2009-09-09 15:38:24.000000000 -0400
-@@ -0,0 +1,167 @@
+++ serefpolicy-3.6.31/policy/modules/apps/sandbox.if	2009-09-10 11:44:49.000000000 -0400
+@@ -0,0 +1,171 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@ -3603,6 +3603,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	manage_lnk_files_pattern($1_client_t, $1_file_t, $1_file_t)
 +	manage_fifo_files_pattern($1_client_t, $1_file_t, $1_file_t)
 +	manage_sock_files_pattern($1_client_t, $1_file_t, $1_file_t)
+
+	optional_policy(`
+		xserver_common_app($1_t)
+	')
 +')
 +
 +########################################
@ -3625,8 +3629,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.6.31/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/apps/sandbox.te	2009-09-09 15:38:24.000000000 -0400
-@@ -0,0 +1,304 @@
+++ serefpolicy-3.6.31/policy/modules/apps/sandbox.te	2009-09-10 11:48:11.000000000 -0400
+@@ -0,0 +1,315 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@ -3696,8 +3700,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +kernel_read_system_state(sandbox_xserver_t)
 +
+selinux_validate_context(sandbox_xserver_t)
+selinux_compute_access_vector(sandbox_xserver_t)
+selinux_compute_create_context(sandbox_xserver_t)
+
 +auth_use_nsswitch(sandbox_xserver_t)
 +
+logging_send_syslog_msg(sandbox_xserver_t)
+logging_send_audit_msgs(sandbox_xserver_t)
+
 +userdom_use_user_terminals(sandbox_xserver_t)
 +
 +xserver_entry_type(sandbox_xserver_t)
@ -3710,6 +3721,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +	')
 +')
 +
+optional_policy(`
+	xserver_common_app(sandbox_xserver_t)
+')
+
 +########################################
 +#
 +# sandbox local policy
@ -4308,7 +4323,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +/usr/lib(64)?/gimp/.*/plug-ins(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/corecommands.if serefpolicy-3.6.31/policy/modules/kernel/corecommands.if
 --- nsaserefpolicy/policy/modules/kernel/corecommands.if	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/kernel/corecommands.if	2009-09-09 15:38:24.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/kernel/corecommands.if	2009-09-11 16:04:06.000000000 -0400
@@ -893,6 +893,7 @@
 
 	read_lnk_files_pattern($1, bin_t, bin_t)
@ -4317,7 +4332,33 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -973,6 +974,7 @@
+@@ -918,6 +919,25 @@
+ 
+ ########################################
+ ## <summary>
+##	Read all executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`corecmd_read_all_executables',`
+	gen_require(`
+		attribute exec_type;
+	')
+
+	read_files_pattern($1, exec_type, exec_type)
+')
+
+########################################
+## <summary>
+ ##	Execute all executable files.
+ ## </summary>
+ ## <param name="domain">
+@@ -973,6 +993,7 @@
 		type bin_t;
 	')
 
@ -8040,8 +8081,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.31/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.31/policy/modules/services/abrt.te	2009-09-09 15:38:24.000000000 -0400
-@@ -0,0 +1,120 @@
+++ serefpolicy-3.6.31/policy/modules/services/abrt.te	2009-09-11 16:04:15.000000000 -0400
+@@ -0,0 +1,121 @@
 +
 +policy_module(abrt,1.0.0)
 +
@ -8117,6 +8158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 +corecmd_exec_bin(abrt_t)
 +corecmd_exec_shell(abrt_t)
+corecmd_read_all_executables(abrt_t)
 +
 +kernel_read_ring_buffer(abrt_t)
 +kernel_read_system_state(abrt_t)
@ -8198,7 +8240,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.6.31/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2009-07-14 14:19:57.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/apache.fc	2009-09-09 15:38:24.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/apache.fc	2009-09-10 12:01:23.000000000 -0400
@@ -1,12 +1,13 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
@ -8234,7 +8276,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 +/usr/share/wordpress-mu/wp-config\.php   -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
 +/usr/share/wordpress-mu/wp-content(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
-+
+/usr/share/wordpress/wp-content/uploads(/.*)? gen_context(system_u:object_r:httpd_sys_content_rw_t,s0)
 
 /var/cache/httpd(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
 /var/cache/mason(/.*)?			gen_context(system_u:object_r:httpd_cache_t,s0)
@ -8874,7 +8916,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.6.31/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/apache.te	2009-09-09 15:38:24.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/apache.te	2009-09-11 09:48:03.000000000 -0400
@@ -19,6 +19,8 @@
 # Declarations
 #
@ -8932,7 +8974,21 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
 ## </p>
 ## </desc>
-@@ -108,6 +131,29 @@
+@@ -94,6 +117,13 @@
+ 
+ ## <desc>
+ ## <p>
+## Allow Apache to execute tmp content.
+## </p>
+## </desc>
+gen_tunable(httpd_tmp_exec, false)
+
+## <desc>
+## <p>
+ ## Unify HTTPD to communicate with the terminal.
+ ## Needed for entering the passphrase for certificates at
+ ## the terminal.
+@@ -108,6 +138,29 @@
 ## </desc>
 gen_tunable(httpd_unified, false)
 
@ -8962,7 +9018,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 attribute httpdcontent;
 attribute httpd_user_content_type;
 
-@@ -140,6 +186,9 @@
+@@ -140,6 +193,9 @@
 domain_entry_file(httpd_helper_t, httpd_helper_exec_t)
 role system_r types httpd_helper_t;
 
@ -8972,7 +9028,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type httpd_lock_t;
 files_lock_file(httpd_lock_t)
 
-@@ -180,6 +229,10 @@
+@@ -180,6 +236,10 @@
 # setup the system domain for system CGI scripts
 apache_content_template(sys)
 
@ -8983,7 +9039,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 type httpd_tmp_t;
 files_tmp_file(httpd_tmp_t)
 
-@@ -187,28 +240,28 @@
+@@ -187,28 +247,28 @@
 files_tmpfs_file(httpd_tmpfs_t)
 
 apache_content_template(user)
@ -9025,7 +9081,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 # for apache2 memory mapped files
 type httpd_var_lib_t;
-@@ -230,7 +283,7 @@
+@@ -230,7 +290,7 @@
 # Apache server local policy
 #
 
@ -9034,7 +9090,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 dontaudit httpd_t self:capability { net_admin sys_tty_config };
 allow httpd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow httpd_t self:fd use;
-@@ -272,6 +325,7 @@
+@@ -272,6 +332,7 @@
 allow httpd_t httpd_modules_t:dir list_dir_perms;
 mmap_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 read_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
@ -9042,7 +9098,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 apache_domtrans_rotatelogs(httpd_t)
 # Apache-httpd needs to be able to send signals to the log rotate procs.
-@@ -283,9 +337,9 @@
+@@ -283,9 +344,9 @@
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@ -9055,7 +9111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
-@@ -301,6 +355,7 @@
+@@ -301,6 +362,7 @@
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, file)
 
@ -9063,7 +9119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 manage_sock_files_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
 files_pid_filetrans(httpd_t, httpd_var_run_t, { file sock_file })
-@@ -312,16 +367,18 @@
+@@ -312,16 +374,18 @@
 kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)
@ -9087,7 +9143,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 corenet_tcp_bind_http_port(httpd_t)
 corenet_tcp_bind_http_cache_port(httpd_t)
 corenet_sendrecv_http_server_packets(httpd_t)
-@@ -335,12 +392,11 @@
+@@ -335,12 +399,11 @@
 
 fs_getattr_all_fs(httpd_t)
 fs_search_auto_mountpoints(httpd_t)
@ -9102,7 +9158,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 domain_use_interactive_fds(httpd_t)
 
-@@ -358,6 +414,10 @@
+@@ -358,6 +421,10 @@
 files_read_var_lib_symlinks(httpd_t)
 
 fs_search_auto_mountpoints(httpd_sys_script_t)
@ -9113,7 +9169,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 libs_read_lib_files(httpd_t)
 
-@@ -372,18 +432,33 @@
+@@ -372,18 +439,33 @@
 
 userdom_use_unpriv_users_fds(httpd_t)
 
@ -9134,8 +9190,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_pam, false)
 +
- tunable_policy(`allow_httpd_mod_auth_pam',`
-	auth_domtrans_chk_passwd(httpd_t)
+tunable_policy(`allow_httpd_mod_auth_pam',`
 +	auth_domtrans_chkpwd(httpd_t)
 +')
 +
@ -9146,12 +9201,13 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +## </desc>
 +gen_tunable(allow_httpd_mod_auth_ntlm_winbind, false)
 +optional_policy(`
-+tunable_policy(`allow_httpd_mod_auth_pam',`
+ tunable_policy(`allow_httpd_mod_auth_pam',`
+-	auth_domtrans_chk_passwd(httpd_t)
 +		samba_domtrans_winbind_helper(httpd_t)
 ')
 ')
 
-@@ -391,20 +466,54 @@
+@@ -391,32 +473,70 @@
 	corenet_tcp_connect_all_ports(httpd_t)
 ')
 
@ -9207,16 +9263,27 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-@@ -415,20 +524,28 @@
- 	corenet_tcp_bind_ftp_port(httpd_t)
+ 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ ')
+ 
+-tunable_policy(`httpd_enable_ftp_server',`
+-	corenet_tcp_bind_ftp_port(httpd_t)
+tunable_policy(`httpd_tmp_exec && httpd_builtin_scripting',`
+        can_exec(httpd_t, httpd_tmp_t)
 ')
 
 -tunable_policy(`httpd_enable_homedirs',`
 -	userdom_read_user_home_content_files(httpd_t)
-')
-
+tunable_policy(`httpd_tmp_exec && httpd_enable_cgi',`
+        can_exec(httpd_sys_script_t, httpd_tmp_t)
+')
+
+tunable_policy(`httpd_enable_ftp_server',`
+	corenet_tcp_bind_ftp_port(httpd_t)
+ ')
+ 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
- 	fs_read_nfs_files(httpd_t)
+@@ -424,11 +544,23 @@
 	fs_read_nfs_symlinks(httpd_t)
 ')
 
@ -9240,7 +9307,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_ssi_exec',`
 	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
 	allow httpd_sys_script_t httpd_t:fd use;
-@@ -451,6 +568,10 @@
+@@ -451,6 +583,10 @@
 ')
 
 optional_policy(`
@ -9251,7 +9318,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	cron_system_entry(httpd_t, httpd_exec_t)
 ')
 
-@@ -459,8 +580,13 @@
+@@ -459,8 +595,13 @@
 ')
 
 optional_policy(`
@ -9267,7 +9334,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -468,22 +594,18 @@
+@@ -468,22 +609,18 @@
 	mailman_domtrans_cgi(httpd_t)
 	# should have separate types for public and private archives
 	mailman_search_data(httpd_t)
@ -9292,7 +9359,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -494,12 +616,23 @@
+@@ -494,12 +631,23 @@
 ')
 
 optional_policy(`
@ -9316,7 +9383,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	')
 ')
 
-@@ -508,6 +641,7 @@
+@@ -508,6 +656,7 @@
 ')
 
 optional_policy(`
@ -9324,7 +9391,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
-@@ -535,6 +669,22 @@
+@@ -535,6 +684,22 @@
 
 userdom_use_user_terminals(httpd_helper_t)
 
@ -9347,7 +9414,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ########################################
 #
 # Apache PHP script local policy
-@@ -564,20 +714,25 @@
+@@ -564,20 +729,25 @@
 
 fs_search_auto_mountpoints(httpd_php_t)
 
@ -9379,7 +9446,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 ########################################
-@@ -595,23 +750,24 @@
+@@ -595,23 +765,24 @@
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 
@ -9408,7 +9475,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 files_read_etc_files(httpd_suexec_t)
 files_read_usr_files(httpd_suexec_t)
-@@ -624,6 +780,7 @@
+@@ -624,6 +795,7 @@
 logging_send_syslog_msg(httpd_suexec_t)
 
 miscfiles_read_localization(httpd_suexec_t)
@ -9416,7 +9483,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
-@@ -631,22 +788,30 @@
+@@ -631,22 +803,30 @@
 
 	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
 	corenet_all_recvfrom_netlabel(httpd_suexec_t)
@ -9454,7 +9521,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -672,15 +837,14 @@
+@@ -672,15 +852,14 @@
 	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
 ')
 
@ -9473,7 +9540,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 allow httpd_sys_script_t httpd_t:tcp_socket { read write };
 
 dontaudit httpd_sys_script_t httpd_config_t:dir search;
-@@ -699,12 +863,24 @@
+@@ -699,12 +878,24 @@
 # Should we add a boolean?
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
@ -9500,7 +9567,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -712,6 +888,35 @@
+@@ -712,6 +903,35 @@
 	fs_read_nfs_symlinks(httpd_sys_script_t)
 ')
 
@ -9536,7 +9603,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
 	fs_read_cifs_files(httpd_sys_script_t)
 	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -724,6 +929,10 @@
+@@ -724,6 +944,10 @@
 optional_policy(`
 	mysql_stream_connect(httpd_sys_script_t)
 	mysql_rw_db_sockets(httpd_sys_script_t)
@ -9547,7 +9614,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -735,6 +944,8 @@
+@@ -735,6 +959,8 @@
 # httpd_rotatelogs local policy
 #
 
@ -9556,7 +9623,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 manage_files_pattern(httpd_rotatelogs_t, httpd_log_t, httpd_log_t)
 
 kernel_read_kernel_sysctls(httpd_rotatelogs_t)
-@@ -754,6 +965,12 @@
+@@ -754,6 +980,12 @@
 
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	allow httpd_user_script_t httpdcontent:file entrypoint;
@ -9569,7 +9636,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 # allow accessing files/dirs below the users home dir
-@@ -762,3 +979,74 @@
+@@ -762,3 +994,74 @@
 	userdom_search_user_home_dirs(httpd_suexec_t)
 	userdom_search_user_home_dirs(httpd_user_script_t)
 ')
@ -18808,7 +18875,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +')
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.te serefpolicy-3.6.31/policy/modules/services/virt.te
 --- nsaserefpolicy/policy/modules/services/virt.te	2009-08-31 13:30:04.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/virt.te	2009-09-10 11:38:03.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/virt.te	2009-09-11 10:18:49.000000000 -0400
@@ -20,6 +20,28 @@
 ## </desc>
 gen_tunable(virt_use_samba, false)
@ -18923,7 +18990,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
-@@ -97,30 +156,52 @@
+@@ -97,30 +156,54 @@
 corenet_tcp_sendrecv_generic_node(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
@ -18967,6 +19034,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +fs_rw_anon_inodefs_files(virtd_t)
 +fs_list_inotifyfs(virtd_t)
 
+modutils_manage_module_config(virtd_t)
+
 +storage_manage_fixed_disk(virtd_t)
 +storage_relabel_fixed_disk(virtd_t)
 storage_raw_write_removable_device(virtd_t)
@ -18979,7 +19048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
-@@ -130,7 +211,14 @@
+@@ -130,7 +213,14 @@
 
 logging_send_syslog_msg(virtd_t)
 
@ -18994,7 +19063,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
-@@ -168,22 +256,35 @@
+@@ -168,22 +258,35 @@
 	dnsmasq_domtrans(virtd_t)
 	dnsmasq_signal(virtd_t)
 	dnsmasq_kill(virtd_t)
@ -19035,7 +19104,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ')
 
 optional_policy(`
-@@ -196,8 +297,159 @@
+@@ -196,8 +299,159 @@
 
 	xen_stream_connect(virtd_t)
 	xen_stream_connect_xenstore(virtd_t)
@ -19979,7 +20048,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 +
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.6.31/policy/modules/services/xserver.te
 --- nsaserefpolicy/policy/modules/services/xserver.te	2009-08-28 14:58:20.000000000 -0400
-+++ serefpolicy-3.6.31/policy/modules/services/xserver.te	2009-09-09 15:38:24.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/services/xserver.te	2009-09-10 11:49:20.000000000 -0400
@@ -34,6 +34,13 @@
 
 ## <desc>
@ -23047,6 +23116,68 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
 ##	Do not audit attempts to write fonts.
 ## </summary>
 ## <param name="domain">
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.fc serefpolicy-3.6.31/policy/modules/system/modutils.fc
+--- nsaserefpolicy/policy/modules/system/modutils.fc	2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/system/modutils.fc	2009-09-11 10:15:04.000000000 -0400
+@@ -1,6 +1,7 @@
+ 
+ /etc/modules\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+ /etc/modprobe\.conf.*	--	gen_context(system_u:object_r:modules_conf_t,s0)
+/etc/modprobe\.d(/.*)?		gen_context(system_u:object_r:modules_conf_t,s0)
+ 
+ ifdef(`distro_gentoo',`
+ # gentoo init scripts still manage this file
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.if serefpolicy-3.6.31/policy/modules/system/modutils.if
+--- nsaserefpolicy/policy/modules/system/modutils.if	2009-07-14 14:19:57.000000000 -0400
+++ serefpolicy-3.6.31/policy/modules/system/modutils.if	2009-09-11 10:18:38.000000000 -0400
+@@ -41,8 +41,8 @@
+ 	files_search_etc($1)
+ 	files_search_boot($1)
+ 
+-	allow $1 modules_conf_t:file read_file_perms;
+-	allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
+	read_files_pattern($1, modules_conf_t, modules_conf_t)
+	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
+ ')
+ 
+ ########################################
+@@ -61,7 +61,7 @@
+ 		type modules_conf_t;
+ 	')
+ 
+-	allow $1 modules_conf_t:file rename_file_perms;
+	rename_files_pattern($1, modules_conf_t,  modules_conf_t)
+ ')
+ 
+ ########################################
+@@ -80,7 +80,26 @@
+ 		type modules_conf_t;
+ 	')
+ 
+-	allow $1 modules_conf_t:file unlink;
+	delete_files_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
+##	Manage files with the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_manage_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	manage_files_pattern($1, modules_conf_t, modules_conf_t)
+ ')
+ 
+ ########################################
 diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/modutils.te serefpolicy-3.6.31/policy/modules/system/modutils.te
 --- nsaserefpolicy/policy/modules/system/modutils.te	2009-08-14 16:14:31.000000000 -0400
 +++ serefpolicy-3.6.31/policy/modules/system/modutils.te	2009-09-09 15:47:14.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.6.31
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -443,6 +443,10 @@ exit 0
 %endif

 %changelog
+* Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-3
+- Add wordpress/wp-content/uploads label
+- Fixes for sandbox when run from staff_t
+
 * Thu Sep 10 2009 Dan Walsh <dwalsh@redhat.com> 3.6.31-2
 - Update to upstream
 - Fixes for devicekit_disk