- Cleanups from dgrift

2009-12-23 13:02:27 +00:00 · 2009-12-23 13:02:27 +00:00 · e2f53dfaec
parent f2eafbf4b7
commit e2f53dfaec
4 changed files with 27 additions and 61 deletions
--- a/modules-minimum.conf
+++ b/modules-minimum.conf
@ -2019,7 +2019,7 @@ cgroup = module
 # Layer: services
 # Module: denyhosts
 #
-#  script to help thwart ssh server attacks
+# script to help thwart ssh server attacks
 # 
 denyhosts = module

--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@ -2019,7 +2019,7 @@ cgroup = module
 # Layer: services
 # Module: denyhosts
 #
-#  script to help thwart ssh server attacks
+# script to help thwart ssh server attacks
 # 
 denyhosts = module

--- a/policy-F13.patch
+++ b/policy-F13.patch
@ -6274,7 +6274,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.te serefpolicy-3.7.5/policy/modules/kernel/domain.te
 --- nsaserefpolicy/policy/modules/kernel/domain.te	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te	2009-12-21 13:07:09.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/domain.te	2009-12-23 07:50:49.000000000 -0500
@@ -5,6 +5,13 @@
 #
 # Declarations
@ -6969,7 +6969,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
 #
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.7.5/policy/modules/kernel/filesystem.if
 --- nsaserefpolicy/policy/modules/kernel/filesystem.if	2009-11-25 11:47:19.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if	2009-12-22 10:30:40.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/kernel/filesystem.if	2009-12-23 07:46:46.000000000 -0500
@@ -906,7 +906,7 @@
 		type cifs_t;
 	')
@ -7014,33 +7014,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 #########################################
 ## <summary>
 ##	Read named sockets on a NFS filesystem.
-@@ -4181,3 +4200,216 @@
+@@ -4181,3 +4200,175 @@
 	relabelfrom_blk_files_pattern($1, noxattrfs, noxattrfs)
 	relabelfrom_chr_files_pattern($1, noxattrfs, noxattrfs)
 ')
 +
 +########################################
 +## <summary>
-+##	Search dirs on cgroup
-+##	file systems.
-+## </summary>
-+## <param name="domain">
-+##	<summary>
-+##	Domain allowed access.
-+##	</summary>
-+## </param>
-+#
-+interface(`fs_search_cgroup_dirs', `
-+	gen_require(`
-+		type cgroup_t;
-+
-+	')
-+
-+	allow $1 cgroup_t:dir search;
-+')
-+
-+########################################
-+## <summary>
 +##      list dirs on cgroup
 +##      file systems.
 +## </summary>
@ -7080,25 +7060,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +
 +########################################
 +## <summary>
-+##      create dirs on cgroup
-+##      file systems.
-+## </summary>
-+## <param name="domain">
-+##      <summary>
-+##      Domain allowed access.
-+##      </summary>
-+## </param>
-+#
-+interface(`fs_create_cgroup_dirs', `
-+        gen_require(`
-+                type cgroup_t;
-+	')
-+
-+	create_dirs_pattern($1, cgroup_t, cgroup_t)
-+')
-+
-+########################################
-+## <summary>
 +##	Manage dirs on cgroup file systems.
 +## </summary>
 +## <param name="domain">
@ -7207,7 +7168,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +	')
 +
 +	setattr_files_pattern($1, cgroup_t, cgroup_t)
-+	fs_search_cgroup_dirs($1)
 +')
 +
 +########################################
@ -7228,7 +7188,6 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesy
 +	')
 +
 +	write_files_pattern($1, cgroup_t, cgroup_t)
-+	fs_search_cgroup_dirs($1)
 +')
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.te serefpolicy-3.7.5/policy/modules/kernel/filesystem.te
@ -9716,7 +9675,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 ##	All of the rules required to administrate 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.7.5/policy/modules/services/abrt.te
 --- nsaserefpolicy/policy/modules/services/abrt.te	2009-09-16 09:09:20.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/services/abrt.te	2009-12-22 08:42:16.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/abrt.te	2009-12-23 07:13:38.000000000 -0500
@@ -33,12 +33,24 @@
 type abrt_var_run_t;
 files_pid_file(abrt_var_run_t)
@ -9764,7 +9723,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
 
 kernel_read_ring_buffer(abrt_t)
-@@ -75,18 +90,34 @@
+@@ -75,18 +90,35 @@
 
 corecmd_exec_bin(abrt_t)
 corecmd_exec_shell(abrt_t)
@ -9795,11 +9754,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt
 fs_getattr_all_fs(abrt_t)
 fs_getattr_all_dirs(abrt_t)
 +fs_read_fusefs_files(abrt_t)
+fs_read_nfs_files(abrt_t)
 +fs_search_all(abrt_t)
 
 sysnet_read_config(abrt_t)
 
-@@ -96,22 +127,92 @@
+@@ -96,22 +128,92 @@
 miscfiles_read_certs(abrt_t)
 miscfiles_read_localization(abrt_t)
 
@ -14634,8 +14594,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +/var/log/denyhosts(/.*)?					gen_context(system_u:object_r:denyhosts_var_log_t, s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.if serefpolicy-3.7.5/policy/modules/services/denyhosts.if
 --- nsaserefpolicy/policy/modules/services/denyhosts.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if	2009-12-22 17:05:58.000000000 -0500
-@@ -0,0 +1,91 @@
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.if	2009-12-23 07:48:54.000000000 -0500
+@@ -0,0 +1,90 @@
 +## <summary>Deny Hosts.</summary>
 +## <desc>
 +##	<p>
@ -14666,7 +14626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +
 +########################################
 +## <summary>
-+##	Execute ksmtuned server in the ksmtuned domain.
+##	Execute denyhost server in the denyhost domain.
 +## </summary>
 +## <param name="domain">
 +##	<summary>
@ -14708,8 +14668,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +	allow $1 denyhosts_t:process { ptrace signal_perms getattr };
 +	read_files_pattern($1, denyhosts_t, denyhosts_t)
 +	        
-+	files_list_pids($1)
-+	admin_pattern($1, denyhosts_var_run_t)
+	admin_pattern($1, denyhosts_var_lib_t)
 +
 +	logging_search_logs($1)
 +	admin_pattern($1, denyhosts_var_log_t)
@ -14729,8 +14688,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/denyhosts.te serefpolicy-3.7.5/policy/modules/services/denyhosts.te
 --- nsaserefpolicy/policy/modules/services/denyhosts.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te	2009-12-22 10:34:58.000000000 -0500
-@@ -0,0 +1,71 @@
+++ serefpolicy-3.7.5/policy/modules/services/denyhosts.te	2009-12-23 07:47:53.000000000 -0500
+@@ -0,0 +1,72 @@
 +
 +policy_module(denyhosts, 1.0.0) 
 +
@ -14798,6 +14757,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/deny
 +miscfiles_read_localization(denyhosts_t)
 +
 +sysnet_manage_config(denyhosts_t)
+sysnet_etc_filetrans_config(denyhosts_t)
 +
 +optional_policy(`
 +	cron_system_entry(denyhosts_t, denyhosts_exec_t)
@ -16182,13 +16142,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerb
 
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.fc serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc
 --- nsaserefpolicy/policy/modules/services/ksmtuned.fc	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc	2009-12-21 13:07:09.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.fc	2009-12-23 07:41:58.000000000 -0500
@@ -0,0 +1,5 @@
 +/etc/rc\.d/init\.d/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_initrc_exec_t,s0)
 +
 +/usr/sbin/ksmtuned	--	gen_context(system_u:object_r:ksmtuned_exec_t,s0)
 +
-+/var/run/ksmtune\.pid		--	gen_context(system_u:object_r:ntpd_var_run_t,s0)
+/var/run/ksmtune\.pid		--	gen_context(system_u:object_r:ksmtuned_var_run_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ksmtuned.if serefpolicy-3.7.5/policy/modules/services/ksmtuned.if
 --- nsaserefpolicy/policy/modules/services/ksmtuned.if	1969-12-31 19:00:00.000000000 -0500
 +++ serefpolicy-3.7.5/policy/modules/services/ksmtuned.if	2009-12-21 13:07:09.000000000 -0500
@ -28985,7 +28945,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/kdump.
 +permissive kdump_t;
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.fc serefpolicy-3.7.5/policy/modules/system/libraries.fc
 --- nsaserefpolicy/policy/modules/system/libraries.fc	2009-08-14 16:14:31.000000000 -0400
-+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc	2009-12-22 08:51:29.000000000 -0500
+++ serefpolicy-3.7.5/policy/modules/system/libraries.fc	2009-12-23 07:33:05.000000000 -0500
@@ -60,12 +60,15 @@
 #
 # /opt
@ -29201,7 +29161,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 ') dnl end distro_redhat
 
 #
-@@ -307,10 +316,111 @@
+@@ -307,10 +316,114 @@
 
 /var/mailman/pythonlib(/.*)?/.+\.so(\..*)? --	gen_context(system_u:object_r:lib_t,s0)
 
@ -29313,6 +29273,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/librar
 +/opt/VirtualBox(/.*)?/VBox.*\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 +
 +/usr/lib(64)?/chromium-browser/.*\.so 	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/local/zend/lib/apache2/libphp5\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+
+/usr/lib(64)?/python.*/site-packages/pymedia/muxer\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/libraries.if serefpolicy-3.7.5/policy/modules/system/libraries.if
 --- nsaserefpolicy/policy/modules/system/libraries.if	2009-07-14 14:19:57.000000000 -0400
 +++ serefpolicy-3.7.5/policy/modules/system/libraries.if	2009-12-21 13:07:09.000000000 -0500
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -449,6 +449,9 @@ exit 0
 %endif

 %changelog
+* Wed Dec 23 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-4
+- Cleanups from dgrift
+
 * Tue Dec 22 2009 Dan Walsh <dwalsh@redhat.com> 3.7.5-3
 - Add back xserver_manage_home_fonts