- Allow confined users to use postgres

- Allow system_mail_t to exec other mail clients - Label mogrel_rails as an apache server
2008-06-24 11:14:04 +00:00 · 2008-06-24 11:14:04 +00:00 · f86ed5a437
parent 547aa2a382
commit f86ed5a437
2 changed files with 137 additions and 30 deletions
--- a/policy-20080509.patch
+++ b/policy-20080509.patch
@ -642,7 +642,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te serefpolicy-3.4.2/policy/modules/admin/mrtg.te
 --- nsaserefpolicy/policy/modules/admin/mrtg.te	2008-06-12 23:25:08.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te	2008-06-12 23:37:53.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/admin/mrtg.te	2008-06-24 06:26:50.000000000 -0400
@@ -78,6 +78,7 @@
 dev_read_urand(mrtg_t)
@ -651,6 +651,55 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/mrtg.te
 files_read_usr_files(mrtg_t)
 files_search_var(mrtg_t)
@@ -101,6 +102,8 @@
 init_read_utmp(mrtg_t)
 init_dontaudit_write_utmp(mrtg_t)
 +auth_use_nsswitch(mrtg_t)
 +
 libs_read_lib_files(mrtg_t)
 libs_use_ld_so(mrtg_t)
 libs_use_shared_libs(mrtg_t)
@@ -111,12 +114,10 @@
 selinux_dontaudit_getattr_dir(mrtg_t)
 -# Use the network.
 -sysnet_read_config(mrtg_t)
 -
 userdom_dontaudit_use_unpriv_user_fds(mrtg_t)
 sysadm_use_terms(mrtg_t)
 +sysadm_dontaudit_read_home_content_files(mrtg_t)
 ifdef(`enable_mls',`
 	corenet_udp_sendrecv_lo_if(mrtg_t)
@@ -140,14 +141,6 @@
 ')
 optional_policy(`
 -	nis_use_ypbind(mrtg_t)
 -')
 -
 -optional_policy(`
 -	nscd_dontaudit_search_pid(mrtg_t)
 -')
 -
 -optional_policy(`
 	seutil_sigchld_newrole(mrtg_t)
 ')
@@ -162,10 +155,3 @@
 optional_policy(`
 	udev_read_db(mrtg_t)
 ')
 -
 -ifdef(`TODO',`
 -	# should not need this!
 -	dontaudit mrtg_t { staff_home_dir_t sysadm_home_dir_t }:dir { search read getattr };
 -	dontaudit mrtg_t { boot_t device_t file_t lost_found_t }:dir getattr;
 -	dontaudit mrtg_t root_t:lnk_file getattr;
 -')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/netutils.te serefpolicy-3.4.2/policy/modules/admin/netutils.te
 --- nsaserefpolicy/policy/modules/admin/netutils.te	2008-06-12 23:25:08.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/admin/netutils.te	2008-06-12 23:37:53.000000000 -0400
@ -7923,8 +7972,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/secadm.
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.te serefpolicy-3.4.2/policy/modules/roles/staff.te
 --- nsaserefpolicy/policy/modules/roles/staff.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/staff.te	2008-06-12 23:37:52.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/roles/staff.te	2008-06-24 07:05:16.000000000 -0400
-@@ -8,18 +8,30 @@
+@@ -8,18 +8,34 @@
 role staff_r;
@ -7952,11 +8001,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +	logadm_role_change_template(staff)
 +')
 +
 +optional_policy(`
 +	postgresql_userdom_template(staff,staff_t,staff_r)
 +')
 +
 +optional_policy(`
 	secadm_role_change_template(staff)
 ')
-@@ -28,3 +40,14 @@
+@@ -28,3 +44,14 @@
 	sysadm_dontaudit_use_terms(staff_t)
 ')
@ -7973,7 +8026,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/staff.t
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.if serefpolicy-3.4.2/policy/modules/roles/sysadm.if
 --- nsaserefpolicy/policy/modules/roles/sysadm.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if	2008-06-14 07:13:35.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/roles/sysadm.if	2008-06-24 06:22:32.000000000 -0400
@@ -334,10 +334,10 @@
 #
 interface(`sysadm_getattr_home_dirs',`
@ -8135,7 +8188,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/sysadm.
 ## <summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.if serefpolicy-3.4.2/policy/modules/roles/unprivuser.if
 --- nsaserefpolicy/policy/modules/roles/unprivuser.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if	2008-06-12 23:37:52.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.if	2008-06-24 05:57:35.000000000 -0400
@@ -62,6 +62,26 @@
 	files_home_filetrans($1,user_home_dir_t,dir)
 ')
@ -8805,8 +8858,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivuser.te serefpolicy-3.4.2/policy/modules/roles/unprivuser.te
 --- nsaserefpolicy/policy/modules/roles/unprivuser.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te	2008-06-12 23:37:52.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/roles/unprivuser.te	2008-06-24 07:05:40.000000000 -0400
-@@ -13,3 +13,19 @@
+@@ -13,3 +13,23 @@
 userdom_unpriv_user_template(user)
@ -8819,6 +8872,10 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unprivu
 +')
 +
 +optional_policy(`
 +	postgresql_userdom_template(user,user_t,user_r)
 +')
 +
 +optional_policy(`
 +	rpm_dontaudit_dbus_chat(user_t)
 +')
 +
@ -9322,14 +9379,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/amav
 # amavis local policy
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.4.2/policy/modules/services/apache.fc
 --- nsaserefpolicy/policy/modules/services/apache.fc	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/apache.fc	2008-06-12 23:37:52.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/apache.fc	2008-06-24 07:09:51.000000000 -0400
@@ -1,4 +1,4 @@
 -HOME_DIR/((www)|(web)|(public_html))(/.+)? gen_context(system_u:object_r:httpd_ROLE_content_t,s0)
 +HOME_DIR/((www)|(web)|(public_html)|(public_git))(/.+)? gen_context(system_u:object_r:httpd_user_content_t,s0)
 /etc/apache(2)?(/.*)?			gen_context(system_u:object_r:httpd_config_t,s0)
 /etc/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_config_t,s0)
-@@ -16,7 +16,6 @@
+@@ -16,13 +16,13 @@
 /usr/lib/apache-ssl/.+		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/lib/cgi-bin(/.*)?			gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@ -9337,7 +9394,14 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 /usr/lib(64)?/apache(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache2/modules(/.*)?	gen_context(system_u:object_r:httpd_modules_t,s0)
 /usr/lib(64)?/apache(2)?/suexec(2)? --	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -33,6 +32,7 @@
+ /usr/lib(64)?/cgi-bin/(nph-)?cgiwrap(d)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/lib(64)?/httpd(/.*)?		gen_context(system_u:object_r:httpd_modules_t,s0)
 +/usr/bin/mongrel_rails		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache(2)?		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/apache-ssl(2)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?	--	gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -33,6 +33,7 @@
 /usr/sbin/httpd2-.*		--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ')
@ -9345,7 +9409,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,11 +48,14 @@
+@@ -48,11 +49,14 @@
 /var/lib/cacti/rra(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /var/lib/dav(/.*)?			gen_context(system_u:object_r:httpd_var_lib_t,s0)
@ -9360,7 +9424,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 /var/log/apache(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/apache-ssl(2)?(/.*)?		gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/cacti(/.*)?			gen_context(system_u:object_r:httpd_log_t,s0)
-@@ -66,10 +69,21 @@
+@@ -66,10 +70,21 @@
 /var/run/gcache_port		-s	gen_context(system_u:object_r:httpd_var_run_t,s0)
 /var/run/httpd.*			gen_context(system_u:object_r:httpd_var_run_t,s0)
@ -16036,8 +16100,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
 +/usr/libexec/gam_server	--	gen_context(system_u:object_r:gamin_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gamin.if serefpolicy-3.4.2/policy/modules/services/gamin.if
 --- nsaserefpolicy/policy/modules/services/gamin.if	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.4.2/policy/modules/services/gamin.if	2008-06-12 23:37:52.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/gamin.if	2008-06-24 06:34:46.000000000 -0400
-@@ -0,0 +1,39 @@
+@@ -0,0 +1,57 @@
 +
 +## <summary>policy for gamin</summary>
 +
@ -16062,6 +16126,24 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/gami
 +
 +########################################
 +## <summary>
 +##	Execute gamin.
 +## </summary>
 +## <param name="domain">
 +## <summary>
 +##	Domain allowed to transition.
 +## </summary>
 +## </param>
 +#
 +interface(`gamin_exec',`
 +	gen_require(`
 +                type gamin_exec_t;
 +	')
 +
 +	can_exec($1,gamin_exec_t)
 +')
 +
 +########################################
 +## <summary>
 +##	Connect to gamin over an unix stream socket.
 +## </summary>
 +## <param name="domain">
@ -17707,7 +17789,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ## </summary>
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.te serefpolicy-3.4.2/policy/modules/services/mta.te
 --- nsaserefpolicy/policy/modules/services/mta.te	2008-06-12 23:25:05.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/mta.te	2008-06-12 23:37:52.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/mta.te	2008-06-24 05:41:16.000000000 -0400
@@ -6,6 +6,8 @@
 # Declarations
 #
@ -17725,13 +17807,15 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 mta_base_mail_template(system)
 role system_r types system_mail_t;
-@@ -37,30 +40,50 @@
+@@ -37,30 +40,52 @@
 #
 # newalias required this, not sure if it is needed in 'if' file
 -allow system_mail_t self:capability { dac_override };
 +allow system_mail_t self:capability { dac_override fowner };
 +allow system_mail_t self:fifo_file rw_fifo_file_perms;
 +
 +can_exec(system_mail_t, mailclient_exec_type)
 read_files_pattern(system_mail_t,etc_mail_t,etc_mail_t)
 +read_files_pattern(system_mail_t,mailcontent_type,mailcontent_type)
@ -17777,7 +17861,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 optional_policy(`
-@@ -73,7 +96,10 @@
+@@ -73,7 +98,10 @@
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
@ -17788,7 +17872,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 ')
 optional_policy(`
-@@ -81,6 +107,11 @@
+@@ -81,6 +109,11 @@
 ')
 optional_policy(`
@ -17800,7 +17884,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 	logrotate_read_tmp_files(system_mail_t)
 ')
-@@ -136,11 +167,38 @@
+@@ -136,11 +169,38 @@
 ')
 optional_policy(`
@ -17840,7 +17924,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mta.
 optional_policy(`
 	# why is mail delivered to a directory of type arpwatch_data_t?
 	arpwatch_search_data(mailserver_delivery)
-@@ -154,3 +212,4 @@
+@@ -154,3 +214,4 @@
 		cron_read_system_job_tmp_files(mta_user_agent)
 	')
 ')
@ -21027,7 +21111,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +/etc/rc\.d/init\.d/prelude-lml --      gen_context(system_u:object_r:prelude_lml_script_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.if serefpolicy-3.4.2/policy/modules/services/prelude.if
 --- nsaserefpolicy/policy/modules/services/prelude.if	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/prelude.if	2008-06-23 08:18:26.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/prelude.if	2008-06-24 06:33:22.000000000 -0400
@@ -42,7 +42,7 @@
 ## </summary>
 ## <param name="domain">
@ -21037,7 +21121,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 ## </summary>
 ## </param>
 #
-@@ -56,6 +56,80 @@
+@@ -56,6 +56,81 @@
 ########################################
 ## <summary>
@ -21074,6 +21158,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +	')
 +
 +	files_search_spool($1)
 +	list_dirs_pattern($1, prelude_spool_t, prelude_spool_t)
 +	rw_files_pattern($1, prelude_spool_t, prelude_spool_t)
 +')
 +
@ -21118,7 +21203,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 ##	All of the rules required to administrate 
 ##	an prelude environment
 ## </summary>
-@@ -64,6 +138,16 @@
+@@ -64,6 +139,16 @@
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
@ -21135,7 +21220,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 ## <rolecap/>
 #
 interface(`prelude_admin',`
-@@ -71,6 +155,11 @@
+@@ -71,6 +156,11 @@
 		type prelude_t, prelude_spool_t;
 		type prelude_var_run_t, prelude_var_lib_t;
 		type prelude_audisp_t, prelude_audisp_var_run_t;
@ -21147,7 +21232,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 	')
 	allow $1 prelude_t:process { ptrace signal_perms };
-@@ -79,11 +168,23 @@
+@@ -79,11 +169,23 @@
 	allow $1 prelude_audisp_t:process { ptrace signal_perms };
 	ps_process_pattern($1, prelude_audisp_t)
@ -21179,7 +21264,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.4.2/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	2008-06-12 23:25:06.000000000 -0400
-+++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-06-23 08:09:53.000000000 -0400
+++ serefpolicy-3.4.2/policy/modules/services/prelude.te	2008-06-24 06:34:11.000000000 -0400
@@ -19,12 +19,31 @@
 type prelude_var_lib_t;
 files_type(prelude_var_lib_t)
@ -21238,7 +21323,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 dev_read_rand(prelude_audisp_t)
 dev_read_urand(prelude_audisp_t)
-@@ -126,6 +150,76 @@
+@@ -126,6 +150,80 @@
 miscfiles_read_localization(prelude_audisp_t)
@ -21309,13 +21394,17 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prel
 +miscfiles_read_localization(prelude_lml_t)
 +
 +optional_policy(`
 +	gamin_exec(prelude_lml_t)
 +')
 +
 +optional_policy(`
 +	apache_read_log(prelude_lml_t)
 +')
 +
 ########################################
 #
 # prewikka_cgi Declarations
-@@ -135,6 +229,10 @@
+@@ -135,6 +233,10 @@
 	apache_content_template(prewikka)
 	files_read_etc_files(httpd_prewikka_script_t)
@ -28016,6 +28105,19 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/zebr
 kernel_read_kernel_sysctls(zebra_t)
 kernel_rw_net_sysctls(zebra_t)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/application.te serefpolicy-3.4.2/policy/modules/system/application.te
 --- nsaserefpolicy/policy/modules/system/application.te	2008-06-12 23:25:07.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/system/application.te	2008-06-24 05:58:09.000000000 -0400
@@ -7,6 +7,9 @@
 # Executables to be run by user
 attribute application_exec_type;
 +unprivuser_append_home_content_files(application_domain_type)
 +unprivuser_write_tmp_files(application_domain_type)
 +
 optional_policy(`
 	ssh_sigchld(application_domain_type)
 	ssh_rw_stream_sockets(application_domain_type)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/authlogin.fc serefpolicy-3.4.2/policy/modules/system/authlogin.fc
 --- nsaserefpolicy/policy/modules/system/authlogin.fc	2008-06-12 23:25:07.000000000 -0400
 +++ serefpolicy-3.4.2/policy/modules/system/authlogin.fc	2008-06-12 23:37:52.000000000 -0400
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -17,7 +17,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.4.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@ -375,6 +375,11 @@ exit 0
 %endif
 %changelog
 * Tue Jun 24 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-7
 - Allow confined users to use postgres
 - Allow system_mail_t to exec other mail clients
 - Label mogrel_rails as an apache server
 * Mon Jun 23 2008 Dan Walsh <dwalsh@redhat.com> 3.4.2-6
 - Apply unconfined_execmem_exec_t to haskell programs