[selinux-policy/f13/master] - Allow seunshare fowner capability - Allow dovecot to manage postfix privet socket

Miroslav Grepl mgrepl at fedoraproject.org
Wed Aug 25 14:33:07 UTC 2010


commit 989462718c4443c033b3435c2743bc17f2b4f68d
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Wed Aug 25 16:32:54 2010 +0200

    - Allow seunshare fowner capability
    - Allow dovecot to manage postfix private socket

 policy-F13.patch    |   91 +++++++++++++++++++++++++++++++++-----------------
 selinux-policy.spec |    6 +++-
 2 files changed, 65 insertions(+), 32 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index b0b3a13..9caefb4 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -6587,8 +6587,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +# No types are sandbox_exec_t
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.7.19/policy/modules/apps/sandbox.if
 --- nsaserefpolicy/policy/modules/apps/sandbox.if	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if	2010-05-28 09:42:00.004610972 +0200
-@@ -0,0 +1,314 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.if	2010-08-25 16:02:58.406085258 +0200
+@@ -0,0 +1,315 @@
 +
 +## <summary>policy for sandbox</summary>
 +
@@ -6626,6 +6626,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +	allow $1 sandbox_x_domain:process { signal_perms transition };
 +	dontaudit $1 sandbox_x_domain:process { noatsecure siginh rlimitinh };
 +	allow sandbox_x_domain $1:process { sigchld signull };
++	dontaudit sandbox_domain $1:process signal;
 +	role $2 types sandbox_x_domain;
 +	role $2 types sandbox_xserver_t;
 +	allow $1 sandbox_xserver_t:process signal_perms;
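Review bot: The added `dontaudit sandbox_domain $1:process signal;` is written against `sandbox_domain`, while every neighbouring rule in this interface uses `sandbox_x_domain`; if the broader attribute is intended, a short comment should say so, e.g. `# sandboxed apps try to signal the caller; deny without logging`. The interface's `gen_require` block lies outside this hunk, so it is not visible whether `sandbox_domain` is declared there. Because `dontaudit` suppresses the AVC record, attempts by a sandboxed process to signal its launcher will no longer appear in the audit log, which deserves to be a deliberate, documented choice.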
@@ -6905,8 +6906,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.te serefpolicy-3.7.19/policy/modules/apps/sandbox.te
 --- nsaserefpolicy/policy/modules/apps/sandbox.te	1970-01-01 01:00:00.000000000 +0100
-+++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-08-24 14:07:38.336335117 +0200
-@@ -0,0 +1,397 @@
++++ serefpolicy-3.7.19/policy/modules/apps/sandbox.te	2010-08-25 16:17:36.953085328 +0200
+@@ -0,0 +1,402 @@
 +policy_module(sandbox,1.0.0)
 +dbus_stub()
 +attribute sandbox_domain;
@@ -7135,6 +7136,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +
 +userdom_dontaudit_use_user_terminals(sandbox_x_domain)
 +userdom_read_user_home_content_symlinks(sandbox_x_domain)
++userdom_search_user_home_content(sandbox_x_domain)
 +
 +#============= sandbox_x_t ==============
 +files_search_home(sandbox_x_t)
@@ -7184,6 +7186,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +allow sandbox_web_type self:netlink_selinux_socket create_socket_perms;
 +
 +kernel_dontaudit_search_kernel_sysctl(sandbox_web_type)
++kernel_request_load_module(sandbox_web_type)
 +
 +dev_read_rand(sandbox_web_type)
 +dev_write_sound(sandbox_web_type)
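Review bot: `kernel_request_load_module(sandbox_web_type)` allows every sandboxed web domain to make the kernel autoload modules, and nothing in the hunk records why a confined browser needs that. A comment naming the trigger would make the grant reviewable later, e.g. `# <socket family or device whose use triggers the module request — fill in from the AVC>`. If the request is only a side effect of something the sandbox does not actually need, `kernel_dontaudit_request_load_module(sandbox_web_type)` would silence the denial without granting it, assuming that interface is available in this policy version.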
@@ -7216,6 +7219,9 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.
 +corenet_sendrecv_ftp_client_packets(sandbox_web_type)
 +corenet_sendrecv_ipp_client_packets(sandbox_web_type)
 +corenet_sendrecv_generic_client_packets(sandbox_web_type)
++corenet_tcp_sendrecv_squid_port(sandbox_web_type)
++corenet_sendrecv_squid_client_packets(sandbox_web_type)
++corenet_tcp_connect_squid_port(sandbox_web_type)
 +# Should not need other ports
 +corenet_dontaudit_tcp_sendrecv_generic_port(sandbox_web_type)
 +corenet_dontaudit_tcp_bind_generic_port(sandbox_web_type)
@@ -7412,7 +7418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshare.te serefpolicy-3.7.19/policy/modules/apps/seunshare.te
 --- nsaserefpolicy/policy/modules/apps/seunshare.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te	2010-08-10 16:20:13.598085356 +0200
++++ serefpolicy-3.7.19/policy/modules/apps/seunshare.te	2010-08-25 16:06:59.968119755 +0200
 @@ -6,40 +6,45 @@
  # Declarations
  #
@@ -7427,7 +7433,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/seunshar
  #
  # seunshare local policy
  #
-+allow seunshare_domain self:capability { setuid dac_override setpcap sys_admin sys_nice };
++allow seunshare_domain self:capability { fowner setuid dac_override setpcap sys_admin sys_nice };
 +allow seunshare_domain self:process { fork setexec signal getcap setcap setsched };
  
 -allow seunshare_t self:capability { setuid dac_override setpcap sys_admin };
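Review bot: `fowner` is added to the `seunshare_domain` attribute rather than to a single type, so every domain carrying that attribute gains it alongside `dac_override`, `setuid` and `sys_admin`, and no comment says which operation requires it. With `fowner` the process bypasses ownership checks on operations such as chmod, which matters for a helper that runs on behalf of unprivileged users. I would put a line above the rule along the lines of `# fowner: <operation on the user's private home/tmp directories that needs it — fill in>`. The rest of seunshare.te is outside this hunk, so whether a narrower type could take the capability instead cannot be judged from here.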
@@ -14494,7 +14500,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.if serefpolicy-3.7.19/policy/modules/services/apache.if
 --- nsaserefpolicy/policy/modules/services/apache.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.if	2010-08-24 14:04:00.070084847 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.if	2010-08-25 09:32:04.821085078 +0200
 @@ -13,17 +13,13 @@
  #
  template(`apache_content_template',`
@@ -14740,7 +14746,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	files_search_var($1)
  ')
  
-@@ -836,11 +892,60 @@
+@@ -836,11 +892,62 @@
  	')
  
  	files_search_var($1)
@@ -14768,6 +14774,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +	')
 +
 +	files_search_var($1)
++	apache_search_sys_content($1)
 +    manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +    manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +    manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -14791,6 +14798,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +	')
 +
 +	files_search_tmp($1)
++	apache_search_sys_content($1)
 +	delete_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +	delete_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 +	delete_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
@@ -14801,7 +14809,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Execute all web scripts in the system
-@@ -858,6 +963,11 @@
+@@ -858,6 +965,11 @@
  	gen_require(`
  		attribute httpdcontent;
  		type httpd_sys_script_t;
@@ -14813,7 +14821,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	tunable_policy(`httpd_enable_cgi && httpd_unified',`
-@@ -945,7 +1055,7 @@
+@@ -945,7 +1057,7 @@
  		type httpd_squirrelmail_t;
  	')
  
@@ -14822,7 +14830,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -985,6 +1095,24 @@
+@@ -985,6 +1097,24 @@
  	allow $1 httpd_sys_content_t:dir search_dir_perms;
  ')
  
@@ -14847,7 +14855,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Read apache system content.
-@@ -1086,6 +1214,25 @@
+@@ -1086,6 +1216,25 @@
  	read_files_pattern($1, httpd_tmp_t, httpd_tmp_t)
  ')
  
@@ -14873,7 +14881,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  ## <summary>
  ##	Dontaudit attempts to write
-@@ -1102,7 +1249,7 @@
+@@ -1102,7 +1251,7 @@
  		type httpd_tmp_t;
  	')
  
@@ -14882,7 +14890,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  ########################################
-@@ -1172,7 +1319,7 @@
+@@ -1172,7 +1321,7 @@
  		type httpd_modules_t, httpd_lock_t;
  		type httpd_var_run_t, httpd_php_tmp_t;
  		type httpd_suexec_tmp_t, httpd_tmp_t;
@@ -14891,7 +14899,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  
  	allow $1 httpd_t:process { getattr ptrace signal_perms };
-@@ -1202,12 +1349,62 @@
+@@ -1202,12 +1351,62 @@
  
  	kernel_search_proc($1)
  	allow $1 httpd_t:dir list_dir_perms;
@@ -25541,8 +25549,25 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ntp.
  
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.7.19/policy/modules/services/nut.te
 --- nsaserefpolicy/policy/modules/services/nut.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/nut.te	2010-05-28 09:42:00.142610728 +0200
-@@ -104,6 +104,10 @@
++++ serefpolicy-3.7.19/policy/modules/services/nut.te	2010-08-25 16:04:52.823085230 +0200
+@@ -67,13 +67,15 @@
+ allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
+ allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
+ allow nut_upsmon_t self:tcp_socket create_socket_perms;
++allow nut_upsmon_t self:unix_stream_socket { create_socket_perms connectto };
+ 
+ read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
+ 
+ # pid file
+ manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+ manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
+-files_pid_filetrans(nut_upsmon_t, nut_var_run_t, file)
++manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
++files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file sock_file })
+ 
+ kernel_read_kernel_sysctls(nut_upsmon_t)
+ kernel_read_system_state(nut_upsmon_t)
+@@ -104,6 +106,10 @@
  
  mta_send_mail(nut_upsmon_t)
  
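Review bot: In the `nut_upsmon_t` block the new `manage_sock_files_pattern` line names `nut_upsdrvctl_t`, while the rules around it and the widened `files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file sock_file })` all concern `nut_upsmon_t`. As far as this hunk shows, upsmon receives the type transition for socket files but not the permission to create them, unless that is granted elsewhere in nut.te. If upsmon is the intended source, the line should read `manage_sock_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)`; if upsdrvctl really is meant, the rule belongs in that domain's section so the grant is easy to find.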
@@ -27231,7 +27256,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  /usr/sbin/postkick	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.if serefpolicy-3.7.19/policy/modules/services/postfix.if
 --- nsaserefpolicy/policy/modules/services/postfix.if	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/postfix.if	2010-08-10 16:47:59.294085327 +0200
++++ serefpolicy-3.7.19/policy/modules/services/postfix.if	2010-08-25 16:01:16.678085053 +0200
 @@ -46,6 +46,7 @@
  
  	allow postfix_$1_t postfix_etc_t:dir list_dir_perms;
@@ -27240,7 +27265,11 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  	can_exec(postfix_$1_t, postfix_$1_exec_t)
  
-@@ -79,6 +80,7 @@
+@@ -76,9 +77,11 @@
+ 
+ 	files_read_etc_files(postfix_$1_t)
+ 	files_read_etc_runtime_files(postfix_$1_t)
++	files_read_usr_files(postfix_$1_t)
  	files_read_usr_symlinks(postfix_$1_t)
  	files_search_spool(postfix_$1_t)
  	files_getattr_tmp_dirs(postfix_$1_t)
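Review bot: `files_read_usr_files(postfix_$1_t)` appears to sit in the shared postfix domain template, so every postfix domain instantiated from it gains read access to generic /usr files, not only the program that produced the denial. If a single program needs it, granting it in that domain's section of postfix.te would be narrower. Otherwise a comment such as `# <what the postfix programs read under /usr — fill in>` would record the reason. The template body starts and ends outside this hunk.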
@@ -27248,7 +27277,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  
  	init_dontaudit_use_fds(postfix_$1_t)
  	init_sigchld(postfix_$1_t)
-@@ -110,6 +112,13 @@
+@@ -110,6 +113,13 @@
  template(`postfix_server_domain_template',`
  	postfix_domain_template($1)
  
@@ -27262,7 +27291,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	allow postfix_$1_t self:capability { setuid setgid dac_override };
  	allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
  	allow postfix_$1_t self:tcp_socket create_socket_perms;
-@@ -174,9 +183,8 @@
+@@ -174,9 +184,8 @@
  		type postfix_etc_t;
  	')
  
@@ -27274,7 +27303,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	files_search_etc($1)
  ')
  
-@@ -232,6 +240,25 @@
+@@ -232,6 +241,25 @@
  
  ########################################
  ## <summary>
@@ -27300,7 +27329,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ##	Allow domain to read postfix local process state
  ## </summary>
  ## <param name="domain">
-@@ -349,6 +376,25 @@
+@@ -349,6 +377,25 @@
  	domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)
  ')
  
@@ -27326,7 +27355,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  ## <summary>
  ##	Execute the master postfix program in the
-@@ -368,6 +414,25 @@
+@@ -368,6 +415,25 @@
  	can_exec($1, postfix_master_exec_t)
  ')
  
@@ -27352,7 +27381,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ########################################
  ## <summary>
  ##	Create a named socket in a postfix private directory.
-@@ -378,7 +443,7 @@
+@@ -378,7 +444,7 @@
  ##	</summary>
  ## </param>
  #
@@ -27361,7 +27390,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	gen_require(`
  		type postfix_private_t;
  	')
-@@ -389,6 +454,25 @@
+@@ -389,6 +455,25 @@
  
  ########################################
  ## <summary>
@@ -27387,7 +27416,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ##	Execute the master postfix program in the
  ##	postfix_master domain.
  ## </summary>
-@@ -418,10 +502,10 @@
+@@ -418,10 +503,10 @@
  #
  interface(`postfix_search_spool',`
  	gen_require(`
@@ -27400,7 +27429,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  	files_search_spool($1)
  ')
  
-@@ -437,11 +521,30 @@
+@@ -437,11 +522,30 @@
  #
  interface(`postfix_list_spool',`
  	gen_require(`
@@ -27433,7 +27462,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  ########################################
-@@ -456,16 +559,16 @@
+@@ -456,16 +560,16 @@
  #
  interface(`postfix_read_spool_files',`
  	gen_require(`
@@ -27453,7 +27482,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ## </summary>
  ## <param name="domain">
  ##	<summary>
-@@ -475,11 +578,11 @@
+@@ -475,11 +579,11 @@
  #
  interface(`postfix_manage_spool_files',`
  	gen_require(`
@@ -27467,7 +27496,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/post
  ')
  
  ########################################
-@@ -500,3 +603,158 @@
+@@ -500,3 +604,158 @@
  
  	typeattribute $1 postfix_user_domtrans;
  ')
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 4005798..2af40c3 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 50%{?dist}
+Release: 51%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,10 @@ exit 0
 %endif
 
 %changelog
+* Wed Aug 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-51
+- Allow seunshare fowner capability
+- Allow dovecot to manage postfix privet socket
+
 * Tue Aug 24 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-50
 - Fixes for boinc policy
 - Fixes for shorewall policy

