[selinux-policy: 1900/3172] trunk: 8 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:49:14 UTC 2010


commit ee6608baebfeef44cd3595a1cc79568ab22a1548
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Feb 18 18:44:40 2008 +0000

    trunk: 8 patches from dan.

 man/man8/httpd_selinux.8          |    5 +++
 policy/modules/services/aide.if   |   37 +++++++++++++++++++++++++
 policy/modules/services/aide.te   |    2 +-
 policy/modules/services/amavis.if |   53 +++++++++++++++++++++++++++++++++++++
 policy/modules/services/amavis.te |    4 ++-
 policy/modules/system/fstools.if  |    4 +-
 policy/modules/system/fstools.te  |    7 +++--
 policy/modules/system/getty.te    |    7 ++++-
 policy/modules/system/hostname.te |   10 ++++++-
 policy/modules/system/ipsec.te    |    5 +++-
 policy/modules/system/iscsi.te    |    4 +-
 11 files changed, 126 insertions(+), 12 deletions(-)
---
diff --git a/man/man8/httpd_selinux.8 b/man/man8/httpd_selinux.8
index 7f14925..8e06a31 100644
--- a/man/man8/httpd_selinux.8
+++ b/man/man8/httpd_selinux.8
@@ -93,6 +93,11 @@ setsebool -P httpd_unified 0
 .EE
 
 .PP
+httpd can be configured to turn on sending email. By default http is not allowed to send mail.  This is a security feature, since it would prevent a vulnerabiltiy in http from causing a spam attack.  I certain situations, you may want http modules to send mail.  You can turn on the httpd_send_mail boolean.
+
+.EX
+setsebool -P httpd_can_sendmail 1
+.PP
 httpd can be configured to turn off internal scripting (PHP).  PHP and other
 loadable modules run under the same context as httpd. Therefore several policy rules allow httpd greater access to the system then is needed if you only use external cgi scripts.
 
diff --git a/policy/modules/services/aide.if b/policy/modules/services/aide.if
index 7f602c5..9cf2c59 100644
--- a/policy/modules/services/aide.if
+++ b/policy/modules/services/aide.if
@@ -49,3 +49,40 @@ interface(`aide_run',`
 	role $2 types aide_t;
 	allow aide_t $3:chr_file rw_chr_file_perms;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an aide environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the aide domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`aide_admin',`
+	gen_require(`
+		type aide_t, aide_db_t, aide_log_t;
+	')
+
+	allow $1 aide_t:process { ptrace signal_perms };
+	ps_process_pattern($1, aide_t)
+
+	files_list_etc($1)
+	manage_files_pattern($1, aide_db_t, aide_db_t)
+
+	logging_list_logs($1)
+	manage_all_pattern($1, aide_log_t, aide_log_t)
+')
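Review bot: The `role` and `terminal` parameters documented in the header of aide_admin are never used: nothing in the body references `$2` or `$3`, so a caller passing a role and terminal gets no role capability despite the `<rolecap/>` tag. aide_run, visible in the context at the top of the hunk, already takes exactly those three arguments, so adding `aide_run($1, $2, $3)` after the gen_require block would make the interface do what its documentation promises; otherwise the two `<param>` entries should be dropped so the docs match the body. amavis_admin in amavis.if has the same unused `$2`/`$3`. Separately, `manage_all_pattern($1, aide_log_t, aide_log_t)` differs from the `manage_files_pattern` used for every other type in this commit; if that pattern is not defined in this tree's support macros the module will not build, and if it is, it presumably grants more object classes than a log directory needs.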
diff --git a/policy/modules/services/aide.te b/policy/modules/services/aide.te
index 8f572f9..408961b 100644
--- a/policy/modules/services/aide.te
+++ b/policy/modules/services/aide.te
@@ -1,5 +1,5 @@
 
-policy_module(aide,1.3.0)
+policy_module(aide,1.3.1)
 
 ########################################
 #
diff --git a/policy/modules/services/amavis.if b/policy/modules/services/amavis.if
index 19a63ef..8366797 100644
--- a/policy/modules/services/amavis.if
+++ b/policy/modules/services/amavis.if
@@ -186,3 +186,56 @@ interface(`amavis_create_pid_files',`
 	allow $1 amavis_var_run_t:file create_file_perms;
 	files_search_pids($1)
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an amavis environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the amavis domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the user terminal.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`amavis_admin',`
+	gen_require(`
+		type amavis_t, amavis_tmp_t, amavis_log_t;
+		type amavis_spool_t, amavis_var_lib_t, amavis_var_run_t;
+		type amavis_etc_t, amavis_quarantine_t;
+	')
+
+	allow $1 amavis_t:process { ptrace signal_perms };
+	ps_process_pattern($1, amavis_t)
+        
+	files_list_tmp($1)
+	manage_files_pattern($1, amavis_tmp_t, amavis_tmp_t)
+
+	manage_files_pattern($1, amavis_quarantine_t, amavis_quarantine_t)
+
+	files_list_etc($1)
+	manage_files_pattern($1, amavis_etc_t, amavis_etc_t)
+
+	logging_list_logs($1)
+	manage_files_pattern($1, amavis_log_t, amavis_log_t)
+
+	files_list_spool($1)
+	manage_files_pattern($1, amavis_spool_t, amavis_spool_t)
+
+	files_list_var_lib($1)
+	manage_files_pattern($1, amavis_var_lib_t, amavis_var_lib_t)
+
+	files_list_pids($1)
+	manage_files_pattern($1, amavis_var_run_t, amavis_var_run_t)
+')
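Review bot: The line following `ps_process_pattern($1, amavis_t)` is whitespace-only (eight spaces) in a file that is otherwise tab-indented and uses empty lines as separators; it should be an empty line. Note also that the admin only gets `manage_files_pattern` on amavis_spool_t, amavis_var_lib_t and the other directory-backed types, while amavis_t itself uses `manage_dirs_pattern` on the spool (visible in the amavis.te hunk below), so an administrator will presumably be unable to create or remove subdirectories the daemon creates; adding the matching `manage_dirs_pattern($1, amavis_spool_t, amavis_spool_t)` calls would close that gap if it is intended.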
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 6473e5b..bbc190d 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
 
-policy_module(amavis,1.5.0)
+policy_module(amavis,1.5.1)
 
 ########################################
 #
@@ -65,6 +65,7 @@ manage_sock_files_pattern(amavis_t,amavis_quarantine_t,amavis_quarantine_t)
 # Spool Files
 manage_dirs_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 manage_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
+manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)
 manage_sock_files_pattern(amavis_t,amavis_spool_t,amavis_spool_t)
 filetrans_pattern(amavis_t,amavis_spool_t,amavis_var_run_t,sock_file)
 files_search_spool(amavis_t)
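Review bot: The added `manage_lnk_files_pattern(amavis_t, amavis_spool_t, amavis_spool_t)` uses spaces after the commas while every neighbouring pattern call in this block is written without them; keeping one form within a block makes grep-based policy audits more reliable. Either drop the spaces here or, if the tree is moving to the spaced form, convert the whole block in one change.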
@@ -116,6 +117,7 @@ corenet_tcp_connect_amavisd_send_port(amavis_t)
 # bind to incoming port
 corenet_tcp_bind_amavisd_recv_port(amavis_t)
 corenet_udp_bind_generic_port(amavis_t)
+corenet_dontaudit_udp_bind_all_ports(amavis_t)
 corenet_tcp_connect_razor_port(amavis_t)
 
 dev_read_rand(amavis_t)
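Review bot: `corenet_dontaudit_udp_bind_all_ports(amavis_t)` suppresses every UDP bind denial for the daemon, which hides misconfiguration and unexpected listeners as well as the one noisy case it was presumably added for, and nothing in the hunk records what that case is. A comment naming the trigger, e.g. `# amavisd binds an ephemeral UDP port for [REASON] — dontaudit rather than allow`, would let the next reviewer judge whether it is still needed. If the real requirement is a fixed port, binding that port explicitly, as the `corenet_udp_bind_generic_port` line above does, is narrower and keeps denials visible.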
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 640ce61..a5c3d69 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -81,10 +81,10 @@ interface(`fstools_exec',`
 #
 interface(`fstools_read_pipes',`
 	gen_require(`
-		type fsdaemon_t;
+		type fsadm_t;
 	')
 
-	allow $1 fsdaemon_t:fifo_file read_fifo_file_perms;
+	allow $1 fsadm_t:fifo_file read_fifo_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 34a1ca2..aa5d265 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,5 +1,5 @@
 
-policy_module(fstools,1.9.0)
+policy_module(fstools,1.9.1)
 
 ########################################
 #
@@ -109,8 +109,7 @@ storage_swapon_fixed_disk(fsadm_t)
 
 term_use_console(fsadm_t)
 
-corecmd_list_bin(fsadm_t)
-corecmd_read_bin_symlinks(fsadm_t)
+corecmd_exec_bin(fsadm_t)
 #RedHat bug #201164
 corecmd_exec_shell(fsadm_t)
 
@@ -132,6 +131,8 @@ files_etc_filetrans_etc_runtime(fsadm_t,file)
 # Access to /initrd devices
 files_rw_isid_type_dirs(fsadm_t)
 files_rw_isid_type_blk_files(fsadm_t)
+files_read_isid_type_files(fsadm_t)
+
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index ae1720e..395d0d6 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,5 +1,5 @@
 
-policy_module(getty,1.5.0)
+policy_module(getty,1.5.1)
 
 ########################################
 #
@@ -114,6 +114,11 @@ ifdef(`distro_gentoo',`
 	sysnet_dontaudit_read_config(getty_t)
 ')
 
+ifdef(`distro_redhat',`
+	# getty requires sys_admin #209426
+	allow getty_t self:capability sys_admin;
+')
+
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(getty_t)
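Review bot: `allow getty_t self:capability sys_admin;` grants the broadest capability in the set to a program that runs as root on every console before login, and the comment only cites a bug number without saying which operation triggers the check. If the denial is incidental (a probe that getty tolerates failing), `dontaudit getty_t self:capability sys_admin;` would silence it without granting it; if a real operation needs it, the comment should name that operation so the grant can be revisited, e.g. `# getty needs sys_admin for [OPERATION] (bug #209426)`.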
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 9961b9b..3b12003 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,5 +1,5 @@
 
-policy_module(hostname,1.4.0)
+policy_module(hostname,1.4.1)
 
 ########################################
 #
@@ -60,3 +60,11 @@ optional_policy(`
 	xen_append_log(hostname_t)
 	xen_dontaudit_use_fds(hostname_t)
 ')
+
+optional_policy(`
+	xen_append_log(hostname_t)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(hostname_t)
+')
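Review bot: The new `optional_policy` block containing `xen_append_log(hostname_t)` duplicates the rule already present in the block directly above it (visible as context at the start of the hunk), so it adds nothing and leaves two places to maintain. The first three added lines should be dropped, keeping only the `unconfined_dontaudit_rw_pipes(hostname_t)` block.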
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index aecb1b4..7e3ffa5 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.5.0)
+policy_module(ipsec,1.5.1)
 
 ########################################
 #
@@ -297,11 +297,14 @@ allow racoon_t ipsec_key_file_t:dir list_dir_perms;
 read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 
+kernel_read_system_state(racoon_t)
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
 corenet_tcp_bind_all_nodes(racoon_t)
+corenet_udp_bind_all_nodes(racoon_t)
 corenet_udp_bind_isakmp_port(racoon_t)
+corenet_udp_bind_ipsecnat_port(racoon_t)
 
 dev_read_urand(racoon_t)
 
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index 0c7fffc..37a6be8 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -1,5 +1,5 @@
 
-policy_module(iscsid,1.3.0)
+policy_module(iscsid,1.3.1)
 
 ########################################
 #
@@ -29,7 +29,7 @@ files_pid_file(iscsi_var_run_t)
 #
 
 allow iscsid_t self:capability { dac_override ipc_lock net_admin sys_nice sys_resource };
-allow iscsid_t self:process setsched;
+allow iscsid_t self:process { setrlimit setsched };
 allow iscsid_t self:fifo_file { read write };
 allow iscsid_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow iscsid_t self:unix_dgram_socket create_socket_perms;

