[selinux-policy/f13/master] - Fix httpd_setrlimit boolean to allow sys_resource capability - Allow lowatch to use zz-disk_space

Miroslav Grepl mgrepl at fedoraproject.org
Mon Oct 25 16:20:55 UTC 2010


commit bc5acd352f53d7f7020e80bda311cde1cf3b77e7
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Mon Oct 25 18:20:35 2010 +0200

    - Fix httpd_setrlimit boolean to allow sys_resource capability
    - Allow logwatch to use zz-disk_space logwatch script
    - Fix label for ip6tables.save
    - Allow ssh_t to exec ssh_exec_t

 policy-F13.patch    |   92 ++++++++++++++++++++++++++++++--------------------
 selinux-policy.spec |    8 ++++-
 2 files changed, 62 insertions(+), 38 deletions(-)
---
diff --git a/policy-F13.patch b/policy-F13.patch
index ec17a8c..78717b0 100644
--- a/policy-F13.patch
+++ b/policy-F13.patch
@@ -696,7 +696,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
 +/var/run/epylog\.pid	--	gen_context(system_u:object_r:logwatch_var_run_t,s0)    
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatch.te serefpolicy-3.7.19/policy/modules/admin/logwatch.te
 --- nsaserefpolicy/policy/modules/admin/logwatch.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te	2010-08-02 08:55:03.161641361 +0200
++++ serefpolicy-3.7.19/policy/modules/admin/logwatch.te	2010-10-25 10:18:24.897901204 +0200
 @@ -20,6 +20,9 @@
  type logwatch_tmp_t;
  files_tmp_file(logwatch_tmp_t)
@@ -718,7 +718,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  kernel_read_fs_sysctls(logwatch_t)
  kernel_read_kernel_sysctls(logwatch_t)
  kernel_read_system_state(logwatch_t)
-@@ -93,8 +100,8 @@
+@@ -93,12 +100,13 @@
  sysnet_exec_ifconfig(logwatch_t)
  
  userdom_dontaudit_search_user_home_dirs(logwatch_t)
@@ -728,7 +728,12 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/logwatc
  
  ifdef(`distro_redhat',`
  	files_search_all(logwatch_t)
-@@ -146,3 +153,26 @@
+ 	files_getattr_all_file_type_fs(logwatch_t)
++	files_getattr_all_files(logwatch_t)
+ ')
+ 
+ tunable_policy(`use_nfs_home_dirs',`
+@@ -146,3 +154,26 @@
  	samba_read_log(logwatch_t)
  	samba_read_share_files(logwatch_t)
  ')
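Review bot: The added `files_getattr_all_files(logwatch_t)` line grants logwatch_t getattr on every file type on the system, and nothing in the hunk records which script needs it; the commit message attributes it to the zz-disk_space logwatch script, so keep that attribution next to the rule, e.g. `# needed by the zz-disk_space logwatch script (stats all files)`, so it can be revisited if that script changes. The rule sits inside the `ifdef(`distro_redhat',` block that the hunk shows opening and closing, so it is unconditional on Red Hat builds rather than gated by a tunable; that is acceptable for a getattr-only permission but worth stating in the comment. The second header change in this hunk (`@@ -146,3 +154,26 @@`) is renumbering only.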
@@ -9910,7 +9915,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.fc serefpolicy-3.7.19/policy/modules/kernel/files.fc
 --- nsaserefpolicy/policy/modules/kernel/files.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/kernel/files.fc	2010-07-13 08:46:23.033752948 +0200
++++ serefpolicy-3.7.19/policy/modules/kernel/files.fc	2010-10-25 11:09:58.145663420 +0200
 @@ -18,6 +18,7 @@
  /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
  /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -9946,11 +9951,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.
  /etc/cups/client\.conf	--	gen_context(system_u:object_r:etc_t,s0)
  
  /etc/ipsec\.d/examples(/.*)?	gen_context(system_u:object_r:etc_t,s0)
-@@ -72,7 +81,8 @@
+@@ -71,8 +80,9 @@
+ /etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
  
  /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
- /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
+-/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
 -/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
++/etc/sysconfig/ip6?tables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
 +
 +/etc/xorg\.conf\.d/00-system-setup-keyboard\.conf --	gen_context(system_u:object_r:etc_runtime_t,s0)
  
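Review bot: The relabel of `/etc/sysconfig/iptables\.save` to `/etc/sysconfig/ip6?tables\.save` is written as a deletion of the old context line followed by an addition placed after the unrelated `firstboot` removal, which makes the rename hard to read as a single substitution; putting the `+/etc/sysconfig/ip6?tables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)` line directly under its `-` counterpart would make the intent obvious. The merged pattern now covers both `iptables.save` and `ip6tables.save` with the same etc_runtime_t label, which matches what the old single entry gave iptables.save, so the behaviour change is limited to the ip6tables file; this appears intended per the commit message but is worth confirming.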
@@ -15833,7 +15840,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.7.19/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/apache.te	2010-10-08 10:48:07.118901432 +0200
++++ serefpolicy-3.7.19/policy/modules/services/apache.te	2010-10-25 09:58:11.608650337 +0200
 @@ -19,11 +19,13 @@
  # Declarations
  #
@@ -16145,7 +16152,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_t)
  	fs_read_cifs_symlinks(httpd_t)
-@@ -484,9 +603,22 @@
+@@ -484,9 +603,23 @@
  	# allow httpd to connect to mail servers
  	corenet_tcp_connect_smtp_port(httpd_t)
  	corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -16163,12 +16170,13 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
 +
 +tunable_policy(`httpd_setrlimit',`
 +	allow httpd_t self:process setrlimit;
++	allow httpd_t self:capability sys_resource;
 +')    
 +
  tunable_policy(`httpd_ssi_exec',`
  	corecmd_shell_domtrans(httpd_t, httpd_sys_script_t)
  	allow httpd_sys_script_t httpd_t:fd use;
-@@ -500,8 +632,13 @@
+@@ -500,8 +633,13 @@
  # are dontaudited here.
  tunable_policy(`httpd_tty_comm',`
  	userdom_use_user_terminals(httpd_t)
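Review bot: The added `allow httpd_t self:capability sys_resource;` line means the `httpd_setrlimit` boolean now grants CAP_SYS_RESOURCE, which covers more than raising httpd's own rlimits (it is the capability behind overriding resource limits and quota checks), so the boolean's description in the tunable declaration, which is outside this hunk, should say so, e.g. `## Allow httpd daemon to change its resource limits (grants setrlimit and CAP_SYS_RESOURCE)`. Keeping the rule inside the `tunable_policy(`httpd_setrlimit',` block is the right shape, since the capability stays off unless an administrator enables the boolean. The closing `+')    ` line carries trailing whitespace and should be `+')`. The hunk header changes in the following apache.te hunks are renumbering only.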
@@ -16182,7 +16190,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -514,6 +651,9 @@
+@@ -514,6 +652,9 @@
  
  optional_policy(`
  	cobbler_search_lib(httpd_t)
@@ -16192,7 +16200,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -528,7 +668,7 @@
+@@ -528,7 +669,7 @@
  	daemontools_service_domain(httpd_t, httpd_exec_t)
  ')
  
@@ -16201,7 +16209,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	dbus_system_bus_client(httpd_t)
  
  	tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +677,12 @@
+@@ -537,8 +678,12 @@
  ')
  
  optional_policy(`
@@ -16215,7 +16223,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -556,7 +700,13 @@
+@@ -556,7 +701,13 @@
  ')
  
  optional_policy(`
@@ -16229,7 +16237,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	mysql_stream_connect(httpd_t)
  	mysql_rw_db_sockets(httpd_t)
  
-@@ -567,6 +717,7 @@
+@@ -567,6 +718,7 @@
  
  optional_policy(`
  	nagios_read_config(httpd_t)
@@ -16237,7 +16245,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -577,12 +728,23 @@
+@@ -577,12 +729,23 @@
  ')
  
  optional_policy(`
@@ -16261,7 +16269,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	')
  ')
  
-@@ -591,6 +753,11 @@
+@@ -591,6 +754,11 @@
  ')
  
  optional_policy(`
@@ -16273,7 +16281,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  	snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
  	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
  ')
-@@ -618,6 +785,10 @@
+@@ -618,6 +786,10 @@
  
  userdom_use_user_terminals(httpd_helper_t)
  
@@ -16284,7 +16292,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache PHP script local policy
-@@ -699,17 +870,18 @@
+@@ -699,17 +871,18 @@
  manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
  files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
  
@@ -16306,7 +16314,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -740,10 +912,21 @@
+@@ -740,10 +913,21 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
  ')
  
@@ -16329,7 +16337,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
-@@ -769,6 +952,12 @@
+@@ -769,6 +953,12 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -16342,7 +16350,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ########################################
  #
  # Apache system script local policy
-@@ -792,9 +981,13 @@
+@@ -792,9 +982,13 @@
  files_search_var_lib(httpd_sys_script_t)
  files_search_spool(httpd_sys_script_t)
  
@@ -16356,7 +16364,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ifdef(`distro_redhat',`
  	allow httpd_sys_script_t httpd_log_t:file append_file_perms;
  ')
-@@ -803,6 +996,28 @@
+@@ -803,6 +997,28 @@
  	mta_send_mail(httpd_sys_script_t)
  ')
  
@@ -16385,7 +16393,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
  	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
  	allow httpd_sys_script_t self:udp_socket create_socket_perms;
-@@ -830,6 +1045,16 @@
+@@ -830,6 +1046,16 @@
  	fs_read_nfs_symlinks(httpd_sys_script_t)
  ')
  
@@ -16402,7 +16410,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_sys_script_t)
  	fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,6 +1067,7 @@
+@@ -842,6 +1068,7 @@
  optional_policy(`
  	mysql_stream_connect(httpd_sys_script_t)
  	mysql_rw_db_sockets(httpd_sys_script_t)
@@ -16410,7 +16418,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apac
  ')
  
  optional_policy(`
-@@ -891,11 +1117,33 @@
+@@ -891,11 +1118,33 @@
  
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -26153,8 +26161,8 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nagi
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/networkmanager.fc serefpolicy-3.7.19/policy/modules/services/networkmanager.fc
 --- nsaserefpolicy/policy/modules/services/networkmanager.fc	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/networkmanager.fc	2010-05-28 09:42:00.133610558 +0200
-@@ -1,12 +1,32 @@
++++ serefpolicy-3.7.19/policy/modules/services/networkmanager.fc	2010-10-25 13:45:54.246900872 +0200
+@@ -1,12 +1,33 @@
 +/etc/rc\.d/init\.d/wicd		--	gen_context(system_u:object_r:NetworkManager_initrc_exec_t, s0)
 +/etc/NetworkManager/dispatcher\.d(/.*)	gen_context(system_u:object_r:NetworkManager_initrc_exec_t,s0)
 +/etc/wicd/manager-settings.conf -- gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
@@ -26179,6 +26187,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/netw
 +/etc/NetworkManager(/.*)? 	gen_context(system_u:object_r:NetworkManager_var_lib_t, s0)
 +
 +/var/log/wicd(/.*)? 			gen_context(system_u:object_r:NetworkManager_log_t,s0)
++/var/log/wicd\.log		--		gen_context(system_u:object_r:NetworkManager_log_t,s0)
  /var/log/wpa_supplicant.*	--	gen_context(system_u:object_r:NetworkManager_log_t,s0)
  
  /var/run/NetworkManager\.pid	--	gen_context(system_u:object_r:NetworkManager_var_run_t,s0)
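Review bot: The added `/var/log/wicd\.log` file context is not mentioned in the commit message or in the spec changelog hunk, which lists four items but not this one; it should be recorded there so the label change is traceable. The entry itself is needed, because the preceding `/var/log/wicd(/.*)?` pattern matches the `wicd` directory and its children but not a file named `wicd.log`. If the daemon rotates the log in place (producing `wicd.log.1` and similar), the `--` entry would not cover the rotated copies and a `/var/log/wicd\.log.*` pattern would be required instead; verify this against the package's logrotate configuration before widening it.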
@@ -35004,7 +35013,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.te serefpolicy-3.7.19/policy/modules/services/ssh.te
 --- nsaserefpolicy/policy/modules/services/ssh.te	2010-04-13 20:44:37.000000000 +0200
-+++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2010-08-04 15:01:13.430084931 +0200
++++ serefpolicy-3.7.19/policy/modules/services/ssh.te	2010-10-25 12:31:52.241650895 +0200
 @@ -34,6 +34,9 @@
  ssh_server_template(sshd)
  init_daemon_domain(sshd_t, sshd_exec_t)
@@ -35015,7 +35024,16 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  type sshd_key_t;
  files_type(sshd_key_t)
  
-@@ -114,6 +117,7 @@
+@@ -97,6 +100,8 @@
+ allow ssh_t self:msg { send receive };
+ allow ssh_t self:tcp_socket create_stream_socket_perms;
+ 
++can_exec(ssh_t, ssh_exec_t)
++
+ # Read the ssh key file.
+ allow ssh_t sshd_key_t:file read_file_perms;
+ 
+@@ -114,6 +119,7 @@
  manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t)
  manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file })
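Review bot: The new `can_exec(ssh_t, ssh_exec_t)` rule lets the ssh client execute the ssh binary again while staying in ssh_t, and unlike the neighbouring rules in this file (`# Read the ssh key file.`) it has no comment saying what requires it; add one naming the reported use case, e.g. `# ssh may re-exec the ssh binary without a domain change (e.g. ProxyCommand) -- confirm against the denial that motivated this`. Because the rule is unconditional rather than placed under a tunable, a reader will want the motivation on the line to judge whether it should later move behind a boolean. The following `@@ -114,6 +119,7 @@` header change and the later ssh.te hunks are renumbering only.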
@@ -35023,7 +35041,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  # Allow the ssh program to communicate with ssh-agent.
  stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type)
-@@ -125,9 +129,10 @@
+@@ -125,9 +131,10 @@
  read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t)
  
  # ssh servers can read the user keys and config
@@ -35037,7 +35055,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  kernel_read_kernel_sysctls(ssh_t)
  kernel_read_system_state(ssh_t)
-@@ -139,6 +144,8 @@
+@@ -139,6 +146,8 @@
  corenet_tcp_sendrecv_all_ports(ssh_t)
  corenet_tcp_connect_ssh_port(ssh_t)
  corenet_sendrecv_ssh_client_packets(ssh_t)
@@ -35046,7 +35064,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  dev_read_urand(ssh_t)
  
-@@ -170,8 +177,10 @@
+@@ -170,8 +179,10 @@
  userdom_search_user_home_dirs(ssh_t)
  # Write to the user domain tty.
  userdom_use_user_terminals(ssh_t)
@@ -35058,7 +35076,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  
  tunable_policy(`allow_ssh_keysign',`
  	domain_auto_trans(ssh_t, ssh_keysign_exec_t, ssh_keysign_t)
-@@ -282,6 +291,8 @@
+@@ -282,6 +293,8 @@
  allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
  allow sshd_t self:key { search link write };
  
@@ -35067,7 +35085,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
  manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
-@@ -290,24 +301,34 @@
+@@ -290,24 +303,34 @@
  kernel_search_key(sshd_t)
  kernel_link_key(sshd_t)
  
@@ -35106,7 +35124,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -315,7 +336,12 @@
+@@ -315,7 +338,12 @@
  ')
  
  optional_policy(`
@@ -35120,7 +35138,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  ')
  
  optional_policy(`
-@@ -323,6 +349,10 @@
+@@ -323,6 +351,10 @@
  ')
  
  optional_policy(`
@@ -35131,7 +35149,7 @@ diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/ssh.
  	rpm_use_script_fds(sshd_t)
  ')
  
-@@ -333,10 +363,18 @@
+@@ -333,10 +365,18 @@
  ')
  
  optional_policy(`
diff --git a/selinux-policy.spec b/selinux-policy.spec
index f70331c..444a548 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -20,7 +20,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 3.7.19
-Release: 67%{?dist}
+Release: 68%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: serefpolicy-%{version}.tgz
@@ -469,6 +469,12 @@ exit 0
 %endif
 
 %changelog
+* Mon Oct 25 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-68
+- Fix httpd_setrlimit boolean to allow sys_resource capability
+- Allow lowatch to use zz-disk_space logwatch script
+- Fix label for ip6tables.save
+- Allow ssh_t to exec ssh_exec_t
+
 * Mon Oct 18 2010 Miroslav Grepl <mgrepl at redhat.com> 3.7.19-67
 - Fixes for sandbox policy
 - Allow chromium-browser to read gnome homedir content

