[selinux-policy/f16] - Add httpd_verify_dns boolean - Add label for log directory under /var/www/stickshift - Allow opens
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Oct 31 11:31:27 UTC 2012
commit 9ac3bc40b99097c62dea36322accb3f493bd78f8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed Oct 31 12:30:17 2012 +0100
- Add httpd_verify_dns boolean
- Add label for log directory under /var/www/stickshift
- Allow openshift domains to use /dev/shm
- Dontaudit leaked fifo files from openshift to ping
- Allow nsswitch domains to read SAMBA conf files
policy-F16.patch | 156 +++++++++++++++++++++++++++++----------------------
selinux-policy.spec | 9 +++-
2 files changed, 96 insertions(+), 69 deletions(-)
---
diff --git a/policy-F16.patch b/policy-F16.patch
index 084d39f..054953e 100644
--- a/policy-F16.patch
+++ b/policy-F16.patch
@@ -1815,7 +1815,7 @@ index c6ca761..46e0767 100644
')
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
-index e0791b9..d84d16a 100644
+index e0791b9..faaa201 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -48,6 +48,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
@@ -1864,7 +1864,7 @@ index e0791b9..d84d16a 100644
ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
-@@ -145,11 +150,29 @@ ifdef(`hide_broken_symptoms',`
+@@ -145,11 +150,30 @@ ifdef(`hide_broken_symptoms',`
')
')
@@ -1888,13 +1888,14 @@ index e0791b9..d84d16a 100644
+
+optional_policy(`
+ openshift_rw_inherited_content(ping_t)
++ openshift_dontaudit_rw_inherited_fifo_files(ping_t)
+')
+
+optional_policy(`
pcmcia_use_cardmgr_fds(ping_t)
')
-@@ -157,6 +180,10 @@ optional_policy(`
+@@ -157,6 +181,10 @@ optional_policy(`
hotplug_use_fds(ping_t)
')
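Review bot: The added `openshift_dontaudit_rw_inherited_fifo_files(ping_t)` calls an interface that nothing in this commit defines; the openshift.if section is not among the changed files (its `index 0000000..681f8a0` header appears only as unchanged context further down), so the interface presumably already exists in the previous revision of the patch, but that is worth confirming because a missing interface only surfaces at module build time. The rule is a dontaudit, so it silences the denials caused by fifo descriptors leaked from openshift into ping rather than closing the leak; a one-line comment above the call, `# fifo fds leaked by openshift into ping; silence the denials rather than grant access`, would record that this is deliberate. The enclosing `optional_policy` block opens and closes inside this hunk.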
@@ -1905,7 +1906,7 @@ index e0791b9..d84d16a 100644
########################################
#
# Traceroute local policy
-@@ -194,6 +221,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
+@@ -194,6 +222,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t)
domain_use_interactive_fds(traceroute_t)
files_read_etc_files(traceroute_t)
@@ -1913,7 +1914,7 @@ index e0791b9..d84d16a 100644
files_dontaudit_search_var(traceroute_t)
init_use_fds(traceroute_t)
-@@ -204,9 +232,16 @@ logging_send_syslog_msg(traceroute_t)
+@@ -204,9 +233,16 @@ logging_send_syslog_msg(traceroute_t)
miscfiles_read_localization(traceroute_t)
@@ -25622,7 +25623,7 @@ index deca9d3..ac92fce 100644
')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
-index 9e39aa5..726e9d6 100644
+index 9e39aa5..203a5aa 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -1,21 +1,30 @@
@@ -25746,7 +25747,7 @@ index 9e39aa5..726e9d6 100644
/var/run/gcache_port -s gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/httpd.* gen_context(system_u:object_r:httpd_var_run_t,s0)
/var/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -105,7 +129,30 @@ ifdef(`distro_debian', `
+@@ -105,7 +129,31 @@ ifdef(`distro_debian', `
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
@@ -25769,6 +25770,7 @@ index 9e39aa5..726e9d6 100644
+/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
+
++/var/www/stickshift/[^/]*/log(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+/var/www/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/www/svn/hooks(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
+/var/www/svn/conf(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -26472,22 +26474,15 @@ index 6480167..eeb2953 100644
+ filetrans_pattern($1, { httpd_user_content_t httpd_user_script_exec_t }, httpd_user_htaccess_t, file, ".htaccess")
')
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
-index 3136c6a..a77ef51 100644
+index 3136c6a..fcb45ba 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
-@@ -18,130 +18,246 @@ policy_module(apache, 2.2.1)
+@@ -18,130 +18,253 @@ policy_module(apache, 2.2.1)
# Declarations
#
+selinux_genbool(httpd_bool_t)
+
-+## <desc>
-+## <p>
-+## Allow Apache to run in stickshift mode, not transition to passenger
-+## </p>
-+## </desc>
-+gen_tunable(httpd_run_stickshift, false)
-+
## <desc>
-## <p>
-## Allow Apache to modify public files
@@ -26612,17 +26607,17 @@ index 3136c6a..a77ef51 100644
gen_tunable(httpd_can_sendmail, false)
+
-+## <desc>
+ ## <desc>
+-## <p>
+-## Allow Apache to communicate with avahi service via dbus
+-## </p>
+## <p>
+## Allow http daemon to connect to zabbix
+## </p>
+## </desc>
+gen_tunable(httpd_can_connect_zabbix, false)
+
- ## <desc>
--## <p>
--## Allow Apache to communicate with avahi service via dbus
--## </p>
++## <desc>
+## <p>
+## Allow http daemon to check spam
+## </p>
@@ -26686,7 +26681,6 @@ index 3136c6a..a77ef51 100644
## <desc>
-## <p>
-## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
--## </p>
+## <p>
+## Allow httpd to read user content
+## </p>
@@ -26695,9 +26689,23 @@ index 3136c6a..a77ef51 100644
+
+## <desc>
+## <p>
-+## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++## Allow Apache to run in stickshift mode, not transition to passenger
+## </p>
++## </desc>
++gen_tunable(httpd_run_stickshift, false)
++
++## <desc>
++## <p>
++## Allow Apache to query NS records
+ ## </p>
## </desc>
++gen_tunable(httpd_verify_dns, false)
++
++## <desc>
++## <p>
++## Allow HTTPD to run SSI executables in the same domain as system CGI scripts.
++## </p>
++## </desc>
gen_tunable(httpd_ssi_exec, false)
## <desc>
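Review bot: The `<desc>` text for the new `httpd_verify_dns` tunable, `Allow Apache to query NS records`, does not describe what enabling the boolean actually grants: the matching `tunable_policy` block later in this patch adds `corenet_udp_bind_all_ephemeral_ports(httpd_t)`, i.e. permission to bind any ephemeral UDP port, presumably needed because the resolver binds a randomized source port for its queries when httpd does hostname lookups on client addresses. Since this text is what an administrator sees when deciding whether to turn the boolean on, it should name the privilege, e.g. `## Allow httpd to bind UDP ephemeral ports, needed when it performs DNS lookups (for example HostnameLookups) on client addresses`. The boolean defaults to false, so this is a documentation change only.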
@@ -26778,7 +26786,7 @@ index 3136c6a..a77ef51 100644
attribute httpdcontent;
attribute httpd_user_content_type;
-@@ -166,7 +282,7 @@ files_type(httpd_cache_t)
+@@ -166,7 +289,7 @@ files_type(httpd_cache_t)
# httpd_config_t is the type given to the configuration files
type httpd_config_t;
@@ -26787,7 +26795,7 @@ index 3136c6a..a77ef51 100644
type httpd_helper_t;
type httpd_helper_exec_t;
-@@ -177,6 +293,9 @@ role system_r types httpd_helper_t;
+@@ -177,6 +300,9 @@ role system_r types httpd_helper_t;
type httpd_initrc_exec_t;
init_script_file(httpd_initrc_exec_t)
@@ -26797,7 +26805,7 @@ index 3136c6a..a77ef51 100644
type httpd_lock_t;
files_lock_file(httpd_lock_t)
-@@ -216,7 +335,17 @@ files_tmp_file(httpd_suexec_tmp_t)
+@@ -216,7 +342,17 @@ files_tmp_file(httpd_suexec_tmp_t)
# setup the system domain for system CGI scripts
apache_content_template(sys)
@@ -26816,7 +26824,7 @@ index 3136c6a..a77ef51 100644
type httpd_tmp_t;
files_tmp_file(httpd_tmp_t)
-@@ -226,6 +355,10 @@ files_tmpfs_file(httpd_tmpfs_t)
+@@ -226,6 +362,10 @@ files_tmpfs_file(httpd_tmpfs_t)
apache_content_template(user)
ubac_constrained(httpd_user_script_t)
@@ -26827,7 +26835,7 @@ index 3136c6a..a77ef51 100644
userdom_user_home_content(httpd_user_content_t)
userdom_user_home_content(httpd_user_htaccess_t)
userdom_user_home_content(httpd_user_script_exec_t)
-@@ -233,6 +366,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
+@@ -233,6 +373,7 @@ userdom_user_home_content(httpd_user_ra_content_t)
userdom_user_home_content(httpd_user_rw_content_t)
typeattribute httpd_user_script_t httpd_script_domains;
typealias httpd_user_content_t alias { httpd_staff_content_t httpd_sysadm_content_t };
@@ -26835,7 +26843,7 @@ index 3136c6a..a77ef51 100644
typealias httpd_user_content_t alias { httpd_auditadm_content_t httpd_secadm_content_t };
typealias httpd_user_content_t alias { httpd_staff_script_ro_t httpd_sysadm_script_ro_t };
typealias httpd_user_content_t alias { httpd_auditadm_script_ro_t httpd_secadm_script_ro_t };
-@@ -254,14 +388,23 @@ files_type(httpd_var_lib_t)
+@@ -254,14 +395,23 @@ files_type(httpd_var_lib_t)
type httpd_var_run_t;
files_pid_file(httpd_var_run_t)
@@ -26859,7 +26867,7 @@ index 3136c6a..a77ef51 100644
########################################
#
# Apache server local policy
-@@ -281,11 +424,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
+@@ -281,11 +431,13 @@ allow httpd_t self:unix_dgram_socket { create_socket_perms sendto };
allow httpd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow httpd_t self:tcp_socket create_stream_socket_perms;
allow httpd_t self:udp_socket create_socket_perms;
@@ -26873,7 +26881,7 @@ index 3136c6a..a77ef51 100644
# Allow the httpd_t to read the web servers config files
allow httpd_t httpd_config_t:dir list_dir_perms;
-@@ -329,8 +474,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
+@@ -329,8 +481,9 @@ allow httpd_t httpd_sys_script_t:unix_stream_socket connectto;
manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
@@ -26884,7 +26892,7 @@ index 3136c6a..a77ef51 100644
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-@@ -339,8 +485,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+@@ -339,8 +492,9 @@ manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
@@ -26895,7 +26903,7 @@ index 3136c6a..a77ef51 100644
setattr_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
manage_dirs_pattern(httpd_t, httpd_var_run_t, httpd_var_run_t)
-@@ -355,6 +502,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
+@@ -355,6 +509,9 @@ manage_lnk_files_pattern(httpd_t, squirrelmail_spool_t, squirrelmail_spool_t)
kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
@@ -26905,7 +26913,7 @@ index 3136c6a..a77ef51 100644
corenet_all_recvfrom_unlabeled(httpd_t)
corenet_all_recvfrom_netlabel(httpd_t)
-@@ -365,11 +515,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
+@@ -365,11 +522,19 @@ corenet_udp_sendrecv_generic_node(httpd_t)
corenet_tcp_sendrecv_all_ports(httpd_t)
corenet_udp_sendrecv_all_ports(httpd_t)
corenet_tcp_bind_generic_node(httpd_t)
@@ -26926,7 +26934,7 @@ index 3136c6a..a77ef51 100644
dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
-@@ -378,12 +536,12 @@ dev_rw_crypto(httpd_t)
+@@ -378,12 +543,12 @@ dev_rw_crypto(httpd_t)
fs_getattr_all_fs(httpd_t)
fs_search_auto_mountpoints(httpd_t)
@@ -26942,7 +26950,7 @@ index 3136c6a..a77ef51 100644
domain_use_interactive_fds(httpd_t)
-@@ -391,6 +549,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
+@@ -391,6 +556,7 @@ files_dontaudit_getattr_all_pids(httpd_t)
files_read_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
@@ -26950,7 +26958,7 @@ index 3136c6a..a77ef51 100644
files_read_var_lib_files(httpd_t)
files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
-@@ -402,48 +561,101 @@ files_read_etc_files(httpd_t)
+@@ -402,48 +568,101 @@ files_read_etc_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
fs_search_auto_mountpoints(httpd_sys_script_t)
@@ -27054,7 +27062,7 @@ index 3136c6a..a77ef51 100644
')
tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
-@@ -454,27 +666,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
+@@ -454,27 +673,61 @@ tunable_policy(`httpd_enable_cgi && httpd_use_cifs',`
fs_cifs_domtrans(httpd_t, httpd_sys_script_t)
')
@@ -27118,7 +27126,7 @@ index 3136c6a..a77ef51 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_t)
fs_read_cifs_symlinks(httpd_t)
-@@ -484,7 +730,22 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -484,7 +737,22 @@ tunable_policy(`httpd_can_sendmail',`
# allow httpd to connect to mail servers
corenet_tcp_connect_smtp_port(httpd_t)
corenet_sendrecv_smtp_client_packets(httpd_t)
@@ -27141,7 +27149,7 @@ index 3136c6a..a77ef51 100644
')
tunable_policy(`httpd_ssi_exec',`
-@@ -499,9 +760,19 @@ tunable_policy(`httpd_ssi_exec',`
+@@ -499,9 +767,19 @@ tunable_policy(`httpd_ssi_exec',`
# to run correctly without this permission, so the permission
# are dontaudited here.
tunable_policy(`httpd_tty_comm',`
@@ -27162,7 +27170,7 @@ index 3136c6a..a77ef51 100644
')
optional_policy(`
-@@ -513,7 +784,13 @@ optional_policy(`
+@@ -513,7 +791,13 @@ optional_policy(`
')
optional_policy(`
@@ -27177,7 +27185,7 @@ index 3136c6a..a77ef51 100644
')
optional_policy(`
-@@ -528,7 +805,19 @@ optional_policy(`
+@@ -528,7 +812,19 @@ optional_policy(`
daemontools_service_domain(httpd_t, httpd_exec_t)
')
@@ -27198,7 +27206,7 @@ index 3136c6a..a77ef51 100644
dbus_system_bus_client(httpd_t)
tunable_policy(`httpd_dbus_avahi',`
-@@ -537,8 +826,13 @@ optional_policy(`
+@@ -537,8 +833,13 @@ optional_policy(`
')
optional_policy(`
@@ -27213,7 +27221,7 @@ index 3136c6a..a77ef51 100644
')
')
-@@ -556,7 +850,21 @@ optional_policy(`
+@@ -556,7 +857,21 @@ optional_policy(`
')
optional_policy(`
@@ -27235,7 +27243,7 @@ index 3136c6a..a77ef51 100644
mysql_stream_connect(httpd_t)
mysql_rw_db_sockets(httpd_t)
-@@ -567,6 +875,7 @@ optional_policy(`
+@@ -567,6 +882,7 @@ optional_policy(`
optional_policy(`
nagios_read_config(httpd_t)
@@ -27243,10 +27251,15 @@ index 3136c6a..a77ef51 100644
')
optional_policy(`
-@@ -577,6 +886,47 @@ optional_policy(`
+@@ -576,6 +892,51 @@ optional_policy(`
+ openca_kill(httpd_t)
')
- optional_policy(`
++tunable_policy(`httpd_verify_dns',`
++ corenet_udp_bind_all_ephemeral_ports(httpd_t)
++')
++
++optional_policy(`
+ tunable_policy(`httpd_run_stickshift', `
+ allow httpd_t self:capability { fowner fsetid sys_resource };
+ dontaudit httpd_t self:capability sys_ptrace;
@@ -27287,11 +27300,10 @@ index 3136c6a..a77ef51 100644
+ rpc_search_nfs_state_data(httpd_t)
+')
+
-+optional_policy(`
+ optional_policy(`
# Allow httpd to work with postgresql
postgresql_stream_connect(httpd_t)
- postgresql_unpriv_client(httpd_t)
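Review bot: The new `tunable_policy` block for `httpd_verify_dns` is wedged between two `optional_policy` blocks (the openca block before it and the stickshift block after it) in the optional-policy section of apache.te, while the other httpd tunables visible earlier in this patch (`httpd_can_sendmail`, `httpd_ssi_exec`, `httpd_tty_comm`) are grouped ahead of the first `optional_policy(`. Moving it up next to those keeps the file's section structure and makes the re-marking of the surrounding `optional_policy(` context lines in this hunk unnecessary. `corenet_udp_bind_all_ephemeral_ports` grants name_bind on every ephemeral UDP port rather than anything DNS-specific; that is the usual refpolicy granularity, but a comment above the call such as `# resolver binds a random UDP source port for DNS queries` would explain why binding, not just sending, is required.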
-@@ -591,6 +941,11 @@ optional_policy(`
+@@ -591,6 +952,11 @@ optional_policy(`
')
optional_policy(`
@@ -27303,7 +27315,7 @@ index 3136c6a..a77ef51 100644
snmp_dontaudit_read_snmp_var_lib_files(httpd_t)
snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
')
-@@ -603,6 +958,12 @@ optional_policy(`
+@@ -603,6 +969,12 @@ optional_policy(`
yam_read_content(httpd_t)
')
@@ -27316,7 +27328,7 @@ index 3136c6a..a77ef51 100644
########################################
#
# Apache helper local policy
-@@ -616,7 +977,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
+@@ -616,7 +988,11 @@ allow httpd_helper_t httpd_log_t:file append_file_perms;
logging_send_syslog_msg(httpd_helper_t)
@@ -27329,7 +27341,7 @@ index 3136c6a..a77ef51 100644
########################################
#
-@@ -654,28 +1019,30 @@ libs_exec_lib_files(httpd_php_t)
+@@ -654,28 +1030,30 @@ libs_exec_lib_files(httpd_php_t)
userdom_use_unpriv_users_fds(httpd_php_t)
tunable_policy(`httpd_can_network_connect_db',`
@@ -27373,7 +27385,7 @@ index 3136c6a..a77ef51 100644
')
########################################
-@@ -685,6 +1052,8 @@ optional_policy(`
+@@ -685,6 +1063,8 @@ optional_policy(`
allow httpd_suexec_t self:capability { setuid setgid };
allow httpd_suexec_t self:process signal_perms;
@@ -27382,7 +27394,7 @@ index 3136c6a..a77ef51 100644
allow httpd_suexec_t self:unix_stream_socket create_stream_socket_perms;
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
-@@ -699,17 +1068,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
+@@ -699,17 +1079,22 @@ manage_dirs_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
manage_files_pattern(httpd_suexec_t, httpd_suexec_tmp_t, httpd_suexec_tmp_t)
files_tmp_filetrans(httpd_suexec_t, httpd_suexec_tmp_t, { file dir })
@@ -27408,7 +27420,7 @@ index 3136c6a..a77ef51 100644
files_read_etc_files(httpd_suexec_t)
files_read_usr_files(httpd_suexec_t)
-@@ -740,13 +1114,31 @@ tunable_policy(`httpd_can_network_connect',`
+@@ -740,13 +1125,31 @@ tunable_policy(`httpd_can_network_connect',`
corenet_sendrecv_all_client_packets(httpd_suexec_t)
')
@@ -27441,7 +27453,7 @@ index 3136c6a..a77ef51 100644
fs_read_nfs_files(httpd_suexec_t)
fs_read_nfs_symlinks(httpd_suexec_t)
fs_exec_nfs_files(httpd_suexec_t)
-@@ -769,6 +1161,25 @@ optional_policy(`
+@@ -769,6 +1172,25 @@ optional_policy(`
dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
')
@@ -27467,7 +27479,7 @@ index 3136c6a..a77ef51 100644
########################################
#
# Apache system script local policy
-@@ -789,12 +1200,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
+@@ -789,12 +1211,17 @@ read_lnk_files_pattern(httpd_sys_script_t, squirrelmail_spool_t, squirrelmail_sp
kernel_read_kernel_sysctls(httpd_sys_script_t)
@@ -27485,7 +27497,7 @@ index 3136c6a..a77ef51 100644
ifdef(`distro_redhat',`
allow httpd_sys_script_t httpd_log_t:file append_file_perms;
')
-@@ -803,18 +1219,50 @@ tunable_policy(`httpd_can_sendmail',`
+@@ -803,18 +1230,50 @@ tunable_policy(`httpd_can_sendmail',`
mta_send_mail(httpd_sys_script_t)
')
@@ -27542,7 +27554,7 @@ index 3136c6a..a77ef51 100644
corenet_tcp_sendrecv_all_ports(httpd_sys_script_t)
corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
corenet_tcp_connect_all_ports(httpd_sys_script_t)
-@@ -822,14 +1270,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
+@@ -822,14 +1281,39 @@ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect',`
')
tunable_policy(`httpd_enable_homedirs',`
@@ -27583,7 +27595,7 @@ index 3136c6a..a77ef51 100644
tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(httpd_sys_script_t)
fs_read_cifs_symlinks(httpd_sys_script_t)
-@@ -842,10 +1315,20 @@ optional_policy(`
+@@ -842,10 +1326,20 @@ optional_policy(`
optional_policy(`
mysql_stream_connect(httpd_sys_script_t)
mysql_rw_db_sockets(httpd_sys_script_t)
@@ -27604,7 +27616,7 @@ index 3136c6a..a77ef51 100644
')
########################################
-@@ -891,11 +1374,49 @@ optional_policy(`
+@@ -891,11 +1385,49 @@ optional_policy(`
tunable_policy(`httpd_enable_cgi && httpd_unified',`
allow httpd_user_script_t httpdcontent:file entrypoint;
@@ -27622,13 +27634,13 @@ index 3136c6a..a77ef51 100644
+ userdom_search_user_home_content(httpd_t)
+ userdom_search_user_home_content(httpd_suexec_t)
+ userdom_search_user_home_content(httpd_user_script_t)
-+')
+ ')
+
+tunable_policy(`httpd_read_user_content',`
+ userdom_read_user_home_content_files(httpd_t)
+ userdom_read_user_home_content_files(httpd_suexec_t)
+ userdom_read_user_home_content_files(httpd_user_script_t)
- ')
++')
+
+########################################
+#
@@ -50574,10 +50586,10 @@ index 0000000..681f8a0
+')
diff --git a/policy/modules/services/openshift.te b/policy/modules/services/openshift.te
new file mode 100644
-index 0000000..fa79ac6
+index 0000000..d41f31a
--- /dev/null
+++ b/policy/modules/services/openshift.te
-@@ -0,0 +1,355 @@
+@@ -0,0 +1,362 @@
+policy_module(openshift,1.0.0)
+
+gen_require(`
@@ -50607,6 +50619,9 @@ index 0000000..fa79ac6
+oddjob_system_entry(openshift_initrc_t, openshift_initrc_exec_t)
+domain_obj_id_change_exemption(openshift_initrc_t)
+
++type openshift_tmpfs_t;
++files_tmpfs_file(openshift_tmpfs_t)
++
+type openshift_initrc_tmp_t;
+files_tmp_file(openshift_initrc_tmp_t)
+
@@ -50714,6 +50729,10 @@ index 0000000..fa79ac6
+dontaudit openshift_domain openshift_file_type:dir search_dir_perms
+;
+
++manage_dirs_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++manage_files_pattern(openshift_domain, openshift_tmpfs_t, openshift_tmpfs_t)
++fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })
++
+manage_dirs_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_fifo_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
+manage_files_pattern(openshift_domain, openshift_tmp_t, openshift_tmp_t)
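Review bot: `fs_tmpfs_filetrans(openshift_domain, openshift_tmpfs_t, { dir file })` transitions only directories and regular files, and only `manage_dirs_pattern` / `manage_files_pattern` are granted on `openshift_tmpfs_t`, so any socket, fifo or symlink an openshift application creates under /dev/shm keeps the generic tmpfs label and is denied; compare the `httpd_t` rules earlier in this patch, which transition `{ dir file lnk_file sock_file fifo_file }`. The narrower set is the safer default, but if it is deliberate a comment above the block, `# only dirs and plain files are expected in /dev/shm; widen on demand`, would stop the next maintainer widening it by reflex, and if it is an oversight the missing patterns should be added now rather than after denials appear. The type itself is declared in the `openshift_initrc_t` declaration section although it is used by the whole `openshift_domain` attribute; placing it beside the other domain-wide types would presumably read better.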
@@ -70782,7 +70801,7 @@ index 73554ec..cd2c7cc 100644
+ logging_log_named_filetrans($1, wtmp_t, file, "wtmp")
+')
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
-index b7a5f00..c175fd9 100644
+index b7a5f00..b2cdd68 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,25 @@ policy_module(authlogin, 2.2.1)
@@ -70863,7 +70882,7 @@ index b7a5f00..c175fd9 100644
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
-@@ -388,10 +409,72 @@ ifdef(`distro_ubuntu',`
+@@ -388,10 +409,73 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
@@ -70937,6 +70956,7 @@ index b7a5f00..c175fd9 100644
+optional_policy(`
+ samba_stream_connect_winbind(nsswitch_domain)
+ samba_read_var_files(nsswitch_domain)
++ samba_read_config(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
')
diff --git a/policy/modules/system/clock.if b/policy/modules/system/clock.if
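Review bot: `samba_read_config(nsswitch_domain)` grants every domain carrying the `nsswitch_domain` attribute read access to the samba configuration, unconditionally inside the samba `optional_policy` block, which is a large audience for a server configuration file; the adjacent `samba_read_var_files` and `samba_dontaudit_write_var_files` lines follow the same broad-attribute pattern, so this is consistent, but the commit message only says the domains need it without naming the consumer. A comment above the call such as `# nss_wins / winbind clients parse smb.conf for workgroup and name-resolution settings` would document why the whole attribute rather than one domain needs the rule; confirm that this is the actual trigger rather than a single domain's denial that could be granted more narrowly. The enclosing `optional_policy` block opens and closes inside this hunk.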
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d965116..2c8b14a 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.10.0
-Release: 93%{?dist}
+Release: 94%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -466,6 +466,13 @@ SELinux Reference policy mls base module.
%endif
%changelog
+* Wed Oct 31 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-94
+- Add httpd_verify_dns boolean
+- Add label for log directory under /var/www/stickshift
+- Allow openshift domains to use /dev/shm
+- Dontaudit leaked fifo files from openshift to ping
+- Allow nsswitch domains to read SAMBA conf files
+
* Mon Oct 22 2012 Miroslav Grepl <mgrepl at redhat.com> 3.10.0-93
- Add labeling for mcollectived
- Allow openshift domains to read localization