rpms/selinux-policy/F-8 policy-20070703.patch, 1.200, 1.201 selinux-policy.spec, 1.626, 1.627
Daniel J Walsh (dwalsh)
fedora-extras-commits at redhat.com
Tue Apr 15 20:26:37 UTC 2008
Author: dwalsh
Update of /cvs/extras/rpms/selinux-policy/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9581
Modified Files:
policy-20070703.patch selinux-policy.spec
Log Message:
* Tue Apr 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-100
- Dontaudit validating context when using kerberos libraries
- Allow postfix_virtual write access to postfix_private sockets
policy-20070703.patch:
Index: policy-20070703.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/policy-20070703.patch,v
retrieving revision 1.200
retrieving revision 1.201
diff -u -r1.200 -r1.201
--- policy-20070703.patch 15 Apr 2008 16:57:03 -0000 1.200
+++ policy-20070703.patch 15 Apr 2008 20:26:28 -0000 1.201
@@ -6393,7 +6393,7 @@
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/selinux.if serefpolicy-3.0.8/policy/modules/kernel/selinux.if
--- nsaserefpolicy/policy/modules/kernel/selinux.if 2007-10-22 13:21:42.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/kernel/selinux.if 2008-04-15 13:51:50.000000000 -0400
@@ -138,6 +138,7 @@
type security_t;
')
@@ -6460,7 +6460,36 @@
if(!secure_mode_policyload) {
allow $1 security_t:security setbool;
-@@ -463,3 +495,23 @@
+@@ -336,6 +368,28 @@
+
+ ########################################
+ ## <summary>
++## dontaudit caller to validate security contexts.
++## </summary>
++## <param name="domain">
++## <summary>
++## The process type permitted to validate contexts.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`selinux_dontaudit_validate_context',`
++ gen_require(`
++ type security_t;
++ ')
++
++ dontaudit $1 security_t:dir list_dir_perms;
++ dontaudit $1 security_t:file { getattr read write };
++ dontaudit $1 security_t:security check_context;
++')
++
++
++########################################
++## <summary>
+ ## Allows caller to compute an access vector.
+ ## </summary>
+ ## <param name="domain">
+@@ -463,3 +517,23 @@
typeattribute $1 selinux_unconfined_type;
')
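Review bot: The new `selinux_dontaudit_validate_context` silences `security_t:file { getattr read write }` together with `security_t:security check_context`, and because the kerberos.if hunk at L123 wires it into the shared kerberos interface, every kerberos-linked domain will from now on fail its selinuxfs context validation with no AVC record at all — a domain that genuinely needs the result will misbehave silently rather than show a denial to fix. Worth stating that trade-off in the interface header, e.g. `## Do not audit attempts by the caller to validate security contexts; callers that need the result should use selinux_validate_context() instead.` The `<param>` summary `The process type permitted to validate contexts.` describes a permission this interface does not grant; `Domain to not audit.` says what it actually does. The dontaudit presumably mirrors the object set of the allow variant, but that interface is outside the hunk, so confirm the two stay in step.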
@@ -6759,8 +6788,16 @@
dev_read_rand(amavis_t)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.fc serefpolicy-3.0.8/policy/modules/services/apache.fc
--- nsaserefpolicy/policy/modules/services/apache.fc 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2008-04-04 16:11:03.000000000 -0400
-@@ -16,7 +16,6 @@
++++ serefpolicy-3.0.8/policy/modules/services/apache.fc 2008-04-14 16:03:57.000000000 -0400
+@@ -6,6 +6,7 @@
+ /etc/httpd -d gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/conf.* gen_context(system_u:object_r:httpd_config_t,s0)
+ /etc/httpd/logs gen_context(system_u:object_r:httpd_log_t,s0)
++/var/www(/.*)?/logs(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
+ /etc/httpd/modules gen_context(system_u:object_r:httpd_modules_t,s0)
+ /etc/vhosts -- gen_context(system_u:object_r:httpd_config_t,s0)
+
+@@ -16,7 +17,6 @@
/usr/lib/apache-ssl/.+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/lib/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
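Review bot: The new `/var/www(/.*)?/logs(/.*)?` entry is inserted among the `/etc/httpd` lines (line 9 of apache.fc) while the broader `/var/www(/.*)?` → httpd_sys_content_t entry stays at line 73 (hunk at L106-107); both share the literal stem `/var/www`, and if libselinux resolves same-stem overlaps by taking the last matching entry, the later, broader rule wins and `/var/www/<vhost>/logs` still relabels as httpd_sys_content_t. Placing the line directly after `/var/www(/.*)?` makes the intent hold regardless of matcher ordering. Note also that the pattern matches a `logs` directory at any depth under /var/www, including inside served document roots, so such a directory would become an httpd-writable log type; if only per-vhost top-level log directories are meant, `/var/www/[^/]*/logs(/.*)?` is the tighter pattern. This labeling change is not mentioned in the changelog entry.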
@@ -6768,7 +6805,7 @@
/usr/lib(64)?/apache(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache2/modules(/.*)? gen_context(system_u:object_r:httpd_modules_t,s0)
/usr/lib(64)?/apache(2)?/suexec(2)? -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
-@@ -33,6 +32,7 @@
+@@ -33,6 +33,7 @@
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
')
@@ -6776,7 +6813,7 @@
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-@@ -48,6 +48,7 @@
+@@ -48,6 +49,7 @@
/var/lib/cacti/rra(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/dav(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
@@ -6784,7 +6821,7 @@
/var/lib/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/lib/httpd(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_var_run_t,s0)
-@@ -71,5 +72,16 @@
+@@ -71,5 +73,16 @@
/var/www(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/var/www/cgi-bin(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
@@ -11111,14 +11148,15 @@
+/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.if serefpolicy-3.0.8/policy/modules/services/kerberos.if
--- nsaserefpolicy/policy/modules/services/kerberos.if 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2008-04-07 20:47:25.000000000 -0400
-@@ -42,11 +42,17 @@
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.if 2008-04-15 15:34:14.000000000 -0400
+@@ -42,11 +42,18 @@
dontaudit $1 krb5_conf_t:file write;
dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
+
+ #kerberos libraries are attempting to set the correct file context
+ dontaudit $1 self:process setfscreate;
++ selinux_dontaudit_validate_context($1)
+ seutil_dontaudit_read_file_contexts($1)
tunable_policy(`allow_kerberos',`
@@ -11130,7 +11168,7 @@
corenet_all_recvfrom_unlabeled($1)
corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
-@@ -61,9 +67,6 @@
+@@ -61,9 +68,6 @@
corenet_tcp_connect_ocsp_port($1)
corenet_sendrecv_kerberos_client_packets($1)
corenet_sendrecv_ocsp_client_packets($1)
@@ -11140,7 +11178,7 @@
')
optional_policy(`
-@@ -169,6 +172,53 @@
+@@ -169,6 +173,53 @@
')
files_search_etc($1)
@@ -11197,7 +11235,7 @@
')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/kerberos.te serefpolicy-3.0.8/policy/modules/services/kerberos.te
--- nsaserefpolicy/policy/modules/services/kerberos.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/kerberos.te 2008-04-15 15:35:49.000000000 -0400
@@ -54,6 +54,9 @@
type krb5kdc_var_run_t;
files_pid_file(krb5kdc_var_run_t)
@@ -11225,7 +11263,13 @@
corenet_all_recvfrom_unlabeled(kadmind_t)
corenet_all_recvfrom_netlabel(kadmind_t)
-@@ -118,6 +122,9 @@
+@@ -115,9 +119,15 @@
+ fs_getattr_all_fs(kadmind_t)
+ fs_search_auto_mountpoints(kadmind_t)
+
++selinux_validate_context(kadmind_t)
++seutil_read_file_contexts(kadmind_t)
++
domain_use_interactive_fds(kadmind_t)
files_read_etc_files(kadmind_t)
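Review bot: `selinux_validate_context(kadmind_t)` is an allow rule, not the dontaudit the changelog (L12, L292) describes — kadmind_t, and krb5kdc_t in the hunk at L191-199, now get real write access to selinuxfs files plus `check_context`, and `seutil_read_file_contexts` adds read of the file_contexts database. If these daemons only probe the context the way the `#kerberos libraries are attempting to set the correct file context` comment in kerberos.if suggests, the dontaudit interface this same commit introduces would be the smaller grant; if they do need the result, say so in the changelog, e.g. `- Allow kadmind and krb5kdc to validate contexts and read file_contexts`. A one-line why-comment above the two rules (`# krb5 libraries validate the context they will set on rcache/tmp files — TODO confirm`) would keep the next reader from re-asking. The enclosing kadmind_t block begins outside the hunk.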
@@ -11235,7 +11279,7 @@
libs_use_ld_so(kadmind_t)
libs_use_shared_libs(kadmind_t)
-@@ -127,6 +134,7 @@
+@@ -127,6 +137,7 @@
miscfiles_read_localization(kadmind_t)
sysnet_read_config(kadmind_t)
@@ -11243,7 +11287,7 @@
userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
userdom_dontaudit_search_sysadm_home_dirs(kadmind_t)
-@@ -137,6 +145,7 @@
+@@ -137,6 +148,7 @@
optional_policy(`
seutil_sigchld_newrole(kadmind_t)
@@ -11251,7 +11295,7 @@
')
optional_policy(`
-@@ -151,7 +160,7 @@
+@@ -151,7 +163,7 @@
# Use capabilities. Surplus capabilities may be allowed.
allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
dontaudit krb5kdc_t self:capability sys_tty_config;
@@ -11260,7 +11304,17 @@
allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
allow krb5kdc_t self:udp_socket create_socket_perms;
-@@ -223,6 +232,7 @@
+@@ -215,6 +227,9 @@
+ files_read_usr_symlinks(krb5kdc_t)
+ files_read_var_files(krb5kdc_t)
+
++selinux_validate_context(krb5kdc_t)
++seutil_read_file_contexts(krb5kdc_t)
++
+ libs_use_ld_so(krb5kdc_t)
+ libs_use_shared_libs(krb5kdc_t)
+
+@@ -223,6 +238,7 @@
miscfiles_read_localization(krb5kdc_t)
sysnet_read_config(krb5kdc_t)
@@ -11268,7 +11322,7 @@
userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
userdom_dontaudit_search_sysadm_home_dirs(krb5kdc_t)
-@@ -233,6 +243,7 @@
+@@ -233,6 +249,7 @@
optional_policy(`
seutil_sigchld_newrole(krb5kdc_t)
@@ -11463,7 +11517,7 @@
## <param name="domain">
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/mailman.te serefpolicy-3.0.8/policy/modules/services/mailman.te
--- nsaserefpolicy/policy/modules/services/mailman.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-04-04 16:11:03.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/mailman.te 2008-04-15 14:13:47.000000000 -0400
@@ -55,6 +55,8 @@
apache_use_fds(mailman_cgi_t)
apache_dontaudit_append_log(mailman_cgi_t)
@@ -11473,7 +11527,7 @@
optional_policy(`
nscd_socket_use(mailman_cgi_t)
-@@ -67,6 +69,16 @@
+@@ -67,6 +69,17 @@
#
allow mailman_mail_t self:unix_dgram_socket create_socket_perms;
@@ -11487,10 +11541,11 @@
+auth_use_nsswitch(mailman_mail_t)
+
+files_search_spool(mailman_mail_t)
++fs_rw_anon_inodefs_files(mailman_mail_t)
mta_dontaudit_rw_delivery_tcp_sockets(mailman_mail_t)
-@@ -96,6 +108,7 @@
+@@ -96,6 +109,7 @@
kernel_read_proc_symlinks(mailman_queue_t)
auth_domtrans_chk_passwd(mailman_queue_t)
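Review bot: `fs_rw_anon_inodefs_files(mailman_mail_t)` is added without a comment and is not listed in the changelog, so the reason for the grant is lost; a short why-comment such as `# presumably eventfd/epoll handles on anon_inodefs — confirm against the AVC` above it, and a changelog line, would document it. The enclosing mailman_mail_t block starts outside the hunk.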
@@ -13398,7 +13453,7 @@
+')
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postfix.te serefpolicy-3.0.8/policy/modules/services/postfix.te
--- nsaserefpolicy/policy/modules/services/postfix.te 2007-10-22 13:21:39.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2008-04-14 14:31:24.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/postfix.te 2008-04-15 13:43:34.000000000 -0400
@@ -6,6 +6,14 @@
# Declarations
#
@@ -13664,7 +13719,7 @@
+files_tmp_filetrans(postfix_virtual_t, postfix_virtual_tmp_t, { file dir })
+
+# connect to master process
-+stream_connect_pattern(postfix_virtual_t,postfix_public_t,postfix_public_t,postfix_master_t)
++stream_connect_pattern(postfix_virtual_t,{ postfix_private_t postfix_public_t },{ postfix_private_t postfix_public_t },postfix_master_t)
+
+allow postfix_virtual_t postfix_spool_t:file rw_file_perms;
+
@@ -17998,7 +18053,7 @@
+
diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/xserver.te serefpolicy-3.0.8/policy/modules/services/xserver.te
--- nsaserefpolicy/policy/modules/services/xserver.te 2007-10-22 13:21:36.000000000 -0400
-+++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-04-14 09:15:01.000000000 -0400
++++ serefpolicy-3.0.8/policy/modules/services/xserver.te 2008-04-14 14:44:39.000000000 -0400
@@ -16,6 +16,13 @@
## <desc>
@@ -18063,7 +18118,8 @@
manage_dirs_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
manage_files_pattern(xdm_t,xdm_var_lib_t,xdm_var_lib_t)
- files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
+-files_var_lib_filetrans(xdm_t,xdm_var_lib_t,file)
++files_var_lib_filetrans(xdm_t,xdm_var_lib_t,{ file dir })
+# Read machine-id
+files_read_var_lib_files(xdm_t)
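Review bot: `files_read_var_lib_files(xdm_t)` grants read on every generic `var_lib_t` file, considerably broader than the `# Read machine-id` comment states, and if `/var/lib/dbus` carries its own type in dbus.fc the rule may not even cover `/var/lib/dbus/machine-id` — a dbus-module interface for that file would both match the comment and keep xdm's reach narrow. If the broad grant is intentional, the comment should name what else under /var/lib xdm reads. This rule and the `{ file dir }` filetrans widening are absent from the changelog; the enclosing xdm_t block starts and ends outside the hunk.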
Index: selinux-policy.spec
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-8/selinux-policy.spec,v
retrieving revision 1.626
retrieving revision 1.627
diff -u -r1.626 -r1.627
--- selinux-policy.spec 15 Apr 2008 16:57:03 -0000 1.626
+++ selinux-policy.spec 15 Apr 2008 20:26:28 -0000 1.627
@@ -17,7 +17,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.0.8
-Release: 99%{?dist}
+Release: 100%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -381,6 +381,10 @@
%endif
%changelog
+* Tue Apr 15 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-100
+- Dontaudit validating context when using kerberos libraries
+- Allow postfix_virtual write access to postfix_private sockets
+
* Tue Apr 8 2008 Dan Walsh <dwalsh at redhat.com> 3.0.8-99
- Allow privoxy to write to /etc/privoxy/default\.action